| Before addressing directory services (DS) security, we need to touch on the need for physical security on the servers holding DS replicas. If at all possible, you should take the following measures: If these measures are not possible, you should find a way to physically secure the system. If someone breaks in and steals the server, no matter how good your security policy is, that person has all the access needed and more than enough time to break into the data. TIP It often escapes administrators' attention, but you also need to secure all your backup media. Having access to the data on your system backup is as good as having access to the data on your server.
TIP If you have a small server that needs to be secured, one option may be Kanguru Solution's Kanguru Encryptor ( www.kanguru.com/encryptor.html ). It is a real-time data encryption/decryption device and is hardware based. Even if the server is stolen, the data stored on the hard drive is useless to anyone without the correct access key.
Almost all companies have firewalls to protect their data from external attacks across WAN/Internet links. Often overlooked, however, is another aspect of physical security ”the various LAN access points located within a network. As with your server room, you should restrict access to network switch rooms where someone can easily plug in a laptop computer running a packet sniffer and gather information that would otherwise require a privileged user ID and password to obtain. NOTE With the popularity of wireless networking, many companies have wireless access points that are interconnected with the LAN infrastructure. It is prudent to enable Wired Equivalent Privacy (WEP) encryption, but even 128-bit WEP is not as secure as you might think, but it's better than not using any security. It is a good idea to change the passphrase or secret key frequently.
| 