[NTLUG:Discuss] Interesting List Stats

Paul Ingendorf pauldy at wantek.net
Wed Jun 23 10:15:45 CDT 2004


You don't have to remove the utility of a machine in order to "lock it
down."  What you do need to do is build the machine with the authorized
applications installed.  Next you allow only the executables that are
currently installed to be run.  Then you set up booting from ide0 only from
within BIOS and password protect it.  The HW abstraction layer should
prevent the primitive CMOS corruption exploits that were common in years
past.  Not allowing applications to be run from external media would prevent
the worry of external applications being run on the system.  For added
paranoia machines can be purchased with locking mechanisms that prevent
removal of the case.  Quite a few of the Dell boxes come with the ability to
add locks to them making the machines tamper resistant.  This forces the
issue of tampering with the machine to destruction of company property which
cannot be argued with on principle like tampering with the software can and
is already covered under most companies in their employee manuals.

To prevent tampering based on exploitable holes in the operating system
itself (assuming winblows boxen) software is available that will create a
separate backup partition on the drive itself that is kept hidden.  On
bootup changes are inspected from the startup partition on the backup.
Files that have been added that are not in the "user's predefined area" are
removed.  Files that have been modified or are missing will be replaced by
their authorized counterparts on the hidden partition.

The final step for the paranoid is to build a cd/dvd with a compressed image
of the software install/build on it.  When you suspect tampering simply drop
the cd in and reinstall the entire box.


-----Original Message-----
From: discuss-bounces at ntlug.org [mailto:discuss-bounces at ntlug.org] On
Behalf Of Alvin Goats
Sent: Monday, June 21, 2004 7:31 PM
To: NTLUG Discussion List
Subject: Re: [NTLUG:Discuss] Interesting List Stats


That makes me curious:

1)  Do you order PCs without CD-R/RW or DVD-R/RW?

2)  How do you secure against USB devices?

3)  Are the PCs set up to have unusable floppy drives or without floppy
drives at all?

As you jack up the paranoia of the security conscious, such devices are a
major concern. I'm curious about fending off USB; the others are more
easily done.

Alvin
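
The boot-time check described in the reply above (remove files added outside the user's predefined area, replace modified or missing files from the hidden copy), as an added example that is not part of either message and is not the software the reply refers to. It assumes the hidden partition is mounted as an ordinary directory; `reconcile`, `files_under`, `demo` and the sample file names are hypothetical.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def files_under(root):
    return {p.relative_to(root) for p in root.rglob("*") if p.is_file()}

def reconcile(live, baseline, user_area):
    """Make `live` match `baseline`; additions under `user_area` are kept."""
    report = {"removed": [], "restored": []}
    authorized = files_under(baseline)
    # Added files outside the user's predefined area are removed.
    for rel in sorted(files_under(live) - authorized):
        if user_area not in rel.parents:
            (live / rel).unlink()
            report["removed"].append(rel.as_posix())
    # Missing or modified files are replaced by the authorized copy.
    # Content hashes are compared because timestamps can be reset.
    for rel in sorted(authorized):
        target = live / rel
        if not target.is_file() or sha256(target) != sha256(baseline / rel):
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(baseline / rel, target)
            report["restored"].append(rel.as_posix())
    return report

def demo():
    """Run reconcile() on constructed sample trees in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        live, base = Path(tmp, "live"), Path(tmp, "baseline")
        for root in (live, base):
            (root / "bin").mkdir(parents=True)
            (root / "bin/app.exe").write_bytes(b"authorized build")
            (root / "bin/lib.dll").write_bytes(b"authorized library")
        (live / "home").mkdir()
        (live / "home/notes.txt").write_text("user data")    # user area: kept
        (live / "bin/app.exe").write_bytes(b"patched build")  # modified
        (live / "bin/lib.dll").unlink()                       # missing
        (live / "bin/dropped.exe").write_bytes(b"unknown")    # added
        report = reconcile(live, base, Path("home"))
        report["after"] = sorted(p.as_posix() for p in files_under(live))
        report["clean"] = all(sha256(live / r) == sha256(base / r)
                              for r in files_under(base))
        return report

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the baseline copy, so the baseline has to be unwritable from the running system, which is what the hidden partition in the reply is for.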




