
We have corporate network where remote workers connect via encrypted laptops (Windows 7) using VPN (Cisco AnyConnect client), log into the Windows domain and access their network shares, Outlook e-mail, MS Office applications and the sales database. For security reasons laptops are configured so that files cannot be saved locally (on drive C:) and USB ports are disabled. So people can work only when logged on the corporate network and then save their files on their network shares. In terms of threats we assume that users are honest and do not try to abuse their physical access to laptops.

Problem: We have a small department that organises conferences and events. For the organisers this configuration often presents problems - e.g. lecturers come with their USB sticks for presentations, or need access to internet. Every time there is a glitch with the VPN connection from where they are located (e.g. cannot connect to VPN, or connection is very slow) the organisers suffer embarrassing difficulties using their laptops with lecturers and audience waiting. When it happens this costs in time, reputation and probably more. This has led to the following solution:

Solution: We have set up the 4 laptops of the conference department in such a way that they dual-boot between two Windows 7 installations, each from its own fully encrypted hard drive. Installation 1 is the same as before and provides access to corporate network. Installation 2 has Windows configured to be used on local machine only - without access to corporate network. The conference organisers can use this installation as they would want but without autorun and without privileges to install programs locally. They can use wifi in conference centers and hotels and the built-in mobile 3G connection. Antivirus software is updated regularly. Configuration of Installation 2, if needed, is done via the local administrator account by the network specialist at the company base. If the users of these laptops need to exchange document files with their corporate network (or their own accounts there) they use e-mail. Every 4 to 6 months their Installation 2 is overwritten / re-imaged by the network specialist, to deal with any potential problems.

Could this setup be considered reasonably safe, given that the conference organisers are responsible people? Are there better solutions that would allow the organisers to both access the corporate network (with re-booting) and to use laptops for conference presentations as described?

r0berts
  • 113
  • 5

2 Answers

4

It depends on your threat model. There is one problem I can see: disk encryption does not guarantee integrity. That means the other operating system installation could change the data on the first one. Now unless something went wrong, it should not be able to write arbitrary data (it does not know how to encrypt them), but it can write random data, or more dangerously roll back the data to an earlier version. This could allow for example uninstallation of security updates. Then the attacker could exploit the vulnerability that was supposed to be patched already. This could allow an attacker who was able to infect the less-used OS for presentations to attack the OS connected to the corporate network. This may be solved by reinstalling the presentation OS after each update.

Another problem may be that if the OS connected to the corporate network stores data on its local drive, for example as cache for the network share, the presentation OS may see when data changes, even if it can't see from what to what. This can't be really prevented with FDE, though it gives an attacker a limited amount of information.

An option to solve some of these issues may be to use file-system encryption in addition or instead of FDE, but reverting the whole disk will still be possible.

Peter Harmann
  • 7,778
  • 5
  • 20
  • 28
  • Thanks, this is very useful. I understand that writing random data would corrupt the non-booted installation, this would be evident on boot and therefore the disk will be re-imaged. Uninstallation of security updates - is that really possible, if the attacker does not know how to write in the encrypted disk. I suppose for the presentation OS an updated master image could be kept centrally and imaged over the disk monthly? – r0berts Apr 29 '18 at 19:58
  • @r0berts He can uninstall them, because he can store them. So after infection he stores an image of the encrypted drive and after a vulnerability is discovered, he prepares an exploit and restores the OS from the image. He never needs to decrypt the image, he can just hold it indefinitely and it is already encrypted. – Peter Harmann Apr 29 '18 at 20:19
  • 1
    @r0berts note that the best setup would be if you could get a hardware switch to disconnect the drives. So one drive would always be connected and one disconnected, never both at once. But making a hardware switch into a laptop may not be feasible. An alternative may be external drives. Just pull out all drives from the laptop and use external ones, always either connecting the one with the networked OS or one with the presentation OS (if this level of security is really required). – Peter Harmann Apr 29 '18 at 20:21
  • Otherwise, just re-installing both operating systems often should be enough. – Peter Harmann Apr 29 '18 at 20:24
  • @PeterHarmann So let's say today, I go to a conference, someone steals my laptop, makes an image of the encrypted install #1, and then replaces my laptop before I notice it was gone. Sometime in the next month a big vulnerability is found and MS patches it which is rolled down to my laptop. Sometime after that I go back to another conference and the same attacker intercepts my laptop to restore the previously made image? Do I have that right? – Dean MacGregor Apr 29 '18 at 20:24
  • @DeanMacGregor Yes, except the attacker can do it without touching your laptop if he can infect install #2. Do all the stuff using malware. – Peter Harmann Apr 29 '18 at 20:27
  • I don't know how file system encryption would differ from FDE, could you please let me know? Is it like encrypting certain directories and files? – r0berts Apr 29 '18 at 22:57
  • 1
    @r0berts Sorry for being silly and wrong, file-system encryption stops many possible attacks, but not making an image of the whole disk. The difference is that FDE has to encrypt on block level and it can't store any additional data. File-system encryption knows the data format, can encrypt on file level and most importantly can store MACs to guarantee integrity. It does not prevent reverting to old version completely, but it prevents most other attacks. Here is an article with more detail about why XTS (standard FDE) sucks: https://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/ – Peter Harmann Apr 30 '18 at 06:08
  • That is a very good article, thanks. Somewhere past the halfway point it started to get a bit harder to understand, but I get the general idea. What would be an alternative file level encryption scheme? VeraCrypt for example uses XTS mode, so it might be not that much different. – r0berts Apr 30 '18 at 06:56
  • @r0berts VeraCrypt is for FDE and its containers also act like FDE (using XTS and block level encryption). I don't personally know any filesystem level encryption solution for Windows other than their built in one, which is "not great": https://security.stackexchange.com/questions/8307/how-secure-is-ntfs-encryption – Peter Harmann Apr 30 '18 at 07:02
  • @Peter Harmann Thanks, that is very helpful and a very relevant post for me to read. – r0berts Apr 30 '18 at 08:06
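Peter's points above (FDE cannot store MACs, random writes and whole-image rollbacks from the other OS go unnoticed, and even with MACs a rollback is only detectable, not prevented) can be turned into a boot-time check that the networked OS runs over its own ciphertext. This is an added example, not code from the thread; it assumes a hypothetical MAC key and a version counter kept where the presentation OS cannot write (a central server or TPM NV index), and the disk image and sector size are constructed stand-ins.

```python
import hashlib
import hmac
import os

SECTOR = 512  # tags are computed over the encrypted sectors; nothing is decrypted


def sector_tags(image: bytes, mac_key: bytes) -> list:
    """HMAC-SHA256 over each ciphertext sector of the FDE image."""
    return [hmac.new(mac_key, image[i:i + SECTOR], hashlib.sha256).digest()
            for i in range(0, len(image), SECTOR)]


def make_record(image: bytes, mac_key: bytes, version: int) -> dict:
    """Integrity record written by the networked OS after every legitimate change."""
    tags = sector_tags(image, mac_key)
    root = hmac.new(mac_key, version.to_bytes(8, "big") + b"".join(tags),
                    hashlib.sha256).digest()
    return {"version": version, "tags": tags, "root": root}


def verify(image: bytes, mac_key: bytes, record: dict, expected_version: int):
    """Return (ok, reason). expected_version is assumed to come from a store the
    presentation OS cannot rewrite, so an old image restored together with its
    old record is reported as a rollback instead of being accepted."""
    root = hmac.new(mac_key, record["version"].to_bytes(8, "big")
                    + b"".join(record["tags"]), hashlib.sha256).digest()
    if not hmac.compare_digest(root, record["root"]):
        return False, "record forged or corrupted"
    if record["version"] != expected_version:
        return False, f"rollback: image version {record['version']}, expected {expected_version}"
    tags = sector_tags(image, mac_key)
    bad = [i for i, (a, b) in enumerate(zip(tags, record["tags"]))
           if not hmac.compare_digest(a, b)]
    if bad or len(tags) != len(record["tags"]):
        return False, f"sectors changed outside the encrypted OS: {bad}"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: a patch cycle, then a rollback and a random overwrite."""
    key = b"constructed-mac-key-held-inside-the-networked-os"
    image_v1 = os.urandom(8 * SECTOR)                    # stands in for the encrypted volume
    rec_v1 = make_record(image_v1, key, 1)
    image_v2 = image_v1[:2 * SECTOR] + os.urandom(SECTOR) + image_v1[3 * SECTOR:]  # update rewrote sector 2
    rec_v2 = make_record(image_v2, key, 2)
    counter = 2                                          # bumped off-disk with the update
    garbage = image_v2[:5 * SECTOR] + os.urandom(SECTOR) + image_v2[6 * SECTOR:]   # sector 5 trashed
    return {"current": verify(image_v2, key, rec_v2, counter),
            "rollback": verify(image_v1, key, rec_v1, counter),
            "random_write": verify(garbage, key, rec_v2, counter)}
```

The check only flags a restored or corrupted image; the fix on detection is the re-image the thread already proposes.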
2

The short answer is that it's not secure.

Not only aren't dual-boot installations secure against each other, they're actually less secure when the other install is running. Normally Windows tries to protect some of its files; it won't protect another Windows. Dual-booting is often used by admins to perform actions beyond even admin privileges.

Drive encryption changes this, as it protects the OS from having its data read. But it doesn't protect the OS from being overwritten in its entirety.

The long answer is that it depends (aren't all long answers like that?). Realistically, most malware is made to attack the currently booted system. If everyone acts in good faith, you only have to worry about opportunistic attacks from accidental infections.

It's possible for someone who knows your system and wants to break into your system to do so. They can still replace data on your secure drive or reimage it with a different install with whatever payload they want. Windows tends to ignore a lot of errors. But it's not an issue if the network has security beyond login-password to control access.

However, realistically, your setup is far less likely to compromise your corporate network than the default option, even if it's just security through obscurity. Ideally, if that's an option, using dedicated outdated or written-off computers to run presentations would be more secure.

Therac
  • 2,610
  • 11
  • 18
  • 1
    That is not entirely true. If the attacker rewrites the drive, he will lose the credentials for the corporate network, along with anything valuable. In other words, he will not gain anything. He would have to come up with a more sophisticated attack to get into the network. – Peter Harmann Apr 29 '18 at 19:45
  • I agree, the main object to protect here is access into corporate network. So if the Installation 1 is damaged it has to be re-imaged. With respect to using outdated computers to run presentations - I wish it were possible, but it gets hard to lug around 2 computers. I understand for the attacker to re-image our 'secure' drive he has to have physical access. I completely agree this is a significant vulnerability, but we trust the organisers not to allow others to use the laptops. – r0berts Apr 29 '18 at 19:54
  • Well, given the security configuration, that's probably so. If the employees in question are computer literate, there will be more than enough red flags. – Therac Apr 29 '18 at 19:58
  • Thanks, I suppose this system is better than using default Windows installation with permission to save files locally and allowing to use USB. Your comment about possibility of imaging the other disk is helpful; I had not thought of it. – r0berts Apr 29 '18 at 22:53