On Thu, Aug 06, 2009 at 01:35:55PM -0600, Tim Judd wrote:
> On 8/6/09, Nerius Landys <nlan...@gmail.com> wrote:
> > Hi. I am attempting to secure some workstations in such a way that a
> > user would not be able to gain full control of the computer (only user
> > access). However, they are able to see and touch the physical
> > workstation. Things I'm trying to avoid, to list a couple of
> > examples:
> >
> > 1. Go to BIOS settings and configure it to boot from CD first, then
> > stick in a CD. To prevent this I've put BIOS to only boot from hard
> > drive and I've password-locked the BIOS.
>
>
> You can't beat physical security. If you have access to the hardware,
> you can TAKE the box, saw it open, unmount the hard drive, slave it
> into another system, mount it as a data drive and steal the info.
> geli encrypting the drive can secure the data on the disk, but they
> have your disk. It's as good as stolen data, even if they are unable
> to decrypt it.
>
>
> After sawing open the case, move the jumper to reset CMOS data, power
> up, change boot order, and boot off CD.
>
> After BIOS is back to normal, stick in a USB drive, boot off the HDD,
> which is self-decrypting the geli encryption, copy the data off, and
> scrub the HDD and install Windows on it. The hacker's OS (Just
> Kidding, all. Little humor is all I'm doing).

You can (and should) set geli up to require a passphrase, instead of or next
to a key-file. Using only a key-file is like sticking a tin-opener to the tin.

> > 2. Go to loader menu and load (boot kernel) with some custom
> > parameters or something. I've secured the loader menu by
> > password-protecting it (/boot/loader.conf has password) and
> > /boot/loader.conf is not world-readable.
>
> If you can do the above, even booting from alternate medium, no other
> means of security will apply.
>
> > And I'm sure there are other things, I just forgot them.
> >
> > So my question is: Is this [securing of the workstation] worthwhile,
> > or should I just forget about this kind of security? I want to make
> > it so that the only way to gain full control of the computer is by
> > physically opening up the box.
> >
> > I noticed that boot2 brings up a menu like this one when I press space
> > during the initial boot blocks:
> >
> > >> FreeBSD/i386 BOOT
> > Default: 0:ad(0,a)/boot/loader
> > boot:
> >
> > I guess it would be possible to stick in a floppy disk or something
> > and boot from there? So my question is, is this a threat to my plan,
> > and if so, how can I disable this prompt?

Disconnect or remove the floppy. And disable booting from USB devices.

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
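
The loader setup described in item 2 of the question (a password in /boot/loader.conf, with the file not world-readable) can be checked with a script like the one below. This is an added example and not part of the original messages; the function name `audit_loader_conf` and its finding labels are hypothetical, and it assumes the last `password=` assignment in the file is the one in effect.

```shell
#!/bin/sh
# Added example: audit a loader.conf for the two properties named in the
# thread: a loader password is set, and the file is not world-readable.
# Function name and finding labels are hypothetical (not FreeBSD tooling).

# audit_loader_conf FILE
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_loader_conf() {
    conf=$1
    findings=0

    if [ ! -f "$conf" ]; then
        echo "MISSING: $conf does not exist"
        return 1
    fi

    # "Other read" bit set: any local user can read the loader password.
    if [ -n "$(find "$conf" -prune -perm -004 2>/dev/null)" ]; then
        echo "WORLD_READABLE: $conf"
        findings=1
    fi

    # Group- or world-writable: a non-root user could remove the password.
    if [ -n "$(find "$conf" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "WRITABLE: $conf"
        findings=1
    fi

    # Last uncommented password= line (assumed to win); strip key and quotes.
    pw=$(sed -n 's/^[[:space:]]*password[[:space:]]*=[[:space:]]*//p' "$conf" |
         tail -n 1 | sed 's/[[:space:]]*$//; s/^"//; s/"$//')
    if [ -z "$pw" ]; then
        echo "NO_PASSWORD: $conf"
        findings=1
    fi

    return "$findings"
}

# Run against the real file only when invoked with an argument, e.g.:
#   sh audit.sh /boot/loader.conf
if [ "$#" -gt 0 ]; then
    audit_loader_conf "$1"
fi
```

A clean result only covers the loader prompt; as the replies above point out, it does nothing against someone who opens the case or resets the BIOS.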