No matter how much effort you put into securing a domain controller from a hardware or software perspective, no amount of logical or technical security controls will prevent a security breach if physical access security is not maintained. Physical access security is simply preventing anyone and everyone who does not have specific authorization from being able to gain direct physical proximity to a domain controller.
If someone is able to physically touch a domain controller, the system is exposed to numerous threats, including:
- turning off the power or recycling the power
- booting with a portable OS on a CD or floppy
- adding or removing hardware components, especially USB, PC card, FireWire and various other devices
- inserting or removing removable media, especially writable CDs, USB memory drives, and portable hard drives
- attempting a direct logon
- attaching a physical keystroke catcher
- stealing backup media
- stealing a component or the entire computer
To maintain physical access control, and therefore physical access security, over domain controllers or any other important or mission-critical network system, the system must be located in a secured room. A server room, server cage, server closet, or server vault are all common terms for a locked room that is secured against intruders. The server room should be accessible only through a single, reliably locked door. This means making sure the room cannot be accessed through
Many other reputable security sources also recommend removing floppy, CD and DVD drives, disabling all unused ports through CMOS, requiring a boot password, and using SYSKEY as additional mechanisms to provide or improve physical security. However, all of these measures will have little effect if an intruder is able to obtain physical access. They are hindrances, but not outright deterrents. With as little as 15 minutes, most determined attackers can overcome these protections.
Thus, before you deploy a new domain controller, ensure that your facility provides adequate physical access control. Otherwise, all of your efforts to provide logical and technical security for the DC will be wasted.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in April 2004