Even with the best password, file, and network policies in place to secure access to the server, there is no substitute for solid physical security of the server. If anyone, thief or employee, has physical access to the server, company data can be deleted, compromised, or stolen. If the server box itself can be removed from the company site, any number of methods can be employed to access data stored on the server disks, even removing the disks and placing them in another machine in some cases.
Ideally, any server, including an SBS server, should be physically located in a locked area and access to the location should be limited to just a few key company employees. This reduces the risks of theft, accidental damage, and the temptation for employees to use the server as a desktop workstation, which could lead to the inadvertent loading of viruses or other malware on the server.
Securing the server computer is more than just protecting it and the data it contains from theft. Environmental issues can cause just as much damage. When Tropical Storm Allison struck the Texas coast and dumped rain on the area for five days in 2001, the resulting flood caught many IT operations off guard. Several data centers were destroyed outright because they were housed in otherwise secure locations underground that were not immune to the flooding. Those centers have now been rebuilt in secure areas above ground to eliminate flooding risks.
Water damage comes from more than just flooding. Broken water and sewer lines running above a server room can destroy a server computer with a much smaller volume of water. Not to mention fire, electrical spikes, or even spilled coffee.
Of course, physical security can be taken to the extreme, but many small businesses simply cannot afford these extreme measures. But just because an extreme security solution cannot be implemented does not mean that no attempt to secure the server physically should be made.
The location of the server should be selected in such a way as to minimize the risks of the physical world as much as possible. How many times have you heard the story of the server that was shutting down unexpectedly every night, only to find out that the janitorial staff was unplugging the server from the wall to plug in the floor sweeper? Although this story may be urban legend, it demonstrates the point that even when you think you have complete control over your environment, you may not.
One physical security aspect often overlooked is the ambient temperature of the area where the server is located. If the server is stored with other heat-generating equipment in a confined space, the air temperature in that space will be higher than in other areas. Prolonged exposure to higher temperatures reduces the server's capability to vent heat out of the computer enclosure, which results in a shorter life span for the computer components most sensitive to heat.
Small businesses may not have the physical or financial resources to protect their network resources in an enterprise-class server room, but you should still make every effort to ensure that the server is as physically protected as possible.