On Wed, 9 Feb 2005 14:22:17 +0100 (MET), Karl-Olov Serrander <kase@xxxxxxxx> wrote:
Running FC2/FC3 in a sensitive environment, we need to deny ordinary users the possibility to read or write floppy/cdrom/usbsticks.
We need to be able to give some users/machines permissions to do nothing/read/write floppy/cdrom/usbsticks.
How can this be done?
Can you put the computers in locking cases? Sometimes that's the easiest/best way. For one thing, it's easy for a non-technical security guard to know when the security has been altered, so you don't have to be querying logs all the time.
Otherwise, in addition to breaking removable devices in the OS, you might also want grub passwords, BIOS passwords, etc., because you'll have to prevent booting from CDs and floppies, too, to stop people from starting up a different copy of the OS. That can all be hard to keep track of.
Depending on the sensitivity, it probably makes sense to turn off what you can in software, also, but do consider physical security as part of the broader solution. There are off-the-shelf cases that don't cost very much.
Or don't install the devices or connectors in the first place. If there is a requirement for using one of these, then take the computer back to "the shop". This is what we do.
For USB/IEEE ports on motherboards, fill with epoxy and they become unusable.
Physical control is much easier to control than any other method.
-- Robin Laing