Analyzing Your Physical Server Security


In today’s world of interconnected computers, it almost seems that physical security would be the least of your worries, but consider what can happen if someone has physical access to your server; they can do the following:

  • Boot from a removable disk and bypass Windows security.

  • Install a key-logging device to capture keystrokes from administrators.

  • Remove your physical hard drives or even the entire computer.

Any of these represents an opportunity for someone to copy all of your data, easily breaching any computer security that you might have implemented in your environment.

Your physical security involves more than just preventing the loss of your data or equipment through theft; it also is important to ensure that your systems cannot be disabled, preventing you from accessing them.

Physical security is the foundation of a strong data security environment, and just like the foundation on a building, it is critical to ensure the rest of the structure can perform its job. Therefore, you want to ensure that your physical security includes the following:

  • Locked door with access codes   Access to your physical computers should be controlled through the use of locks. These should be electronic locks, preferably those that allow different codes or access for different individuals.

    It is equally important that the structure of your computer area be secure as well. Raised floors or lowered ceilings (also called plenum spaces), windows, or other spaces should not allow anyone to circumvent the locked doors.

  • Secure, reliable power, and HVAC (heating, ventilation, and air conditioning)   Since computers require power, it is critical that your systems have reliable power; otherwise, a loss of power can disable your systems. Usually a battery backup in conjunction with a generator that is secured can meet this requirement.

    Computers also generate heat and need to have this heat removed to function properly. The cooling system also needs to continue to run if your computers still run, even after a loss of power. Therefore, the cooling system should have backup power and be secured to prevent it from being disabled.

  • Secure fire suppression   Since computer systems use electricity, it is important that in the event of a fire, water is not used to extinguish the flames, which would damage equipment. It is equally important that a fire on the floor above, or in an area adjacent to the computer systems, not allow water to flow into the computer area.

    Many secure computer facilities use Halon or some other inert gas instead of water to displace the oxygen in the room and extinguish the fire. This works well, but it can be an expensive system to install. Usually a sprinkler system is required by building codes and installed in addition to a gas system. Be sure if you have both that the gas system has a lower threshold than the water-based one.

  • Logged access   It is important that you keep track of access into and out of the secure area. This allows you to track down individuals who were in an area when a security breach occurred. It also functions as a deterrent against employees or authorized individuals attempting to disable your computers if they are aware their entrance and exit from the secure area are logged.

  • Video surveillance   Logging access is a good way to track who is in the room at any time, but people share cards, codes, and passwords all the time in the real world. A video surveillance system that is periodically checked against the access logs helps ensure that the individual being logged in is actually the person in the room.

Each of these items is an important part of your physical security for any computer system, not just database servers. It is important that you properly secure all aspects of your data environment that have highly privileged access to your database server. This includes the following:

  • Test servers   Often, development and quality assurance (QA) systems contain the same data that the production system holds, but they aren’t as secure. Do not allow test servers, development servers, or any other system that holds production data to sit in an unsecured area, such as under someone’s desk.

  • Backup data   A well-designed backup system will ensure that copies of backup data, whether on disk or tape, are moved off-site. This creates another place that allows someone to steal your data. If you move tapes off-site, do so in a secure manner using locked containers and a bonded agency.

    For off-site disk backups, often made using high-speed data links, be sure the off-site computers are physically secured as well.

  • Administrators’ workstations   System administrators, including database administrators, should sit in a secure location, not in open areas that anyone can physically access. Installing some software or a key-logging device can be done just as easily on a workstation as a server, so ensure your administrators’ computers are physically protected as well.

Real World Scenario: Build versus Buy

The cost of implementing physical security can easily exceed that of your servers in a smaller environment. Outfitting physical locks, renovating space for HVAC, and adding monitoring systems can cost thousands of dollars, if it is even possible.

I worked for a small import company a few years ago that employed about 50 people. When I arrived, I found one office that had been converted into a server room and library with a rack of servers, bookshelves full of manuals and software, and even a desk for the lone programmer.

I immediately moved out the programmer and requested an electronic lock on the door. Nearly $1,000 later, we had a secure room for two servers. However, we soon realized that adding two or three more computers required additional power and cooling to be installed. After completing renovations, we found that our small server room had cost nearly $50,000, and the total cost of computer equipment, even after upgrades, was less than $40,000.

At the time there were not many other options for small companies, but these days with collocation facilities in most cities and the relatively inexpensive high-speed lines available, it is likely more cost effective for many companies to rent a rack or two from an established hosting firm.

-Steve Jones


Comparing Existing Security to Business and Regulatory Requirements

Every organization should have policies in place that enforce security inside their walls, even if they are not written down. Even the smallest one-person consulting organization will have policies for locking the doors when no one is inside to protect equipment. As a DBA, you need to be aware of the policies that exist in your organization and ensure that you are adhering to them.

This is especially true in organizations that fall under some type of government regulatory control. The finance, banking, medical, military, and other industries are governed by laws and agency regulations that specify various security measures that must be in place. As a system administrator, you need to be sure that if there are applicable rules, you are complying with them.

Whether internal or external regulations exist, as a DBA you need to both compare the existing security policies with the regulation and identify possible holes in the policy that could lead to a breach of security. For example, you may have a requirement to ensure copies of your backup tapes are stored in a location separate from the servers. You can meet this requirement in many ways, but storing them in the administrator’s car would probably not be a wise decision. Instead, you should comply with the policy and additionally use your best judgment to find a secure, locked facility that provides protection from theft.

A system administrator should never assume that the current process or procedure correctly meets a requirement. You should have a physical list of requirements, and you should verify that each item on it is met. If you find that the existing policy does not meet one of your requirements, you should change the policy and procedure in accordance with your company’s policy.

Identifying Variations from the Security Design

Having a framework and a policy that provides security for your SQL Servers is not enough to ensure your data is protected. Instead, each administrator needs to compare the policy against the setup, configuration, and procedures that actually exist.

For example, you may be required to ensure that employees who leave no longer have access to the SQL Server. There may be a procedure that requires a manager to send an email to all system administrators that notifies them of the date that an employee is leaving or has left. However, unless you check to be sure that all managers are sending these emails, that each administrator is receiving them, and that the actions required to remove access are being followed in a timely manner, you cannot be sure of the security of your computer systems. You may find that the DBA files these emails and processes them only once a month. In that case, an ex-employee could conceivably have access for a whole month after they leave the organization.

For all of these areas that you protect from a physical attack, be sure that you periodically check to see that your security is in place and not being compromised. Perform audits that check to see whether the physical controls work and that systems are being checked for unauthorized devices, such as key loggers. For logical configurations and settings, compare them with the expected settings, and note the differences.

In any case where you find a deviation from your security policy or design, you should begin corrective action immediately, but do so using the procedure for making changes to the system. You should not compound one mistake in your security framework with another by making an unauthorized change, even if it is to correct a setting.
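
The two logical checks described above (departed employees who still have access, and settings that differ from the expected ones) can be run as a read-only T-SQL audit against the SQL Server 2005 catalog views. This is an added example, not code from the book; the baseline values and the login names are constructed placeholders to be replaced with those from your own security design and HR notices.

```sql
-- Read-only audit; run as a sysadmin so all logins are visible.
-- All baseline values and login names below are constructed placeholders.

-- 1. Server settings that differ from the expected baseline.
DECLARE @expected TABLE (name nvarchar(35) PRIMARY KEY, expected_value int NOT NULL);
INSERT INTO @expected VALUES (N'xp_cmdshell', 0);
INSERT INTO @expected VALUES (N'Ole Automation Procedures', 0);
INSERT INTO @expected VALUES (N'Ad Hoc Distributed Queries', 0);
INSERT INTO @expected VALUES (N'cross db ownership chaining', 0);
INSERT INTO @expected VALUES (N'remote admin connections', 0);

SELECT e.name,
       e.expected_value,
       CAST(c.value AS int)        AS configured_value,
       CAST(c.value_in_use AS int) AS running_value,
       CASE WHEN c.name IS NULL THEN 'setting not found on this server'
            WHEN CAST(c.value AS int) <> CAST(c.value_in_use AS int)
                 THEN 'configured and running values disagree'
            ELSE 'differs from baseline' END AS finding
FROM @expected AS e
LEFT JOIN sys.configurations AS c
       ON c.name COLLATE DATABASE_DEFAULT = e.name COLLATE DATABASE_DEFAULT
WHERE c.name IS NULL
   OR CAST(c.value_in_use AS int) <> e.expected_value
   OR CAST(c.value AS int) <> e.expected_value;

-- 2. Logins of departed employees that still exist and are enabled.
--    Fill @departed from the departure notices you received.
DECLARE @departed TABLE (login_name sysname PRIMARY KEY, left_on datetime NOT NULL);
INSERT INTO @departed VALUES (N'EXAMPLE\jdoe', '20070105');   -- constructed
INSERT INTO @departed VALUES (N'report_user_jd', '20070212'); -- constructed

SELECT d.login_name,
       p.type_desc,
       d.left_on,
       DATEDIFF(day, d.left_on, GETDATE()) AS days_since_departure,
       p.modify_date AS login_last_modified
FROM @departed AS d
JOIN sys.server_principals AS p
  ON p.name COLLATE DATABASE_DEFAULT = d.login_name COLLATE DATABASE_DEFAULT
WHERE p.type IN ('S', 'U')   -- SQL logins and Windows logins
  AND p.is_disabled = 0
ORDER BY days_since_departure DESC;
-- Access granted through a Windows group (type 'G') does not appear here;
-- group membership has to be checked in the domain.
```

Any row returned by either query is a variation to record and then correct through the normal change procedure; the script itself changes nothing.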



MCITP Administrator: Microsoft SQL Server 2005 Optimization and Maintenance (Exam 70-444) Study Guide
ISBN: 0470127457
EAN: 2147483647
Year: 2004
Pages: 146
