The importance of physical security for domain controllers

Your logical and technical security will be wasted if you do not physically secure your DC. This tip will put you on the right path.

No matter how much effort you put into securing a domain controller from a hardware or software perspective, no amount of logical or technical security controls will prevent a security breach if physical access security is not maintained. Physical access security is simply preventing anyone and everyone who does not have specific authorization from being able to gain direct physical proximity to a domain controller.

If someone is able to touch a domain controller, there are numerous vulnerabilities you expose the system to, including:

  • turning off the power or recycling the power
  • booting with a portable OS on a CD or floppy
  • adding or removing hardware components - especially USB, PC card, Firewire and various other devices
  • inserting or removing removable media -- especially writable CDs, USB memory drives, and portable hard drives
  • attempting a direct logon
  • attaching a physical keystroke catcher
  • stealing backup media
  • stealing a component or the entire computer

To maintain physical access control and therefore physical access security over domain controllers or any important or mission critical network system, it must be located in a secured room. A server room, server cage, server closet, or server vault are all common terms referring to a locked room that is secured against intruders. The server room should be accessible from only a single reliably locked door. This means making sure the room cannot be accessed through a window, within the drop ceiling, or through removable or thin wall panels. Entry into the server room should be logged and monitored. A paper trail or audit trail of access must be created in order to be able to reconstruct events surrounding administrative authorized activity. Often this process is automated through the use of security cameras on the entrance door and within the room as well as with electronic locks requiring smart cards or biometrics for authentication and entry.

Many other reputable security sources also recommend removing floppy, CD and DVD drives, disabling all unused ports through CMOS, requiring a boot password, and using SYSKEY as additional mechanisms to provide or improve physical security. However, all of these measures will have little effect if an intruder is able to obtain physical access. They are hindrances, but not outright deterrences. With as little as 15 minutes, most determined attackers can overcome these protections.

Thus, before you deploy a new domain controller, ensure that your facility is providing adequate physical access control. Otherwise, all of your efforts to provide logical and technical security for the DC will be wasted.


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


This was first published in April 2004

Dig deeper on Microsoft Active Directory Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close