Bootcamp and security

Question

Bootcamp and security

I have just installed Windows 10 using Boot Camp, for the sole purpose of testing the Windows version of an application I am developing. It was always my impression that this would create a completely separate system, and that neither OS would have any access to the other's partition or files. So I was surprised to find a 'BOOTCAMP' drive icon on my Mac desktop, giving access to all files on the Windows partition.

My concerns/questions are as follows:

1 Does Windows have access to files on my OS X partition? I don't want this as I don't want Microsoft and others being able to access my file (as their EULA permits), and IMHO Windows has generally lax security, especially with an unencripted partition.

2 Given that OS X can access the Windows parition, is there any chance that Windows malware could end up running in OS X?

My system: early 2015 rMBP; OS X 10.11.3 with FileVault 2 enabled, Windows 10 with no encription.

Thanks in advance.

MacBook Pro (Retina, 13-inch,Early 2015), OS X El Capitan (10.11.3)

Posted on Feb 12, 2016 4:58 AM

Reply

Answer 1

Best reply

mende1

Level 10

93,538 points

Feb 12, 2016 5:46 AM in response to samuelfromaberdeen

samuelfromaberdeen wrote:

1 Does Windows have access to files on my OS X partition? I don't want this as I don't want Microsoft and others being able to access my file (as their EULA permits), and IMHO Windows has generally lax security, especially with an unencripted partition.

If you installed the Boot Camp drivers on Windows (if you did not, you should install them ASAP), Windows can read your OS X partition but it cannot write, and viceversa. Apple included a basic HFS+ driver in Windows that lets you access your files from OS X but keeping them safe by not allowing Windows to write in the OS X part of your hard drive.

samuelfromaberdeen wrote:

2 Given that OS X can access the Windows parition, is there any chance that Windows malware could end up running in OS X?

As you could see above, Windows cannot write files in your OS X partition, so there's no risk of that.

Reply

Answer 2

Feb 12, 2016 5:55 AM in response to mende1

Thanks mende1 for your quick and helpful response. I should have made it clear that I don't want Windows being able to READ or write to/from the Mac partition for privacy reasons. I wonder if there is any way to achieve this? Perhaps by removing/disabling the HFS+ driver or removing the FileVault encription key from Windows so Windows can't get past FileVault? I'd prefer something that blocks Windows access from the Mac side so Windows can't just download and install some software that overrides my preference, without me even knowing about it.

It astonishes me that Apple doesn't realise privacy is a key reason (no pun intended) for many people buying their products, and at least give you the option during Boot Camp setup of not allowing Windows to access the Mac partition.

Reply

Answer 3

mende1

Level 10

93,538 points

Feb 12, 2016 6:14 AM in response to samuelfromaberdeen

There are several other threads in this forum to do what you want to, such as this one -> Need to remove access to Mac drives from Windows 7. Bootcamp used. You would only have to remove the files that "The hatter" mentions, but make a backup before doing it (note that you will be deleting files from one of the core folders).

Reply

Answer 4

Feb 12, 2016 6:14 AM in response to mende1

Thanks very much, I will look into that!

Reply

Answer 5

mende1

Level 10

93,538 points

Feb 12, 2016 6:15 AM in response to samuelfromaberdeen

You are welcome! 🙂

Reply

Answer 6

Feb 12, 2016 3:04 PM in response to samuelfromaberdeen

Update: I just booted into Windows and had a look for the Mac partition but couldn't see it anywhere. I looked in 'This PC', and under 'Devices and drives' the only things listed were Boot Camp (with the windows system and file space), USB drive and DVD RW drive. No Mac drive.

Some on the web have suggested that FileVault prevents access from Windows. I'd be very grateful if anyone could advise on whether this is (reliably) the case?

I went ahead and (I hope) disabled the AppleMNT.sys and AppleHFS.sys drivers by renaming and moving them.

I'm still a little concerned that the Mac partition might just be hidden from me in File Explorer, and that Windows might still be able to access it. Is there a way I can verify whether this is the case? I.e. somewhere I can look for the Mac partition in Windows where I would definitely find it if Windows has access?

Thanks

Reply

Answer 7

Loner T

Level 9

59,471 points

Feb 12, 2016 4:29 PM in response to samuelfromaberdeen

From the OS X side, if you run diskutil cs list in OS X Terminal, and get any output, all such volumes listed are not visible on the Windows side. This is unrelated to AppleHFS.sys and AppleMNT.sys which support reading only JHFS+ partitions.

Reply

Answer 8

Feb 13, 2016 8:50 AM in response to Loner T

Thanks very much! I ran that command and it returned the name of my Mac partition, as well as some other stuff. I also had a read around and think I understand what it is telling me. I only hope they never 'fix' this to allow people to access CoreStorage from Windows!

Reply

Answer 9

Loner T

Level 9

59,471 points

Feb 13, 2016 10:21 AM in response to samuelfromaberdeen

If the status of your CS volume shows Revertible, it may be possible to let Windows see the contained JHFS+ volume.

Reply

Answer 10

Feb 13, 2016 1:54 PM in response to Loner T

When you say "...it may be possible to let..."; do you mean 'it may be possible for me to let...' by first 'reverting' it, or do you mean 'it may be possible for someone else to let...' without my knowlege or permission? From my reading it looked like I would have to run 'diskutil cs revert', thus unwrapping the HFS+ volume, in Terminal on the Mac side to allow access from the Windows side, thus meaning that only someone with my password/encription key could do this. Am I correct?

Reply

Answer 11

Loner T

Level 9

59,471 points

Feb 13, 2016 4:09 PM in response to samuelfromaberdeen

No one else other than you can revert it, because it requires Administrative access to your Mac. The command you list is the correct one.

Here is in example of a Revertible CS LVG/LV.

diskutil cs list

CoreStorage logical volume groups (1 found)

|

+-- Logical Volume Group BA505F54-9967-4941-87E8-46117F75918B

=========================================================

Name: Macintosh HD

Status: Online

Size: 459362963456 B (459.4 GB)

Free Space: 10653696 B (10.7 MB)

|

+-< Physical Volume EC4CFF1A-3069-4530-A16B-394EAEBB3A68

| ----------------------------------------------------

| Index: 0

| Disk: disk0s2

| Status: Online

| Size: 459362963456 B (459.4 GB)

|

+-> Logical Volume Family 3D067CCE-3290-4E38-8FC0-B878D9E9484B

----------------------------------------------------------

Encryption Type: AES-XTS

Encryption Status: Unlocked

Conversion Status: Complete

High Level Queries: Fully Secure

| Passphrase Required

| Accepts New Users

| Has Visible Users

| Has Volume Key

|

+-> Logical Volume 718153C9-E45C-4D8B-BA3A-0FE5DEAA1D8C

---------------------------------------------------

Disk: disk1

Status: Online

Size (Total): 458999988224 B (459.0 GB)

Revertible: Yes (unlock and decryption required)

LV Name: Macintosh HD

Volume Name: Macintosh HD

Content Hint: Apple_HFS

Reply

Answer 12

Feb 14, 2016 9:25 AM in response to Loner T

Thanks very much! My output looked just the same as what you have posted. This is just what I had hoped for - a way of securing the Mac partition that can only be undone with administrative priviledges to the Mac side. Very re-assuring, thanks!

Reply

Answer 13

Loner T

Level 9

59,471 points

Feb 14, 2016 9:28 AM in response to samuelfromaberdeen

Please ensure that you have a good back up for OS X and Windows in place. Also, create a Windows System restore point.

Reply

Answer 14

Feb 15, 2016 5:15 AM in response to Loner T

Yes thanks, I do make frequent back-ups. I've always taken it for granted that if I forgot my password, or if there was a problem with it, my data would be lost unless backed up, and I don't have a problem with that. I'll certainly look into the Windows System restore point too, thanks.

Reply