T 2.120 Inappropriate siting of security-related IT systems

If security-related IT systems on which authentication data is stored are installed in easily accessible locations, the result can be a severe threat to the overall security of a network. Security-related IT systems include, for example, security gateways, directory servers providing a directory service for user identification data, and IT systems on which authentication data is stored. Unsuitable locations for their installation include, for example, public meeting rooms, hallways, and normal offices. Even small network switching elements that are relevant to security in spite of their size, such as routers, switches, and access points, must not be placed in insecure, open spaces. Access points, for example, should not be installed unprotected directly under the ceiling. This would enable easy physical access, which could then very easily be used to read the access information for the corresponding WLAN. When direct access to security-related IT systems is possible, other security mechanisms could be disabled as well.

Example:

An access point was installed in a public meeting room to enable wireless access to the Internet. Access points have a certain value, which may be tempting to a thief. During a meeting, it was noticed that this access point was no longer available, and it turned out that it had been stolen several weeks before. Since an access point generally contains important information for accessing the WLAN, a thief would be able to obtain information to further compromise the network without being noticed or detected. Additional information, such as important certificates for authentication on the WLAN, was also stolen together with the access point. The network was susceptible to attack until the access point was blocked and changed.

Unfavourable environmental conditions (e.g. vibrations, inadequate climatic conditions, or large amounts of dust) can cause damage to security-related IT systems as well.