[unisog] HXD

SAWYER,JOHN H JSawyer at ifas.ufl.edu
Mon Feb 14 01:15:15 GMT 2005


>   Last year at Tech-Ed I lobbied (unsuccessfully) for 
> Microsoft to provide a PE boot CD that would guarantee 
> authenticity of critical Windows OS pieces such as gina.dll, 
> lsass.exe and the Windows APIs that list running processes 
> and accept passwords.  Such a disk could ensure that a 
> system, when booted, would not have replacement "shim" code 
> that captures passwords or hides processes.  There was 
> considerable interest, but no commitment.  

Why not create one yourself?  I am working on this exact same issue and
developing a custom CD for our server admins that uses McAfee to scan
the local disks and MD5 hashes to verify the system files have not been
tampered with.  The CD also allows you to verify Services and Registry
settings making sure that they have not been changed.  It is not very
difficult to do, and with a little effort, you can have a custom
incident response tool tailored specifically to your environment.
Below, I am including links to BartPE to build your own PE disk, links
to quite a few plugin sites, MD5 hashing tools for Windows, and the
National Software Reference Library (NSRL)'s hash sets.

Bart's Preinstalled Environment (BartPE) bootable live windows CD/DVD
http://www.nu2.nu/pebuilder/

BartPE Plugin Repositories
http://www.bootcd.us/BartPE_Plugins_Repository.php
http://www.oion.net/qnd/bootcd/plugins.shtml
http://users.pandora.be/Robvdb/pebuilder_plugins.htm
http://www.blodau.de/petools/
http://www.irongeek.com/i.php?page=security/pebuilder (very handy)

Windows MD5 apps
http://www.fourmilab.ch/md5/
http://www.fastsum.com/
http://www.md5summer.org/
http://www.brandonstaggs.com/filecheckmd5.html
http://www.irnis.net/soft/acsv/?from=banner

National Software Reference Library (NSRL)
http://www.nsrl.nist.gov/Downloads.htm

-jhs

--------------------------------
John H. Sawyer - GCIH GCFW 
Systems Security Engineer
UF/IFAS Information Technologies
-------------------------------- 