Contents Overview 1 Lesson: Determining Threats and Analyzing Risks to Physical Resources 2 Lesson: Designing Security for Physical Resources 8 Lab A: Designing Security for Physical Resources 15 Module 5: Creating a Security Design for Physical Resources Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.  2002 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Module 5: Creating a Security Design for Physical Resources iii Instructor Notes In this module, students determine threats and analyze risks to physical resources in an organization. They then learn how to design security for facilities, computers, mobile devices, and hardware. Students will also learn about implementing disaster recovery as a way to protect physical resources. This module focuses on access to and protection of physical resources. Other modules will focus on access to and protection of data. After completing this module, students will be able to:  Determine threats and analyze risks to physical resources.  Design security for physical resources. To teach this module, you need Microsoft ® PowerPoint ® file 2830A_05.ppt. It is recommended that you use PowerPoint version 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides may not be displayed correctly. To prepare for this module:  Read all of the materials for this module.  Complete the practices.  Complete the lab and practice discussing the answers.  Read the additional reading for this module, located under Additional Reading on the Web page on the Student Materials CD.  Visit the Web links that are referenced in the module. Presentation: 60 minutes Lab: 45 minutes Required materials Important Preparation tasks iv Module 5: Creating a Security Design for Physical Resources How to Teach This Module This is the first module that deals with the building phase of the Microsoft Solutions Framework (MSF) mentioned in Module 2, “Creating a Plan for Network Security.” Modules 5 through 11 of this course involve designing security responses to the threats and risks presented in each module. Many IT professionals do not regularly consider the physical nature of their network. Explain to students that they must consider any threat that encroaches upon the perimeter of their network when designing security. Entrances such as doors, windows, and even loading docks all provide attackers with potential entry to their networks. Lesson: Determining Threats and Analyzing Risks to Physical Resources The structure of this lesson, and of this module in general, will be repeated in Modules 5 through 11 of this course. The first lesson deals with threats and risks, the second lesson with designing security responses to those threats and risks. This slide is presented in several other modules. It is not meant as a realistic network, but as a conceptual picture to represent different parts of a network. Use the slide to explain the concepts and as a springboard for conversation. For example, ask students what’s missing. This page is intended simply to give examples of vulnerabilities. To elaborate attacks, draw upon your own experiences. The next page deals with common vulnerabilities, so try not to skip ahead. Explain the threats, but do not discuss how to secure against them. The second lesson in the module covers that topic. Walk students through this exercise, which involves a simple quantitative risk analysis. Ensure that students realize this is a simple exercise to prevent them from becoming distracted by real-world details that were omitted for the sake of brevity, such as depreciation of hardware. Physical Resources to Protect Why Physical Security Is Important Common Threats to Ph ysical Security Practice: Analyzing Risks to Physical Security Module 5: Creating a Security Design for Physical Resources v Lesson: Designing Security for Physical Resources This section describes the instructional methods for teaching this lesson. You can mention threats to radio frequency emanations from monitors and keyboards in the context of physical security. Emphasize that students must ensure that their backup media is secured sufficiently. Also, explain that if students maintain cold spares and facilities, they must ensure that those resources are kept up to date with the latest firmware and other required updates. Answers may vary. Use the security responses that students give to generate classroom discussion. Use this page to review the content of the module. Students can use the checklist as a basic job aid. The phases mentioned on the page are from MSF. Use this page to emphasize that students must perform threat analysis and risk assessment on their own networks for the topic covered in this module, and then they must design security responses to protect the network. Assessment There are assessments for each lesson, located on the Student Materials compact disc. You can use them as pre-assessments to help students identify areas of difficulty, or you can use them as post-assessments to validate learning. Lab A: Designing Security for Physical Resources To begin the lab, open Microsoft Internet Explorer and click the name of the lab. Play the video interviews for students, and then instruct students to begin the lab with their lab partners. Give students approximately 30 minutes to complete this lab, and spend about 15 minutes discussing the lab answers as a class. This module uses Microsoft Visio ® documents to display building information about Contoso Pharmaceutical’s Geneva site. If students in your class are unfamiliar with Visio, spend a few moments explaining how Visio works. Before you conduct the lab, be sure to look at the Visio documents located in the Building Diagrams folder in the lab. Use the answers listed in the Lab section of this module to guide classroom discussion. For general lab suggestions, see the Instructor Notes in Module 2, “Creating a Plan for Network Security.” Those notes contain detailed suggestions for facilitating the lab environment used in this course. Methods for Securing Access to Computers Considerations for Disaster Recover y Practice: Risk and Response Security Policy Checklist Note General lab su ggestions vi Module 5: Creating a Security Design for Physical Resources Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. This module includes only computer-based interactive lab exercises, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization. The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2830A, Designing Security for Microsoft Networks. Lab Setup There are no lab setup requirements that affect replication or customization. Lab Results There are no configuration changes on student computers that affect replication or customization. Important Module 5: Creating a Security Design for Physical Resources 1 Overview ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** In this module, you will determine threats and analyze risks to physical resources in an organization. You will then learn how to design security for facilities, computers, mobile devices, and hardware. You will also learn about implementing disaster recovery as a way to protect physical resources. This module focuses on access to and protection of physical resources. Other modules will focus on access to and protection of data. After completing this module, you will be able to:  Determine threats and analyze risks to physical resources.  Design security for physical resources. Introduction Objectives 2 Module 5: Creating a Security Design for Physical Resources Lesson: Determining Threats and Analyzing Risks to Physical Resources ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** If an attacker can gain access to physical resources, such as computers, buildings, and server closets, he can easily penetrate your network and access your organization’s confidential or secret information. Securing physical access requires diligence and awareness of threats that an attacker can easily perform on unsuspecting employees. After completing this lesson, you will be able to:  Describe physical resources to protect.  Explain why physical security is important.  List threats to physical security. Introduction Lesson objectives Module 5: Creating a Security Design for Physical Resources 3 Physical Resources to Protect ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** The key to securing physical resources is to secure access to those resources. Most of the protection on a computer or network is provided by software. If an attacker can gain physical access to a computer or network, there is generally little stopping the attacker from penetrating your network. You should physically secure access to your organization for:  Buildings.  Secure areas in buildings.  Physical data links.  Hardware. For more information about security, see the white paper, The Ten Immutable Laws of Security, at: http://www.microsoft.com/technet/columns/security/ essays/10imlaws.asp. For more information about physical security, see the white paper, Basic Physical Security, at: http://www.microsoft.com/technet/columns/security/ 5min/5min-203.asp. Key points Additional readin g 4 Module 5: Creating a Security Design for Physical Resources Why Physical Security Is Important ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** Without proper physical security of a building, an external attacker could enter a facility unnoticed, locate an unattended computer, and load a Trojan horse application that sends keystrokes, including passwords, to a location on the Internet. Without proper physical security of a server room, an internal attacker could enter the room and extract an account database from a server by using a boot startup disk or CD. The attacker could then perform a brute force attack on the password hashes in the database and access confidential data from user accounts. External attacker scenario Internal attacker scenario [...]... Creating a Security Design for Physical Resources Lab A: Designing Security for Physical Resources Lab Questions and Answers Answers may vary The following are possible answers 1 What are the potential vulnerabilities to the exterior layout of Contoso’s Geneva research facility and headquarters? Area Vulnerabilities Garbage containers by headquarters (HQ) building Containers are unprotected and adjacent... from natural disasters such as tornados and hurricanes, and disasters caused by people such as unintentional or accidental acts, and intentional acts like vandalism and terrorism To plan for disaster recovery, consider using or maintaining: Off-site storage of backup media Storing backups of your critical data offsite protects your data if a disaster damages or destroys the data at your primary facility... wiring for the building in a common, secure room Mitigate Install physical security in the wiring room for your organization’s network and telephone wiring Mission-critical data servers are located in a secure data center in your organization Mitigate Develop redundant infrastructure for data servers, such as an online facility 14 Module 5: Creating a Security Design for Physical Resources Security. .. An offline facility may comprise access to a business facility where you could restore operations (but not as quickly as at an online facility) Additional reading For more information about disaster recovery, see Data Security and Data Availability in the Administrative Authority – Part 2, at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet /security/ bestprac/bpent/sec3/datasec.asp... of your data link for up to one mile from the location of the access point Or, your organization may share space for data wiring with other organizations, or share entrances and exits to your offices, such as in leased office buildings 6 Module 5: Creating a Security Design for Physical Resources Practice: Analyzing Risks to Physical Security *****************************ILLEGAL FOR NON-TRAINER USE******************************... Task Details Building Create policies and procedures for: Securing facilities Providing additional security for sensitive areas Securing physical access to computers, hardware, and mobile devices Recovering from disasters Module 5: Creating a Security Design for Physical Resources 15 Lab A: Designing Security for Physical Resources *****************************ILLEGAL FOR NON-TRAINER USE******************************... can centrally manage the security level of electronic badges, and you can review detailed access reports In addition to securing entrances and exits of facilities, ensure that you protect access to information inside facilities An internal attacker who finds an unused or forgotten network connection could potentially obtain information about your internal network If data cables are accessible, attackers... Objectives After completing this lab, you will be able to apply security design concepts to physical security of resources Scenario You are a consultant hired by Contoso Pharmaceuticals to help the company design security for its network Each lab uses an interactive application to convey scenario-based information To begin a lab, on the desktop, click Internet Explorer; this opens a Web page that contains... each lab Click a link to begin a lab Estimated time to complete this lab: 45 minutes Work with a lab partner to perform the lab To complete a lab 1 Read Ashley Larson’s e-mail in each lab to determine the goals for the lab 2 Click Reply, and then type your answer to Ashley’s questions 3 Click Send to save your answers to a folder on your desktop 4 Discuss your answers as a class 16 Module 5: Creating. .. can tap into them or attach listening devices that gather network data Not all information is electronic For example, an attacker could read valuable information from whiteboards in conference rooms by looking through windows or entering the room after a meeting has ended Although the probability of this occurring may be low, the cost of erasing the whiteboards is minimal 10 Module 5: Creating a Security . not as quickly as at an online facility). For more information about disaster recovery, see Data Security and Data Availability in the Administrative Authority. The attacker could then perform a brute force attack on the password hashes in the database and access confidential data from user accounts. External attacker