Professional Windows Server 2003 Security: A Technical Reference [Electronic resources] - text version
Roberta Bragg
Physically Secure Domain Controllers


A copy of the domain's Active Directory resides on each domain controller, and therefore the physical security of computers used as domain controllers should be planned and maintained. Although it's easy to insist that all domain controllers exist within the corporate data center, this is not possible in all organizations. Therefore, it's important to consider the possible locations for domain controllers and establish physical security guidelines for each. For many deployments, domain controllers will be located at the main offices of an organization or at its large regional offices where there are established data centers. However, there are other situations where domain controllers may reside at branch offices or offices where establishing a formal data center would be cost prohibitive. All these locations can apply physical security, and guidelines for each are outlined in the following sections. First, however, come the common security guidelines that can be met at any location.

Physical Security for All Domain Controllers


Physical security is the first line of domain controller defense. Physical security includes physical barriers to DC access, securing network infrastructure, providing support and control mechanisms, establishing procedural controls, ensuring a location safe from possible hazardous threats, such as water leakage, excessive heat, and power fluctuation, and securing administrative access and physical security for backups.

Physical Barriers

Physical barriers should secure all domain controller access. All DCs must be kept behind locked doors, and there must be standard policies and procedures that dictate who may enter these locked enclosures, how they may be entered, and how DCs may be accessed. The locked enclosures used for DCs may range from locked racks within a corporate data center, which is itself protected by locked doors, to locked rooms and cabinets in remote branch office locations. In any situation, there is a way to provide this type of conditional access. Even an authorized administrator is required to pass through these barriers. "Establish Security Configuration." In this model, some administrators are given a higher level of privilege than others. Therefore, not all administrators require physical access to DCs. Having a separate lock for DCs ensures that fewer employees, including administrators, have actual physical access to them.


Is Security by Obscurity Worthwhile?


During an internal audit of a large organization's NT network, I examined physical security for domain controllers. All domain controllers were located within the data center. All servers in the data center were identified by a six-digit number that indicated their position as row number followed by rack number and then rack position. No servers were labeled as to use or classification. In short, to locate a specific server, a directory was consulted, and then the server was located by its number.

When queried about providing additional locks for the DCs, the response was that providing obvious symbols of the importance of a server would attract attention to the server and make it the object of a console-based or physical attack. In short, by treating all servers the same, IT management felt that an attack by an employee or contractor made from within the data center would be less likely to succeed because the attacker would not know which systems were most worthy of attack.

This is a false assumption. A data center is not a public place. Sure, if it were penetrated either by force or via social engineering, extra locks on systems would draw attention to them. But the people who are authorized to be in the data center can, by observation or via access to the data center "directory," discover the critical systems.

Unless they have been trained to do so, no one will notice that an unauthorized employee is fooling with a sensitive system. By physically obscuring the identity of these servers, they've only become as ordinary as the rest of the machines when viewed as a whole. An attacker could easily discover which computers are worth spending time to break into. Putting extra locks on sensitive machines that are already protected is a good thing. It provides extra protection in two ways: First, it makes it physically harder for an attacker to breach security, and second, it makes it more obvious that an unauthorized person is working on it.

On the other hand, identification on the network should not be obvious. For example, domain controllers should not be named DC1, DC2, DC3, and so on. When a network includes thousands of computers, giving computers names that mean something attracts undue attention without providing any benefit.

Secure Network Infrastructure

Additional physical network security should be applied to the network infrastructure. If cabling, routers, switches, and other devices are not located in the same locked area with DCs, these items should be provided their own secure location. This location should not be shared with items such as telephony cabling to which outside contractors or consultants require access. For example, a typical configuration is to locate branch office patch panels and network devices in the same wiring closet with telephone switching equipment and cabling provided and serviced by local telephone contractors. Even within larger organizations, these telephony closets may be located throughout the plant to ease configuration and maintenance. If these locations are serviced by non-IT personnel, they should not include network infrastructure devices and cabling plant equipment. Sharing access with other equipment may seem a valid way to provide security. After all, the locked location may have been present when the location was computerized or upgraded. However, though physically secured from casual access, these locations are highly available to outsiders, either authorized telephony contractors or people who may pretend to be them. Because phones are not considered to be sensitive equipment, less attention is paid to them.

Do not allow direct access to DCs from the Internet. Although authentication by DCs may be necessary to provide access to internal sites, access to DCs should be via processes designed and implemented for secure access, such as VPNs, SSL, and RADIUS. Differentiation should be made between employee authentication needs, such as providing employee access to company email or intranet sites via the Internet, and the authentication requirements for public or partner access. In the latter case, you may want to establish a separate forest. If the forest used for public or partner access is compromised, access to the organization's internal forest is still protected. Public or partner access forest DCs should also be physically secured.

Support and Control Mechanisms

In addition to locks, physical security for DCs includes the physical security of DC support and control mechanisms. All domain controllers should be supported by a UPS system for power management and power supply backup. A steady source of power will ensure healthy domain controller operation. The security of Active Directory relies on the healthy operation of all domain controllers. When DCs are unavailable because of lack of power or unclean power, security in the network is reduced. By keeping the UPS systems with the DC in a locked area, the operation of the DC, and thus the security of Active Directory, is enhanced. Removing power to a DC can cause data corruption and may, if done deliberately, be one form of denial-of-service attack. Be sure to calculate power backup needs. UPS systems are not meant for long-term power supply. Generators may be required where critical operations must remain operational even under extreme conditions.

Physical Security Procedural Controls

Specific processes and procedures for any physical access to DCs should be implemented and maintained. This includes items such as logging physical access and requiring documentation on changes to DC location, configuration, backup, and restore. It should also include a requirement for the signature of an authorized administrator before archived backup media is brought back on site or returned from onsite secured storage to the physical domain controller location. The reason for this requirement is that a backup could be accidentally or maliciously restored. Controlling backup media and logging its return from storage will not always prevent its misuse; however, it will help, and it will provide an audit trail (a record of who did what) that might be used if an abuse occurs.

Secure Backup Tapes

Backup procedures should be established and maintained, and the physical management of backup media should be controlled. Procedures to follow include limiting who can check backup media in or out, requiring a secure backup media location on site and off site, and not having backup media physically present unless a backup or restore is being performed. Consider encryption and/or password protection of backup tapes. Another sound practice is to require management authority and signature before backup media is returned on site from offsite storage.

Secure Administrative Access

Secure any remote administrative access. Although a discussion of security for remote access often revolves around logical security structures, such as software-based authentication and authorization, the physical devices and cabling used to provide remote access should also be secured. For example, in a data center, a management network might be established, which is physically separate from the network that provides access to services. This network can be a separate physical network segment that is isolated from clients. At a branch office, an out-of-band management device, such as a dialup modem, can provide remote management that can be physically secured and kept isolated from common access.

Additional security is possible if smart cards or other hardware devices for authentication are required for console access to domain controllers. In addition, the privilege to log on locally to the DC can be restricted to only those administrators authorized to manage and maintain DCs. Require these administrators to use smart cards or other devices when logging on.
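The two controls above, restricting the "Allow log on locally" right on the DC and requiring smart cards for the administrators who hold it, can be checked from the console. The following script is an added example, not code from the book; it assumes a current Windows DC with secedit.exe and the ActiveDirectory PowerShell module (the module postdates Windows Server 2003), and the list of groups treated as acceptable holders of the right is an assumption to tune to your own policy.

```powershell
# Added example (not from the book): audit who holds "Allow log on locally"
# on this domain controller and whether members of Domain Admins are flagged
# to require a smart card for interactive logon.

# Export only the user-rights area of the local security policy to a temp INF.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# The INF lists each right as "SeRightName = *SID,*SID,..." under
# [Privilege Rights]. Pull out SeInteractiveLogonRight and resolve the SIDs.
$line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # keep the raw SID if it cannot be resolved
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Groups allowed console logon on a DC (assumption: Administrators only).
# Anything beyond this list is flagged for review.
$allowed = @('BUILTIN\Administrators')
Write-Host "Allow log on locally on $($env:COMPUTERNAME):"
foreach ($h in $holders) {
    $flag = if ($allowed -contains $h) { 'ok' } else { 'REVIEW' }
    Write-Host ("  {0,-40} {1}" -f $h, $flag)
}

# Second check: every user in Domain Admins should have the
# "Smart card is required for interactive logon" account option set.
Import-Module ActiveDirectory
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties SmartcardLogonRequired |
    Select-Object SamAccountName, SmartcardLogonRequired |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Run it from an elevated prompt on the DC itself; any holder marked REVIEW, or any administrator showing SmartcardLogonRequired as False, is a gap against the guidance in this section.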


Beware Remodeled Offices


Several years ago, as a network administrator for a consulting firm, I often was the first person to arrive at the office in the morning. Like many small companies, we rented office space in a suburban area. One morning, I was in a particular hurry, and traffic had been particularly heavy. An extra room had been rented, and the day before, all servers and the resident domain controller along with the firewall and other equipment had been moved to this more secure location. Everything was OK when I left the night before, but that day, I needed to verify operations and ensure new access and maintenance procedures were in place before anyone else arrived.

I entered the building and quickly headed down the hall. I turned the corner and fell flat on my back. Water seeped into my clothing from soaked carpeting. All I could think of was the safety of the servers, so I got up and carefully and quickly went to the new server room. When I unlocked the server room and opened the door, more water gushed out into the hall. Inside, water was spurting from the opposite wall.

A quick call to building maintenance got the water supply turned off and prevented more water in the room. The day was spent cleaning up the mess. Fortunately, because I arrived early, and because no equipment was directly within range of the leakage, damage was contained to the floor covering and wall. The cause of the leakage was a concealed water pipe. Our new server room had originally been a large maintenance closet, complete with a sink. When it was remodeled, the pipes had not been removed or properly sealed, and thus caused the accident.

It's always a sound practice to examine building blueprints and infrastructure history before creating data centers and server rooms.

Protect from Accidents

DCs should also be protected from building physical plant operations and conditions that might threaten DC operation. DCs should not be near items such as boilers, air conditioner and heating plants, power stations, or storage areas for chemicals, flammables, or hazardous wastes. A problem with the operation of such areas could cause extensive damage to nearby IT operations. Because these areas pose a risk to any organization's ability to function, ensure that DCs and indeed data centers or IT locations are not directly adjacent to, above, or below them.

Protect from Sabotage

Data centers, and thus DCs, should not be located in a place where it might be easy to sabotage them via explosives or another physical activity or accident. For example, if a data center is located on a ground floor next to a poorly secured external area, a truck could be filled with explosives and parked nearby.

Physical Security for Data Center Locations

Corporate data center locations typically house all servers, administrative workstations, cabling plants, and other network infrastructure devices for the main corporation location. Thus, physical security can be applied more easily, and the location can even be designed with this in mind. All domain controllers at this location should be placed within the data center. In addition, if external forests are deployed to manage border networks, such as extranets and other Internet accessible operations, the domain controllers that support these operations should also be housed in the data center.

Where appropriate and possible, larger, separate geographical locations should also have data center operations.

Extreme physical security measures are often possible, practical, and provided by corporate network data centers. A long history of securing sensitive digital-processing systems is often present, and the model is well known and understood. In addition to the physical securing operations described previously, important considerations for data centers include

Locating the data center at the center of the building and away from the location of hazardous materials or operations, such as power plants and chemicals storage.

Providing tiered entry to data center operations. An outer area may be opened to Help Desk or monitoring staff and equipment. A middle area may contain administrative offices and monitoring stations, while a third, inner area contains servers and other hardware and cabling. Additional, separate locked racks are provided for DCs, and a separate "vault" may exist for other specialized servers, such as certification authorities and for securing backup media. Physical access to each area is managed by locks, and administrative procedures require that only authorized personnel have physical access.

Providing sprinkler systems for offices (and fire suppression systems in data centers) and other emergency systems, such as emergency power shutoff switches.

Establishing detailed business continuity plans that specify secure movement of operations to alternative secure physical sites in the event that some disaster prevents the use of the data center for IT operations. The physical security both for the transfer of operations and for securing operations at the other location is specified and tested.



Correctly Label All Physical Controls


In London in 2001, a large data center housing a huge server farm in support of a very large web site was shut down because of inadequate labeling. The informational and e-commerce sites supported by the data center were inaccessible because a data center employee flipped the emergency power shutoff switch.

This particular data center did not provide automatic egress. A card key was required for exiting and entering the facility. One night, a single employee found himself trapped in the data center without his card key. He could not leave the center and was unable to enter locked offices to gain access to a phone. Spotting the large "In case of emergency, pull switch" sign over the power shutoff switch near the door, he wrongly assumed that it would open the door or alert security guards of a problem in the data center. He pulled the switch.

Needless to say, he did attract the attention of security guards, who hastened to investigate when monitors viewing the inside of the data center went dark.

Physical Security for Branch Offices and Small Offices


Branch offices and small offices do not typically provide sophisticated data centers to house servers and DCs. Instead, a locked room may be provided. If this is impossible, a locked cabinet can provide some security. The purpose of a locked location is to provide a strong physical boundary between the DCs and ordinary office operations. This allows access to be restricted. In addition to the problem of providing adequate basic physical separation, branch offices potentially suffer from the lack of dedicated IT personnel. Instead of trained and supervised operators, administrators, and so on, branch offices may have to rely on staff that has other duties and has had very little technical training. Chapter 18, "Auditing."

Use a BIOS password. This can prevent the unauthorized boot of a DC. However, if a BIOS password is implemented, someone must be present to enter the BIOS password when the system reboots or the system will remain offline. If the system is located at a branch office, this may represent an unacceptable situation. Branch offices do not typically have dedicated staff present or available at all hours. Also note that BIOS passwords on most systems can be bypassed using maintenance techniques provided by the hardware manufacturer.

Use additional security offered by syskey password or floppy disk choices. Syskey adds a layer of protection to the AD password database and other security data. It can be further secured by changing its operation to use either an entered password at boot or the insertion of a floppy disk on which a system-generated password exists. When this syskey functionality is used, be sure to physically secure the floppy disk and provide a secure copy off site (perhaps in a bank safety-deposit box), or if the password method is used, secure a copy of the password off site. Like the entry of a BIOS password, when these methods are implemented, someone must be present if the domain controller must be restarted. Another downside to using syskey is that the DC cannot be restarted if the password or floppy disk is lost. Also note that using syskey is not an effective protection from password-cracking applications. Attack code exists that can crack passwords in an offline copy of a syskey-protected password database or extract the password hashes from an online syskey-protected password database. Once extracted, the password hashes can be fed to password-cracking software. Syskey alone cannot be the only defense for a domain controller. However, when coupled with physical security and sound administrative practices, syskey can help resist attacks.

Secure backup media and store off site. The off site storage should not be in unsafe places, such as the trunk of an employee's car. Instead, a useful offsite location for branch office backups may be a bank safety-deposit box or a registered company that specializes in secure offsite media storage.

Audit backup and storage practices. A higher level of attention to backup procedures is often necessary at branch locations. In the data center, backup often becomes part of a carefully maintained list of procedures, and checklists and supervision often ensures this process is followed. However, at branch offices and other sites that lack dedicated staff, it is often neglected.

Restrict network access to DCs. Although it may not be possible to secure DCs on a secured network segment, it is possible to limit external access. No Internet access to DCs or indeed to the branch office network should be allowed. Internet access by branch office employees should be filtered and appropriately restricted and not performed from the DC.

Secure routers, switches, firewalls, proxy servers, and other devices. These items should be in the locked area with the DC or, at the least, in a locked room or closet where access from outsiders is not permitted and access by local employees is restricted.

Use strong passwords for access to DCs, routers, and other devices that provide administrative interfaces. Many network appliances provide default external administrative access. This should be blocked, and default passwords should be changed. Passwords should be different for each administrative account and should not be the same for any two devices.

Use a dialup modem for remote management services. This out-of-band management can isolate external administrative access because a specific phone line can be dedicated to the interface, knowledge of the phone number can be limited, and settings can require dial-back to a limited list of numbers. User ID can be required for call back. Remote access using built-in remote access services can be tuned to use only secure authentication services.

Secure additional services that are added to branch office DCs. Branch offices may require the DC to host additional services such as file and print services. Consider headless operations. When the DC has no monitor, keyboard, or mouse, only remote access can be used to administer the system. This prevents local staff from inadvertently making changes or deleting items. Although it will not prevent a determined attacker, it does make things a bit harder for him. Headless operations have their own challenges, and access to the out-of-band access equipment (such as a modem) must be provided. Headless operation may be acceptable for some sites and unmanageable for others. Although it may be argued that local users shouldn't have the authority to log on to the DC and that a headless server provides no additional advantage, remember that all local users have domain accounts. A small slip in administration or a successful escalation of privilege attack might add them to a group that can log on to the server. The headless server provides defense in depth.

Consider the problem presented for remote management by the need to perform a secure remote restart. This cannot be done via terminal services if the system is not operational because Windows must be running in order to use terminal services. Possibilities include a smart UPS, remote access hardware that is integrated into the server, such as the Compaq RILO or Dell Drac II boards, or video switches that connect to the keyboard and mouse as well as the display and provide services similar to terminal services. Remote management can also be effective at corporate data centers and is often provided by RS 232 or Ethernet connectivity and managed as a separate management network that is isolated from clients.


To use syskey, follow these steps:

1. From a command prompt on the domain controller, enter Syskey.

2. In the popup, note that Encryption Enabled is selected, as shown in Figure 10-1, and click Update. Syskey is enabled by default on Windows 2000 and Windows Server 2003.

Figure 10-1. Starting the syskey utility.

3. On the Startup Key dialog box, as shown in Figure 10-2, either select Password Startup or, in the System Generated Password box, select Store Startup Key on Floppy Disk.

Figure 10-2. Configuring syskey.

4. If Password Startup is selected, enter a password, confirm it, and then click OK. Be sure to record the password and store it in a safe place, apart from the floppy disk. Without the password, you cannot start the server.

5. If Store Startup Key on Floppy Disk is chosen, insert a floppy disk and click OK. Make copies of this disk and secure all copies. This disk must be used when the system is rebooted.
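The syskey dialog records its choice in the registry, which gives an administrator a way to confirm from the data center that branch-office DCs really were switched to password or floppy startup after the steps above. The script below is an added example, not from the book; it assumes the mode is held in the Lsa key's SecureBoot value (1 = key stored on the local system, 2 = password at startup, 3 = key on a floppy disk), that the Remote Registry service is reachable on each DC, and that the DC names are placeholders to replace with your own. Windows 10 and Server 2016 removed syskey, so the value is only meaningful on the older systems this chapter covers.

```powershell
# Added example (not from the book): report which syskey startup mode each DC
# is using and whether it meets the branch-office policy of requiring an
# externally held secret (password or floppy) at boot.

function Get-SyskeyMode {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Assumption: SecureBoot under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    # encodes the mode chosen in the syskey dialog.
    $modes = @{
        1 = 'Startup key stored locally (default)'
        2 = 'Password startup'
        3 = 'Startup key on floppy disk'
    }

    # Read the value remotely through the Remote Registry service.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $lsa   = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $value = if ($lsa) { $lsa.GetValue('SecureBoot') } else { $null }
    } finally {
        $hklm.Close()
    }

    $mode = if ($null -ne $value -and $modes.ContainsKey([int]$value)) {
        $modes[[int]$value]
    } else {
        'Unknown / syskey not present'
    }

    [pscustomobject]@{
        Computer          = $ComputerName
        SecureBoot        = $value
        Mode              = $mode
        MeetsBranchPolicy = ($value -eq 2 -or $value -eq 3)
    }
}

# Constructed list of branch-office DC names; replace with your own.
$branchDCs = @('BRANCH-DC1', 'BRANCH-DC2')

$branchDCs | ForEach-Object { Get-SyskeyMode -ComputerName $_ } |
    Sort-Object Computer |
    Format-Table -AutoSize
```

A DC that reports MeetsBranchPolicy as False is still protected only by the locally stored key, which is the default the steps above are meant to move away from; schedule it for the syskey change while someone who can enter the password or insert the disk is on site.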


As an alternative to requiring local management to manage and support the use of syskey, it is possible to use products, such as Compaq's Remote Insight Lights-Out (RILO) or Dell Remote Access Card III, to transfer the syskey floppy disk image to a remote DC, start the DC, and then delete the remote image. Both of these cards enable additional remote management.

Physical Security for Extranets and Perimeter Networks


The authentication and management infrastructure that is provided by Active Directory can be an essential ingredient for applications that live in perimeter networks and extranets. However, these networks may be best and more securely served by creating a separate forest in the perimeter network. Because no connectivity with or replication to DCs in the corporate internal forest is necessary, if a perimeter network is breached, it cannot be used to directly compromise the internal forest.

Perimeter DCs, however, should be secured within the data center, along with web servers, database servers, and other devices that make up the perimeter network. Place the perimeter network on its own segment and use firewalls and/or packet-filtering routers to protect it from Internet access and to protect the internal network.


Best Practices for DC Physical Security


Consider the following best practices for physically securing DCs:

Place DCs in locked rooms.

Use locking racks or hardware locks on servers.

Require smart cards or biometric or other two-factor authentication for local logon to DCs.

Reduce the number of administrators that can physically access DCs and locally log on to manage them from the console.

Provide adequate power and other physical requirements for DCs.

Consider boot controls such as a BIOS password and syskey for branch office DCs.

Consider headless operation for branch offices.

When access to the corporate network is required for external employees, use VPNs and SSL.

Protect DCs from physical threats such as natural disasters and maintenance accidents.

Remove remote access tools with the exception of terminal services by administrators or other approved and secured remote administration tools.

