Understanding Hardware Security
Physical isolation and access control are the foundation on which you should build the security
architecture. Ensuring that the physical server is installed in a secure environment protects the
server against unauthorized access. Likewise, recording all serial numbers helps prevent the use
of unauthorized hardware components.
These sections provide general hardware security guidelines for the servers.
■
“Access Restrictions” on page 9
■
■
Access Restrictions
■
Install servers and related equipment in a locked, restricted-access room.
■
If equipment is installed in a rack with a locking door, always lock the rack door until you
have to service the components within the rack. Locking the doors also restricts access to
hot-plug or hot-swap devices.
■
Store all spare replacement parts in a locked cabinet. Restrict access to the locked cabinet to
authorized personnel.
■
Periodically, verify the status and integrity of the locks on the rack and the spares cabinet to
guard against, or detect, tampering or doors being accidentally left unlocked.
■
Store cabinet keys in a secure location with limited access.
■
Restrict access to USB consoles. Devices such as system controllers, power distribution
units (PDUs), and network switches can have USB connections. Physical access is a more
secure method of accessing a component since it is not susceptible to network-based attacks.
■
Connect the console to an external KVM to enable remote console access. KVM devices
often support two-factor authentication, centralized access control, and auditing. For
more information about the security guidelines and best practices for KVMs, refer to the
documentation that came with the KVM device.
Understanding Hardware Security
9
