RE: Secure Boot Manager

From: Brent Gardner <bgardner(at)iprocorp.com>
Date: Mon Jun 30 2003 - 19:42:20 EDT

There are probably many options available in the *nix world but speaking as a non-*nix literate admin I have had success using Smart Boot Manager (btmgr.sourceforge.net). It will allow you to set passwords for each configured partition as well as a password to prevent changes to the boot manager configuration.

You will of course need to set the BIOS to prevent booting from removable media and then password protect the BIOS.

A determined hacker could remove the hard drive from the laptop to try to access it in a separate machine. Encryption would probably guard against this.

As always, it's all a matter of how much time and money you want to spend.

Brent Gardner
Network Administrator
IPRO Tech, Inc.
www.iprocorp.com
602-324-4776

-----Original Message-----

From: Meidinger Christopher [mailto:christopher.meidinger@badenIT.de] Sent: Monday, June 30, 2003 4:45 AM
To: Security-Basics@Securityfocus. Com (E-Mail) Cc: Meidinger Christopher
Subject: Secure Boot Manager

Hello List-Readers,

i have a question for you all, hopefully someone will have a great answer for me.

Our company needs to securely seperate two partitions on several laptops. This means we are looking to have two Windows Installations on one hard drive, and have them be *entirely* invisible to one another, even if the user has escalated privileges.

This involves keeping two secure networks seperated. I am less worried about the actual data on the machines. If the user should do something to destroy one of the partitions, that's ok, there just has to be a 0% chance that the OS on the other partition can access it.

The best solution i have been able to come up with is:

1. encrypt the partitions - we will buy a commercial software so that the OS itself and its entire partition can be encrypted.
2. use a boot manager to hide the partitions from one another so that the user would have to actively un-hide them to attempt to mount them

Can anyone point out any obvious problems here, or does anyone have a suggestion on how to do this better? I have no real reason to encrypt the data except to make it inaccessible for the other OS, so i would prefer to avoid the performance loss associated with encrypted file systems if possible. I just haven't thought of another way to be 100% sure that neither OS can access the partition of the other one.

Thanks in advance,

badenIT GmbH
System Support

Chris Meidinger
Tullastrasse 70
79108 Freiburg

---

Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm

---

---

Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare.      

Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance.           

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm

---

Received on Wed Jul 2 12:01:54 2003