From owner-freebsd-questions@FreeBSD.ORG Thu Aug 6 19:35:55 2009
Date: Thu, 6 Aug 2009 13:35:55 -0600
From: Tim Judd
To: Nerius Landys
Cc: freebsd-questions@freebsd.org
Subject: Re: Physically securing FreeBSD workstations & /boot/boot2
In-Reply-To: <560f92640908061135j41f35bfevcd1476ce9ead38a4@mail.gmail.com>

On 8/6/09, Nerius Landys wrote:
> Hi. I am attempting to secure some workstations in such a way that a
> user would not be able to gain full control of the computer (only user
> access). However, they are able to see and touch the physical
> workstation. Things I'm trying to avoid, to list a couple of
> examples:
>
> 1. Go to BIOS settings and configure it to boot from CD first, then
> stick in a CD. To prevent this I've put BIOS to only boot from hard
> drive and I've password-locked the BIOS.

You can't beat physical security. If you have access to the hardware, you can TAKE the box, saw it open, unmount the hard drive, slave it into another system, mount it as a data drive and steal the info. geli encrypting the drive can secure the data on the disk, but they have your disk. It's as good as stolen data, even if they are unable to decrypt it.

After sawing open the case, move the jumper to reset CMOS data, power up, change boot order, and boot off CD. After BIOS is back to normal, stick in a USB drive, boot off the HDD, which is self-decrypting the geli encryption, copy the data off, and scrub the HDD and install Windows on it. The hacker's OS (Just Kidding, all. Little humor is all I'm doing).

> 2. Go to loader menu and load (boot kernel) with some custom
> parameters or something. I've secured the loader menu by
> password-protecting it (/boot/loader.conf has password) and
> /boot/loader.conf is not world-readable.

If you can do the above, even booting from alternate medium, no other means of security will apply.

> And I'm sure there are other things, I just forgot them.
>
> So my question is: Is this [securing of the workstation] worthwhile,
> or should I just forget about this kind of security? I want to make
> it so that the only way to gain full control of the computer is by
> physically opening up the box.
>
> I noticed that boot2 brings up a menu like this one when I press space
> during the initial boot blocks:
>
>>> FreeBSD/i386 BOOT
> Default: 0:ad(0,a)/boot/loader
> boot:
>
> I guess it would be possible to stick in a floppy disk or something
> and boot from there? So my question is, is this a threat to my plan,
> and if so, how can I disable this prompt?

Only security in these days is to physically secure the box and leave it off the network. Flaws and security problems will always allow unauthorized access. But a computer that's not on the network is of no use. So it's a lose-lose situation.

Best effort is to know your people, and either trust them, or fire them.

--TJ
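Whatever the answer on physical access, the loader protections Nerius describes are only worth anything if they are actually in place. The following is an added example, not code from either poster: a POSIX sh audit of a loader.conf(5) file that checks for the loader(8) variables `password` (protects the interactive loader prompt) and `bootlock_password` (required before the loader will boot at all), both from the FreeBSD manual pages, and checks that the file is not world-readable; the sample files it runs on are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread: audit a FreeBSD loader.conf(5)
# for the loader(8) variables "password" (interactive prompt) and
# "bootlock_password" (required before anything boots).  A password in a
# world-readable file protects nothing, so the file mode is checked too.

# loader_var FILE NAME: print NAME's value with quotes stripped (last
# assignment wins, comment lines ignored) or an empty line if unset.
loader_var() {
    awk -v key="$2" '
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            v = $0
            sub(/^[^=]*=/, "", v)                     # drop "name="
            sub(/^[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            sub(/^"/, "", v);      sub(/"$/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# audit_loader_conf [FILE]: print findings; return 0 only when the loader
# prompt is password-protected and the file is not world-readable.
audit_loader_conf() {
    conf=${1:-/boot/loader.conf}
    ok=0
    [ -f "$conf" ] || { echo "FAIL: $conf does not exist"; return 1; }
    if [ -z "$(loader_var "$conf" password)" ]; then
        echo "FAIL: $conf: 'password' unset; loader prompt is open at the console"
        ok=1
    fi
    if [ -z "$(loader_var "$conf" bootlock_password)" ]; then
        echo "INFO: $conf: 'bootlock_password' unset; default kernel boots unchallenged"
    fi
    # POSIX find(1): -perm -004 matches when "other" has read permission.
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo "FAIL: $conf is world-readable; any password in it is exposed"
        ok=1
    fi
    [ "$ok" -eq 0 ] && echo "OK: $conf"
    return "$ok"
}

# Demo on constructed sample files, not a real workstation's config.
tmp=$(mktemp -d)
printf 'autoboot_delay="10"\n' > "$tmp/weak.conf"; chmod 644 "$tmp/weak.conf"
printf '# hardened\npassword="example-only"\n' > "$tmp/hard.conf"; chmod 600 "$tmp/hard.conf"
for f in "$tmp/weak.conf" "$tmp/hard.conf"; do audit_loader_conf "$f" || true; done
rm -rf "$tmp"
```

Run it as root against the real /boot/loader.conf with no argument; a non-zero exit status means at least one of the two checks failed.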