The most important rule is to lock the server console.
    At least one method has been posted a couple of times which
    explains how to switch off password verification using the
    server internal debugger.

    Anyone with console access can obtain supervisor access.

    Place any useful NLMs in SYS:SYSTEM and then add the following
    line to AUTOEXEC.NCF:
	SECURE CONSOLE

    Disable use of unencrypted passwords. Either type the following,
    or add it to the AUTOEXEC.NCF:
	SET ALLOW UNENCRYPTED PASSWORDS OFF

    If you have NCP packet signatures installed, add the following
    line to AUTOEXEC.NCF:
	SET NCP PACKET SIGNATURE OPTION = 3

    Use a password different from the Supervisor password for RCONSOLE.

    Load the MONITOR NLM and lock the console.

    Remember that access to the backups is just as bad as access
    to the server. Keep the backups secure too.

    Some other suggestions:
    Limit number of Supervisor accounts (not too many, but keep at
    least one, unless using the SUPER utility described below).
    Enable intruder detection and lockout.
    Require unique passwords on all accounts.
    Login as Supervisor as little as possible.

    Use the SUPER.EXE program, written by Wolfgang Schreiber, which
    will toggle instant supervisor-equivalency to a user. This isn't
    a loophole, since some preparation has to be done on the accounts
    which should be able to gain supervisor-equivalency, and those
    accounts will be reported by the SECURITY utility.
    SUPER is available from netwire (Look on ftp.novell.de or
    ftp.novell.com).