14

Apparently a computer system protected by a a login password, e.g. Windows XP, can be easily hacked by someone with physical access to it using methods like this one:

http://www.raymond.cc/blog/archives/2006/09/02/how-to-hack-into-a-windows-xp-computer-without-changing-password/

Can anyone inform me how to mitigate against this type of attack?

Thanks!

Iszi
  • 27,027
  • 18
  • 99
  • 163
Django Reinhardt
  • 948
  • 2
  • 8
  • 20

3 Answers3

21

The real issue here is that the attacker only needs physical access to your hard drive in order to read or manipulate the files which contain your password hashes. There is already a thread on SuperUser which has some recommendations, which I will likely repeat here.

How to secure my Windows 7 PC?

As security compromises of a PC go, physical access is perhaps by far the worst kind. Once an attacker has their hands on your computer, most other security methods in place are easily circumvented. That said, here's what you can do to prevent or hinder these attacks from affecting your system.

  1. Use strong passwords. Make them 15 characters long at minimum, and use all four character types (lowercase letters, uppercase letters, numbers, non-alphanumerics). Also, avoid using any dictionary words in any part of the password. Lastly, do not write it down!
  2. Encrypt the hard drive. This will prevent any attacker from reading or manipulating the system files when booting into their own environment. This is the only measure that will generally survive an attack involving physical access to the system. Also, see item 1.
  3. Lock down the BIOS and Boot Order. Set the system to only boot to the system drive, and set an Administrator password on the BIOS so that this cannot be changed. Also, see item 1.
  4. Physically secure the system case. If possible, lock the system's chassis with a padlock and/or place it in a secured cabinet. A chassis lock will hinder efforts to clear the BIOS password by using jumpers on the motherboard, and efforts to remove the hard drive for loading into another system. A secured cabinet will do that, and also hinder any attempts at plugging in or loading alternative boot media. For ideal security, and if you're really paranoid, do both.
Iszi
  • 27,027
  • 18
  • 99
  • 163
  • I think XP has netbios default ON (does it?? cant remember at this stage...), which allows for network attacks on already logged in computers :P so you will probably need to secure the network as well +1 otherwise – Sigtran Mar 08 '11 at 14:57
  • @Sigtran - I didn't consider network attacks, since the OP specifically referred to local attacks using boot discs. Good point, though. – Iszi Mar 08 '11 at 15:18
  • @Iszi yeah, i was thinking more of a public-like environment, where an attacker can bring in his own laptop & hook it up to the network... – Sigtran Mar 08 '11 at 15:24
  • 1
    +1. You got it, the physical access is giving any unixoid system the very same weakness. So it's not even limited to the "oh so insecure" Windows ;) – 0xC0000022L Mar 08 '11 at 23:43
  • 2
    XP machines are by default more vulnerable to password brute forcing the subsequent Windows versions because the store the less secure LM hash of passwords. If you don't need this for legacy reasons turn of its generation - http://support.microsoft.com/kb/299656 - so you can at least get the full benefits of a stronger password. – Bell Mar 09 '11 at 03:56
  • 1
    @Bell - This is one of the reasons I suggested passwords with 15+ characters. Such passwords are too long to be stored in an LM hash - this is why they will generate a warning message stating that the password is incompatible with older versions of Windows. It is absolutely good practice to turn off features that are not needed, but a 15+ character password will help avoid the LM hash vulnerability even on systems which you do not administer yourself. – Iszi Mar 09 '11 at 04:09
  • 1
    I think the techniques described in this answer are not likely to add a great deal of security. They add a speed bump (to keep your kid brother/sister out), not strong security. – D.W. Mar 09 '11 at 05:38
  • 2
    @D.W. - When it comes to scenarios involving physical compromise of the system, "speed bumps" are really the best you can do. The only truly effective security measure you can put in place against this is whole disk encryption, which I did address in my answer. – Iszi Mar 09 '11 at 05:48
  • @Iszi, that's right. My suggestion is that the answer should include an explicit disclaimer: it should warn explicitly that the methods it describes only provide a speed bump, and do not provide strong protection. Without such a cautionary note, some readers might over-estimate the amount of security they are getting. – D.W. Mar 11 '11 at 06:13
  • @D.W. - See my note on #2 already, and more details in the linked thread, plus one other mention in the above answer. I think it's pretty well covered. – Iszi Mar 11 '11 at 13:45
7

The short answer is: there is no good way to provide strong security if your enemy has physical possession of your PC. You just have to accept that as a fact of life.

  • For example, if your enemy has physical control over your PC, then he can remove the hard drive from your PC and read and write it to his heart's content on his own PC.

  • As another example, the enemy can surreptitiously introduce a key logger that records all your passwords and other key strokes. Some key loggers are small, unobtrusive dongles that fit between your keyboard and your PC, so no amount of locking down the case of your PC is sufficient to protect against that threat.

None of the answers proposed on this web page can stop all of these attacks.

You asked about mitigations. There are no great mitigations, but here are some imperfect steps you can take (in addition to the other ones mentioned here):

  • Use an encrypted filesystem. Encrypt your entire filesystem. TrueCrypt has software that is free and good. PGP sells software that's good. This will reduce the window of opportunity for an enemy to access your hard drive. Some downsides include the fact that you have to memorize and use a long passphrase. It doesn't work for unattended servers (because someone has to be around to enter the passphrase when the server boots, and also once the password is entered, for as long as the server is unattended, an enemy may be able to gain access to the data).

  • Apply as much physical security as possible to the PC. For instance, lock the case, lock the room it is located in, buy a burglar alarm, install a surveillance video camera.

There are fancy things you can do, including buying hardware security modules (HSMs) to store your crypto keys and using tamper-resistant hardware, such as a smartcard or IBM 4758. However, these are exotic techniques not likely to be cost-effective in most settings.

D.W.
  • 98,860
  • 33
  • 271
  • 588
  • I appreciate what you're saying, but the example is Windows XP, so it's pretty clear it's not going to be an unattended server. Useful information though, thanks. – Django Reinhardt Mar 09 '11 at 13:13
  • Useful information, but the question was *specifically* targeting boot-disk-based attacks. – Iszi Mar 09 '11 at 19:32
  • @Iszi, the right way to think about security is to work out your threat model, and then figure out what security can provided against that threat model. Focusing on one attack, and ignoring the threat model, is silly. It's silly because there may be other similar attacks that are even more effective; if you stop one attack, the attacker may just switch strategies slightly to use a slightly different attack you didn't stop. Targeting only boot-disk-based attacks is poor security practice; you should start with a plausible threat model, and stop all attacks within that threat model. – D.W. Mar 14 '11 at 06:16
  • It is true that the entire threat model needs to be taken into consideration. But, at the end of the day, we have to address all vulnerabilities in the best way possible. Certain vulnerabilities have very specific measures that can be taken to mitigate *just those* vulnerabilities. Certainly there are other measures to be taken which encompass more than one, but that doesn't lessen the value of a good defense-in-depth strategy. – Iszi Mar 14 '11 at 15:45
2

One way to prevent booting from devices like CDs and USB sticks is to disable it in the BIOS and password protect it. It would then require access to the motherboard to reset the BIOS.

jer.salamon
  • 129
  • 3
  • 3
    That would slow folks down, but they could still change the password on the hard drive or just read it elsewhere if they could get in to the system, unless the hard drive is encrypted as Iszi describes. – nealmcb Mar 09 '11 at 04:34
  • Definitly, but it would prevent them if they were trying the method he asked about. – jer.salamon Mar 09 '11 at 05:11
  • 1
    I believe that disabling alternate boot devices is an incomplete solution unless you restrict physical access to the hardware too. Fortunately most boxes today support padlocking. – George Jun 09 '11 at 09:01