S 4.49 Protection of the boot procedure for a Windows system
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Windows can only be operated securely when it is guaranteed that a closed security environment will be created right from the start of the system. There should be no way to bypass the security functions of the operating system. This requires all resources that can be protected by Windows to be under the control of the operating system. In addition, there must not be any way to start external systems or open system environments from floppy disk drives, CD-ROM drives, or USB storage media that could undermine the protection offered by Windows. The following aspects must be taken into account to accomplish this:
- All existing hard drive partitions must be formatted with the NTFS file system. Partitions formatted with the FAT12, FAT16, FAT32, VFAT, or HPFS file systems cannot be protected against unauthorised access by users. On the one hand, this means that the data stored on these partitions can be accessed arbitrarily by all users. On the other hand, these partitions may be misused to exchange data between users in an uncontrolled manner.
- Floppy disk drives pose a similar risk, since diskettes can only be formatted with FAT or VFAT file systems in NT-based Windows systems. For this reason, all floppy disk drives on all computers not under the organisation's strict physical control must be locked as a rule (see S 4.4 Correct handling of drives for removable media and external data storage). On NT-based Windows clients, the floppy disk drives can also be disabled for users without the proper privileges by deactivating the Devices option in the Control Panel or via Computer Management | Device Manager, Floppy device. This should not be done on Windows NT/2000 servers (see S 4.52 Device Protection under Windows NT/2000/XP for more information) or on Windows Vista systems (S 4.339 Prevention of unauthorised use of removable media under Windows Vista).
- If the computer is equipped with an unlocked floppy disk drive or if it is possible to boot from an existing CD/DVD drive, there is a risk that the computer could be started with an operating system other than Windows. The same risk arises when it is possible to start the computer from a USB storage medium or when other operating systems are installed on a local hard disk. In this case, users can bypass the security mechanisms of Windows using various programs. There are now several programs that can read, and sometimes even change, protected NTFS files from a DOS or Linux environment. Both MS-DOS and Linux ignore the security attribute settings of an NTFS file system.
The user in this case has full access to all files on the computer from MS-DOS or Linux. For this reason, it is not recommended to install additional operating systems on the local hard disks of Windows systems.
- In the Enterprise and Ultimate versions of Windows Vista / Windows 7, the BitLocker hard drive encryption program is available for protecting the boot procedure. In connection with a TPM (Trusted Platform Module), BitLocker checks the system integrity during the boot procedure. Furthermore, it is possible to prevent unauthorised persons from booting Windows Vista / Windows 7 by using BitLocker PIN and/or USB stick authentication (see S 4.337 Use of BitLocker Drive Encryption).
- If you elect to reinstall Windows, you can either update the existing installation of the operating system or install a new version in parallel to the existing one. When the new version is installed in parallel, the existing file structure is not changed, but the predefined administrator account is recreated with a new password. This "new" administrator has full access to all resources available on the computer, and therefore also to all data and programs.
In order to prevent users from adding other operating systems to the boot menu of the Windows operating system, users must not be able to change the boot.ini file in the root directory of the first disk (see S 4.149 File and share authorisations under Windows and S 4.247 Restrictive assignment of authorisations under Windows Vista and Windows 7). In order to prevent the booting of alternative operating systems using a boot manager on an external medium such as a USB stick or CD/DVD, it must not be possible to change the boot order. A BIOS password should be used to protect the boot order.
- In Windows 2000, it is possible to create an emergency repair disk with the help of the installation program (see S 6.77 Creation of rescue disks for Windows 2000) that can then be used to restore a system. However, when restoring the system, the access protection mechanism of the NTFS partition of the operating system is disabled. For this reason, it is absolutely essential to store the installation programs, any existing emergency repair disks, and the setup diskettes in such a way that they are protected against unauthorised access. Protection against this specific threat can also be obtained by locking the disk drives (see S 4.4 Correct handling of drives for removable media and external data storage) and securing the boot procedure by specifying the corresponding BIOS settings (see above).
- The Recovery Console in Windows XP and Windows Vista / Windows 7 is used to reconstruct the system. In these versions, system restoration using an emergency repair disk is no longer available. The Recovery Console can either be started from the installation CD/DVD or the installation diskettes. It can also be integrated into the system so that it can be selected as one of the boot options during system start.
- Since the Recovery Console is such a powerful tool, its use must be restricted by configuring the BIOS accordingly and, more generally, by defining the Recovery Console policies (see S 4.244 Secure configuration of Windows client operating systems).
Review questions:
- Are all existing hard drive partitions formatted with the NTFS file system?
- Has it been ensured that users are prevented from booting the computer from a floppy disk drive, a CD-ROM drive, or USB storage media?
- Is the boot.ini file in the root directory of the first disk protected against changes?
- Are the existing installation programs, as well as any existing emergency repair disks, and installation media protected against unauthorised access?
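The following audit script is an added example, not part of S 4.49 or any BSI tooling; it gathers read-only evidence for the review questions on the file system, boot.ini protection and BitLocker/TPM state. It assumes PowerShell 3.0 or later (for Get-CimInstance) and an elevated session; the BIOS password and boot order have no reliable query interface from within Windows and must be verified at the machine.

```powershell
# Added audit script (not part of S 4.49): collects evidence for the review
# questions above. Read-only. Assumes PowerShell 3.0+ and an elevated session.

# 1. Every local fixed disk partition must be NTFS (DriveType 3 = local disk).
function Get-NonNtfsVolumes {
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
        Where-Object { $_.FileSystem -ne 'NTFS' } |
        Select-Object DeviceID, FileSystem
}

# 2. boot.ini (NT/2000/XP boot menu) must not be writable by ordinary users.
#    Flags any Allow ACE granting a Write bit to broad, well-known principals.
function Get-BootIniWritableBy {
    $path = Join-Path $env:SystemDrive 'boot.ini'
    if (-not (Test-Path $path)) { return @() }   # absent on Vista and later (BCD store)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    (Get-Acl -Path $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
    } | Select-Object IdentityReference, FileSystemRights
}

# 3. TPM presence and BitLocker protection of the OS volume (Vista/7 boot protection).
#    Win32_EncryptableVolume.ProtectionStatus: 0 = off, 1 = on, 2 = unknown.
function Get-BootProtectionStatus {
    $tpm = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $os = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -ClassName Win32_EncryptableVolume -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveLetter -eq $env:SystemDrive }
    [pscustomobject]@{
        TpmPresent         = [bool]$tpm
        TpmEnabled         = if ($tpm) { [bool]$tpm.IsEnabled_InitialValue } else { $false }
        OsVolumeProtection = switch ($os.ProtectionStatus) { 0 { 'Off' } 1 { 'On' } default { 'Unknown/not available' } }
    }
}

# Report: each empty finding list means the corresponding review question can be answered "yes".
'--- Non-NTFS fixed partitions (must be empty) ---'
Get-NonNtfsVolumes | Format-Table -AutoSize
'--- boot.ini ACEs granting write access to broad groups (must be empty) ---'
Get-BootIniWritableBy | Format-Table -AutoSize
'--- TPM / BitLocker state of the OS volume ---'
Get-BootProtectionStatus | Format-List
'NOTE: BIOS password and boot order cannot be queried reliably from Windows; check them on the machine.'
```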