Physical Security

Strategies for Difficult Locations

Unfortunately, not every computer can be sequestered in a locked room. Some machines must even be made available for unattended public use. Though this is certainly risky, there are some steps that can be taken to improve security and reduce the odds that service interruptions or data loss will occur.

The Power Cycle

The simplest form of physical attack against a publicly accessible system is a power cycle—the unexpected loss of power to the system, resulting either in a reboot or unattended "off" time. Incidents of this kind usually aren't even malicious, but are caused instead by clumsy or unaware users or visitors to your place of business or by unaware children in your home.

This type of incident generally is caused by easy access to reset and power buttons, which lie on the front of most computer cases and can be triggered easily by a stray elbow, finger, purse, or other solid object. There are several possible solutions to the power cycle issue, each slightly more severe than the one before:

  • Politeness

    The most common method for small businesses to handle this problem seems to be to place a note over the switch in question that says "Do NOT hit this switch!"

  • Prevention

    In spite of the fact that it is the most popular solution, simple politeness is a bit silly in this context. A more proactive step that is also sometimes seen is the placing of strong tape over the switches in question alongside the note.

  • Force

    The ideal solution for these types of switches is to forcibly disconnect them. Then, they can be hit, whether by accident or purposefully, without causing any interruption or data loss whatsoever.

Simply put, the last option, force, is preferable when security is really a concern. Though it's not as easy as simply placing a note or tape over a switch, it's certainly more effective. In truth, it is not as hard to disable these switches as one might think. The following are a few methods:

  • Use BIOS features

    Many BIOS configuration programs on newer energy-saving ATX motherboards have an option to control power features, including in some cases system power and reset. Often, both functions can be completely disabled in the BIOS setup without having to make physical system modifications at all.

  • Disconnect the reset switch

    In most cases, disabling the reset switch is simply a matter of opening the case and unplugging one small cable lead from the system motherboard. Simply follow the lead from the switch itself to its other end and give the cable a gentle tug. In some cases, the arrangement is physically different, and no cable is present. In such cases, the switch must be removed altogether.

  • Disconnect the power switch (ATX)

    If your system is a newer ATX system, the power switch on your system operates simply by making a momentary connection across two jumper posts. To disable the power switch and place your system into a permanent-on state, simply follow the lead from the switch to the motherboard and pull the cable off as you did with the reset switch. Then place a standard jumper shunt over the two posts to which the cable was connected; this will create a permanent-on setting.

  • Remove the power switch (AT)

    On an older AT-style case, you must be more inventive because of the wide range of possible power switch configurations that have appeared over the years. In some cases, the solution is as simple as unbolting the switch from the front of the case and taping it elsewhere on the inside of the case, left in the on position. In more extreme cases or on older power supplies, it may be impossible to disable the power switch without modification to the power supply itself, which is best not attempted unless you're very familiar with electrical circuitry.

There is one other potential interruption to the power supply for a machine that is routinely used by the public, and that is the wall plug itself. Your computer must have power, after all, and that power comes through a cord that plugs into 120 volts on one end and the back of the machine on the other.

Here it is best to use your own discretion. If you are relatively sure that most of your power cycle vulnerability lies in unintentional accidents by otherwise trusted individuals, simply disabling the reset and power switches should prevent most service interruptions. Beware the janitor's power-waxer or the clumsy customer's shoe, however: Either could unplug your machine and create the very power cycle problem we're trying to prevent. To that end, you may choose to take additional steps:

  • Secure the power cable to the back of the machine

    This can be done in a variety of ways, but one of the most effective is to use glue to attach the cable to its socket permanently. Take care not to get glue on the metal contacts, or your newly glued power cord may not work at all!

  • Plug the other end of the cable in somewhere else

    Use a long cable and plug the 120-volt side of the cable into a socket in another room or somewhere out of view and easy reach so that the temptation to unplug the cable from the wall socket is minimized. Any home hardware store will also sell a wall-type cable clamp that can firmly affix a cable to a wall or floor; use something like this right next to the wall plate to ensure that the cable can't be pulled out by jerking it.

  • Protect the length of the cable

    Don't run the cable across the floor. Run it to the outlet in conduit against the wall, under the carpet, in a rubber cable guide, or in some other apparatus that will prevent both accidental tripping and a jerk from the janitor.

Unfortunately, these measures protect against only incidental or unintended loss of power from cable interruption. All cables, however, are clippable—there is no way to prevent malicious interruption of power when someone has physical access to the machine. Therefore, the ideal policy is still to separate the machine physically and securely from any individuals whom you don't know or fully trust.
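Because these measures cannot rule out a power cycle, it is worth being able to tell when one has happened. The following is an added example, not part of the original chapter: it reads `last -x` output and reports each boot that has no clean shutdown record before it. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag boots that were not preceded by a clean shutdown.
# Input is `last -x` output, which lists the newest record first.

# Constructed sample in the layout printed by `last -x`; not real log data.
sample_last_output() {
cat <<'EOF'
reboot   system boot  5.15.0-kiosk     Thu Mar  7 08:01   still running
shutdown system down  5.15.0-kiosk     Wed Mar  6 18:30 - 08:01  (13:31)
guest    tty1                          Wed Mar  6 13:05 - 18:29  (05:24)
reboot   system boot  5.15.0-kiosk     Wed Mar  6 13:02 - 18:30  (05:28)
guest    tty1                          Wed Mar  6 09:15 - crash  (03:47)
reboot   system boot  5.15.0-kiosk     Wed Mar  6 09:00 - 13:02  (04:02)
shutdown system down  5.15.0-kiosk     Tue Mar  5 18:00 - 09:00  (15:00)
reboot   system boot  5.15.0-kiosk     Tue Mar  5 08:00 - 18:00  (10:00)

wtmp begins Tue Mar  5 08:00:12 2024
EOF
}

# Print the date and time of every boot that followed an unclean stop.
unclean_boots() {
    awk '
        # A shutdown record means the next newer boot was a clean restart.
        $1 == "shutdown" && $2 == "system" { newer = ""; next }

        $1 == "reboot" && $2 == "system" {
            # Two boot records with no shutdown record between them:
            # the newer boot followed a power loss, reset or crash.
            if (newer != "") print newer
            newer = $5 " " $6 " " $7 " " $8
        }
    '
}

# Offline demo on the sample. On a live host run:  last -x | unclean_boots
sample_last_output | unclean_boots
```

The oldest boot in the log is never flagged, because the record that would have preceded it may already have been rotated out of wtmp.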

Boot Devices

We covered this once in the previous hour when discussing BIOS issues, but the problem of bootable devices can be explored even further here. If you are unable to password-protect your BIOS or fix your boot order completely, your system is vulnerable to being hijacked by someone with his own boot disk. To prevent these types of attacks from occurring, concentrate on securing these devices specifically.

  • Lock floppy drives

    Many computer accessory dealers sell a small device called a floppy drive lock. This device is a small piece of plastic shaped more or less like a floppy disk with a keyhole on one end. When inserted into a floppy drive and locked, the plastic unit prevents a floppy disk from being inserted until the device is unlocked and removed again.

  • Disable CD-ROM drive eject buttons

    Some newer CD-ROM drives, especially those from big-name manufacturers, ship with a jumper- or switch-operated feature to allow the user to completely disable the frontal eject button while leaving software eject intact. Even in the absence of such an option, you may be able to disable the button manually with a little tinkering, though doing so will likely void your warranty. Once the button has been disconnected or disabled, a CD can be inserted only after the user has logged into Linux and issued the eject command.

  • Consider removing such drives altogether

    If there's no reason to have removable storage on a publicly accessible system, by all means remove the device. Any computer system will operate perfectly well with no floppy drive or CD-ROM drive, though a few BIOS configuration changes may be necessary. Remove the drive and put a blank faceplate in its place; this is the ultimate form of floppy or CD-ROM drive security.

If finances allow it, you may even consider using diskless clients for public access machines and mounting needed file systems using NFS or some other network file system hosted in another, more secure room or environment. That way, even if the system is stolen or damaged physically, the data on your boot drive and file systems remains intact.

Locking Down "the Box"

Every measure we've discussed so far is moot if a thief or malicious individual simply picks up your "box" and walks away with it when you're not looking. It makes little sense to spend money on cable clamps, uninterruptible power supplies, floppy drive locks, and other security paraphernalia if your box itself is vulnerable to simple theft. There are several possible ways to solve this problem, which are listed here and which involve progressively more expensive equipment.

  • Lock the back room

    This method of securing your box costs little or nothing. If you're keeping your machine in a secure room, simply ensure that the room has a lock and that it stays locked at all times. Even when you're on the premises, the circumstances can easily get out of control, and a five-minute absence can translate into a several-thousand-dollar loss from your secure but unlocked room.

  • Use an adhesive cable lock

    Cable locks come in various shapes, sizes, and installation methods. The most common of these is a thin but strong steel cable with an incredibly powerful adhesive block on each end. One end is glued to the table, the other to the machine. Such cables are generally thick and strong enough to act as a serious deterrent to theft.

  • Use a thicker, invasive cable lock

    Some site administrators have gone a bit further with the cable lock, drilling a hole in the computer case's sheet metal and another large hole in the edge of the table or desk. A bicycle combination lock with a thick steel cable or even a chain is then threaded through the holes and locked.

  • Use an alarm cable lock

    Several computer accessory manufacturers sell alarm lock systems that are similar to cable locks described above but that are electrified and connected to an alarm system. If the cable is ever cut, an audible alarm sounds.

NOTE

In addition to locking down the box, it is also a good idea to lock the box so that a malicious individual with a few minutes and a screwdriver can't simply open the case and make off with your hard drive and, thus, your data. Some cases include built-in locking mechanisms of high quality, while others do not. The easiest way to lock an unsecured box is to drill a set of strategically placed holes and then use a standard padlock to secure the major parts of the case.
