This section discusses some technologies used in IBM PC Servers to comply with the United States Department of Defense (DoD) security requirements.  Security features in the IBM PC Server line vary by model; not all models have every security feature described here. 

DoD requirements have been very influential in defining the security standards applied to computer system implementations (both hardware and software) around the world.  The source for these requirements is the Department of Defense Trusted Computer System Evaluation Criteria, DoD 5200.28-STD (the "Orange Book"), dated December 1985.  The essence of the requirements is contained in the Assurance section, Requirement 6:  "a trusted mechanism must be continuously protected against tampering and/or unauthorized changes..."  The National Computer Security Center (NCSC) evaluates computer system security products against the criteria defined by the U.S. Department of Defense. 

There are seven computer system security product classifications in the DoD requirements:  A1, B3, B2, B1, C2, C1, and D.  The requirements for these classifications fall into four basic groups:  security policy, accountability, assurance, and documentation.  Several criteria, which vary by security classification, are specified in each of these groups.  Currently, A1 is the highest classification, followed by B3, B2, and so on.  The C2 classification satisfies most of the security requirements for personal computing environments. 

On the IBM MCA PC Servers, IBM implements a collection of security features referred to as the LogicLock security system.  LogicLock is designed to be hardware compliant with the C2 security classification.  It goes far beyond basic PC security systems in its design to protect data against unauthorized access. 

LogicLock security features include: 

   Tamper-evident switches 
   Optional secure I/O cables 
   Power-On Password 
   Keyboard Password 
   Privileged-access password 
      Forgotten PAP? 
   Optional secure removable media 
   Selectable drive startup 
   Unattended start/server mode 

Tamper-evident switches
   Systems equipped with a tamper-evident cover have a key lock for their covers and internal I/O devices.  In the locked position, it mechanically prevents the covers from being removed.  The key is of a type that can be duplicated only by the manufacturer. 
   If the covers are forced open, an electro-mechanical switch and perimeter sensor detect the intrusion.  If the computer was on during the break-in attempt, depending on options specified during system setup, it will either defer action until the next IPL, lock up, or pass a non-maskable interrupt (NMI) to the software. 
   The next time the computer is started, the power-on self-test (POST) routine displays a message informing the user of the intrusion and requires that the automatic configuration program be run before the computer can be used.  This is done to flag any configuration changes that may have occurred due to the intrusion (for example, removal of a disk drive).  In addition, the system cannot be used without the privileged-access password if it has been set.  There is a provision for maintenance that allows the system to be used without the covers in place.  However, to use this feature, the key must have been used to remove the covers. 

   Other systems may have lockable covers.  However, it is not that difficult to pry the system unit cover off, disable or unplug the key mechanism, and get inside the system.  The tamper-evident mechanism is an important feature because it flags the intrusion and prevents operation of the system after a forced entry has occurred.  This detection feature is especially valuable against the person most likely to break into a secured workstation: its own user.  Once the machine has been disabled, the system owner or administrator must be contacted to reset the system. 

Optional secure I/O cables
   This rear-panel security option is an enclosure that is secured to the back of the computer by the cover lock.  Its function is to prevent the cables from being removed and other cables from being attached.  This effectively secures the serial, parallel, and SCSI cables, as well as other ports and cables provided by adapters.  This is because it prevents someone from attaching a device through these connectors and gaining access to the data in the system.  The cable cover also has a tamper-evident feature. (Ed. I have seen covers for 85/95 and 77 systems)

Power-On Password
   IBM PC Servers are equipped with several layers of password protection.  The most basic is the power-on password.  The power-on password must be entered correctly each time the system is turned on.  After three incorrect attempts, the system must be turned off and back on in order to try again. (Ed. The POP can be erased)

Keyboard Password
   The keyboard password is another level of password protection and is used to lock the keyboard without turning the computer off.  It also prevents rebooting the system by pressing the Ctrl+Alt+Del keys. (Ed. You can install it by running KP.COM from your refdisk)

Privileged-access password
   Because the power-on and keyboard passwords can be defeated by deactivating the battery inside the system, another level of password protection is provided.  This security feature is called the privileged-access password.  It provides a much higher level of security. 

   The privileged-access password restricts access to system programs, prevents the IPL source and sequence from being changed, and effectively deters unauthorized modifications to the hardware.  Also, if a forced entry is detected by the tamper-evident cover switch, the privileged-access password (if it has been set) must be used in order to make the system operational again. 

   The privileged-access password is stored in a special type of read only memory called flash EEPROM.  EEPROM is an acronym for electrically erasable programmable read only memory; unlike the battery-backed CMOS settings, its contents are not cleared by removing the battery. 

   Systems are shipped with the privileged-access password disabled.  To set this password, a jumper on the system board must be moved in order to put the system in the change state.  Once this password is set, it cannot be overridden or removed by an unauthorized person. 

Forgotten privileged-access password
     If the administrator misplaces or forgets the privileged-access password, the system board will have to be replaced.  There is no way to reset a forgotten privileged-access password. (Ed. To date, there's no way that has fully succeeded. None.)

Optional secure removable media 
   An optional 2.88 MB diskette drive with security features is available on some IBM PC Server systems.  The diskette drive is a 3.5-inch, one-inch high drive with media sense capability for the standard diskette capacities of 720 KB, 1.44 MB, and 2.88 MB.  It can read and write data up to a formatted capacity of 2.88 MB, while maintaining read and write capability with 720 KB and 1.44 MB diskette drives. 

   A control signal has been added to the diskette interface that supports LOCK, UNLOCK, and EJECT commands issued by the operating system.  If the privileged-access password is not set, the diskette is unlocked during POST.  If the password is set, the boot process does not unlock the diskette drive unless it is the designated IPL source. In this case, the LOCK and UNLOCK state is controlled by an operating system utility. (Ed. Thanks to "James" I dug a little and found the complete sentence)  For SCSI devices, there is a proposed standard UNLOCK command.  In this case, the operating system will control the LOCK command if the privileged-access password is set.  Access to the unlocking function with specific user authorization can be controlled by secured system software. 

   In the event of power loss, the system retains its state (secured or unsecured) independent of the state of the battery.  A diskette can be inserted in the drive, but it cannot be removed if the power is off.  When the drive is turned on and locked, the media cannot be inserted or removed. 
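The LOCK/UNLOCK control described above is, for SCSI devices, the PREVENT ALLOW MEDIUM REMOVAL command (opcode 1Eh); that this is the "proposed standard UNLOCK command" the text refers to is an assumption, as is everything else here.  The following added example, not code from IBM or the original page, builds and decodes that command's 6-byte CDB and gates the UNLOCK side behind a user-authorization check in the way the text says "secured system software" should once the privileged-access password is set.  The policy class, user names and the `may_unlock` helper are invented for the example.

```python
"""Added example: SCSI PREVENT ALLOW MEDIUM REMOVAL CDB plus an unlock policy.
Not IBM code; names and policy are assumptions made for illustration."""
from dataclasses import dataclass
from typing import FrozenSet

PREVENT_ALLOW_MEDIUM_REMOVAL = 0x1E   # SCSI opcode, 6-byte CDB

def build_prevent_allow_cdb(prevent: bool) -> bytes:
    """CDB layout: opcode, three reserved bytes, PREVENT bit (bit 0 of byte 4), control byte."""
    return bytes([PREVENT_ALLOW_MEDIUM_REMOVAL, 0x00, 0x00, 0x00, 0x01 if prevent else 0x00, 0x00])

def decode_prevent_allow_cdb(cdb: bytes) -> str:
    """Return 'LOCK' or 'UNLOCK' for a PREVENT ALLOW MEDIUM REMOVAL CDB, else raise."""
    if len(cdb) != 6 or cdb[0] != PREVENT_ALLOW_MEDIUM_REMOVAL:
        raise ValueError("not a PREVENT ALLOW MEDIUM REMOVAL CDB: %s" % cdb.hex())
    return "LOCK" if cdb[4] & 0x01 else "UNLOCK"

@dataclass(frozen=True)
class MediaLockPolicy:
    """Hypothetical OS-side policy: with no PAP the drive was already unlocked at POST,
    so anyone may unlock; with a PAP set, only authorized users may unlock.  Locking is
    always allowed because it only reduces access."""
    pap_set: bool
    authorized_users: FrozenSet[str]

    def may_unlock(self, user: str) -> bool:
        return (not self.pap_set) or user in self.authorized_users

    def request(self, user: str, lock: bool) -> bytes:
        """Return the CDB an authorized request would send, or raise PermissionError."""
        if not lock and not self.may_unlock(user):
            raise PermissionError("%s may not unlock removable media" % user)
        return build_prevent_allow_cdb(lock)

if __name__ == "__main__":
    # Constructed sample: PAP set, only "admin" may unlock.
    policy = MediaLockPolicy(pap_set=True, authorized_users=frozenset({"admin"}))
    for user, lock in (("operator", True), ("admin", False), ("operator", False)):
        try:
            cdb = policy.request(user, lock)
            print(user, decode_prevent_allow_cdb(cdb), cdb.hex())
        except PermissionError as exc:
            print("denied:", exc)
```

Sending the CDB to a real device is left out; on Linux that would be an `SG_IO` ioctl, and the kernel's own `PREVENT ALLOW` handling (for example via `eject -i`) already wraps it.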

Selectable drive startup 
   Selectable drive startup allows the system owner or administrator to select the IPL source and sequence.  This allows the system owner to control the IPL source, but prevents the user from modifying the source and sequence.  For example, the diskette drive can be excluded as an IPL source.  This feature helps to ensure that the system owner's specified operating system is loaded. 

   The IPL sequence is stored in the system EEPROM and can only be changed using the privileged-access password.  Storage of the IPL sequence in the EEPROM protects it from being deactivated by removing the battery.  The setup routine ensures that at least one IPL source is specified if the privileged-access password is used. 

Unattended start/server mode
   The unattended start mode automatically restarts the server after a power failure and resumes normal operation, without operator intervention. 
   It locks the keyboard when the system is powered on, but it allows the operating system and startup files to be loaded.  The keyboard remains locked until the power-on password is entered. 
   This mode is useful for unattended operations because it allows authorized network user access to information on the server but prohibits unauthorized access via the system keyboard. 
   When the system is in unattended start/server mode, the password prompt will not appear unless an attempt is made to start the system from a diskette or other removable media.  If you start the system from removable media, the password prompt will appear and you must enter the correct power-on password to continue. 
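The sections above (tamper-evident switches, power-on password, selectable drive startup, secure removable media and unattended start/server mode) together describe a set of POST-time access rules.  The following added model, which is not IBM firmware code and not from the original page, writes those rules down as one decision function so that their interaction can be checked: a forced cover takes priority over everything, the IPL source must be in the EEPROM list, the power-on prompt is suppressed in unattended mode except for removable media, and the diskette is unlocked at POST only when no privileged-access password is set or the diskette is the IPL source.  The state and decision fields, the `PowerOnPasswordGate` class and the sample values are assumptions chosen for the example; the real firmware's internal layout is not known.

```python
"""Added model of LogicLock POST decisions.  Not IBM code; all names are assumptions."""
from dataclasses import dataclass
from hmac import compare_digest
from typing import Optional, Tuple

MAX_POP_ATTEMPTS = 3                  # page: three wrong tries, then power-cycle
REMOVABLE_SOURCES = {"diskette", "cdrom"}

@dataclass
class SystemState:
    pap_set: bool                     # privileged-access password enabled via board jumper
    pop: Optional[str]                # power-on password, None if not set
    allowed_ipl: Tuple[str, ...]      # IPL sequence held in EEPROM, PAP-protected
    unattended_mode: bool = False
    cover_forced: bool = False        # tamper switch tripped without the key
    pap_entered: bool = False         # administrator supplied the PAP at this IPL
    auto_config_done: bool = False    # automatic configuration run after the intrusion

@dataclass
class Decision:
    boot_allowed: bool                # POST proceeds (after any prompt is satisfied)
    reason: str
    prompt_for_pop: bool = False
    keyboard_locked: bool = False     # keyboard stays locked until the POP is entered
    run_auto_config: bool = False
    diskette_unlocked: bool = False

def post_decision(st: SystemState, ipl_source: str) -> Decision:
    # 1. Forced entry: flag it, require auto-config, demand the PAP if one is set.
    if st.cover_forced:
        if st.pap_set and not st.pap_entered:
            return Decision(False, "intrusion detected; privileged-access password required",
                            run_auto_config=True)
        if not st.auto_config_done:
            return Decision(False, "intrusion detected; run automatic configuration first",
                            run_auto_config=True)
    # 2. Selectable drive startup: only EEPROM-listed sources may be booted.
    if ipl_source not in st.allowed_ipl:
        return Decision(False, "%s is not an allowed IPL source" % ipl_source)
    # 3. Power-on password versus unattended start/server mode.
    removable = ipl_source in REMOVABLE_SOURCES
    if st.pop is None:
        prompt, locked = False, False
    elif st.unattended_mode and not removable:
        prompt, locked = False, True  # OS loads unattended, keyboard stays locked
    else:
        prompt, locked = True, False
    # 4. Removable media: unlocked at POST only if no PAP, or it is the IPL source.
    diskette_unlocked = (not st.pap_set) or ipl_source == "diskette"
    return Decision(True, "boot from %s" % ipl_source, prompt_for_pop=prompt,
                    keyboard_locked=locked, diskette_unlocked=diskette_unlocked)

class PowerOnPasswordGate:
    """Three attempts per power-on; afterwards every try fails until power is cycled."""
    def __init__(self, password: str) -> None:
        self._password = password.encode()
        self.attempts = 0

    def try_password(self, candidate: str) -> bool:
        if self.attempts >= MAX_POP_ATTEMPTS:
            return False              # locked out until power_cycle()
        self.attempts += 1
        return compare_digest(self._password, candidate.encode())

    def power_cycle(self) -> None:
        self.attempts = 0

if __name__ == "__main__":
    # Constructed sample: PAP set, POP set, fixed disk only, unattended server.
    server = SystemState(pap_set=True, pop="secret", allowed_ipl=("fixed",), unattended_mode=True)
    print(post_decision(server, "fixed"))
    print(post_decision(server, "diskette"))
    broken_into = SystemState(pap_set=True, pop=None, allowed_ipl=("fixed",), cover_forced=True)
    print(post_decision(broken_into, "fixed"))
```

The ordering in `post_decision` is the security-relevant part: the intrusion check runs before the IPL-source and password logic, so a forced cover cannot be cleared by booting from an unlisted device or by the unattended-mode prompt suppression.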
