Date: Thu, 6 Aug 2009 22:14:59 +0200
From: Roland Smith <rsmith@xs4all.nl>
To: Tim Judd <tajudd@gmail.com>
Cc: freebsd-questions@freebsd.org, Nerius Landys <nlandys@gmail.com>
Subject: Re: Physically securing FreeBSD workstations & /boot/boot2
Message-ID: <20090806201459.GA8957@slackbox.xs4all.nl>
In-Reply-To: <ade45ae90908061235t771b40f9qc56a827216cb725e@mail.gmail.com>
References: <560f92640908061135j41f35bfevcd1476ce9ead38a4@mail.gmail.com> <ade45ae90908061235t771b40f9qc56a827216cb725e@mail.gmail.com>

On Thu, Aug 06, 2009 at 01:35:55PM -0600, Tim Judd wrote:
> On 8/6/09, Nerius Landys <nlandys@gmail.com> wrote:
> > Hi. I am attempting to secure some workstations in such a way that a
> > user would not be able to gain full control of the computer (only user
> > access). However, they are able to see and touch the physical
> > workstation. Things I'm trying to avoid, to list a couple of
> > examples:
> >
> > 1. Go to BIOS settings and configure it to boot from CD first, then
> > stick in a CD. To prevent this I've put BIOS to only boot from hard
> > drive and I've password-locked the BIOS.
>
>
> You can't beat physical security. If you have access to the hardware,
> you can TAKE the box, saw it open, unmount the hard drive, slave it
> into another system, mount it as a data drive and steal the info.
> geli encrypting the drive can secure the data on the disk, but they
> have your disk. It's as good as stolen data, even if they are unable
> to decrypt it.
>
>
> After sawing open the case, move the jumper to reset CMOS data, power
> up, change boot order, and boot off CD.
>
> After BIOS is back to normal, stick in a USB drive, boot off the HDD,
> which is self-decrypting the geli encryption, copy the data off, and
> scrub the HDD and install Windows on it. The hacker's OS (Just
> Kidding, all. Little humor is all I'm doing).

You can (and should) set geli up to require a passphrase, instead of or
next to a key-file. Using only a key-file is like sticking a tin-opener
to the tin.

> > 2. Go to loader menu and load (boot kernel) with some custom
> > parameters or something. I've secured the loader menu by
> > password-protecting it (/boot/loader.conf has password) and
> > /boot/loader.conf is not world-readable.
>
> If you can do the above, even booting from alternate medium, no other
> means of security will apply.
>
> > And I'm sure there are other things, I just forgot them.
> >
> > So my question is: Is this [securing of the workstation] worthwhile,
> > or should I just forget about this kind of security? I want to make
> > it so that the only way to gain full control of the computer is by
> > physically opening up the box.
> >
> > I noticed that boot2 brings up a menu like this one when I press space
> > during the initial boot blocks:
> >
> >>> FreeBSD/i386 BOOT
> > Default: 0:ad(0,a)/boot/loader
> > boot:
> >
> > I guess it would be possible to stick in a floppy disk or something
> > and boot from there? So my question is, is this a threat to my plan,
> > and if so, how can I disable this prompt?

Disconnect or remove the floppy. And disable booting from USB devices.

Roland
-- 
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)