server passwords

Are there any sort of hardware-level passwords on physical servers? I am not on about the OS installed on them, I mean the hardware level below. What exactly are these hardware-level passwords protecting against? I.e. why do you need a password at that level, what can't you do until you enter the password, what does entering the password give you access to, etc.
pma111 Asked:
 
Ram Balachandran Commented:
If your server is locally accessible you can set a BIOS password.
Else you need to have tools like DRAC for HP ILO for remotely connecting, as you will not be able to provide the password while restarting the server.
If this server is in a Domain and if the disk is formatted with NTFS, you really don't want to provide BIOS passwords. Moreover there are methods to disable the BIOS password.
Make sure you have a complex password for your server and share it only with authorised technicians.
 
Ram Balachandran Commented:
There are many disk encryption software packages available in the market:

Symantec Encryption - http://www.symantec.com/encryption
TrueCrypt - http://www.truecrypt.org/docs/supported-operating-systems
BitLocker - http://technet.microsoft.com/en-us/library/hh831627.aspx
 
pma111 (Author) Commented:
Are you saying without disk encryption there are no "hardware level" passwords on server hardware, as a general rule?
 
SHB (Storage Network Specialist) Commented:
You have BIOS level passwords to limit access to the BIOS.
 
pma111 (Author) Commented:
What's the risk of not having BIOS-level passwords?
 
pma111 (Author) Commented:
For say HP ILO though, what is that password giving the admin access to? I.e. why do they need a password, what does that password give them access to? They are HP servers.
 
SHB (Storage Network Specialist) Commented:
Set password to access BIOS only. The risk of not having a BIOS password is that anyone can log in to BIOS and change server configurations, like disable onboard network card, disable USB, like that.
 
pma111 (Author) Commented:
So is HP ILO just like a piece of management software installed on say a Windows laptop for managing the server hardware? What does the "ILO" stand for?
 
SHB (Storage Network Specialist) Commented:
Yes - HP ILO runs from a browser using Java
ILO - Integrated Lighs Out
 
SHB (Storage Network Specialist) Commented:
Read as * Integrated Lights-Out
 
pma111 (Author) Commented:
Is it possible to not have ILO passwords? I.e. do you need to configure them manually during setup? If no ILO password can anyone essentially get access to the server hardware?

Any idea how to check/prove all HP ProLiants have ILO passwords?
 
pma111 (Author) Commented:
Is there a default password for ILO?
 
andyalder Commented:
iLO is not like a piece of management software installed on say a Windows laptop, it runs on the hardware below the OS, you can use it for remote control but you can also use it to power the machine on which is certainly something that you can't do with software that runs under Windows. It can be very useful since you can watch the machine boot up remotely, there is a dedicated chip on the motherboard that it runs through. The client that you run on a remote PC does admittedly use Java but that isn't iLO itself.

You can set the password with hponcfg.exe or during POST.
You get limited functionality without a license (no display after OS loads etc.).

The HP iLO family datasheet comparison table PDF at www.hp.com/go/iLO describes what you get for free (standard) and the extras a license provides.
 
pma111 (Author) Commented:
Andy, our auditors need some proof the ILO does have an admin password (I assume this is the admin password and the power up password is different), for an estate of over 20 ProLiant servers. Any idea how they could get this evidence? Is there anything in iLO that will show a password has been set? Is it default to have a password set or do you have to set this up manually?
 
pma111 (Author) Commented:
> you can use it for remote control

What do you need on your PC in order to be able to use the ILO from your PC? How do you launch the program?
 
andyalder Commented:
If running Windows there's a PowerShell script at http://h30499.www3.hp.com/t5/ITRC-Remote-Lights-Out-Mgmt-iLO/Mass-iLO-Audit/td-p/4469687#.UpjYrOL6Tpc to do a mass configuration of the servers using hponcfg /f <filename.xml>

You can run hponcfg /w and get the current settings of one of them, then use that as the basis of your config file that you want to upload to all of them, you'll have to strip out lines such as <IP_ADDRESS VALUE = "x.x.x.x"/> or you'll set every one to the same address. There may be additional users on some of them though and hponcfg /f iloconfig.xml only adds users, it doesn't remove unknown ones so hponcfg /r can be used to reset them all to default which will delete all of the users except for Administrator.

You use a web browser to the iLO ip address to access it, it will probably install its preferred version of Java onto your PC first time you connect.
0
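
The template step described in the post above (export one iLO with hponcfg /w, strip the per-host address, push the result with hponcfg /f), as an added PowerShell example that is not part of the thread or of HP's tooling. The function name, the sample element names and the 192.0.2.10 address are constructed; only the IP_ADDRESS line format comes from the post.

```powershell
# Added example: turn one "hponcfg /w" export into a template that can be
# pushed to many iLOs without giving them all the same address.
function ConvertTo-IloTemplate {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $ExportLines,
        # IP_ADDRESS is the element named in the thread; extending the list
        # with other per-host elements from your own export is an assumption.
        [string[]] $HostSpecificTags = @('IP_ADDRESS')
    )

    # Matches a self-closing element such as: <IP_ADDRESS VALUE = "x.x.x.x"/>
    $names   = ($HostSpecificTags | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pattern = "^\s*<($names)\s+VALUE\s*=\s*`"[^`"]*`"\s*/>\s*`$"

    $kept    = @($ExportLines | Where-Object { $_ -notmatch $pattern })
    $removed = @($ExportLines | Where-Object { $_ -match $pattern })

    # Guard: if a listed tag survives, it was written in a form the pattern
    # did not expect; stop rather than push one host's value to every server.
    $leftover = @($kept | Where-Object { $_ -match "<($names)\b" })
    if ($leftover.Count -gt 0) {
        throw "Host-specific element still present: $($leftover[0].Trim())"
    }

    [pscustomobject]@{ Template = $kept; Removed = $removed }
}

# Constructed sample: only the IP_ADDRESS line follows the thread; the other
# element names are placeholders, not real hponcfg output.
$sample = @(
    '<EXAMPLE_SETTINGS>',
    '  <IP_ADDRESS VALUE = "192.0.2.10"/>',
    '  <EXAMPLE_OPTION VALUE = "Y"/>',
    '</EXAMPLE_SETTINGS>'
)

$result = ConvertTo-IloTemplate -ExportLines $sample
$result.Removed    # the single IP_ADDRESS line that was stripped
$result.Template   # the remaining three lines, ready to save as iloconfig.xml
```

For a real export, pass the file contents with Get-Content and review the Removed list before saving the template.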
 
tliotta Commented:
> ...any idea how they could get this evidence?

For any such request from an auditor, the auditor needs to tell you what they expect and accept. Ask them. We have no way to know what they need. Different auditors have different expectations. Different kinds of auditors have different needs.

Tom
 
pma111 (Author) Commented:
andyalder,

Do you happen to have a sample output of that script? What specific parameter will show the password value?
 
Ram Balachandran Commented:
Hi,

I mentioned ILO in a different context and now it looks like we are discussing it from a different angle.

The point here is - you can always use a BIOS password for additional security - but make sure you have a strong UNIQUE password - and it should not be disclosed to unauthorised persons.

ILO does not have anything to do with the BIOS password.

You can always install an ILO Adapter [ Hardware ] and configure a password so that technicians in the remote location can see/configure BIOS if required. BIOS of the Server will be accessible via Browser.
 
andyalder Commented:
iLOs have been on the motherboard for at least 10 years.

Some sample XML scripts for setting at http://setspn.blogspot.co.uk/2009/01/hp-c-class-blades-bulk-ilo.html although hponcfg /w will get your current settings.
 
pma111 (Author) Commented:
So will the output of hponcfg /w show whether the server has a password or not?
 
andyalder Commented:
I think so but I'm not sure if it's in plain text or encrypted which is why I suggested setting the iLO to default and then setting it to some secure password.
 
pma111 (Author) Commented:
Do you have access to any HP ProLiants to check?

I don't have access to any so could do with someone who could demonstrate this.
 
andyalder Commented:
Sorry, I don't have access to one any more except when I visit customers.
 
pma111 (Author) Commented:
Does anyone else?