Password protect non-default boot options


On a computer that is configured for booting to multiple operating systems /
windows recovery console, is there a way to password protect non-default boot
options? In other words, is there a way to keep users from choosing anything
other than the default OS unless proper credentials are given?

I guess a simpler way to put this is: is there a way to protect non-default
boot options from unauthorized access? Physical access is not an option as I
suspect a user might be accessing alternate boot options accidentally or
purposely to cause problems with system.

If there is no way to protect boot options I have this question: is there
any way for someone to surreptitiously bypass password prompted login via the
default OS by choosing another boot option, i.e. safe mode, et al? Can
someone damage/destroy system by booting system to recovery console or other
boot options via the F8 boot menu?

Thanks.
 
Hi,

There is nothing you are going to be able to do security-wise as long as the
user has physical access to the machine. If nothing else, he/she can always
boot a stand-alone OS on disk like BartPE or one of the many iterations of
Linux now available to access the machine.

AFAIK there is no way to password any boot options, though you may want to
check into some boot managers - some may offer a method of locking into the
default OS. You could also password the system boot from the BIOS, though
this could be cleared by means of a jumper on the motherboard or by removing
the CMOS battery. Again, physical access to a system is key, removing it is
the only real solution.

As to alternative logons, make sure they are all passworded, particularly
the hidden administrator account (in XP Home this only shows in Safe mode).
Even the Recovery Console requires an administrator logon. If done with
strong passwords, there is no way to bypass the logons, and I would suspect
that whatever damage is being done is being initiated from another
installation.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org
 
Thanks Rick. Here’s my situation. I’m the go to IT guy for a company that
has 14 systems. Two machines within one department that two particular users
use, best friends but alienated from the rest of the company, often boot into
alternate configurations that do not allow certain software to be run. These
users claim they cannot get the system to boot properly. So I get a call to
make a trip to troubleshoot. By the time I can arrive at the location half
the day has been wasted. Upon restart, system ALWAYS boots as it should, set
to start default OS within 15 seconds. These two employees blame the IT guy
(me) for their loss of productivity, while they go off and screw around since
the system they need access to is, in their words to their boss, “broken” or
“down” so they cannot work. EVERY time I have access to the system it ALWAYS
boots as it should. I would love to lock the system into booting only to one
OS but cannot as other users need the system to boot into an alternate
configuration. Note, these other users never experience this boot “problem.”
The only time this problem occurs is when one of these persons accesses the
system. I’m tired of getting blamed for something I cannot replicate, nor
can it be replicated when I’m there, hence my suspicion.

Sorry for the rant. Thanks again for the info. Anyone have any input, feel
free. One other thing, can the event viewer log which boot is chosen by the
user?

Thanks.
 
Hi,

No, the event viewer can't show which system was chosen to boot.

Call their bluff. Set a time for you and their boss to be there when they
are scheduled to start work. Be there early and waiting for them. Let them
boot the system in front of you and the big guy and see if anything happens.
They can hardly blame the IT guy if nothing goes wrong.

Unfortunately, if the system has to be open for others to use different
configurations, locking it down isn't an option. If it were just the two of
them, then I'd lock the case, password the startup BIOS, and set a kiosk
mode for the configuration they need. Warn them not to shut down or attempt
a restart and copy the boss on the memo.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org
 
PatrixUSA said:
On a computer that is configured for booting to multiple operating systems /
windows recovery console, is there a way to password protect non-default boot
options? In other words, is there a way to keep users from choosing anything
other than the default OS unless proper credentials are given?

I guess a simpler way to put this is: is there a way to protect non-default
boot options from unauthorized access? Physical access is not an option as I
suspect a user might be accessing alternate boot options accidentally or
purposely to cause problems with system.

If there is no way to protect boot options I have this question: is there
any way for someone to surreptitiously bypass password prompted login via the
default OS by choosing another boot option, i.e. safe mode, et al? Can
someone damage/destroy system by booting system to recovery console or other
boot options via the F8 boot menu?

Thanks.

A bit away from your original question here, but have you considered virtual
machines instead of dual-booting?

http://www.microsoft.com/windows/virtualpc/default.mspx

http://www.vmware.com/
 
Rick said:
Hi,

No, the event viewer can't show which system was chosen to boot.

Call their bluff. Set a time for you and their boss to be there when
they are scheduled to start work. Be there early and waiting for them.
Let them boot the system in front of you and the big guy and see if
anything happens. They can hardly blame the IT guy if nothing goes
wrong.

Unfortunately, if the system has to be open for others to use
different configurations, locking it down isn't an option. If it were
just the two of them, then I'd lock the case, password the startup
BIOS, and set a kiosk mode for the configuration they need. Warn them
not to shut down or attempt a restart and copy the boss on the memo.

I think Colin's idea is brilliant - run Virtual PC or VMWare and put the
other two operating systems in virtual machines. Password accordingly.

Malke
 
PatrixUSA said:
On a computer that is configured for booting to multiple operating systems /
windows recovery console, is there a way to password protect non-default boot
options? In other words, is there a way to keep users from choosing anything
other than the default OS unless proper credentials are given?

I guess a simpler way to put this is: is there a way to protect non-default
boot options from unauthorized access? Physical access is not an option as I
suspect a user might be accessing alternate boot options accidentally or
purposely to cause problems with system.

If there is no way to protect boot options I have this question: is there
any way for someone to surreptitiously bypass password prompted login via the
default OS by choosing another boot option, i.e. safe mode, et al? Can
someone damage/destroy system by booting system to recovery console or other
boot options via the F8 boot menu?

Thanks.


You would have to use a 3rd party boot manager. If I remember
correctly, System Commander from V-Communications had the capability of
securing each boot option. (Haven't looked for a modern version,
though; try Google.)


--

Bruce Chambers

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
 
All good advice and thanks for the input. Will research the virtual PC
option. I think I’ll also look into seeing if the client will pay to upgrade
the database software that requires the dual boot. No boot options at
startup would be optimal and easiest I think since there’d be a learning
curve for me with virtual PC.

Thanks to all for the input.
 
PatrixUSA said:
Bruce, System Commander sounds like it might be just what's needed. Thanks.

You're welcome.

--

Bruce Chambers

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
 
Using Virtual PC would be the way to go if there is a need to have different
operating systems. In the meantime see if there is another trusted person or
manager that can verify for you that there is indeed a problem before you
make the trip there and have them provide you with explicit information on
what the problem is and have them secure the computer for you until you get
there such as locking it up in some room or closet.

Steve
 