Security guidelines

When you set up and use iLO, consider the following guidelines for maximizing security:

  • Set up iLO on a dedicated management network.

    Hewlett Packard Enterprise recommends establishing a private management network that is separate from your data network. Configure the management network so that it can be accessed only by administrators.

    If you connect iLO devices to a shared network, consider the iLO devices as separate servers and include them in security and network audits.

  • Do not connect iLO directly to the Internet.

    The iLO processor is a management and administration tool, not an Internet gateway. Connect to the Internet by using a corporate VPN that provides firewall protection.

    IMPORTANT:

    Change the iLO user account passwords immediately if iLO has been connected directly to the Internet.

  • Replace the default self-signed certificate by installing an SSL certificate that is signed by a Certificate Authority (CA).

    You can perform this task on the SSL Certificate Information page.

  • Install trusted CA certificates to enable certificate validation for external services such as LDAP.

  • Change the password for your user accounts, including the default user account.

    Change the iLO management passwords according to the same guidelines as the server administrative passwords.

    You can perform this task on the User Administration page.

    IMPORTANT:

    Follow the iLO user account password guidelines when you create and update user accounts.

  • Instead of creating user accounts with all privileges, create multiple accounts with fewer privileges.

  • Keep your iLO and server firmware up to date.

  • Implement two-factor authentication.

    This feature provides additional security, especially when you make connections remotely or outside the local network.

  • Protect SNMP traffic.

    Reset the community strings according to the same guidelines as the administrative passwords. Also set firewalls or routers to accept only specific source and destination addresses. Disable SNMP at the server if you do not need it.

  • Disable ports and protocols that you do not use (for example, SNMP or IPMI/DCMI over LAN).

    You can perform this task on the Access Settings page.

  • Disable features that you do not use (for example, remote console).

    You can perform this task on the Access Settings page.

  • Configure iLO to log authentication failures.

    You can perform this task on the Access Settings page.

  • Use the Security Log to monitor security-related events.

  • Enable the Require Host Authentication feature.

    You can perform this task on the Access Settings page.

  • Keep the Recovery Set up to date.
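
The first two guidelines (dedicated management network, no direct Internet connection) can be checked against an inventory of iLO addresses. The following Python sketch is an added example, not HPE code; the management subnet, host names and addresses are constructed assumptions, and 203.0.113.9 is a documentation address standing in for a public one.

```python
import ipaddress

# Assumption: the site's dedicated management subnet(s); not from the guidelines.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: host name -> iLO address.
INVENTORY = {
    "ilo-db01": "10.20.0.11",     # inside the management subnet
    "ilo-web01": "192.168.5.40",  # private, but on a shared network
    "ilo-edge01": "203.0.113.9",  # stands in for a public address
    "ilo-old02": "10.20.0.300",   # typo in the inventory
}

# Follow-up per finding, worded after the guidelines above.
ACTIONS = {
    "shared": "treat as a separate server; include in security and network audits",
    "public": "remove direct Internet exposure; change iLO account passwords",
    "invalid": "fix the inventory entry and re-run the audit",
}

def classify(addr):
    """Return 'management', 'shared', 'public' or 'invalid' for one address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in MGMT_NETS):
        return "management"
    if any(ip in net for net in RFC1918):
        return "shared"
    # Anything else (including IPv6, which this sketch does not model)
    # is reported for review as potentially Internet-reachable.
    return "public"

def audit(inventory):
    """List (host, address, status, action) for every iLO off the management net."""
    findings = []
    for host, addr in sorted(inventory.items()):
        status = classify(addr)
        if status != "management":
            findings.append((host, addr, status, ACTIONS[status]))
    return findings

if __name__ == "__main__":
    for host, addr, status, action in audit(INVENTORY):
        print(f"{host:12} {addr:15} {status:8} {action}")
```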