9

In two weeks time, I will have to test a couple of computers that a client would like to provide to its employees. The main concern is making sure that the employees won't be able to use those computers for anything that isn't actually allowed.

I won't have any information on these computers until I get there, but I can think of some measures that are probably likely to be implemented:

  • No CD/DVD drive
  • Disabled USB ports
  • No Internet access (not sure if the machines will or won't have a network card)

Now, the first thing that popped into my mind was trying to use a live CD and see if I will be able to bypass some of the measures, but since I never did a test like this one...

What other things could I test on those machines?

bstpierre
  • 4,888
  • 1
  • 21
  • 34
Gurzo
  • 1,117
  • 6
  • 18
  • 2
    See Law 3 of _10 Immutable Laws of Security_: http://technet.microsoft.com/library/cc722487.aspx _Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore_ – kinokijuf Dec 03 '11 at 16:43

4 Answers4

14

The main thing to understand is that your client is trying to solve an impossible problem. Trying to prevent someone with physical access to the machine from accessing it is like trying to make water not wet. It ain't gonna work.

If you want to do the best that you can, you can take the steps you mention, and I also suggest you research "kiosk mode". But fundamentally, it will still be relatively easy for employees to use the computers for activities your client doesn't like. It will be as easy as inserting a Linux LiveCD, or a gazillion other methods. You're never going to close them all (not and leave the employees with a useful computer), and realistically speaking, you're not even going to be able to make it terribly difficult to defeat the security measures.

So I would argue that there are two important takeaways: (1) keep your expectations low; there is only so much that technical methods can provide, so don't waste too much time or energy trying to invent a foolproof defense, (2) this is primarily a matter for policy and social methods, rather than technical methods -- for instance, your client might want to adopt and promulgate a clear company policy regarding acceptable use of company computers, and be explicit about the penalty for violations.

D.W.
  • 98,860
  • 33
  • 271
  • 588
  • +1 This was a great answer and gave good insight on the matter. Still, I was looking for something more along the lines of Iszi's answer. – Gurzo Dec 06 '11 at 11:51
8

To add to D.W.'s answer: after you make the machine as secure as practical, use measures to detect tampering. For example:

  • Anti-tamper stickers / seals on the case. They don't prevent anyone from getting into the case, but they make it obvious that the case has been opened.
  • If they are network-enabled, use network monitoring/logging. Notify the employees that network activity is monitored/logged.

Whatever measures you use, make sure you check them! Otherwise they're useless.

bstpierre
  • 4,888
  • 1
  • 21
  • 34
7

Depending on what sort of threats your client is worried about, there are different things you will want to test.

If they're worried about end-users obtaining or abusing unauthorized elevated privileges on the machine, you should look for ways to obtain or modify the Administrator password on the system. The easiest ways to do this generally involve booting the system from alternative media.

  • First, try simply inserting a bootable CD or USB drive and see if it loads.
  • If that doesn't work, try accessing the system's boot menu (if it has one) to force selection of the boot media.
  • If that doesn't work, try accessing the BIOS to change the default boot order yourself. Also, use this opportunity to verify that the CD drive(s) and/or USB port(s) are actually enabled - and enable them, if not.
  • If the BIOS configuration or boot order is password-protected, there's probably a way to reset this via a jumper on the motherboard. Look that up and try it.
  • Once you've loaded the system with your own boot disc/drive, see if you can read the HDD. If you can, you should be able to discover or change the passwords on any local account (including the built-in Administrator) with the right tools. After that, the system is effectively pwned.

Alternative methods of privilege escalation involve client-side exploits. You may want to try this if you can't boot to alternate media, or cannot read the HDD after an alternate media boot, or if you'd like to cover this territory in addition to those tests. To check for these, you will at minimum want access to a Limited User account on the system. Then, use tools like Metasploit and/or Nessus (and, failing those, Google) to discover and test vulnerabilities you might be able to leverage to upgrade your Limited User's access. Here, you'll also want to check how the system handles AutoPlay/AutoRun functions for removable media.

If the client is more worried about data theft, I'd test the system for susceptibility to network-based exploits just as if you didn't have physical access. Once done with that, you could also just pull the HDD and see what you can read off it from another system.

Regarding defense against physical attack vectors, here's a few other threads you may want to read:

How can I prevent my kids from bypassing my computer restrictions?

How can I prevent someone from accessing a Windows XP system via boot disk?

https://superuser.com/questions/222080/how-to-secure-my-windows-7-pc

Iszi
  • 27,027
  • 18
  • 99
  • 163
1

Or for far better security that full fledged PC's can ever offer, suggest the use of jack PC's or Chip PC's and terminal services, Citrix or other remote desktop tool.

Paul Ackerman
  • 466
  • 2
  • 5
  • Hi Paul, welcome to IT Security! You make a good point about use of remote desktop tools (+1). (May I ask (and I hope you won't find this rude): Do you have any affiliation with a company that sells this stuff? I mention that only because [this site asks people to disclose their affiliation if promoting your products/websites](http://security.stackexchange.com/faq#promotion).) – D.W. Dec 03 '11 at 06:00
  • @Paul: I will be doing this test with a senior consultant, I've started working in IT security just a month ago. Even if my co-worker will know what to do, I still wanted to get there with some thoughts on the matter. – Gurzo Dec 03 '11 at 11:11
  • @D.W. No affiliation whatsoever. I was just throwing out ideas. I work for the gov. – Paul Ackerman Dec 05 '11 at 15:44