LinuxQuestions.org
Old 01-07-2012, 10:33 PM   #1
steampunk
LQ Newbie
 
Registered: Jan 2012
Posts: 11

Rep: Reputation: Disabled
Using Linux To Boot Windows Clean


Clean Boot Method

I'm looking for some feedback on my security idea. The purpose is to use Linux to secure a Windows environment. My Linux idea (Clean Boot) will help Windows stay virus free and encrypt proprietary data safely, so even physical access to the Windows drive will be futile to an interloper.

The motivation for this method comes from the fact that security experts can't really be fully expert unless they understand every piece of software that ships with an OS, and that just isn't impractical. So, I've attempted to design a method that gets around it based upon what I call clean booting.

I first describe my own Linux security session to make it understandable how Windows fits in. My Linux security sessions do not require online activity. They are intended for the artist, engineer, etc. who only wants to secure things locally and doesn't require online access during sessions with the computer they are using.

This is what I do for my Linux Security Session:

Setup:
- physically detach all Bluetooth and wireless hardware from my computer
- physically remove all drives that aren't used for security sessions
- boot computer with Live Linux Distro of my choice.

Use:
This security session is used in this way:
- All work stays in RAM.
- All work is first encrypted in RAM, then saved to a disk that's meant only for files from this security session.
- Drives containing encrypted data from a security session should never be connected to any other computer and then connected back to a security session. If connected to a non-security session, my protocol is to wipe and reformat first before using this drive in further security sessions.

Now as much as I love Linux, Windows doesn't have an equivalent for some programs. In order to achieve the same security as above, the process that follows is what I've come up with:

One Time Setup
- Wipe the Windows drive.
- Install Windows.
- Update Windows fully.
- Install necessary software and updates.
- Reboot and ensure all Windows software works.
- Shut down computer.
- Shrink Windows drive to minimum.
- Copy Windows partition to DVDs, solid state drive, etc. Whatever drives you have. Create two copies of your Windows partition. One for backup, the other as a security session copy.

Security Session
- It will be the same as Linux Setup and Use above. No wireless connected, all files encrypted in RAM and saved to security drives, etc.
- The computer is shut down.
- The computer is started with a Live Linux Distro with one addition added to it: the clean up script. The clean up script just copies that backup Windows partition over the partition just used for the security session. It automatically shuts down the computer after the script runs.

So, clean up is just a matter of rebooting with a Linux distro containing the cleanup script.

That's pretty much it in general. Keep in mind, I don't intend this level of security for a general user; its intention is for a high security environment.

What do you think? Is there an easier way to achieve this level of security? Are there any weaknesses you see? Could it be made better?

Any helpful comments welcome.

Last edited by steampunk; 01-07-2012 at 10:55 PM.
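
A sketch of the clean-up step described in the post above, as an added example that is not the poster's script: it checks the backup image against a SHA-256 recorded at setup time before overwriting the session partition, then reads the partition back to confirm the write. The function names, return codes, and the idea of passing in a hash kept on read-only media are assumptions; `dd`, `sha256sum` and `head -c` are used as found in GNU coreutils on a typical live distro.

```shell
#!/bin/sh
# Added example: verified restore of a known-good image (names are hypothetical).

# sha256_of FILE [BYTES]: hash the whole file, or only its first BYTES bytes.
sha256_of() {
    if [ -n "$2" ]; then
        head -c "$2" "$1" | sha256sum | cut -d' ' -f1
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# restore_image IMAGE TARGET EXPECTED_SHA256
# Return codes: 0 verified restore, 1 image unreadable, 2 image does not match
# the recorded hash (nothing is written), 3 write failed, 4 read-back mismatch.
restore_image() {
    image=$1; target=$2; expected=$3
    [ -r "$image" ] || return 1

    # A tampered or corrupted backup must never reach the session partition.
    actual=$(sha256_of "$image")
    if [ "$actual" != "$expected" ]; then
        echo "image hash mismatch, refusing to write" >&2
        return 2
    fi

    size=$(($(wc -c < "$image")))
    # notrunc keeps a file-backed target at its size; fsync flushes to media.
    dd if="$image" of="$target" bs=4M conv=notrunc,fsync status=none || return 3

    # Read back exactly the bytes written and compare with the recorded hash.
    readback=$(sha256_of "$target" "$size")
    [ "$readback" = "$expected" ] || return 4
    return 0
}

# Stand-alone use: cleanup.sh IMAGE TARGET EXPECTED_SHA256
# Power off only after a verified restore, so a failure stays visible on screen.
if [ "$#" -eq 3 ]; then
    restore_image "$1" "$2" "$3" && poweroff
fi
```

The recorded hash only helps if it is stored somewhere the Windows session cannot write to, such as the read-only live medium itself.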
 
Old 01-09-2012, 12:19 PM   #2
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Rep: Reputation: 174
The first concern I see is doing the updates during the initial install of Windows. If you are connected to the Internet to do that, your Windows install can (will?) become contaminated. Of course you could clone the off-line install to another connected machine, run MBSA and download the necessary patches, verify the patches to be clean, then manually transfer them to the off-line machine and install them.

How about running your Windows install as a virtual machine on the Linux host? Here is how to set this up to work using the free VMware Player.

1 - configure the Linux host swap as an encrypted partition (in case of leakage from VMware Player).
2 - create a TrueCrypt container to hold the files for the VM.
3 - install Windows into VMware Player. (You can turn off networking while doing the install.)
4 - install anti-virus and other protective software into the Windows VM.
5 - enable networking on the VM and install updates, virus definitions etc.
6 - shut down the VM and archive a copy of the files from the TrueCrypt container.
7 - start the Windows VM and do whatever naughty business you need to do with or without networking enabled.

If (when) the Windows VM gets hosed, contaminated or whatever, copy the files from the archive back to the TrueCrypt container.

The second concern... I think that Live CDs may use available hard drives for swap space. I am not sure but if you are concerned about leaving traces you might want to double check.

Ken

p.s. Windows can be run from a CD/DVD - look into Bart-PE or Hawk-PE. I cannot comment on the licensing status of these products (well not favorably at least).
 
Old 01-10-2012, 02:22 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Moved: This thread is more suitable in the General forum (discussing Microsoft Products) and has been moved accordingly to help your thread/question get the exposure it deserves.