November 2006

2006: A Great Year for Windows IT Innovation

Meet this year's Windows IT Pro Innovators and their award-winning solutions

GRAND PRIZE
Martin Kiaer
Principal Consultant,
WM-data,
Ballerup, Denmark

Years in IT: 16
Fun Facts: Microsoft Most Valuable Professional (MVP) in Windows Security; freelance journalist for Denmark's largest computer magazine; attended college in the United States on a football scholarship
Notable Quote: "As a generic, bootable USB solution, Windows XP is actually more plug-and-play friendly than Novell SuSE Linux 10.1."
Email: mrkia@wmdata.com

Windows on a Memory Stick
Denmark's police force has what might be the ultimate in Windows mobile-computing technology: USB memory sticks that run XP. Two years ago, when the Danish National Police asked consulting firm WM-data to develop a state-of-the-art, secure method to let employees access the central system from any computer, Principal Consultant Martin Kiaer ultimately looked to the Linux world for inspiration. Martin devised a way to enable XP (and other Windows OSs) to boot and run reliably from a 4GB or 8GB encrypted USB memory device.

"The police wanted a highly secure and portable platform that looked and felt like the standard Windows desktop," says Martin. "I initially came up with some designs that used Windows Preinstallation Environment (WinPE), but that isn't a supported end-user OS. Then I thought about Linux: You can run it off a CD-ROM or a USB drive. I decided that if I could boot WinPE from a USB stick, it should be possible to boot any Windows OS from a USB stick."

The first time Martin tried to boot XP from a memory stick, he got a blue screen and an error. Undeterred, he spent about three weeks investigating what happens within Windows during the boot process. Martin won't divulge exactly how he got Windows to boot off the USB drive because of Microsoft licensing restrictions and Danish National Police confidentiality requirements. (Microsoft doesn't officially support booting Windows off a USB drive but gave special approval to the Danish police force to do so.)

Martin's next challenge was to make his solution generic so it could run with any make of PC or USB drive. "If you simply install Windows on a USB drive, Windows will be unstable because of the effect it has on removable devices. I had to modify my solution so that it behaves as a nonremovable storage device."

Securing the solution was Martin's final hurdle. Although USB devices have a reputation for vulnerability, "in terms of security, the USB device turned out to be my friend, not my enemy," he says. Martin worked on the solution's security function for almost a year to ensure that security, like other aspects of the system, would function the same regardless of the device on which XP was installed.

Martin determined that the essence of securing the USB devices was to keep security simple for end users. "Very few security decisions are left to users; everything is controlled centrally. The only thing the user needs is a smart card and PIN code." The 4GB USB key uses full-volume encryption (AES 256) to prevent unauthorized users from accessing the data and applications on the device. Typically, the USB key will be generic, Martin says. "At the start of a shift, a police officer gets a USB key. At the end of the shift, the officer turns in the key. The key is then 'refueled' using a specially designed life-cycle management solution—the refueling process reinstalls the OS and re-encrypts the USB key in about three and a half minutes."

To boot a computer from the memory stick, a user inserts the smart card and USB device into any computer that can establish a VPN connection, then enters a PIN. Via two-factor authentication, the user simultaneously logs on to Windows, the VPN, and Terminal Services. "We use proactive device security based on white lists, ensuring that any device attached externally or internally to the computer doesn't run if it isn't on a white list," Martin says. The user can connect to the central police department network via a LAN, wireless, or satellite connection or can work offline.

The Danish National Police will go live with Martin's solution in October. "There's nothing new about running an OS on a stick," says Martin. "What's new are the scenarios in which the solution is used and the security and maintenance schemes I developed. This project has been a passion, a lot of fun, and very challenging."


Reader Comments
OMG, nooooooo! You do realize that if you do this and deploy in this manner then you forfeit support from Microsoft:
828287 Unsupported Sysprep scenarios
http://support.microsoft.com/default.aspx?scid=kb;EN-US;828287

309283 HAL options after Windows XP or Windows Server 2003 Setup
http://support.microsoft.com/default.aspx?scid=kb;EN-US;309283
“5. Microsoft does not support running a HAL other than the HAL that Windows Setup would typically install on the computer. For example, running a PIC HAL on an APIC computer is not supported. Although this configuration may appear to work, Microsoft does not test this configuration and you may have performance and interrupt issues. Microsoft also does not support swapping out the files that are used by the HAL to manually change HAL types.”
(if support from Microsoft is not a concern, I wish you well if you go through with this.)

Juxp0, November 13, 2006


To add to my previous comment; I have seen support issues generated based off of similar installation methods.
And while I have not looked at the code, I wonder what would happen if you install a service pack after deploying in this fashion? How about updates?

Juxp0, November 13, 2006


Thanks for your comments about the article. I hope you'll contact Senapathy directly to discuss your questions with him, if you haven't already done so. (All the Innovators winners' email addresses appear in their articles.) --Anne Grubb, senior editor, Windows IT Pro

AnneG_editor, November 20, 2006


Windows IT Pro is a Division of Penton Media Inc. Copyright © 2008 Penton Media, Inc., All rights reserved.