Open Firmware Security for Mac Workstations

When Apple Computer Inc. introduced Open Firmware with the first G3 Macintosh computers, it was big news because it allowed Apple to easily modify system information previously stored in ROM. This meant that revisions made to ROM code after a computer had been manufactured and sold could still be applied to that computer. It also meant that Apple didn't need to patch the operating system to work around older ROM data. It wasn't until Apple introduced the iMac in 1998 that Open Firmware gained common use. The iMac introduced what's called New World ROM architecture, where some of the data previously kept in ROM could now be stored on in a file on a computer's start-up disk (which is even easier to update than firmware data stored on the motherboard).

I could go into many more details about Open Firmware besides its relevance to security, but I'll settle for one main point: Open Firmware is accessed immediately after the Mac's power-on self-tests and before any operating system loads from any device. Calls to it are used to boot with most start-up key combinations, including booting from CD, from a default NetBoot image, through target disk mode (where the computer's hard drive mounts as a firewire drive on another computer) or the start-up manager. As you have already guessed, most of these special start-up modes offer a way for a user to gain full access to a computer's hard drive.

If you can boot from a Mac OS 9 disk, then you have full access to the hard drive, regardless of the permissions assigned to files and folders. If you boot from a Mac OS X CD, you can use the Reset Password command to change the administrator and root passwords for the workstation. If you boot into target disk mode, you can use another computer to copy items from the hard drive. If you boot from an alternate disk (such as a CD, DVD or hard drive), you can run several versions of Unix or Linux and access any data you choose on the internal hard drive of the computer. CDs or DVDs, iPods and portable hard drives are all small, easy to carry, require little or no cables and can be unobtrusively attached to a workstation. And all of them can be bootable, easily allowing a user to circumvent any security measures and permissions you have configured on a workstation.

Open Firmware Security Modes

Open Firmware allows you to set a password for the workstation and to choose one of three operating or security modes, all of which affect the Mac at the hardware level, before the computer even looks for an operating system or accepts shortcut key combinations. (The one exception is the command-option-O-F key combination that boots the computer to the Open Firmware prompt.) The operating modes allow you to configure Open Firmware to ignore a password, even if one has been set; restrict Open Firmware access and require a password to make Open Firmware changes; or completely prevent access to the workstation unless the password is entered.

The default Open Firmware security mode is none, meaning users have access to all start-up key combinations and to the Open Firmware prompt at start-up. You can set a password and still enable this mode. Doing so will require only that the existing password be used to set a new password. I recommend against using this mode in open environments or for any workstation that will contain sensitive data.

The next security mode is command. Command mode requires you to set a password. It prevents the use of all start-up key combinations, with the exception of booting to the Open Firmware prompt or the start-up manager. If you choose to boot to the start-up manager (holding down the option key), you will need to enter the Open Firmware password. This is the most logical security mode for most situations. You can still boot to an alternate start-up disk of any kind if you need to using the start-up manager (including CDs and NetBoot/NetInstall images).

For general user access, workstation operation will appear normal when using command mode. You should consider using this mode with a password for all workstations in an open environment simply to head off a user who might do it first -- thus locking you and your support staff out of the workstation. You can reset Open Firmware security without the password, but doing so is cumbersome. Also, be aware that even with the Open Firmware command mode, you will still be able to change start-up disks using the Start-up Disk System Preferences pane or Control Panel, unless you restrict access to it.

The highest security mode is full mode, which requires the Open Firmware password whenever the computer is booted. It prevents booting from any disk at all until the password is entered, rendering the computer otherwise useless. This mode is very rarely used, though you might want to consider it for an extremely sensitive workstation, particularly portable workstations with highly sensitive data.

Setting Open Firmware Security

There are two basic ways to set or change Open Firmware security settings: booting into the Open Firmware prompt and setting it directly or using a tool from within Mac OS X. Apple provides a graphical tool called Open Firmware Password that can be downloaded from Apple's support site, and there are graphical user interface and command-line shareware tools available for both Mac OS X and Mac OS 9.

To set Open Firmware security directly through the Open Firmware prompt, start up the computer while holding down the command-option-O-F keys. You will arrive at a black-on-white command line display that says something like this:

Apple PowerMac3,4 4.2.0f4 BootROM built on 10/11/02 at 14:12:47
Copyright 1994-2001 Apple Computer Inc.
All Rights Reserved.

Welcome to Open Firmware, the system time and date is: 15:49:05 8/15/2004

To continue booting, type "mac-boot" and press return.
To shut down, type "shut-down" and press return

Release keys to continue!

ok

0 > _

Be very careful at this prompt, because you are interactively editing the firmware configurations on the motherboard. It's possible to damage the firmware to the degree that the computer won't initiate the boot process. Although unlikely, such damage may be irreversible. This is a big drawback to using the Open Firmware prompt and another important reason to secure Open Firmware access.

Use the command "password" to set or change the Open Firmware password. You will be asked to enter the password twice (and if one already exists, to enter that first). To set the security mode, type "setenv security-mode" followed by the chosen security mode (none, command, or full) and then use the reset-all command to save the changes you have made and reboot the computer using those settings, as shown below. You can exit the Open Firmware prompt using the shut-down or mac-boot commands to shut down or continue the boot process, but this won't save changes.
The commands typed in look like this:

setenv security-mode command
reset-all


Apple's Open Firmware Password tool is extremely simple to use, and you won't risk damaging a workstation's firmware in the process. The one limitation is that setting an Open Firmware password automatically sets the command security mode. It doesn't offer the option of setting the full security mode. It also requires you to authenticate as a local administrator of the workstation before making changes.
Bypassing Open Firmware Security
If you forget the Open Firmware password for a computer, or if someone else sets one before you do, you can reset the Open Firmware settings to their defaults (no password and the none security mode). If other Open Firmware settings have been changed, this might reset them as well. As I said, it's a cumbersome process, so you'll want to avoid having to do it.
First, open the computer and either remove or install RAM. What you need to do is change the amount of RAM that's installed in the computer, so simply moving modules around won't do the trick. Reboot the computer with the changed amount of RAM and zap the PRAM. (Changing the installed RAM allows you to use the command-option-P-R key combination to zap the PRAM, regardless of the Open Firmware security mode, which removes the password.) Then boot into the Open Firmware prompt and use the set-defaults command. This should reset all Open Firmware configurations to the default settings. Use the reset-all command to reboot with the new settings, after which you can set a new password and security mode (either directly through the Open Firmware prompt or using another tool). Restore the original amount of RAM in the computer.


The ability to get around Open Firmware like this is a key reason to ensure that computers are physically secure. This process won't work unless you can get to the RAM inside the computer.
Unfortunately, it's possible to extract the Open Firmware password through other methods: mSec developed a Mac OS 9 tool called FWSucker after the introduction of Open Firmware simply to prove that it could be done. Apple restricted the use of the tool with Mac OS 9.2, and to date there is no corresponding Mac OS X native tool. However, it''s possible to extract the Open Firmware password from the nvRAM chip that holds all Open Firmware data on a Mac's motherboard. With that in mind, you should use managed preferences, Mac Manager settings or Mac OS X local user-access settings to restrict users to a list of known applications. That would help prevent users from running such a tool, should one be developed.
Ryan Faas is the network administrator and offers consulting services specializing in Mac and cross-platform network solutions for small businesses and education institutions. He is co-author of Troubleshooting, Maintaining and Repairing Macs (Osborne/McGraw-Hill, 2000) and of the forthcoming Essential Mac OS X Server Administration (O'Reilly, 2005). He can be reached at ryan_faas@yahoo.com.

5 ways to make Windows 10 act like Windows 7
  
Shop Tech Products at Amazon