From: Roland Smith <rsmith@xs4all.nl>
To: Tim Judd
Cc: freebsd-questions@freebsd.org, Nerius Landys
Subject: Re: Physically securing FreeBSD workstations & /boot/boot2
Date: Thu, 6 Aug 2009 22:14:59 +0200
Message-ID: <20090806201459.GA8957@slackbox.xs4all.nl>
References: <560f92640908061135j41f35bfevcd1476ce9ead38a4@mail.gmail.com>
User-Agent: Mutt/1.5.20 (2009-06-14)
X-GPG-Fingerprint: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725
X-GPG-Key: http://www.xs4all.nl/~rsmith/pubkey.txt
X-GPG-Notice: If this message is not signed, don't assume I sent it!

On Thu, Aug 06, 2009 at 01:35:55PM -0600, Tim Judd wrote:
> On 8/6/09, Nerius Landys wrote:
> > Hi. I am attempting to secure some workstations in such a way that a
> > user would not be able to gain full control of the computer (only user
> > access). However, they are able to see and touch the physical
> > workstation. Things I'm trying to avoid, to list a couple of
> > examples:
> >
> > 1. Go to BIOS settings and configure it to boot from CD first, then
> > stick in a CD. To prevent this I've put BIOS to only boot from hard
> > drive and I've password-locked the BIOS.
>
>
> You can't beat physical security. If you have access to the hardware,
> you can TAKE the box, saw it open, unmount the hard drive, slave it
> into another system, mount it as a data drive and steal the info.
> geli encrypting the drive can secure the data on the disk, but they
> have your disk. It's as good as stolen data, even if they are unable
> to decrypt it.
>
>
> After sawing open the case, move the jumper to reset CMOS data, power
> up, change boot order, and boot off CD.
>
> After BIOS is back to normal, stick in a USB drive, boot off the HDD,
> which is self-decrypting the geli encryption, copy the data off, and
> scrub the HDD and install Windows on it. The hacker's OS (Just
> Kidding, all. Little humor is all I'm doing).

You can (and should) set geli up to require a passphrase, instead of or
next to a key-file. Using only a key-file is like sticking a tin-opener
to the tin.

> > 2. Go to loader menu and load (boot kernel) with some custom
> > parameters or something. I've secured the loader menu by
> > password-protecting it (/boot/loader.conf has password) and
> > /boot/loader.conf is not world-readable.
>
> If you can do the above, even booting from alternate medium, no other
> means of security will apply.
>
> > And I'm sure there are other things, I just forgot them.
> >
> > So my question is: Is this [securing of the workstation] worthwhile,
> > or should I just forget about this kind of security? I want to make
> > it so that the only way to gain full control of the computer is by
> > physically opening up the box.
> >
> > I noticed that boot2 brings up a menu like this one when I press space
> > during the initial boot blocks:
> >
> > >> FreeBSD/i386 BOOT
> > Default: 0:ad(0,a)/boot/loader
> > boot:
> >
> > I guess it would be possible to stick in a floppy disk or something
> > and boot from there? So my question is, is this a threat to my plan,
> > and if so, how can I disable this prompt?

Disconnect or remove the floppy. And disable booting from USB devices.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
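An added example, written by the editor and not posted by Roland, Tim or Nerius: a POSIX sh audit of the two host-side settings the thread turns on. It checks that /boot/loader.conf really does carry a loader password and is not world-readable (otherwise every local user can read the password Nerius set), and that no geli device attached from rc.conf is set up key-file-only, which is what Roland's tin-opener remark is about. The keywords come from loader.conf(5) (`password`, `bootlock_password`), rc.conf(5) (`geli_devices`, `geli_<dev>_flags`) and geli(8) (`attach -p` drops the passphrase component); the function names and the sample files are constructed for the example and do not come from any real system.

```shell
#!/bin/sh
# Added example for the thread above (not code posted by any participant).
# Offline audit of two settings discussed in the thread, run against
# constructed sample files:
#   1. /boot/loader.conf carries a boot-menu password and is not
#      world-readable (loader.conf(5) keywords 'password' and
#      'bootlock_password').
#   2. geli devices attached from rc.conf still require a passphrase,
#      i.e. no geli_<dev>_flags line passes 'geli attach -p', which drops
#      the passphrase component and leaves a key file as the only secret.
# Function names and sample contents are the editor's; the keywords come
# from loader.conf(5), rc.conf(5) and geli(8).

# loader_conf_ok FILE: return 0 if FILE sets a loader password and denies
# read access to 'others'; return 1 (with a reason on stderr) otherwise.
loader_conf_ok() {
    f="$1"
    if ! grep -Eq '^[[:space:]]*(bootlock_)?password="[^"]+"' "$f"; then
        echo "$f: no loader password set" >&2
        return 1
    fi
    # Column 8 of 'ls -l' is the world-read bit; this works with both
    # BSD and GNU ls, unlike stat(1), whose flags differ between them.
    if [ "$(ls -ld "$f" | cut -c8)" = "r" ]; then
        echo "$f: world-readable, so the loader password is no secret" >&2
        return 1
    fi
    return 0
}

# geli_requires_passphrase FILE: return 0 unless some geli_*_flags line in
# FILE (an rc.conf) contains the attach flag -p, in which case return 1.
geli_requires_passphrase() {
    f="$1"
    if grep -E '^[[:space:]]*geli_[A-Za-z0-9_]+_flags=' "$f" \
        | grep -Eq '(^|[[:space:]"])-p([[:space:]"]|$)'; then
        echo "$f: geli attach -p found: key file only, no passphrase" >&2
        return 1
    fi
    return 0
}

# audit LOADER_CONF RC_CONF: run both checks; return 0 only if both pass.
audit() {
    rc=0
    loader_conf_ok "$1" || rc=1
    geli_requires_passphrase "$2" || rc=1
    return $rc
}

# Constructed sample files (not from a real system) showing the weak and
# the corrected form of each setting.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/bootaudit.XXXXXX") || return 1
    printf 'password="correct horse"\nautoboot_delay="3"\n' > "$d/loader.conf"
    chmod 644 "$d/loader.conf"          # weak: any local user can read it
    printf 'geli_devices="ada0p3"\ngeli_ada0p3_flags="-p -k /etc/geli/ada0p3.key"\n' \
        > "$d/rc.conf"                  # weak: key file only, no passphrase
    if audit "$d/loader.conf" "$d/rc.conf"; then echo "weak config passed?!"; fi

    chmod 600 "$d/loader.conf"          # fixed: root-only
    printf 'geli_devices="ada0p3"\ngeli_ada0p3_flags="-k /etc/geli/ada0p3.key"\n' \
        > "$d/rc.conf"                  # fixed: key file plus passphrase prompt
    if audit "$d/loader.conf" "$d/rc.conf"; then echo "hardened config passes"; fi
    rm -rf "$d"
}

demo
```

Run it as root on the workstation with `audit /boot/loader.conf /etc/rc.conf` to check the live files; the demo only exercises the constructed samples. Note that this says nothing about the attacker Tim describes, who resets the CMOS and boots other media: a passphrase-protected geli provider keeps the data unreadable in that case, while the loader password only stops people who are going through the installed boot chain.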