#1
Best method for system security?
Is there any way to implement security in regards to system access? I don't want someone to be able to just close out Sage and get access to the OS.
I know the recording can take place as a Service, and so does not require the OS to be logged in. But will the UI run under the service as well? If not, is there any other good way to protect the system?
#2
HD Media Extender, enough said
#3
Thank you, but that's not the solution I'm looking for. (Jedi wave optional)
#4
Well you can configure Sage to go to screensaver instead of minimizing when you hit "power". Then if you don't leave a keyboard/mouse connected, there's no way to leave the Sage UI.
Also it is possible I believe to start Sage in lieu of explorer.exe.
#5
Quote:
I guess this issue wasn't something that was ever taken into account with Sage's design.
#6
I'm not clear on what you think the issue is. What's your deployment scenario, what kind of threats are you worried about, and who is this "someone" you're afraid might have access to your personal PC?
__________________
-- Greg
#7
Quote:
Whether we're talking about my own setup, or setups I build for others, protecting system access is always a legitimate concern. Whether it's to keep your kids from having free rein surfing the net, or to keep guests (yours or anyone else's) from causing damage or planting malware, it's a legitimate issue. Perhaps you don't need to worry about it, and that's fine - but that doesn't mean it's paranoid for others to have that concern.
#8
I'm not saying it's not a legitimate concern. But the kind of security measures you take depend on your usage scenarios and what kind of threats you expect. If a malicious user has unsupervised physical access to your PC, that's a whole different ballgame than, say, some kid with a remote watching TV on an extender. But you've apparently ruled out the use of extenders as a security measure without really explaining why.
I'm not looking to pick a fight here; sorry if it came off that way. I'm just saying it's going to be hard to give good advice without a clearer idea of what your design constraints are and what you're trying to protect against.
__________________
-- Greg
#9
As an example I will give you my setup and the concerns I have been trying to address. My scenario deals with a spouse that needs to use the computer for general use, family that wants to use our media library, TV, etc., and me, who uses computers professionally and wants to have as little headaches as possible. My solution:

1. Office PC for general computer use, internet, documents etc. People store documents on this PC and the documents are replicated to the server share every 8 hours. This PC is not trusted since who knows what stuff the family does there :-).

2. Several servers, one of them a file server that has 1 writable share to which documents are replicated and several read-only shares that contain everything else. Nobody except me has access to these servers. If they want something (e.g. to watch or listen to something on the office PC), they can get it unauthenticated from the read-only shares. Only I can transfer files to specific locations on these servers via SSH. Everybody else can just write to that one share for replication (which nobody really does or cares to do) since their local documents are replicated automatically. Sage also runs on this server.

3. HD Extender giving access to the media library in the living room. Since Sage exists on the server, only I can configure it and nobody can mess it up. I keep multiple versions of Sage installed in case I need to revert due to an issue. This way I guarantee the WAF. The server is headless, in the closet, password protected, etc. Nobody in the family ever cared to get into it.

What have I solved? Anybody can easily watch media in our living room without messing with computers, or on the office PC using placeshifter. Anybody can use the computer and I do not have to worry about what is going on there. All is automatically backed up to the server. I periodically synchronize the current backup with the "master copy" backup (that is read-only for everybody else). Before I let it replicate the changes I review that only the expected files were changed, removed, etc. This way if somebody deletes something by accident, we have a copy. If some virus encrypts all our files, we have a copy. If disks fail, we have copies.

Solving access and security on the office PC is outside the scope of this discussion and doesn't really apply to Sage.
#10
Stanger mentioned running the client as the shell with all benefits normally provided by explorer.exe. This is your first logical move IMO. I build commercial CCTV systems; most have XP Pro and an alternate shell for local access. Still, with the Intel Little valley so cheap I may start "extending" it so you no longer have local access.
Still really there is nothing that will stop anyone determined if they have local access. They can worst case reset the BIOS and boot whatever they like. Changing the shell stops a bunch of them. I have also been working with Sage embedded to protected compact flash with good results. You can still mess with wiz.bin. I dunno how you would protect Sage from the user; it has no access control. I use dynamic menus to limit the functionality inside the GUI.
#11
Quote:
For example, setting sage to screensaver on sleep and removing the keyboard/mouse makes it a) rather hard to get out of SageTV and b) essentially impossible to do anything on the PC if you do manage to "escape" Sage. If that's too weak, then the stock STV can be customized to disable the user from changing the Sleep Mode behavior and from changing STVs, thus it's impossible to get out of Sage without a keyboard/mouse.

Now, if you're saying you need a way to prevent the user from getting out of Sage either on a PC with a keyboard/mouse connected, or if you're needing to secure from people connecting a keyboard/mouse, well you're basically SOL since it's impossible for Sage to disable people from killing its process (eg Ctrl+Alt+Del). This is why we need to know what you're trying to protect from, because extenders are the only way to completely eliminate the possibility of exiting the Sage interface and gaining access to the OS. Of course even that won't work if physical access can be gained to the server.
#12
Quote:
I understand that extended physical access has its own concerns - that's not what I'm concerned about. I want to keep script kiddies and the average too-inquisitive-for-manners joe out of the OS.

If Sage could run (including the UI) while the OS was logged out, that would be sufficient. If it was possible to set a strong password in order to exit or minimize Sage, and the other routes of ingress/egress (e.g. Alt-Tab, Ctrl-Alt-Delete, Windows Key, Ctrl-Shift-Esc, etc...) were disabled, that would also be sufficient. Hopefully, that gives you an idea of what I'm looking for.

Edit: I forgot to address the extenders issue - I don't want to use an extender because of the added expense, as well as the bandwidth it's going to suck off the network (not to mention the performance issues that will crop up when there are *other* needs for the bandwidth).

Last edited by Twinkle; 06-16-2008 at 07:11 PM.
#13
Quote:
As I said earlier, I'm not interested in protecting against a serious attack - I want to be able to keep nosy people and kids/teens out. The keyboard issue is too easy to bypass. All I'm looking for is for a strong password to be required - whether it's through Sage, or whether it's the Windows login itself.

For example, if Sage pipes output to the TV-Out, as opposed to playing on the monitor and leaving it up to you how it gets to the TV - perhaps it might be possible to login to Windows, start Sage, and then lock the station.
#14
I have the client in my daughter's room set up to auto login with tweakui into a severely limited user account. I have disabled everything I can get away with on this account. Local admin accounts have very strong passwords.
I then used dynamic menus to give her access to the stuff I want her to be able to use. Whilst it's not a complete solution I would think it should be sufficient for the type of threats you are talking about. If the kids are much cleverer than that then an mvp is the sensible option otherwise you will be merely setting a challenge. Personally if I had kids coming into my house that I thought had tried to do something unauthorised with my network they wouldn't be allowed back again.
#15
Just off the top of my head I'd suggest removing physical access to boot devices (disable this in bios or fill up the various holes with epoxy resin), set sage to run as shell and use group policy to limit the executables that the user account is able to execute.

There's a link (first off google, there may be better) that describes manually setting this up if you don't happen to have a domain at home to apply group policy. I of course haven't tried this and take no responsibility for its accuracy or anything that you might do to your machine. http://www.pctools.com/guides/registry/detail/113/

If you do have a dc at home (does WHS act as an AD dc?) then this might be more helpful; http://support.microsoft.com/kb/310791/en-us

I notice that you can also use group policy to set whether a user has access to the task manager (via ctrl-alt-del or ctrl-shift-esc) along with other goodies.

NB: I'm no expert in locking down machines to this extent. The last time I had anything to do with application lockdown was when rolling out a bunch of terminal servers in 1998-99 and I don't recall that being particularly straightforward. Use my advice at your own peril.

Mick.
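One way to verify the settings suggested in posts #14 and #15 (limited account, Sage as the shell, an executable allowlist, Task Manager disabled) is to read them back from the per-user policy keys. This is an added example, not part of the original thread or of SageTV; the executable name `SageTV.exe` and the `$ExpectedShell` parameter are assumptions.

```powershell
# Added example (not from the thread): read-only audit of the per-user lockdown
# settings suggested above. Run it while logged in as the limited SageTV account.
# Assumption: 'SageTV.exe' is an illustrative executable name; pass your own.
param([string]$ExpectedShell = 'SageTV.exe')

$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# "Custom user interface" policy: the program started instead of explorer.exe.
$shell       = Get-PolicyValue "$policies\System"   'Shell'
# 1 = Task Manager blocked (Ctrl+Alt+Del and Ctrl+Shift+Esc routes).
$noTaskMgr   = Get-PolicyValue "$policies\System"   'DisableTaskMgr'
# 1 = only executables listed under the RestrictRun subkey may be started.
$restrictRun = Get-PolicyValue "$policies\Explorer" 'RestrictRun'

# The allowlist entries are string values under the RestrictRun subkey.
$allowed = @()
$listKey = "$policies\Explorer\RestrictRun"
if (Test-Path $listKey) {
    $key     = Get-Item $listKey
    $allowed = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

# The kiosk account itself should not hold administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$checks = @(
    [pscustomobject]@{ Check = 'Custom shell is set';     Pass = [bool]($shell -like "*$ExpectedShell*"); Value = $shell }
    [pscustomobject]@{ Check = 'Task Manager disabled';   Pass = ($noTaskMgr -eq 1);                      Value = $noTaskMgr }
    [pscustomobject]@{ Check = 'Executable allowlist on'; Pass = ($restrictRun -eq 1);                    Value = $restrictRun }
    [pscustomobject]@{ Check = 'Shell is in allowlist';   Pass = ($allowed -contains $ExpectedShell);     Value = ($allowed -join ', ') }
    [pscustomobject]@{ Check = 'Account is not an admin'; Pass = (-not $isAdmin);                         Value = $identity.Name }
)

$checks | Format-Table -AutoSize
# Non-zero exit code when any check fails, so the audit can be scripted.
if ($checks.Pass -contains $false) { exit 1 }
```

The `RestrictRun` allowlist is only enforced for programs launched through Explorer, so treat a pass on that row as a speed bump rather than a boundary. With UAC enabled, an unelevated administrator also passes the last check, so confirm the account's group membership separately.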
#16
Quote:
What's this about bandwidth? I don't think that this is a realistic concern, is it? What kind of network do you propose using?

Mick.
#17
Quote:
I suppose limiting the account privileges is the best way to go - I was hoping that there was a simple way to implement a password-for-access method, that's all. Thanks.
#18
Bandwidth isn't an issue? If on the Sage machine, you've got 10 GB per hour video, how can it not be an issue to broadcast that over a network? Unless the quality is dropped significantly?
#19
Quote:
So even if you are only getting half the throughput in your 100mbit network... you'll be ok. I would think that over wireless, it would be a stretch... but on a wired network... I can't see it being much of an issue.

I agree with the other people, regarding the HD extenders. It's a low cost solution, and it allows your sage server to be a server only, which will bring stability to the whole chain. My sage server remains running for months at a time... I've only ever rebooted the server to take kernel updates. I haven't actually tried to watch a ripped blu-ray movie across the network... but it's on my list.

I doubt you'll ever find a solution to your problem, as long as you allow direct access to the computer. That's why my server is in a closet, enclosed in a steel frame, enclosed in cement. Ok I made that up.... but really, as long as someone has access to the machine.... even script kiddies... especially script kiddies will gain access.
__________________
Batch Metadata Tools (User Guides) - SageTV App (Android) - SageTV Plex Channel - My Other Android Apps - sagex-api wrappers - Google+ - Phoenix Renamer Downloads SageTV V9 | Android MiniClient
#20
Quote:
Yes, Blu-Ray is the sticking point. But between the bandwidth usage, dependence on the network, and additional cost, I'll pass for the moment. (I'm already going broke to build the HTPC itself!)
Quote:
Oh, I know the vulnerabilities exist - I simply wish to address this low level of attack vectors. But given what's been discussed, I'll just try to do it via the OS access privileges. Thanks, though.