Physical SecurityWhen you purchase Mac OS X Server, it's assumed you'll be using one of the several services on the server. This means data is being stored on the serverwhether it's user information such as the LDAP directory or files stored by usersand that data must be protected.If you set up your Mac OS X Server where anyone has access to the box, you're leaving it open to a physical attack. There are several ways in which someone can attack your server if they have physical access to the box:Opening the box and stealing the hard disk(s)Stealing the drive bays and disks out of an XserveShutting down the server by either holding down the power button or unplugging the power cable, and then booting into a less secure mode (Table 10.1).Chapter 11, "Running a NetBoot Server.")View all bootable mediaOptionPermits any person to view (and boot from), as icons, any other bootable disks, partitions, and bootable media that contain a blessed and bootable system. Preventing unauthorized loginsUsing the methods listed in Table 10.1, any person can boot off another device and view, erase, change, or otherwise tamper with your server. To thwart these types of intrusion, download and install Open Firmware Password, which you can obtain from Apple's Web site ([http://docs.info.apple.com/articlel?artnum=120095]).Once Open Firmware Password is installed, any person attempting any of the boot methods in Table 10.1 will be denied. The only variance is that Open Firmware Password allows any user to boot while holding down the Option key. However, when Open Firmware Password is implemented, the user sees only a padlock and an entry field rather than all possible bootable media. The user must know the Open Firmware Password application's password to view all the supported bootable media and subsequently temporarily change the boot disk to one of the available choices.To use Open Firmware Password:
Securing the server roomThe second piece of physical security is, of course, the room in which the server resides. This isn't just a Mac OS X Server issue, but it's worth mentioning that any good administrator limits access to the room where the servers are stored. Out of site, out of mind, as the old adage goes. If placing the server in a locked room isn't feasible, use the locking methods and remove the keyboard, mouse, and monitor unless they're absolutely necessary.Remember, you can administer Mac OS X Server with a few main tools, all of which run remotely. Most of the tools can be found in the /Applications/Server directory. The Terminal application and Directory Access both reside in the /Applications/Utilities directory. Apple Remote Desktop, which you must purchase separately, lets you (from a remote computer) see and control the screen, keyboard, and mouse as if you were sitting in front of the server itself. These tools should be on your Mac OS X client computer.
|