Re: Secure Boot Manager

["herki" <herki () naex sk>]

     One way (the easiest), how to do this is to set both partitions
(windows) as hiden. If you boot from one of them, the other stay
unaccessible
and unvisible. Of course the one, you have booted from is visible.
    The problem is, if you have logged in as admin, you can change the
partition as unhidden or mount it another way. But if you haven't
administrator's rights, you cannot access it.
    Also the other way, how to access the hidden patition(s) is boot from a
bootable disk(floppy,CD) for ex. some mini linux distribution and set the
partition as unhidden. So it is good to have your bios setup under password
and booting enabled only from local disk(s).
    This works only on win2k(winNT) or higher, where OS switchs
between diffrent privileged processor levels.
    If you have NTFS partition(s), you should set "partition type id" from
7h(unhidden) to 17h(hidden) (from bh to 1bh on fat32 partition(s)) if you
are going to use some of the low level disk tools.
     If you cannot set all the things mentioned above, it is more secure to
crypt both disks.


 herki

----- Original Message -----
From: "Meidinger Christopher" <christopher.meidinger () badenIT de>
To: "Security-Basics@Securityfocus. Com (E-Mail)"
<security-basics () securityfocus com>
Cc: "Meidinger Christopher" <christopher.meidinger () badenIT de>
Sent: Monday, June 30, 2003 1:44 PM
Subject: Secure Boot Manager


> Hello List-Readers,
>
> i have a question for you all, hopefully someone will have a great answer
> for me.
>
> Our company needs to securely seperate two partitions on several laptops.
> This means we are looking to have two Windows Installations on one hard
> drive, and have them be *entirely* invisible to one another, even if the
> user has escalated privileges.
>
> This involves keeping two secure networks seperated. I am less worried
about
> the actual data on the machines. If the user should do something to
destroy
> one of the partitions, that's ok, there just has to be a 0% chance that
the
> OS on the other partition can access it.
>
> The best solution i have been able to come up with is:
>
> 1. encrypt the partitions - we will buy a commercial software so that the
OS
> itself and its entire partition can be encrypted.
> 2. use a boot manager to hide the partitions from one another so that the
> user would have to actively un-hide them to attempt to mount them
>
> Can anyone point out any obvious problems here, or does anyone have a
> suggestion on how to do this better? I have no real reason to encrypt the
> data except to make it inaccessible for the other OS, so i would prefer to
> avoid the performance loss associated with encrypted file systems if
> possible. I just haven't thought of another way to be 100% sure that
neither
> OS can access the partition of the other one.
>
> Thanks in advance,
>
> badenIT GmbH
> System Support
>
> Chris Meidinger
> Tullastrasse 70
> 79108 Freiburg





---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------