Pretty impressive server room, wait WTF



  • Yesterday I was running new cable for a rather large doctor's office that just expanded their offices some more - I also installed some POE Wireless Access Points, and other garbage, but that doesn't matter. Naturally the servers were very important, contained massive amounts of patient information. Each server was on a UPS, had redundant everything, and the office manager told me that each server set them back about $15K.

    I said "I guess that's why these walls are so thick". She laughed and said "yes". The walls around the server room were about 2 1/2FT (0.7m) thick concrete, and she told me that the floors and ceiling were too. They also had this giant metal door with a deadbolt that locked on all four sides of the door. I was pretty impressed and everything (I've seen better, but this isn't bad for a doctor's office) until I started running my initial wires. I was in the server room punching down into the patch panel when a printer on one of the racks started printing, "that was weird", I thought, but then thought "well, maybe it prints out some kind of log or something."

    Then a woman came in and got the paper out of the printer and left. About 2 minutes later the same thing happened again, and again, and all day long I saw people going into the server room to receive paper. I asked the office manager what was going on and she told me that "the reports printer is very important, so we keep it in the server room." I then had to ask "So, the server room stays open all the time, to all employees?" she replied "Well, of course." There goes your security.

    After going back to the server room, I looked at the printer and it was a regular network printer, some kind of HP laserjet garbage that was around 10 years old - I didn't write down the model to share, unfortunately. Anyway I told the office manager that she should really reconsider and put that printer anywhere else in the building. I pointed out that if you wanted to keep the printer secure, giving all employees access to it in the first place made it a really WTF situation - and it being in the server room made it worse at least 10 fold.

    She wouldn't budge from her security position. And after hooking up some new machines for the new wires I ran, I got a chance to talk to other employees who thought it didn't make sense either, and also told me several times if a server was beeping or making a weird sound, several different employees thought it urgent to completely unplug the server - in one case a janitor took a server off the rack and tried to "fix" it and ended up shorting a bunch of stuff out.

    After discussing this with the office manager again, she again stood on her stance it was more secure. I spoke to the head doctor who actually owned the building and he didn't even know it was in the server room, and he then got into a huge argument with the office manager and even he pointed out her severe stupidity and illogical thinking. In the end he decided to go with what the office manager was saying; I gave him too much credit - I guess so he didn't have to deal with her.

    Before leaving I said "When you're ready to move that printer, I'll come do it for you." She didn't say anything, just cut my check. I have to say their stupidity goes over financially as well; for about 6 hours of total work, I made about $250 US an hour.



  • This is why I use wifi in my house. We dont have these security issues with wifi connecting everything. Who needs cables. Doors? What doors?



  • @menta said:

    This is why I use wifi in my house. We dont have these security issues with wifi connecting everything. Who needs cables. Doors? What doors?


    dude really... that was over months ago.
    You're not funny you're just annoying the pee out of everyone



  • @helpfulcorn said:

    There goes your security.
     

    I never understood the need to secure a server room from your own employees.  Like a doctor's going to walk out with a server? (and if they do you have bigger problems).  Except for

     @helpfulcorn said:

    if a server was beeping or making a weird sound, several different employees thought it urgent to completely unplug the serve

     But that's a training issue.  No one locks up the microwave because I might put metal in there and start a fire.

    The outside world, sure, but the employees?  Maybe there's a legitimate reason I'm missing.



  • @maweaver said:

    @helpfulcorn said:

    There goes your security.
     

    I never understood the need to secure a server room from your own employees.

    Ask banks why they do this. It has more to do with personal information being stored there; someone might just go in at night, mirror-copy the HDD and walk out with thousands of patient records. Same goes with banks, where even IT security doesn't have physical access to the servers. Oh, and add big freakin' guns to that server room as well... now that's security.


  •  What is funny about using wifi? Everything uses wifi now.



  • several times if a server was beeping or making a weird sound, several different employees thought it urgent to completely unplug the server - in one case a janitor took a server off the rack and tried to "fix" it and ended up shorting a bunch of stuff out.

    Crowdsourcing system maintainance - it's the future!



  •  What's funny is the assertion that wifi is more secure than wired networking.



  •  It is if you use WEP2



  • @Arancaytar said:

    several times if a server was beeping or making a weird sound, several different employees thought it urgent to completely unplug the server - in one case a janitor took a server off the rack and tried to "fix" it and ended up shorting a bunch of stuff out.

    Crowdsourcing system maintainance - it's the future!

    I wonder if this policy would change when someone decides to "fix" the server by giving it a couple of kicks. Or tapping it with a hammer.


  • @menta said:

    It is if you use WEP2

     

    WEP2?  Um, WEP2 was stillborn because increasing the IV keyspace didn't fix the fact that WEP was a security comedy of errors.  Did you mean WPA2, which is at least less susceptible to funny stuff like node capture by a rogue AP, but still has packet injection vulnerabilities inherited from WEP.  If real-time decryption isn't necessary, rainbow table attacks and parallel processing can provide security risks substantially after the fact, too.

    And, really, at the end of the day, wireless broadcasts can be intercepted a mile off (or more).  That is never going to be as secure, prima facie, as a wired network.



  •  @menta said:

     It is if you use WEP2

    Sure, WEP2 makes realtime decryption much more difficult. However, you can still divert traffic, you can still forge packets, and it actually includes vulnerabilities not in WEP1. You can still find out the password used fairly easily (due to the ability to forge packet and obtain key streams), it's really not that much secure than WEP1.


  •  The place where I work the servers are behind 3 (yes, three!) locked doors (to all other staff. about 6 doors to the outside world), to which only managers have access to the first, and only 2 IT people have access to the second two (and then the access is logged via there keycard and the camera system which is controlled by 2 other non-IT people). The reason behind this is that most employees only have limited access, and to ensure this access is enforced, they should not ever have physical access to the servers. 



  • @maweaver said:

    never understood the need to secure a server room from your own employees.
    I recall a claim made back when I joined this site that 60% of attacks come from within the firewall.  If that were true, it could stand to reason that 60% of physical attacks would be made by employees as well.



  • @belgariontheking said:

    @maweaver said:

    never understood the need to secure a server room from your own employees.
    I recall a claim made back when I joined this site that 60% of attacks come from within the firewall.  If that were true, it could stand to reason that 60% of physical attacks would be made by employees as well.

    Or miscreants pretending to be employees.  With some social engineering, it probably isn't that hard to sneak in to most places.  Or you could just mug an employee on the street and take his keycard and ID badge.


  • @tdb said:

    Or you could just mug an employee on the street and take his keycard and ID badge.

    I've tried that, it doesn't work.


  • @Havstein said:

    @tdb said:
    Or you could just mug an employee on the street and take his keycard and ID badge.
    I've tried that, it doesn't work.
    It works in the movies though!  Hire a stripper to steal it for you.  I think that's the secret.



  • @Mole said:

     The place where I work the servers are behind 3 (yes, three!) locked doors (to all other staff. about 6 doors to the outside world), to which only managers have access to the first, and only 2 IT people have access to the second two (and then the access is logged via there keycard and the camera system which is controlled by 2 other non-IT people). The reason behind this is that most employees only have limited access, and to ensure this access is enforced, they should not ever have physical access to the servers. 

     

    That's how it is here too.  I work for a financial institution, I am in IT and can't even get close to the servers (the way it should be, need to know kind o thing).  

     We have the following:

    * Door 1: Secure building that is Hurricane proof and has power generator backup that all employees can get into with a security badge and access code

    * Door 2: Secure door number 2 that only certain members of IT can get through, badge swipe and code (no, I am not that privledged, just a programmer).

    * Door 3: Secure door number 3 can only be opened by the managers of the Systems Support/Infrastructure team.

    And that's the way it should be.  Very few people ever need to touch the servers.  Your average programmer doesn't know crap about the physical hardware involved.  Granted most people on here probably do (one of my coworkers has his own server rack ect. ect.), but on average most wouldn't even know how to set up the racks, routers and everything else involved.



  • @tdb said:

    Or you could just mug an employee on the street and take his keycard and ID badge.
    That will not work.  The last two doors are marked as "secure doors" in the system, which means that you need both the persons keycard and pin code before the door unlocks (There's a keypad next to the door). The rest of the doors (or at least, the doors I've seen) don't have the keypad, just keycard readers. 

    So you'd have to mug his brain too, or at least get him to give you his pin, and hope it's the right one. (I suppose you could force him to open the doors for you, but that might be a little suspicious). 



  • @maweaver said:

    I never understood the need to secure a server room from your own employees.  Like a doctor's going to walk out with a server? (and if they do you have bigger problems).  Except for

     

    It goes something like this: object on the floor + an employee drinking coffee + server in front of him == hp/ibm/whoever just sold another server...

    The less people get into the server room the better - it's easy to touch something by accident even if you really doing your work... pull a cable out or something like that, you don't notice for couple of days until it just disconnects and pops out due to gravity ;)



  • I used to work for a financial org, it had security doors to the computer building, it then had double security doors to reach the server room which had a secure "airlock" entry

    the only problem was this same computer room had a fire door to the ajoining loading bay ( a bay that was open to all most of the day)  this fire door was unalarmed and secured by cheap (and often faulty) mag lock.

     to cap this, the server room had its own toilet ( a minor wtf in its own right) the loading bay staff new this and would often let visiting delivery drivers use it (one door as opposed to 3 that need security cards to open)

    so it was easier to access the room via the loading bay than the  though all the security.

    Talk about being more worried about staff than outsiders!



  • @amischiefr said:

    @Mole said:

     The place where I work the servers are behind 3 (yes, three!) locked doors (to all other staff. about 6 doors to the outside world), to which only managers have access to the first, and only 2 IT people have access to the second two (and then the access is logged via there keycard and the camera system which is controlled by 2 other non-IT people). The reason behind this is that most employees only have limited access, and to ensure this access is enforced, they should not ever have physical access to the servers. 

     

    That's how it is here too.  I work for a financial institution, I am in IT and can't even get close to the servers (the way it should be, need to know kind o thing).  

     We have the following:

    * Door 1: Secure building that is Hurricane proof and has power generator backup that all employees can get into with a security badge and access code

    * Door 2: Secure door number 2 that only certain members of IT can get through, badge swipe and code (no, I am not that privledged, just a programmer).

    * Door 3: Secure door number 3 can only be opened by the managers of the Systems Support/Infrastructure team.

    And that's the way it should be.  Very few people ever need to touch the servers.  Your average programmer doesn't know crap about the physical hardware involved.  Granted most people on here probably do (one of my coworkers has his own server rack ect. ect.), but on average most wouldn't even know how to set up the racks, routers and everything else involved.

    Wow, you actually know what's behind Door #2. I worked for 1 year at my previous job (financial institution) and the most I ever got to see was the "command center" room. But I didn't even reach the server area's door. So basically I know Door #1 and some stuff after it, but nothing more.

    Oh, and Door #1 is really an "airlock" configuration, with a security station observing it. This checkpoint is also where the shotgun-toting guards are stationed. Even without the PIN + keycard combo, if the guards don't know you they'll definitely ask for ID.



  •  The fun thing about my place of work besides the "6 doors to the server room" and "3 internal doors between most staff and server room" is that there's exactly one (1) window between outside and the server room.Its true that you'll be recorded if you enter via that entrance, and that if you don't cover up all the hole pretty damn quick, the alarms will sound when the temperature and humidity sensors start changing values too quickly, but you could probably nick a server or two in that time, assuming you had the tools to force open the cabinet doors. I don't think anyone would care much if they just got a single "server failure" notification (they've left it over a weekend before). 

    Also, some things give the server room away from the outside: The server room is the only room to use mirrored glass to stop people looking in from outside; and secondly, that mirrored glass only works when its lighter outside than inside, so if you go at night, the place is litup like a christmas tree :-D

     



  • @belgariontheking said:

    @maweaver said:

    never understood the need to secure a server room from your own employees.
    I recall a claim made back when I joined this site that 60% of attacks come from within the firewall.  If that were true, it could stand to reason that 60% of physical attacks would be made by employees as well.

    I seem to recall hearing that it was 80% of physical attacks.  I'm uncertain if this was due to assumed physical security, actual physical security being sufficient to thwart attacks before their target was apparent, or due to insiders being more prone to making physical attacks.  I'd guess it's probably more of the latter.

    In any event, it sounds like the employees at that office had more than sufficient access to pull any physical attack, so long as they could handle the logistics...



  •  At the place I work we have 10 armed guards guarding the server room 24/7, and by armed guards I don't mean stupid security guards with tiny revolvers. I mean bad ass military personel with assault rifles that lives behind that door #2.

    Anyone who can to beat that?



  • @Gnonthgol said:

     At the place I work we have 10 armed guards guarding the server room 24/7, and by armed guards I don't mean stupid security guards with tiny revolvers. I mean bad ass military personel with assault rifles that lives behind that door #2.

    Anyone who can to beat that?

    Yes, our server room is left unlocked with the door open to help vent some of the heat.  Its guarded by a small patch of floor that's strangely more slippery than elsewhere...we taped a manilla folder over top of it with a warning written on it.



  • @Mole said:

    The server room is the only room to use mirrored glass to stop people looking in from outside;
     

    At least there's some measure to stop people looking in. My work's "server room" is also the "junk room" where we store the stationery, boxes, spare monitors, spare furniture, etc in a normal room on the ground floor (my work's building used to be a set of residential apartments) and you can see in from the outside. An open window is the cooling system - there is a security grill on it. It is on the southern end of the building so it avoids the direct sun. This is on the Gold Coast where the summer temperature can reach into the 30s°C with high humidity...

    But our mission-critical servers are actually in some datacentre; these servers are just development and internal mail/file/database servers.



  • The old server room at my college was a cupboard under the stairs basically. Not exactly great security, but not awful (and rather crammed). No street-facing windows, only one overlooking the court. Cooling was a free-standing aircon unit with the hose taken out the window. Door is locked, and door to staircase has a code-lock.

    Not all the servers were there mind - some were in the IT office.

    There's a new server room now though. Dunno where it is, somewhere in the new buildings 'up the hill'.


Log in to reply