How can I stop the Windows Recovery Environment being used as a back door?

In Windows 10, the Windows Recovery Environment (WinRE) can be launched by repeatedly cutting power to the computer during the boot sequence. This allows an attacker with physical access to a desktop machine to gain administrative command-line access, at which point they can view and modify files, reset the administrative password using various techniques, and so on.

(Note that if you launch WinRE directly, you must provide a local administrative password before it will give you command line access; this does not apply if you launch WinRE by repeatedly interrupting the boot sequence. Microsoft have confirmed that they do not consider this to be a security vulnerability.)

In most scenarios this doesn't matter, because an attacker with unrestricted physical access to the machine can usually reset the BIOS password and gain administrative access by booting from removable media. However, for kiosk machines, in teaching labs, and so on, measures are usually taken to restrict physical access by, e.g., padlocking and/or alarming the machines. It would be very inconvenient to have to also try to block user access to both the power button and the wall socket. Supervision (either in person or via surveillance cameras) might be more effective, but someone using this technique would still be far less obvious than, e.g., someone attempting to open the computer case.

How can the system administrator prevent WinRE from being used as a back door?

---

Addendum: if you are using BitLocker, you are already partially protected from this technique; the attacker will not be able to read or modify files on the encrypted drive. It would still be possible for the attacker to wipe the disk and install a new operating system, or to use a more sophisticated technique such as a firmware attack. (As far as I am aware firmware attack tools are not yet widely available to casual attackers, so this is probably not an immediate concern.)

@HarryJohnston: I am not very familiar with Windows, but won't an attacker who has physical access to the computer always be able to wipe the drive and reinstall the operating system?

@ThomasPadron-McCarthy, not if the BIOS is properly configured and they can't get the case open.

"It's the only reliable and truly secure way" This pretty much states the other answer is either invalid or gives a false sense of security. Elaborating on why that's so would turn this short answer into something helpful.

@Mast It succeeds in disabling the local recovery environment. It doesn't prevent booting from a usb stick to reset the password. It doesn't stop you from taking the harddisk out and connect it to another computer. (But op already stated the latter wasn't a goal)

This. If someone repeatedly cutting power to gain access is a concern, then putting the disk into a different computer certainly is, too. Bitlocker (or similar software) is really the only way of preventing that. No credentials typed in, no disk access (not useful, meaningful access anyway, you can sure overwrite everything, but you can always smash the disk with a hammer, too).

@poizan42 the OP address this other concern elsewhere. They're only concerned with WinRE for the purpose of this question.

What on earth are you talking about? If you want to mount a bitlockered drive as a secondary drive, you need its recovery key. If you do anything to upset the TPM in the host machine, you need its recovery key. If you boot off a portal copy of windows, you'll need its recovery key.

@Mark, I think you've misinterpreted this answer; it is saying that if you don't use BitLocker then an attacker can steal the hard drive and access the contents. On the other hand, it completely misses the point of the question, which refers to computers that have been physically secured; if the attacker can't get the case open, they can't steal the hard drive.

@Damon, I'm not sure you understand the scenario. How is the attacker going to remove the hard drive if they can't open the computer case? (Yes, physical security can be bypassed if you're determined and/or reckless enough, but we're not talking about nuclear launch codes here.)

@HarryJohnston how are they able to repeatedly cut power and physically control it, but unable to open the case? What’s preventing them from cutting the case open?

@Tim, that's an acceptable risk, because (a) it is unlikely to happen, and (b) if it did, it would be fairly obvious and we'd have a good chance of catching the vandal via surveillance footage and/or entry logs. We could even get the police in to take fingerprints! To expand on (a) the underlying problem is that there are a significant number of people who (either subconsciously or consciously) don't really believe that hacking is dishonest. If there's some way to break into a machine that doesn't involve causing physical damage or risking setting off an alarm, they'll take it.

... and in the cases where someone is willing to cause physical damage, it is almost always done in order to steal the equipment, not to hack into it. BitLocker would be essential if there was valuable data on the HDD, but that would be pretty unusual for a machine in this situation.

I would suggest also adding a recovery entry manually that isn't part of the recoverysequence. That will allow recovery without (hopefully?) being auto-started.

@HarryJohnston then just make the wire go into the wall, and the plug terminate behind the wall. If they’re so adverse to damaging it, they won’t cut the wire.

@Tim, yes, I already mentioned this class of solution in the question. But why go to all that trouble and expense when you can just disable WinRE instead?

I can now confirm that WinRE will not have access to BitLocker-encrypted drives unless you can provide the recovery key.

Exactly @Harry Johnstno ,I meant to say that encryption provide you more security.

@HarryJohnston If an attacker can't get the case open, he's not trying hard enough. A hacksaw and some elbow grease will "open" any computer case, to say nothing of power tools or an old-fashioned "smash and grab". Not to say that this is a likely risk for use case, but still, "physically secured" is a relative term, and almost never all that secure, in reality.

@HopelessN00b, yes, it's all about risk profiles.

There is a reason why WinRE is enabled on Win10. If your system fails to boot and you want to repair, WinRE tools help you do it. Once someone has physical access, all bets are off. Disabling it doesn't really help in that regard. One can easily create USB stick with WinRE and boot from it and now has access to whole C:\ drive.

@videoguy, that's why we disable booting from USB in the BIOS, and alarm the cases so users can't reset the BIOS password. And of course we have the tools we need to repair the system without needing WinRE, or since these are kiosk machines, we can just reinstall.