Most systems administrators have a desk in a cubicle, rather than a desk in the server room. Although server rooms can be great places to hang out in the summer (at one place I worked, it was the only air conditioned room in the building), they are often noisy environments that don’t do much towards promoting long term concentration. The great thing about server rooms is that they are often quite secure. What most people don’t think about, however, is that you can access almost everything that is held in the server room from outside it. That’s the principle of remote administration.
It comes back to something I’ve talked about in earlier posts. Server rooms have great security because people perceive the server hardware itself to be the most valuable asset in the room. But are the servers or the data they hold more valuable?
Because if it turns out that the valuable thing is the data, there probably needs to be some thinking done about the security of the computers that have regular and complete access to those servers. The workstations of the sysadmins.
Want to get the keys to a network? You don’t need to break the smart card / finger print reader security on the server room door. Just plug a twenty dollar USB pass-through key logger into the back of a systems administrator’s workstation. Do it before they have had coffee in the morning (not that they are likely to check their computer each time for such a device, but pre-coffee sysadmins are more docile) and you’ve got their authentication credentials.
Server room security requires systems administrator workstation security. Leaving systems administrator’s workstations out in cubicle land where it is possible for anyone to wander up and fiddle with the cables at the back makes the hyper-expensive biometric super lock on the server room a little pointless.
In today’s uncertain economic environment workers are a lot more likely to be disgruntled. Get admin credentials and you can take out that anger by damaging the business. Delete everything or steal a whole lot of data. Get admin credentials and you don’t need a lot of skill – you are already the bull in the china shop.
One solution is to make sure that administrator workstations are in a secure environment where they cannot be casually tampered with. That could be as simple as putting your organization’s sysadmin in an office that has a locked door.
Or a cage …
But the office is probably a better idea.