2

We have a server room and right now it's like in wild west: the strongest one can get in and do whatever he wants. I would like to prepare a list of rules to follow to monitor the access and understand who got in so we can track who did what to troubleshoot problems or understand if someone stole gear.

I thought about keeping keys in a single and secure place and giving it only to a person who sign a register when taking the keys and when giving them back (both signatures with time details).

Is it a good idea? Can it be improved without messing too much with people with the need to work fastly?

thanks!

Pitto
  • 2,009
  • 10
  • 33
  • 49

4 Answers4

4

Don't use keys, use access cards: access cards can be logged.

Institute a policy of documentation to track changes: the access logs will be backup only so if someone forgets to log a change to the system you can ask them. Every change should be written up afterwards.

Most importantly: if you don't trust your admins, get new ones. It's impossible to force limits on an admin's access to your network. It's counter-productive and will alienate them.

If the problem is just one of everyone trying to do what they think best and interfering with each other, consider selecting a chief admin. This can be difficult; some sysadmins (while competent) are poor at relationship-managing and consensus-building. If you have such an admin, count yourself lucky, give them more responsibility, and a pay raise.

Michael Lowman
  • 3,584
  • 19
  • 36
2

Your request seems a little strange...the wording sounds like you want a list of rules to post outside the server room so it'll be easier to tell who went in and did what, but you sound like you're rejecting security suggestions. No one is going to sign out those keys if they can just take them when their motive is to take something they're not supposed to. I mean...really, you're asking the fox to guard the henhouse.

If you want an actual secure record, you need to lock the door, give access cards/keys to people who actually need the access and are responsible for said keys and access, and you need to install security cameras that record to a secured spot for an actual record of who's entering and leaving the room.

Cameras aren't that expensive to use, and many now have motion sensing recording. This verifies that people entering and leaving the room are people that should be entering the room.

BMDan
  • 7,129
  • 2
  • 22
  • 34
Bart Silverstrim
  • 31,092
  • 9
  • 65
  • 87
1

First before anything be clear to everyone that you are serious about changing the way the server room operates, and take in everyone's input about how to make it better. You might find that the staff using it have a good idea. If a "strong person" can get in, maybe it is as simple as fixing the lock.

I would recommend implementing a security fob system to accomplish this. Then each user will have a fob assigned to them that unlocks the door. This will track exactly who was in or out. Unfortunately this sounds like it is a more costly solution than you are looking for.

Keyscan is popular for a low end system and somewhat low cost/maintenance. http://www.keyscan.ca/English/Security_E.html

Consider implementing a webcam pointed at the door snapping pictures every few minutes, or a more advanced one that can do motion tracking.

Another way to do it is with light detection. When leaving the server room turn the lights off. You can use a light sensor such as http://www.eesensors.com/Websensor.html to monitor the light values, and if integrated into a nagios monitoring solution can email you whenever someone enters the room. Use these emails in conjunction with the sign in sheet to ensure people are following the rules.

With all of the above as you say implementing a sign in/sign out system would be a good idea.

pablo
  • 3,020
  • 1
  • 18
  • 23
  • Those are really good points but I'm looking for a procedure to regulate the access more than a way to caught someone sneaking in... It's just to let regular workers start to think to lock the door when they leave and pay serious attention to what they do because someone will know they were there. – Pitto Feb 18 '11 at 17:47
  • What do you mean "regular workers"? Does every employee have access to the server room and the servers? – joeqwerty Feb 18 '11 at 17:58
  • Is the OP looking for security information or information on how to coax people doing whatever they want into understanding that doing whatever they want is unappreciated, even if they are going to continue doing whatever they want? – Bart Silverstrim Feb 18 '11 at 19:02
  • Different people have access to this room because we have servers there but also our pbx, air conditioners, medical equipment. Not only sysadmins have access... – Pitto Feb 22 '11 at 22:18
0

If you don't change anything else, you have almost no chance to succeed in enforcing this kind of rule.

You could start by understanding why do people have to go into the server room and fix this firstly.

Except for hardware related activities, there is no reason to enter in a server room and your coworkers, being lazy as everyone, should stop to walk into it if they can do the same work from their desk. Then you will be able to enforce strong rules about server room access without disrupting the work and everybody.

jon_d
  • 693
  • 4
  • 7