Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!um-math!sharkey!cfctech!teemc!hpftc!zardoz!henry.jpl.nasa.gov!elroy.jpl.nasa.gov!csun!srhqla!nrcvax!rick
From: rick@NRC.COM (Rick Wagner)
Newsgroups: comp.sys.ibm.pc
Subject: Re: Preventing Floppy Boots
Message-ID: <298@nrcvax.NRC.COM>
Date: 30 Aug 89 19:21:01 GMT
References: <2610@astroatc.UUCP>
Reply-To: rick@nrcvax.UUCP (Rick Wagner)
Distribution: na
Organization: Network Research Corp., Oxnard CA
Lines: 51

In article <1989Aug15.183532.27998@ee.rochester.edu> jal@ee.rochester.edu writes:
>A friend of mine wants to write a program that would provide some
>small security by either preventing people from booting off a 
>floppy drive or by making the information on the hard-drive unusable
>if the system is booted off the floppy.
>
>This is for DOS and cannot involve significant hardware (like
>burning ROMS, cutting wires, etc).  Any thoughts would be appreciated.
>
>This is personal opinion.

Well, depending upon your system: IBM's and many (most?) compatables
will not boot from the B: drive; so...

	(a) if you have a dual floppy system, unplug your A: drive.
This will leave you with the B: drive to read/write floppies.  

	(b) If it is a single floppy system, use the second drive
connector on the flat ribbon cable for the drive; this will accomplish
the same thing as (a).

Now this assumes a case with a lock, or some other method of locking
the case closed.  The biggest problem (more of an annoiance) is that
the system will report a drive failure for drive A:, probably
requiring you to press the F1 key.  The advantage is that in the an
appropriate system, there is no H/W mods needed, just unplugging a
cable, which is a reversable process.

Now you still need some software to password protect the hard disk.
The comlpexity of this will depend upon how much you trust the people
who are allowed to log on. (Do you trust them not to change your
config.sys file, say; or delete the security program?).  The simplest
way would be to write a 'device driver' to ask for a password.  It
would not really be a driver, but would look like one so it will get
loaded at boot time from your config.sys.  It can't be in your
autoexec.bat file, since that can be aborted with a ^c, dropping
whoever back into DOS.

A more complex system would involve modifying the boot block, but that would
still be at the mercy of someone with a disk-editor.

If you don't mind buying some hardware, there are small boards which
plug into one of your system slots, and prompt for a password at
power-up.  This only occurs at power up time, so your logout is a
power down.  Again, for most of these boards, the case must be locked.
-- 
===============================================================================
Rick Wagner						Network Research Corp.
rick@nrc.com	rick@nrcvax.UUCP			2380 North Rose Ave.
(805) 485-2700	FAX: (805) 485-8204			Oxnard, CA 93030
Don't hate yourself in the morning, sleep 'till noon.