Preventing Access to a Personal Computer

IP.com Disclosure Number: IPCOM000109520D
Original Publication Date: 1992-Sep-01
Included in the Prior Art Database: 2005-Mar-24
Document File: 3 page(s) / 171K

Publishing Venue

IBM

Related People

Moore, WS: AUTHOR [+2]

Abstract

This article describes a means of preventing access to an IBM PC or PS/2* compatible workstation. Most IBM compatible personal computers have a power-on-password and a cover lock to prevent unauthorized access to the computer or its data. These are effective in most environments but are not intended to protect against a professional attack. Sensitive data requires a more rugged method of securing access. The method described in this article provides a substantially higher level of security. Access is limited through user verification, data encryption, and diskette boot prevention. These three components are essential to a secure workstation methodology. User verification is necessary to authorize access to the workstation. Diskette boot prevention is necessary to prevent bypassing the user verification.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 52% of the total text.

Preventing Access to a Personal Computer

       This article describes a means of preventing access to an
IBM PC or PS/2* compatible workstation.  Most IBM compatible personal
computers have a power-on-password and a cover lock to prevent
unauthorized access to the computer or its data.  These are effective
in most environments but are not intended to protect against a
professional attack.  Sensitive data requires a more rugged method of
securing access.  The method described in this article provides a
substantially higher level of security.  Access is limited through
user verification, data encryption, and diskette boot prevention.
These three components are essential to a secure workstation
methodology.  User verification is necessary to authorize access to
the workstation.  Diskette boot prevention is necessary to prevent
bypassing the user verification.  Data encryption is necessary to
prevent physical removal of the data, and insertion into an unsecured
workstation where it could then be read.

      The method described in this article requires three software
components: (1) a ROM software component to handle the diskette boot
prevention and sector level read/write intercept for ciphering, (2) a
DOS shell software component to handle user verification, and (3) an
installation software component necessary to prepare the system for
disk and diskette encryption.  In addition, a fourth component is
necessary, which could be a combination of hardware and software, to
perform the user verification and data encryption.

      This secure workstation methodology requires a software
component that resides in ROM, either on an adapter card or in a
socket on the system motherboard.  This software component is an
extension of the workstation's BIOS, and is executed at power-on,
prior to any DOS or user programs.  This software captures the
disk/diskette services interrupt (INT 13 hex) and inserts its
interrupt handler into the chain for this interrupt.  This interrupt
handler evaluates every read/write to any diskette or hard disk.  It
prevents reads from the boot sector of any diskette, thus forcing the
workstation to boot on the primary hard disk.  It also will
automatically encrypt/decrypt at the sector level on all read/writes
to a diskette or hard disk, depending on the security level.  The
encryption methodology used is the ECB mode of DES.
Encryption/decryption may be done in software or hardware, but with a
software solution, care must be taken to protect the cipher keys.  A
table is maintained in a hidden sector of the primary hard disk which
indicate...
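
The decision logic of the INT 13 hex handler described above can be modeled in C; this is an added example, not code from the original disclosure. It swaps in a toy block transform for DES (labeled as such) so that the ECB structure fits in a short listing. The names regs, hook_int13, toy_ecb and media, the return codes and the sample key are assumptions, and the model handles one-sector requests and always ciphers, ignoring the security level.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR 512
enum { INT13_READ = 0x02, INT13_WRITE = 0x03 };   /* INT 13h function codes in AH */
enum { ST_OK = 0, ST_DENIED = 1 };                /* return codes of this model only */

/* Registers the hook inspects: AH function, DL drive, CH/CL cylinder+sector, DH head. */
struct regs { uint8_t ah, dl, ch, cl, dh; };

static uint8_t media[SECTOR];   /* one sector standing in for the next handler in the chain */
static const uint8_t key[8] = {0x13,0x34,0x57,0x79,0x9B,0xBC,0xDF,0xF1}; /* constructed */

/* Stand-in for DES in ECB mode: every 8-byte block is transformed on its own.
   This is NOT DES and not secure; it only reproduces the ECB structure. */
static void toy_ecb(uint8_t *buf, int decrypt) {
    for (int i = 0; i < SECTOR; i++) {
        uint8_t k = key[i % 8];
        buf[i] = decrypt ? (uint8_t)((buf[i] ^ k) - k) : (uint8_t)((buf[i] + k) ^ k);
    }
}

/* Diskettes are drives 00h-7Fh; their boot sector is cylinder 0, head 0, sector 1. */
static int is_diskette_boot_sector(const struct regs *r) {
    unsigned cyl = r->ch | ((unsigned)(r->cl & 0xC0) << 2);
    return r->dl < 0x80 && cyl == 0 && r->dh == 0 && (r->cl & 0x3F) == 1;
}

/* The interrupt handler's decision for a one-sector request. */
int hook_int13(const struct regs *r, uint8_t *buf) {
    if (r->ah == INT13_READ) {
        if (is_diskette_boot_sector(r)) return ST_DENIED;  /* no diskette boot */
        memcpy(buf, media, SECTOR);                        /* chained read */
        toy_ecb(buf, 1);                                   /* decrypt for the caller */
    } else if (r->ah == INT13_WRITE) {
        memcpy(media, buf, SECTOR);
        toy_ecb(media, 0);                                 /* only ciphertext reaches the disk */
    }
    return ST_OK;                                          /* other functions pass through */
}

int main(void) {
    struct regs boot = { INT13_READ, 0x00, 0, 1, 0 }, wr = { INT13_WRITE, 0x80, 0, 2, 0 };
    uint8_t buf[SECTOR];
    memset(buf, 'A', SECTOR);
    printf("diskette boot read: %d\n", hook_int13(&boot, buf));
    hook_int13(&wr, buf);
    printf("repeated plaintext blocks give equal ciphertext: %d\n", !memcmp(media, media + 8, 8));
    return 0;
}
```

Because ECB transforms each 8-byte block independently, repeated plaintext blocks within a sector remain visible as repeated ciphertext blocks on the disk, which is worth weighing when assessing a design of this kind.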