Strategies for Difficult Locations
Unfortunately, not every computer can be sequestered in a locked room. Some machines must even be made available for unattended public use. Though this is certainly risky, there are some steps that can be taken to improve security and reduce the odds that service interruptions or data loss will occur.
The Power Cycle
The simplest form of physical attack against a publicly accessible system is a power cyclethe unexpected loss of power to the system, resulting either in a reboot or unattended "off" time. Incidents of this kind usually aren't even malicious, but are caused instead by clumsy or unaware users or visitors to your place of business or by unaware children in your home.
This type of incident generally is caused by easy access to reset and power buttons, which lie on the front of most computer cases and can be triggered easily by a stray elbow, finger, purse, or other solid object. There are several possible solutions to the power cycle issue, each slightly more severe than the one before:
The most common method for small businesses to handle this problem seems to be to place a note over the switch in question that says "Do NOT hit this switch!"
In spite of the fact that it is the most popular solution, simple politeness is a bit silly in this context. A more proactive step that is also sometimes seen is the placing of strong tape over the switches in question alongside the note.
The ideal solution for these types of switches is to forcibly disconnect them. Then, they can be hit, whether by accident or purposefully, without causing any interruption or data loss whatsoever.
Simply put, the last option, force, is preferable when security is really a concern. Though it's not as easy as simply placing a note or tape over a switch, it's certainly more effective. In truth, it is not as hard to disable these switches as one might think. The following are a few methods:
Use BIOS features
Many BIOS configuration programs on newer energy-saving ATX motherboards have an option to control power features, including in some cases system power and reset. Often, both functions can be completely disabled in the BIOS setup without having to make physical system modifications at all.
Disconnect the reset switch
In most cases, disabling the reset switch is simply a matter of opening the case and unplugging one small cable lead from the system motherboard. Simply follow the lead from the switch itself to its other end and give the cable a gentle tug. In some cases, the arrangement is physically different, and no cable is present. In such cases, the switch must be removed altogether.
Disconnect the power switch (ATX)
If your system is a newer ATX system, the power switch on your system operates simply by making a momentary connection across two jumper posts. To disable the power switch and place your system into a permanent-on state, simply follow the lead from the switch to the motherboard and pull the cable off as you did with the reset switch. Then place a standard jumper shunt over the two posts to which the cable was connected; this will create a permanent-on setting.
Remove the power switch (AT)
On an older AT-style case, you must be more inventive because of the wide range of possible power switch configurations that have appeared over the years. In some cases, the solution is as simple as unbolting the switch from the front of the case and taping it elsewhere on the inside of the case, left in the on position. In more extreme cases or on older power supplies, it may be impossible to disable the power switch without modification to the power supply itself, which is best not attempted unless you're very familiar with electrical circuitry.
There is one other potential interruption to the power supply for a machine that is routinely used by the public, and that is the wall plug itself. Your computer must have power, after all, and that power comes through a cord that plugs into 120 volts on one end and the back of the machine on the other.
Here it is best to use your own discretion. If you are relatively sure that most of your power cycle vulnerability lies in unintentional accidents by otherwise trusted individuals, simply disabling the reset and power switches should prevent most service interruptions. Beware the janitor's power-waxer or the clumsy customer's shoe, however: Either could unplug your machine and create the very power cycle problem we're trying to prevent. To that end, you may choose to take additional steps:
Secure the power cable to the back of the machine
This can be done in a variety of ways, but one of the most effective is to use glue to attach the cable to its socket permanently. Take care not to get glue on the metal contacts, or your newly glued power cord may not work at all!
Plug the other end of the cable in somewhere else
Use a long cable and plug the 120-volt side of the cable into a socket in another room or somewhere out of view and easy reach so that the temptation to unplug the cable from the wall socket is minimized. Any home hardware store will also sell a wall-type cable clamp that can firmly affix a cable to a wall or floor; use something like this right next to the wall plate to ensure that the cable can't be pulled out by jerking it.
Protect the length of the cable
Don't run the cable across the floor. Run it to the outlet in conduit against the wall, under the carpet, in a rubber cable guide, or in some other apparatus that will prevent both accidental tripping and a jerk from the janitor.
Unfortunately, these measures protect against only incidental or unintended loss of power from cable interruption. All cables, however, are clippablethere is no way to prevent malicious interruption of power when someone has physical access to the machine. Therefore, the ideal policy is still to separate the machine physically and securely from any individuals whom you don't know or fully trust.
We covered this once in the previous hour when discussing BIOS issues, but the problem of bootable devices can be explored even further here. If you are unable to password-protect your BIOS or fix your boot order completely, your system is vulnerable to being hijacked by someone with his own boot disk. To prevent these types of attacks from occurring, concentrate on securing these devices specifically.
Lock floppy drives
Many computer accessory dealers sell a small device called a floppy drive lock. This device is a small piece of plastic shaped more or less like a floppy disk with a keyhole on one end. When inserted into a floppy drive and locked, the plastic unit prevents a floppy disk from being inserted until the device is unlocked and removed again.
Disable CD-ROM drive eject buttons
Some newer CD-ROM drives, especially those from big-name manufacturers, ship with a jumper- or switch-operated feature to allow the user to completely disable the frontal eject button while leaving software eject intact. Even in the absence of such an option, you may be able to disable the button manually with a little tinkering, though doing so will likely void your warranty. Once the button has been disconnected or disabled, a CD can be inserted only after the user has logged into Linux and issued the eject command.
Consider removing such drives altogether
If there's no reason to have removable storage on a publicly accessible system, by all means remove the device. Any computer system will operate perfectly well with no floppy drive or CD-ROM drive, though a few BIOS configuration changes may be necessary. Remove the drive and put a blank faceplate in its place; this is the ultimate form of floppy or CD-ROM drive security.
If finances allow it, you may even consider using diskless clients for public access machines and mounting needed file systems using NFS or some other network file system hosted in another, more secure room or environment. That way, even if the system is stolen or damaged physically, the data on your boot drive and file systems remains intact.
Locking Down "the Box"
Every measure we've discussed so far is moot if a thief or malicious individual simply picks up your "box" and walks away with it when you're not looking. It makes little sense to spend money on cable clamps, uninterruptible power supplies, floppy drive locks, and other security paraphernalia if your box itself is vulnerable to simple theft. There are several possible ways to solve this problem, which are listed here and which involve progressively more expensive equipment.
Lock the back room
This method of securing your box costs little or nothing. If you're keeping your machine in a secure room, simply ensure that the room has a lock and that it stays locked at all times. Even when you're on the premises, the circumstances can easily get out of control, and a five-minute absence can translate into a several-thousand-dollar loss from your secure but unlocked room.
Use an adhesive cable lock
Cable locks come in various shapes, sizes, and installation methods. The most common of these is a thin but strong steel cable with an incredibly powerful adhesive block on each end. One end is glued to the table, the other to the machine. Such cables are generally thick and strong enough to act as a serious deterrent to theft.
Use a thicker, invasive cable lock
Some site administrators have gone a bit further with the cable lock, drilling a hole in the computer case's sheet metal and another large hole in the edge of the table or desk. A bicycle combination lock with a thick steel cable or even a chain is then threaded through the holes and locked.
Use an alarm cable lock
Several computer accessory manufacturers sell alarm lock systems that are similar to cable locks described above but that are electrified and connected to an alarm system. If the cable is ever cut, an audible alarm sounds.
In addition to locking down the box, it is also a good idea to lock the box so that a malicious individual with a few minutes and a screwdriver can't simply open the case and make off with your hard drive and, thus, your data. Some cases include built-in locking mechanisms of high quality, while others do not. The easiest way to lock an unsecured box is to drill a set of strategically placed holes and then use a standard padlock to secure the major parts of the case.