We often get the question ‘Should I lock my server room?’ While some IT professionals may recoil in horror at the thought of open access, it’s a query that comes up more often than you think.
The answer is absolutely yes. It doesn’t matter if you’re a small business or a massive enterprise, there should be barriers between your servers and the rest of the world. In this article, we explain why you should restrict access and how you can practically do that.
Why Should I Secure My Server?
There are several great reasons you should secure your server, but the biggest is security. Virtually everything that lives on a server is sensitive. From business information, customer and employee details to revenue figures, the whole reason you’re keeping it is because it’s either important to your business or business-critical.
But apart from that, here are some of the other reasons that your servers should be locked away from others.
When People See Open Space, They Fill It
If you leave the door open to the one room that most employees don’t understand, the inevitable happens – it becomes a storage room. That means boxes get stacked up against servers, people put beer kegs in there or food supplies (This is a real case), paper files get stacked in there by admin, or cleaning supplies get dumped in a corner.
None of this is good. Not only does it make it hard to get to your equipment, it’s several kinds of risk. E.g. Fire, water, and tripping. It’s not a storage shed out the back of your house, it’s a server room – it’s for server equipment only.
Locking it off is the only surefire way to stop employees from management downward using it as a dumping ground for all the office supplies.
Accidental – but catastrophic – damage
Imagine you’ve got the server room open. The cleaner comes in and unplugs your servers to use the power outlet for a vacuum cleaner, or uses a spare port and overloads the power supply. Both of these are true stories.
Someone comes in decides to use the room as a phone call area. They lean against the server rack and send it toppling over. Now a lot of very expensive equipment is damaged – and it all could have been prevented with a locked door.
It’s just not worth leaving such business-critical machines open to accidental damage.
There are so many ways this can happen. A lot of servers do not have their USB port locked, so a disgruntled employee can get their revenge by slipping in and plugging in a USB, with nobody being the wiser.
This is also how they can commit data theft or infect a server with ransomware (E.g. Ransomware-as-a-Service). One of the easiest ways to compromise a system is with physical access, which is why crucial government systems are often air-gapped (Read our guide on air-gapping your systems).
There are a few ways people can come to personal harm in a server room. One is tripping over cables. Server rooms are often not designed to be high traffic areas, and tripping and hitting your head against some very hard (and jagged) machine shelving is a good way to get sued.
Another – though admittedly rarer – is server room fire suppression systems. Some of the fire suppression systems used to keep servers safe and minimize fire damage can be dangerous, or even lethal, for humans if they do not evacuate in time.
Your server room typically needs to be kept cool, that’s what all the nifty sensors are for. But if someone walks in and leaves the door open, this can have two effects – either interfering with the control climate and causing damage to your systems, or forcing the cooling systems to have to work extra hard to make up for the open door (and racking up more in electricity costs).
This is the biggest one, hands down. There’s nothing to stop someone from plucking out a hard drive with all your business data and taking off with it, or downloading it onto their own device.
How Should I Secure My Server?
So you’re convinced that your server should not be a thorough-fare. Great! So how do you make that practically happen?
A Key Card Lock
Ideally, you want a coded lock with a limited amount of keys, and these keys are ONLY owned by the IT staff. Maybe five keys in total, with one belonging to the IT manager.
This approach is superior to a coded lock, because the problem with a coded lock is that people can be given the codes (and you can’t get them to forget it).
If you don’t have the money for a set of keycards, then biometric locks are surprisingly affordable. They also can’t be passed around between individuals. You can also get dual biometric / coded locks.
Lock-and-key / Pure Coded Locks (Not preferable)
Worst case scenario, go for a pure coded lock or the old lock and key. But because keys can be cut or lost (which requires resetting the lock) or codes can be handed out, biometrics or keycards are preferrable.
Logging Server Room Access
If you’re using a keycard or biometric set-up, you can log exactly who accesses the server room, when they did it, and for how long. This is especially useful if someone damages or sabotages the servers and you need to establish a timeline.
You can certainly use an access board on the front and just have people jot down when they were in there, but this sort of system relies a lot on honesty, which means if someone is up to something dishonest they’re not likely to write it down.
Auto-closing Door & Strike-plate Alarm
Have a door with spring-loaded hinges or a hydraulic door. This way the door always shuts behind you and it is never left open. This, combined with a strike-plate alarm, is a good way to secure the server room.
How a strike-plate alarm works is that if the door stays open for too long (The door does not meet the strike-plate), a security alert goes out to the IT staff. This prevents people from jamming something in the door to keep it open when someone has gone in or out.
Locked Rack Cages
Put your servers in cages that are under lock and key. This sort of set-up doesn’t make up for a locked door – after all, someone can probably break it with a crowbar. However. it does prevent physical touching and buy time (and make noise) if someone is trying to get to your servers.
Disable the USB Ports
Self-explanatory, but a lot of people forget to do this. Don’t leave the USB ports on your servers active – this is one of the easiest ways to infect it with ransomware or another malicious program.
A Backup Inside the Company Lock-box
Other approaches include using a third party offsite storage service. Regardless, your physical backups should not be open to access by anyone in the office so long as they know where they are. You should also use an offsite backup solution. E.g. Public or Private Cloud to secure your server data.
This one is going to depend on your budget, but ideally you want several cameras that capture all angles in the server room. Points if they are motion activated, so they can track anyone who walks into the room.
If you can’t manage this, look into having at least one camera seeing who goes in and out.
Through the IT Department / IT Manager’s Office
An effective way to stop people going in or out is having the server room located at the back of the IT manager’s office, or alternatively through the IT department. It’s really hard for people to sneak in there for a phone call or dump their stuff in there if they’ve got to go past prying eyes.
Don’t Let Cleaning Staff, Security, or Managers In
What possible reason does upper management have to get into the server room? There is none. If they really, desperately need access to the server room, they can request the IT manager unlocks it. But again, why?
Security staff and cleaning staff should also not be going into the server room. If need be, the IT staff can clean the room, or cleaners can be supervised when they go in there. These people are strangers, so why would you let them go in where your business data is stored?
Since you’re cleaning the room yourself, it’s a good time to do a regular inspection of the server room and make sure nothing is amiss. This is a good time to check to see if you’ve got a raccoon lodged between the server racks.
…. A sign (Not recommended)
This is probably the worst solution. A sign saying ‘no access other than by IT staff’ will keep the honest out, maybe. But if they need a mouse replacement, expect them to be scurrying to where all the equipment is kept and examining your server racks as if they were storage shelves.
If this is the only solution you are currently employing, you should seriously consider investing in a door lock. An unlocked door is a bomb waiting to explode.