Anyone knows that losing a password is a horrible feeling. Even more so when it is for a server.
In this tutorial video, I step you through the process of recovering the local administrator password on a Server 2008 R2 system (Note: This is an old video – this product does work with newer versions of Windows Server). A process that can be completed in under a minute, saving you both time and money.
Disclaimer: I need to point out that Passware does not sponsor me in any way. However, this document does contain some affiliate links.
PassWare WinKey Business: Product Page
Are you protected?
‘Hmm, this is all well and good,’ you might say, ‘But how do I prevent someone from breaking into my servers?’
Over a decade ago, the answer was always, ensure that your servers are physically secure. Now with out-of-band management options and virtualization, that attack platform has grown significantly.
First, let’s cover the physical aspects. Here are some common questions to ask yourself.
Is your server in a locked room?
I have seen a lot of servers left out in the middle of an office setting, under someone’s desk, or tucked next to the cubicle plant. A dedicated space provides not only adequate cooling and power but also the necessary security. Hollywood often paints this picture that data is stolen through the firewall by some teenager wanting to play Global Thermonuclear War. Often overlooked is the disgruntled employee, or some guy claiming to be from your I.T. department. So server rooms are essential.
Who can access the server room?
A server room is only secure as its weakest point. There are a lot of server rooms out there that have been left unlocked. I have met them.
An unlocked server room cannot be controlled. So you need to find a way to control access. Traditional key locks are okay. But it doesn’t take much to get these duplicated at your local hardware store. Nor does it give you any form of reporting as to who is using those keys.
Key card systems are better as they are generally not easy to duplicate. Often the readers can report back whose card has been used and on what time of day. But cards can be lost or stolen.
Biometrics is a better option as fingerprints cannot be forged (well except in spy movies). I would hope that fingers and thumbs are not misplaced or stolen.
Like any security mechanism, a multi-tiered approach can definitely help.
How is the server room constructed?
Biometrics might control your door access. But if your server room is constructed out of drywall, windows, or has a conventional drop ceiling or crawlspace with the rest of the office, that door access control might turn into an effortless obstacle.
Piggybacking might also be an issue. This is where someone without access follows someone with access to the server room. At this point, locked racks are the best option. Locked racks can also work in a shared office space where a dedicated room is not possible. A locked rack is a great deterrent.
Are the servers locked?
A lockable bezel is another excellent option. The plastic bezels seem like they could be broken. A server with a metal front plate is a bonus. But we need to see what that bezel prevents access to.
A decade ago, it was quite commonplace to see an opening on a server for a tape slot. That is nice and convenient, but it doesn’t lend itself to security. Many data breaches occur due to lost backup tapes.
Hopefully, your server’s front panel covers everything, including the power button, optical drive, and USB ports. In my video, I was using a CD to boot into WinKey. But they also have a USB stick option. So, if I can force your server to restart and get a USB key plugged in, your server is hacked.
That brings us to the rear of the server—lots of USB ports back there. And pulling the power cord will force a reboot. The only real option at this point is a lockable back door on a rack.
Is their local console access?
If you have a KVM switch that requires password entry then that is just one more deterrent. Restricting access to the video and USB ports on the back of the server is a must though as technically a hacker could bypass your KVM.
Out of Band Access
Out of band management has become quite prevalent as it has matured. Products such as HP iLO (Integrated Lights Out) and Dell RAC (Remote Access Controller) allows administrators to have remote access to a server as if they were sitting right next to the console.
Administrators can power on the server, or, hard boot them. Administrators can even mount virtual CDs/DVDs and remote boot the servers from an ISO image. This creates a whole new challenge as it extends the physical attack surface out onto the network.
This opens a whole new set of questions.
Are you using complex passwords?
Hopefully, there is a policy already in your network for privileged accounts. You need to make your out-of-band access accounts contain as many characters as possible. Likely, you will only need to use these tools when troubleshooting an unresponsive server or to perform the remote deployment. So a password with 13+ characters shouldn’t be too cumbersome. Also, you need to make sure you are using a combination of uppers, lowers, numbers, and special characters.
Is access restricted?
Sometimes a server comes with a shared out-of-band management port with a buy-up option to a dedicated port. I would always recommend getting a dedicated port. This makes it easier to then plug that port into its dedicated management network or VLAN. From there, you can then control access onto that management network with access control lists.
Protecting Virtual Servers
Another extension of the physical attack plane is virtualization. With more and more servers being virtualized, this problem is only becoming more of a challenge.
The big question here is:
Who has access to your Hypervisor?
If a user has access to your Hypervisor, then they can power cycle servers, mount CDs, and more. When granting someone access to your virtual infrastructure, practice the rule of least privilege. Only give them the absolute minimum permissions required to perform their job. As mentioned already, complex passwords are essential here once again. An expiration and lockout policy help too.
I hope this article has been of great help to you. These are the more common areas to lockdown. As many of you know, the realm of I.T. security is boundless. As always, I would love to hear your feedback. Especially on measures, you have taken yourself to secure your servers.
PassWare WinKey Business: Product Page