Educause Security Discussion mailing list archives

Re: Deepfreeze - Why not?


From: Tim Doty <tdoty () MST EDU>
Date: Fri, 18 Nov 2011 12:17:18 -0600

On Thu, 2011-11-17 at 22:17 -0500, Mclaughlin, Kevin (mclaugkl) wrote:
> I wonder if it would be worthwhile to tie this thread into thought
> discussions on the large scale relatively undiscovered theft and
> siphoning off of intellectual property from IHEs.

In this context it would depend on what access to IP was possible
through the lab machine and how such activity would be identified,
substantiated and tracked. Our labs all require authentication (central
logging provides tracking) and have no more access to IP than a random
computer on the Internet, excepting the journals.

And access to the journals is tracked via network activity and tied to
an account via authentication. None of which depends on the local
machine (other than it being in our domain forcing use of our
authentication).

A greater risk from that viewpoint is the fact that the network jacks
are not secured and a miscreant can bring in their own computing device,
connect it to the network, hand-configure the MAC address to match the
computer they disconnected, take over its DHCP lease and leave us with
no authentication records. (Though I've not seen or heard of anyone
manipulating the DHCP client ID, which has allowed identifying the
culprit when the culprit's system was normally used on our network, and
some Windows systems end up being configured such that you get the
user's name.)

That approach is difficult to protect against. You can have cameras, but
they are easily defeated (dark green hoodie, low light conditions) even
if unintentionally (there was a theft where the only precaution the person
took was turning out the lights; too bad for him we use IR cameras, too
bad for us the resolution and frame rate never quite matched up with a
frame good enough for an identification).


> I guess what I am really stuck on and trying to figure out is whether
> or not we continue to make decisions of convenience to/for IT when
> those decisions may be ones that make it easier for the bad guys to
> access data and infrastructure that we don't want them to access?

That is a good point. While I don't think that is so much an issue in
this particular case, it is always one to consider. If convenience rules,
security is often the first victim, even if unintended.

> I'm not saying that this is happening but my gut tells me that it's
> worth taking a good hard look at.

We don't use DeepFreeze, but even if we did there are very few instances
in which it would impact anything. There was an e-discovery, for example,
that would have been less useful to the requestor. Not sure what impact
it would really have made on the case as a whole, and certainly it would
have been something that they would have just accepted (at least in that
case).

Because we use roaming profiles in the labs and students don't have
admin privileges, files of interest are often not local to the machine
and would be unaffected.

Authentication is logged by the domain controllers so we can always tie
account authentication to a system by time. Similarly, netflow provides
a certain amount of tracking for network activity. Server logs and
netflow are my best tools when tracking down misbehavior.

> However, if forensic tools and carving still work on a DeepFreeze
> machine then most of my arguments and concerns are moot. Would anyone
> on the thread who uses DeepFreeze be willing to run an image through
> FTK or send me an image to run through FTK so we could see what
> results we get?

That would be an interesting exercise. But in the end I just don't see
DeepFreeze adding up to that much of an issue for lab computers.

Tim Doty
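One way to put the DHCP client-ID observation above to use, as an added example that is not from this thread or from any product it mentions: the dhcpd.leases-style records below are constructed, and the parser and check are mine. A MAC address first seen with one client identifier and hostname and later seen with a different pair is what a borrowed MAC leaves behind in the lease history, so the check flags exactly that.

```python
import re

# Constructed records in the ISC dhcpd.leases style (not a real capture).
# The second record reuses LAB-PC-07's MAC but presents another uid/hostname.
LEASES = """
lease 10.20.30.17 {
  starts 4 2011/11/17 09:02:11;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  uid "\\001\\000\\032+<M^";
  client-hostname "LAB-PC-07";
}
lease 10.20.30.17 {
  starts 4 2011/11/17 21:45:03;
  hardware ethernet 00:1A:2B:3C:4D:5E;
  uid "\\001\\330\\363B\\244\\021\\012";
  client-hostname "jsmith-laptop";
}
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>\S+)\s*\{(?P<body>.*?)\}", re.S)
FIELDS = {
    "starts": r"starts\s+\d\s+([\d/]+ [\d:]+);",
    "mac": r"hardware ethernet\s+([0-9a-fA-F:]+);",
    "uid": r'uid\s+"([^"]*)";',
    "hostname": r'client-hostname\s+"([^"]*)";',
}

def parse_leases(text):
    """Return one dict per lease record, in file order (missing fields -> None)."""
    leases = []
    for m in LEASE_RE.finditer(text):
        rec = {"ip": m.group("ip")}
        for key, pat in FIELDS.items():
            f = re.search(pat, m.group("body"))
            rec[key] = f.group(1) if f else None
        leases.append(rec)
    return leases

def find_identity_changes(leases):
    """Flag leases whose MAC was first seen with a different (uid, hostname)
    pair: the hardware address was kept, the client's own identity was not."""
    baseline, alerts = {}, []
    for rec in leases:
        ident = (rec["uid"], rec["hostname"])
        mac = (rec["mac"] or "").lower()        # normalise case before comparing
        first = baseline.setdefault(mac, ident)  # first sighting is the baseline
        if ident != first:
            alerts.append({"mac": mac, "ip": rec["ip"], "starts": rec["starts"],
                           "expected": first, "seen": ident})
    return alerts
```

Run it against a real leases file by reading the file into `LEASES`; the alert carries the lease start time so it can be lined up with authentication logs and netflow for that address.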
