-
Deleting DeepFreeze
I am sure many of you have heard of the security product called "DeepFreeze" which is available from faronics.com.
I am an admin and I have set this program up on my computers on my LAN, and I want to know: can this program be deleted by booting from a floppy with a program like fdisk, or by using Knoppix?
The reason I ask is because it says on the company's web site that this program protects the MBR and partition table.
-
Hmmmm... It would seem that Faronics Inc haven't seen me run amok with an S&W Highway Patrolman .357? :D ... just try protecting the MBR and partition table against one of those :eek:
It will protect your system such that it will boot to your standard configuration at the next reboot.
If I can boot from almost any "live CD" that can read and write to a Windows file system then I can destroy it. "Fdisk" is a bit trivial, as that would wipe everything?
Having said that, to destroy it, I would have to understand it... and hopefully(?) know that what I was about to do was a serious felony offence.
Unless it has changed dramatically, what it is, is a sort of automatic restore point system... it takes the machine back to its original configuration, assuming that it hasn't been tampered with. ;)
-
Certainly it would seem wise to check the vendor's site...
http://faronics.com/faq/#1
-
Hi Net2Infinity,
That is how you do a legitimate uninstall from within Windows. I think our friend was asking about unauthorised disabling/uninstalling, as he did mention Knoppix, Fdisk and floppies?
-
Well that could be true, but he did say he was the admin ... so I took him at his word. :)
-
Hmmmm,
The way I read the original post is that he is the Admin and is using this product on his network.
He seems to want to know if you can circumvent or delete it by unauthorised methods. I guess a bit like the school or library scenario?
My argument is that it is pretty secure at locking down the system within Windows, but if you boot from media with a "live CD", for example, it cannot defend itself.
You would need to use other security options to prevent this attack vector.
However, you would need to have a reasonable knowledge of how it worked to successfully attack it?
I guess it is all down to risk analysis?
-
I gotcha... after I reread the initial post I see what you mean. Well, he should select the HDD as the first boot device in the BIOS and then set a password in the BIOS. Then there wouldn't be a direct vector of attack using a live CD.
-
I ran across this site a while back and thought it would be some insight for some knowledge. I don't know how relevant the information still is but it is a start to see if some of it applies to your situation.
-E
-
To the DeepFreeze question:
The BIOS password can easily be changed, or just plain removed.
I'm not sure about just attacking DF from a live boot disk like Knoppix, but I know for a fact you can somehow bypass DF's settings and change things; I saw it done at school by someone else. If they could change something, then they probably could have run things like the uninstall file, or just deleted the start-up, or gone after one of the program's .dlls. The program itself can be tampered with, though I'm not sure exactly how.
-
The basic "rule" is that if you allow unsupervised physical access to a machine it can be owned.
The first step in this kind of situation is to perform a threat/risk analysis.
Thus far we have thought about live CDs and bootable floppies but there are others:
1. Live CD/DVD
2. Bootable floppy
3. External device attached to LPT1 etc.
4. USB drive
5. Other computing device via null modem cable
6. E-mail attachments
7. Internet downloads
You also need to consider that you need to protect the network as well as the authorised devices attached to it. Like, what is the point if someone can just plug their private laptop into it?
You need to control the boot sequence and protect the BIOS. OK, the BIOS can be attacked in a variety of ways, notably:
1. Remove CMOS battery
2. Operate jumper switch on the motherboard
3. Short EEPROM chips with a paper clip
4. Flash the BIOS
As a starter, you would have to be sure that the cases are physically secure (locked).
Don't forget that you can use Windows policies and permissions to control what users are allowed to do. Frequently your security model needs to be both layered and integrated. Physical controls, OS authorities controls, third party software controls.
I usually start with the questions:
1. What do I want users to be able to do?
2. What don't I want them to be able to do?
3. What are the risks?
4. What is the potential damage?
At the end of the day your options range from a dumb terminal to full network administrator rights... it is up to you to determine what is appropriate.
In all honesty I am not aware of any security product that is a substitute for a well thought out security model supported by appropriate processes and procedures. ;)