Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Ghost 2003 (or earlier) Security Issue

Posted on 2004-09-19
8
Medium Priority
?
271 Views
Last Modified: 2010-04-11
Hello,

   We're running Ghost 2003 right now for wide-deployment and backup of workstations.  We are having a concern with regard to the Ghost files used in the Virtual Partition setup.

   We understand that Ghost changes boot process to where the PC boots from Ghost's Virtual Partition.  This means that it sets that "partition" as active.  (As noted in the Recovery process from Symantec's website).  However when the ghost client service powers down the machine, when does it change the system setup for the partitions and active settings?  Does it happen before Power-down, affecting BOOT.INI, does it change the MBR or something?  It apparently causes the machine to treat the VD folder as a partition in some way.  

   We understand that it is the Ghost Service Account that can add a machine to the domain, and it appears that the symantec ghost client uses the SYSTEM account to manipulate the machine's boot process.  Is this correct?  What level of security on Win2000 and WinXP does this service account NEED to have in order to work?  


Thanks to all.  This might take some clarification!
0
Comment
Question by:jennifer_borman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
8 Comments
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12100334
Apperently, the BOOT.INI file is not affected at all but it creats a unique boot process which is located on a unique file Symantec created:
"When you start the cloning operation from within Windows, Ghost automatically restarts your computer into a DOS environment, performs the cloning operation, and then restarts the computer into Windows. Ghost uses a Ghost Virtual Partition to create the DOS environment. The Ghost Virtual Partition is a file stored on the hard disk. When Ghost restarts the computer, the computer uses the information from that file to load DOS and other required files, and to run Ghost.exe."
See link:
http://service1.symantec.com/SUPPORT/ghost.nsf/docid/2002030415014425?Open&src=&docid=2000012811284125&nsf=ghost.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

As for the addition of the machine to the domain; I guess it reads information from the SID registry settings allowing it to be part of the domain along with all permissions and forth...

Need more than that? just call...

Cyber
0
 

Author Comment

by:jennifer_borman
ID: 12112470
I appreciate the information, but the particular item that I am looking for is the point of change in the booting process, whether or not the change occurrs before Windows shuts down or after reboot.  Also, what kind of permissons the account needs (if it is either the SYSTEM or GHOST account).  If the MBR, etc. is modified we need to understand when these changes are made.  I know that a USER account can shut down the system but I don't think that it can modify system properties of that proportion.  Any thoughts ?

Thanks!
-Jen
0
 
LVL 15

Accepted Solution

by:
Cyber-Dude earned 2000 total points
ID: 12156011
Sorry for the late answer; if it is still worth anything; why dont you use system tracker to monitor changes while happenning? This way you will be able to monitor changes and analyse the time of occurance...
Something like this:
http://www.1000files.com/Utilities/System_Utilities/Disk_and_Registry_Alert_268_Review.html

Hope that helped

Cyber
0
 

Author Comment

by:jennifer_borman
ID: 12197384
I'll check it out - sorry it's late at night.  I'll try it tomorrow and see what happens.  No problem with the late answer either, you know how it is with some Q's.  sometimes people seem to disappear after their 2 bits are put in.

Moderator: Please do not close this question yet
0
 

Author Comment

by:jennifer_borman
ID: 12238905
I think that's a good option.  Definitely appreciated!

-Jen
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
What we learned in Webroot's webinar on multi-vector protection.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question