Getting Physical With Workstation Security

So often we as security professionals talk about the security of the machines we're responsible for, and the only time physical security comes up is during the discussion of laptops and server rooms. We're concerned about laptop theft and loss that could lead to the dreaded customer notification process. Or maybe we brag about the awesome security of our datacenter. What about user workstations? Is there an subconscious assumption they're safe since they're behind locked doors?I'll admit that workstation physical security is something I think about only when I'm working on a pentest that includes on-site work where I might be looking at the physical security of a building, ability to social engineer my way into the offices, or simply get a receptionist to plug in a USB flash drive. Maybe it's the difference between having a purely defensive security role as opposed to mixing it up with offensive duties.

For example, security pros who deal with offensive security often have a great familiarity with bootable Linux LiveCDs, like Backtrack, that are designed for pentesting. If they can get access to an internal system, then they can reboot the box, boot from the Backtrack CD and it's game over. How many sysadmins, helpdesk technicians, or desktop support folks do you know that have all of their users' workstations locked down to prevent booting from anything but the local hard drive?

I won't even take a guess at that last question because I know it will be skewed based on my experience in an academic environment -- a place where only the most paranoid lock there machines down to the BIOS level, and even then, that doesn't extend out to their users. I'm curious how many of you out there have detailed build procedures for you workstation that includes adding an administrator password to the BIOS to prevent modification and restrict boot devices to the hard drive only.

Leave a comment here or e-mail me directly with your experiences in locking workstations down physically and if you've had users try to thwart those measures with tools like the Offline NT Password & Registry Editor to gain access to the local Administrator account. As there is more and more talk about insider threats due to the economy, issues like these may come to light in more and more IT shops.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.