Date:      Thu, 6 Aug 2009 22:14:59 +0200
From:      Roland Smith <rsmith@xs4all.nl>
To:        Tim Judd <tajudd@gmail.com>
Cc:        freebsd-questions@freebsd.org, Nerius Landys <nlandys@gmail.com>
Subject:   Re: Physically securing FreeBSD workstations & /boot/boot2
Message-ID:  <20090806201459.GA8957@slackbox.xs4all.nl>
In-Reply-To: <ade45ae90908061235t771b40f9qc56a827216cb725e@mail.gmail.com>
References:  <560f92640908061135j41f35bfevcd1476ce9ead38a4@mail.gmail.com> <ade45ae90908061235t771b40f9qc56a827216cb725e@mail.gmail.com>



On Thu, Aug 06, 2009 at 01:35:55PM -0600, Tim Judd wrote:
> On 8/6/09, Nerius Landys <nlandys@gmail.com> wrote:
> > Hi.  I am attempting to secure some workstations in such a way that a
> > user would not be able to gain full control of the computer (only user
> > access). However, they are able to see and touch the physical
> > workstation.  Things I'm trying to avoid, to list a couple of
> > examples:
> >
> > 1. Go to BIOS settings and configure it to boot from CD first, then
> > stick in a CD.  To prevent this I've put BIOS to only boot from hard
> > drive and I've password-locked the BIOS.
>
> You can't beat physical security.  If you have access to the hardware,
> you can TAKE the box, saw it open, unmount the hard drive, slave it
> into another system, mount it as a data drive and steal the info.
> geli encrypting the drive can secure the data on the disk, but they
> have your disk.  It's as good as stolen data, even if they are unable
> to decrypt it.
>
> After sawing open the case, move the jumper to reset CMOS data, power
> up, change boot order, and boot off CD.
>
> After BIOS is back to normal, stick in a USB drive, boot off the HDD,
> which is self-decrypting the geli encryption, copy the data off, and
> scrub the HDD and install Windows on it.  The hacker's OS  (Just
> Kidding, all.  Little humor is all I'm doing).

You can (and should) set geli up to require a passphrase, instead of or
next to a key-file. Using only a key-file is like sticking a tin-opener
to the tin.

> > 2. Go to loader menu and load (boot kernel) with some custom
> > parameters or something.  I've secured the loader menu by
> > password-protecting it (/boot/loader.conf has password) and
> > /boot/loader.conf is not world-readable.
>
> If you can do the above, even booting from alternate medium, no other
> means of security will apply.
>
> > And I'm sure there are other things, I just forgot them.
> >
> > So my question is: Is this [securing of the workstation] worthwhile,
> > or should I just forget about this kind of security?  I want to make
> > it so that the only way to gain full control of the computer is by
> > physically opening up the box.
> >
> > I noticed that boot2 brings up a menu like this one when I press space
> > during the initial boot blocks:
> >
> > >> FreeBSD/i386 BOOT
> > Default: 0:ad(0,a)/boot/loader
> > boot:
> >
> > I guess it would be possible to stick in a floppy disk or something
> > and boot from there?  So my question is, is this a threat to my plan,
> > and if so, how can I disable this prompt?

Disconnect or remove the floppy. And disable booting from USB devices.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
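
The passphrase advice in the message above, turned into a check. This is an added example, not part of the original e-mail: it lists providers in an rc.conf-style file whose `geli_<dev>_flags` pass `-p` to `geli attach`, meaning the key-file alone unlocks the disk. The function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original message): find geli providers that
# attach with a key-file only, i.e. whose attach flags include -p.

# has_no_passphrase FLAGS... -> exit 0 if geli attach's -p is among the flags.
# Handles clustered options (-dp) and skips the arguments of -k, -j and -n.
has_no_passphrase() {
    while [ $# -gt 0 ]; do
        case $1 in
            -?*) cluster=${1#-} ;;
            *)   shift; continue ;;
        esac
        shift
        while [ -n "$cluster" ]; do
            rest=${cluster#?}
            opt=${cluster%"$rest"}      # first option letter of the cluster
            cluster=$rest
            case $opt in
                p) return 0 ;;
                k|j|n)                  # argument: rest of cluster or next word
                    if [ -z "$cluster" ] && [ $# -gt 0 ]; then shift; fi
                    cluster= ;;
            esac
        done
    done
    return 1
}

# keyfile_only_providers < rc.conf -> one provider name per line.
keyfile_only_providers() {
    sed -n 's/^geli_\([A-Za-z0-9_]*\)_flags="\(.*\)"[[:space:]]*$/\1 \2/p' |
    ( set -f                            # no globbing while word-splitting flags
      while read -r dev flags; do
          if has_no_passphrase $flags; then echo "$dev"; fi
      done )
}

# Constructed sample configuration; device names and paths are made up.
sample_rc_conf() {
    cat <<'EOF'
geli_devices="ad0s1d ad0s1e ad1 ad2"
geli_ad0s1d_flags="-p -k /root/ad0s1d.key"
geli_ad0s1e_flags="-k /root/ad0s1e.key"
geli_ad1_flags="-dk /root/ad1.key"
geli_ad2_flags="-dp -k /root/ad2.key"
EOF
}

sample_rc_conf | keyfile_only_providers
```

On a real system the input would be `keyfile_only_providers < /etc/rc.conf`; any provider it prints can be unlocked by whoever holds the disk and the key-file together.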
