Introduction
In the past, HP NonStop System Console (NSC) has had a simple security specification: it is well isolated. It was connected to
the NonStop maintenance network (LAN), which was not connected to any public network. It sat in a physically secure
environment where physical walls and locks prevented its use by the unauthorized. The only connection it had to the
outside world was a thin phone line that dialed out problems. The software on these consoles was (and still is) highly
controlled and only a fully tested suite of software was allowed on it.
On the other hand, does this sound much like your environment? Increasingly, the requirements and expectations of
customers using NonStop systems have pushed this model out of the way. Consoles now routinely sit on public LANs.
NonStop system maintenance functions are often performed by PCs that are not NSCs. Though this model isnt approved,
it is often seen. In this more dynamic and connected world, how should the NSC be secured?
In response to this new environment, HP has changed the past held recommendations for the NSC. A new console security
policy details these changes. What do these changes mean for you? This paper details the new recommendations HP is
providing for securing the NSCs environment. This paper is not exhaustive by any means, but rather it is a set of best
practices upon which you will need to add the requirements of your particular application and your particular environment.
Any PC, no matter how well secured with software, can have malicious software added if physical access is allowed.
A rogue keystroke logger added to a laptop that remotely controls the console, onto which you routinely type your
super.super password, could be a disaster in the making.
The Audit Policy as set in figure 2 is a reasonable policy for the NonStop System Console. In this way, you will know who
logged on to the system, who failed to log on to the system, and what security changes have been made on the system and
by whom.
To view the event information that has been logged, use the Event Viewer, which is also available from the Administrative
Tools menu. The results of the logging are viewable from the Security log in the Event Viewer. The events may also be
published to management tools, such as HP Systems Insight Manager (SIM), that can manage many systems at a time, and
alert you about problems as they are happening.
Figure 3 is a reasonable setting for the security of the password. However, you should select settings that match the
password settings required by the rest of your organization. In this way, users have a consistent set of standards to follow
and if appropriate, can have matching (though personal) passwords for all systems.
Passwords have a limited life. Password changes limit the span of time over which a leaked password can do damage.
Be sure to change your passwords on a regular schedule. Changing it more frequently than 30 days is usually difficult
to manage, and results in passwords being written down and forgotten frequently. On the other hand, one year is a
practical limit on how infrequently passwords may be changed. Stronger passwords do not lead to longer spans between
password changes.
Passwords should be strong enough to avoid being guessed or broken, but password changes exist for passwords that are
compromised for other reasons, such as keystroke loggers and disgruntled employees.
Have limited permission accounts
Workstation PCs are usually configured so that any authorized network user may log in with correct network credentials.
Sometimes, the default permissions for such a user include local administrator rights. The NSC is not just any other
workstation. Ensure that your network environment is such that only users that have a need to be able to use the NSC have
credentials that would allow them to log onto the NSC.
function that is already installed on the NSC. Do not install another Web browser, for instance. Internet Explorer is the
only approved Web browser.
Do not use the NSC like a workstation or office PC. Don't run Microsoft Office applications, use email, or browse the
Web for any reason other than what is needed to manage the NonStop servers.
Do not run any unneeded services that are running on the console.
Run a security analyzer, such as Microsoft Baseline Security Analyzer (technet.microsoft.com/en-
shell (SSH).
Do not share folders on the console. If you need to get something from the console to another PC, share the folder
IE should be the only Web browser installed on the NSC. Be sure to set your security settings intelligently. IE includes a
concept called zones. Various IP addresses and domain names can be added to individual zones. For instance, all of the
systems and devices maintained by the NSC should sit inside the Trusted Zone. Network nodes including the NonStop
systems, the uninterruptible power supplies (UPS), the network switches, and other such devices should be here. This zone
must have most items turned on or set for Prompt. The tools that run here depend on tools such as JavaScript and
Java applets to do their work.
Interestingly, the zone that requires the least attention is Restricted sites. There is no practical way to filter out all possible
bad websites. Instead, the Internet zone should be set up as if every site were potentially malicious. In this zone, most
items should be set to Disable or Prompt. The NSC should not be used for general Web browsing, and websites that are
used on the NSC should be moved to Trusted.
If you wish to have remote access to applications that may only run on the maintenance LAN, such as OSM Low-Level Link,
HP recommends using Remote Desktop Connection to connect to the NSC. Only allow access to the console to those users
that legitimately have a need to connect remotely. To activate Remote Desktop on the console, use the System Properties
dialog box available from Start->Control Panel->System.
Figure 6. Enable Remote Desktop from System Properties
Some manageability applications, such as OSM Service Connection and OSM Event Viewer, are certified to operate on the
public LAN. For such applications, the configuration may allow connections on both the public LAN and the maintenance
LAN. Access to OSM Service Connection and OSM Event Viewer must always be present on the maintenance LAN. If you
wish for these to also be available on the public LAN, refer to the OSM Configuration Guide for instructions on how to
configure this.
Protocol
Notes
20
FTP
21
FTP
FTP
22
SSH/SFTP
SSH for Tandem Advanced Command Language (TACL) and SSH File Transfer Protocol (SFTP)
23
Telnet
53
DNS
67
DHCP/BOOTP
69
TFTP
Trivial FTP
80
HTTP
Many maintenance interface are Web servers on the port 80, including maintenance switches and UPSs
162
SNMP
280
HTTP
443
HTTPS
630
ONC/RPC
5988
HTTP
5989
HTTPS
9990
HTTP
9991
HTTP or HTTPS
50000
HTTPS
There are occasions when the console is being used as a server. In those cases, some ports will need to be open for
incoming connections.
10
Protocol
Notes
20
FTP
21
FTP
22
SSH/SFTP
53
DNS
67
DHCP/BOOTP
If this console is being used as a Dynamic Host Configuration Protocol (DHCP) server
69
TFTP
161
SNMP
162
SNMP
280
HTTP
3389
RDP
5989
HTTPS
7905
HTTPS
7906
HTTPS
50000
HTTPS
Refer to the documentation provided with your firewall software for instructions on how to set these ports.
Learn more at
hp.com/go/nonstop-security
Copyright 2008, 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only
warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should
be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Microsoft and Windows are U.S. registered trademarks of the Microsoft group of companies. Oracle and Java are registered trademarks of Oracle and/or
its affiliates.
4AA2-2863ENW, July 2014, Rev. 1