act@softserver.canberra.edu.au (Andrew Turner) (04/23/91)
To minimise and manage virusses at our institution I wish to prevent PC's being booted off Drive A: and only permit booting off the Hard Disk. This of course immediately presents a management problem of what to do if the Hard Disk goes bad and I need to boot off a floppy. So ideally any solution needs to address this situation. Two possibilities spring to mind: a. Use of a ROM. This would sit in the appropriate address space and be detected during the BIOS boot. The code would need to at least prevent floppy boots and desirably check for a floppy with a particular label and if detected permit the floppy boot. This would overcome the problem of a clobbered hard disk. b. Use of hardware modifications connected to a key switch mounted on the case which would be used to enable/disable floppy boots. On our machines the keyboard lock could be used for this purpose. If you have a solution that does not address all the problems still respond. ALL suggestions help welcome. For option a., actual code and/or technical specs would be appreciated. For option b., specific details please. We run both Wyse 286's and PROTECH 386sx's(towers) all with hard disks. If I get a meaningful response I'll post a summary. - -- Andrew Turner :-) | E-mail : act@csc.canberra.edu.au Comp. Services Centre | +61 6 2522414 / +61 6 2522401 University of Canberra |________________ fax +61 6 2522400 P.O. Box 1 BELCONNEN ACT 2616 AUSTRALIA |
padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (04/24/91)
>From: act@softserver.canberra.edu.au (Andrew Turner) >a. Use of a ROM. The best way. According to Computer Shopper, ROMs run about $70 qty 1. Certain PS/2, Compaq, & Zenith PC have this standard. A ROM extension on a 8-bit card would also be simple & could be cheap but would have two drawbacks: 1) Memory would have to be allocated in the region of C800-F000 (segment) 2) Would use a slot. >b. Use of hardware modifications connected to a key switch mounted on > the case which would be used to enable/disable floppy boots. Don't think this would work since all that is required to boot is for the disk to be read. I do not think a switch could prevent selective reads without disbling any read. (unless you have a use for a write-only floppy). If you only have one floppy, you might be able to connect it as drive B to prevent booting if the BIOS does not halt with an error on boot - this is machine depandant but the cost (if it works) is essentially zero. The other possibility is via software. This will not protect against a cold (power-off) boot, but can trap <cntrl><alt><del>. I believe McAfee's F-Prot does this. Not a 100% solution, but possibly into the 90's.
davidsen@crdos1.crd.ge.COM (Wm E Davidsen Jr) (04/26/91)
| >b. Use of hardware modifications connected to a key switch mounted on | > the case which would be used to enable/disable floppy boots. | | Don't think this would work since all that is required to boot is for the | disk to be read. I do not think a switch could prevent selective reads witho ut | disbling any read. (unless you have a use for a write-only floppy). All you need is a switch the BIOS can read to disable trying the boot on A:. I mailed this to the original poster, but here's my idea. I suggested it to a vendor, but they haven't used it, or at least not yet. Have in the CMOS a "boot path" which works like the PATH variable, and specifies which devices are to be tried, in what order. This allows disable of floppy boot, as well as boot from B: if A: fails or if you have one 5-1/4 and one 3-1/2, etc. Use a password to allow access to change the configuration. If the password takes too much room, save three bytes of CRC20 plus a value for length range 1-15 characters. Length zero could mean "no password." - -- bill davidsen (davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen) "Most of the VAX instructions are in microcode, but halt and no-op are in hardware for efficiency"
padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (04/27/91)
>From: davidsen@crdos1.crd.ge.COM (Wm E Davidsen Jr) > All you need is a switch the BIOS can read to disable trying the >boot on A:. First you need a BIOS that will read the switch (hardware again - best but most expensive answer). The programming is trivial but production is the hard part (ps a ROM extention is easy & uses the stock BIOS, for maintenance/resale, just remove it & you have a "normal" PC. Warmly, Padgett
chap@art-sy.detroit.mi.us (j chapman flack) (05/01/91)
davidsen@crdos1.crd.ge.COM (Wm E Davidsen Jr) writes: >I mailed this to the original poster, but here's my idea. I suggested >it to a vendor, but they haven't used it, or at least not yet. > >Have in the CMOS a "boot path" which works like the PATH variable, and >specifies which devices are to be tried, in what order. This allows >disable of floppy boot, as well as boot from B: if A: fails or if you >have one 5-1/4 and one 3-1/2, etc. > >Use a password to allow access to change the configuration. If the >password takes too much room, save three bytes of CRC20 plus a value >for length range 1-15 characters. Length zero could mean "no >password." AST Research implements all of this. They included every detail needed to make a workable system: 1) you can set a boot path in the CMOS, 2) the setup program is in firmware, so you can change the boot path if you can't boot, 3) a password can be required to get into the firmware setup. Then they added a "feature": if the hard drive won't boot, it will automatically override your boot path and boot the diskette. Grr. Furthermore, if your hard drives are on a SCSI, it NEVER believes you have a hard drive, so it ALWAYS overrides your boot path. GRR. This is because it only checks the CMOS to see if you have a hard disk, rather than following the drive parameter table vector to see if there's a table. This is /* flame ON */ inexcusable, because there are tons of disk subsystems, not just SCSI, that have their own firmware and build their own parameter tables. This is common knowledge. *Sigh*. They were close... I think IBM got it all right in the PS/2 firmware. But you have to buy a PS/2 to get it.... - -- Chap Flack Their tanks will rust. Our songs will last. chap@art-sy.detroit.mi.us -Mikos Theodorakis Nothing I say represents Appropriate Roles for Technology unless I say it does.