Linux.com

Lock the box, too!

Posted by: Administrator on July 20, 2004 11:53 PM
Good tips, but you forgot to let them know that, even with password-protecting the BIOS, you really need to have the system's case locked as well.

If not, a user could simply open it up and reset the BIOS via the jumper. If they had a clue, they would then be able to reconfigure the BIOS as it was, only without the password. Once that's done, they could modify the boot order at will, enabling them to load a live CD configured with their own security settings (and more), resetting the device boot-order back to the way it was when they're done. Until you need to actually go into the BIOS yourself and discover that a password is no longer needed (or even sneakier, they set a different password so you will think that you must have changed it, but have now forgotten it), you probably wouldn't even know.

If you can't securely lock the system away, there will always be local-access vulnerabilities exposed, but you could at least lock down the case with a physical lock (some systems allow for this, and don't use a cheap dime-store lock that can be picked with a paper clip!). For those cases that don't provision for a case lock, there are after-market ones available.

Anyway, just my .02. Good basics, though!

Return to How to harden GNU/Linux against local intrusions