
Server Security

Most of us know that securing a system isn’t a one-step process – in fact there can be many steps involved in getting a system secure. One of the most obvious steps is also the one I see ignored most often: physical security.

When I first started working for my current employer, they stashed the servers in a small corner room (maybe 10 x 10), and the door would sometimes be left open, sometimes closed, all depending on who was in there last. Realistically there should have been only two people allowed access to that room (three if you count me), yet it was essentially a spare office for anyone who walked by.

On my first day, when I was first shown the server room, I remember remarking how hot it was – there was no ventilation or A/C [1]. Later that day I found out that the door didn’t even have a lock on it. I remarked about that too, but it didn’t seem to be of much concern.

A couple of weeks later I walked in there to take care of something, and lo and behold, someone from outside the IT department was in there taking a phone call. I was a little surprised, to say the least. In fact she was sitting at a small desk in there making notes. I was just thankful that she didn’t decide to log on to the server so that she could play solitaire or something [2].

It was shortly after that that I really pushed to have a lock installed; if I was going to be responsible for these servers, then I wanted to make sure nobody was screwing around with them. I showed the powers that be how easily I could get into a system if I had physical access to it: I could pull out a hard drive, I could install a key logger, I could use a Linux boot disk to change the Administrator password, or I could even have changed the time in the BIOS of the domain controller – that would have really pooched things.

Long story short – if someone has physical access to your computer, you better have damn good encryption on the drive, otherwise it’s game over.
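The practical follow-up to that advice is verifying that a drive actually carries a full-disk encryption header rather than a plaintext filesystem. The script below is an added example, not code from the original post: it reads the first sectors of a volume image and classifies them by on-disk signature (the LUKS magic and version fields, the `-FVE-FS-` OEM name a BitLocker volume writes into its boot sector, or a plain NTFS OEM name). The sample headers it checks are constructed inline; the field offsets follow the published LUKS1/LUKS2 header layouts, and the `scan_device` path argument is whatever block device or image file you point it at. A missing signature means "no known encryption header found", not proof that the data is protected some other way.

```python
"""Heuristic check: does a volume start with a known full-disk encryption header?

Added example; inspects only on-disk signatures (LUKS1, LUKS2, BitLocker, NTFS).
"""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"             # primary header magic, LUKS1 and LUKS2
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"  # LUKS2 secondary (backup) header magic
BITLOCKER_OEM_ID = b"-FVE-FS-"           # OEM name in a BitLocker volume's boot sector
NTFS_OEM_ID = b"NTFS    "                # OEM name in a plain NTFS boot sector


def classify_volume_header(data: bytes) -> dict:
    """Classify the leading bytes of a volume. Returns a dict with at least
    'encrypted' (bool) and 'kind' (str); LUKS results carry extra detail."""
    if len(data) < 512:
        raise ValueError("need at least one 512-byte sector")

    if data[:6] in (LUKS_MAGIC, LUKS2_SECONDARY_MAGIC):
        version = struct.unpack(">H", data[6:8])[0]
        if version == 1:
            # LUKS1 phdr: cipher-name[32] @8, cipher-mode[32] @40,
            # hash-spec[32] @72, payload-offset u32 @104, key-bytes u32 @108
            cipher = data[8:40].rstrip(b"\0").decode("ascii", "replace")
            mode = data[40:72].rstrip(b"\0").decode("ascii", "replace")
            hash_spec = data[72:104].rstrip(b"\0").decode("ascii", "replace")
            key_bytes = struct.unpack(">I", data[108:112])[0]
            return {"encrypted": True, "kind": "LUKS1",
                    "cipher": f"{cipher}-{mode}", "hash": hash_spec,
                    "key_bits": key_bytes * 8}
        if version == 2:
            # LUKS2 binary header: hdr_size u64 @8, label[48] @24, csum_alg[32] @72
            hdr_size = struct.unpack(">Q", data[8:16])[0]
            label = data[24:72].rstrip(b"\0").decode("utf-8", "replace")
            csum_alg = data[72:104].rstrip(b"\0").decode("ascii", "replace")
            return {"encrypted": True, "kind": "LUKS2", "label": label,
                    "header_size": hdr_size, "checksum": csum_alg}
        return {"encrypted": True, "kind": f"LUKS (unknown version {version})"}

    oem = data[3:11]  # OEM name field of a BIOS parameter block style boot sector
    if oem == BITLOCKER_OEM_ID:
        return {"encrypted": True, "kind": "BitLocker"}
    if oem == NTFS_OEM_ID:
        return {"encrypted": False, "kind": "NTFS (plaintext)"}
    if data[510:512] == b"\x55\xaa":
        return {"encrypted": False, "kind": "boot sector, no known encryption header"}
    return {"encrypted": False, "kind": "unknown, no known encryption header"}


def scan_device(path: str) -> dict:
    """Read the first 4 KiB of a block device or image file and classify it."""
    with open(path, "rb") as fh:
        return classify_volume_header(fh.read(4096))


# --- constructed sample headers (not captured from real disks) ---------------

def sample_luks1_header() -> bytes:
    hdr = bytearray(592)                       # LUKS1 phdr is 592 bytes
    hdr[0:6] = LUKS_MAGIC
    hdr[6:8] = struct.pack(">H", 1)
    hdr[8:11] = b"aes"
    hdr[40:51] = b"xts-plain64"
    hdr[72:78] = b"sha256"
    hdr[104:108] = struct.pack(">I", 4096)     # payload offset in sectors
    hdr[108:112] = struct.pack(">I", 64)       # 64-byte (512-bit) master key
    return bytes(hdr)


def sample_bitlocker_header() -> bytes:
    sec = bytearray(512)
    sec[0:3] = b"\xeb\x58\x90"                 # jump instruction
    sec[3:11] = BITLOCKER_OEM_ID
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def sample_ntfs_header() -> bytes:
    sec = bytearray(512)
    sec[0:3] = b"\xeb\x52\x90"
    sec[3:11] = NTFS_OEM_ID
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


if __name__ == "__main__":
    for name, blob in (("luks1", sample_luks1_header()),
                       ("bitlocker", sample_bitlocker_header()),
                       ("ntfs", sample_ntfs_header())):
        print(name, classify_volume_header(blob))
```

Run it against a real device (`scan_device("/dev/sda2")` on Linux, or a raw image file) as part of a server build checklist; a result with `encrypted: False` on a drive that is supposed to be protected is exactly the finding the post's argument is about.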

Note: This post from The Daily WTF reminded me of my experience.

[1] My request to get a portable A/C unit was finally approved after one of the systems overheated and shut down on a weekend.

[2] To make matters worse, the other two people in the department were consistently leaving the servers logged in under the Administrator accounts. That was just utterly ridiculous, but don’t get me started on that.
