Management Console for Unix provides different levels of security to protect sensitive information stored on the server and in the Unix systems that you wish to manage. Management Console for Unix protection focuses on the following areas:
This section outlines the security features used by Management Console for Unix for each of these areas of protection.
Access to the Management Console for Unix server is controlled by the supervisor account when using the core version; or with Active Directory credentials when the mangement console is configured for Active Directory. When you enable Active Directory log on, you can configure access to the mangement console to allow individual users or members of Active Directory groups to access the mangement console. See Console Roles and Permissions System Settings for details on how to enable access for users and groups.
Note: Since Active Directory supports nested groups, a user may be granted access even if they are not a direct member of the nominated group, but are a member of one or more child groups. Care should be taken when using nested groups to ensure that access is not accidentally granted to the wrong users.
When authenticating with Active Directory credentials, you may
When a user logs on as 'supervisor', the password is hashed on the client with a known salt and compared with the stored value in the Management Console for Unix database. The plain text password is never stored on the server. The password encryption is irreversible. As a result, if the supervisor password is lost it cannot be recovered, but may be reset by a user with logon access to the machine where the Management Console for Unix server is running. (See Reset the Supervisor Password for details.)
Windows Integrated Authentication (WIA) allows a user to securely reuse their desktop credentials to log onto the mangement console when using a browser that supports WIA. Using WIA requires that the console server is installed and running on a Windows machine that is joined to the forest which you have chosen to manage, or is installed and running on a Unix machine that is running Authentication Services and is joined to the forest which you have chosen to manage. The client browser must also be joined to the same forest.