If someone has SYSTEM rights to my PC remotely security question


  1. Posts : 472
    Windows 10 Pro x64
       #1



    Hi. If someone has full SYSTEM rights remotely to my Windows, that person can do whatever he likes and no antivirus or software will ever find out, right? Let's say that this person is spying on me. If I change group policy to secure myself as well as I can with over 20 group policy edits from the STIG security baseline, and then a lot from the STIG in secpol, and then have Malwarebytes, Norton 360 and Windows Defender, would that do anything at all against the person that has remote access to my PC from the network or through my mouse or keyboard USB receivers? Will he be able to do whatever he wants unnoticed until I see that security changes I made have suddenly been reverted?

    Or can he basically format all my non-OS drives with a click of a button whenever he likes? Let's say this person had physical access to my PC at some point and installed a deep-rooted rootkit in my motherboard or any other component or in my hard drives, and if I don't secure-erase all of them it persists and then spreads to every HDD each time I use them or clean-install Windows. For example, a rootkit on an HDD that has a hidden partition with files in it that the rootkit works from? Would this mean I would basically need to buy a whole new PC and never use any part I ever used with my old PC with the new one, like any USB stick or HDD I ever used? Does RAM count?

    Is the only way to get rid of it to never use any of it again? I guess with a new PC, they can't reinstall this without having physical access to my PC again? Or am I in danger just using my router? Let's say the hacker is my neighbor: would using my router be a risk that he could use to transfer the rootkit again? And would that rootkit be caught by my security in Windows before damage is done, versus if he has physical access to my PC?

    "Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem. When dealing with firmware rootkits, removal may require hardware replacement, or specialized equipment."


  2. NTN
    Posts : 972
    W10 19045.2546
       #2


  3. Posts : 5,452
    Windows 11 Home
       #3

    BlackVen0m said:
    Or that he can basically format my whole non OS drives with a click of a button whenever he likes?
    You can limit SYSTEM on non-OS drives (write/modify); it actually prevents ransomware, which uses SYSTEM.
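    The ACL change suggested above, written out as an added example (not code posted by anyone in the thread). It adds an inheritable Deny entry for the LocalSystem account covering write, append and delete on a data drive root, lists the SYSTEM entries so the result can be checked, and can revert the change. The drive letter H:\ is taken from the thread and is assumed to be a data drive with no Windows installation on it; S-1-5-18 is the real well-known SID of NT AUTHORITY\SYSTEM. Run from an elevated PowerShell.

```powershell
# Added example, not from the thread: deny SYSTEM write/delete on a non-OS drive,
# verify the resulting ACEs, and provide a revert. Assumes H:\ is a data drive.

$SystemSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18')  # NT AUTHORITY\SYSTEM

# Rights to deny: create/append/write data and attributes, plus delete. Read and
# execute are deliberately left alone so SYSTEM services can still enumerate and
# read the volume.
$DeniedRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'

function New-SystemDenyRule {
    # Inheritable Deny ACE so new files and folders under the root pick it up.
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $SystemSid,
        $DeniedRights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

function Get-SystemAces {
    param([Parameter(Mandatory)][string]$Path)
    # Every ACE on $Path that targets SYSTEM, matched by SID rather than display name.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $SystemSid } |
        Select-Object AccessControlType, FileSystemRights, IsInherited, InheritanceFlags
}

function Add-SystemWriteDeny {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule((New-SystemDenyRule))
    if ($PSCmdlet.ShouldProcess($Path, 'Deny SYSTEM write/delete')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

function Remove-SystemWriteDeny {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # RemoveAccessRule matches on identity, rights and type; Allow entries are untouched.
    [void]$acl.RemoveAccessRule((New-SystemDenyRule))
    if ($PSCmdlet.ShouldProcess($Path, 'Restore SYSTEM write/delete')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Usage: preview, apply, then verify the Deny entry is present alongside the Allow entries.
Add-SystemWriteDeny -Path 'H:\' -WhatIf
Add-SystemWriteDeny -Path 'H:\'
Get-SystemAces -Path 'H:\' | Format-Table -AutoSize
```

Two things to check before leaving this in place: Volume Shadow Copy (System Volume Information), the Windows Search indexer, Defender's own remediation and Storage Sense all run as SYSTEM and write to every volume, so expect errors from them and test on a drive you can afford to break first. And a Deny for SYSTEM does nothing against code running under the logged-on user's account, which already owns the files; it is one layer, not a substitute for an offline backup.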


  4. Posts : 15,485
    Windows10
       #4

    Firstly, you should only use RDP on a LAN or via a VPN.

    You should set secure credentials so a person cannot remote over internet to PC.

    You can also turn off RDP when not needed.

    For somebody to get access via RDP over internet, you have to set up port forwarding to your pc. Simple thing - Don't!




    In the end, for somebody to get access via RDP, your pc has to have already been compromised e.g. via malware previously installed.

    I only use apps like Splashtop to access my pc over internet, and make sure passwords etc. are secure. For a hacker to access pc, they need to know passwords etc. You can minimise risk by turning off the host servers when not needed.

    As for users having physical access, then use Bitlocker with Bitlocker PIN particularly on laptops outside home environment.

    My point is there is lots of common sense (regrettably an oxymoron) things you can do to minimise risk by not letting them get access.

    Of course, if one is careless and allows a person access with admin rights, nothing can truly protect you. You can set up all sorts of policies, but they can be reversed.

    I never let anybody other than myself have admin rights to my devices.

    I use the simple expediency of a second pc for visitors and even then, only allow a standard account. If I have any concerns, I just wipe pc and restore from a backup.


    So whilst you are right about what damage COULD be done, in reality you can take sensible protection measures to minimise risk.

    Of course, regular image backups etc help to protect you (assuming pc is not already compromised).

    To me, recognising when pc is compromised is more important than lulling yourself into a false sense of security by assuming all your protective measures are adequate.

    In the end, the only way to keep a pc totally secure is to never connect to internet and never allow others to use pc.

    Even then, the simple act of installing software can make a device insecure but a person still needs physical access to do any harm.
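    The advice in this post (RDP only on the LAN or over a VPN, turn it off when not needed, never forward the port) comes down to a few settings that can be audited from the PC itself. The following is an added example, not code from the poster: it reports whether Remote Desktop is enabled, requires Network Level Authentication, is actually listening and is opened in the host firewall, which local accounts may use it, and which RDP logons or failed attempts the Security log has recorded; a second function disables it cleanly. The registry keys, cmdlets and event IDs are the standard Windows ones; run elevated. The router-side port forward cannot be checked from the PC, only on the router.

```powershell
# Added example, not from the thread: audit and disable Remote Desktop exposure.
# Standard Windows registry keys and cmdlets; requires an elevated session.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    $ts   = Get-ItemProperty -Path $TsKey
    $tcp  = Get-ItemProperty -Path $RdpTcp
    $port = [int]$tcp.PortNumber

    # A listener on the RDP port means the service is accepting connections right now.
    $listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue

    # Host firewall: any enabled inbound rule in the Remote Desktop group opens the port.
    $fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' }

    # Accounts allowed to log on over RDP (local Administrators can regardless).
    $rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name

    [pscustomobject]@{
        RdpEnabled           = ($ts.fDenyTSConnections -eq 0)
        NlaRequired          = ($tcp.UserAuthentication -eq 1)   # Network Level Authentication
        Port                 = $port
        Listening            = [bool]$listener
        InboundFirewallRules = @($fwRules).Count
        RemoteDesktopUsers   = @($rdpUsers)
    }
}

function Get-RecentRdpLogons {
    param([int]$Days = 7)
    # 4624 = successful logon, 4625 = failed logon. LogonType 10 is RemoteInteractive (RDP).
    # The two events lay out their fields differently, hence the per-ID index table.
    $idx = @{
        4624 = @{ Type = 8;  User = 5; Ip = 18 }
        4625 = @{ Type = 10; User = 5; Ip = 19 }
    }
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[$idx[$_.Id].Type].Value -eq 10 } |
        Select-Object TimeCreated, Id,
            @{ n = 'Account';  e = { $_.Properties[$idx[$_.Id].User].Value } },
            @{ n = 'SourceIp'; e = { $_.Properties[$idx[$_.Id].Ip].Value } }
}

function Disable-Rdp {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Remote Desktop', 'Disable and close firewall rules')) {
        Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }
}

# Usage: review current state and recent activity, then switch RDP off if it is not needed.
Get-RdpExposure | Format-List
Get-RecentRdpLogons -Days 7 | Format-Table -AutoSize
Disable-Rdp -WhatIf
```

If `RdpEnabled` is true but you never use RDP, `Disable-Rdp` is the right call; if you do need it, `NlaRequired` should be true and `RemoteDesktopUsers` should contain only accounts you recognise. A run of 4625 entries with LogonType 10 from addresses you do not own is the clearest sign the port is reachable from outside and should be closed at the router.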


  5. Posts : 9,790
    Mac OS Catalina
       #5

    You are overthinking this. No one can access your system from a remote terminal unless you grant access in some form or another. Antivirus/antimalware software only blocks those threats that can harm the system. A Firewall can block inbound and outbound requests only. Now layer it up one with a DNS service that you can block outbound requests from happening, same as using the built in firewall on a router, you can layer the security even more.

    Basically what I am getting at is that a person can remote into your computer if you have allowed malware or even a remote request through the use of false information with an email attachment or telling you to go to a site to download something; you are not being vigilant enough.


  6. Posts : 8,108
    windows 10
       #6

    No one connecting is SYSTEM; that is Windows itself.


  7. Posts : 9,790
    Mac OS Catalina
       #7

    TairikuOkami said:
    You can limit SYSTEM on non-OS drives (write/modify); it actually prevents ransomware, which uses SYSTEM.
    Should already be done if a regular Windows distribution user. If insider, see second paragraph.

    "The Windows Security app is updated separately from the OS and ships out of box. The version with the vulnerable driver blocklist toggle is in the final validation ring and will ship to all customers very soon. Initially, you will be able to view the configuration state only and the toggle will appear grayed out. The ability to turn the toggle on or off will come with a future Windows update.

    For Windows Insiders, the option to turn Microsoft's vulnerable driver blocklist on or off using the Windows Security app is grayed out when HVCI, Smart App Control, or S mode is enabled. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can turn off the Microsoft vulnerable driver blocklist."


  8. Posts : 472
    Windows 10 Pro x64
    Thread Starter
       #8

    TairikuOkami said:
    You can limit SYSTEM on non-OS drives (write/modify); it actually prevents ransomware, which uses SYSTEM.
    Great, I'm doing that now, because just some days ago I saw a hidden file that came out of nowhere on my non-OS drive H: called Winstart.bat. I deleted it manually because I panicked. Everything came back clean when I scanned my system, though.
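    An unexpected hidden script on a data drive is worth recording before it is deleted, because the file itself is the only evidence of where it came from. The following is an added example, not code from the poster: it lists hidden or system files at a drive root and, for a chosen file, saves its hash, timestamps, attributes, any Zone.Identifier stream (which marks a file as downloaded) and the script text to a triage folder before removing it. The drive letter H:\ and the file name Winstart.bat are taken from the thread; the triage folder path is an assumption.

```powershell
# Added example, not from the thread: find hidden/system files at a drive root and
# preserve evidence about one before deleting it. H:\ and Winstart.bat come from the
# thread; C:\Triage is an assumed output folder.

function Get-HiddenRootFiles {
    param([Parameter(Mandatory)][string]$Root)
    # -Force includes hidden and system files; the root of a data drive should normally
    # hold only $RECYCLE.BIN and System Volume Information, so anything else stands out.
    Get-ChildItem -LiteralPath $Root -Force -File |
        Where-Object { $_.Attributes -match 'Hidden|System' } |
        Select-Object Name, Length, Attributes, CreationTime, LastWriteTime
}

function Save-FileTriage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$OutDir = 'C:\Triage'   # assumed location for the evidence record
    )
    $item = Get-Item -LiteralPath $Path -Force
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Zone.Identifier is an alternate data stream written to files that came from the
    # internet or another machine; its absence means nothing, its presence says a lot.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue

    $record = [pscustomobject]@{
        FullName       = $item.FullName
        Length         = $item.Length
        Attributes     = $item.Attributes.ToString()
        CreationTime   = $item.CreationTime
        LastWriteTime  = $item.LastWriteTime
        LastAccessTime = $item.LastAccessTime
        Sha256         = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        ZoneIdentifier = $zone
        Content        = Get-Content -LiteralPath $Path -Raw -ErrorAction SilentlyContinue
    }

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $out   = Join-Path $OutDir ("{0}-{1}.json" -f $item.Name, $stamp)
    $record | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $out -Encoding UTF8

    if ($PSCmdlet.ShouldProcess($item.FullName, 'Delete after recording')) {
        Remove-Item -LiteralPath $Path -Force
    }
    $record
}

# Usage: review the drive root, then record and remove the suspicious file.
Get-HiddenRootFiles -Root 'H:\' | Format-Table -AutoSize
Save-FileTriage -Path 'H:\Winstart.bat' -WhatIf
```

The saved record gives you a SHA-256 to look up later and the script text to read, which matters more than the scan result: a batch file is not malware by itself, so a clean scan after deleting it says little about what launched it. A file reappearing at the root after deletion points to something scheduled or set to run at logon on the machine, which is where to look next.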

