It's easy to overlook physical security, especially if
you own a small or medium sized business. However, physical security is an
extremely important part of keeping your computers and data secure-- if an
experienced hacker can just walk up to your machine, it can be compromised in
a matter of minutes. That may seem like a remote threat, but there are other
risks—like theft, data loss, and physical damage—that make it important to
check your physical security posture for holes.
There are three simple principles to follow: keep people away, keep them out,
and protect your plumbing.
Let us help you find the right mix between usability
and security.
Following are a few thoughts on some of the measures you could implement:
Keeping People Away
Keep Out!
Protect Your Plumbing
Keeping People Away
Most large corporations maintain very strict control over who can enter their
datacenters. They use card key or keypad systems, log books and human security
to limit unauthorized access. If you don't have a datacenter, this might seem
like overkill—very small companies often tend to have their servers in
hallways, reception areas, or other publicly-accessible spaces. Not only does
this expose them to malicious attacks, it increases the risk of accidents from
spilled coffee, people tripping over cables, and small, curious children.
If at all possible, sensitive servers should be kept behind a locked door, not
just a door with a lock, and access should be limited to a select set of
trustworthy administrators. Of course, you shouldn't let security concerns
override the environmental requirements of your hardware. For instance,
locking a server in a closet prevents malicious users from accessing it, but
if not adequately ventilated, the computer will overheat and fail, rendering
your security concerns pointless.
Of course, your computers aren't the only valuable asset you have: consider
the worth of your backup tapes! If you want your backups to be generally
useful, you'd better be storing them somewhere that protects them against
fire, theft, and spilled diet Coke.
Keep Out!
It's a good idea to restrict physical access, and limit potential damage, but
someone's got to be able to use the computers—you can't keep everyone away
from them. The next layer of a good physical security plan is to limit what
can be done with the computers.
Here's a great security feature that costs nothing: lock your computer when
you're walking away from it. In Windows NT, Windows 2000, or Windows XP, you
only have to quickly hit Ctrl+Alt+Delete, then "k" (the shortcut for the Lock
button). A fast-typing attacker can get to your machine and share its disk
drives with no passwords in under 10 seconds—but not if the machine's locked!
Get in the habit of locking your computer whenever you're away from it.
A corollary to the idea of restricting physical access to the areas where your
computers are is to restrict people's access to the computers' components. You
can do this with the physical security features built in to your computers.
What? You didn't know there were any? Good news: practically every desktop,
tower, or laptop computer sold in the last 15 years or so has some useful
security features that you can apply to make it harder to attack or steal your
computer (or, at worst, to render it useless if stolen); Windows provides a
number of useful features too.
• Lock the CPU case. Most desktop and tower cases have locking lugs that you
can use to keep an intruder from opening the case.
• Use a cable-type security lock to keep someone from stealing the whole
computer. This is particularly good advice for laptops or small desktops that
can easily be hidden inside a backpack or coat.
• Configure the BIOS not to boot from the floppy drive. This makes it harder
for an intruder to remove passwords and account data from your system's disks.
• Consider whether it's worth the expense of using a motion-sensor alarm in
the room where the computer's located.
• Use the syskey utility to secure the local accounts database, local copies
of EFS encryption keys, and other valuables that you don't want attackers to
have.
• Use the Encrypting File System (EFS) to encrypt sensitive folders on your
machine. EFS is available for all versions of Windows 2000 and for Windows XP
Professional—whether you're using a laptop, desktop, or server, EFS adds an
extra layer of protection.
Protect Your Plumbing
Network cabling, hubs and even the external network interface are extremely
vulnerable points in a network. An attacker who can attach to your network can
steal data in transit or mount attacks against computers on your network—or on
other networks! If at all possible, keep hubs and switches behind looked doors
or in locked cabinets, run cabling through walls and ceilings to make it
harder to tap, and ensure that your external data connection points are kept
locked. A few other tips:
• If you're using a DSL connection for your home or office computers, make
sure the phone company's interface box is locked—if anything happens to its
cabling, your DSL service will go away.
• If you want to use wireless networking, be sure that you understand the
security requirements. In brief, you need to secure your network so that an
outside attacker can't intercept your traffic or join your network. The
process of setting this up varies according to your wireless hardware vendor,
but it's easy to do from Windows XP.
Wrapping Up
You could spend a great deal of time and effort fortifying the security of
your network, only to find that you're vulnerable to an old-school "steal the
computer" attack. Beefing up your physical security is easy, and it doesn't
have to be expensive, especially compared to the security benefits it brings
_90x45.jpg){kind=small}
