5-Minute Security Advisor - Basic Physical Security
|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
It's easy to overlook physical security, especially if you work in a small or home-based business. However, physical security is an extremely important part of keeping your computers and data secure-- if an experienced hacker can just walk up to your machine, it can be compromised in a matter of minutes. That may seem like a remote threat, but there are other risks—like theft, data loss, and physical damage—that make it important to check your physical security posture for holes.
There are three simple principles to follow: keep people away, keep them out, and protect your plumbing.
On This Page
Keeping People Away
Most large corporations maintain very strict control over who can enter their datacenters. They use card key or keypad systems, log books and human security to limit unauthorized access. If you don't have a datacenter, this might seem like overkill—very small companies often tend to have their servers in hallways, reception areas, or other publicly-accessible spaces. Not only does this expose them to malicious attacks, it increases the risk of accidents from spilled coffee, people tripping over cables, and small, curious children.
If at all possible, sensitive servers should be kept behind a locked door, not just a door with a lock, and access should be limited to a select set of trustworthy administrators. Of course, you shouldn't let security concerns override the environmental requirements of your hardware. For instance, locking a server in a closet prevents malicious users from accessing it, but if not adequately ventilated, the computer will overheat and fail, rendering your security concerns pointless.
Of course, your computers aren't the only valuable asset you have: consider the worth of your backup tapes! If you want your backups to be generally useful, you'd better be storing them somewhere that protects them against fire, theft, and spilled diet Coke.
It's a good idea to restrict physical access, and limit potential damage, but someone's got to be able to use the computers—you can't keep everyone away from them. The next layer of a good physical security plan is to limit what can be done with the computers.
Here's a great security feature that costs nothing: lock your computer when you're walking away from it. In Windows NT, Windows 2000, or Windows XP, you only have to quickly hit Ctrl+Alt+Delete, then "k" (the shortcut for the Lock button). A fast-typing attacker can get to your machine and share its disk drives with no passwords in under 10 seconds—but not if the machine's locked!
Action Get in the habit of locking your computer whenever you're away from it.
A corollary to the idea of restricting physical access to the areas where your computers are is to restrict people's access to the computers' components. You can do this with the physical security features built in to your computers. What? You didn't know there were any? Good news: practically every desktop, tower, or laptop computer sold in the last 15 years or so has some useful security features that you can apply to make it harder to attack or steal your computer (or, at worst, to render it useless if stolen); Windows provides a number of useful features too.
Lock the CPU case. Most desktop and tower cases have locking lugs that you can use to keep an intruder from opening the case.
Use a cable-type security lock to keep someone from stealing the whole computer. This is particularly good advice for laptops or small desktops that can easily be hidden inside a backpack or coat.
Configure the BIOS not to boot from the floppy drive. This makes it harder for an intruder to remove passwords and account data from your system's disks.
Consider whether it's worth the expense of using a motion-sensor alarm in the room where the computer's located. (Remember, for home offices, security systems that cover the office area are generally deductible business expenses!)
Use the syskey utility (supported in Windows NT 4.0, Windows 2000, and Windows XP) to secure the local accounts database, local copies of EFS encryption keys, and other valuables that you don't want attackers to have.
Use the Encrypting File System (EFS) to encrypt sensitive folders on your machine. EFS is available for all versions of Windows 2000 and for Windows XP Professional—whether you're using a laptop, desktop, or server, EFS adds an extra layer of protection.
Protect Your Plumbing
Network cabling, hubs and even the external network interface are extremely vulnerable points in a network. An attacker who can attach to your network can steal data in transit or mount attacks against computers on your network—or on other networks! If at all possible, keep hubs and switches behind looked doors or in locked cabinets, run cabling through walls and ceilings to make it harder to tap, and ensure that your external data connection points are kept locked. A few other tips:
If you're using a DSL connection for your home or office computers, make sure the phone company's interface box is locked—if anything happens to its cabling, your DSL service will go away.
If you want to use wireless networking, be sure that you understand the security requirements. In brief, you need to secure your network so that an outside attacker can't intercept your traffic or join your network. The process of setting this up varies according to your wireless hardware vendor, but it's easy to do from Windows XP.
You could spend a great deal of time and effort fortifying the security of your network, only to find that you're vulnerable to an old-school "steal the computer" attack. Beefing up your physical security is easy, and it doesn't have to be expensive, especially compared to the security benefits it brings.