Workstation Security; Evaluating Workstation Security; Bios And Boot Loader Security - Red Hat ENTERPRISE LINUX 3 - SECURITY GUIDE Manual

Hide thumbs Also See for ENTERPRISE LINUX 3 - SECURITY GUIDE:

Manual (410 pages)

System administration manual (348 pages)

Reference manual (324 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

page of 136

/ 136
Contents
Table of Contents
Bookmarks

Table of Contents

Securing a Linux environment begins with the workstation. Whether locking down a personal machine

or securing an enterprise system, sound security policy begins with the individual computer. After all,

a computer network is only as secure as the weakest node.

4.1. Evaluating Workstation Security

When evaluating the security of a Red Hat Enterprise Linux workstation, consider the following:

BIOS and Boot Loader Security — Can an unauthorized user physically access the machine and

•

boot into single user or rescue mode without a password?

Password Security — How secure are the user account passwords on the machine?

•

Administrative Controls — Who has an account on the system and how much administrative control

•

do they have?

Available Network Services — What services are listening for requests from the network and should

•

they be running at all?

Personal Firewalls — What type of ﬁrewall, if any, is necessary?

•

Security Enhanced Communication Tools — Which tools should be used to communicate between

•

workstations and which should be avoided?

4.2. BIOS and Boot Loader Security

Password protection for the BIOS (or BIOS equivalent) and the boot loader can prevent unautho-

rized users who have physical access to systems from booting using removable media or attaining

root through single user mode. But the security measures one should take to protect against such at-

tacks depends both on the sensitivity of the information the workstation holds and the location of the

machine.

For instance, if a machine is used in a trade show and contains no sensitive information, than it may

not be critical to prevent such attacks. However, if an employee's laptop with private, unencrypted

SSH keys for the corporate network is left unattended at that same trade show, it could lead to a major

security breech with ramiﬁcations for the entire company.

On the other hand, if the workstation is located in a place where only authorized or trusted people

have access, then securing the BIOS or the boot loader may not be necessary at all.

4.2.1. BIOS Passwords

The following are the two primary reasons for password protecting the BIOS of a computer

1. Preventing Changes to BIOS Settings — If an intruder has access to the BIOS, they can set it

to boot off of a diskette or CD-ROM. This makes it possible for them to enter rescue mode or

single user mode, which in turn allows them to seed nefarious programs on the system or copy

sensitive data.

1. Since system BIOSes differ between manufacturers, some may not support password protection of either

type, while others may support one type but not the other.