Skip to Content

Physical Security and Access Control

Physical Security and Access Control

physical security door access key

Photo by Vladimir Srajber on Pexels

Physical security is the foundation of all IT security. If someone can physically access a computer, they can bypass most software security measures. CompTIA A+ covers physical access control, authentication methods, and security best practices.

Physical Access Control Methods

Locks and Keys: Traditional door locks for server rooms and equipment closets. Use restricted key systems — keys cannot be copied without authorization. Change locks when employees with access leave.

Badge/RFID Readers: Electronic access cards or fobs. Each card has a unique ID tied to a person. Systems log entry/exit times. Cards can be deactivated instantly when someone leaves. Much more secure and auditable than keys.

Biometric Systems: Fingerprint, palm, retina, or facial recognition. Most secure — can't be lost, stolen, or shared. Used for high-security areas like data centers. Requires enrollment and maintenance.

Mantraps (Interlocking Doors): Two-door system where only one door can open at a time. Prevents tailgating — someone following an authorized person through a door. Common in data center entrances.

Security Cameras: CCTV at entrances, server rooms, and equipment storage. Use IP cameras with network storage (NVR). Record for 30-90 days. Check local privacy laws before installing.

Security Guards: For large facilities. Guards provide human judgment that electronic systems can't. Combine with badge readers for multi-factor physical security.

Authentication Methods

Something You Know (Type 1): Passwords, PINs. Weakest factor — can be guessed, stolen, or shared. Must be complex: 12+ characters, mix of upper, lower, numbers, symbols.

Something You Have (Type 2): Smart cards, security tokens, phone authenticators. Stronger than passwords alone. Can be lost or stolen, but can be deactivated.

Something You Are (Type 3): Fingerprints, face recognition, iris scans. Strongest individual factor. Can't be lost or shared. But can have false positives/negatives.

Multifactor Authentication (MFA): Using 2+ different factors. Something you know + something you have = MFA. Even if one factor is compromised, the attacker still needs the other.

Common MFA implementations:

• SMS code: Weak — SIM swapping attacks. Better than nothing.

• Authenticator app (Google, Microsoft, Authy, FreeOTP): Strong — generates time-based codes offline.

• Hardware key (YubiKey, FIDO2): Strongest — requires physical possession. Phishing-resistant.

• Push notification (Duo, Microsoft): Convenient — approve/deny on phone. Vulnerable to MFA fatigue attacks (repeated push until user approves).

Access Control Models

Discretionary Access Control (DAC): Resource owners decide who has access. Example: you set permissions on a shared folder you own. Flexible but can lead to inconsistent security.

Mandatory Access Control (MAC): System enforces access based on security labels (confidential, secret, top secret). Used in military and government. Very secure but inflexible.

Role-Based Access Control (RBAC): Access based on job role, not individual. 'Accountant' role gets access to financial systems. 'IT Admin' gets access to servers. Most common in business. Easy to manage — change role, access changes automatically.

Rule-Based Access Control: Access based on rules (time of day, location, device type). Example: only allow access from office IP between 8 AM and 6 PM. Often combined with RBAC.

Step-by-Step: Securing a Server Room

Step 1: Door: Solid core door with electronic badge lock. Log all entries.

Step 2: Lock: Electronic lock with badge reader. Fallback key lock in case of power failure.

Step 3: Access: Grant badge access only to authorized IT staff. Review access list quarterly.

Step 4: Camera: IP camera covering the door, recording 24/7 to a secure NVR.

Step 5: Environment: Temperature monitoring (alert if >80°F), water leak sensor, fire suppression (clean agent, not water).

Step 6: Equipment: Server racks locked. Cable management prevents accidental disconnection.

Step 7: Visitor log: Paper or digital log of all visitors with escort requirement.

Step 8: Review: Audit access logs monthly. Remove access for departed employees immediately.

Security Best Practices for IT Support

Screen Lock: All computers should auto-lock after 10-15 minutes of inactivity. Windows: Settings > Accounts > Sign-in options > Dynamic lock.

Cable Locks: Laptops in public areas should have Kensington locks ($20). Secures the physical device.

Equipment Disposal: Before disposing of any computer or drive, wipe it. Use DBAN or the manufacturer's secure erase tool. For SSDs, use the manufacturer's secure erase utility, not DBAN.

Shoulder Surfing: Position monitors away from high-traffic areas. Use privacy screens on laptops in public.

Tailgating Prevention: Require badge access to secure areas. Train employees to challenge or report people they don't recognize.

Lockable Cabinets: Store spare equipment and sensitive documents in locked cabinets. Don't leave USB drives or laptops visible on desks (clean desk policy).

Free Security Tools

Bitwarden: Free password manager with MFA support. Stores passwords securely and generates strong passwords.

Microsoft Authenticator: Free MFA app. Works with Microsoft accounts and any TOTP-based service.

VeraCrypt: Free disk encryption. Encrypts entire drives or creates encrypted containers.

DBAN (Darik's Boot and Nuke): Free data destruction tool. Bootable USB that securely wipes drives.

Nessus Essentials: Free vulnerability scanner. Scans your network for known vulnerabilities.

Key Takeaways

• Physical security is the foundation — software security is useless if someone can physically access the device

• MFA should use 2+ different factors (know + have, know + are, have + are)

• RBAC is the most practical access control model for businesses

• Badge access + cameras + logs + quarterly review = good server room security

• Always wipe drives before disposal — DBAN for HDDs, manufacturer secure erase for SSDs

Common Questions

Q: Is SMS-based MFA safe?
A: Better than no MFA, but vulnerable to SIM swapping. Use authenticator apps or hardware keys when possible.

Q: What is a clean desk policy?
A> Requirement to clear sensitive information from desks at end of day. Prevents unauthorized access and reduces risk of data theft.

Physical Security and Access Control

physical security door access key

Photo by Vladimir Srajber on Pexels

Physical security is the foundation of all IT security. If someone can physically access a computer, they can bypass most software security measures. CompTIA A+ covers physical access control, authentication methods, and security best practices.

Physical Access Control Methods

Locks and Keys: Traditional door locks for server rooms and equipment closets. Use restricted key systems — keys cannot be copied without authorization. Change locks when employees with access leave.

Badge/RFID Readers: Electronic access cards or fobs. Each card has a unique ID tied to a person. Systems log entry/exit times. Cards can be deactivated instantly when someone leaves. Much more secure and auditable than keys.

Biometric Systems: Fingerprint, palm, retina, or facial recognition. Most secure — can't be lost, stolen, or shared. Used for high-security areas like data centers. Requires enrollment and maintenance.

Mantraps (Interlocking Doors): Two-door system where only one door can open at a time. Prevents tailgating — someone following an authorized person through a door. Common in data center entrances.

Security Cameras: CCTV at entrances, server rooms, and equipment storage. Use IP cameras with network storage (NVR). Record for 30-90 days. Check local privacy laws before installing.

Security Guards: For large facilities. Guards provide human judgment that electronic systems can't. Combine with badge readers for multi-factor physical security.

Authentication Methods

Something You Know (Type 1): Passwords, PINs. Weakest factor — can be guessed, stolen, or shared. Must be complex: 12+ characters, mix of upper, lower, numbers, symbols.

Something You Have (Type 2): Smart cards, security tokens, phone authenticators. Stronger than passwords alone. Can be lost or stolen, but can be deactivated.

Something You Are (Type 3): Fingerprints, face recognition, iris scans. Strongest individual factor. Can't be lost or shared. But can have false positives/negatives.

Multifactor Authentication (MFA): Using 2+ different factors. Something you know + something you have = MFA. Even if one factor is compromised, the attacker still needs the other.

Common MFA implementations:

• SMS code: Weak — SIM swapping attacks. Better than nothing.

• Authenticator app (Google, Microsoft, Authy, FreeOTP): Strong — generates time-based codes offline.

• Hardware key (YubiKey, FIDO2): Strongest — requires physical possession. Phishing-resistant.

• Push notification (Duo, Microsoft): Convenient — approve/deny on phone. Vulnerable to MFA fatigue attacks (repeated push until user approves).

Access Control Models

Discretionary Access Control (DAC): Resource owners decide who has access. Example: you set permissions on a shared folder you own. Flexible but can lead to inconsistent security.

Mandatory Access Control (MAC): System enforces access based on security labels (confidential, secret, top secret). Used in military and government. Very secure but inflexible.

Role-Based Access Control (RBAC): Access based on job role, not individual. 'Accountant' role gets access to financial systems. 'IT Admin' gets access to servers. Most common in business. Easy to manage — change role, access changes automatically.

Rule-Based Access Control: Access based on rules (time of day, location, device type). Example: only allow access from office IP between 8 AM and 6 PM. Often combined with RBAC.

Step-by-Step: Securing a Server Room

Step 1: Door: Solid core door with electronic badge lock. Log all entries.

Step 2: Lock: Electronic lock with badge reader. Fallback key lock in case of power failure.

Step 3: Access: Grant badge access only to authorized IT staff. Review access list quarterly.

Step 4: Camera: IP camera covering the door, recording 24/7 to a secure NVR.

Step 5: Environment: Temperature monitoring (alert if >80°F), water leak sensor, fire suppression (clean agent, not water).

Step 6: Equipment: Server racks locked. Cable management prevents accidental disconnection.

Step 7: Visitor log: Paper or digital log of all visitors with escort requirement.

Step 8: Review: Audit access logs monthly. Remove access for departed employees immediately.

Security Best Practices for IT Support

Screen Lock: All computers should auto-lock after 10-15 minutes of inactivity. Windows: Settings > Accounts > Sign-in options > Dynamic lock.

Cable Locks: Laptops in public areas should have Kensington locks ($20). Secures the physical device.

Equipment Disposal: Before disposing of any computer or drive, wipe it. Use DBAN or the manufacturer's secure erase tool. For SSDs, use the manufacturer's secure erase utility, not DBAN.

Shoulder Surfing: Position monitors away from high-traffic areas. Use privacy screens on laptops in public.

Tailgating Prevention: Require badge access to secure areas. Train employees to challenge or report people they don't recognize.

Lockable Cabinets: Store spare equipment and sensitive documents in locked cabinets. Don't leave USB drives or laptops visible on desks (clean desk policy).

Free Security Tools

Bitwarden: Free password manager with MFA support. Stores passwords securely and generates strong passwords.

Microsoft Authenticator: Free MFA app. Works with Microsoft accounts and any TOTP-based service.

VeraCrypt: Free disk encryption. Encrypts entire drives or creates encrypted containers.

DBAN (Darik's Boot and Nuke): Free data destruction tool. Bootable USB that securely wipes drives.

Nessus Essentials: Free vulnerability scanner. Scans your network for known vulnerabilities.

Key Takeaways

• Physical security is the foundation — software security is useless if someone can physically access the device

• MFA should use 2+ different factors (know + have, know + are, have + are)

• RBAC is the most practical access control model for businesses

• Badge access + cameras + logs + quarterly review = good server room security

• Always wipe drives before disposal — DBAN for HDDs, manufacturer secure erase for SSDs

Common Questions

Q: Is SMS-based MFA safe?
A: Better than no MFA, but vulnerable to SIM swapping. Use authenticator apps or hardware keys when possible.

Q: What is a clean desk policy?
A> Requirement to clear sensitive information from desks at end of day. Prevents unauthorized access and reduces risk of data theft.

Rating
0 0

There are no comments for now.

to be the first to leave a comment.