I recently received a call from a client whom I have worked with on prior occasions. Their business is growing and they wanted me to draft a series of options that could be implemented to prevent employees from damaging critical computers in the workplace. Simple – control access via group policy settings and other OS safeguards.
During the conversation, however, I could not help but think about what could be done to prohibit physical access and threats to critical computers. Here is what I came up with – much of it is off the wall, but it should get you thinking nonetheless…
The obvious solutions would be to either unplug the computer or remove the power supply from the chassis. The downside of both solutions is that they render the computer inoperable, which is of no use to the client, and both are easily circumvented.
Moving beyond the obvious, here are some basic steps to limit physical access to critical computers:
- Locate the computer in a facility that has controlled access, i.e. strong physical locks.
- Limit means of ingress and egress to the bare functional minimums required by the room or facility.
- Use all hardening functionality built into the specific OS. Yes, even Windows XP can be locked down pretty tight.
- Generate strong passwords and use them everywhere to further protect the system, i.e. logins, logouts, data directories, etc.
- Encrypt any data that cannot be risked to unauthorized exposure.
Beyond the initial steps outlined above, further steps could be taken for even greater system protection. Please note, many of the recommendations that follow are excessive and will ultimately limit the functionality of the computer. Proceed with caution…
1. Unplug the network cable connecting this machine to your network and fill the network port with epoxy. This makes sense if and only if the machine will run as a stand-alone computer while deployed in a production environment. This scenario is not that likely.
2. Physically remove the floppy, CD, and DVD drives from the machine. As with #1 above, this makes sense if and only if the machine will run as an isolated, stand-alone computer while deployed in a production environment. Drive removal should occur only after the computer has been configured to the final production state.
3. If implementing #2, then also consider filling all USB and FireWire ports with epoxy. Again, perform this step only after final stand-alone configuration is complete. If completely nonfunctional USB ports are not an option, then you may temporarily disable USB port functionality with one of the following methods:
   - Lock down the USB ports in the BIOS. Be sure to password protect the BIOS with a strong password, which can be generated here.
   - Lock down via registry hacks (see: http://support.microsoft.com/default.aspx?scid=kb;en-us;823732)
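The registry method from the KB article linked above can be scripted so the setting is audited as well as applied. This is an added example, not part of the original post; it assumes the `USBSTOR` service key and `Start` values (3 = enabled, 4 = disabled) described in that KB article, and the `-Enforce` switch is a name chosen here for illustration.

```powershell
# Added example: audit, and optionally disable, the USB mass-storage driver.
# Run from an elevated prompt. Key and values are those described in KB 823732:
# Start = 3 lets the driver load on demand, Start = 4 disables it.
param(
    [switch]$Enforce   # hypothetical switch: without it the script only reports
)

$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$disabled = 4

if (-not (Test-Path $key)) {
    # The service key may be absent if no USB storage device was ever installed.
    # The KB covers that case with deny permissions on the driver's .inf/.pnf files.
    Write-Output "USBSTOR key not present: nothing to change in the registry."
    return
}

$current = (Get-ItemProperty -Path $key -Name Start).Start
Write-Output "USBSTOR Start is currently $current"

if ($current -eq $disabled) {
    Write-Output "USB mass storage is already disabled."
}
elseif ($Enforce) {
    Set-ItemProperty -Path $key -Name Start -Value $disabled
    # Read the value back so a silent failure does not pass as success.
    $after = (Get-ItemProperty -Path $key -Name Start).Start
    if ($after -ne $disabled) { throw "Start is $after, expected $disabled." }
    Write-Output "USB mass storage disabled. Previous value was $current."
}
else {
    Write-Output "USB mass storage is ENABLED. Re-run with -Enforce to disable it."
}
```

This only stops the mass-storage driver from loading; USB keyboards and mice keep working, and anyone with administrative rights can set the value back, which is why it belongs alongside the BIOS lock and OS hardening rather than in place of them.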
At the end of the day, the safety of the data housed within these mission critical systems is why users are concerned about controlling physical access to the computer. So far, everything suggested does limit one’s ability to access the data. However, we have not examined how to protect the medium that houses the data, i.e. the hard and solid state drives within the computer itself. If someone can physically access these drives, then all prior preventative steps are for naught. How does one control access to the internal drives? For laptops, try the following:
- If you are using a laptop, access to the internal drives could be discouraged by using a high-strength threadlock compound on all case screws, e.g. Loctite 277 Threadlocker. Access could be further, if not severely, discouraged by using a high-strength epoxy on all case screws and all seams on the case, e.g. Devcon 2-Ton Epoxy.
- If you are going to be using epoxy to seal the case, you might as well go ahead and use the same epoxy to secure the hard drive to the motherboard connector, thereby discouraging access and tampering even more.
If the system is a server or workstation, try these steps instead:
- Swap out any exterior thumb screws with screws that employ less common heads, i.e. Torx or tamper-resistant heads.
- Employing physical locks on the chassis and utilizing any onboard intrusion-detection systems of the motherboard will discourage tampering with the drives.
- As with the laptop above, using a high-strength threadlock compound or epoxy on the case screws and seams will further discourage physical access to the hard drives inside the computer chassis.
- Additionally, securing the SATA or IDE cable connectors to both the motherboard and the hard drive or solid state drive with epoxy will add yet another layer of frustration.
- Mounting the hard drive or solid state drive to the chassis with epoxy provides another layer of security.
- Bolting the chassis to the floor or wall of the room will visually frustrate anyone attempting to tamper with the drives inside.
What I outlined above is engineered to frustrate and discourage anyone trying to tamper with critical computing systems. It is not exhaustive by any means, as it omits, for example, techniques that could be used to fortify the structure housing the computer. Is this guide practical for most? No. Will it deter all but the most determined individuals? Yes.
DISCLAIMER: The above is not intended to be an exhaustive guide to physical computer security. Rather, the recommendations listed above are intended to provide a framework upon which a suitable security solution can be designed for your particular situation.