NTFSDOS is a file system driver for DOS, Windows 3.x, and Windows 95 that makes NT File System (NTFS) files visible, as if they were standard File Allocation Table (FAT) drives. We wrote this 16-bit real-mode DOS program to access files we store on NTFS drives from Win95 on our dual-boot Win95/NT systems. If run under DOS 7.0 or Win95, NTFSDOS supports NTFS long file names, and it has decompression routines that understand NTFS compressed files and directories.
Because we wanted to run NTFSDOS only on single-user NT workstations that have dual-boot systems, it ignores NTFS security attributes. Once NTFSDOS mounts an NTFS drive, the entire drive is visible, including files and directories of all users. In addition, loading NTFSDOS onto a floppy disk lets us boot on systems that have a floppy boot capability. The ability to boot off a floppy lets NTFSDOS access files on systems that have NT as their sole operating system and NTFS as their only file system type.
Several magazines have recently published stories on NTFSDOS. They imply that the ability to boot NTFSDOS from a floppy exploits or creates an NT security hole, and concerned NT administrators have apparently contacted Microsoft. In response, Microsoft published a white paper to address NTFSDOS, “Windows NT File System: Built for Data Security” (1996, available on the Microsoft Web site at www.microsoft.com/ntserver/guide/ntfilesys.asp). Microsoft correctly asserts that NT’s C2 security certification requires a physically secure NT system. This requirement means isolating the system from unauthorized physical access. Of course, if unauthorized users are not allowed near a machine, they cannot force it to boot NTFSDOS from a floppy disk.
Although we disagree with the view that NT has a security hole for NTFSDOS to exploit, NT users and administrators must know that NTFSDOS can breach poorly implemented security. NTFSDOS raises the requirement of physical security to a new level. Consider a company that in the past thought its NT machines secure from unauthorized access because security measures were in place at the building entrance. Thus, although employees were able to physically access the company’s server and a colleague’s workstation, stealing a computer or destroying a disk drive was highly unlikely. If users tried to access data to which they were not privy, NTFS software-based security prevented them from doing so.
The availability of NTFSDOS means that the company must lock its server away and disable the ability of its workstations to boot off a floppy disk. Because many old computers do not have a floppy-boot disabling feature, companies must now consider upgrading to machines that do. Physical security for NT systems used to mean preventing theft or destruction. NTFSDOS means you also have to disable the ability to boot from a floppy disk.
Critical Challenges of ESI & Email Retention Are you storing too much electronic information? Get expert legal advice and better understanding of what you are required to do as an IT professional.
Rev Up Your IT Know-How with Our Recharged Magazine! The improved Windows IT Pro provides trusted IT content with an enhanced new look and functionality! Get comprehensive coverage of industry topics, expert advice, and real-world solutions—PLUS access to over 10,000 articles online. Order today!
Get It All with Windows IT Pro VIP Stock your IT toolbox with every solution ever printed in Windows IT Pro and SQL Server Magazine plus bonus Web-exclusive content on hot topics. Subscribe to receive the VIP CD and a subscription to your choice of Windows IT Pro or SQL Server Magazine!
Order Your Fundamentals CD Today! Gain an introduction to Exchange, learn server security requirements, and understand how unified communications can play a role in your messaging strategies with this free Exchange CD.
Windows IT Pro
Register
