Contents
Overview
Lesson: Determining Threats and Analyzing Risks to Physical Resources
Lesson: Designing Security for Physical Resources
Lab A: Designing Security for Physical Resources

Module 5: Creating a Security Design for Physical Resources
© 2002 Microsoft Corporation. All rights reserved.
Instructor Notes
Presentation: 60 minutes
Lab: 45 minutes

In this module, students determine threats and analyze risks to physical
resources in an organization. They then learn how to design security for
facilities, computers, mobile devices, and hardware. Students will also learn
about implementing disaster recovery as a way to protect physical resources.
This module focuses on access to and protection of physical resources. Other
modules will focus on access to and protection of data.
After completing this module, students will be able to:
Determine threats and analyze risks to physical resources.
Design security for physical resources.

Required materials
To teach this module, you need Microsoft® PowerPoint® file 2830A_05.ppt.

Important
It is recommended that you use PowerPoint version 2002 or later to
display the slides for this course. If you use PowerPoint Viewer or an earlier
version of PowerPoint, all the features of the slides may not be displayed
correctly.

Preparation tasks
To prepare for this module:
Read all of the materials for this module.
Complete the practices.
Complete the lab and practice discussing the answers.
Read the additional reading for this module, located under Additional
Reading on the Web page on the Student Materials CD.
Visit the Web links that are referenced in the module.
How to Teach This Module
This is the first module that deals with the building phase of the Microsoft
Solutions Framework (MSF) mentioned in Module 2, “Creating a Plan for
Network Security.” Modules 5 through 11 of this course involve designing
security responses to the threats and risks presented in each module.
Many IT professionals do not regularly consider the physical nature of their
network. Explain to students that they must consider any threat that encroaches
upon the perimeter of their network when designing security. Entrances such as
doors, windows, and even loading docks all provide attackers with potential
entry to their networks.
Lesson: Determining Threats and Analyzing Risks to Physical Resources
The structure of this lesson, and of this module in general, will be repeated in
Modules 5 through 11 of this course. The first lesson deals with threats and
risks, the second lesson with designing security responses to those threats and
risks.

Physical Resources to Protect
This slide is presented in several other modules. It is not meant as a realistic
network, but as a conceptual picture to represent different parts of a network.
Use the slide to explain the concepts and as a springboard for conversation. For
example, ask students what’s missing.

Why Physical Security Is Important
This page is intended simply to give examples of vulnerabilities. To elaborate
attacks, draw upon your own experiences. The next page deals with common
vulnerabilities, so try not to skip ahead.

Common Threats to Physical Security
Explain the threats, but do not discuss how to secure against them. The second
lesson in the module covers that topic.

Practice: Analyzing Risks to Physical Security
Walk students through this exercise, which involves a simple quantitative risk
analysis. Ensure that students realize this is a simple exercise to prevent them
from becoming distracted by real-world details that were omitted for the sake of
brevity, such as depreciation of hardware.
Lesson: Designing Security for Physical Resources
This section describes the instructional methods for teaching this lesson.

Methods for Securing Access to Computers
You can mention threats to radio frequency emanations from monitors and
keyboards in the context of physical security.

Considerations for Disaster Recovery
Emphasize that students must ensure that their backup media is secured
sufficiently. Also, explain that if students maintain cold spares and facilities,
they must ensure that those resources are kept up to date with the latest
firmware and other required updates.

Practice: Risk and Response
Answers may vary. Use the security responses that students give to generate
classroom discussion.

Security Policy Checklist
Use this page to review the content of the module. Students can use the
checklist as a basic job aid. The phases mentioned on the page are from MSF.
Use this page to emphasize that students must perform threat analysis and risk
assessment on their own networks for the topic covered in this module, and then
they must design security responses to protect the network.

Assessment
There are assessments for each lesson, located on the Student Materials
compact disc. You can use them as pre-assessments to help students identify
areas of difficulty, or you can use them as post-assessments to validate learning.

Lab A: Designing Security for Physical Resources
To begin the lab, open Microsoft Internet Explorer and click the name of the
lab. Play the video interviews for students, and then instruct students to begin
the lab with their lab partners. Give students approximately 30 minutes to
complete this lab, and spend about 15 minutes discussing the lab answers as a
class.
This module uses Microsoft Visio® documents to display building information
about Contoso Pharmaceutical’s Geneva site. If students in your class are
unfamiliar with Visio, spend a few moments explaining how Visio works.

Note
Before you conduct the lab, be sure to look at the Visio documents
located in the Building Diagrams folder in the lab. Use the answers listed in the
Lab section of this module to guide classroom discussion.

General lab suggestions
For general lab suggestions, see the Instructor Notes in Module 2, “Creating a
Plan for Network Security.” Those notes contain detailed suggestions for
facilitating the lab environment used in this course.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
This module includes only computer-based interactive lab exercises, and as a
result, there are no lab setup requirements or configuration changes that affect
replication or customization.

Important
The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Automated Classroom Setup Guide for Course 2830A, Designing
Security for Microsoft Networks.

Lab Setup
There are no lab setup requirements that affect replication or customization.

Lab Results
There are no configuration changes on student computers that affect replication
or customization.
Overview
Introduction
In this module, you will determine threats and analyze risks to physical
resources in an organization. You will then learn how to design security for
facilities, computers, mobile devices, and hardware. You will also learn about
implementing disaster recovery as a way to protect physical resources.
This module focuses on access to and protection of physical resources. Other
modules will focus on access to and protection of data.

Objectives
After completing this module, you will be able to:
Determine threats and analyze risks to physical resources.
Design security for physical resources.
Lesson: Determining Threats and Analyzing Risks to Physical Resources
Introduction
If an attacker can gain access to physical resources, such as computers,
buildings, and server closets, he can easily penetrate your network and access
your organization’s confidential or secret information. Securing physical access
requires diligence and awareness of threats that an attacker can easily perform
on unsuspecting employees.

Lesson objectives
After completing this lesson, you will be able to:
Describe physical resources to protect.
Explain why physical security is important.
List threats to physical security.
Physical Resources to Protect
Key points
The key to securing physical resources is to secure access to those resources.
Most of the protection on a computer or network is provided by software. If an
attacker can gain physical access to a computer or network, there is generally
little stopping the attacker from penetrating your network.
You should physically secure access to your organization for:
Buildings.
Secure areas in buildings.
Physical data links.
Hardware.

Additional reading
For more information about security, see the white paper, The Ten Immutable
Laws of Security, at:
essays/10imlaws.asp.
For more information about physical security, see the white paper, Basic
Physical Security, at:
5min/5min-203.asp.