Securing the hardware

There is no security without physical security!

Without securing your environment from physical access, you have no security! Are you as an administrator safe from physical attacks on your servers, theft, or even from your own personnel? Do you (want to) trust the cleaning personnel? Is your company safe from industrial espionage?

1. Securing the server room(s)

• Deny physical access to unauthorized personnel (even from the cleaning personnel) by locking the room with keys, swipe card, smart cards, biometrics... However don't use fingerprint recognition, everybody can get your fingerprints and fake them because these devices are easily fooled.
• Choose a room with no windows, so gathering any sort of information by observing the room is difficult.
• The room should also have adequate surge protection (UPS). You can look at the ones from APC or Galaxy 3000.
• Fire suppression equipment (no sprinklers!).
• Use a room that has strong walls, strong ceiling, strong floor and no weak spots in it.
• Close hidden entries (airconditioning,...).
• Use a separate power circuit for your room.
• Protecting against tempest attack:The Complete, Unofficial TEMPEST Information Page. Of course you could do fun stuff too with tempest: Tempest for Eliza

2. Securing your servers and workstations

What if access was still forced in the rooms and one of your servers was compromised, or even stolen?

• Use titanium computer cases that are almost impossible to open without a key.
• Password protect the bios with a unique password
• Disable or at least do not allow booting from the floppy drive
• Do not allow booting from other devices like CD-ROM
• Do not use the auto detection of hard disks at startup, but set them manually, otherwise simply attaching another hard disk on your computer system as the boot disk can lead to a compromise
• Do not use cordless input devices (like cordless keyboard and mouse)
• Regularly check the cable of the keyboard to the system to make sure no keyboard logger is attached
• Use encryption for sensitive data, because not a single operating system is safe from physical access unless you use encrypted partitions or something similar.

3. Securing the network

• Check for exposed wires (to potential intruders) inside and outside the building.
• Use fiber if possible, because it is very hard to snoop in on these.
• Do not use wireless networks. If you do, you probably want to read this: securing wireless networks.
• Use encryption whenever possible in communication between hosts.

[top]