Securing Your Network 43.1. Workstation Security; Evaluating Workstation Security; Bios And Boot Loader Security - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual

Chapter 43.
Securing Your Network
43.1. Workstation Security
Securing a Linux environment begins with the workstation. Whether locking down a personal machine
or securing an enterprise system, sound security policy begins with the individual computer. A
computer network is only as secure as its weakest node.

43.1.1. Evaluating Workstation Security

When evaluating the security of a Red Hat Enterprise Linux workstation, consider the following:
• BIOS and Boot Loader Security — Can an unauthorized user physically access the machine and
boot into single user or rescue mode without a password?
• Password Security — How secure are the user account passwords on the machine?
• Administrative Controls — Who has an account on the system and how much administrative control
do they have?
• Available Network Services — What services are listening for requests from the network and should
they be running at all?
• Personal Firewalls — What type of firewall, if any, is necessary?
• Security Enhanced Communication Tools — Which tools should be used to communicate between
workstations and which should be avoided?

43.1.2. BIOS and Boot Loader Security

Password protection for the BIOS (or BIOS equivalent) and the boot loader can prevent unauthorized
users who have physical access to systems from booting using removable media or obtaining root
privileges through single user mode. The security measures you should take to protect against such
attacks depend both on the sensitivity of the information on the workstation and the location of the
machine.
For example, if a machine is used in a trade show and contains no sensitive information, then it may
not be critical to prevent such attacks. However, if an employee's laptop with private, unencrypted
SSH keys for the corporate network is left unattended at that same trade show, it could lead to a major
security breach with ramifications for the entire company.
If the workstation is located in a place where only authorized or trusted people have access, however,
then securing the BIOS or the boot loader may not be necessary.
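
An added example, not part of the Red Hat manual: a shell check for the first question in the evaluation list above, whether the machine can be booted into single user mode, or have its boot entries edited, without a password. It assumes the GRUB legacy and SysV init file formats of Red Hat Enterprise Linux 5 (`/boot/grub/grub.conf` and `/etc/inittab`), which this page does not name, and runs here against constructed sample files.

```shell
#!/bin/sh
# Added example. Assumed paths (not on the page): GRUB legacy and SysV init
# as shipped with RHEL 5: /boot/grub/grub.conf and /etc/inittab.

# Print "hashed", "plaintext" or "missing" for the global GRUB password.
# Only a password line before the first "title" counts as global; one inside
# a title stanza guards that entry alone.
grub_global_password() {
    awk '
        /^[ \t]*#/          { next }
        /^[ \t]*title[ \t]/ { exit }
        /^[ \t]*password[ \t=]/ { r = ($0 ~ /--md5/) ? "hashed" : "plaintext" }
        END { print (r == "" ? "missing" : r) }
    ' "$1"
}

# Print "yes" if an uncommented inittab entry runs sulogin for runlevel S,
# so single user mode asks for the root password; otherwise "no".
single_user_needs_password() {
    if grep -Eq '^[^#:]*:S:wait:.*/sulogin' "$1"; then echo yes; else echo no; fi
}

# Print "yes" if FILE is world-readable (the password hash would be exposed).
world_readable() {
    if [ -n "$(find "$1" -prune -perm -004)" ]; then echo yes; else echo no; fi
}

# Report on one grub.conf / inittab pair; returns non-zero on any finding.
audit_boot_path() {
    rc=0
    [ "$(grub_global_password "$1")" = hashed ] ||
        { echo "FAIL $1: no hashed global boot loader password"; rc=1; }
    [ "$(world_readable "$1")" = no ] ||
        { echo "FAIL $1: readable by all users"; rc=1; }
    [ "$(single_user_needs_password "$2")" = yes ] ||
        { echo "FAIL $2: single user mode gives a root shell without a password"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK   $1 and $2"
    return "$rc"
}

# Constructed sample files (not from a real host) to exercise the checks.
demo=$(mktemp -d)
printf 'default=0\ntimeout=5\ntitle Linux\n\tpassword --md5 CONSTRUCTED-HASH\n' > "$demo/grub.conf"
printf 'id:5:initdefault:\n#~~:S:wait:/sbin/sulogin\n' > "$demo/inittab"
chmod 644 "$demo/grub.conf"
audit_boot_path "$demo/grub.conf" "$demo/inittab" || true
```

On a real host, call `audit_boot_path /boot/grub/grub.conf /etc/inittab` as root, since a correctly protected `grub.conf` is not readable by other users.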
43.1.2.1. BIOS Passwords
The two primary reasons for password protecting the BIOS of a computer are [1]:
1. Preventing Changes to BIOS Settings — If an intruder has access to the BIOS, they can set it to
boot from a diskette or CD-ROM. This makes it possible for them to enter rescue mode or single

[1] Since system BIOSes differ between manufacturers, some may not support password protection of either type, while others may
support one type but not the other.