Physical security is often overlooked. Additionally, tools designed to audit potential abuse are often not used. In this article, we will examine issues and recommendations associated with computer system physical security and auditing. The text is extracted from our book, The Ultimate Windows 2000 System Administrator's Guide (Addison Wesley, 2000). Although some of the text is focused on Microsoft enterprise environments, the principles broadly address other operating system environments.
The importance of physical security cannot be understated because it ranges from issues of outright theft of a system or key storage component to intervention with the boot drive during startup. Let's consider several common physical security threat scenarios.
Backups and Restoration Security
An organization's philosophy of network security can vary greatly. Data integrity is not commonly viewed as a security issue, but maintaining system and data backup is fundamental. Securing valuable information through regular backups is the best defense against a natural disaster, a runaway virus, or a hack job.
When implementing a backup policy, don't forget to also secure the backup media. For example, if you regularly back up critical data files and then tuck media away in an unsecured desk drawer, you are inviting theft. At a minimum, store backup media in a secure environment. It is also recommended that a second set of backup media be periodically archived in a secure remote location.
Theft of Systems or Storage Media
At a minimum, efforts must be taken to physically lock down domain controllers and member servers. As powerful systems come packed in lighter and more portable footprints, the ability to take important services out the door without detection becomes increasingly easy.
Theft of critical media is just as easy. If unmonitored access is provided to a critical system such as a domain controller, it is really no effort to open the cover and pull a hard drive. Your physical data is out the door and in the hands of a hacker in just a few minutes.
Physical Access to the Boot CD-ROM and Floppy Drives
Let's consider another hardware-based scenario. Physical access to a floppy drive or CD-ROM on a domain controller or member server during the booting process invites intrusion. For the most malicious, it is obviously possible to use boot disks to completely erase all data or to get system access. With FAT-based Windows 2000 installations, the boot can also be used to gain direct access to files contained on the drive. All the invader has to do is abort the install process and revert to a DOS prompt. Even easier is simply booting directly from MS-DOS. Although native NTFS was designed to prevent intrusion, the same type of utilities that plagued Windows NT, such as ntdos.exe, will undoubtedly surface for Windows 2000.
General Physical Security Solutions
To prevent this type of serious damage, it is recommended that domain controllers and member servers be physically locked in a server room or (minimally) fit with locking devices. Also, use passwords to protect BIOS settings, which eliminate floppy and CD booting. If the BIOS password is not supplied, settings cannot be modified, and thus attempts to boot floppies or CD-ROMs can be denied.
Many CD-ROMs come with an auto-run function, which allows a virus to be executed or copied onto a hard drive without visibility. Turning off this feature is recommended. Using the Registry Editor, move to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControllerSet\Services\CDROM key. Right-click on Autorun REG_Word, and select Modify. Set the value to 0.
Another common-sense security action is placing critical systems and media in an environment that is not likely to experience water damage. For example, if a pipe breaks over the weekend that results in even a few inches of water, a floor-standing server could be damaged, as well as its data.
Dual-Boot Environment Issues
Installing more than one bootable operating system on a machine can breach security. Even NTFS partitions are vulnerable to the Administrator account being accessed through a secondary operating system. If another operating system is booted, permissions set from the original are useless.