iLO security guidelines

When you set up and use iLO, consider the following guidelines for maximizing security. For information about configuring these options, see the HPE iLO 5 User Guide at the following website: https://www.hpe.com/support/ilo5-ug-en.

Dedicated management network

Set up iLO on a dedicated management network.

Hewlett Packard Enterprise recommends establishing a private management network that is separate from your data network. Configure the management network so that it can be accessed only by administrators.

If you connect iLO devices to a shared network, consider the iLO devices as separate servers and include them in security and network audits.

Internet connection

Do not connect iLO directly to the Internet.

The iLO processor is a management and administration tool, not an Internet gateway. Connect to the Internet by using a corporate VPN that provides firewall protection.

IMPORTANT:

Change the iLO user account passwords immediately if iLO has been connected directly to the Internet.

SSL certificate

Replace the default self-signed certificate by installing an SSL certificate that is signed by a Certificate Authority (CA).

Trusted CA certificates

Install trusted CA certificates to enable certificate validation for external services such as LDAP.

Passwords

Follow the Password guidelines.

Depending on the configured Minimum Password Length value, the password can have a minimum of zero characters (no password) and a maximum of 39 characters. Hewlett Packard Enterprise recommends using a Minimum Password Length of eight or more characters. The default value is eight characters.

IMPORTANT:

Do not set the Minimum Password Length to fewer than eight characters unless you have a physically secure management network that does not extend outside the secure data center.

User account privileges

Instead of creating user accounts with all privileges, create multiple accounts with fewer privileges.

Firmware updates

Keep your iLO and server firmware up to date.

Authentication

Use an authentication service (for example, Active Directory or OpenLDAP), preferably with two-factor authentication.

This feature allows authentication and authorization using the same login process throughout the network. It provides a way to control multiple iLO devices simultaneously. Directories provide role-based access to iLO with specific roles and privileges based on time and location.

Implement two-factor authentication to provide additional security, especially when you make connections remotely or outside the local network.

Protect SNMP traffic

Reset the community strings according to the same guidelines as the administrative passwords. Also set firewalls or routers to accept only specific source and destination addresses. Disable SNMP at the server if you do not need it.

Port and protocol settings

Disable ports and protocols that you do not use (for example, SNMP or IPMI/DCMI over LAN).

Use HTTPS for the .NET remote console

To configure this option, install a trusted SSL certificate that is signed by a Certificate Authority (CA) and enable the IRC requires a trusted certificate in iLO setting.

Unused features

Disable features that you do not use (for example, remote console).

Lock the server OS console

Configure the remote console to automatically lock the server OS console.

Security state

Configure a higher security state such as High Security, FIPS, or CNSA.

Configuration utilities

Disable the iLO 5 Configuration Utility in the UEFI System Utilities or configure iLO to require login credentials when users access it.

Log authentication failures

Configure iLO to log authentication failures.

Firmware verification

Enable firmware verification scans.

Security Dashboard and Security Log

Use the Security Dashboard and Security Log to monitor security risks and recommendations.

Host authentication

Enable the Require Host Authentication feature.

Firmware downgrade policy

Set the Downgrade Policy to Downgrade requires Recovery Set privilege.

Recovery Set

Keep the Recovery Set up to date.

HTTP connections

Configure iLO to avoid access over an HTTP connection.

To configure this behavior, install a trusted SSL certificate that is signed by a Certificate Authority (CA) and enable the IRC requires a trusted certificate in iLO setting.

In this configuration, when you access the iLO web interface, iLO returns an HTTP Strict Transport Security (HSTS) flag in the response header, which enables the browser to automatically redirect any HTTP request to HTTPS.