Use USB as a password/key

4

3

Is there any way to prevent a computer from booting up into Windows unless there is a USB device plugged in? I suspect this is difficult/impossible; in that case, would there be any way to prevent Windows from unlocking/logging in unless a USB device is plugged in?

For example, if a hacker has remote access to my computer, he won't be able to bypass the Windows login screen without me being present with the signature USB stick. It also just adds a physical level of protection: say I have shared my password with others; they will still require my USB.

Anton8000

Posted 2015-09-20T12:28:47.153

Reputation: 1 274


What about Smart Cards?

– RogUE – 2015-09-20T12:35:54.420

You can use BitLocker or SysKey. – user364455 – 2015-09-20T12:36:50.973

Smart Cards would work, but I'm wondering if you could use a USB for this purpose... After all, smart cards need a special reader, etc. – Anton8000 – 2015-09-20T12:50:59.390

If a hacker has remote access, then I guess they would not even see any login window. It's not like your computer is not running whenever that login window is shown. – Arjan – 2015-09-20T13:31:01.310

Answers

5

If you are in a hurry to do this, skip to the numbered steps below. (But keep in mind that I recommend you read these facts before locking your computer with a USB drive.)

Extracted only the required details from the Seven Forums site

SysKey (SAM Lock Tool) is an in-built Windows utility that can help you secure the Security Accounts Management or SAM database. The SAM database stores hashed copies of our user passwords, which are encrypted with a locally stored system startup key by default.

You can use SysKey to store the startup key locally in Windows or on a USB flash drive. Having the startup key stored on a USB flash drive instead will give you better security since the USB flash drive must be connected at startup to be able to login and gain access to Windows.

You must be logged in as an administrator to be able to do the steps in this tutorial.

This will only lock the Windows computer at boot from a cold startup after a restart or shut down. It will not lock Windows after a log off, lock, or switch user.

Once Windows has started after logging in, you will no longer need to have the USB flash drive connected. It is only required to be connected at system startup at boot.

You will still be able to continue to use the USB flash drive as normal. Just do not ever delete the StartKey.Key file on it, or you will not be able to unlock Windows with it anymore.

The startup key placed on the USB flash drive is only good to gain access to logon to the specific Windows that it was created in.

Note: Windows will not start up until you connect the USB startup key.

To make Windows Require a USB Key at Startup to Unlock:

  1. You will need to change the drive letter of the USB flash drive to have the letter A.

  2. Press the Windows+R keys to open the Run dialog, type syskey, and click/tap on OK.

  3. If prompted by UAC, then click/tap on Yes (Windows 7/8) or Continue (Vista).

  4. Click/tap on Update.

  5. Select (dot) System Generated Password, select (dot) the Store Startup Key on Floppy Disk option, and click/tap on OK.

If you already have an existing StartKey.Key file on the USB, then the older existing one would be renamed to StartKey.Bak for the new one to be saved to it.

It is recommended that you keep a backup of this StartKey.Key file at another location in case the USB gets corrupted or lost. This way you will be able to copy it to another USB with a drive letter of A to be able to gain access to Windows again.

To make Windows Not Require a USB Key at Startup:

  1. Do all the above-mentioned steps up to number 4.
  2. Select the Store Startup Key Locally option in the 5th step.

Nirmal Seneviratne

Posted 2015-09-20T12:28:47.153

Reputation: 378

What if the usb key dies? Better have a backup... – Moab – 2016-01-12T01:54:11.017
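As an added example (not part of the answer above), the following PowerShell script automates step 1 of the procedure and the backup the answer and the comment recommend: it re-letters the USB stick to A:, launches the interactive syskey dialog for steps 2 to 5, and then verifies that StartKey.Key exists and that the backup copy is byte-identical. It assumes the stick is currently mounted as E:, a backup folder of D:\SysKeyBackup (both placeholders), an elevated PowerShell session, and a Windows version that still ships syskey.exe.

```powershell
# Added example, not the answer's own script. Assumed values: USB stick is E:, backup folder is D:\SysKeyBackup.
$UsbLetter = 'E'
$BackupDir = 'D:\SysKeyBackup'

# Refuse to re-letter a fixed disk by mistake: the startup key belongs on removable media only.
if ((Get-Volume -DriveLetter $UsbLetter).DriveType -ne 'Removable') {
    throw "Drive $UsbLetter is not a removable drive"
}

# Step 1: syskey only writes the "floppy" key to A:, so assign that letter to the USB partition.
$part = Get-Partition -DriveLetter $UsbLetter
Set-Partition -InputObject $part -NewDriveLetter 'A'

# Steps 2-5 are interactive: open the SysKey dialog and wait until it is closed.
Start-Process -FilePath 'syskey.exe' -Wait

# After "Store Startup Key on Floppy Disk", the key file must be present on A:.
$keyFile = 'A:\StartKey.Key'
if (-not (Test-Path -Path $keyFile)) {
    throw 'StartKey.Key was not written to A: - do not reboot until this is resolved'
}

# Keep an off-stick copy, as the answer recommends, and prove it matches before relying on it.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Copy-Item -Path $keyFile -Destination $BackupDir -Force
$srcHash = (Get-FileHash -Path $keyFile -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -Path (Join-Path $BackupDir 'StartKey.Key') -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) {
    throw 'Backup copy does not match the key on the USB stick'
}
"Startup key backed up and verified (SHA256 $dstHash)"
```

Keep the backup folder on a drive other than the one SysKey now protects, otherwise the backup is unreachable exactly when it is needed.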

4

You ask if there is a way to prevent bootup unless a USB Key is plugged in. This is possible, and it helps protect your data if your hard drive/computer is stolen.

However, you also mentioned that you want the USB Key to prevent someone with remote access to your computer from logging in. This second part of your question doesn't really make any sense. If someone has remote access to your system, that assumes the system is already booted, in which case the USB Key required for booting is of no relevance.

Perhaps what you are really asking is if there is a way to disable Remote Access, or if there is a way to only enable Remote Access when certain conditions are met (e.g. if a USB Key is inserted). One way to do this is to write a script. For now, in this answer, I will just show you how to require a USB Key to boot up to Windows.

I am assuming you do not have a TPM (Trusted Platform Module). Most people don't have this in their PCs. If you do have a TPM, you can probably skip steps 1 to 4. If you don't know whether or not you have a TPM, you should just perform steps 1 to 4. Even if you do have a TPM, performing those steps shouldn't be of any harm.

Attached at the end of the answer are a few images relevant to the steps.

  1. Open Group Policy Editor. Do this by searching gpedit.msc in Windows Search.
  2. Navigate to Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives.
  3. Double Click Require Additional Authentication at Startup.
  4. Select Enable and make sure Allow BitLocker without a... is checked.
  5. Open BitLocker settings by searching Manage BitLocker.
  6. Select your Boot Drive (Usually, it is C:) and click Turn on BitLocker.
  7. Insert your USB Key, and follow the steps of the prompt.

When finished, you will be required to insert your USB Key every time you boot up the Computer in order for it to boot into Windows. In addition, if your Hard Drive or Computer is stolen, and the thief does not have your USB Key, your data will be protected.

Below are some relevant images. The first one is for Steps 2 and 3. The second one is for Step 4.

[Image: Step 2 and 3 Reference]

[Image: Step 4 Reference]

nehcsivart

Posted 2015-09-20T12:28:47.153

Reputation: 493
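As an added example (not part of the answer above), here is the same seven-step procedure done from an elevated PowerShell session. Steps 1 to 4 are replaced by writing the registry values that the "Require additional authentication at startup" policy sets under HKLM\SOFTWARE\Policies\Microsoft\FVE; steps 5 to 7 use the BitLocker cmdlets with a startup key protector, and a recovery password is added as the backup Moab's comment on the other answer asks for. It assumes the OS volume is C: and the USB key is mounted as E: (placeholders).

```powershell
# Added example, not the answer's own script. Assumed values: OS drive is C:, USB key is E:.
$OsDrive = 'C:'
$UsbRoot = 'E:\'

# Steps 1-4: these are the values the GPO "Require additional authentication at startup"
# writes; EnableBDEWithNoTPM corresponds to the "Allow BitLocker without a compatible TPM" checkbox.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
New-ItemProperty -Path $fve -Name 'UseAdvancedStartup'  -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -PropertyType DWord -Force | Out-Null

# Mirrors the answer's TPM remark: the policy above is harmless when a TPM is present.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm -and $tpm.TpmPresent) { Write-Host 'TPM present; policy change is harmless.' }

# The startup key must land on removable media, never on the drive being encrypted.
if ((Get-Volume -DriveLetter $UsbRoot[0]).DriveType -ne 'Removable') {
    throw "$UsbRoot is not a removable drive"
}

# Steps 5-7: enable BitLocker on the OS drive with a startup key written to the USB stick.
# Without -SkipHardwareTest, BitLocker checks at the next reboot that the key can be read at boot.
Enable-BitLocker -MountPoint $OsDrive -StartupKeyProtector -StartupKeyPath $UsbRoot -UsedSpaceOnly

# Backup: add a recovery password and print it once so it can be stored away from this machine.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -ExpandProperty RecoveryPassword

# Verify: an ExternalKey protector must exist and the (hidden) .BEK file must be on the stick.
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'ExternalKey'
Get-ChildItem -Path $UsbRoot -Filter '*.BEK' -Force
```

Encryption of the volume begins after the reboot that runs the hardware test; keep the USB key inserted for that boot.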

0

You can install Windows to a USB device itself, and boot from USB (but please choose a fast enough device for this purpose, otherwise it will suck). So when the USB thumb drive is in your pocket, there's nothing to boot from at your PC. All local partitions can be encrypted with TrueCrypt or similar software, so another stranger with a LiveCD/LiveUSB won't read your data. You can have a script in the startup folder of your Windows-on-USB installation to automount TrueCrypt partitions without entering a password.

Mikhail Kupchik

Posted 2015-09-20T12:28:47.153

Reputation: 2 381