No matter how much effort you put into securing a domain controller from a hardware or software perspective, no amount of logical or technical security controls will prevent a security breach if physical access security is not maintained. Physical access security is simply preventing anyone and everyone who does not have specific authorization from being able to gain direct physical proximity to a domain controller.
If someone is able to touch a domain controller, there are numerous vulnerabilities you expose the system to, including:
- turning off the power or recycling the power
- booting with a portable OS on a CD or floppy
- adding or removing hardware components -- especially USB, PC Card, FireWire and various other devices
- inserting or removing removable media -- especially writable CDs, USB memory drives, and portable hard drives
- attempting a direct logon
- attaching a physical keystroke catcher
- stealing backup media
- stealing a component or the entire computer
To maintain physical access control, and therefore physical access security, over domain controllers or any other important or mission-critical network system, the system must be located in a secured room. Server room, server cage, server closet, and server vault are all common terms for a locked room that is secured against intruders. The server room should be accessible only through a single, reliably locked door. This means making sure the room cannot be entered through a window, through the drop ceiling, or through removable or thin wall panels. Entry into the server room should be logged and monitored. A paper trail or audit trail of access must be created so that the events surrounding authorized administrative activity can be reconstructed. This process is often automated with security cameras on the entrance door and within the room, together with electronic locks that require smart cards or biometrics for authentication and entry.
Many other reputable security sources also recommend removing floppy, CD and DVD drives, disabling all unused ports in the CMOS setup, requiring a boot password, and using SYSKEY as additional mechanisms to provide or improve physical security. However, all of these measures will have little effect if an intruder is able to obtain physical access. They are hindrances, not outright deterrents. With as little as 15 minutes, most determined attackers can overcome these protections.
Thus, before you deploy a new domain controller, ensure that your facility provides adequate physical access control. Otherwise, all of your efforts to provide logical and technical security for the DC will be wasted.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.