Vulnerability Development mailing list archives

Windows: Local Security Workarounds - Other operating systems?


From: whitevampire () MINDLESS COM (WHiTe VaMPiRe)
Date: Thu, 6 Apr 2000 17:06:13 -0400


        We have largely discussed the security, or lack thereof, when
having complete physical access to a machine (specifically Windows 9x in
this case); I will summarize what we have determined from this
discussion.

        The BIOS password can easily be circumvented physically via
opening the case and removing the battery or changing a jumper, this
being the last chance scenario.  Many BIOSes have either backdoor
passwords, or ways to be reset via a key combination (specifically
the END key), and quite easily via software to manipulate the password
protection.

        Totally disabling security methods implemented could easily be
done once DOS is accessed, usually after bypassing the BIOS
password, using a boot disk, or selecting DOS from the startup 
menu if possible (f8).  After that, you could modify the registry,
autoexec.bat, or other startup files that are enabling the security
policies.

        Working past security methods implemented by administrators is
generally done via third party software (or software not directly
related to the operating system).  You could use scripting via Office,
manipulating files via a Web browser, via Winzip, or other third party
software.

        In short, if you have physical access, the security methods
might as well not exist.  (Generally applicable to all operating
systems.)

        To any administrator, if you are concerned about physical
security, the best method would most likely be locking the system in
some sort of cabinet or other room, depending upon your options.  Also,
disabling certain keys on the keyboard would largely limit the
options.  You could always use a dumb terminal-based serial
setup.  (Depending upon your OS of choice, I suppose.  There are most
likely solutions for many operating systems.)

        If the software security policies are not well thought out and
well implemented, then even if the physical machine is locked away it
will make little difference.

        Some good software policies are to disable booting of disks,
other devices, et cetera.  Enable a BIOS password (although
more a limited deterrent than anything else.)  Perhaps even have some
sort of password enabled using the MBR (I know LILO supports
this.)  Have some sort of software preventing the access of DOS via
breaking the autoexec.bat, using the startup menu, or other such common
methods.  Largely disabling access to the main hard-drive, and available
software.  Most Internet stations need a (limited) Web browser and
perhaps a simple text editor.  If the software is not needed, do not
have it installed, and especially do not have it accessible if not
needed.  Same basic remote access security policies apply, which I will
not cover.  In Windows, disabling the start menu, right click on desktop
(and most shortcuts/software/whatever) is also a good policy.

        You should also, of course, keep the system(s) up to date with
the latest hot-fixes, security fixes, bug fixes, and software
updates.  If you have vulnerable software, it obviously compromises the
software aspect of your security policies.

        There are many, many, other things you can do.  Those are just
some good general recommendations, and most are easily bypassed (as
covered above) if a person has complete physical access.

        These main recommendations are mainly for a public workstation
of sorts, with data of no concern on the machine.  If sensitive data was
on the machine, somebody could also steal the hard drive.  I could
ramble on about this for a bit more, but I will stop here.  I am also
not covering this aspect in this posting.

        I apologize for not directly crediting each contributor to this
discussion, but so many people voiced the same opinions and searching
through all the old postings is simply beyond my available time.  This
summary is from memory; if I forgot anything, please feel free to point
out my errata or add to my summary.

        To continue this discussion, why not cover other operating
systems?  Specifically Windows NT, or Windows 2000, which is not as
easily bypassed as 9x.

        Unix-based operating systems typically require a boot disk of sorts
to bypass the superuser password.  Depending on the security methods
implemented, this can also be prevented.  This is another area that
could be discussed.

Regards,

-- 
    __      ______   ____
   /  \    /  \   \ /   / WHiTe VaMPiRe\Rem
   \   \/\/   /\   Y   /  whitevampire () mindless com
    \        /  \     /   http://www.projectgamma.com/
     \__/\  /    \___/    http://www.gammaforce.org/
          \/ "Silly hacker, root is for administrators."

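An added illustration of the Windows-side policies the post recommends (this is not part of the original message): a REGEDIT4 file that sets the Windows 9x Explorer and System policy values which remove Run, the shell context menus, Shut Down and regedit, hide C:, and allow-list only a browser and a text editor. The value names are the ones the Windows 9x System Policy Editor writes; the two allow-listed executables are assumed choices for a kiosk.

```reg
REGEDIT4

; Per-user Explorer restrictions. They only bind a logged-on Explorer
; session: as the post explains, anyone who reaches DOS or boots from a
; disk can simply delete them, so they complement physical controls,
; they do not replace them.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
; Remove Run from the Start menu
"NoRun"=dword:00000001
; Hide all desktop icons
"NoDesktop"=dword:00000001
; Remove shell context menus (right-click on the desktop and in Explorer)
"NoViewContextMenu"=dword:00000001
; Remove the Settings folders and the Find command from the Start menu
"NoSetFolders"=dword:00000001
"NoFind"=dword:00000001
; Bitmask of drives hidden from My Computer: bit 0 = A:, bit 2 = C:
; (hides the drive only; a typed path still reaches it)
"NoDrives"=dword:00000004
; Disable Shut Down on the Start menu
"NoClose"=dword:00000001
; Only programs listed in the RestrictRun subkey may be launched
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
; Allow-list (assumed kiosk choices): the "limited Web browser and
; simple text editor" baseline the post describes
"1"="iexplore.exe"
"2"="notepad.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
; Block regedit.exe so the restrictions cannot be undone from within
; the session
"DisableRegistryTools"=dword:00000001
```

Import it silently with `regedit /s policy.reg` before the kiosk user logs on; the F8 startup menu the post mentions is handled separately, with `BootKeys=0` in the [Options] section of MSDOS.SYS.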
