DNS-based restrictions, How user time restrictions are enforced, Creating multiple restrictions and roles – HP Integrated Lights-Out 2 User Manual

DNS-based restrictions

DNS-based restrictions use the network naming service to examine the logical name of the client
machine by looking up the machine names assigned to the client IP addresses. DNS restrictions
therefore require a functional name server. If the name service goes down or cannot be reached,
DNS restrictions cannot be matched and will fail.

DNS-based restrictions can limit access to a single, specific machine name or to machines sharing
a common domain suffix. For example, the DNS restriction www.hp.com matches only hosts that are
assigned the domain name www.hp.com, whereas the DNS restriction *.hp.com matches any machine
originating from HP.

DNS restrictions can introduce some ambiguity because a host can be multi-homed, so a DNS
restriction does not necessarily match one-to-one with a single system.

Using DNS-based restrictions can create some security complications. Name service protocols are
insecure: any individual with malicious intent and access to the network can place a rogue DNS
service on the network, producing fake names and thereby fake address restriction criteria.
Organizational security policies must be taken into consideration when implementing DNS-based
address restrictions.
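The following is an added illustration (not iLO 2 code) of how a DNS restriction is evaluated: reverse-look up the client IP, then match the resulting name either exactly (www.hp.com) or by domain suffix (*.hp.com), treating any name-service failure as a non-match. A constructed reverse-lookup table stands in for a live name server so it runs offline; the function and table names are assumptions.

```python
import socket
from typing import Callable

# A resolver maps a client IP address to its reverse-lookup host name,
# or raises OSError when the name service is down or no name is assigned.
Resolver = Callable[[str], str]


def system_resolver(ip: str) -> str:
    """Reverse lookup through the host's configured name service (live DNS)."""
    return socket.gethostbyaddr(ip)[0]


def pattern_matches(restriction: str, hostname: str) -> bool:
    """Match a DNS restriction against a resolved host name.

    'www.hp.com' matches only that exact name; '*.hp.com' matches any name
    that ends in '.hp.com'. DNS names are compared case-insensitively and
    without a trailing dot.
    """
    restriction = restriction.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if restriction.startswith("*."):
        suffix = restriction[1:]          # '*.hp.com' -> '.hp.com'
        return hostname.endswith(suffix)  # the leading dot rejects 'xhp.com'
    return hostname == restriction


def dns_restriction_allows(restriction: str, client_ip: str,
                           resolver: Resolver = system_resolver) -> bool:
    """True only if the client's reverse-lookup name matches the restriction.

    A resolver failure (name service unreachable, no name assigned) means the
    restriction cannot be matched, so the restriction fails and access is
    not granted. Note the match is only as trustworthy as the name service
    that answered, which is the rogue-DNS concern described above.
    """
    try:
        hostname = resolver(client_ip)
    except OSError:
        return False
    return pattern_matches(restriction, hostname)


# Constructed reverse-lookup table standing in for a name server (assumption).
_FAKE_PTR = {"10.0.0.5": "www.hp.com",
             "10.0.0.6": "build01.lab.hp.com",
             "10.0.0.7": "host.example.net"}


def fake_resolver(ip: str) -> str:
    """Offline stand-in for system_resolver; unknown IPs behave like a DNS outage."""
    if ip not in _FAKE_PTR:
        raise OSError("name service unreachable or no name assigned")
    return _FAKE_PTR[ip]
```

Swap `fake_resolver` for the default `system_resolver` to evaluate a restriction against a real client address.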

How user time restrictions are enforced

Administrators can place a time restriction on directory user accounts. Time restrictions limit the
ability of the user to log in (authenticate) to the directory. Typically, time restrictions are enforced
using the time at the directory server, but if the directory server is located in a different time zone
or a replica in a different time zone is accessed, then time zone information from the managed
object can be used to adjust for relative time.

The directory server evaluates user time restrictions, but the determination can be complicated by
time zone differences or by the authentication mechanism in use.

Creating multiple restrictions and roles

The most useful application of multiple roles is restricting one or more roles so that their rights do
not apply in all situations, while other roles provide different rights under different constraints. Using
multiple restrictions and roles enables the administrator to create arbitrary, complex rights
relationships with a minimum number of roles.

For example, an organization might have a security policy in which LOM administrators are allowed
to use the LOM device from within the corporate network but are only able to reset the server
outside of regular business hours.

Directory administrators might be tempted to create two roles to address this situation, but extra
caution is required. Creating a role that provides the required server reset rights and restricting it

160 Directory services