Solved

server passwords

Posted on 2013-11-29
Last Modified: 2014-01-13
Are there any sort of hardware-level passwords on physical servers? I am not on about the OS installed on them, I mean the hardware level below. What exactly are these hardware-level passwords protecting against? I.e. why do you need a password at that level, what can't you do until you enter the password, what does entering the password give you access to, etc.?
Question by:pma111
26 Comments
 
LVL 14

Assisted Solution

by:Ram Balachandran
Ram Balachandran earned 334 total points
ID: 39685124
There are many disk encryption software products available on the market:

Symantec Encryption - http://www.symantec.com/encryption
Truecrypt - http://www.truecrypt.org/docs/supported-operating-systems
Bitlocker  - http://technet.microsoft.com/en-us/library/hh831627.aspx
0
 
LVL 3

Author Comment

by:pma111
ID: 39685132
Are you saying without disk encryption there are no "hardware level" passwords on server hardware, as a general rule?
0
 
LVL 9

Expert Comment

by:Shani Basha
ID: 39685209
You have BIOS level passwords to limit access to the BIOS.
0
 
LVL 3

Author Comment

by:pma111
ID: 39685214
What's the risk of not having BIOS-level passwords?
0
 
LVL 14

Accepted Solution

by:
Ram Balachandran earned 334 total points
ID: 39685220
If your server is locally accessible you can set a BIOS password.
Else you need to have tools like DRAC for HP ILO for remotely connecting, as you will not be able to provide the password while restarting the server.
If this server is in a Domain and if the disk is formatted with NTFS, you really don't want to provide BIOS passwords. Moreover there are methods to disable the BIOS password.
Make sure you have a complex password for your server and share it only with authorised technicians.
0
 
LVL 3

Author Comment

by:pma111
ID: 39685270
For say HP ILO though, what is that password giving the admin access to? I.e. why do they need a password, what does that password give them access to? They are HP servers.
0
 
LVL 9

Expert Comment

by:Shani Basha
ID: 39685276
Set a password to access the BIOS only. The risk of not having a BIOS password is that anyone can log in to the BIOS and change server configurations, like disabling the onboard network card, disabling USB, and so on.
0
 
LVL 3

Author Comment

by:pma111
ID: 39685281
So is HP ILO just like a piece of management software installed on say a Windows laptop for managing the server hardware? What does the "ILO" stand for?
0
 
LVL 9

Expert Comment

by:Shani Basha
ID: 39685285
Yes - HP ILO runs from a browser using Java
ILO - Integrated Lighs Out
0
 
LVL 9

Expert Comment

by:Shani Basha
ID: 39685288
Read as * Integrated Lights-Out
0
 
LVL 3

Author Comment

by:pma111
ID: 39685292
Is it possible to not have ILO passwords? I.e. do you need to configure them manually during setup? If no ILO password can anyone essentially get access to the server hardware?

Any idea how to check/prove all HP ProLiants have ILO passwords?
0
 
LVL 3

Author Comment

by:pma111
ID: 39685295
Is there a default password for ILO?
0
 
LVL 9

Expert Comment

by:Shani Basha
ID: 39685607
0
 
LVL 55

Assisted Solution

by:andyalder
andyalder earned 166 total points
ID: 39685659
iLO is not like a piece of management software installed on say a Windows laptop; it runs on the hardware below the OS. You can use it for remote control but you can also use it to power the machine on, which is certainly something that you can't do with software that runs under Windows. It can be very useful since you can watch the machine boot up remotely; there is a dedicated chip on the motherboard that it runs through. The client that you run on a remote PC does admittedly use Java but that isn't iLO itself.

You can set the password with hponcfg.exe or during POST.
You get limited functionality without a license (no display after OS loads etc.).

The HP iLO family datasheet comparison table PDF at www.hp.com/go/iLO describes what you get for free (standard) and the extras a license provides.
0
 
LVL 3

Author Comment

by:pma111
ID: 39685671
Andy, our auditors need some proof the ILO does have an admin password (I assume this is the admin password and the power up password is different), for an estate of over 20 ProLiant servers. Any idea how they could get this evidence? Is there anything in iLO that will show a password has been set? Is it default to have a password set or do you have to set this up manually?
0
 
LVL 3

Author Comment

by:pma111
ID: 39685675
> you can use it for remote control

What do you need on your PC in order to be able to use the ILO from your PC? How do you launch the program?
0
 
LVL 55

Expert Comment

by:andyalder
ID: 39685799
If running Windows there's a PowerShell script at http://h30499.www3.hp.com/t5/ITRC-Remote-Lights-Out-Mgmt-iLO/Mass-iLO-Audit/td-p/4469687#.UpjYrOL6Tpc to do a mass configuration of the servers using hponcfg /f <filename.xml>

You can run hponcfg /w and get the current settings of one of them, then use that as the basis of your config file that you want to upload to all of them. You'll have to strip out lines such as <IP_ADDRESS VALUE = "x.x.x.x"/> or you'll set every one to the same address. There may be additional users on some of them though, and hponcfg /f iloconfig.xml only adds users; it doesn't remove unknown ones, so hponcfg /r can be used to reset them all to default, which will delete all of the users except for Administrator.

You use a web browser to the iLO IP address to access it; it will probably install its preferred version of Java onto your PC the first time you connect.
0
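The template step andyalder describes above, as an added example that is not part of the original thread or HP's tooling: it strips per-host elements from an export so the file can be pushed to many servers, and lists accounts that are not on an approved list, since `hponcfg /f` only adds users. The sample XML is constructed to resemble an `hponcfg /w` export; the `DNS_NAME` entry in the strip list, the host name `srv01` and the account names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an `hponcfg /w` export (RIBCL XML); not real output.
SAMPLE_EXPORT = """<RIBCL VERSION="2.1">
 <LOGIN USER_LOGIN="Administrator" PASSWORD="placeholder">
  <RIB_INFO MODE="write">
   <MOD_NETWORK_SETTINGS>
    <IP_ADDRESS VALUE = "192.0.2.10"/>
    <SUBNET_MASK VALUE = "255.255.255.0"/>
    <DNS_NAME VALUE = "ilo-srv01"/>
   </MOD_NETWORK_SETTINGS>
  </RIB_INFO>
  <USER_INFO MODE="write">
   <ADD_USER USER_NAME = "Administrator" USER_LOGIN = "Administrator" PASSWORD = "%user_password%"/>
   <ADD_USER USER_NAME = "old contractor" USER_LOGIN = "tempuser" PASSWORD = "%user_password%"/>
  </USER_INFO>
 </LOGIN>
</RIBCL>"""

# Assumption: elements unique to one server. IP_ADDRESS is the one named in the post.
HOST_SPECIFIC = {"IP_ADDRESS", "DNS_NAME"}

def make_template(export_xml, host_specific=HOST_SPECIFIC):
    """Return the export with per-host elements removed, for use as a shared config."""
    root = ET.fromstring(export_xml)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag in host_specific:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")

def user_logins(export_xml):
    """List the USER_LOGIN of every ADD_USER entry in the export."""
    return [u.get("USER_LOGIN") for u in ET.fromstring(export_xml).iter("ADD_USER")]

def unexpected_users(exports, approved):
    """Map host -> logins that are not on the approved list."""
    report = {}
    for host, xml_text in exports.items():
        extra = sorted(set(user_logins(xml_text)) - set(approved))
        if extra:
            report[host] = extra
    return report

if __name__ == "__main__":
    print(make_template(SAMPLE_EXPORT))
    print(unexpected_users({"srv01": SAMPLE_EXPORT}, approved={"Administrator"}))
```

The per-host report of unapproved logins is also the kind of output that can be kept as a record alongside each server's export.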
 
LVL 27

Expert Comment

by:tliotta
ID: 39686369
> ...any idea how they could get this evidence?

For any such request from an auditor, the auditor needs to tell you what they expect and accept. Ask them. We have no way to know what they need. Different auditors have different expectations. Different kinds of auditors have different needs.

Tom
0
 
LVL 3

Author Comment

by:pma111
ID: 39689354
andyalder,

Do you happen to have a sample output of that script? What specific parameter will show the password value?
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39689414
Hi,

I mentioned ILO in a different context and now it looks like we are discussing it from a different angle.

The point here is - you can always use a BIOS password for additional security - but make sure you have a strong UNIQUE password - and it should not be disclosed to unauthorised persons.

ILO does not have anything to do with the BIOS password.

You can always install an ILO Adapter [ Hardware ] and configure a password so that technicians in the remote location can see/configure the BIOS if required. The BIOS of the server will be accessible via browser.
0
 
LVL 55

Expert Comment

by:andyalder
ID: 39689642
iLOs have been on the motherboard for at least 10 years.

Some sample XML scripts for setting at http://setspn.blogspot.co.uk/2009/01/hp-c-class-blades-bulk-ilo.html although hponcfg /w will get your current settings.
0
 
LVL 3

Author Comment

by:pma111
ID: 39689650
So will the output of hponcfg /w show whether the server has a password or not?
0
 
LVL 55

Expert Comment

by:andyalder
ID: 39690734
I think so but I'm not sure if it's in plain text or encrypted which is why I suggested setting the iLO to default and then setting it to some secure password.
0
 
LVL 3

Author Comment

by:pma111
ID: 39692242
Do you have access to any HP ProLiants to check?

I don't have access to any so could do with someone who could demonstrate this.
0
 
LVL 55

Expert Comment

by:andyalder
ID: 39692317
Sorry, I don't have access to one any more except when I visit customers.
0
 
LVL 3

Author Comment

by:pma111
ID: 39692319
Does anyone else?
0
