98-367 Chapter Nine

Chapter 9: Understanding Physical Security

Topics Covered:

  • Comparing site security and computer security
  • Using Group Policy to enhance computer security
  • Exploring mobile device security

Comparing Site Security and Computer Security

Physical security includes all the elements used to protect facilities and IT resources. It is considered in two contexts:

  • Site Security: All the elements used to control movement within an organization; it starts at the property line.
  • Computer Security: All the elements used to protect IT resources.

####### Understanding the Importance of Physical Security

“If an attacker has unrestricted physical access to a system, the attacker owns it”

An attacker with such access could:

  • Reset the Administrator Password
  • Install Unauthorized Software
  • Steal the system
  • Physically damage the system
  • Modify data
  • Steal data

####### Controlling Physical Access

It is important to have layers of physical security, such as perimeter fences, lobby checkpoints and restricted server rooms.

Proximity cards are small cards with embedded data that identifies the carrier; when placed next to a reader, they
can grant access. With these cards, times of entry and exit can be recorded and audited.

Tailgating: following an authorized user into a facility. Many people will hold the door for others to be polite. Mantraps
help prevent tailgating. Turnstiles serve a similar purpose. Proximity card readers can be programmed to allow only certain
employees, such as IT staff, into server rooms.

####### Using Switches Instead of Hubs

A hub sends data to all connections; a switch sends data only to the destination MAC address, which is more secure. An attacker
sniffing a hub can see all traffic; that is not so on a switch.

Using Group Policy to Enhance Computer Security

Group Policy can be used to set restrictions on which devices can be used with computers (USB, DVD drives, etc.). Group Policy can also
enhance physical security.

####### Understanding Default GPOs

An OU (Organizational Unit) is a type of Active Directory object that can organize other objects within it.

Every domain has two default GPOs:

  • Default Domain Policy: Linked to the domain and applies to all users and computers in the domain; includes several default settings.
  • Default Domain Controllers Policy: Linked to the Domain Controllers OU and applies to all domain controllers in the OU. When a server
    is promoted to a domain controller, it is added to this OU.

####### Designing OUs and GPOs to Manage Users and Computers

You can create OUs in a domain, organize objects in the OUs you create, and create additional GPOs to manage the users and computers in
these OUs.

  • The Default Domain Policy is applied to the domain.
  • The Default Domain Controllers Policy is applied to the Domain Controllers OU.
  • A Server Security GPO may be applied to a Servers OU, a Sales GPO may be applied to a Sales OU, etc.

How to set this up:

  • Create an OU
  • Move Active Directory objects into the OU
  • Create and link the GPO
  • Configure the GPO

####### Understanding Security Settings in a GPO

Most GPO settings apply when a GPO is linked to any OU, but there are some exceptions:

  • Account Policies (Password Policy, Account Lockout, Kerberos) are applied only at the domain level.

You can still modify these Account Policy settings in a GPO and link the GPO to an OU; however, the settings are not applied
to any domain accounts unless the GPO is linked at the domain level. Server 2008 has Password Settings Objects that can be applied
to an administrators group to enhance the password policy.
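
The Password Settings Object exception described above, as an added PowerShell example (not part of the original notes). The group name `IT-Admins`, the PSO name and every value other than the 15-character minimum are assumptions; it requires the ActiveDirectory module and a domain at the Server 2008 functional level or later.

```powershell
# Added example: 'IT-Admins' and 'PSO-IT-Admins' are hypothetical names.
Import-Module ActiveDirectory

$group   = 'IT-Admins'       # assumed global security group holding the IT administrators
$psoName = 'PSO-IT-Admins'   # assumed name for the new Password Settings Object

# The password policy every domain account receives comes from a GPO
# linked at the domain level; show it as the baseline.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold

# Create a stricter PSO instead of editing Password Policy in an OU-linked GPO,
# which would be ignored for domain accounts.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' `
    -LockoutObservationWindow '00:30:00' -ReversibleEncryptionEnabled $false

# PSOs are applied to users or global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify: report which policy actually wins for each member of the group.
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        New-Object PSObject -Property @{
            User      = $_.SamAccountName
            Policy    = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            MinLength = if ($pso) { $pso.MinPasswordLength } else { $null }
        }
    }
```

A member that still reports `Default Domain Policy` is not covered by the PSO, which usually means the account is not in the group the PSO was applied to.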

####### Disabling Log On Locally with Group Policy

By default, users in a domain can log on to any domain computer except domain controllers.

  • Log on locally: a user sitting at the computer and logging on at the console.
  • The Local Security Policy tool affects only the local computer; a GPO applies across a domain or OU.

  • Allow Log On Locally: Identifies specific users and groups that are allowed to log on.
  • Deny Log On Locally: Identifies specific users and groups that are blocked from logging on to the system. Deny takes precedence.
    By default, only Admins are allowed to log on to domain controllers.

Things are easier to manage when permissions are assigned to groups, and people are then added to and removed from those groups.

####### Controlling Removable Storage Access with Group Policy

Group Policy can control the capabilities of removable devices and drives. It has the following settings:

  • Time (In Seconds) To Force Reboot: Settings are not applied until the system reboots; this policy sets the time after which a reboot is forced
    once settings are changed.
  • CD and DVD: Controls all CD/DVD drives, both internal and external.
  • Custom Classes: Identifies a specific device using a globally unique identifier (GUID); for example, to deny a specific type of flash drive.
  • Floppy Drives: Most systems no longer include them; this policy also covers external floppy drives.
  • Removable Disks: Any external drive connected via USB or FireWire, including hard disk drives and flash drives.
  • Tape Drives: Internal and external tape drives.
  • WPD Devices: Windows Portable Devices such as media players, smart phones, etc.
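
The four setup steps listed earlier (create an OU, move objects, create and link a GPO, configure it), carried through with the Removable Disks setting above as the configuration step. This is an added PowerShell example, not part of the original notes: the OU name, GPO name and `KIOSK-*` computer naming pattern are assumptions, and it requires the ActiveDirectory and GroupPolicy modules.

```powershell
# Added example: OU name, GPO name and computer name pattern are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Kiosks'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Kiosk Removable Storage'

# 1. Create the OU (skip if it already exists at the domain root).
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
    -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 2. Move the computer objects that should receive the policy into the OU.
Get-ADComputer -Filter "Name -like 'KIOSK-*'" |
    Move-ADObject -TargetPath $ouDn

# 3. Create the GPO and link it to the OU.
New-GPO -Name $gpoName -Comment 'Blocks removable disks on kiosk PCs' |
    New-GPLink -Target $ouDn -LinkEnabled Yes

# 4. Configure the GPO. These are the registry values behind the
#    "Removable Disks: Deny read/write access" policy settings; the GUID is
#    the device class for removable disks.
$key = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices' +
       '\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
foreach ($value in 'Deny_Read', 'Deny_Write') {
    Set-GPRegistryValue -Name $gpoName -Key $key `
        -ValueName $value -Type DWord -Value 1 | Out-Null
}

# Verify the link and the configured values.
(Get-GPInheritance -Target $ouDn).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
Get-GPRegistryValue -Name $gpoName -Key $key |
    Select-Object ValueName, Value
```

Because the setting lives under a computer (HKLM) policy key, it follows the computer objects moved into the OU, not the users who log on to them.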

Exploring Mobile Device Security

Mobile devices hold a lot of personal information, so it is important to secure them. A simple first step
is to password-protect them. Antivirus software can now be installed on most phones.

####### Protecting Mobile Devices Against Malware

Malware is now appearing on phones, which can do most of what computers can do. Infection can occur via a website, a mail attachment, etc.

####### Minimizing Risks with Bluetooth Devices

Bluetooth devices connect via a process called pairing; to pair, both devices must be in “discovery” mode.
After connecting, discovery mode should be turned off.

  • Bluesnarfing: unauthorized access of information on a Bluetooth device.
  • Bluejacking: hijacks and sends messages, emails, etc.

Chapter Review Questions:

  1. Of the following choices, what can be used to prevent tailgating?
    a. Cipher lock
    b. Proximity Card
    c. Mantrap
    d. Cameras
  2. You want to improve basic security with network devices. Which of the following steps can you take?
    a. Replace all hubs with switches
    b. Replace all switches with hubs
    c. Replace all routers with switches
    d. Replace all switches with routers
  3. True or false: You can create GPOs, modify their settings, link a GPO to an OU and manage all users and computers in the OU with the GPO settings.
  4. True or false: The Default Domain Controllers policy applies to all users and computers in the domain.
  5. You want to restrict which computers a user can log on to. What Group Policy setting should you configure?
  6. You have modified the Password Policy settings for a GPO so that passwords must be at least 15 characters long. You have linked the GPO to an OU
    named IT, which includes administrators working in the IT department. What is the effect on these administrators?
    a. Unable to determine
    b. The administrators are required to have a password 15 characters long
    c. This policy is ignored because only a password policy linked to the domain will be used.
    d. None. Group Policy settings do not apply to administrators
  7. A user named Joe is in the Administrators group. The Administrators group is added to the Allow Log On Locally Group Policy setting
    for a server. Joe’s account has been added to the Deny Log On Locally setting for this server. What is the effect for Joe?
    a. Unable to determine
    b. Joe is unable to log on because deny takes precedence
    c. Joe is able to log on because he is in the Administrators group
    d. Joe is able to log on locally, because he can’t log on remotely
  8. True or false: You can restrict access to removable devices with Group Policy
  9. What can be done to protect mobile devices such as mobile phones? (Choose all that apply)
    a. Password-protect them
    b. Install antivirus software
    c. Enable discovery mode
    d. Add Internet Access


Answers:

  1. C
  2. A
  3. True
  4. False
  5. Allow Log On Locally
  6. C
  7. B
  8. True
  9. A, B

Relevant sections of Certification Exam