SANSFire 2008 – Audit 507, Day 5 – Windows

Day 5: Auditing Windows systems. Not really a lot of earth-shattering news here today. Having been exposed to Windows tools like MMC, Security Policies and Group Policies, and the Event Viewer for years now, I was in pretty familiar territory. There were some reminders (why LM hashes are bad, what to do about them if you still have them) and some new ideas (methods for baselining a system and taking periodic diffs to compare, moving forward), but no real “aha moments” for me. Not that I’m complaining, mind you. I’ve had enough new stuff for now. At least today my brain did not feel like it was completely overflowing.
I also took a sneak peek at tomorrow’s book on auditing Unix. Familiar stuff there too. (*phew!*)

Moving GRUB from the MBR to the Install Partition

I realize this is nothing new to experienced Linux users, but I figured I’d document the process I used to move GRUB from the master boot record (MBR) of my notebook’s hard drive to the partition where I had Linux installed. I got the steps straight out of the Ubuntu forums as a result of a Google search for “move grub mbr.” The reason I am moving it is because, as I write this, I am using TrueCrypt to encrypt my entire Windows partition. To be able to boot Linux, I needed to move GRUB to make room for the TrueCrypt boot loader, since the MBR ain’t big enough for the both of them!
So, the process was:

  1. Identify the partition in which Linux is installed.
    Look for the / partition, which, in my case, is /dev/sda2 (as /dev/sda1 is where Windows lives on this machine).
  2. sudo grub-install /dev/sda2
    Voila! GRUB now lives in /dev/sda2 (as well as in the MBR).

Of course, there’s no real way to verify that this will work until you overwrite the MBR with something else, as GRUB still lives in the MBR, so effectively nothing has changed. In my case, I installed the TrueCrypt boot loader in the MBR. I then booted and selected my Linux partition from the TrueCrypt boot loader, which brought up my friendly GRUB boot menu! Now assured that things were working and that I could get back into Linux, even if I somehow hosed my Windows partition, I continued on with encrypting the entire partition.
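One check worth running between step 2 and overwriting the MBR is to dump the first sector of the Linux partition and confirm that grub-install actually wrote GRUB's boot code there. The script below is an added example, not part of the original post: it finds the root partition (step 1 above), reads the first 512 bytes of a partition and looks for the 0x55AA boot signature plus the "GRUB" string that GRUB legacy's stage1 and GRUB 2's boot.img both carry in their error-message text. It assumes only a POSIX sh with dd, od, tr, grep, df and awk; the device name /dev/sda2, the temp-file paths and the sample sectors built by make_sample_sector are constructed for illustration and do not reproduce the real stage1 layout.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a partition boot
# sector before you overwrite the MBR with another boot loader.
# Assumes a POSIX sh with dd, od, tr, grep, df and awk (any Linux box).
# Device names (/dev/sda2) and the temp-file paths are illustrative.

# Print the block device mounted at / (step 1 of the procedure above).
root_partition() {
    df -P / | awk 'NR == 2 { print $1 }'
}

# Return 0 when the 512-byte sector image in $1 looks like a GRUB boot
# sector: it must end with the 0x55AA boot signature, and it must contain
# the string "GRUB", which both GRUB legacy's stage1 and GRUB 2's boot.img
# embed in their error-message text.
boot_sector_has_grub() {
    sector="$1"
    # Bytes 510-511 as lowercase hex, e.g. "55aa".
    sig=$(dd if="$sector" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || return 1
    # Turn non-printable bytes into newlines so grep sees plain text.
    dd if="$sector" bs=512 count=1 2>/dev/null | tr -c '[:print:]\n' '\n' | grep -q 'GRUB'
}

# Copy the first sector of a partition to a file and check it.
# Needs root to read the device, e.g.: check_partition /dev/sda2
check_partition() {
    dev="$1"
    img="${TMPDIR:-/tmp}/bootsector.$$"
    dd if="$dev" of="$img" bs=512 count=1 2>/dev/null || return 1
    if boot_sector_has_grub "$img"; then
        echo "$dev: GRUB boot code present"
        rc=0
    else
        echo "$dev: no GRUB boot code found, do not overwrite the MBR yet"
        rc=1
    fi
    rm -f "$img"
    return $rc
}

# Build a constructed 512-byte sector image for offline testing.
# KIND is "grub" (signature + GRUB strings), "nosig" (strings but no
# signature, as a half-written sector would look) or "blank" (all zeros).
make_sample_sector() {
    out="$1"
    kind="$2"
    dd if=/dev/zero of="$out" bs=512 count=1 2>/dev/null
    case "$kind" in
        grub|nosig)
            # Text resembling the string table GRUB legacy stage1 carries;
            # offset 384 is illustrative, not the real stage1 layout.
            printf 'GRUB Geom Hard Disk Read Error' |
                dd of="$out" bs=1 seek=384 conv=notrunc 2>/dev/null
            ;;
    esac
    if [ "$kind" = grub ]; then
        # 0x55 0xAA, written as octal escapes.
        printf '\125\252' | dd of="$out" bs=1 seek=510 conv=notrunc 2>/dev/null
    fi
    return 0
}
```

Run `sudo sh -c '. ./grubcheck.sh; check_partition /dev/sda2'` (or whatever root_partition reports) after grub-install. A hit only proves the boot code was written, not that whatever ends up in the MBR will chainload it, so the author's real test, booting through the new MBR loader, still applies. One caveat for later distributions: GRUB 2's grub-install refuses a partition target without `--force`, because installing to a partition boot sector forces it onto blocklists; GRUB legacy, which the post used, installs there without complaint.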