The first principle of securing your server console is physical security. If you don’t provide physical security, nothing else you do matters very much.
The processing unit should be locked in a place where no one can remove it or reboot it. Some network administrators remove both the keyboard and the monitor and manage the server remotely by using Novell Remote Manager or RCONSOLEJ. We suggest that you also consider using a power-on password whether you manage at the console or use RCONSOLEJ at a workstation.
Two features that provide additional security at the console are the following:
After you have provided physical security for your server, you can use the SECURE CONSOLE command line utility to provide the following security features, while still allowing you to use the console:
HINT:To protect the server console by encrypting the RCONSOLEJ password in the autoexec.ncf file, see Remote Server Management for NetWare Administration Guide for OES.
To secure the server console, enter the following command at the System Console prompt:
To secure the server console whenever the server is booted, add the SECURE CONSOLE command to the server’s autoexec.ncf file. If the autoexec.ncf file loads modules from any directory other than sys:system or c:\nwserver, then in the .ncf file the SECURE CONSOLE command must follow the LOAD commands for these modules.
IMPORTANT:To disable SECURE CONSOLE, you must first shut down the NetWare server and reboot it. If the SECURE CONSOLE command is in the autoexec.ncf file, use EDIT or any text editor to remove it before you shut down the server and reboot it.
The console-locking feature in the scrsaver.nlm allows you to require a password before gaining access to the server console prompt. If a key is pressed when the console lock is enabled, a dialog box appears. You must then supply an eDirectory username and password. For more information, see Unlocking the Server Console.
When the screen saver is activated, it displays a moving snake for each processor on the server. Each snake is a different color: the first one is red, the second is blue, etc. The speed of each snake and the length of its tail are directly proportional to the processor’s utilization.
If the console is unlocked, press any key to activate the console. The snake screen will disappear.
To display command options for SCRSAVER, enter the following at the System Console prompt:
Command options allow you to enable and disable locking, check the status of the lock options, and change the length of time the console is allowed to be inactive before the screen saver is activated. The default is 600 seconds (10 minutes).
For more information about a command option, enter the following at the System Console prompt:
SCRSAVER HELP command_option
To load the SCRSAVER module, enter the following at the System Console prompt:
SCRSAVER [option; option...]
When you load the screen saver, the default is to enable the console-locking feature and to require a password for access.
To unlock the server console after locking it using scrsaver.nlm, complete the following:
While the screen-saver snake is displayed, press any key on the server console keyboard.
(Conditional) At the Login dialog box, press Enter to select thefield.
The login box appears only if the console is locked.
Enter an eDirectory username.
The eDirectory user must be either of the following:
Press Enter again to select thefield.
Type the password for the username and press Enter twice.
The screen-saver snake disappears and the server console screen appears.