The first principle of server console security is physical security. If you don't provide physical security, nothing else you do matters very much.
The processing unit should be locked in a place where no one can remove it or reboot it. Some network administrators remove both the keyboard and the monitor and manage the server remotely by using the Remote Management Facility (RCONSOLE and REMOTE). We suggest that you also consider using a power-on password whether you manage at the console or use RCONSOLE at a workstation.
Two utilities provide additional security at the console:
Procedures for using the utilities follow:
When you have provided physical security for your server, you should secure the console. The SECURE CONSOLE utility provides the following security features, while still allowing administrators to use the console:
Keep in mind that when you issue SECURE CONSOLE, the server must be taken down and rebooted to un-secure the console. (Now that server parameter settings are persistent in NetWare 5, you can down the server without losing the settings you made to optimize and tune your server.) For more information, see Reference > Utilities Reference > Utilities > SECURE CONSOLE.
When you use SECURE CONSOLE with the Remote Management Facility, access via RCONSOLE is subject to the protections provided by SECURE CONSOLE.
SECURE CONSOLE does not lock the server console. You can lock the console by using SCRSAVER. If the console is locked using the console-locking feature, an intruder can still access the console from a remote workstation; however, the intruder must still be authenticated to NDS® through the SCRSAVER console lock.
HINT: To protect the server console by encrypting the RCONSOLE password in the autoexec.ncf file, see Remote Server Management > Setting Up RConsoleJ > Loading RConsoleJ Modules at Startup. To restrict remote connections, see Reference > Utilities Reference > Utilities > REMOTE.
To secure the server console, enter at the server console prompt:
SECURE CONSOLE
To secure the server console whenever the server is booted, add the SECURE CONSOLE command to the server's autoexec.ncf file. If the autoexec.ncf file loads modules from any directory other than sys:system or c:\nwserver, then in the .ncf file the SECURE CONSOLE command must follow the LOAD commands for these modules.
IMPORTANT: To remove SECURE CONSOLE, you must first down the NetWare server and reboot it. If the SECURE CONSOLE command is in the autoexec.ncf file, use EDIT or any text editor to remove it before you down the server and reboot.
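The ordering rule for autoexec.ncf described above can be checked before a reboot. The following Python sketch is an added example, not part of the NetWare documentation or tooling. The function name `audit_ncf`, the sample file contents, and the handling of `#`, `;` and `REM` comment lines are assumptions, and only explicit LOAD lines are inspected.

```python
import re

# Normalized forms of the two directories the text names: sys:system and c:\nwserver.
TRUSTED_DIRS = {"sys:system", "c:nwserver"}

def module_dir(path):
    """Return the normalized directory of a module path, or None for a bare name."""
    p = path.lower().replace("/", "\\").replace(":\\", ":")
    if "\\" in p:
        return p.rsplit("\\", 1)[0]
    if ":" in p:
        return p.split(":", 1)[0] + ":"
    return None  # bare module name, no explicit directory given

def audit_ncf(text):
    """Return (line number of SECURE CONSOLE or None, LOADs that wrongly follow it)."""
    secured_at = None
    misplaced = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks and comment lines (comment syntax is an assumption).
        if not line or line[0] in "#;" or line.lower().startswith("rem "):
            continue
        if re.fullmatch(r"secure\s+console", line, re.IGNORECASE):
            if secured_at is None:
                secured_at = lineno
            continue
        m = re.match(r"load\s+(\S+)", line, re.IGNORECASE)
        if m and secured_at is not None:
            d = module_dir(m.group(1))
            # A LOAD from any other directory must come before SECURE CONSOLE.
            if d is not None and d not in TRUSTED_DIRS:
                misplaced.append((lineno, m.group(1)))
    return secured_at, misplaced

# Constructed sample autoexec.ncf; module and volume names are made up.
SAMPLE = r"""# constructed sample autoexec.ncf
LOAD sys:system\monitor.nlm
SECURE CONSOLE
LOAD vol1:apps\backup.nlm
LOAD c:\nwserver\driver.nlm
"""

if __name__ == "__main__":
    secured_at, misplaced = audit_ncf(SAMPLE)
    print("SECURE CONSOLE at line:", secured_at)
    for lineno, path in misplaced:
        print(f"line {lineno}: move 'LOAD {path}' above SECURE CONSOLE")
```

A result of `None` for the first value means the file never issues SECURE CONSOLE, so the console is not secured at boot.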
The console-locking feature has been removed from MONITOR and included with the screen saver in its own module, scrsaver.nlm.
When the screen saver is activated, it displays a moving snake for each processor on the server. Each snake is a different color: the first one is red; the second is blue, etc. The speed of each snake and the length of its tail are directly proportional to the processor's utilization.
The console-locking feature allows you to require a password before gaining access to the server console prompt. If a key is pressed when the console lock is enabled, a dialog box appears. You must then supply an NDS username and password. In addition, the User object must have Write rights to the access control list (ACL) of the Server object to gain access to the server console prompt.
If the console is unlocked, press any key to activate the console. The snake screen will disappear.
To display command options for SCRSAVER, enter at the server console prompt:
SCRSAVER HELP
Command options allow you to enable and disable locking, check the status of the lock options, and change the length of time the console is allowed to be inactive before the screen saver is activated. The default is 600 seconds (10 minutes).
For more information about a command option, enter at the console prompt:
SCRSAVER HELP command_option
To load the SCRSAVER module, enter at the server console prompt:
SCRSAVER [option; option...]
When you load the screen saver, the default is to enable the console-locking feature and to require a password for access. The corresponding NDS user must have Write rights to the Access Control List (ACL) of the Server object.
For more information, see Reference > Utilities Reference > Utilities > SCRSAVER in Utilities Reference.
From the screen saver snake display, press any key.
At the login box, press Enter to highlight the username field.
The login box appears only if the console is locked.
Enter the username.
The User object must have Write rights to the ACL for the Server object.
If the username field is blank or if you want to change the username, type in an NDS™ username and context. Again, the User object must have the required rights.
Press Enter again to highlight the password field.
Type the password for the username and press Enter twice.
The screen saver disappears and the server console screen appears.