PC Security (UEFI / Secure Boot / TPM / Drive encryption)

[Ceph92]

Hi - I'm very old skool and updating my approach to security because despite good basic habits, I still ended up with 2 rootkits. My work computers have all used these features (managed by IT) but I've neglected learning about them for personal use.

1. What elements of PC configuration should I consider to maximize security, as part of what strategy?
   
2. How do I do backup and recovery when using that strategy?
   
3. I was able to detect / remove rootkits using bootable scanners (bootable media or windows boot-time scan), but if the drive is encrypted, what methods are there?
4. How can you detect a comprimised kernel (even with secure boot) or comprimised firmware?
   
5. Can I use hardware drive encryption to facilitate secure multi-boot? That is, keep OSs on drives/partitions separated via encryption, accessed by password on boot?
   
6. If TPM manages keys for drive encryption, then how can I recover from a hardware failure of that PC? Is it possible to access that drive or install it in identical hardware?

I'm studying, but it's taking a long time. *Any* insights or legs up would be appreciated.

 

[B00nie]

According to the experts on this page you must be imagining things and Windows is perfectly secure to use as it is. </sarcasm>
Drive encryption will do nothing to protect you from rootkits or other infections, it will only make it more likely that you lock yourself out of your own data. This is because the infection is spread through your OS which obviously has access to the encrypted drive.

A consumer needs drive encryption only if he plans to do something illegal basically. Secure boot is also basically useless, it's designed only to make it more difficult to use alternative OSes (IMHO) and does little to nothing to actually protect your computer.

So to make your computer more secure:

1) Use a non mainstream OS, avoid Windows when possible. 99% of the attacks existing in the world target windows users.
2) Steer clear from non-paid (windows) software, especially warez. Open source obtained from trusted sources is naturally ok to use.
3) Do not visit shady sites and install adblock and no-script extensions to your browser to protect it. Uninstall java if you do not need it. Uninstall all unnecessary software from your computer or avoid installing them in the first place. Do not use software that promises to 'keep your computer up to date' or 'help you with drivers' or 'clean up your registry'. They do damage, nothing else and open up attack vectors.
4) Use a proper antivirus if you are unfortunate and must continue to use Windows. Heck, if you use Windows, feel free to use 80% of your system resources with antirootkit, antimalware, antiadware, antivirus and whatever you can find which will result to multiple software making low level system hooks to interfere with every process you run on your computer. Ok, maybe the 80% was sarcastic but you get what I mean.

 

[Ceph92]

I'm not just concerned about rootkits, but the whole gamut of security and privacy threats. Included in that are loss/theft of the system, data exfiltration (including sensitive stuff that I'm responsible for), and being the weak point in a employer extranet/VPN scenario.

 

[B00nie]

First rule of thumb: Keep your work computer separate from your private life. You put your company into risk if you use your work computer for anything else than your work. Also whilee it's sensible to encrypt your work stuff, rarely it's necessary to encrypt your holiday pictures etc that people usually have on their computers.

Just keep your sensitive data such as passwords protected.