S 6.24 Creating an emergency boot medium
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
When configuring a computer, a boot medium should be created that can be used to reboot the system after the failure of a hard disk and to create a controlled system state in the event of an infection by malware. Such boot media can include Emergency Repair Disks (ERDs) or CDs, which the particular operating system may offer to create, but can also include CDs or portable drives (such as USB sticks or external hard drives with a USB or Firewire interface) configured by the organisation itself. The type and scope of the emergency boot medium depends on the intended use of the computer and on which interfaces are available.
The emergency boot medium can be used in case the following problems arise, among others:
- a loss of data due to user error,
- operating and administration errors that prevent the computer from being used and rebooted,
- the system is infected with malware (computer viruses, for example),
- the system is compromised by an attacker,
- hardware problems.
Ideally, the emergency boot medium will contain all programs and data needed to analyse and, if possible, eliminate the problems found. It is also possible to create different boot media for different problem scenarios, if necessary.
The following programs are recommended as "standard equipment":
- virus protection programs with up-to-date signatures,
- programs for editing configuration files or the databases maintained by the system (e.g. editors for files, the registry, etc.),
- a program for restoring the boot sector and MBR (master boot record) of the system disk,
- backup/recovery programs,
- diagnostic programs to analyse hardware defects.
In addition to these programs, other programs for more detailed analysis can be added to the media, for example for the forensic analysis of a compromised system.
It is essential that all programs and libraries are loaded from the boot medium only; no component of the installed system may be used, since exactly those components may be damaged, altered by malware or replaced by an attacker. When creating the boot medium, it must also be ensured that, in addition to the required programs, all drivers needed to access the disks installed in the computer are available. This includes, for example, drivers for hard disk controllers (especially RAID controllers) and drivers for hard disk encryption or compression, if such functions are used; without the encryption driver and the corresponding key material, the data on an encrypted disk cannot be reached from the boot medium at all.
If the boot medium provides enough storage space, then additional programs or documentation can be stored on the medium. For example, troubleshooting can be performed much more efficiently when the boot medium always contains up-to-date documentation of the system configuration.
The emergency boot medium itself must be free of viruses and other malware. For this reason, only programs from trustworthy sources (e.g. taken directly from the manufacturer's original installation media) or whose digital signatures or published checksums have been verified should be used. The boot medium should also be scanned with a virus protection program at least once after it has been created and after every change to the boot medium, using a system that is known to be clean. Where the medium supports it, it should be write-protected after creation so that it cannot be altered unnoticed later.
It is not absolutely necessary to create a separate boot medium for each system. One boot medium, when designed flexibly enough, can suffice for a large number of different systems. The operating system used on the boot medium does not even have to be the same as the operating system on the target system itself, although using the same operating system on both offers advantages in terms of compatibility. In any case, it is absolutely necessary to ensure, by conducting appropriate tests, that the medium actually works on all computers for which it was designed. Depending on the operating system, certain system-specific aspects may also have to be taken into account.
After making changes to the target system, for example after updating the operating system or making changes to the configuration, the emergency boot medium and the documentation stored on it must be updated, if necessary. Changes to the boot medium must be documented as well.
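The two requirements above, that nothing is loaded from the installed system and that the medium is checked after creation and after every change, can be turned into repeatable checks. The following POSIX shell script is an added illustration and not part of this safeguard text. It assumes a Linux host with sha256sum (GNU coreutils) and readelf (binutils), and a boot medium that is staged or mounted at a directory path passed as argument; the function names and messages are this example's own.

```shell
#!/bin/sh
# Added example for S 6.24 (not part of the original safeguard text).
# Two checks on a staged or mounted emergency boot medium, passed as a
# directory path:
#   build_manifest / verify_manifest - record the SHA-256 of every file so
#       that changes after creation (or tampering) are detected, matching the
#       requirement to check and document the medium after every change.
#   check_self_contained - for each dynamically linked ELF executable on the
#       medium, confirm that every NEEDED shared object is also on the medium,
#       matching the requirement that no component of the installed system
#       is used.
# Assumes a Linux host with sha256sum (GNU coreutils) and readelf (binutils).
# Function names and messages are this example's own (hypothetical).

# build_manifest DIR
#   Prints "sha256  ./relative/path" for every regular file under DIR in a
#   fixed order, so the output is reproducible and can be stored off the
#   medium, diffed, or signed (e.g. with gpg --detach-sign).
build_manifest() {
    dir=$1
    ( cd "$dir" || exit 1
      find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done )
}

# verify_manifest DIR MANIFEST
#   Returns 0 when the files under DIR match MANIFEST exactly; returns 1 and
#   prints the differing lines when a file was modified, added or removed.
verify_manifest() {
    dir=$1
    expected=$2
    current=$(mktemp)
    build_manifest "$dir" > "$current"
    if cmp -s "$expected" "$current"; then
        rm -f "$current"
        return 0
    fi
    echo "boot medium differs from manifest $expected:"
    diff "$expected" "$current" | grep '^[<>]'
    rm -f "$current"
    return 1
}

# check_self_contained DIR
#   Returns 0 when every NEEDED library of every owner-executable file under
#   DIR exists somewhere under DIR, 1 when a dependency would have to come
#   from the host system, 2 when readelf is unavailable. Statically linked
#   executables and non-ELF files (scripts) have no NEEDED entries and pass.
check_self_contained() {
    medium=$1
    if ! command -v readelf >/dev/null 2>&1; then
        echo "readelf not found; install binutils" >&2
        return 2
    fi
    problems=$(
        find "$medium" -type f -perm -100 -print | while IFS= read -r bin; do
            # readelf -d lists dynamic tags; NEEDED lines end in "[libname.so]"
            readelf -d "$bin" 2>/dev/null \
              | awk '/\(NEEDED\)/ { gsub(/[][]/, "", $NF); print $NF }' \
              | while IFS= read -r so; do
                    # symlinks such as libc.so.6 -> libc-2.x.so must count,
                    # so no -type filter here
                    find "$medium" -name "$so" | grep -q . \
                      || echo "$bin needs $so, which is not on the medium"
                done
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Usage (with the medium mounted read-only at /mnt/rescue):
#   . ./bootmedium_check.sh
#   build_manifest /mnt/rescue > rescue.sha256      # once, after creation
#   verify_manifest /mnt/rescue rescue.sha256       # before each use
#   check_self_contained /mnt/rescue                # after each change
```

The manifest belongs with the change documentation, not on the medium itself; an attacker who can alter the medium could otherwise alter the manifest as well. A signed manifest kept in the documentation also serves as the record of the medium's contents that the safeguard asks for.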
The system administrator must be able to access the emergency boot medium quickly so that valuable time is not wasted in case of a malfunction. However, the emergency boot medium also needs to be stored in a secure location that is inaccessible to unauthorised persons.
The function of the emergency boot medium should be tested regularly, and the administrators should practice using programs stored on it to ensure that the medium will work properly in the event of problems and to ensure the administrators are familiar with the operation of the programs. Consideration should be given to storing a quick guide in printed form together with the medium that summarises the most important steps to take for typical operational scenarios.
Review questions:
- Are emergency boot media available that can be used to start the IT systems and put them in a controlled state?
- Are all programs and libraries loaded from the boot medium only?
- Do the emergency boot media contain all programs, drivers, and data required?
- Are the emergency boot media scanned for malware when created and after making changes?
- Are the contents of the boot media obtained from trustworthy sources?
- Are the emergency boot media always kept up-to-date?
- Has it been ensured that only authorised personnel have access to the emergency boot media?
- Are the boot media tested after they have been created?