Physical and Operational Threat Assessment

Because the preceding chapter was all about threat and risk assessment, you d be correct to assume that this chapter starts off by giving you some tools to figure out what level of risk you face from physical and operational threats. Many of these threats will be familiar, as they affect homes and offices equally; some are specific to particular environments.

The most obvious physical threats are those that directly threaten the physical components of a computer. These include damage due to fire, flooding, careless placement of coffee cups or soda cans (the so-called grand latte effect), power surges or dips, and so on. We can loosely refer to these threats as environmental, because most of them stem directly from the physical environment in which the computer is located.

Next come threats from people. These threats can be divided into two primary categories: malicious and nonmalicious. Malicious threats include theft, sabotage , and physical attacks against the integrity of the computer s software or hardware. Nonmalicious threats include accidental damage, improper maintenance, or plain old forgetfulness (as at one customer I visited; they set a blank password on the domain administrator account so that their hardware vendor could build a new cluster for them, but they forgot to change it back later!).

Of these possibilities, the most interesting are probably related to physical integrity attacks. Some potential attacks you might not have thought of include the following:

Surreptitiously booting the machine off a floppy or CD and stealing or modifying valuable data.
Booting with a third-party boot disk that allows changing the local administrator password, then using that account to compromise a trusted domain account.
Installing Trojans or escalating privileges using local exploits against vulnerabilities in the operating system or applications.
Disabling access or audit control systems or tampering with security logs and audit records.
Changing the basic input/output system (BIOS) password so that legitimate administrators don t know what it is. A variant of this attack is to secretly remove the BIOS password altogether.
Using bootable universal serial bus (USB) or FireWire devices ( especially those diabolically clever little thumb- sized USB storage devices) to steal or modify data.
Hooking up unauthorized peripherals, including Web cams, microphones, and keystroke loggers (that s how the FBI eventually bagged traitor Aldrich Ames and organized crime kingpin Nicky Scarfo).

People threats are harder to mitigate against, because a clever attacker can exploit the principles described in Chapter 4, Threats and Risk Assessment, to attack precisely the component you haven t protected at the time you least expect it (or at the time it s most vulnerable). In addition, don t disregard the simple fact that people can be bribed or threatened; if you have extremely valuable or sensitive data, you should keep this in mind as you design your security policies. The good news is that strengthening your access controls will help keep malefactors away from the machines in the first place.

Beefing Up Your Physical Security

Let me begin with a quote from Apple engineer Scott Collins: You should be exactly as paranoid as it is cost-effective to be. Many of the concepts described in this chapter are adopted from publicly available descriptions of the physical security measures used to protect U.S. nuclear weapons. That doesn t mean you need the same level of security. A careful and honest assessment of the risks you face can help you decide how much money you should spend on physical security and where you should apply it. It doesn t make any sense to go out and buy an expensive, high-tech lock for your front door if your back door has no lock at all.

Securing the Environment

The obvious place to start improving your physical security is with the location and environment of your servers. When I say servers, this includes not only your Microsoft Exchange servers, but also your Active Directory domain controllers and global catalogs, certificate authorities, and other computers that provide services to Exchange.

Providing Physical Access Controls

First, consider where your computers are physically located. Are they in secure areas or in public view? Your goal for location security is to put the machines somewhere that is difficult or impossible for unauthorized people to enter. Accordingly, the rooms in which you locate your servers should ideally have one or two solid, lockable , fireproof doors that can be observed from the outside. Don t call attention to your security areas by posting big signs that say This Is a Secure Area or anything similar ”that just highlights targets of interest.

Within a secured area, consider further separation of systems based on the teams that administer them. If you cannot place different classes of systems in different rooms with different access controls, consider cages within the room or locks on racks. This computer-in-a-cage model is common at Internet service providers (ISPs) and hosting companies, because they don t want customer X to have physical access to any other customers machines. You can do the same if your security environment warrants .

If you can afford to use an electronic lock that keeps an audit trail of who enters and leaves the room, and when, so much the better. Consider augmenting this with a time-lapse camera or some other recording device that provides visual records to go along with the lock s audit trail. No matter how you do so, it s important to control who can enter the room. Keep records so that you know who has the key or combination needed to enter the room, and be vigilant about changing the lock or combination at regular intervals and when people on the access list lose their access.

Alarms can be powerful additions to your security configuration; they give you an unattended way to monitor when someone goes in or out. In the same vein, some sites depend on surveillance cameras that continually record activity in sensitive areas; other sites prefer smaller, less intrusive cameras that take snapshots of who s opening and closing access doors.

Environmental Security

Access control is important, but so is the environment of the server room. First, when staging systems inside your well-protected room, keep them away from windows , radiators, water pipes, or other potential sources of damage. Because computers must be maintained within a range of temperature and humidity conditions, in most cases you ll need additional cooling for spaces that have lots of servers, especially if you re using high-density rack-mount systems or storage arrays. Be sure that you have a mechanism in place to protect your hardware if the cooling system fails, particularly in hot climates. Depending on where you live, and where in your building your servers are located, you might want to consider other types of environmental warning systems. For example, if your servers are in the basement , a flood alarm might not be a bad idea; in cold climates, a low- temperature warning can be useful. A dehumidifier might be useful if you re in a damp climate, but be careful: if the air gets too dry, you ll have more static electricity than is healthy for your servers.

Note

Notice that I haven t said much about client workstations ”that s because you normally don t have any control or influence over their location. They have to be located where users are. There are some practical tips for securing user workstations that I cover in Chapter 13, Securing Outlook, and the next section explains some measures that are equally useful for clients and servers.

Electrical power is another potential source of damage. Because Exchange uses transaction logs, it is relatively likely to survive an unplanned power outage without damage to your Exchange data, but why take chances ? Use uninterruptible power supply (UPS) units on all your servers. They re not very expensive, and they provide terrific peace of mind. Make sure that your power is properly conditioned and that you re getting the correct voltage and frequency; if not, call your utility provider. If you live in an area that s prone to severe weather, a whole-building surge suppressor is a valuable addition as protection against lightning-induced power spikes.

Finally, a word about fire. Large data centers usually have computer-friendly fire suppression systems using Halon or one of its replacements (see http://www.halcyon.com/NAFED/HTML/Halonalt.html for a list). These systems, however, are expensive and they require periodic maintenance, so smaller facilities aren t likely to have them. If you re in a small office, you re likely to have fire suppression systems intended to save human lives, but not necessarily to save computer hardware. If you can t get adequate fire suppression, at least be sure to keep good backups in an offsite location, and keep your fire insurance up to date. You can supplement your offsite storage with a fire-rated media vault. Ordinary safes might or might not be fireproof, but they aren t insulated well enough to keep media from melting. Even a media vault will succumb to very hot or long-burning fires, so don t use a vault as your only means of media storage.

Securing Your Hardware

Access control is only the first layer of defense; it helps keeps your servers from being damaged or compromised by environmental factors or people. However, a second line of defense is necessary; you have to make your hardware physically secure to the extent that you can. This involves protecting the physical integrity of the computer case, protecting components from tampering, and reducing the ability of an attacker to gain control over the hardware or data if access control protection doesn t work to keep him or her away.

First, be aware of the physical security features that are probably built into your servers, desktops, and laptop computers:

Most desktop systems and towers have lock attachment points. Use these to physically lock the case to prevent attackers from opening the case and stealing components from the machine or tampering with the motherboard jumpers .
If you re using rack-mounted servers or storage units, their cabinets are almost certainly lockable. Keep them locked, and keep good control over the keys. Bear in mind that most vendors use a small number of different keys, so beware ”lots of other people might already have keys to your server.
For desktops and laptops, use cable-type security locks. These locks attach to a small slot in the frame of the computer and anchor it to something large, heavy, or hard to steal. These locks are particularly valuable for laptops or small desktops like the Acer C110 Tablet PC, the HP/Compaq Evo or Sony Vaio series, because the computers can easily be hidden in a briefcase or other container.
On laptops, turn off the infrared port until you re ready to actually use it.
Mark your equipment, outside and inside. The U.S. Department of Education suggests using fluorescent paint on the backs of computers and monitors , because it can t easily be removed or covered up. This might be overkill, but you should certainly mark equipment in some way that allows you to prove ownership. Put identification inside the case, too, so that you can prove ownership even if a thief covers or removes your external markings .

These measures will help protect your machines against gross physical threats, particularly theft. What about protection against attacks that involve logging on or connecting to computers without authorization? There are some things you can do to protect yourself there, too.

First, and most important, you should use the Syskey utility, which is available in Microsoft Windows NT 4 and later, to secure the local accounts database, local copies of Encrypting File System (EFS) encryption keys, and other valuables that you don t want attackers to have access to. (See Microsoft Knowledge Base article 143475 for more details on setting up Syskey.) Microsoft Windows 2000 and Windows Server 2003 turn Syskey on by default using mode 1, which encrypts the local security accounts manager (SAM) using a key stored in the local machine s registry. This is probably adequate for most servers, but your domain controllers should use one of Syskey s stronger modes:

Syskey mode 2 requires the administrator to type in a passphrase to decrypt the key at boot time. The system key is still stored in the registry, but it can t be decrypted without the passphrase. (Hint: make sure you choose a strong, dictionary-attack-proof passphrase!)
Mode 3 stores the system key on a boot floppy.

Obviously, modes 2 and 3 require some extra care on your part; if the machine reboots and no one is there to type in the passphrase or insert the floppy, it won t be able to come back online. (I m not even going to mention what happens if you leave the floppy in and someone steals the server.) However, the extra hassle is well worth it for critical servers.

In addition to using Syskey, you should consider some additional protective measures for your servers:

Configure the BIOS not to boot from the floppy drive. This makes it harder for an intruder to remove passwords and account data from your system s disks, because the machine won t boot from the floppy without reconfiguration. In some cases, you might want to remove the floppy drive altogether. Many high-security sites remove all removable media drives from their machines.
Always lock your machine when you walk away from it. In less than 30 seconds, an attacker can share the entire contents of your locally mounted volumes ”try it on your own computer to see how long it takes!
Use EFS to encrypt sensitive folders on your machine. You can t use it to encrypt Exchange data directly, but you can use it to protect configuration documents and other valuables. EFS is simple for end users to configure and use, but there are some fine points to using it in enterprise deployments that are outside the scope of this book. The Microsoft TechNet Web site has plenty of EFS- related information, though.
If you re worried about data theft, be careful of machines that have removable media drives. CD-RW and writable DVD drives are quite common; even though they re relatively slow, an attacker who can work undisturbed for 10 minutes or so can steal a healthy volume of data.

Protecting Against USB Drive Attacks

Since I wrote the first edition of this book, I ve seen an upsurge in the number of people wondering how to protect their servers against attacks involving those little USB memory drives. These devices combine up to 1 GB of NVRAM storage with a USB port; Windows 2000 Server and later versions include drivers, so all you have to do is pop the drive into a USB slot and it appears on the Windows desktop. From a data security standpoint, this is pretty nightmarish. Fortunately, there are a few ways you can attack this problem, although none of them provide ironclad security:

The first, and most obvious, is to physically remove or block the USB ports. A blob of epoxy in each port does wonders. Of course, this won t work well if you have servers that are actually using USB peripherals, so clearly it s not for everyone.
Use the Devcon utility (available in the Windows driver development kit) to disable the USB class drivers. This is essentially the same thing as disabling the USB device classes from within Device Manager, but because it s done using the command line, you can do it as part of a logon or startup script. However, users with sufficient privilege can just run Device Manager and tell it to detect new hardware, at which point the USB ports will be available again. Microsoft Knowledge Base article 311272 has information on where to get Devcon and how to use it.
Set access control lists (ACLs) on the USB device ports to restrict their use to whatever groups of users you want. This has the advantage of not requiring any external software; however, because administrators can take ownership and reset ACLs, this isn t a good way to keep administrators from using these devices.

A Few Words About Laptops

Laptops are a blessing and a curse: they are now small and powerful enough to allow us to work where we want, when we want. However, their very portability and power makes them dangerous. They re easily damaged and easily stolen, and as more users switch over to using laptops as desktop replacements, the value of data on them is increasing. There is relatively little that you can do to truly secure laptops, because you can t completely protect them against damage or theft. You can, however, increase the security of your laptops by using the measures already discussed in this chapter, particularly EFS encryption and security cables. In addition, remember that not all of the networks your users might connect to are trustworthy; make sure that portable machines have adequate antivirus software and that users are sensitive to the risks of disclosing their account credentials on the road.

A Few Words About Mobile Devices

If you think laptops pose some troubling security issues, wait until you consider the rapid proliferation of mobile devices. These devices range from the simple ( cell phones enabled with Wireless Access Protocol that can access Microsoft Outlook Mobile Access but have limited local storage) to the powerful (the GoodLink G100, RIM BlackBerry line, or PalmOS and Microsoft Windows Mobile handhelds with near-PC functionality). Because their capabilities vary, so do the amount and kinds of data they store, and so do their security features. It s very important to consider the potential exposure that loss or compromise of these devices could have on your network, because it s very, very easy to lose or drop these devices somewhere that they can easily be found. The London Underground estimates that they find several hundred lost devices per day, and a 2003 survey by consulting company Pointsec indicated that roughly 25 percent of mobile device users have either lost their device or had it stolen! Consider the following:

Some devices cache passwords. For example, the e-mail application on my Kyocera 7135 knows the account password for my Internet Message Access Protocol (IMAP) account; the SonyEricsson T68i series caches Outlook Mobile Access passwords for 24 hours after entry. Let s say you use a T68i to access your Outlook Mobile Access server on Monday as you take the train to work. It falls out of your pocket (easy, considering it s smaller than most candy bars). Someone picks it up. Unless you ve set a power-on password, they ve got free run of your Outlook Mobile Access inbox until the cached password expires . (Of course, devices that don t cache passwords are a hassle to use ”there s that security-versus-convenience trade-off again!)
The finder might not even need a password! For example, the RIM BlackBerry and Good G100 both allow the device to be used by whomever finds it, at least until the original owner tells either the service provider or their Exchange administrator to turn off that particular device s access.
Let s say you have a Palm Tungsten C or a Toshiba e740, both of which incorporate WiFi access. You lose it. Could an attacker who finds it now drive to your office parking lot and surf your corporate network? Probably, if you re like most users of these devices ”people tend to store their network credentials so they don t have to re-enter them.
Most devices don t offer native data encryption. There are several good third-party encryption tools for Windows Mobile and PalmOS devices, but they must be installed and configured, which poses a problem for corporate deployments. The Pointsec survey indicated that about 57 percent of handheld users don t encrypt data on their devices.
Administrators can remotely disable some devices. This is a terrific feature, because it allows the parent of a lost device to remove all its sensitive data remotely. However, it s a little scary to consider the potential risks of allowing an administrator to remotely zap your device; after all, an accidental disablement could leave you in a sticky situation.

Outlook Mobile Access offers a number of security features (described in Chapter 16, Securing Exchange Server Mobility Tools ) to help mitigate these problems, but you should carefully consider the security implications of allowing mobile access with particular devices. It s a good idea to carefully quiz your device vendor about the device s built-in protection and security features (if any) to see how those devices fit into your overall security strategy.