Q. How do I stop tools like Kon-Boot?

A. A client of mine recently had concerns about a new tool, Kon-Boot, and the fact that it could bypass the requirement to enter a password at the logon screen. I downloaded the tool and tried it. It works by booting from a CD or USB stick (meaning you need physical access and the ability to boot from alternate media) that has a small boot environment that loads itself into memory. The environment hooks into the BIOS then boots the main Windows OS, where it modifies the Windows kernel that's loaded into memory to not require the entry of a password at the logon screen. Below you can see a virtual machine that I booted via Kon-Boot at the initial Kon-Boot loading stage.


Note that Kon-Boot works with local accounts and domain accounts that have the credentials locally cached. I can't log on without a password for a domain account whose password isn't cached locally. Also, once I'm logged on with a domain account, no contact with the domain has taken place, so I have no token. So I can't talk to network resources as the domain account, I can just access local content on the box with that user's permissions.

This isn't really much different from many system recovery tools out there that enable access to NTFS volumes outside of Windows for recovery or password reset solutions. In fact, Microsoft provides its own set of solutions as part of the Desktop Optimization Pack in the form of Desktop and Recovery Toolset (DART), which has a local account password reset and NTFS access tool.

Like most other security bypass products and recovery solutions, Kon-Boot requires physical access to the box. If you give someone unprotected physical access to the box there, are many products and methods to gain access to information. There are key steps you can perform to provide protection from these attacks:

  • Use BitLocker on the disks, or if you're not running Windows 7 or Windows Vista, a third-party disk protection solution. If the disk can't be read, tools can't access file systems or change content.
  • Disable booting from USB and CD in the BIOS of the machine and protect the BIOS with a password.
  • EFS can also be used on specific files that are extra sensitive, to provide defense in depth

These basic steps will provide protection from most types of physical attack, including Kon-Boot.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.