When I first started working for my current employer, they stashed the servers in a small corner room (maybe 10 x 10) and the door would sometimes be left open, sometimes closed, all depending on who was in there last. Realistically there should have been only two people allowed access to that room (three if you count me), but yet it was essentially a spare office for anyone who walked by.

On my first day when I was first showed the server room, I remember remarking how hot it was – there was no ventilation or A/C[1]. Later that day I found out that the door didn’t even have a lock on it. I also remarked about that, but it didn’t seem to be of much concern.

A couple of weeks later I walked in there to take care of something, and lo and behold someone (outside of the IT department) was in there taking a phone call. I was a little surprised to say the least. In fact she was sitting at a small desk in there making notes. I was just thankful that didn’t decide to log on to the server so that she could play solitaire or something [2].

It was shortly after that I really pushed to have a lock installed; if I was going to be responsible for these servers, then I wanted to make sure nobody was screwing around with them. I showed the powers that be how easily I can get into a system if I had physical access to it: I could pull out a hard drive, I could install a key logger, I could use a Linux boot disk to change the Administrator password, or I could even have changed the time in the BIOS of the domain controller – that would have really pooched things.

Long story short – if someone has physical access to your computer, you better have damn good encryption on the drive, otherwise it’s game over.

Note: This post from The Daily WTF reminded me of my experience.

[1] My request to get a portable A/C unit was finally approved after one of the systems overheated and shut down on a weekend.

[2] To make matters worse, the other two people in the department where consistently leaving the servers logged in under the Administrator accounts. That was just utterly ridiculous, but don’t get me started on that.

I first started working for the organization in 2003, and most of the systems were running Windows 2000 Professional. By the time Windows XP SP2 was released I had started looking into performing a company wide upgrade, but I was quickly shot down due to the cost of licensing. I talked to a Microsoft partner and we went through a bunch of different licensing options from retail to Open Volume, but I just couldn’t the number low enough to get the OK.

I knew that unless I could lower the cost, the only way the systems would ever get upgraded would be through buying new systems. Even at that, it would be a fight to spend the extra cash on upgrading from Windows XP Home to Windows XP Professional.

After some searching around, I found a true gem: TechSoup. TechSoup’s purpose is to be a middleman between non-profits and software companies. They administer relations between companies and take care of a lot of the leg work; in return they are able to provide software (and hardware in some cases) to non-profit organizations at huge discounts. All they charge is an administrative fee. Windows XP Professional upgrade, for example, costs $8 a license.

So if you are a non-profit looking to cut costs while still having access to great software, make sure you go to TechSoup and see what they have. It’s not just Microsoft software there either. Other vendors include Adobe, Cisco, and Symantec.