Security features deter unauthorized use of your system and data. If you use your server in a public environment, such as an office, you might want to protect it and the data stored on it, by using one or more security features. Before implementing any security features, you might begin by evaluating your security needs. Where will the system be located? Does it need to be secured to permanent furniture or fixtures? Should use of the system be limited? When you have identified your security needs, you can activate or implement the appropriate security features. LogicLock (comes with SurePath systems) Securing
Hardware
Securing
Data
Securing Data
from Loss
LogicLock
(Comes
with SurePath systems) NOTE:
We are not sure on how the LogicLock switches provide
input to the CMOS. At this point, I am not sure if
there are ancillary ICs involved with storing status
outside of the CMOS. So until further notice, don't
enable the PAP (Unauthorized Access Monitor). LogicLock (advanced security features)
that come with
your server include tamper-evident switches. This active
security feature
uses microswitches on the covers to indicate if someone
has tried to open
the front cover. Location and pinout of Cover Interlock
Connector (JMP3)
If the case cover is forced while PAP is enabled, the CMOS user configuration will be erased and the system power will be shut off. This will force an autoconfiguration or manual configuration, but either will require the use of the Administrator or Privileged Access Password (PAP). NOTE: If the PAP
is forgotten, the planar must be replaced or returned
for repair. Extended Control Register A (Hex 4A) Michal Necasek said ![]() Cover Interlock Connector
Notes:
The upper assembly has a plunger sticking out of
the front side.
That plunger is actuated by a long post that is part of
the front case
cover.
Securing Hardware
Subtopics:
U-Bolt
Facility
Door Locks
and Keys
Two keys are provided with your server. Always store the keys in a safe place. If you lose them, you must order a replacement lock mechanism and keys from IBM. Please note that anyone who has the key serial number and manufacturer's address can order duplicate keys, so store the tag in a safe place. The cable-cover option prevents the cables from being removed from the rear of the server, and prohibits other computers or devices from being attached to the unused connectors. Note: The cable cover does not protect against unauthorized access through devices attached outside of the system. Unauthorized-Access
Monitor
When you set an administrator password, the unauthorized-access monitor is automatically enabled. If you do not want the system to stop operations if the covers are tampered with, set the unauthorized-access monitor to Disable. You can change the setting of this feature through the Change Configuration screen. Removable
Media
Not all operating systems support this feature. Securing
Data
Some advanced network management programs
can actually
audit usage, based on names, adapter addresses, date,
time, and unsuccessful
attempts to access a file. This type of
information can help you
identify users who are attempting to access restricted
data. To secure extremely sensitive data, you might want to consider using a commercially available data-encryption tool. These tools encode the data files so that they are unintelligible, thus useless if stolen. There are two ways that you can encrypt data: by using a program or using an encryption device. The software programs are usually less expensive than the hardware devices, but they also are slower. Subtopics:
Power-On Password
The power-on password locks the keyboard
and mouse (if
attached to the mouse port) to help prevent unauthorized
use of your server.
If you are using a mouse that is connected to the serial
port, the mouse
remains active. After you set a power-on password, Enter password appears each time you turn on the server. Before you can use the server, you must enter the correct password. (The password does not appear on the screen as you type it.) When you enter the correct password, Password accepted appears on the screen, the keyboard and mouse are unlocked, and the system resumes normal operation. If you type the wrong password, Incorrect password appears on the screen and Enter password is again displayed. After three incorrect attempts, you must turn off the server and start again. Unattended
Start Mode
Although Enter password does not appear, the keyboard and mouse remain locked until you enter the correct password. This mode is ideal for systems that operate unattended. If a power failure occurs, the system automatically restarts when power returns and resumes normal operation, without operator intervention. ATTENTION MOUSE USERS: The following statement applies only to those who use a PS/2-style mouse; a serial mouse is not affected. In the unattended start mode, the keyboard and mouse ports are disabled (locked). Because of this, the system cannot detect that a mouse is attached, and an error occurs. You must do one of the following: o In the
CONFIG.SYS file,
set the operating system so that it does not stop on a
device-driver error.
For example, under OS/2 , use the PAUSEONERROR=NO
statement.
When using the OS/2 operating system, if
you do not perform
one of the previous steps, the system issues an error
message, halts, and
prompts you to press Enter to continue. Before
pressing Enter, type
the power-on password. Administrator
Password
The administrator password allows you to control who has access to the system programs. If an administrator password is set, you must enter it to use the system programs in the System Partition on the hard disk or on the Reference Diskette. The administrator password also can be used to override the power-on password. After an administrator password is set, only those who know the password can perform tasks such as: o Altering computer settings or features controlled by
the system programs
Your server is shipped with the administrator
password feature
Disabled. You must move a jumper
on the system board before an administrator password can
be set for the
first time. The jumper has two positions:
Warning: If an administrator password is set, then forgotten, it cannot be overridden or removed. The system board must be replaced in order to access the system programs. Subtopics:
How
the Administrator Password Works
You can use any combination of up to seven
characters
(A-Z, a-z, and 0-9) for your administrator password,
just as you can with
your power-on password. For additional security,
the two passwords
should not be the same. One important difference between the
power-on password
and the administrator password is that a forgotten
administrator password
cannot be overridden or disabled. The single most
important reason
for setting an administrator password is that when one
is set, only those
who know the password can access the system programs and
modify the hardware
or change any of the settings. If you type the wrong password, Incorrect password appears and Enter the privileged-access password is again displayed. After three incorrect attempts, The system is locked message is displayed and you must turn off the server and start again. Setting
an Administrator Password
Forgotten
Administrator Password
Keyboard Password
The way you set the keyboard password
depends on the operating
system you are using. The OS/2 operating system
provides keyboard-password
protection as a standard feature. If you forget your keyboard password, turn off the server for at least 5 seconds; then turn it on. The keyboard password is erased from memory when you turn off the server. Selectable
Drive Startup
In most cases, you do not need to change
the default drive-startup
sequence. However, if you set an administrator
password, or are working
with multiple hard disk drives, multiple operating
systems, or different
sized diskette drives, you might want to change the
default drive-startup
sequence. The default drive-startup sequence checks
the primary
diskette drive for a self-starting (bootable)
diskette. If one is
present, the operating system or program is loaded from
the diskette.
If not, the system checks the primary hard disk for an
operating system.
If one is present, it is loaded from that hard
disk. If you start the system from a diskette,
the drive containing
the diskette becomes drive A, regardless of the defined
sequence, and the
first hard disk selected in the startup sequence becomes
drive C.
You can choose a startup sequence of up to four
drives. You can customize the startup sequence by changing the order in which the system checks the drives. You decide which four drives are the first to be checked, and the order in which the system checks them. Notes:
2. When you change the startup sequence, the drive letters also might change. The operating system assigns the drive letters when the system starts. Letters A and B always are assigned to diskette drives. Subsequent drive letters can be assigned to any type of drive based on the operating system or the device drivers used. Warning: If you changed your startup sequence, you must be extremely careful when doing write operations (for example, copying, saving, or formatting). You can accidentally overwrite data or programs if you select the wrong drive. Secure IPL
Source
The setup routine ensures that at least
one source is
specified if the privileged-access password is
used. Earlier PS/2 models could also specify the
startup sequence;
however, the sequence was stored in CMOS and could be
erased. In
these systems, the sequence is stored in nonvolatile
memory and cannot
be deactivated by removing a battery.
Securing
Data from Loss
There are primarily three ways that you can protect your data from loss. You can wait until the data accumulates on the server, and then make backup copies of all the hard disks. You can configure a disk array to duplicate data (create a redundant copy) as it is entered, and then store the duplicate copy on a separate hard disk. Or, you can configure a disk array to store the parity information about the data on the array as the data is being entered. Subtopics:
Backup
Copies
Backing up the entire contents of a hard
disk to diskettes
can be very time-consuming and, in the case of a network
server that has
multiple hard disks, might require hundreds of
diskettes. A faster
and more efficient way to back up the data is to use a
tape-backup drive.
Using a tape-backup drive, you can copy several billion
bytes of data from
the hard disks to a single tape. Redundant
Copies
Parity Information
Viruses
Viruses are difficult to detect.
Many stay inactive
until triggered by a specified event such as a date,
command, or some other
operation. Others are activated when an infected
program is started
a specified number of times. When the symptoms of
thevirus appear,
it might be difficult to determine if the problem is a
hardware failure,
a problem in the software, or a virus in action. Several programs are available that can
detect the presence
of many known viruses. These programs typically
examine files and
look for patterns associated with these viruses, or look
for changes in
the size of files. These programs are best used as
a preventive measure
to detect a virus before it becomes widespread or causes
damage.
Many computer users check for viruses on a regular
basis. When a virus is found, it must be
removed. This
might be as simple as replacing a file, or it might
require the assistance
of a trained technician. Viruses are generally spread unknowingly from computer to computer when programs are exchanged or shared. If you don't know where a program came from, be careful. Most reputable program distributors and bulletin-board owners scan their files to guard against viruses and maintain records to identify program owners. Here are a few tips to help
guard against computer
viruses:
Remember, not every problem is caused by a virus. If your system starts acting erratically, refer to your troubleshooting charts in the User's Handbook to test the system. Erased
Files
One way to help ensure that no readable
information is
left on a hard disk is to do a low-level format.
An operating-system
format operation does not remove all information from a
hard disk. The operating-system format operation
works a little differently
with diskettes. It writes a repeated pattern over
the entire surface.
Any information that was on the diskette becomes
unreadable. Depending on the type of information stored, you might require additional safeguards. Backup
Power Supply
Subtopics:
Uninterruptible
Power Supplies
Personal Experience!
Standby
Power Supplies
|