Chapter 3. Before and during the installation

3.1. Choose a BIOS password
3.2. Partitioning the system
3.2.1. Choose an intelligent partition scheme
3.2.2. Selecting the appropriate file systems
3.3. Do not plug to the Internet until ready
3.4. Set a root password
3.5. Run the minimum number of services required
3.5.1. Disabling daemon services
3.5.2. Disabling inetd or its services
3.6. Install the minimum amount of software required
3.6.1. Removing Perl
3.7. Read the Debian security mailing lists

3.1. Choose a BIOS password

Before you install any operating system on your computer, set up a BIOS password. After installation (once you have enabled bootup from the hard disk) you should go back to the BIOS and change the boot sequence to disable booting from floppy, CD-ROM and other devices that shouldn't boot. Otherwise a cracker only needs physical access and a boot disk to access your entire system.
Disabling booting unless a password is supplied is even better. This can be very effective if you run a server, because it is not rebooted very often. The downside to this tactic is that rebooting requires human intervention which can cause problems if the machine is not easily accessible.
Note: many BIOSes have well-known default master passwords, and applications also exist to retrieve the passwords from the BIOS. Corollary: don't depend on this measure alone to secure console access to the system.