The first principle of securing your server console is physical security. If you don’t provide physical security, nothing else you do matters very much.
The processing unit should be locked in a place where no one can remove it or reboot it. Some network administrators remove both the keyboard and the monitor and manage the server remotely by using Novell Remote Manager or RCONSOLEJ. We suggest that you also consider using a power-on password whether you manage at the console or use RCONSOLEJ at a workstation.
Two features that provide additional security at the console are the following:
After you have provided physical security for your server, you can use the SECURE CONSOLE command line utility to provide the following security features, while still allowing you to use the console:
HINT: To protect the server console by encrypting the RCONSOLEJ password in the autoexec.ncf file, see Loading the RConsoleJ Agent at Startup in the Remote Server Management for NetWare Administration Guide for OES.
To secure the server console, enter the following command at the System Console prompt:
SECURE CONSOLE
To secure the server console whenever the server is booted, add the SECURE CONSOLE command to the server’s autoexec.ncf file. If the autoexec.ncf file loads modules from any directory other than sys:system or c:\nwserver, then in the .ncf file the SECURE CONSOLE command must follow the LOAD commands for these modules.
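The ordering rule above can be checked mechanically before a reboot. The following Python sketch is an added example, not part of the Novell documentation; the module names and the sys:\apps directory in the samples are constructed, and it assumes that NCF comment lines begin with #, ; or REM and that a LOAD target given without a path resolves from the default search path.

```python
import re

# Directories the page names as exempt from the ordering rule (normalized form).
ALLOWED_DIRS = {"sys:system", "c:nwserver"}
COMMENT = re.compile(r"^\s*(#|;|rem\b)", re.IGNORECASE)
LOAD = re.compile(r"^\s*load\s+(\S+)", re.IGNORECASE)
SECURE = re.compile(r"^\s*secure\s+console\s*$", re.IGNORECASE)

def module_dir(spec):
    """Normalized directory of a LOAD target, or None when no path is given."""
    spec = spec.lower().replace("/", "\\")
    spec = re.sub(r":\\+", ":", spec)          # sys:\system -> sys:system
    if "\\" in spec:
        return spec.rsplit("\\", 1)[0]
    if ":" in spec:
        return spec.split(":", 1)[0] + ":"     # module in a volume root
    return None                                # assumption: default search path

def audit_ncf(text):
    """Return (line of first SECURE CONSOLE or None, LOADs that violate the rule)."""
    secure_line, late_loads = None, []
    for n, line in enumerate(text.splitlines(), 1):
        if COMMENT.match(line):
            continue
        if SECURE.match(line):
            secure_line = secure_line or n
            continue
        m = LOAD.match(line)
        if m and secure_line is not None:
            d = module_dir(m.group(1))
            if d is not None and d not in ALLOWED_DIRS:
                late_loads.append((n, m.group(1)))
    return secure_line, late_loads

# Constructed sample files (module names and sys:\apps are hypothetical).
SAMPLE_BAD = r"""# autoexec.ncf
LOAD sys:system\monitor.nlm
SECURE CONSOLE
LOAD sys:\apps\backup.nlm
LOAD c:\nwserver\driver.nlm
"""
SAMPLE_GOOD = r"""# autoexec.ncf
LOAD sys:\apps\backup.nlm
SECURE CONSOLE
LOAD c:\nwserver\driver.nlm
"""
if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, audit_ncf(text))
```

A first element of None means the file never issues SECURE CONSOLE; a non-empty list names each LOAD line that should be moved above it.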
IMPORTANT: To disable SECURE CONSOLE, you must first shut down the NetWare server and reboot it. If the SECURE CONSOLE command is in the autoexec.ncf file, use EDIT or any text editor to remove it before you shut down the server and reboot it.
For more information on using SECURE CONSOLE, see SECURE CONSOLE in the Utilities Reference for OES.
The console-locking feature in the scrsaver.nlm allows you to require a password before gaining access to the server console prompt. If a key is pressed when the console lock is enabled, a dialog box appears. You must then supply an eDirectory username and password. For more information, see Unlocking the Server Console.
When the screen saver is activated, it displays a moving snake for each processor on the server. Each snake is a different color: the first one is red, the second is blue, etc. The speed of each snake and the length of its tail are directly proportional to the processor’s utilization.
If the console is unlocked, press any key to activate the console. The snake screen will disappear.
To display command options for SCRSAVER, enter the following at the System Console prompt:
SCRSAVER HELP
Command options allow you to enable and disable locking, check the status of the lock options, and change the length of time the console is allowed to be inactive before the screen saver is activated. The default is 600 seconds (10 minutes).
For more information about a command option, enter the following at the System Console prompt:
SCRSAVER HELP command_option
To load the SCRSAVER module, enter the following at the System Console prompt:
SCRSAVER [option; option...]
When you load the screen saver, the default is to enable the console-locking feature and to require a password for access.
For more information, see SCRSAVER in the Utilities Reference for OES.
To unlock the server console after locking it using scrsaver.nlm, complete the following:
While the screen-saver snake is displayed, press any key on the server console keyboard.
(Conditional) At the Login dialog box, press Enter to select the field.
The login box appears only if the console is locked.
Enter an eDirectory username.
The eDirectory user must be either of the following:
access control list (ACL) property of the Server object.
console operator with the user or group being a trustee of the Server object with at least the Read right to the [All Attributes Rights] property of the Server object.
Press Enter again to select the field.
Type the password for the username and press Enter twice.
The screen-saver snake disappears and the server console screen appears.