Building a dual boot system with Windows Vista BitLocker protection with TPM support

Updated 2008-05-12: added a step to turn the TPM on before enabling BitLocker. By the way, someone made me notice this post is now referenced by the official BitLocker FAQ on Microsoft’s website. Many people have wondered if it would be possible to dual boot a TPM-bitlockered instance of Windows Vista with Linux,…

11

How to use Windows Vista’s Boot Manager to boot Linux

The Web is full of explanations on how to dual boot Windows and Linux using a Linux boot manager like GRUB or LILO. If you want to dual boot Windows Vista and Linux using Windows Vista’s Boot Manager, please read on. I will assume that you already have installed Linux on your machine using GRUB…

7

Network restrictions for service hardening

(This is part 5 of our series of posts on service hardening.) Last but not least, a service can be (and should be) configured to have network restrictions with what is called the “Windows Service Hardening” rules in the Windows SDK (we’ll call those WSH rules for short). As a service developer, it is your…

3

Per-service SID

(This is part 3 of our series of posts on service hardening.) Under Windows Vista/Longhorn Server, your service can now have its own SID (Security Identifier), which you can then use in ACLs to protect your service resources. You configure your service to be assigned a per-service SID during its installation with the ChangeServiceConfig2 API (dwInfoLevel=…

2

Services isolation in Session 0 of Windows Vista and Longhorn Server

You may have heard that built-in services in Windows Vista were specifically hardened by Microsoft engineers during its development process. You might be wondering what that really means, how it works and, if you are a developer, how to harden your own services the Vista way. Jean-Yves Poublan, a Principal Security Consultant at Microsoft, and…

2

Least privilege for services

This is part 2 of our series of posts on service hardening. “Need to have” and least privilege principle: Executing with least privilege is a good practice of computer security. As with the “need to know” principle for information access, there should be a “need to have” principle for privileges. If your code does not…

2

Linux-Windows Vista dual boot with BitLocker and a TPM

Based on my earlier posts, I’ve recently written a whitepaper for Microsoft France on how to build a machine that is capable of dual booting either Linux or Windows Vista when the latter is protected by BitLocker leveraging a TPM chip. If you understand French, you’ll find the whitepaper, a webcast where I describe…

1

Write-restricted token

(This is part 4 of our series of posts on service hardening.) A service can be configured to be write-restricted, in addition to having a per-service SID. To do so, you specify a SID type of “Restricted” when configuring your service (see our previous post “Per-service SID”). In that case the process hosting your service…

1

"Security is not important, when you have it.(*)" – a constructive blog on security

Hello everyone! As you can see, I decided to start blogging on security, maybe sometimes on interoperability. To be honest, if the blogosphere was the solar system, I could be found closer to Neptune than Mercury. However, I’ve been spending more than the last five years meeting with people on security and every time I…

1

The human factor is a chance for IS security

People: the weakest link or a chance for security? Have you ever heard security experts? They all point out that the human factor is the weakest link in the security chain. They often make fun of people being victims of social engineering for instance. They try to prove their assumption by showing how phishing attacks…

1