
Assuming this physical access claim is truthful (and I have doubts), I would feel at this point it's budget letting him down. If your threat model includes "targeted attacks from people with physical access", it's time to run a VM on AWS or Azure and use the tooling they make available to secure it further. If you want tonnes of resourcing at quite a low budget, there's only a certain amount of "calling out" the group that supplied it that's reasonable.


I believe most of these "physical attacks" are datacenter support teams being socially engineered and not state-level actors. They hook up a USB rescue drive to "help" you back into your server; using full disk encryption or locking down the BIOS can thwart such attacks.


You know, as much as I'm generally unhappy with what MS is doing with forcing TPMs on Windows 11, I have to say BitLocker on Windows is basically single-click and a perfect solution, and I'm a bit disappointed in the scale of every comparable Linux guide I just Googled up. I can see why the average company doesn't have it deployed.


LUKS isn't rocket science; you're looking at the wrong guides. Using the TPM to encrypt a partition is a few commands on the shell.
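An added example of what those "few commands" look like on a systemd-based distro, not code from the thread or from any poster: it wraps systemd-cryptenroll (systemd 248 or later) to bind an existing LUKS2 volume to the TPM 2.0 at /dev/tpmrm0, sealed against PCR 7 (Secure Boot policy) by default. The LUKS2 check matters because systemd-cryptenroll stores its token in the LUKS2 header and cannot enroll a LUKS1 volume. The sample header text in the test is constructed; the device path, the mapping name "cryptroot" and the initramfs tooling mentioned in the note are assumptions.

```shell
#!/bin/sh
# Added example: bind a LUKS2 volume to the TPM with systemd-cryptenroll.
# Assumes: systemd >= 248 (systemd-cryptenroll), a TPM 2.0 resource manager
# at /dev/tpmrm0, and an existing LUKS2 header with a passphrase keyslot.
set -eu

# True if the text of `cryptsetup luksDump <dev>` (on stdin) shows a LUKS2
# header. LUKS1 headers have no token area, so enrollment would fail.
is_luks2() {
    grep -q '^Version:[[:space:]]*2[[:space:]]*$'
}

# crypttab entry: the initramfs tries the TPM first and falls back to the
# interactive passphrase prompt if unsealing fails (e.g. after a firmware
# or Secure Boot policy change moved PCR 7).
crypttab_line() {
    printf '%s UUID=%s none tpm2-device=auto,discard\n' "$1" "$2"
}

# Enroll the TPM as an additional keyslot. The existing passphrase slot is
# deliberately left in place: a TPM-only volume is unrecoverable once the
# PCR policy no longer matches.
enroll_tpm2() {
    dev="$1"
    pcrs="${2:-7}"   # "0+7" binds firmware too: stricter, breaks on every firmware update

    [ -c /dev/tpmrm0 ] || {
        echo "no TPM 2.0 resource manager device (/dev/tpmrm0)" >&2
        return 1
    }
    cryptsetup luksDump "$dev" | is_luks2 || {
        echo "$dev is not LUKS2; run: cryptsetup convert --type luks2 $dev" >&2
        return 1
    }

    # Seal a fresh random key in the TPM, bound to the chosen PCRs, and add
    # it as a new keyslot plus a "systemd-tpm2" token in the LUKS2 header.
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" "$dev"

    # Emit the crypttab line the caller should add to /etc/crypttab.
    uuid=$(blkid -s UUID -o value "$dev")
    crypttab_line cryptroot "$uuid"
}

# Usage (as root): sh luks-tpm.sh --enroll /dev/nvme0n1p2 [pcrs]
case "${1:-}" in
    --enroll) enroll_tpm2 "$2" "${3:-7}" ;;
esac
```

After adding the printed line to /etc/crypttab, rebuild the initramfs with the distro's tool (update-initramfs -u on Debian-family, dracut -f on Fedora-family; both assumed here) so the early-boot hook knows to ask the TPM. Verify the fallback before relying on it: clear the enrolled slot with `systemd-cryptenroll --wipe-slot=tpm2 <dev>` or disable Secure Boot in firmware and confirm the passphrase prompt still appears.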


Sure, perhaps, but parent’s point still stands that AWS techs are not plugging USB drives into servers, because their threat-model already includes state-sponsored attacks.


Not necessarily SE; there have been tons of 0-days exploited against stuff like WHMCS, Hostbill, Kayako and many other systems used by hosting companies to manage this kind of thing.

Colocation and epoxy in any relevant ports is the obvious way to avoid this.


If he has enough Bitcoins for it to be possible for ‘many of them’ to be stolen, he doesn’t have a small budget.


Just makes this thread stranger. I know if I had over $3M in BTC and was working professionally with them I wouldn't state my top budget was $55.

Edit: His tweets specifically talk about not using "cloud nonsense" and state that getting your own key to a rack is too expensive for him.


My goodness. Really? He refers to "cloud nonsense", then uses a "dedicated server"? That's a new kind of special.


From his tweets: he was renting a physical server for $55/m. So, a total joke.



