Whenever possible, one of the first steps in securing your Terminal Server environment should be to establish a secure location to store the servers and all associated hardware. The goal is to limit physical contact to only authorized Terminal Server administrators. Surprisingly, physical security is not always practiced as diligently as might be expected. Once physical security has been compromised, an otherwise secured server is at risk to a number of threats. Aside from the obvious concerns such as theft, easy-to-use tools exist that can be used to reset an administrator's password simply by booting the server from a floppy disk or CD-ROM. Through this, code can easily be inserted onto the server allowing for further privilege elevation or data theft. Such physical attacks can completely bypass any other security and auditing measures that you may have in place. Aside from malicious threats, accidental interference is also a real concern. For example, a poorly placed server could be mistaken for a different piece of hardware and accidentally shut down.
I once audited an environment where they had to leave a note taped to the server reminding users not to turn the machine off. The server was stored in a stationary closet accessible by all the employees in the branch location. The note was required because certain users were frequently powering the machine off and on in order to try to fix the application problems they were experiencing instead of first contacting a support person.
Physical security should also be a consideration in large corporate data centers. Many large companies have a single data center containing all the servers (file, print, e-mail, and so on) for the organization. In these types of environments there are usually a large number of people with access to this room, all of whom are responsible for administering a subset of these servers. In this situation you should consider investing in secured server racks that can be locked to prevent administrators of another system from accidentally tampering with one of your servers.
Here are the two basic guidelines to follow when physically securing your servers:
Store servers in a room closed off from general staff traffic and accessible only with some form of card or key authentication.
If necessary, lock the servers in their own rack or shelving device accessible only by valid Terminal Server administrators.