Open Firmware Security for Mac Workstations

Computerworld - When Apple Computer Inc. introduced Open Firmware with the first G3 Macintosh computers, it was big news because it allowed Apple to easily modify system information previously stored in ROM. This meant that revisions made to ROM code after a computer had been manufactured and sold could still be applied to that computer. It also meant that Apple didn't need to patch the operating system to work around older ROM data. It wasn't until Apple introduced the iMac in 1998 that Open Firmware gained common use. The iMac introduced what's called New World ROM architecture, where some of the data previously kept in ROM could now be stored on in a file on a computer's start-up disk (which is even easier to update than firmware data stored on the motherboard).
I could go into many more details about Open Firmware besides its relevance to security, but I'll settle for one main point: Open Firmware is accessed immediately after the Mac's power-on self-tests and before any operating system loads from any device. Calls to it are used to boot with most start-up key combinations, including booting from CD, from a default NetBoot image, through target disk mode (where the computer's hard drive mounts as a firewire drive on another computer) or the start-up manager. As you have already guessed, most of these special start-up modes offer a way for a user to gain full access to a computer's hard drive.
If you can boot from a Mac OS 9 disk, then you have full access to the hard drive, regardless of the permissions assigned to files and folders. If you boot from a Mac OS X CD, you can use the Reset Password command to change the administrator and root passwords for the workstation. If you boot into target disk mode, you can use another computer to copy items from the hard drive. If you boot from an alternate disk (such as a CD, DVD or hard drive), you can run several versions of Unix or Linux and access any data you choose on the internal hard drive of the computer. CDs or DVDs, iPods and portable hard drives are all small, easy to carry, require little or no cables and can be unobtrusively attached to a workstation. And all of them can be bootable, easily allowing a user to circumvent any security measures and permissions you have configured on a workstation.

Open Firmware Security Modes
Open Firmware allows you to set a password for the workstation and to choose one