Insecure boxes at computer lab?

[Compunuts]

If people are that worried about physical tampering, they should have the computer locked in a cabinet or closet.

Just because you can't stop people from cracking your computer doesn't mean any security precaution are worthless efforts.
Just because there is no way to completely secure intruder(s) from entering your home doesn't mean you should leave all of your doors wide open at any time.
It's all about making it harder and much longer to get access hoping that someone will notice within reasonable time.

There's still the possibility of someone beating the cabinet apart with a sledge hammer or taking an axe to the closet door, but get real.

What we mean by physical access is easy access to the computer boxes without the knowledge of others with lack of physical evidence. If someone beat the crap out of your computer cabinet, you will know that someone had at least tried to access it. If you do not take any precaution towards giving physical access to others, then you will have no way of knowing someone did or didn't have accessed it.
All we can do is make it harder to get physical access as well as remote access. There is no way to prevent all from happening though ..... Such is a way of life. But if nobody do nothing about it, then we must be fools ...

[kenshi]

Just because you can't stop people from cracking your computer doesn't mean any security precaution are worthless efforts.
Just because there is no way to completely secure intruder(s) from entering your home doesn't mean you should leave all of your doors wide open at any time.
It's all about making it harder and much longer to get access hoping that someone will notice within reasonable time.

For what I said, the reverse applies. If you're really worried about people hacking it through physical access, put it in a location where they can't easily get to it. Likewise if you can't put it in a place where people can't easily get to it, don't put important stuff on it. There's no reason that a set of computers should be restricted to a certain class. When I took unix class, at first we had to telnet to a remote Mandrake box. It was in a closet so people couldn't get to it. Then it was discovered that 3 people in the class, including me, used Linux at home, so we installed various distros on 3 computers in the classroom. And no one really cared if you touched them. Again, don't put stuff that you care about on computers in the open.

[Compunuts]

If you're really worried about people hacking it through physical access, put it in a location where they can't easily get to it. Likewise if you can't put it in a place where people can't easily get to it, don't put important stuff on it. There's no reason that a set of computers should be restricted to a certain class.

That is not always possible especially at business environment. You have cubicles that are wide open to public and there are workstations that needs to maintain information crucial to company business. What do yo suggest? Put all of them into locked rooms? Or tell them to completely shut computers down whenever they leave and take the computers with them? Lock them in storage areas? It's not possible.

So the next alternative is make computers out in the open not to have easy access by others such as screen locks, BIOS passwords, access restraint floppies and CD drives and so on ...... These are not 100% secure methods but designed to discourage from someone from trying .... That's all we can do ... and that's what we are saying to limit physical access to computers... as system admins or IT professionals, it's part of our job to offer/make it as secure and safe computing environent as possible but needs to avoid limiting ability of our users work at the same time ....

[kenshi]

That is not always possible especially at business environment. You have cubicles that are wide open to public and there are workstations that needs to maintain information crucial to company business. What do yo suggest?

For that, I think the old fashioned keyboard locks would do fine, except design the locks so that each key is different, like in a car. And if you're worried about people leaving the key in the computer, make it so the key will only come out when the computer is locked (there are padlocks like this) and it is tied to their body somehow. (You'd have to tie down the computer so they don't yank it off the table.) You could also make the lock function for the mouse. This would be a very cheap method (if manufacturers still built support into the motherboards) and, if coupled with setting the BIOS to only boot from the hard drive, would be almost impenetrable from my perspective.

[Compunuts]

For that, I think the old fashioned keyboard locks would do fine, except design the locks so that each key is different, like in a car. And if you're worried about people leaving the key in the computer, make it so the key will only come out when the computer is locked (there are padlocks like this) and it is tied to their body somehow. (You'd have to tie down the computer so they don't yank it off the table.)

I bet you've never worked for facilities deparment at large companies... It's a nightmare maintaining already existing backup keys ( such as a few cabinets, computer chain locks and stuff ). This will just add to that nightmare. Not only that, they have so much keys to maintain and keep track that they have to standadized on that and then it defeats the purpose of it.

I was just trying to say that what you said earlier was almost impossible to do so. Here is what you said.

If people are that worried about physical tampering, they should have the computer locked in a cabinet or closet.

Let's say an IT desktop support guy was called in to fix a problem. The host guy can't sit around a few hours just to wait an IT guy to show up. IT guys can't come right away or give out exact schedules since they are busy themselves maintining all those computers ... If you have locked the computers, then you must wait for the IT guys to show up. Companies can't waste that time. They have to make good use of it...

That's where software based security tools come into play. That needs to be transparent to users since they already have enough hard time remembering all of their passwords for network, email and a few file servers. ( ask any techsupport and they will tell you how many forgot their own passwords ).

That's what my argument about making it harder to get physical access but make it in a way that will not interfere with users....

Anyway ......

[ph34r]

If you are truly that paranoid about local security, then use dumb X terminals and keep the computers really locked up. While you are at it, set a strong screensaver type logout app that will automajikly log you out after 1 minute of inactivity (instead of firing up a useless screensaver).

[kenshi]

I bet you've never worked for facilities deparment at large companies... It's a nightmare maintaining already existing backup keys ( such as a few cabinets, computer chain locks and stuff ). This will just add to that nightmare. Not only that, they have so much keys to maintain and keep track that they have to standadized on that and then it defeats the purpose of it.

Why would they need a backup? If the person who sits at the computer loses theirs, then they can replace the lock at the expense of the employer. If a higher up person needs to get on the computer for some reason, then they could have ssh or vnc set up to do so. That would be a port open, but if set up properly, it would still be more secure than an open physical interface.

Let's say an IT desktop support guy was called in to fix a problem. The host guy can't sit around a few hours just to wait an IT guy to show up. IT guys can't come right away or give out exact schedules since they are busy themselves maintining all those computers ... If you have locked the computers, then you must wait for the IT guys to show up. Companies can't waste that time. They have to make good use of it...

That's when he uses ssh or vnc as mentioned above, or has some kind of physical bypass of the lock. It could be an electronic lock. That could get expensive though, depending on how it's implemented. But nevertheless, there must be a way. I won't say that it's as easy as installing keyboard locks, but there has to be a cheap and somewhat effective way. I have several general ideas in my head right now. You might be able to find flaws in most of them, but I bet I could find something that would work for most companies.

[tolstoy]

If you are truly that paranoid about local security, then use dumb X terminals and keep the computers really locked up. *While you are at it, set a strong screensaver type logout app that will automajikly log you out after 1 minute of inactivity (instead of firing up a useless screensaver).

That's pretty much how we do it. Only about 30 people out of 450 in our org have actual computers. The rest are dumb terminals locked to undersides of their desks. No disks, no nothing. They never turn off, they never go down. They run for ever. No one even knows that they are there. If someone walked away with one, big deal. Everything else is locked away. Not only is security planning much, much easier, but adminning the system is a breeze. I realy don't understand why people still deploy traditional desktops to the masses, when most of the world's average workers do not need them.

[Compunuts]

I realy don't understand why people still deploy traditional desktops to the masses, when most of the world's average workers do not need them.

They want to have the most useful time of workers even the system ( servers or network ) is down .... It's been my experience that whenever the network down, there is some parking lot parties ( or gatherings ) with the reason of being network down.
With real desktops, most of it is gone. The education and governmental work environment is quiet different than the commerce companies' need. They want the most out of their workers time and just simply don't want to see them walking around. I've also seen some benefits of having the real desktops as well. With proper precautions and planning, it can be quiet useful to have the real desktops.

[kenshi]

They want to have the most useful time of workers even the system ( servers or network ) is down .... It's been my experience that whenever the network down, there is some parking lot parties ( or gatherings ) with the reason of being network down.

Ok, now I'm curious as to why Network, a company I once worked for, was switching their terminals for computers. Even with PC's, we had to use a telnet-like program to access the server in order to do anything. When the server went down, we still did nothing. So why the switch to PC's? I can't see any benefit they brought to the company except that we didn't have to type on burned screens anymore.