November 28th, 2006, 04:44 PM
Clear pagefile at shutdown- Policy discussion
OK. So I'm providing feedback to our internal security group about their 2007 updates to our security policy. One item that has always been in our security policy is that all servers should be set to overwrite the page file on shutdown. I know that they don't have any good reason for it to be in the policy other than a lot of websites on the internet suggest this as a best practice... So here is my argument against this setting-
First, here is some background-
1) I can guarantee a high level of physical security on all servers. They are all in locked datacenters that have a guard at the front entrance, and key card access to internal data center rooms that contain the servers. All server cages are also locked. People leaving the building are checked for equipment and equipment cannot be moved within the premises, or removed from the datacenter without proper paperwork and approvals.
2) Clearing the pagefile on a system with a large amount of memory and a large pagefile defined, or multiple large pagefiles defined, takes a very long time. 20 minutes on servers running ultrawide SCSI 15k RPM drives with 4GB of RAM, and two 4GB page files defined. 20+ minutes to reboot a server is way too long in a high availability environment. I can't have a server down any longer than absolutely needed, and 20 minutes of just wiping page files in the reboot is way too long.
OK. So here is my logic.
If a thief were to bypass our physical security and have physical access to the machine they would have to steal the hard drive in order to access the data. These servers are all monitored and an unexpected shutdown to run a Linux password disk would not go unnoticed. So it is safe to say that an intruder would not have any way to physically log in to the server at the console. So if I'm a thief, and this machine has something that I want, I'm just going to grab the hot swappable drive, pull it out, and then make my way out of the building. I'm not going to shut the machine down gracefully. The clear pagefile security option only works if the machine is shut down gracefully.
And then the other side of the picture is that somebody is able to gain a login to the machine, either at the physical console, or remotely over the network. If they can get a local login they have admin access for all purposes as there are no "user" accounts on these servers. Only administrators can log in. So if you are able to get a login, and you have administrative rights, you would be able to do what you wish to the pagefile while the system is running. So once again, the option to clear the pagefile does nothing in this situation. Even on those limited servers that do have normal users on them, proper delegation of rights will deny the users from having access to the pagefile.
The only time I can see the clear pagefile at shutdown to be a useful option is if the system is going to be powered down and left down for an extended period of time. Say the system is being shipped from one location to another.
November 28th, 2006, 06:19 PM
This really depends on what else accompanies this setting. If you don't have any special "data at rest" protection then you're right, the page file clearing doesn't make any sense. If you have all of your data on an encrypted partition or something then I can see this being of some use as this would be unencrypted on the system drive most likely. All in all, if you have adequate physical security around the server 24/7 and it's always online then this is probably not worthwhile.
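
The trade-off discussed in the two posts above can be checked per server with a short PowerShell audit; this is an added example, not code from either poster. It assumes the policy maps to the standard Windows `ClearPageFileAtShutdown` registry value, uses the first post's figure (two 4GB page files, about 20 minutes) as a rough linear wipe rate, and treats BitLocker as a stand-in for the reply's "encrypted partition".

```powershell
# Added example: audit the "clear pagefile at shutdown" trade-off on the local server.
# Assumption: wipe rate extrapolated linearly from the first post (8 GB of page file, ~20 minutes).
$MinutesPerGB = 20 / 8

# Standard Windows location of the policy's registry value (1 = wipe at graceful shutdown).
$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$value = (Get-ItemProperty -Path $mmKey -Name ClearPageFileAtShutdown `
          -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
$clearEnabled = ($value -eq 1)   # a missing value or 0 means the page file is not wiped

$report = foreach ($pf in Get-CimInstance -ClassName Win32_PageFileUsage) {
    $drive  = $pf.Name.Substring(0, 2)                          # "C:" from "C:\pagefile.sys"
    $sizeGB = [math]::Round($pf.AllocatedBaseSize / 1024, 1)    # AllocatedBaseSize is in MB

    # Assumption: BitLocker is the data-at-rest protection; other products need their own check.
    $encrypted = $false
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $drive -ErrorAction SilentlyContinue
        $encrypted = ($null -ne $vol -and $vol.ProtectionStatus -eq 'On')
    }

    # Extra shutdown time the wipe is expected to add for this page file.
    $estMinutes = if ($clearEnabled) { [math]::Round($sizeGB * $MinutesPerGB, 1) } else { 0 }

    # A pulled disk skips the graceful-shutdown wipe, so only volume encryption covers that case.
    [pscustomobject]@{
        PageFile            = $pf.Name
        SizeGB              = $sizeGB
        ClearAtShutdown     = $clearEnabled
        EstWipeMinutes      = $estMinutes
        VolumeEncrypted     = $encrypted
        ExposedIfDiskPulled = -not $encrypted
    }
}

$report | Format-Table -AutoSize
```

Run it from an elevated session, since `Get-BitLockerVolume` requires administrative rights. A row with `ClearAtShutdown` true and `ExposedIfDiskPulled` true is the case the first post argues against: the reboot pays the wipe time while the stolen-drive scenario stays uncovered.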