The Open Firmware built into Macintosh computers supports a variety of startup options, many of which allow bypassing Mac OS X:
Using an Open Firmware Password

To prevent attackers from selecting any of these alternate boot modes, you should enable an Open Firmware password. The easiest way to do this is with the Apple Open Firmware Password utility, provided on the Mac OS X version 10.4 (v10.4) installer DVD in the /Applications/Utilities folder. The Open Firmware password feature is supported only by Open Firmware version 4.1.7 and later. You may need to update some older Macintosh models' firmware to use this feature. To determine which version of Open Firmware is installed on a computer, open the System Profiler located in /Applications/Utilities and click the Hardware option under the Contents pane. The BootROM version, which is also the computer's Open Firmware version, is displayed in the Hardware Overview window.

Note: A list of the latest firmware updates for various models is available at http://docs.info.apple.com/article.html?artnum=86117. For some older Mac models, you may need to perform updates under Mac OS 9.

The following Apple computers can use the Open Firmware Password application:
When an Open Firmware password is enabled, it blocks the following boot modes by displaying a lock with an entry box for the Open Firmware password:
Note: Target Disk Mode, NetBoot, and CD-ROMs may still be selected in the Startup Disk preferences pane; the Open Firmware password prevents them from being selected only at boot time.

The Open Firmware password also restricts the following modes, by requiring that the password be provided to use them:
Choosing an Open Firmware Password

Open Firmware does not support international or accented characters in passwords, so you must choose a password consisting only of the printing ASCII characters (character values 32 through 126). Also, to avoid a known-password issue, do not use the capital letter U in an Open Firmware password. Following are the allowed characters (the space character, value 32, is also allowed):

  !"#$%&'()*+,-./0123456789:;<=>?
  @ABCDEFGHIJKLMNOPQRSTVWXYZ[\]^_
  `abcdefghijklmnopqrstuvwxyz{|}~

Be aware that Open Firmware stores its password in recoverable form. This means that if an attacker gains root access to a computer by other means, he can find out what the Open Firmware password is. For example, there are certain applications that will routinely collect the Open Firmware password from any computer on which they are installed. If multiple computers share the same Open Firmware password, the attacker can use that password to gain control of other computers with the same password. Ideally, each computer should be given a unique password to prevent such cross-computer attacks. If completely individual passwords are impractical, at least split your computers into groups to limit the exposure. In particular, low-security computers (such as laptops and lab/general-access computers) should never be assigned the same Open Firmware password as high-security computers. Also, you should not use the Open Firmware password in any other context, such as a login password.

Tip: You can use the command-line utility nvram to control firmware settings. Just type man nvram at the command line to see the arguments. To see a better set of options, type nvram -p.

Disabling an Open Firmware Password

You may find that you need to disable an Open Firmware password, either temporarily or permanently, to perform operations like installing a new version of Mac OS X from DVD. There are a number of ways to accomplish this:
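The password-selection rules in "Choosing an Open Firmware Password" above (printing ASCII only, no capital U, no sharing across security tiers, no reuse as a login password) are easy to audit before passwords are rolled out to a fleet. The following checker is an added example, not code from the original text or from Apple; the host names, tiers and passwords it uses are constructed sample data.

```python
# Added example: a fleet-side policy check for Open Firmware passwords,
# enforcing the constraints described in the section above.
# All host names, tiers and passwords below are constructed sample data.

# Printing ASCII (values 32..126) minus the capital U the text warns about.
ALLOWED = {chr(c) for c in range(32, 127)} - {"U"}


def check_password(pw: str) -> list[str]:
    """Return the list of rule violations for one candidate password."""
    problems = []
    if not pw:
        problems.append("empty password")
    bad = sorted({ch for ch in pw if ch not in ALLOWED})
    if "U" in bad:
        problems.append("contains capital U (known-password issue)")
        bad.remove("U")
    if bad:
        problems.append("non-ASCII or non-printing characters: " + repr("".join(bad)))
    return problems


def check_fleet(hosts: dict, login_passwords: set) -> dict:
    """hosts maps hostname -> (security_tier, open_firmware_password).
    Flags per-password weaknesses, passwords shared by several hosts or
    across tiers, and firmware passwords also in use as login passwords."""
    report = {}
    by_pw = {}
    for host, (tier, pw) in hosts.items():
        report[host] = check_password(pw)
        by_pw.setdefault(pw, []).append((host, tier))
        if pw in login_passwords:
            report[host].append("reused as a login password")
    for pw, users in by_pw.items():
        tiers = {tier for _, tier in users}
        if len(users) > 1:
            for host, _ in users:
                report[host].append(f"shared by {len(users)} hosts")
        if len(tiers) > 1:
            for host, _ in users:
                report[host].append("shared across security tiers: " + ", ".join(sorted(tiers)))
    return report


# Constructed sample inventory: a lab password leaked onto a high-security
# laptop, a password containing U that doubles as a login password, and
# one with an accented character Open Firmware cannot accept.
SAMPLE_HOSTS = {
    "lab-imac-01": ("low", "gr8Lab!2005"),
    "lab-imac-02": ("low", "gr8Lab!2005"),
    "cfo-powerbook": ("high", "gr8Lab!2005"),
    "hr-emac": ("high", "Unique$ecret"),
    "dev-g5": ("high", "caf\u00e9-latte"),
}
SAMPLE_LOGIN_PASSWORDS = {"Unique$ecret"}
```

Run `check_fleet(SAMPLE_HOSTS, SAMPLE_LOGIN_PASSWORDS)` and any host whose list is non-empty needs a new password before the Open Firmware Password utility is used on it.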