Improving security using USB?

By aliyalcin
Hello all,

There's a project which I'm currently working on. One of my customers wanted a weird thing from me. It is all about preventing OS boot if we don't have the proper USB flash drive plugged in. As I thought, I need to copy the whole boot info (including MBR or BOOT.INI) to the USB drive to succeed at this, but I'm quite stuck.

I downloaded EasyBCD today but I'm very senseless about that.

Sorry for my bad grammar and I hope someone could help me through this. Anyone who wants to share their experience can send me an email: aliyalcin AT ymail.com

All Answers

That method won't stop anyone

by seanferd In reply to Improving security using ...

from making their own flash drive with a bootloader on it. So, I'm not even going to worry about killing the bootloader on the HDD and putting one on a flash drive to boot the system. And instructions and tutorials are all over the web for these things.

What the customer should consider, if they need to protect these systems, is authentication on the USB drives instead.

Either way, it makes a difference what operating system(s), which editions, service packs... Is this a domain environment?

My customer is not so good at technology, so...

by aliyalcin In reply to Improving security using ...

I just want to simply do these:

1- A simple operating system will run on the HDD.
2- USB will be used JUST to boot. Nothing more.
3- If we do not have the proper USB, then we should see "improper boot device" etc...

That's it. If we have USB plugged in, system will boot. Otherwise should fail.

I get that, but it will not secure the system at all.

by seanferd In reply to Improving security using ...

Anyone with a USB with a bootloader on it can boot the system. It won't secure anything.

Request for Clarification

by aliyalcin In reply to I get that, but it will n ...

No one can have a USB bootloader at that company I'm sure. I got you.

Request for Clarification

by seanferd In reply to I get that, but it will n ...

Well, if no one can bring in their own Flash drive, floppy, or CD, this may work then.

Request for Clarification

by aliyalcin In reply to I get that, but it will n ...

But how? :)
I want to have JUST a command that points the bootloader to USB :)

There is a way, but depends on OS

by paulo.sedrez In reply to Improving security using ...

Using Linux, you can have the file system encrypted except for the boot partition; the boot image will search for the decrypting key in the USB flash card. Without the proper key, the system can simply reboot.

Once the key is loaded, the boot can proceed and the flash drive can be removed and secured.

Use the BIOS to prevent the boot from any device other than the hard drive; be sure to lock the BIOS with a strong password.


- the system can only boot from hard drive;
- configuring the GRUB initialization with a password, you can prevent alterations during the boot processes; you can use the password in case of maintenance;
- the flash drive with the proper, signed key is *required* to decrypt the file systems;

That attends the requirements from your client.

(And you thought YOU had a bad grammar...)
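
A check for the setup described in the answer above, as an added example that is not part of the original thread: it audits a crypttab and a GRUB config for the key-on-USB and locked-boot-menu properties. It assumes a Debian-style `/etc/crypttab` using the `passdev` keyscript; the device label, file names and password hash are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Debian-style USB-keyed LUKS setup.

# check_crypttab FILE: pass only if every mapping reads its key from a
# separate device through the passdev keyscript (field 3 is
# "<device>:<path-on-device>"), not from "none" or a file on the local disk.
check_crypttab() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            n++
            if ($3 !~ /^\/dev\/disk\/by-(uuid|label)\/[^:]+:\/.+/) bad++
            if ($4 !~ /keyscript=[^,]*passdev/) bad++
        }
        END { if (n > 0 && bad == 0) exit 0; exit 1 }
    ' "$1"
}

# check_grub FILE: pass only if GRUB has a superuser with a hashed
# password and no plaintext "password" directive.
check_grub() {
    grep -Eq '^[[:space:]]*set superusers="[^"]+"' "$1" || return 1
    grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.' "$1" || return 1
    ! grep -Eq '^[[:space:]]*password[[:space:]]' "$1"
}

# Constructed sample files (labels, names and hash are placeholders).
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
cat > "$d/crypttab.good" <<'EOF'
cryptroot /dev/sda2 /dev/disk/by-label/KEYUSB:/root.key luks,keyscript=/lib/cryptsetup/scripts/passdev
EOF
cat > "$d/crypttab.bad" <<'EOF'
cryptroot /dev/sda2 /boot/root.key luks
EOF
cat > "$d/grub.good" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
EOF
cat > "$d/grub.bad" <<'EOF'
set superusers="admin"
password admin hunter2
EOF

for f in crypttab.good crypttab.bad; do
    check_crypttab "$d/$f" && echo "$f: ok" || echo "$f: key is not on a separate device"
done
for f in grub.good grub.bad; do
    check_grub "$d/$f" && echo "$f: ok" || echo "$f: boot menu not locked with a hashed password"
done
```

The `crypttab.bad` case is the one to watch for in practice: a key file kept on the unencrypted boot partition lets the disk unlock without the USB drive present.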

Create bootloader on USB key.

by seanferd In reply to Improving security using ...

Remove bootloader from HDD, and set the partition as "not active" with a partition editor.

There isn't any "pointing" involved. And I only have this one answer for you.

To do it differently, encrypt the drives, and have the decryption key on the USB drive. This doesn't involve messing around with the boot loader, but you must meet the requirements for BitLocker. (And this will actually secure the system.)
