iLO security setting recommendations

Hewlett Packard Enterprise recommends the following iLO security settings. For details about these settings, see the iLO 5 online help or the HPE iLO 5 User Guide. If a setting is not listed with a recommendation, determine the appropriate value based on your environment and security priorities.

Security Dashboard

Monitor all the security parameters without setting the Ignore option (default).

Remote Console security
  • Enable Remote Console Computer Lock and, optionally, configure a custom computer lock key sequence.

  • Enable the IRC requires a trusted certificate in iLO option, which launches the .NET IRC over an HTTPS connection.

Local user account controls

Configure up to 12 local user accounts, with a range of individual user privilege settings to support the security principle of least access.

Directory group account controls

Configure up to six directory groups to use with Kerberos authentication or schema-free directory integration.

Key management

Use an optional key manager to generate, store, serve, control, and audit access to data encryption keys. It enables you to protect and preserve access to business-critical, sensitive, data-at-rest encryption keys.

Firmware verification

Configure the Enable Background Scan option and choose the Integrity Failure Action.

Server access settings
  • Server Name—Leave this value blank and let the host OS assign it.

  • Server FQDN/IP Address—Leave this value blank and let the host OS assign it.

Account Service access settings
  • Authentication Failures Before Delay—One failure causes no delay (default)

  • Authentication Failure Delay Time—Ten seconds (default)

  • Authentication Failure Logging—Enabled-Every Failure

  • Minimum Password Length—Eight characters (default)

  • Password Complexity—Enabled

iLO access settings
  • Downloadable Virtual Serial Port Log—Disabled (default)

  • Idle Connection Timeout (minutes)—30 minutes (default)

  • iLO Functionality—Enabled (default)

  • iLO RIBCL Interface—Enabled (default)

    Hewlett Packard Enterprise recommends using the iLO RESTful API.

  • iLO ROM-Based Setup Utility—Enabled (default)

  • iLO Web Interface—Enabled (default)

  • Remote Console Thumbnail—Disabled

  • Require Host Authentication—Enabled

    The default value depends on the configured security state:

    • Production mode—Disabled by default.

    • High Security—Enabled by default.

    • FIPS or CNSA—Enabled by default and cannot be disabled.

  • Require Login for iLO RBSU—Enabled

  • Serial Command Line Interface Status—Enabled-Authentication Required (default)

    You must also set the Serial Command Line Interface Speed.

  • Show iLO IP during POST—Enabled (default)

  • Show Server Health on External Monitor—Enabled (default)

  • VGA Port Detect Override—Enabled (default)

  • Virtual NIC—Disabled

    The default setting in most versions of iLO is Disabled. In iLO 5 v2.10, the default setting is Enabled. When you reset iLO to the factory default settings, the Virtual NIC setting returns to the default setting for the installed version of iLO. Firmware upgrades or downgrades do not affect this setting.

Network access settings
  • Anonymous Data—Enabled (default)

  • IPMI/DCMI over LAN—Disabled (default, includes port setting)

  • Remote Console—Enabled (default, includes port setting)

  • Secure Shell (SSH)—Enabled (default, includes port setting)

  • SNMP—Disabled (includes port settings)

    This setting is disabled automatically when you enable a security state higher than Production or High Security.

  • Virtual Media—Enabled (default, includes port setting)

  • Virtual Serial Port Log Over CLI—Disabled (default)

  • Web Server—Enabled (default, must set non-SSL and SSL ports)

    If disabled, access is removed for RIBCL, iLO RESTful API, remote console, iLO Federation, and the iLO web interface.

  • 802.1X Support—Enabled
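As an added audit example (not HPE's code), the following Python checks an iLO settings dump, in the JSON shape returned by the iLO RESTful API, against the Account Service access settings and Network access settings recommended above. The sample document is constructed; its network keys follow the DMTF ManagerNetworkProtocol schema, while the Oem.Hpe account-service key names and the meaning of logging threshold 1 are assumptions to verify against your iLO's schema.

```python
"""Audit an iLO 5 settings dump against this page's account and network recommendations."""
import json

# Constructed sample, not a capture from a real iLO. Network keys follow the DMTF
# ManagerNetworkProtocol schema; the Oem.Hpe account keys are assumed names.
SAMPLE = json.loads("""{
  "NetworkProtocol": {
    "IPMI": {"ProtocolEnabled": true, "Port": 623},
    "SNMP": {"ProtocolEnabled": true, "Port": 161},
    "HTTPS": {"ProtocolEnabled": true, "Port": 443}
  },
  "AccountService": {"Oem": {"Hpe": {
    "MinPasswordLength": 8, "EnforcePasswordComplexity": false,
    "AuthFailureLoggingThreshold": 3, "AuthFailureDelayTimeSeconds": 10,
    "AuthFailuresBeforeDelay": 1
  }}}
}""")

# (dotted path, comparison, recommended value, label) taken from the lists above.
# Logging threshold 1 is assumed to correspond to "Enabled-Every Failure".
CHECKS = [
    ("NetworkProtocol.IPMI.ProtocolEnabled", "eq", False, "IPMI/DCMI over LAN disabled"),
    ("NetworkProtocol.SNMP.ProtocolEnabled", "eq", False, "SNMP disabled"),
    ("NetworkProtocol.HTTPS.ProtocolEnabled", "eq", True, "Web server enabled"),
    ("AccountService.Oem.Hpe.MinPasswordLength", "ge", 8, "Minimum password length >= 8"),
    ("AccountService.Oem.Hpe.EnforcePasswordComplexity", "eq", True, "Password complexity enabled"),
    ("AccountService.Oem.Hpe.AuthFailureLoggingThreshold", "eq", 1, "Log every auth failure"),
    ("AccountService.Oem.Hpe.AuthFailureDelayTimeSeconds", "ge", 10, "Failure delay >= 10 s"),
]

def lookup(doc, path):
    # Walk a dotted path; a missing key yields None so it is reported, not crashed on.
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def audit(doc, checks=CHECKS):
    """Return (label, actual, passed) for every check; a missing value never passes."""
    out = []
    for path, op, want, label in checks:
        got = lookup(doc, path)
        ok = got is not None and (got == want if op == "eq" else got >= want)
        out.append((label, got, ok))
    return out

def findings(doc, checks=CHECKS):
    # Labels of the failed checks, i.e. the settings that still need changing.
    return [label for label, _, ok in audit(doc, checks) if not ok]
```

Run `findings(SAMPLE)` against a dump pulled from each iLO to get the list of settings that deviate from the recommendations; extend CHECKS with the other list items once you have confirmed their property names in your firmware's schema.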

Update service settings
  • Downgrade Policy—Allow downgrades (default)

    CAUTION:

    Review the options in the HPE iLO 5 User Guide before you modify this setting.

  • Accept 3rd Party Firmware Update Packages—Disabled

iLO Service Port
  • iLO Service Port—Enabled (default)

  • USB flash drives—Disabled

  • Require authentication—Enabled

  • USB Ethernet adapters—Disabled

Secure Shell Key

Using SSH keys provides better security than simple password authorization.

Keys must be 2048-bit DSA or RSA (or ECDSA 384-bit keys in the CNSA security state).

Authorized certificates for smart card or CAC environment

Each local user account must have an associated certificate.

Using a smart card with certificates provides better security than simple password authentication.

CAC/Smartcard settings:
  • CAC Smartcard Authentication—Enabled (requires an iLO Advanced license)

  • CAC Strict Mode—(Optional) Enabled

  • Directory User Certificate Name Mapping—When using directory integration, select the correct option according to your user certificate.

  • Import Trusted CA Certificates and revocation list—At least one trusted CA certificate must be installed, along with a revocation list.

  • OCSP Settings—Enter the URL of an accepted OCSP provider to check user certificates for authentication.

SSL certificates

Install a trusted SSL certificate for each iLO. Default self-signed certificates are not secure.

Security State

High Security (minimum)

Single sign-on

SSO Trust Mode—Trust by Certificate

Some HPE applications may not successfully use SSO when the iLO 5 security state is set to High Security and above. See your application documentation for more information.