hi ho mate! harrybbb here, author of the purple book
(Windows Small Business Server 2003 Best Practices) and a fellow
Microsoft Small Business Specialist (SBSC). Each
day I am posting up some pages from said book for your
reading plesure until SBS 2008 ships!
Today we discuss physical security from Chapter 5.
enjoy the read…harrybbbb
Harry Brelsford, ceo at smb nation, www.smbnation.com
###
Physical Security and Management Practices
Just when you thought all security was
computer-related in the world of SBS, here comes a paradigm shift
wherein we’ll discuss the real, physical world! The reason
for broader security discussion is to get you to once again leave
the bits behind for a minute and put that business hat back on.
As an SBSer, you can’t help but be involved in business
matters such as physical security and management practices.
Let’s Get Physical!
After reading this section, walk
around your office and see if any of the following don’t
ring true or otherwise apply to you:
•
; Is the server physically secure? Or is it placed in the
open where a large gorilla (or heck, in this day and age, a
guerilla) could swoop it up and ship it to a chop shop.
•
; Lock down time. Locking down the disk and disc drives
(that’s the floppy and CD/DVD variety) can go along way to
preventing the introduction of malware. Don’t forget
USB ports!
Visit www.microsoft.com/technet for
the latest updates for any Microsoft product.
•
; Assuming the server isn’t sitting out in the open
and is placed in a room or closet, are the doors to this area
locked? Who has the keys?
•
; Speaking of key management, how many people have key
access to your office space? Any keys still in the hands of
disgruntled ex-employees?
Management
•
; Is there a written security policy for the use of the SBS
2003 network? Refer to Appendix A for SBS resources, such as the
Yahoo! Groups that include posted documents such as security
policies.
•
; A traditional bookkeeping matter to think about: Are the
company’s business checks secure? There’s nothing
like an employee with a gambling problem writing a check to
stall Bruno, the mob enforcer.
•
; How do you feel about employee background checks?
Remember some of the biggest crooks are the brightest people and
have the most engaging personalities!
•
; Beware of psychological warfare. Kevin Mitznick and Frank
Abagnale, two renowned white-collar criminals, used a form of
social engineering to talk their way into profitable illegal
activities—hacking into computer systems and stealing
money via check fraud respectively. Mitznick would ring an
employee of a company and harvest that person’s user name
and password to then penetrate the company’s networks.
Abagnale used things like wearing pilot uniforms to earn free
flights. Both have written well-received books about their
exploits and the power of social engineering.
BEST PRACTICE: Perhaps you’ve
got a war story about social engineering and psychological
warfare yourself that underscores the power of this penetration
method and its associated security risks. I’ve got a quick
one to share. Traveling home from the WWPC in New Orleans in
October 2003, I used my red press pass badge holder (a conference
badge holder that hangs around your neck) to
Visit www.smbnation.com for additional SMB and SBS
book, newsletter and conference resources.
carry my
passport identification and airline ticket. Once I cleared
security, I stopped in a restaurant for a bite to eat. When it
came time to pay my bill, I received a 10 percent discount
because, with my red badge holder, I was mistaken for being an
airport employee (in a secure area nonetheless) and granted the
employee discount. I took the 10 percent savings and ran and
didn’t further cause mayhem in the secure airport terminal
with my newfound identity! The point is that you or I could
impersonate someone else and gain access and favors we’re
not entitled to. And just try having a firewall service setting
block that attack!
