Physical Security | Microsoft Small Business Server 2003 Unleashed

Even with the best password, file, and network policies in place to secure access to the server, there is no substitute for solid physical security of the server. If anyone, thief or employee, has physical access to the server, company data can be deleted, compromised, or stolen. If the server box itself can be removed from the company site, any number of methods can be employed to access data stored on the server disks, even removing the disks and placing them in another machine in some cases.

Ideally, any server, including an SBS server, should be physically located in a locked area and access to the location should be limited to just a few key company employees. This reduces the risks of theft, accidental damage, and the temptation for employees to use the server as a desktop workstation, which could lead to the inadvertent loading of viruses or other malware on the server.

Securing the server computer is more than just protecting it and the data it contains from theft. Environmental issues can cause just as much damage. When Tropical Storm Allison struck the Texas coast and dumped rain on the area for five days in 2001, the resulting flood caught many IT operations off guard. Several data centers were destroyed outright because they were housed in otherwise secure locations underground that were not immune to the flooding. Those centers have now been rebuilt in secure areas above ground to eliminate flooding risks.

Water damage comes from more than just flooding. Broken water and sewer lines running above a server room can destroy a server computer with a much smaller volume of water. Not to mention fire, electrical spikes, or even spilled coffee.

Of course, physical security can be taken to the extreme, but many small businesses simply cannot afford these extreme measures. But just because an extreme security solution cannot be implemented does not mean that no attempt to secure the server physically should be made.

The location of the server should be selected in such a way as to minimize the risks of the physical world as much as possible. How many times have you heard the story of the server that was shutting down unexpectedly every night, only to find out that the janitorial staff was unplugging the server from the wall to plug in the floor sweeper? Although this story may be urban legend, it demonstrates the point that even when you think you have complete control over your environment, you may not.

One physical security aspect often overlooked is the ambient temperature of the area where the server is located. If the server is stored with other heat-generating equipment in a confined space, the air temperature in that space will be higher than in other areas. Prolonged exposure to higher temperatures reduces the server's capability to vent heat out of the computer enclosure, which results in a shorter life span for the computer components most sensitive to heat.

Small businesses may not have the physical or financial resources to protect their network resources in an enterprise-class server room, but you should still make every effort to ensure that the server is as physically protected as possible.

Best Practice: Power Protection

Without fail, one of the most compromised aspects of server security is power protection. An uninterruptible power supply (UPS) is an absolute necessity to help protect an SBS installation, yet there are many times when no UPS is used, or if one is put into place, it does not have sufficient capacity.

As the price of small office sized UPS systems continues to drop, it becomes easier for the small business consultant to justify obtaining a larger UPS unit than the client might otherwise agree to. The general guideline for what size UPS to purchase is not really measured in amp-hours or system uptime in case of failure. The general rule is "buy as much as you can afford."

Most UPS systems now include monitoring software that can be installed on the server so that the server is alerted when the UPS goes on battery power. Many consumer-grade units include a USB connection from the UPS to the server, but a unit that has a serial (RS-232) connection should be used to connect to a server. Although the SBS community at large is still split over the stability of using USB devices on a server, an RS-232 serial connection does and will work reliably and should be selected if there is any doubt whether a USB interface will be reliable enough to protect the server.

Ideally, a UPS for a server should have only the server and possibly the server monitor connected to it. A UPS with more than one computer connected is going to have a shorter uptime during a power failure than if the server alone is connected. The amount of uptime is important, especially when the server is monitoring the UPS device, so that the server has plenty of time to perform a normal shutdown when the UPS goes on battery power.