Until about a year and a half ago, my DC and my member server were in an office location that had no lock, other than the lock on the front door of the building.

Sometimes in small businesses, the same "best practices" that big server land takes for granted are deemed acceptable by us based on the risks.

I now have a lock and a deadbolt on that office, but in order to do that I had to get a small ductless air conditioner. Granted, any one of those 20 folks could take an admin password reset disk and "own" the box... but those 20 employees also have to have a bad egg in the lot.

Law three of computer security means I own the box.

If I want to break that lock... there's a chance I can do that as well (my server has a locked floppy drive, but I'll bet if I wanted to rip the front panel off I could if I wanted to).

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true

Does this server have to be physically in this location? Can it go into a colo?

Robinson, Chuck wrote:

The following article might help.
http://www.insurancejournal.com/news/national/2006/06/20/69691.htm


Chuck Robinson, MCSE: Messaging, VCP, Senior Solutions Consultant
EMC Microsoft Practice
tel 732-321-3644 xt.45, mobile 973-865-0394, fax 732-321-6855 email: [EMAIL PROTECTED]


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Larry Wahlers
Sent: Wednesday, June 28, 2006 10:29 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Ammunition, please!

I am being asked to install a single server in a remote location (about 20 
miles from here, 20 users) that will be a DC for our entire network, running 
DHCP and DNS, acting as a file server and print server for this remote 
location. And, this server will be in an unlocked rack in a semi-public area 
where literally anyone could gain physical access to the box. At the very 
least, the 20 employees will be walking past it every day.

There are many red flags about this scenario. I can think of a few. But, what I need is 
documentation from an *external* source that tells management just how bad an idea this 
is. After all, they won't believe me, but they might believe an "expert."

At the very least, I would want the rack in which this server is placed to be 
locked 24/7. Better would be a locked room.

All help welcomed with many thanks.
--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


--
Letting your vendors set your risk analysis these days? http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs
