How to protect an OS X Server from an unauthorized physical connection?

I have an OS X 10.6 server, which I administer via SSH and VNC (via SSH tunnel).

I can't leave it at the login window since then VNC connections are refused. Therefore I currently leave it logged in with my user account.

Since it doesn't have a monitor attached, it doesn't go into screen saver mode, which means it doesn't require a password to retake control. This means it is very easy for anyone connecting a keyboard/mouse and monitor to take control of the system.

The screen saver password protection, which I can't get to activate, unlike the system's login window, is perfectly compatible with VNC connections.

How could I prevent such direct access to the server without connecting a monitor and without blocking my ability to connect with VNC?

Thanks!


Solution 1:

There are at least two ways you can do this. You can initiate the screensaver at any time using the optional menubar item, which isn't present by default. Open /Applications/Utilities/Keychain Access.app --> Preferences --> General [tab] --> Show status in Menu Bar. Here, you can choose Lock Screen from the lock icon in your menu. At the least, you should choose Lock All Keychains to prohibit your admin credentials from being used in a GUI tool, then Lock Screen.

Alternatively, in System Preferences --> Security --> General [tab] --> Require Password [pulldown menu] after sleep or screen saver begins. And then System Preferences --> Desktop & Screen Saver --> Start Screen Saver [slider indicating time to automatically start screensaver].

Solution 2:

Have you considered using Remote Desktop instead of VNC?

Solution 3:

Have you considered locking it up? Put it in a box and lock it. Leave only enough holes for airflow (many small and/or thin ones) and the only big holes are there to permit power and network cables.

Solution 4:

I can't test if this might work in your environment, but you can launch the screen saver from the command line with the following command:

/System/Library/Frameworks/ScreenSaver.framework/Resources/ScreenSaverEngine.app/Contents/MacOS/ScreenSaverEngine

You could wrap this in a bash script or something like that to call it in a more simple way.
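
One way to write the wrapper suggested in Solution 4, as an added example that is not part of the original answers: it starts the screen saver only when the "Require Password" setting from Solution 1 is on, because otherwise the console would not end up locked. The engine path is the one quoted above; the `askForPassword` preference lookup, the exit codes and the `lock` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: lock the console of a headless Mac by starting the screen saver.
# ENGINE is the path quoted in Solution 4; override it only for testing.
ENGINE="${ENGINE:-/System/Library/Frameworks/ScreenSaver.framework/Resources/ScreenSaverEngine.app/Contents/MacOS/ScreenSaverEngine}"

# Succeeds only if the screen saver is set to ask for a password.
# Assumption: the setting is stored as askForPassword in com.apple.screensaver,
# either per host (-currentHost) or in the user's ordinary preferences.
password_required() {
    for scope in "-currentHost" ""; do
        v=$(defaults $scope read com.apple.screensaver askForPassword 2>/dev/null) || v=""
        [ "$v" = "1" ] && return 0
    done
    return 1
}

# Start the screen saver, refusing when doing so would not lock anything.
# Returns 2 if the engine is missing, 3 if no password is required.
lock_screen() {
    if [ ! -x "$ENGINE" ]; then
        echo "ScreenSaverEngine not found at $ENGINE" >&2
        return 2
    fi
    if ! password_required; then
        echo "screen saver password is off; console would stay unlocked" >&2
        return 3
    fi
    # Run in the background so the calling shell returns immediately.
    "$ENGINE" >/dev/null 2>&1 &
}

# Run as "lock-console.sh lock" from the logged-in user's account;
# without the argument the file only defines the functions.
if [ "${1:-}" = "lock" ]; then
    lock_screen
fi
```

A non-zero exit status means the console was not locked, so a caller such as a login script can report it.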