
How to password protect boot entries

Nicholas
2018-05-05
2018-05-07
  • Nicholas

    Nicholas - 2018-05-05

    My OS: Windows 7 x64

    I would like to password protect specific/all boot entries; however, I do not see an option for this in Grub2Win. I assume Linux is needed to use the security in Grub, from the online instructions I could find.

    Can you include this feature in future updates or provide a guide on how to set up password protected entries with Grub2Win? This would be very much appreciated. Thanking you in advance :D

     

    Last edit: Nicholas 2018-05-05
  • Ed  P

    Ed P - 2018-05-05

    hmmmm An interesting question Nicholas.

    Reviewing this link https://www.thegeekdiary.com/centos-rhel-7-how-to-password-protect-grub2-menu-entries/ does indicate a Linux system is required if protecting individual menu items. A Windows option will be necessary for a Grub2Win system.

    Finally, something for Dave to sink his teeth into. LOL

     
  • Drummer

    Drummer - 2018-05-05

    Hi Nicholas,

    Password security in Grub is doable, but rather complicated. I don't think it will be practical to automate in Grub2Win.

    You can manually set up security by editing the user section of your C:\grub2\grub.cfg file.

    Grub password security requires the use of a utility program called grub-mkpasswd-pbkdf2.exe to create a secure hash.

    The utility is included in the GNU Grub Windows software which can be downloaded here:

    https://ftp.gnu.org/gnu/grub/grub-2.02-for-windows.zip

    I'm attaching a sample grub.cfg user section for you to use as a model. As I said, it's complicated so if you have any questions, please let me know.

    Dave
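
An added example, not part of the thread and not the sample file Dave attached: a Python sketch of the hash string format that grub-mkpasswd-pbkdf2 prints (PBKDF2-HMAC-SHA512, 10000 iterations and a 64-byte salt by default) and of a grub.cfg user section built around it. The user name `admin`, the menu entry titles and the sample passphrase are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 10000   # grub-mkpasswd-pbkdf2 default iteration count
SALT_LEN = 64        # default salt length in bytes
KEY_LEN = 64         # default derived-key length in bytes


def grub_pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    """Return a string in the grub.pbkdf2.sha512.<iter>.<salt>.<key> format."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, KEY_LEN)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (iterations, salt.hex().upper(), key.hex().upper())


def verify(password, grub_hash):
    """Recompute the key from the stored salt and compare in constant time."""
    prefix, kdf, digest, iterations, salt_hex, key_hex = grub_hash.split(".")
    if (prefix, kdf, digest) != ("grub", "pbkdf2", "sha512"):
        raise ValueError("not a GRUB PBKDF2-SHA512 hash")
    salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, int(iterations), len(expected))
    return hmac.compare_digest(key, expected)


def render_user_section(user, grub_hash):
    """Build grub.cfg lines: one superuser, one locked entry, one open entry."""
    return "\n".join([
        'set superusers="%s"' % user,
        "password_pbkdf2 %s %s" % (user, grub_hash),
        "",
        "# With superusers set, an entry without --unrestricted needs the superuser",
        'menuentry "Recovery tools" {   # hypothetical title',
        "    # ... boot commands for the recovery image go here ...",
        "}",
        "",
        "# Boots without a password; editing it at the menu still needs the superuser",
        'menuentry "Windows 7" --unrestricted {   # hypothetical title',
        "    # ... existing Windows boot commands ...",
        "}",
    ])


if __name__ == "__main__":
    # Constructed sample passphrase; replace it with your own before use.
    print(render_user_section("admin", grub_pbkdf2_hash("example-passphrase")))
```

The stored string contains the salt and iteration count, so anyone who can read grub.cfg can run offline guesses against it; the passphrase length matters more than hiding the file.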

     
  • Nicholas

    Nicholas - 2018-05-06

    I really hope you see it as practical to automate in the future, because it is very complicated for the average user. I just want to set up a recovery section with a password during boot, to easily fix the PC in case of emergency and also to prevent anyone else from being able to access it.

    Without the password, Grub2Win can really only be used to dual boot OSes with their default login security, because with any recovery boot entries, anyone can gain access to or do harm to the PC if I am not around. This is my layman's understanding of how it works, so please bear with me if I said something wrong.

    I will look into your post and test in a virtual environment first.
    Thank you for the reply, and I will indeed check the model grub.secure.cfg

     

    Last edit: Nicholas 2018-05-06
  • Drummer

    Drummer - 2018-05-06

    Hi again Nicholas,

    A couple of things you need to realize about Grub security:

    Anyone who has physical access to your PC can simply boot a Ubuntu DVD, edit the C:\grub2\grub.cfg file and remove GNU Grub security from the system.
    Given this vulnerability, I'm not sure GNU Grub security will meet your requirements.

    Grub2Win is written using no external software, only GNU Grub, Windows and the included Windows utilities that are already on every Windows PC.

    The Grub security hash function requires the installation of an additional GNU Grub utility software package to function properly. Most users do not want to install additional software.

    Hope this helps,

    Dave

     
  • Nicholas

    Nicholas - 2018-05-07

    Okay, I understand to a degree, but wouldn't securing your BIOS with a password prevent the ability to boot any external media (including DVD), therefore nullifying this vulnerability?

    Then I can only assume Grub2Win is only able to give the user an easy way to dual boot other OSes with their default password/security.

    Because if you try to add any recovery options/recovery tools using Grub2Win (e.g. Hiren's BootCD or Paragon Recovery Media), Grub2Win creates a greater security risk/vulnerability, in my opinion. I am shocked most users don't want password protected entries.

    Thanks though for clearing up but sadly I will have to look elsewhere.

     
  • Ed  P

    Ed P - 2018-05-07

    The C:\grub2\grub.cfg file doesn't require Ubuntu to be edited, Windows Notepad does it just fine. However, to be edited it has to be found, and I think Windows supports adding a $ to the name to mask it. So c:\grub$ or c:\$grub may help. Course there is always the System and Hidden attributes.

    The thing with security the question is always secure from whom. Secure from a passerby or secure from someone hell bent on breaking in.

     
    • Drummer

      Drummer - 2018-05-07

      Hey Ed,

      I used Ubuntu as an example. There are many DVD's and ISO's that can be
      booted to edit the file: Hiren's, Suse, Fedora Windows etc.
      Most of them ignore the Windows attributes and the $ prefix so there's
      no security there.

      My point is that GNU Grub and all the other bootloaders are inherently
      insecure if you have physical access to the machine.

      Dave

      On 5/6/2018 9:18 PM, Ed P wrote:

      The C:\grub2\grub.cfg file doesn't require Ubuntu to be edited,
      Windows Notepad does it just fine. However, to be edited it has to be
      found, and I think Windows supports adding a $ to the name to mask it. So
      c:\grub$ or c:\$grub may help. Course there is always the System and
      Hidden attributes.

      The thing with security the question is always secure from whom.
      Secure from a passerby or secure from someone hell bent on breaking in.



       
      • Ed  P

        Ed P - 2018-05-07

        I'm confused. What file are you referring to? I thought it was c:\grub2\grub.cfg which is a text file that Windows can access directly.

        As for security, physical access to the machine is definitely a concern.

         
  • Nicholas

    Nicholas - 2018-05-07

    You cannot boot from a DVD or USB if you prevent it in the BIOS.
    A password was asked for because without it, users can't use recovery tools as boot entries in Grub2Win, such as Hiren's BootCD or Paragon Recovery Media Live, without leaving a big security problem.

    In the long run, if someone really wanted to access the PC there are ways. But the point is to prevent the average user and make it too time consuming/difficult for the experienced user.

     

    Last edit: Nicholas 2018-05-07
    • Ed  P

      Ed P - 2018-05-07

      I'm not sure booting from a DVD or USB prevented in the BIOS is prevented from a grub2 bootloader booted with a Windows bootloader. The BIOS is no longer involved at this point. As such, the easiest way to prevent access to Hiren's BootCD (and its illegal apps) would be to put them on a USB drive which is booted via grub2win and limit access to the USB drive.

      Try it and let us know if it works.

       
