The most obvious physical threats are those that directly threaten the physical
Next come threats from people. These threats can be divided into two primary categories: malicious and nonmalicious. Malicious threats include theft,
Of these possibilities, the most interesting are probably
Surreptitiously booting the machine off a floppy or CD and stealing or modifying
Booting with a third-party boot disk that allows changing the local administrator password, then using that account to compromise a trusted domain account.
Installing Trojans or escalating privileges using local exploits against vulnerabilities in the operating system or applications.
Disabling access or audit control systems or tampering with security logs and audit records.
Changing the basic input/output system (BIOS) password so that
Using bootable universal serial bus (USB) or FireWire devices (
Hooking up unauthorized peripherals, including Web cams, microphones, and keystroke loggers (that s how the FBI eventually bagged traitor Aldrich Ames and organized crime kingpin Nicky Scarfo).
People threats are harder to mitigate against, because a clever attacker can exploit the principles described in Chapter 4, Threats and Risk Assessment, to attack precisely the component you haven t protected at the time you least expect it (or at the time it s most vulnerable). In addition, don t disregard the simple fact that people can be bribed or threatened; if you have extremely valuable or sensitive data, you should keep this in mind as you design your security policies. The good news is that strengthening your access controls will help keep malefactors away from the machines in the first place.
Let me begin with a quote from Apple engineer Scott Collins: You should be exactly as
The obvious place to start improving your physical security is with the location and environment of your servers. When I say servers, this includes not only your Microsoft Exchange servers, but also your Active Directory domain controllers and global catalogs, certificate authorities, and other computers that provide services to Exchange.
First, consider where your computers are physically located. Are they in secure areas or in public view? Your goal for location security is to put the machines somewhere that is difficult or
Within a secured area, consider further separation of systems based on the
If you can afford to use an electronic lock that keeps an audit trail of who enters and
Alarms can be powerful additions to your security configuration; they give you an unattended way to monitor when someone goes in or out. In the same vein, some sites depend on surveillance cameras that continually record activity in sensitive areas; other sites prefer smaller, less
Access control is important, but so is the environment of the server room. First, when staging systems inside your well-protected room, keep them away from
Notice that I haven t said much about client workstations ”that s because you normally don t have any control or influence over their location. They have to be located where users are. There are some practical tips for securing
Electrical power is another potential source of damage. Because Exchange uses transaction logs, it is relatively likely to survive an
Finally, a word about fire. Large data centers usually have computer-friendly fire suppression systems using Halon or one of its
Access control is only the first layer of defense; it helps keeps your servers from being damaged or compromised by environmental factors or people. However, a second line of defense is necessary; you have to make your hardware physically secure to the extent that you can. This involves protecting the physical integrity of the computer case, protecting
First, be aware of the physical security features that are probably built into your servers, desktops, and laptop computers:
Most desktop systems and
If you re using rack-mounted servers or storage units, their
For desktops and laptops, use cable-type security locks. These locks attach to a small slot in the frame of the computer and anchor it to something large, heavy, or hard to steal. These locks are particularly valuable for laptops or small desktops like the Acer C110 Tablet PC, the HP/Compaq Evo or Sony Vaio series, because the computers can easily be hidden in a briefcase or other container.
Mark your equipment, outside and inside. The U.S. Department of Education suggests using fluorescent paint on the backs of computers and
These measures will help protect your machines against gross physical threats, particularly theft. What about protection against attacks that involve logging on or connecting to computers without authorization? There are some things you can do to protect yourself there, too.
First, and most important, you should use the Syskey utility, which is available in Microsoft Windows NT 4 and later, to secure the local accounts database, local copies of Encrypting File System (EFS) encryption keys, and other valuables that you don t want attackers to have access to. (See Microsoft Knowledge Base article 143475 for more details on setting up Syskey.) Microsoft Windows 2000 and Windows Server 2003 turn Syskey on by default using mode 1, which encrypts the local security accounts manager (SAM) using a key stored in the local machine s registry. This is probably adequate for most servers, but your domain controllers should use one of Syskey s stronger modes:
Syskey mode 2 requires the administrator to type in a passphrase to decrypt the key at boot time. The system key is still stored in the registry, but it can t be decrypted without the passphrase. (Hint: make sure you choose a strong, dictionary-attack-proof passphrase!)
Mode 3 stores the system key on a boot floppy.
Obviously, modes 2 and 3 require some extra care on your part; if the machine reboots and no one is there to type in the passphrase or insert the floppy, it won t be able to come back online. (I m not even going to mention what happens if you leave the floppy in and someone steals the server.) However, the extra hassle is well worth it for critical servers.
In addition to using Syskey, you should consider some additional protective measures for your servers:
Configure the BIOS not to boot from the floppy drive. This makes it harder for an intruder to remove passwords and account data from your system s disks, because the machine won t boot from the floppy without reconfiguration. In some cases, you might want to remove the floppy drive altogether. Many
Always lock your machine when you walk away from it. In less than 30 seconds, an attacker can share the entire contents of your locally mounted
Use EFS to encrypt sensitive folders on your machine. You can t use it to encrypt Exchange data directly, but you can use it to protect configuration documents and other valuables. EFS is simple for end users to configure and use, but there are some fine points to using it in enterprise deployments that are outside the scope of this book. The Microsoft TechNet Web site has plenty of EFS-
If you re worried about data theft, be careful of machines that have removable media drives. CD-RW and writable DVD drives are quite common; even though they re relatively slow, an attacker who can work undisturbed for 10 minutes or so can steal a healthy volume of data.
Since I wrote the first edition of this book, I ve seen an upsurge in the number of people wondering how to protect their servers against attacks involving those little USB memory drives. These devices combine up to 1 GB of NVRAM storage with a USB port; Windows 2000 Server and later versions include drivers, so all you have to do is pop the drive into a USB slot and it appears on the Windows desktop. From a data security standpoint, this is pretty nightmarish. Fortunately, there are a few ways you can attack this problem, although none of them provide ironclad security:
The first, and most obvious, is to physically remove or block the USB ports. A blob of
Use the Devcon utility (available in the Windows driver development kit) to disable the USB class drivers. This is
Set access control lists (ACLs) on the USB device ports to restrict their use to whatever groups of users you want. This has the advantage of not requiring any external software; however, because administrators can take ownership and reset ACLs, this isn t a good way to keep administrators from using these devices.
Laptops are a blessing and a curse: they are now small and powerful enough to allow us to work where we want, when we want. However, their very portability and power makes them dangerous. They re easily damaged and easily stolen, and as more users switch over to using laptops as desktop replacements, the value of data on them is increasing. There is relatively little that you can do to truly secure laptops, because you can t completely protect them against damage or theft. You can, however, increase the security of your laptops by using the measures already discussed in this chapter, particularly EFS encryption and security cables. In addition, remember that not all of the networks your users might connect to are trustworthy; make sure that portable machines have adequate antivirus software and that users are sensitive to the risks of disclosing their account credentials on the road.
If you think laptops pose some troubling security issues, wait until you consider the rapid
Some devices cache passwords. For example, the e-mail application on my Kyocera 7135
The finder might not even need a password! For example, the RIM BlackBerry and Good G100 both allow the device to be used by whomever finds it, at least until the original owner
Let s say you have a Palm Tungsten C or a Toshiba e740, both of which
Most devices don t offer native data encryption. There are several good third-party encryption tools for Windows Mobile and PalmOS devices, but they must be installed and configured, which poses a problem for corporate deployments. The Pointsec survey indicated that about 57 percent of handheld users don t encrypt data on their devices.
Administrators can remotely disable some devices. This is a terrific feature, because it allows the parent of a lost device to remove all its sensitive data remotely. However, it s a little scary to consider the potential risks of allowing an administrator to remotely zap your device; after all, an accidental disablement could leave you in a sticky situation.
Outlook Mobile Access offers a number of security features (described in Chapter 16, Securing Exchange Server Mobility Tools ) to help mitigate these problems, but you should carefully consider the security implications of allowing mobile access with particular devices. It s a good idea to