Secure Laptop Build


tcsgabe

If you were building a secure laptop for the president, what would it include?

It has to be a Windows-based OS.

Is there good software that locks down a PC in general? This PC is going to be used to do a lot of financial transactions which will need to access the internet.

What are your ideas?


I reckon you'd need:

full disk encryption - TrueCrypt or BitLocker

good AV - I rate the free MS one, they know their OS and how to hook into it the best

an application whitelist program - basically tell the OS that these are the only apps which are allowed to be run

disable all non-essential services - including file sharing

don't install things like flash or java unless your app needs them

disable DNS and hardcode domain names into the hosts file

hardcode ARP entries

password protect the BIOS and boot, make sure the HDD is the first and only boot option

If you are really paranoid about it then do regular AV/malware scans with a live boot DVD.

Don't run as admin - very important

Some people suggest mirroring the machine once installed then doing regular reinstalls from that image so you know the machine is clean. I don't like that too much as it means you have to repatch everything each time, which will get slower over time. You could restore, patch then re-image but I'm not really sure that is buying you extra security.

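Several items from the checklist above can be verified with a read-only audit. The PowerShell function below is an added example, not part of the original post; the account name, pinned domain and gateway address are constructed placeholders, and it has to run from an elevated prompt on an edition that ships the BitLocker cmdlets.

```powershell
# Added example: read-only audit of checklist items. Run elevated.
function Test-LaptopBaseline {
    param(
        [string]$DailyUser     = 'president',       # constructed account name
        [string[]]$PinnedHosts = @('bank.example'), # constructed pinned domain
        [string]$GatewayIp     = '192.0.2.1'        # constructed gateway address
    )
    $r = [ordered]@{}

    # Full disk encryption: BitLocker protection must be on for the OS volume.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r['Disk encryption on'] = ($vol.ProtectionStatus -eq 'On')

    # Don't run as admin: daily account is absent from BUILTIN\Administrators.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.Name -like "*\$DailyUser" })
    $r['Daily user is not admin'] = ($admins.Count -eq 0)

    # File sharing: the Server service (LanmanServer) is disabled.
    $r['File sharing disabled'] = ((Get-Service LanmanServer).StartType -eq 'Disabled')

    # Hosts pinning: every required name has an uncommented hosts entry.
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $names = Get-Content $hostsFile | ForEach-Object {
        $fields = ($_ -replace '#.*$', '').Trim() -split '\s+'
        $fields | Select-Object -Skip 1       # drop the IP, keep the names
    }
    foreach ($h in $PinnedHosts) { $r["Hosts entry for $h"] = ($names -contains $h) }

    # Hardcoded ARP: the gateway has a permanent (static) neighbor entry.
    $arp = @(Get-NetNeighbor -IPAddress $GatewayIp -State Permanent -ErrorAction SilentlyContinue)
    $r['Static ARP for gateway'] = ($arp.Count -gt 0)

    # Emit one object per check so the result can be filtered or exported.
    $r.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
    }
}

Test-LaptopBaseline | Format-Table -AutoSize
```

Any row with `Pass` set to `False` is a checklist item that has drifted or was never applied.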

As mentioned above, full disk encryption would probably be a must in the event it ever got stolen. I'd also probably set up the machine with something like Deep Freeze, where the machine reverts back to a saved state after every boot, and only allow file storage on the domain used for the laptop, where the shared data is not kept on the laptop, but on servers back at the "white house" or such, with security on that end uber locked down. I'd also probably use EMET 3.0, to limit buffer overflows, ASLR and DEP bypassing, as well as set up the user account as a limited user vs being admin on the laptop, so they can surf the web, but not install anything. Next step would be mandatory VPN access through your secured network to reach the internet, so no matter where you go, and whatever network you are on, your traffic is always encrypted between you and your VPN in order to gain internet access. Without access to the VPN, you deny all other traffic on the workstation/laptop. BIOS passwords are a given, but most can be bypassed, so disk encryption is a must.

The other alternative: build a live disc of Windows with all your preconfigured settings as you would a normal machine, and run booted off that live disc, with no HDD on the laptop. Just make sure the live disc doesn't have any stored hashes, i.e. pass the hash attacks, or login credentials stored in the image, since that disc alone gives the attacker access to boot off nearly anything and they don't need the laptop, just the live disc, to gain access to the secured network.

If possible, also get a laptop that has a thumb scanner built in. I know some Sony VAIO laptops have them, but I'm sure there are other laptops with them built in and external USB devices for the same thing, so only the "president" or end user can authenticate with the machine, adding a second layer of authentication. Hell, go for 3 factor or more authentication with a combination of thumb and biometric scanners as well as things like a YubiKey or RSA smart cards in conjunction with normal authentication practices and certificate servers for VPN access to the network.

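The VPN-only rule from the post above (deny all traffic unless it goes through the VPN) can be enforced with Windows Firewall. The script below is an added example, not part of the original post; the gateway address, port and tunnel adapter name are constructed placeholders, and it has to run elevated.

```powershell
# Added example: force all traffic through the VPN tunnel ("kill switch").
$VpnGateway  = '203.0.113.10'   # constructed: address of the VPN server
$VpnPort     = 1194             # constructed: UDP port the VPN listens on
$TunnelAlias = 'CorpVPN'        # constructed: name of the VPN tunnel adapter

# 1. Default-deny outbound traffic on every firewall profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Existing outbound allow rules would bypass the default; disable them.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Disable-NetFirewallRule

# 3. Allow DHCP so the laptop can get an address on whatever network it joins.
New-NetFirewallRule -DisplayName 'KS: DHCP client' -Direction Outbound `
    -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67

# 4. Allow only the tunnel setup traffic to the VPN server, addressed by IP
#    because DNS is blocked until the tunnel is up.
New-NetFirewallRule -DisplayName 'KS: VPN gateway' -Direction Outbound `
    -Action Allow -Protocol UDP -RemoteAddress $VpnGateway -RemotePort $VpnPort

# 5. Allow anything that leaves through the tunnel adapter itself.
New-NetFirewallRule -DisplayName 'KS: via tunnel' -Direction Outbound `
    -Action Allow -InterfaceAlias $TunnelAlias

# 6. Show the resulting state for review.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName
```

This only changes the local rule store; outbound allow rules delivered by Group Policy need the same review.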

Well, since Microsoft gave the Russian Secret Service source code, I would say no dice. Forget the fact that he would want to use wifi, or bluetooth.

Um, whatchu smokin Willis?

Well, since Microsoft gave the Russian Secret Service source code, I would say no dice. Forget the fact that he would want to use wifi, or bluetooth.

Well, I'm pretty sure a decent amount of U.S. branches have access to it as well so I don't see why that would make it a deal breaker. If anything it would allow them to lock it down more, although that's not exactly a possibility in this specific case it would be for the president most likely.

Honestly as long as you update it frequently, have a good active scanner/firewall, encryption and other basic methods of OS Hardening (depending upon if it's mobile or not) you'll be fine. At least it will be so long as you don't screw yourself over by using weak passwords, exposing it to a DMZ, not physically locking it down, or a variety of other things. Not really necessary to go through NSA standard preparation for a financial computer, though it's your call.

Personally I'd use a flavor of Linux such as Fedora with SELinux, modify it a bit if you want then burn it to a disk or USB and only pop it in for the off chance of you making a transaction. This could leave you open to vulnerabilities but the chance it would take to find one vs the time you're online isn't that great (so long as it isn't a very old version). If you're doing 24/7 then you should update at every chance you get. Upside to this is it'd be small enough to lock in a safe as well, though a laptop might fit depending on your safe size/if you have one.


  • 2 months later...

As well as encryption of the hard drive, I would add encrypted connections, firewall filtering, a possible VPN connection, remote wipe in case the laptop gets stolen, and I guess that's pretty much it.

Best Regards


It has to be windows based OS.

Is closed source generally more secure? Most corporations avoid using open source operating systems since closed source systems are controlled. I think it's best to avoid anything not directly from M$ if you want real security. You'll always have someone to sue; don't forget the tinted glare protector.

Edited by logicalconfusion

You think someone would be able to sue Microsoft if they got hacked?

Most vulnerabilities I've been finding and exploiting on tests over the last few years are nothing to do with the OS/software, who wrote it or whether it is open or closed source; it is down to misconfiguration, misuse or sloppy use. Simple or reused passwords get me in lots of places, open network shares provide a wealth of information and similar mistakes. These can all be done on Linux, Windows, OSX or any other OS you care to mention.


I would lay down XenClient XT before doing the OS install. Then, I'd have the Windows VM pass everything through an Untangle-like appliance which in turn would connect to a VM of DD-WRT (there's an x86 DD-WRT project out there) that's locked down and passing everything over OpenVPN (traffic would be encapsulated in various other encryptions before using OpenVPN) using VPN servers and DNS servers maintained by my security staff.

Did this the other day with my project laptop and a trial of XenClient. It was a lot of fun to build but not too practical for day to day use. That's where the XT comes in. It puts your hardware to way better use (so I've heard) than the civilian XenClient. Oh yeah, the Citrix website says "Have your agency request more information" in regards to obtaining a trial or purchase. Good luck with that.
