Sei sulla pagina 1di 11

Technical white paper

HP NonStop System Console


Security best practices
Table of contents
Introduction .................................................................................................................................................................................... 2
Securing your location .................................................................................................................................................................. 2
Secure your operating system ................................................................................................................................................... 2
Stay up to date on operating system patches ................................................................................................................... 2
Know what is happening on your console ........................................................................................................................... 4
Restrict access to the console................................................................................................................................................ 5
Protect against malicious code .............................................................................................................................................. 6
Limit your exposure.................................................................................................................................................................. 6
Protect your applications ........................................................................................................................................................ 7
Secure your network .................................................................................................................................................................... 8
Isolate your networks .............................................................................................................................................................. 8
Use a software firewall .......................................................................................................................................................... 10

Technical white paper | HP NonStop System Console Security best practices

Introduction
In the past, HP NonStop System Console (NSC) has had a simple security specification: it is well isolated. It was connected to
the NonStop maintenance network (LAN), which was not connected to any public network. It sat in a physically secure
environment where physical walls and locks prevented its use by the unauthorized. The only connection it had to the
outside world was a thin phone line that dialed out problems. The software on these consoles was (and still is) highly
controlled and only a fully tested suite of software was allowed on it.
On the other hand, does this sound much like your environment? Increasingly, the requirements and expectations of
customers using NonStop systems have pushed this model out of the way. Consoles now routinely sit on public LANs.
NonStop system maintenance functions are often performed by PCs that are not NSCs. Though this model isnt approved,
it is often seen. In this more dynamic and connected world, how should the NSC be secured?
In response to this new environment, HP has changed the past held recommendations for the NSC. A new console security
policy details these changes. What do these changes mean for you? This paper details the new recommendations HP is
providing for securing the NSCs environment. This paper is not exhaustive by any means, but rather it is a set of best
practices upon which you will need to add the requirements of your particular application and your particular environment.

Securing your location


It may seem odd to start a software security paper with physical security, but the first step to a secure system is a system
that is secure physically. Chances are that you already have excellent physical security for your NonStop systems. Locked,
access-controlled data centers are the norm for such mission-critical computers. Does your console meet the same level of
security? It should be treated like the vital part of your NonStop system that it is!
Details about physical security are outside the scope of this document, but consider the entire continuum of equipment that
comprises your NonStop system when planning your physical security:
HP NonStop server
HP NonStop System Console
The networking equipment
Any other desktops or laptops that connect to the maintenance LAN
Any other desktops or laptops that remotely control the NonStop System Console

Any PC, no matter how well secured with software, can have malicious software added if physical access is allowed.
A rogue keystroke logger added to a laptop that remotely controls the console, onto which you routinely type your
super.super password, could be a disaster in the making.

Secure your operating system


A strongly secured operating system is the basis for any secure computer. On the NSC, the operating system is
Microsoft Windows.

Stay up to date on operating system patches


On the second Tuesday of every month, Microsoft releases that months patches for Windows. At that point, HP starts to
test the most recent set of patches with the software that runs on the console. Refer to the NonStop Console security policy
for more information on HPs policy in this area, including how quickly HP certifies these patches. Once HP is done testing
the patches, its your turn. Its important to stay current on these patches. These patches close holes in the operating
system kernel and other important operating system components. There are multiple ways to push the patches to the
console for installation, and you should use the method applicable to your environment.

Technical white paper | HP NonStop System Console Security best practices

Download with Microsoft Update


If the console is connected to a public LAN that has access to the Internet, patches can be pulled directly from Microsoft,
using Microsoft Update. Navigate to update.microsoft.com with Microsoft Internet Explorer (IE) on the console, and follow
the instructions. Install all recommended patches. If you wish, you may install only the recommended security patches,
though the installation of all recommended patches is also acceptable. This can be automated with Microsoft Automatic
updates, but this is not recommended, as this will force you to pick up the patches before HP has tested them for use on the
console. If you do use Automatic Updates, please select the More Options button, then the option for Download updates for
me, but let me choose when to install them. Then, the updates will be ready for installation, but will install at the moment
of your choosing.
Figure 1. Microsoft Update Automatic Updates

Download with an application manager


If your internal IT organization has prescribed method for managing applications on your workstations (for instance,
Microsoft System Management Server), it is acceptable to use this solution to push patches to the console, but only if it can
meet certain criteria. It is important to realize that the console is not just another workstation in the network. It is a
specialized tool that is an important part of keeping your NonStop system running without fail. Although HP is expanding
the acceptable software that is installed on the console, and for the first time, allowed you to install software that was not
provided by HP, this does not mean that the configuration of the console is now free to be like any other workstation in your
organization. The applications that are installed on the console continue to be highly controlled to be able to maintain the
high level of reliability that you expect from a NonStop system, of which the console is a part. Any application manager used
on the console must have the ability to differentiate the console from other workstations in the network and install only
software that is approved for use on an NSC. This means that typical office software, such as Microsoft Office, must not be
installed on the console. Only operating system patches and security software updates (to be discussed later) should be
managed by any such application manager. There are many ways of accomplishing this, depending on your network.
IP addresses, subnets, and MAC addresses are examples of ways of isolating and identifying consoles and specifying
different application configurations from the rest of your network environment.

Technical white paper | HP NonStop System Console Security best practices

Download from the Microsoft website


Patches can also be obtained as executable installers directly from Microsoft. Microsoft provides many ways of getting
notification about what patches are available for each version of Windows. Refer to technet.microsoft.com/en-us/security
for more information about Microsoft security for Windows. Downloading and installing the patches manually is the only
solution for consoles that remain disconnected from any public or corporate LAN. For consoles that require this level of
security, we still recommend the installation of operating system patches. In this case, you will need to download the
installers from the Microsoft website and move the patches to the console through some form of removable media
(CD-R or USB drive, for instance). Be very careful about having nothing but the patches you wish to install on any
removable media! Removable media is a viable vector for transporting malicious programs such as viruses. Using fresh
media (such as an unused CD-R) is an excellent way of avoiding malicious code.

Know what is happening on your console


It is very important that what happens on your console is recorded. Logging and auditing are critical components to
both deterring attacks on the console and identifying problems before and after they occur. Often, a security breach
is made more damaging because there is no audit trail to either detect the problem or determine what went wrong and
what to fix. To alter your consoles security configuration, use the Local Security Settings, which is available from
Start->Control Panel->Administrative Tools.
Figure 2. Local Security Settings for Audit Policy

The Audit Policy as set in figure 2 is a reasonable policy for the NonStop System Console. In this way, you will know who
logged on to the system, who failed to log on to the system, and what security changes have been made on the system and
by whom.
To view the event information that has been logged, use the Event Viewer, which is also available from the Administrative
Tools menu. The results of the logging are viewable from the Security log in the Event Viewer. The events may also be
published to management tools, such as HP Systems Insight Manager (SIM), that can manage many systems at a time, and
alert you about problems as they are happening.

Technical white paper | HP NonStop System Console Security best practices

Restrict access to the console


Not everyone needs access to the NonStop System Console. Make sure that only authorized people can log onto
the console.
Have individual user accounts
The current practice at many sites that have NonStop systems is to have a shared account and shared password for the
console. Often, users log in as Administrator, and every user of the console will know this Administrator password. This
defeats any accountability. Each user should have his or her individual account on the console. The password used for
such an account should be private to the user and not shared with coworkers.
Additionally, these accounts do not need administrative rights. Only an operator installing new software or modifying
configurations of the console itself needs such rights. The applications for managing the NonStop server do not need
administrative rights on the console, even when the user needs such rights on the NonStop system.
Some exceptions to this rule exist. Very specialized roles may use shared accounts for limited purposes.
One exception to this rule is that there may be a designated console account for use by HP service personnel for managing
the NonStop System Console and the NonStop server. In this case, the appearance of this account in the auditing logs would
not be conclusive as to who was responsible for a particular action. However, external logging of service personnel activity
would fill in the missing details from Windows own event log.
Another exception would be a login for monitoring the system in a lights-out environment. If a management application like
Open System Management (OSM) Service Connection stays up for long periods, with multiple people watching the same
display for monitoring purposes only, it is reasonable to have a shared account for this function. However, if action needs to
be taken, its better to log out and log back in as an individual user and perform the action so that the user is logged with
the action.
When a user has left the organization or no longer needs access, be sure to revoke access immediately. Be certain to have a
process in place that tracks which user has access to what resources and the privileges they have on those resources.
Embedding this process into other processes that would change access, such as employee termination, is the way to help
ensure that it happens reliably.
Have secure passwords
Now that you have an individual account for each user of the console, ensure that each of these accounts has a secure
password. Available from Local Security Settings is the password policy.
Figure 3. Local Security Settings for Password Policy

Figure 3 is a reasonable setting for the security of the password. However, you should select settings that match the
password settings required by the rest of your organization. In this way, users have a consistent set of standards to follow
and if appropriate, can have matching (though personal) passwords for all systems.

Technical white paper | HP NonStop System Console Security best practices

Passwords have a limited life. Password changes limit the span of time over which a leaked password can do damage.
Be sure to change your passwords on a regular schedule. Changing it more frequently than 30 days is usually difficult
to manage, and results in passwords being written down and forgotten frequently. On the other hand, one year is a
practical limit on how infrequently passwords may be changed. Stronger passwords do not lead to longer spans between
password changes.
Passwords should be strong enough to avoid being guessed or broken, but password changes exist for passwords that are
compromised for other reasons, such as keystroke loggers and disgruntled employees.
Have limited permission accounts
Workstation PCs are usually configured so that any authorized network user may log in with correct network credentials.
Sometimes, the default permissions for such a user include local administrator rights. The NSC is not just any other
workstation. Ensure that your network environment is such that only users that have a need to be able to use the NSC have
credentials that would allow them to log onto the NSC.

Protect against malicious code


Even with the best systems, malicious code may occasionally find its way onto the NSC. Malicious code could come in the
form of a virus shipped on a USB key or it could be a worm that hikes its way across the network through an unpatched
operating system vulnerability. The line of defense against this is antivirus software.
Under the NSC security policy, HP tests the software destined to run on the console in a limited number of environments
that include antivirus software. Refer to the NSC security policy document for which antivirus packages are on our list of
tested and approved for use. HP highly recommends that you run antivirus software on the console.
When running antivirus software, it is critical that the software stays up to date. If the NSC has access to the public LAN, it is
imperative that the antivirus software be configured for automatic updates of both the antivirus software and the virus
definitions. Daily scheduled updates are recommended. Refer to the documentation provided with your antivirus software
for instructions on how to configure the product for update.
The only technical issue discovered at the time of the writing of this paper in the testing of antivirus software is an
incompatibility between email scanning and the console software. The NSC is not an email platform, and should not be used
for this purpose. Only specialized, automated email is to be sent from the console. The stringent requirements of this email
can be affected by email scanning. Turn off email scanning if it is an option in your antivirus software.

Limit your exposure


The NSC is a specialized PC that runs specialized software to do a specific task: manage NonStop servers. This should be all
that this PC is doing. Any use of the NSC for a purpose other than this increases the security risk on the NSC, and by
extension, to your NonStop server.
Do not install software other than what is approved for the NSC. This includes installing software of a similar type or

function that is already installed on the NSC. Do not install another Web browser, for instance. Internet Explorer is the
only approved Web browser.
Do not use the NSC like a workstation or office PC. Don't run Microsoft Office applications, use email, or browse the

Web for any reason other than what is needed to manage the NonStop servers.
Do not run any unneeded services that are running on the console.
Run a security analyzer, such as Microsoft Baseline Security Analyzer (technet.microsoft.com/en-

us/security/cc184924.aspx), to catch flaws in your security configuration.


Remote access to the PC should always be handled through a secure network, such as a VPN or through secure

shell (SSH).
Do not share folders on the console. If you need to get something from the console to another PC, share the folder

on the other PC and push the data up.

Technical white paper | HP NonStop System Console Security best practices

Protect your applications


Many applications run on the NSC and each of them could be a potential source of security issues. Perhaps the mostly
widely run software and the most prone to security issues is the Web browser. On the NSC, the Web browser is
Microsoft Internet Explorer, and IE should be configured to be well protected.
Internet Explorer
Figure 4. Internet Explorer security settings

IE should be the only Web browser installed on the NSC. Be sure to set your security settings intelligently. IE includes a
concept called zones. Various IP addresses and domain names can be added to individual zones. For instance, all of the
systems and devices maintained by the NSC should sit inside the Trusted Zone. Network nodes including the NonStop
systems, the uninterruptible power supplies (UPS), the network switches, and other such devices should be here. This zone
must have most items turned on or set for Prompt. The tools that run here depend on tools such as JavaScript and
Java applets to do their work.
Interestingly, the zone that requires the least attention is Restricted sites. There is no practical way to filter out all possible
bad websites. Instead, the Internet zone should be set up as if every site were potentially malicious. In this zone, most
items should be set to Disable or Prompt. The NSC should not be used for general Web browsing, and websites that are
used on the NSC should be moved to Trusted.

Technical white paper | HP NonStop System Console Security best practices

Java Runtime Environment


The Java Runtime Environment (JRE) from Oracle/Sun is an important part of many applications that run on the NSC.
There are many versions of the JRE available from Oracle/Sun. A product that works on one version may or may not
work on another version. It is important that the NSC have each version of Java available to it that is needed to run all of
the applications.
However, it is also important that you update the JREs on your system to get new security patches to the JRE. These
two seemingly incompatible requirements are solved by examining the version number of the JRE. Sun splits the version
number of the JRE into four parts. For instance, one version of the JRE that shipped with OSM Service Connection is
1.6.0_35. The first part is 1 and is always 1. This can be ignored. The second part refers to the major revision. In
this case, it is 6 and this version of Java is referred to as Java 6. The third part is the minor revision, and is rarely used by
Sun recently. The last part is the update version, in this case, it is 35. This version of Java can also be referred to as
Java 6u35.
For example, if you have applications on the NSC that require Java 5 and also Java 6, you may have 1.5.0_22 and
1.6.0_35 installed. These two versions will co-exist without conflicting with each other. However, if the latest versions
are 1.5.0_25 and 1.6.0_45, then, in this case, you would want to install both 1.5.0_25 and 1.6.0_45 to get the latest
security updates for the JRE.
It is important that the major and minor revisions be present on the NSC. These numbers refer to broad functionality
changes in the Java system. It is entirely possible that a piece of software designed to run on Java 5 will not function
correctly on Java 6. However, the update revision is used for security patches and bug fixes. These updates are the ones
that should be installed on the NSC. Refer to the console security policy for HPs policy on JRE updates.

Secure your network


Your corporate network is the primary entry point for most security attacks. Great care should be taken to secure this entry
point to the console.

Isolate your networks


HP recommends maintenance LAN to be separate from your public and corporate LANs. This network that comprises the
Service Processors (SP), Maintenance Entities (ME), Onboard Administrators (OA), Integrated Lights-Out (iLO), and other
maintenance interfaces is a sensitive part of the NonStop system. The recommended way to get corporate LAN access to
the console is by having two network interfaces available on the NSC. All currently shipping NSCs come with a minimum
of two NICs. Some older NSCs do not have two NICs. Contact HP Support for assistance with the upgrade to two NICs on
your NSC.

Technical white paper | HP NonStop System Console Security best practices

Figure 5. Maintenance LAN and corporate LAN

If you wish to have remote access to applications that may only run on the maintenance LAN, such as OSM Low-Level Link,
HP recommends using Remote Desktop Connection to connect to the NSC. Only allow access to the console to those users
that legitimately have a need to connect remotely. To activate Remote Desktop on the console, use the System Properties
dialog box available from Start->Control Panel->System.
Figure 6. Enable Remote Desktop from System Properties

Technical white paper | HP NonStop System Console Security best practices

Some manageability applications, such as OSM Service Connection and OSM Event Viewer, are certified to operate on the
public LAN. For such applications, the configuration may allow connections on both the public LAN and the maintenance
LAN. Access to OSM Service Connection and OSM Event Viewer must always be present on the maintenance LAN. If you
wish for these to also be available on the public LAN, refer to the OSM Configuration Guide for instructions on how to
configure this.

Use a software firewall


Under the NSC security policy, HP tests the software destined to run on the console in a limited number of environments
that include a software firewall package. Refer to the NSC security policy for which software firewalls are currently tested
and approved. HP highly recommends that you run a software firewall on the console. This provides a last line of defense
against intrusions onto the console from other workstations in your organizations network that are already inside the
protected zone within looks good your hardware firewall.
There are many ways to install, configure, and manage a firewall installation on the console. Smaller organizations can do
so with local settings on the console and manual updates and installations. Larger organizations may want a centralized
security management server to maintain currency on all firewalls installed inside the organization. Either way is acceptable
for the console if you are using one of the firewall packages that HP has approved.
HP has found that the default configuration of most firewall packages works quite well for the NSC. The NSC does not
require any inbound ports, except in some limited circumstances. It does require to be connected to a number of ports on
the NonStop system.
Table 1. Ports the console connects to
Port

Protocol

Notes

20

FTP

File Transfer Protocol (FTP)

21

FTP

FTP

22

SSH/SFTP

SSH for Tandem Advanced Command Language (TACL) and SSH File Transfer Protocol (SFTP)

23

Telnet

Telnet for TACL

53

DNS

Domain names lookups

67

DHCP/BOOTP

If you are running dynamic addressing

69

TFTP

Trivial FTP

80

HTTP

Many maintenance interface are Web servers on the port 80, including maintenance switches and UPSs

162

SNMP

If the console is managed with SNMP (for instance, by HP SIM)

280

HTTP

HP Systems Insight Manager

443

HTTPS

Some maintenance interfaces are HTTPS also

630

ONC/RPC

Low Level Link connection

5988

HTTP

Unencrypted OSM Common Information Model Object Manager (CIMOM)

5989

HTTPS

Secure Sockets Layer (SSL)-enabled OSM CIMOM

9990

HTTP

OSM Service Connection server

9991

HTTP or HTTPS

OSM Event Viewer server

50000

HTTPS

HP Systems Insight Manager

There are occasions when the console is being used as a server. In those cases, some ports will need to be open for
incoming connections.

10

Technical white paper | HP NonStop System Console Security best practices

Table 2. Incoming ports for the NSC


Port

Protocol

Notes

20

FTP

FTP for cluster I/O module (CLIM) update

21

FTP

FTP for CLIM update

22

SSH/SFTP

If running SSH access to the NSC

53

DNS

If this console is being used as a Domain Name System (DNS)

67

DHCP/BOOTP

If this console is being used as a Dynamic Host Configuration Protocol (DHCP) server

69

TFTP

Trivial FTP for HSS

161

SNMP

If the system is managed by SNMP

162

SNMP

If running as HP Systems Insight Manager Central Management Server (CMS)

280

HTTP

If running as HP Systems Insight Manager CMS

3389

RDP

If Remote Desktop is enabled

5989

HTTPS

If running System Management Homepage (SMH)

7905

HTTPS

If running as HP Systems Insight Manager CMS, HP Remote Support (version 7+)

7906

HTTPS

If running as HP Systems Insight Manager CMS, HP Remote Support

50000

HTTPS

If running as HP Systems Insight Manager CMS

Refer to the documentation provided with your firewall software for instructions on how to set these ports.

Learn more at
hp.com/go/nonstop-security

Sign up for updates


hp.com/go/getupdated

Share with colleagues

Rate this document

Copyright 2008, 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only
warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should
be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Microsoft and Windows are U.S. registered trademarks of the Microsoft group of companies. Oracle and Java are registered trademarks of Oracle and/or
its affiliates.
4AA2-2863ENW, July 2014, Rev. 1