-
July 21st, 2009, 08:06 PM
#1
Boot Device List
Hey Folks,
I have been trying to figure out a way to prevent people from booting off of CDs, USB devices, etc. [For reasons which should be pretty obvious.] The machine I am currently working with is a Dell Optiplex. I have gone into the BIOS, disabled all items in the boot sequence except for the SATA HDD, and set the administrator password [to prevent changes in Setup]. Even with this set, you can still tap F12, which brings up a list of devices, and choose which one to boot from. I inserted a Linux live CD, and was able to boot from it with no problems.
Does anyone know of a way to prevent users from accessing the boot device listing? I have been searching around, but have not found anything yet. I will edit this post if I find the answer before anyone responds.
Thanks in advance.
Edit:
The closest thing I have found so far is to turn off the message that says 'Press F12 for boot device list'. Though if you already know which key to press, or mash enough keys, you can still get to it...
Last edited by westin; July 21st, 2009 at 08:15 PM.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
July 22nd, 2009, 09:43 AM
#2
-
July 22nd, 2009, 10:17 AM
#3
Originally Posted by nihil
I have just booted up one of my home-built boxes, and this option is not there and F12 does nothing.
Try F10 or F11. A lot of BIOS manufacturers have this option.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
July 22nd, 2009, 11:10 AM
#4
Try F10 or F11. A lot of BIOS manufacturers have this option.
No, no response with those either. It is a home built box with a Gigabyte MoBo and a P4 2.26GHz single core, booting XP Pro, which I guess makes it about 6 or 7 years old. The BIOS is Award 6.0 PG, dated 17 May 2002. My wife's is a Dell, which is a couple of years older and has the F12 functionality.
I seem to recall that if this function is there, you also have an option in the BIOS to "Disable boot menu on startup" or something along those lines?
As westin specifically mentioned Dell, it made me think of the ESXi recovery mechanism that uses onboard SD Flash or USB memory.
-
July 22nd, 2009, 12:38 PM
#5
Originally Posted by nihil
I seem to recall that if this function is there, you also have an option in the BIOS to "Disable boot menu on startup" or something along those lines?
Yeah, something like that. I've also seen "Alternative boot options".
Oliver's Law:
Experience is something you don't get until just after you need it.
-
July 22nd, 2009, 03:16 PM
#6
Thanks for the response nihil. I will give that a shot. I just don't want the kiddos in the school here booting BackTrack, Knoppix STD, OWASP, etc...
I have noticed the boot menu on IBM/Lenovo machines as well. I am sure that several other manufacturers have something similar.
Thanks again for the help, I will let you know what happens.
Update:
I didn't see either SD Card or Internal USB. It did have 'USB Controller'. I switched that setting to 'No Boot'. This option appears to disable booting from USB devices, but will still allow booting from CD. Getting closer.
Last edited by westin; July 22nd, 2009 at 03:39 PM.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
July 22nd, 2009, 04:10 PM
#7
Disable an IDE port or remove power\cable from cd-device.
-
July 22nd, 2009, 04:22 PM
#8
Originally Posted by Linen0ise
Disable an IDE port or remove power\cable from cd-device.
That would be ideal, but unfortunately some of the classes have instructional CDs/DVDs that they watch.
I appreciate the suggestion though...
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
July 22nd, 2009, 05:21 PM
#9
Originally Posted by westin
That would be ideal, but unfortunately some of the classes have instructional CDs/DVDs that they watch.
I appreciate the suggestion though...
lol.... Disable the devices and put those CDs on a local server with a desktop shortcut. Otherwise you have a no-win situation. They still have access to the primary partition including everyone's documents and settings. A hacker just needs to take a snapshot of the original partition before creating their personal partition; restoring the magic numbers will pwn you every time.
Last edited by Linen0ise; July 22nd, 2009 at 05:39 PM.
-
July 22nd, 2009, 07:33 PM
#10
Originally Posted by Linen0ise
lol.... Disable the devices and put those CDs on a local server with a desktop shortcut. Otherwise you have a no-win situation. They still have access to the primary partition including everyone's documents and settings. A hacker just needs to take a snapshot of the original partition before creating their personal partition; restoring the magic numbers will pwn you every time.
Thanks again for the suggestions.
I may give that a try. It will be painful, as some of the classes [credit recovery for example] have 30-45 CDs that they use throughout the year. And the business classes like to burn their projects to CD... but we can probably work around that... though if anyone has any suggestions that would be easier to implement, I am all ears.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST