This section discusses some technologies used in IBM PC Servers to comply
with the United States Department of Defense (DoD) security requirements.
Security features in the IBM PC Server line vary by model, and not all
models have all the security features described here.
DoD requirements have been very influential in defining security standards
used in computer system implementations (both hardware and software) around
the world. The source for these requirements is the Department of
Defense, Trusted Computer System Evaluation Criteria, DoD 5200.28 STD,
dated 12/85. The essence of the requirements is contained in the
Assurance section, Requirement 6: "a trusted mechanism must be
continuously protected against tampering and/or unauthorized changes..."
The National Computer Security Center (NCSC) evaluates computer system
security products with respect to the criteria defined by the U.S.
Department of Defense.
There are seven computer system security product classifications in
the DoD requirements: A1, B3, B2, B1, C2, C1, and D. The requirements
for these classifications fall into four basic groups: security policy,
accountability, assurance, and documentation. Several criteria, which
vary by security classification, are specified in each of these groups.
Currently, A1 is the highest classification, followed by B3, B2, and so
on. The C2 classification satisfies most of the security requirements
for personal computing environments.
On the IBM MCA PC Servers, IBM implements a collection of security features
referred to as the LogicLock security system. LogicLock is designed
to be hardware compliant with the C2 security classification. It
goes far beyond basic PC security systems in its design to protect data
against unauthorized access.
LogicLock security features include:
Optional secure I/O cables
Optional secure removable media
Selectable drive startup
Unattended start/server mode
Systems equipped with a tamper-evident cover have a key
lock for their covers and internal I/O devices. In the locked position,
it mechanically prevents the covers from being removed. The key has
been changed to a type that can be duplicated only by the manufacturer.
If the covers are forced open, an electro-mechanical switch
and perimeter sensor detect the intrusion. If the computer was on
during the break-in attempt, depending on options specified during system
setup, it will either defer action until the next IPL, lock up, or pass
a non-maskable interrupt (NMI) to the software.
The next time the computer is started, the power-on self-test
(POST) routine displays a message informing the user of the intrusion and
requires that the automatic configuration program be run before the computer
can be used. This is done to flag any configuration changes that
may have occurred due to the intrusion (for example, removal of a disk
drive). In addition, the system cannot be used without the privileged-access
password if it has been set. There is a provision for maintenance that
allows the system to be used without the covers in place. However,
to use this feature, the key must have been used to remove the covers.
Other systems may have lockable covers. However,
it is not that difficult to pry the system unit cover off, disable or unplug
the key mechanism, and get inside the system. The tamper-evident mechanism
is an important feature that flags the intrusion and prevents the operation
of the system after a forced entry has occurred. This detection feature
is very valuable for detecting the person most likely to break into the
secured workstation, the user. Once the machine has been disabled,
the system owner or administrator must be contacted to reset the system.
Optional secure I/O
This rear-panel security option is an enclosure that is
secured to the back of the computer by the cover lock. Its function
is to prevent the cables from being removed and other cables from being
attached. This effectively secures the serial, parallel, and SCSI
cables, as well as other ports and cables provided by adapters, because
it prevents someone from attaching a device through these connectors
and gaining access to the data in the system. The cable cover also
has a tamper-evident feature. (Ed. I have
seen covers for 85/95 and 77 systems)
IBM PC Servers are equipped with several layers of password protection.
The most basic is the power-on password. The power-on password must
be entered correctly each time the system is turned on. After three
incorrect attempts, the system must be turned off and back on in order
to try again. (Ed. The POP can be erased)
The keyboard password is another level of password protection
and is used to lock the keyboard without turning the computer off.
It also prevents rebooting the system by pressing the Ctrl+Alt+Del keys.
(Ed. You can install it by running KP.COM
from your refdisk)
Because the power-on and keyboard passwords can be defeated
by deactivating the battery inside the system, another level of password
protection is provided. This security feature is called the privileged-access
password. It provides a much higher level of security.
The privileged-access password restricts access to system
programs, prevents the IPL source and sequence from being changed, and
effectively deters unauthorized modifications to the hardware. Also,
if a forced entry is detected by the tamper-evident cover switch, the privileged-access
password (if it has been set) must be used in order to make the system
The privileged-access password is stored in a special type of read only
memory called flash EEPROM. EEPROM is an acronym for electrically erasable
programmable read only memory.
Systems are shipped with the privileged-access password
disabled. To set this password, a jumper on the system board must
be moved in order to put the system in the change state. Once this
password is set, it cannot be overridden or removed by an unauthorized
If the administrator misplaces or forgets
the privileged-access password, the system board will have to be replaced.
There is no way to reset a forgotten privileged-access password. (Ed.
To date, there's no way that has fully succeeded. None.)
Optional secure removable
An optional 2.88 MB diskette drive with security features
is available on some IBM PC Server systems. The diskette drive is
a 3.5-inch, one-inch high drive with media sense capability for the standard
diskette capacities of 720 KB, 1.44 MB, and 2.88 MB. It can read
and write data up to a formatted capacity of 2.88 MB, while maintaining
read and write capability with 720 KB and 1.44 MB diskette drives.
A control signal has been added to the diskette interface
that supports LOCK, UNLOCK, and EJECT commands issued by the operating
system. If the privileged-access password is not set, the diskette
is unlocked during POST. If the password is set, the boot process
does not unlock the diskette drive unless it is the designated IPL source.
In this case, the LOCK and UNLOCK state is controlled by an operating system
utility. (Ed. Thanks to "James"
I dug a little and found the complete sentence) For SCSI devices,
there is a proposed standard UNLOCK command. In this case, the operating
system will control the LOCK command if the privileged-access password
is set. Access to the unlocking function with specific user authorization
can be controlled by secured system software.
In the event of power loss, the system retains its state (secured or
unsecured) independent of the state of the battery. A diskette can
be inserted in the drive, but it cannot be removed if the power is off.
When the drive is turned on and locked, the media cannot be inserted or
Selectable drive startup allows the system owner or administrator
to select the IPL source and sequence. This allows the system owner
to control the IPL source, but prevents the user from modifying the source
and sequence. For example, the diskette drive can be excluded as
a source. This feature helps to ensure that the system owner's
specified operating system is loaded.
The IPL sequence is stored in the system EEPROM and can
only be changed using the privileged-access password. Storage of
the IPL sequence in the EEPROM protects it from being deactivated by removing
the battery. The setup routine ensures that at least one IPL source
is specified if the privileged-access password is used.
The unattended start mode automatically restarts the server
after a power failure and resumes normal operation, without operator intervention.
It locks the keyboard when the system is powered on, but
it allows the operating system and startup files to be loaded. The
keyboard remains locked until the power-on password is entered.
This mode is useful for unattended operations because
it allows authorized network user access to information on the server but
prohibits unauthorized access via the system keyboard.
When the system is in the unattended/server mode, the
password prompt will not appear unless an attempt to start the system from
a diskette or other removable media is issued. If you start the system
from a removable media, the password prompt will appear and you must enter
the correct power-on password to continue.
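
The following is an added example, not IBM firmware or code from the original page: a small Python model of the power-on decisions described above, showing which protections survive battery removal because they live in EEPROM. The class, field and method names are hypothetical, and the model assumes that "designated IPL source" means the diskette appears in the IPL sequence and that automatic configuration clears the intrusion flag.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Server:
    # Battery-backed: the page says deactivating the battery defeats this.
    power_on_password: Optional[str] = None
    # EEPROM-backed: the page says these survive battery removal.
    privileged_access_password: Optional[str] = None
    ipl_sequence: Tuple[str, ...] = ("diskette", "hard disk")
    tamper_latched: bool = False  # set when the cover is forced open
    unattended: bool = False      # storage location not stated on the page

    def remove_battery(self) -> None:
        self.power_on_password = None  # EEPROM fields are untouched

    def post(self, source: str, pop: Optional[str] = None,
             pap: Optional[str] = None) -> dict:
        """Model one power-on; returns the outcome as a dict."""
        out = {"boots": False, "keyboard_locked": False, "events": []}
        pap_set = self.privileged_access_password is not None
        # No PAP: diskette unlocked during POST. With a PAP: only when it is
        # an IPL source (assumption: modelled as membership in ipl_sequence).
        out["diskette_unlocked"] = (not pap_set) or "diskette" in self.ipl_sequence
        if self.tamper_latched:
            out["events"].append("intrusion reported")
            if pap_set and pap != self.privileged_access_password:
                out["events"].append("privileged-access password required")
                return out
            # Assumption: automatic configuration runs here and clears the flag.
            out["events"].append("automatic configuration run")
            self.tamper_latched = False
        if source not in self.ipl_sequence:
            out["events"].append(source + " is not an allowed IPL source")
            return out
        if self.power_on_password is not None:
            if self.unattended and source != "diskette":
                out["keyboard_locked"] = True  # OS loads, keyboard stays locked
            elif pop != self.power_on_password:
                out["events"].append("power-on password required")
                return out
        out["boots"] = True
        return out
```

In this model, removing the battery clears the power-on password, but the IPL sequence and the privileged-access password still decide whether a diskette can start the system and whether the system can be used after a forced entry.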