Hiding in plain site.

[PcTek9]

How do you leave a server with the floppy and cd rom drive but without people able to use these to boot into the system?

A simple way is to just hide it in plain site.

All floppy drive units, cd rom drives, and multicard readers have long screw slots on the sides.

This lets you slide them back into the pc case. Sort of "recess" the unit an inch.

Then just stick on a blank face plate and snap it into the hole.

Problem solved.

Now everyone will think that machine has no floppy or cdrom drives... b/c you slid them back inside the machine a little and covered the opening with a plain plastic face plate.

When you need to remove them, just take a plastic spade slip in at the side and bend to the left, it will open easy as pie, then you can do your updates, and when you leave, stick the blank faceplate back over the drive.

hiding in plain site.

 

[RogueTech]

While that's a good tip for a quick fix, I wouldn't suggest it to any major corporate customers. Most company policies would find that method to be a breach of policy. The most typical way of locking peripherals or ports down is with 'Device Control'. Several security companies offer this software based solution to lock ports and drives down. You can even go above and beyond by locking a USB port down from all sticks except ones from let's say Cruzer..or whatever brand. I'd consider that as an alternative to your method for the bigger business.

 

[PcTek9]

Yeah, I know about those methods, but don't like them.

My method is simple and easy. Also nobody knows it there by just looking at the machine everyone assumes there are no cd drives or floppy drives.

I simply like my way better. I really don't like the idea of having tons of extra software for every little thing on the pc.

They also make physical locking doors for pc's, and drive lock gadgets, etc.

As far as using additional software to lock devices, it's easier just to go into the registry and make a few changes, et voila!

The cd drive and floppy drive no longer even show up in windows. Also you can turn devices off in the bios, and pw protect that.

The eventuality of all this is that it looks like it's not there, and it's not seen in the os or in the case.

 

[RogueTech]

Pshh your methods are way too advanced for a bunch of HD guys in a University or sometimes even a corporate environment..I deal with those types of guys every day, I would know.

I only suggested the alternative as rolling out your method to multiple machines seems more time consuming and harder to manage from a central point. Thus the CTO's of the business world would hate it. While I'm sure the CFO's would love it!

 

[Vicenarian]

I think that's a fantastic idea! Would easily deter most data thieves/etc.

 

[vdub12]

I wrote a how-to quite a few years ago covering that same thing but A little different. I stuck the blank cover on the front of the CD to make it more stealth. If you push on the corner of the blank drive slot the CD would just open.

Here the link.
http://www.cybercpu.net/howto/mods/sbay.asp

While that's a good tip for a quick fix, I wouldn't suggest it to any major corporate customers. Most company policies would find that method to be a breach of policy. The most typical way of locking peripherals or ports down is with 'Device Control'. Several security companies offer this software based solution to lock ports and drives down. You can even go above and beyond by locking a USB port down from all sticks except ones from let's say Cruzer..or whatever brand. I'd consider that as an alternative to your method for the bigger business.

That would not stop someone from using something like Konboot to login as the admin and have control of the system.

 

[RogueTech]

That would not stop someone from using something like Konboot to login as the admin and have control of the system.

Shouldn't matter if you are restricting it from the server side. Worst case scenario I can think of user takes admin privileges, removes agent that's controlling the peripherals, agent gets redeployed via server as it's a standard policy through Active Directory.

So a very brief temporary access?

 

[MobileTechie]

Any half decent place I've worked in had the servers in a rack with a lockable door or some other proper locking system.

I'm not a big fan of security through obscurity. It might work, it might not depending if they decide to have poke around or just happen to know about this sort of thing - the person you need to stop might even work in the department or know someone who does.

Physical locking security is good it requires someone forces it open, in which case they must have so much time and privacy that they could easily open it up and take the drives anyway.

Or as Roguetech said you can just block the IO devices from working without prior access to Windows. Shouldn't be too hard to rustle up a little script to disable/enable the CD device.

I like this for avoiding the theft of a car radio but not on a server.

 

[PcTek9]

but let's be clear...

if you turn it off in the bios, and you pw protect the bios, the drive won't be there anyway. Further you can as admin turn off those devices. Very simple to do.

So now... your intruder has to take the false face plate off, take the pc case off, and clear the bios, then enter the bios and set the cd to boot or the usb to boot, then use something like abrehLePuerta to get the administrators password or set a new one.

Yes kon boot, and ubcd4win have a cli thing that can do it, etc. But I mean to accomplish all this they have to have a lot of alone time with the pc. Which also means they could just steal the entire pc, or remove the drives. lol.

Mostly security just slows down a determined thief, it never really prevents anything...

 

[RogueTech]

All too true. With enough time, pretty much anything can be cracked.

 

[vdub12]

When I made my stealth drive mod i just did it for looks. I thought it looked really cool.

 

[PcTek9]

I think that's a fantastic idea! Would easily deter most data thieves/etc.

Thank you Vicenarian, at least someone likes my idea.

 

[ATTech]

Reminds me of this encounter I had with a salesmen who was selling security systems.

"Hello sir, are you the owner of this property?" He may have said man of the house, but I'll give him the benefit of the doubt.

"Yes."

"I wanted to drop by and let you know that we are currently looking for some advertising opportunities on this street and wanted to offer you a free security system for simply having our sign in your yard." Sneaky

"So In other words, you want to sell me your service and you're offering a free security system for signing up?"

"It's much more than that... <Insert long sales speech, trying to reiterate that it's an advertising deal>."

"Tell you what, my neighbors don't have any signs, why don't you just put the sign in my yard and I won't even need the security system, all I need is the sign."

"That's not how it works, <More sales speech>"

"So it's not an advertising opportunity, it's a sales pitch. If it was an advertising opportunity, you would have jumped at the opportunity for free advertising. Goodbye!"

Honestly though, who needs a whole security system when you have the sign. I suppose if somebody was specifically targeting me, then it may be a problem, but I make it a point to not give out personal information to unscrupulous people.

 

[PcTek9]

vdub12, your stealth drive idea is fabulous. I love it.

 

[ForsitheComputers]

I wrote a how-to quite a few years ago covering that same thing but A little different. I stuck the blank cover on the front of the CD to make it more stealth. If you push on the corner of the blank drive slot the CD would just open.

Here the link.
http://www.cybercpu.net/howto/mods/sbay.asp



That would not stop someone from using something like Konboot to login as the admin and have control of the system.

I like that Idea. I need a new case/chipset/mobo...uhh a lot of things anyway, when i get one I should try that.