One of the most important things you can do to make sure that you've got good security on your systems is to make sure that you've got good physical hardening. Now, when I'm talking about physical hardening, I don't mean pour concrete all over it or cover it with steel plates. Instead, what I'm talking about is that your typical system is covered with ports and connections and all kinds of stuff that either inadvertent or evil people can take advantage of. So what we're going to be doing is talking about how to deal with that, as well as talk about some of the evil things that can happen with CPUs that need a little extra help. So the first place I want to talk about more than anything else is removable media controls. Now, I'm old school, so I still like to have a CD/DVD drive on my system.
But removable media is still a real issue. Now, the one thing I'm not talking about here is USB. We'll save that for a little bit later. What I am talking about is mainly optical media more than anything else. It's a trick to make sure that you can deal with this stuff. What if you don't want people throwing CD-ROMs into their system and installing stuff?
Or worse yet, what if autoplay kicks in and automatically does naughtiness? Luckily for us, there are very easy controls on this. So what I want to do is handle this from the operating system level. Do keep in mind that, if you wanted to, a lot of systems allow you to simply shut off optical media, but let's do it a little bit more elegantly. To do that within Windows (although every operating system has something similar to this), we're actually going to go into a local computer policy and configure it so that people can do only certain things with their removable media. So on this particular system here, I'm going to run MMC and I'm going to add myself a plugin.
In this particular aspect, I'm going to use the Group Policy Object editor for just my local computer, and what I've got is my Local Computer Policy. Now, what I need to stress right now is that if I wanted to (and you can do this with just about any operating system), I can set it up for the system as a whole, so that nobody can do anything with optical media. But I could also set it up for individual users. In this particular example, I'm going to set it up for the computer as a whole. But keep in mind that every OS would let you set it up so that Mike Meyers could never run executable files on DVDs, stuff like that. Okay, so the first thing we're going to do is go into our Computer Configuration, because I want to do it for the whole computer. And we'll go under Administrative Templates and come down here to System and scroll all the way down.
Removable Storage Access. There it is. Now, if you take a look here, you can see we've got a lot of very, very tight controls here: floppy drives, removable disks (in this case, they're talking about removable drives), CDs, DVDs. Let's just have fun. Let's just say I want to set it up
so nobody can read any optical media on this system. So you see right now it's Not Configured. So I'm just going to fire this up and enable it. And if I hit OK, I've set it up in such a way that nobody is going to be able to read any optical media. Now, let me go ahead and turn that off, because I'm just the kind of person who's going to forget. Let's just go to Not Configured.
And we've turned that back off. So every operating system is a little bit different in terms of how it handles removable media controls, but in Windows, it's done through a local computer policy. Now, the next thing I want to do under physical hardening is something called Data Execution Prevention, or DEP. DEP is a problem that was discovered a few years back where evil guys could actually execute programs in certain parts of memory they weren't supposed to. So this really is a hardware issue, even though it seems to be that we only use software to fix it. So let me show you where DEP sits, at least within the world of Windows.
So the first thing I'm going to do is type in System. And under System, we go to Advanced system settings. And we click under Performance. And if you look right here, this is Data Execution Prevention. And you'll notice it's on for pretty much anybody who needs it. DEP by default is a good thing.
And there are very, very few situations where people want to turn off DEP. However, if you take a look on the screen here, you can actually go in and add executable programs. I gotta tell you, DEP has been around for close to 10 years now, and I have never once had to go in there; however, it's on the exam. So you have been fully covered, at least in terms of understanding how to turn on or turn off DEP. Now, the last one that I want to talk about when it comes to physical hardening is actually pretty interesting. Here, we're going to be talking about disabling ports.
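The two Windows settings walked through above, the Removable Storage Access policy and the DEP configuration, as an added PowerShell example that is not part of the original video. It assumes the documented registry locations behind those dialogs: the machine-level Removable Storage Access policy is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices keyed by device-class GUID (the CD/DVD, removable disk and floppy GUIDs below), the DEP mode is exposed by Win32_OperatingSystem's DataExecutionPrevention_SupportPolicy, and the per-program exceptions from the System dialog are recorded as AppCompatFlags layers carrying DisableNXShowUI. The function names are mine. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the video): script the Local Computer Policy
# "CD and DVD: Deny read access" setting and report the DEP mode.
# Assumptions: the policy lives under the RemovableStorageDevices key,
# keyed by device-class GUID; run from an elevated prompt.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device-class GUIDs used by the Removable Storage Access policy.
$DeviceClass = @{
    CdDvd         = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    RemovableDisk = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    Floppy        = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Set-RemovableStorageDeny {
    param(
        [Parameter(Mandatory)][ValidateSet('CdDvd','RemovableDisk','Floppy')][string]$Class,
        [Parameter(Mandatory)][ValidateSet('Read','Write','Execute')][string]$Access,
        [switch]$NotConfigured   # revert to "Not Configured" (remove the value)
    )
    $key  = Join-Path $PolicyRoot $DeviceClass[$Class]
    $name = "Deny_$Access"
    if ($NotConfigured) {
        if (Test-Path $key) { Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue }
        return
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-RemovableStorageDeny {
    # Report which Deny_* values are currently enforced, for a quick audit.
    foreach ($c in $DeviceClass.Keys) {
        $key = Join-Path $PolicyRoot $DeviceClass[$c]
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        foreach ($v in 'Deny_Read','Deny_Write','Deny_Execute') {
            if ($p.PSObject.Properties[$v] -and $p.$v -eq 1) {
                [pscustomobject]@{ Class = $c; Setting = $v; Enabled = $true }
            }
        }
    }
}

function Get-DepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    # 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (essential Windows programs only),
    # 3 OptOut (all programs except the listed exceptions).
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $modes = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    # Exceptions added with "add executable programs" in the System dialog
    # are AppCompatFlags layers whose value contains DisableNXShowUI.
    $layers = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    $exceptions = @()
    if (Test-Path $layers) {
        $p = Get-ItemProperty -Path $layers
        $exceptions = @($p.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match 'DisableNXShowUI' } |
            ForEach-Object { $_.Name })
    }
    [pscustomobject]@{
        Mode       = $modes[[int]$os.DataExecutionPrevention_SupportPolicy]
        Available  = $os.DataExecutionPrevention_Available
        Exceptions = $exceptions
    }
}

# Same steps as the video: deny CD/DVD reads, check, then put it back.
Set-RemovableStorageDeny -Class CdDvd -Access Read
Get-RemovableStorageDeny
Set-RemovableStorageDeny -Class CdDvd -Access Read -NotConfigured
Get-DepPolicy
```

Writing the Policies key directly takes effect the same way the editor's setting does, but the Local Group Policy Editor keeps its own registry.pol store and will still display Not Configured for a value set this way; for the change itself use the editor (or a tool that edits registry.pol) and keep a script like this for auditing what is actually enforced on the box.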
However, to disable ports, we're going to have to go into the BIOS. So I'm going to point a camera right at the screen so you can watch me do some BIOS changes. Ready? Okay, folks, here we are in my UEFI BIOS on this particular system. And now keep in mind, what I'm about to show you changes on every different BIOS.
So keep that in mind as I show you this. So on this particular BIOS, we go into Peripherals. And what I'm looking for is I want to turn off ports. So first of all, I cannot actually turn off my USB ports, and that's a big one that a lot of people worry about. As a matter of fact, there are a lot of security people who would not like this particular motherboard. However, I can do this: USB mass storage driver support.
Now you can see that I've got it disabled. The reason it's disabled: if somebody can plug in a USB device, they can plug in a mouse and the mouse will work, but if they try to plug in a thumb drive to copy data, it's not going to work for them. So keep in mind, all of these are easily toggled, enabled and disabled. So now people can start using the thumb drives again properly. Let's go ahead and turn that off.
The other thing we could do is turn off just about any port. Now, I'm not going to go showing you every different port we can turn off here. But one of the things that I like to use are legacy ports. On this particular motherboard, it actually still has a serial port and a parallel port. Serial ports are particularly notorious for bad guys to get into. So I'm going to go ahead and disable that one as well.
And then that way, I've got ports turned off. So with all the different things we've seen in physical hardening, the one thing I really can't stress enough is shutting off those ports. In law enforcement scenarios and in a lot of highly proprietary scenarios, not turning off ports, and in particular USB ports, is a recipe for IP security disasters.
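The firmware changes above can't be scripted from the operating system, but Windows has counterparts for both of them, and a defender normally applies both layers. The following is an added PowerShell example, not code from the video. It assumes that the USBSTOR service's Start value (4 = disabled, 3 = manual, the default) gates USB mass-storage enumeration while mice and keyboards keep working on the generic USB stack, and that COM and LPT devices show up in the "Ports" Plug and Play class so they can be listed and disabled with the PnpDevice cmdlets. The function names are mine. Run it from an elevated prompt.

```powershell
# Added example (not from the video): OS-level counterparts to the two
# UEFI settings shown above. Assumptions: USBSTOR Start=4 blocks USB
# mass-storage devices while HID devices still work; COM/LPT ports are
# in the "Ports" PnP class. Run from an elevated prompt.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-UsbMassStorage {
    param([Parameter(Mandatory)][ValidateSet('Enabled','Disabled')][string]$State)
    # Start: 3 = manual (loads when a storage device appears), 4 = disabled.
    $start = if ($State -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $start
}

function Get-UsbMassStorageState {
    $v = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    if ($v -eq 4) { 'Disabled' } else { 'Enabled' }
}

function Get-LegacyPort {
    # Lists the serial (COM) and parallel (LPT) ports the OS currently sees.
    Get-PnpDevice -Class Ports -ErrorAction SilentlyContinue |
        Select-Object FriendlyName, InstanceId, Status
}

function Disable-LegacyPort {
    # Disables every working COM/LPT device at the OS level. Firmware-level
    # disabling (as in the video) is the stronger control because it also
    # covers boot time and any other OS booted on the box; do both where you can.
    Get-PnpDevice -Class Ports -Status OK -ErrorAction SilentlyContinue |
        ForEach-Object { Disable-PnpDevice -InstanceId $_.InstanceId -Confirm:$false }
}

# Same sequence as the video: block thumb drives, audit, then re-enable.
Set-UsbMassStorage -State Disabled
Get-UsbMassStorageState
Get-LegacyPort
Disable-LegacyPort
Set-UsbMassStorage -State Enabled
```

The USBSTOR setting only stops the mass-storage driver from loading, so a device that needs a different driver class is not covered by it; pair it with the Removable Storage Access policy from earlier in the video, and treat the firmware setting, protected by a BIOS/UEFI password, as the control that actually holds when someone has hands on the machine.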