Physical Security in Information Security: Servers, Offices and Access Control
Physical security is the often-overlooked foundation of information security. This article covers server room security, access control systems, the clean desk policy, laptop theft protection, physical attack vectors (Evil Maid, USB drops), and how physical security measures relate to ISO 27001 and BSI IT-Grundschutz.
Physical security is the area of information security that is most frequently underestimated. All technical security measures fail if an attacker gains physical access to servers, workstations, or sensitive areas. ISO 27001 therefore dedicates specific controls to physical security (A.7.1–A.7.14).
Why Physical Security Is Critical
Physical attack vectors – what happens with physical access:
Attacker has physical access to a powered-on PC:
→ DMA attack via Thunderbolt/FireWire: read memory directly
→ Cold boot attack: freeze RAM contents, read them
(the BitLocker encryption key is held in RAM!)
→ Screensaver/lock screen: social engineering, tailgating
→ USB drop: tampered USB drive → malware upon insertion
(BadUSB, Rubber Ducky, O.MG-Cable)
Attacker has access to a powered-off PC:
→ Boot from USB: Extract password hashes
→ Remove HDD, mount in another system: All data readable
(without disk encryption!)
→ BIOS access: Change security settings
Evil Maid Attack:
→ Attacker has brief physical access (hotel room, office)
→ Manipulate boot sector → next login → password leaked
→ Hardware keylogger between keyboard and PC
→ Interface dongle installed → remote access upon return
Physical security measures prevent this:
→ BitLocker with pre-boot PIN: access to PC impossible without PIN
→ BIOS password: no booting from USB without password
→ Laptop Kensington lock: prevents theft in the office
→ Server in a locked rack: physical access blocked
→ No USB ports on the server: no USB drop possible
Server Room Security
Server room security requirements (BSI IT-Grundschutz INF.2):
Location:
□ Not on the ground floor (risk of break-in)
□ Not above water pipes (risk of water damage)
□ Not next to an exterior wall (temperature fluctuations)
□ No conspicuous "SERVER ROOM" sign on the door!
□ Physically separated from public areas
Access:
□ Access control: transponder/chip, no mechanical key
□ Logging: who entered/exited and when
□ No uncontrolled access for suppliers, cleaning staff
□ Escort: external persons must always be accompanied
□ Video surveillance at entrance (observe GDPR!)
Physical burglary protection:
□ Door: Security class (SK3 for important servers, SK4 for critical ones)
□ Walls/floor/ceiling: no vulnerabilities (raised floor, suspended ceiling → access?)
□ Burglar alarm system (BAS)
□ Locks: Cylinders with protective fittings
Server racks:
□ Locked racks (keys only held by IT admins)
□ No hot-plug ports accessible from outside the rack
□ Combination locks or electronic locks for racks
□ Front and rear panels locked
Environmental conditions:
□ Temperature: 18–24°C (redundant air conditioning!)
□ Humidity: 40–60%
□ Fire protection: Gas suppression system (no water sprinklers!), fire detectors
□ UPS (Uninterruptible Power Supply): min. 15–30 minutes of backup
□ Emergency generator for extended outages
□ Water leak detectors under raised floor
Documentation (for ISO 27001 audit):
□ Access log: who, when, why
□ Visitor logbook for external persons
□ Maintenance logs for air conditioning, UPS
□ Floor plan with security zones
Access control systems
Types of access control systems:
Transponder/RFID systems:
→ Card readers on doors, employee badges with RFID chips
→ Centralized management: easily revoke access rights upon departure
→ Logging: complete audit trail
→ Cost: ~500–2000 EUR/door + management software
→ Known vulnerabilities: RFID can be cloned (Mifare Classic)
→ Solution: Mifare DESFire EV3 or SEOS for higher security
PIN keypads:
→ Simple, no card required
→ Disadvantage: PINs are shared (no audit trail of who entered!)
→ Disadvantage: Shoulder surfing (camera-based attack)
→ Only suitable for less critical areas
Biometrics:
→ Fingerprint, iris, palm vein, facial recognition
→ Highest security, non-transferable
→ GDPR: biometric data = special category → Data protection impact assessment!
→ Costs: significantly higher than RFID
→ Use: for particularly critical areas (data center core, safe)
Combined (physical two-factor):
→ Card + PIN = two factors
→ Card + fingerprint = very high security
→ For areas with very high security requirements
Recommendation for zoning:
Zone A (normal): Office areas → mechanical lock or simple RFID
Zone B (enhanced): Server room antechamber → RFID with logging
Zone C (high): Server room core area → RFID + PIN or biometrics
Zone D (critical): Control cabinets, safe → Mechanical + Electronic + Biometrics
Laptop and Mobile Device Security
Mobile device protection:
Hard drive encryption - mandatory:
Windows: BitLocker
→ Full drive encryption via TPM
→ Activation via Intune:
Device Configuration → Endpoint Protection → BitLocker
→ Require device encryption: Yes
→ BitLocker startup authentication: Require PIN
macOS: FileVault
→ System Preferences → Privacy & Security → Enable FileVault
→ Keep recovery key safe (Intune can manage it)
Linux: LUKS (Linux Unified Key Setup)
cryptsetup luksFormat /dev/sda2 # Encrypt partition
Without disk encryption:
Laptop stolen → all data readable!
GDPR: Mandatory reporting of data breaches!
BitLocker with pre-boot PIN (against Evil Maid):
Without PIN: TPM unlocks automatically during boot → stolen laptop boots!
With PIN: Laptop requires PIN before every boot → stolen laptop unusable
GPO: Computer Configuration → BitLocker Drive Encryption
→ Configure startup PIN: "Require PIN at startup"
Remote Wipe:
→ MDM (Intune/JAMF) can remotely wipe the device
→ Prerequisite: the device must come online for the wipe command to reach it
→ For immediate protection: Remote BitLocker key rotation
Kensington locks:
→ Mechanical anti-theft protection in the office
→ Useful for publicly accessible areas
→ Recommendation: Kensington ClickSafe 2.0 or MiniSaver
Clean Desk Policy:
→ Do not leave sensitive documents on the desk
→ Lock the screen when leaving the workstation (Windows+L, Ctrl+Command+Q)
→ Shredder for sensitive documents (DIN 66399 P-4 or higher)
→ Lockable rolling cabinet for sensitive documents
Physical Attacks in Penetration Tests
Physical attack vectors in a red team context:
USB drops:
→ Leave a tampered USB drive in the parking lot or entrance area
→ Pre-printed label: "Q4 Payroll Summary" or "Application Documents"
→ 45% of people plug in found USB drives (IBM Security, 2016)
→ Protection: Disable USB ports in BIOS or allow only authorized devices (USB whitelist)
Tailgating:
→ Following authorized individuals through secured doors without proper authorization
→ Common scenarios: "I forgot my card," a delivery person carrying packages
→ Protection: Training (do not let anyone in without a card!), security gates (Mantrap)
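As an added example (not part of the original article), the following Python script applies the zoning recommendation above (Zone A → B → C) and the tailgating scenario to a constructed badge-access log: it flags entries to an inner zone without a logged entry to the enclosing zone, a card entering twice without leaving (anti-passback, the pattern a cloned Mifare Classic card produces), entries beyond a badge's authorised zone, and out-of-hours entries to the server-room zones. The log format, badge numbers and authorisation table are assumptions.

```python
from datetime import datetime

# Zone nesting from the article's recommendation: B lies inside A, C inside B,
# so a badge must have a logged entry to the enclosing zone before entering.
OUTER = {"B": "A", "C": "B"}
RANK = {"A": 0, "B": 1, "C": 2}

# Constructed authorisation table: highest zone each badge may enter.
AUTHORISED = {"1001": "C", "1002": "B", "1003": "A"}

# Constructed sample log: timestamp,badge,zone,direction (one event per line).
SAMPLE_LOG = """\
2024-05-06T08:02:11,1001,A,in
2024-05-06T08:03:40,1001,B,in
2024-05-06T08:04:05,1001,C,in
2024-05-06T08:10:00,1002,A,in
2024-05-06T08:11:30,1002,C,in
2024-05-06T08:12:00,1003,A,in
2024-05-06T08:12:45,1003,A,in
2024-05-06T22:30:00,1002,B,in
"""

def analyse(log_text, work_hours=(7, 19)):
    """Return (timestamp, badge, finding) tuples for every suspicious entry."""
    present = {}  # badge -> set of zones the badge is currently logged into
    findings = []
    for line in log_text.strip().splitlines():
        ts, badge, zone, direction = line.split(",")
        inside = present.setdefault(badge, set())
        if direction == "out":
            inside.discard(zone)
            continue
        # 1) Authorisation: unknown badge, or zone above the permitted level
        if badge not in AUTHORISED:
            findings.append((ts, badge, "unknown badge"))
        elif RANK[zone] > RANK[AUTHORISED[badge]]:
            findings.append((ts, badge, f"not authorised for zone {zone}"))
        # 2) Zoning: inner zone reached without a logged entry to the outer one
        outer = OUTER.get(zone)
        if outer and outer not in inside:
            findings.append((ts, badge, f"entered {zone} without entering {outer} (tailgating?)"))
        # 3) Anti-passback: same card enters twice without leaving (clone?)
        if zone in inside:
            findings.append((ts, badge, f"re-entered {zone} without leaving (cloned card?)"))
        # 4) Out-of-hours entry to the server-room zones B and C
        hour = datetime.fromisoformat(ts).hour
        if RANK[zone] >= 1 and not work_hours[0] <= hour < work_hours[1]:
            findings.append((ts, badge, f"out-of-hours entry to zone {zone}"))
        inside.add(zone)
    return findings
```

Running `analyse(SAMPLE_LOG)` on the constructed log yields four findings: badge 1002 reaching Zone C both unauthorised and without a Zone B entry, badge 1003 entering Zone A twice, and badge 1002 entering Zone B at 22:30.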
Physical social engineering:
→ "IT technician" for maintenance → finds ways through the building
→ Uniforms, tools: build trust
→ Protection: escort all external visitors, verify identity, registration required
Dumpster diving:
→ Documents from the trash instead of the shredder
→ Found: Customer data, internal memos, login credentials on Post-its
→ Protection: Mandatory shredding for all sensitive documents
Physical testing (within pentest scope):
→ AWARE7 offers physical penetration tests
→ Test: How easy is it for outsiders to gain access to the server room?
→ Result: Report detailing identified vulnerabilities + recommendations for improvement
ISO 27001 Controls for Physical Security (A.7.x):
A.7.1: Physical Security Zones
A.7.2: Entry Controls
A.7.3: Securing Offices, Rooms, and Facilities
A.7.4: Physical Security Monitoring
A.7.5: Protection against physical threats
A.7.6: Working in security areas
A.7.7: Clean desk and clean screen (Clean Desk Policy)
A.7.8: Placement and protection of equipment
A.7.9: Security of assets outside business premises (mobile devices!)
A.7.10: Storage Media (Disposal, Transfer)
A.7.11: Utility Systems (Electricity, Air Conditioning)
A.7.12: Cabling Security
A.7.13: Maintenance of Equipment
A.7.14: Secure Disposal or Reuse of Equipment
About the Author
Managing partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the master's programme in Internet Security at Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments of cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.