Security Basics mailing list archives
Re: Secure Boot Manager
From: "herki" <herki () naex sk>
Date: Tue, 1 Jul 2003 23:21:39 +0200
One way (the easiest), how to do this is to set both partitions (windows) as hiden. If you boot from one of them, the other stay unaccessible and unvisible. Of course the one, you have booted from is visible. The problem is, if you have logged in as admin, you can change the partition as unhidden or mount it another way. But if you haven't administrator's rights, you cannot access it. Also the other way, how to access the hidden patition(s) is boot from a bootable disk(floppy,CD) for ex. some mini linux distribution and set the partition as unhidden. So it is good to have your bios setup under password and booting enabled only from local disk(s). This works only on win2k(winNT) or higher, where OS switchs between diffrent privileged processor levels. If you have NTFS partition(s), you should set "partition type id" from 7h(unhidden) to 17h(hidden) (from bh to 1bh on fat32 partition(s)) if you are going to use some of the low level disk tools. If you cannot set all the things mentioned above, it is more secure to crypt both disks. herki ----- Original Message ----- From: "Meidinger Christopher" <christopher.meidinger () badenIT de> To: "Security-Basics@Securityfocus. Com (E-Mail)" <security-basics () securityfocus com> Cc: "Meidinger Christopher" <christopher.meidinger () badenIT de> Sent: Monday, June 30, 2003 1:44 PM Subject: Secure Boot Manager
Hello List-Readers, i have a question for you all, hopefully someone will have a great answer for me. Our company needs to securely seperate two partitions on several laptops. This means we are looking to have two Windows Installations on one hard drive, and have them be *entirely* invisible to one another, even if the user has escalated privileges. This involves keeping two secure networks seperated. I am less worried
about
the actual data on the machines. If the user should do something to
destroy
one of the partitions, that's ok, there just has to be a 0% chance that
the
OS on the other partition can access it. The best solution i have been able to come up with is: 1. encrypt the partitions - we will buy a commercial software so that the
OS
itself and its entire partition can be encrypted. 2. use a boot manager to hide the partitions from one another so that the user would have to actively un-hide them to attempt to mount them Can anyone point out any obvious problems here, or does anyone have a suggestion on how to do this better? I have no real reason to encrypt the data except to make it inaccessible for the other OS, so i would prefer to avoid the performance loss associated with encrypted file systems if possible. I just haven't thought of another way to be 100% sure that
neither
OS can access the partition of the other one. Thanks in advance, badenIT GmbH System Support Chris Meidinger Tullastrasse 70 79108 Freiburg
--------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ----------------------------------------------------------------------------
Current thread:
- RE: Secure Boot Manager Brent Gardner (Jul 02)
- <Possible follow-ups>
- Re: Secure Boot Manager herki (Jul 02)
- Re: Secure Boot Manager Jeff (Jul 02)
- Re: Secure Boot Manager herki (Jul 02)