Physical Security: The Final Frontier

Many people think of computer security as something that involves bits, bytes, and passwords. You might not think much about a more elementary level of security: the physical security and integrity of your Exchange Server systems and your Outlook client workstations. Dismissing physical security as someone else's problem is easy but foolish: If an attacker gets unrestricted physical access to your computer, it won't be "your" computer much longer. Fortunately, you can take simple steps to make your systems more secure.

Begin by taking a good look at your building's physical security. Can just anyone get in? Is there an alarm? How about fire protection? Is the cooling system adequate for the number of machines you have? These questions might seem obvious (even dumb), but answering them will help you take inventory of your site's physical-security posture.

Next, take a look at your Exchange servers. Are the servers in a separate room-—as they should be--or do they sit next to or under someone's desk? If the machines are in a separate room, make sure the room has a locking door. Depending on the value of your hardware, a simple lock might not be adequate; a combination or cipher lock might be more useful. Restrict who gets the key, combination, or code. Permit only those whose jobs require access to enter the server room (or server closet).

What about the machines themselves? If you're using a server rack, it probably has a lockable door--use it. If you have standalone servers with locking hasps, lock the server cases to prevent miscreants from tampering with or stealing internal components or even the entire system. Most machines contain some amount of sensitive data, so consider removing or disabling any drives that could be used to write data to removable media, including 3.5" drives. Set BIOS and power-on passwords.

These steps apply to desktop workstations, too. Much of your organization's most valuable data probably exists on these machines (a reason to consider regular backups as an additional security measure). Also encourage users to use the Windows Security dialog box (they simply press Ctrl+Alt+Delete to access it) to lock their workstations when they leave their desks. An unattended, unlocked workstation is an open invitation to data theft and compromise.

Laptops are somewhat more difficult to secure physically because they're designed to move around. I know of several high-ranking Microsoft and Hewlett-Packard (HP) employees whose unsecured laptops were stolen from their offices, so no one is immune to laptop theft. Buy some cable locks, and teach people to use them. And make sure users take advantage of Encrypting File System (EFS), which ships with Windows XP and Windows 2000, to secure crucial data.

Finally, investigate and use the Syskey utility on all your machines. Attackers often target systems from which they can harvest local account information, but Syskey effectively prevents this type of attack. Syskey is turned on by default in XP and Win2K, and you can enable it manually in Windows NT 4.0 Service Pack 3 (SP3) and later.

None of these steps, other than purchasing locks, costs money. The trick is to use built-in security features to the maximum. Of course, you can do a lot more to beef up physical security, including adding appropriate surveillance and auditing equipment and improving environmental protection (e.g., heating, cooling, fire suppression) measures (see the URL below for some other physical-security suggestions). However, high-end "gates, guards, and guns" measures aren't necessary for most sites. The simple steps I've described will help ensure that your Exchange servers and client systems are (physically) there when you need them.

"Computer Room Fortress"

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.