Dual boot security, shared files

[Epitome_Inc]

Hi there!

I'm upgrading a laptop for a friend of mine who has some unique requests/needs for security. I plan on a 960GB SSD in it, and he wants dual-boot Windows 10 with one of the OS's completely cut off from the internet. He wants to keep it as clean and secure as possible. It will have access to his current confidential files. But he also needs a folder or partition that the two OS's can share so he can transfer some files when necessary. I plan on increasing security to that folder (anti-virus scans, etc) and educating him on security measures he needs to take. But aside from that shared area we don't want the two OS's to be able to access each other in any way. In fact, he won't be keeping files in that shared folder permanently - it's only there to facilitate transfers between the OS's. I also plan to introduce him to LastPass since he's so risk-averse, and really everyone should be using a password manager these days anyway. We're also exploring options for long-term storage and access of the literally tens of thousands of confidential files and images he needs to keep for his business. He needs to store a ton but have the ability to access it from his phone or laptop remotely (where 6 TB of data just won't go). It's a mom-and-pop operation (literally), and I'm their free friend tech support, so solutions that require frequent management are out of the question.

I'm looking for input on keeping the OS's 'firewalled' from each other (if that's the right term in this scenario). Or if there's a better way to effectively do the same thing, I'm all ears. I'd also like opinions on personal cloud storage (WD or Seagate, etc) vs a monthly subscription to OneDrive or equivalent (who makes it easy to store files off-site while being easily accessible). Dropbox and Google Drive don't seem to make it easy to off-load files (cloud-stored and not locally-stored simultaneously) without having to change file settings every time you do it. An option for automatic sorting of files would be welcome as well so he can keep things organized (which isn't his strong suit). I would probably also make an archive backup of all his files at the start of this process that's kept in an off-site location in case of personal cloud failure.

 

Thanks in advance for your help!

[DXMember]

First of all look into "Whitelist Security", that should aid greatly in security you are looking to achieve

[cynexit]

You talk a lot about security and separation but then you want to have shared folders and cloud storage? You'll most likely have to pick one. Having a dual boot system with a shared folder won't do much for security, also if both OSes are Windows and the partitions are just out there in the open, what would stop malware from mounting and compromising other partitions as well?

Also on a much lower level something like badbios could compromise the hardware and just don't care about the dual boot.

 

The only way I see this could be done semi-secure would be to encrypt both partitions on a lower level than Windows, with separate keys, no sharing then of course, just via USB or something else.

 

It is very noble that you thing about security and I salute you for that, but I think within these conditions you can only achieve "feel good security" and then you can basically just don't bother at all. Do it right and proper or just ditch it and instead educate the users on how to handle a PC with some thought, this alone should prevent 90% of security breaches.

[DXMember]

5 minutes ago, cynexit said:

Having a dual boot system with a shared folder won't do much for security, also if both OSes are Windows and the partitions are just out there in the open, what would stop malware from mounting and compromising other partitions as well?

 

Whitelisting

[Epitome_Inc]

Thanks for the input guys! I see online some ppl in similar circumstances are using virtual machines to keep things separate. Thoughts? I'll have to address things with my friend and let him make the decision on where he'll compromise. Whitelisting looks great, but the laptop he's got won't do Device Guard (lacking UEFI) and so far I don't see a 3rd party solution.

[DXMember]

14 minutes ago, Epitome_Inc said:

Thanks for the input guys! I see online some ppl in similar circumstances are using virtual machines to keep things separate. Thoughts? I'll have to address things with my friend and let him make the decision on where he'll compromise. Whitelisting looks great, but the laptop he's got won't do Device Guard (lacking UEFI) and so far I don't see a 3rd party solution.

if you can't do it on BIOS/UEFI level, then just don't bother,

VMs are fine, but when your VM get's compromised there's nothing really stopping ir from compromising the host hardware as well, it's still executing on the same CPU and has access to the same HDD

You can still use real-time protection like Kaspersky Internet Security which has been holding the crown for a couple of years in a row now.

But if you're that paranoid then the only bullet-proof solution is Whitelisting,