Warning: These changes need to be re-done after each OTA update.
If you are using the Education or Enterprise Editions of CloudReady, you already have the most secure setup CloudReady offers. No access to the system is possible except where allowed by the browser's security policies.
If you're using the Home Edition of CloudReady, then your machine comes with more flexibility and freedom than our paid version. In particular, you have access to the command line (using Ctrl+Alt+T or Ctrl+Alt+F2), where you can make changes that are not possible through the GUI. But this extra freedom comes with a loss in security that you may want to counteract.
Chromium OS (and therefore CloudReady) has only two users of relevance: root and chronos. The chronos user has no password set by default, allowing anyone to access a shell and escalate to root privileges. You can set a password for the chronos user in order to avoid this vulnerability.
This article advises you on making system-level changes manually from the command line. In CloudReady v66 and higher, you'll need to disable rootfs verification prior to making these changes, which can have security implications.
STEPS TO CHANGE ROOT AND CHRONOS PASSWORDS:
1) Access a command line using Ctrl+Alt+T (followed by the "shell" command) when at the desktop, or Ctrl+Alt+F2 from anywhere (some computers will need Ctrl+Alt+Fn+F2)
2) Allow yourself to make changes to these settings by running:
sudo mount -o rw,remount /
3) Now run the command to actually change the password for chronos:
sudo passwd chronos
(enter the new password you want, followed by Enter, twice as prompted)
4) We recommend you don't change the root password, leaving it inaccessible unless someone knows the chronos password.
5) Now make your disk read-only again for security.
sudo mount -o ro,remount /
That's it! Your access should now be as secure as you'd like.
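An added check, not part of the original article: because the password has to be set again after each OTA update, this script reports whether an account currently has a password hash. It assumes passwd stores the hash in a standard shadow(5)-format file such as /etc/shadow; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the password hash lives in a shadow(5)-format
# file (name:password:lastchange:...), e.g. /etc/shadow, readable only by root.
# Usage (script name is hypothetical): sudo sh check-chronos.sh /etc/shadow chronos

# Constructed sample lines (not from a real device); the hash is a placeholder.
SAMPLE='root:*:18000:0:99999:7:::
chronos::18000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:18000:0:99999:7:::'

# Print the password field of user $2 from file $1; fail if there is no entry.
shadow_field() {
    awk -F: -v u="$2" '
        $1 == u { print $2; found = 1; exit }
        END     { if (!found) exit 1 }' "$1"
}

# Classify a password field:
#   empty  - no password is required
#   locked - starts with "!" or "*", so no password hash is usable
#   set    - a password hash is present
classify_field() {
    case "$1" in
        "")        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo set ;;
    esac
}

# Exit 0 when user $2 in file $1 has no password hash, meaning the steps in
# this article need to be applied again; exit 1 when a hash is present;
# exit 2 when the user has no entry at all.
needs_password() {
    field=$(shadow_field "$1" "$2") || { echo "no entry for $2" >&2; return 2; }
    state=$(classify_field "$field")
    echo "$2: password $state"
    [ "$state" != set ]
}

# Run the check only when a file is given on the command line.
if [ -n "${1:-}" ]; then
    needs_password "$1" "${2:-chronos}"
fi
```

An exit status of 0 means the account has no password hash and the steps above should be run again.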