Apparently a computer system protected by a login password, e.g. Windows XP, can be easily hacked by someone with physical access to it using methods like this one:
Can anyone inform me how to mitigate against this type of attack?
Thanks!
The real issue here is that the attacker only needs physical access to your hard drive in order to read or manipulate the files which contain your password hashes. There is already a thread on SuperUser which has some recommendations, which I will likely repeat here.
How to secure my Windows 7 PC?
As security compromises of a PC go, physical access is perhaps by far the worst kind. Once an attacker has their hands on your computer, most other security methods in place are easily circumvented. That said, here's what you can do to prevent or hinder these attacks from affecting your system.
The short answer is: there is no good way to provide strong security if your enemy has physical possession of your PC. You just have to accept that as a fact of life.
For example, if your enemy has physical control over your PC, then he can remove the hard drive from your PC and read and write it to his heart's content on his own PC.
As another example, the enemy can surreptitiously introduce a key logger that records all your passwords and other key strokes. Some key loggers are small, unobtrusive dongles that fit between your keyboard and your PC, so no amount of locking down the case of your PC is sufficient to protect against that threat.
None of the answers proposed on this web page can stop all of these attacks.
You asked about mitigations. There are no great mitigations, but here are some imperfect steps you can take (in addition to the other ones mentioned here):
Use an encrypted filesystem. Encrypt your entire filesystem. TrueCrypt has software that is free and good. PGP sells software that's good. This will reduce the window of opportunity for an enemy to access your hard drive. Some downsides include the fact that you have to memorize and use a long passphrase. It doesn't work for unattended servers (because someone has to be around to enter the passphrase when the server boots, and also once the password is entered, for as long as the server is unattended, an enemy may be able to gain access to the data).
Apply as much physical security as possible to the PC. For instance, lock the case, lock the room it is located in, buy a burglar alarm, install a surveillance video camera.
There are fancy things you can do, including buying hardware security modules (HSMs) to store your crypto keys and using tamper-resistant hardware, such as a smartcard or IBM 4758. However, these are exotic techniques not likely to be cost-effective in most settings.
One way to prevent booting from devices like CDs and USB sticks is to disable it in the BIOS and password protect it. It would then require access to the motherboard to reset the BIOS.