Hardening against users with physical access

A system to which an intent and malicious user has physical access is not a secure system. But in some usage scenarios it is inevitable that curious, clumsy, and malicious-lite users will have physical access to a system. Such scenarios include, but are not limited to, anything from PCs deployed in labs and as public terminals, to home computers accessible by children. In these and similar cases there are many steps that may be taken to harden a system, which will serve as an effective deterrent against all but the truly malicious user waiting with bolt cutter, hacksaw, and keypress-sniffer (or keystroke logger) in hand.

As in all cases your first step would be to inspect the box for the possibilities it offers and make a "what if" scenario to find out cause and effect of activity/vulnerability vs hardening (and the effect it has on operability).

Items on your checklist should be:
 * the BIOS
 * floppy drives
 * the CD-ROM drive
 * any cabling
 * any peripherals
 * casing
 * placement (room, including access to)


 * In some cases where public access is necessary running the securely encased box in Kiosk mode can be an alternative.
 * Looking at and securing physical access is just a start. Please continue by hardening the machine (and any other machine on your network users have network access to) with respect to installed software, running and dormant daemons, users and processes.