iDRAC9 Security Configuration Guide
1 Overview of iDRAC9 Security Configuration Guide

Dell EMC PowerEdge servers have featured robust security for several generations, including the innovation of using silicon-based data security. As a key management component in Dell EMC PowerEdge servers, the integrated Dell Remote Access Controller (iDRAC) offers industry-leading security features that adhere to and are certified against well-known NIST standards, Common Criteria, and FIPS 140-2.
2 Built in iDRAC and PowerEdge Security

The iDRAC boot process uses its own independent silicon-based Root-of-Trust that verifies the iDRAC firmware image. The iDRAC Root-of-Trust also provides a critical trust anchor for authenticating the signatures of Dell EMC firmware update packages (DUPs).

Silicon-based Root-of-Trust

14th generation PowerEdge servers (both Intel- and AMD-based) now use an immutable, silicon-based Root-of-Trust to cryptographically attest to the integrity of the BIOS and iDRAC firmware.
SELinux

SELinux is based on a defense-in-depth design, with multiple layers of protection and functionality to help secure this critical system component. SELinux is a core Linux security technology that is merged into the standard Linux kernel. SELinux has been gaining adoption within many Linux distributions; Red Hat Enterprise Linux (RHEL) was one of the first adopters, and other Linux distributions followed.
• Auto recovery of BIOS primary image/recovery image — The BIOS image is recovered automatically during the host boot process after BIOS corruption is detected by Intel Boot Guard or by the BIOS itself.
• Forced recovery of BIOS primary/recovery image — The user initiates an out-of-band (OOB) request to update the BIOS, either because they have a new updated BIOS or because the BIOS fails to boot or crashes.
• Primary BIOS ROM update — The single Primary ROM is split into a Data ROM and a Code ROM. iDRAC has full access to and control over the Code ROM.
3 Securely Configuring iDRAC Web Server

One of the most widely used interfaces offered in iDRAC is the web server, which supports remote RACADM, Redfish, WS-Man, and iDRAC GUI communication. The web server includes various configurable security settings to meet user security requirements, such as HTTPS redirection, encryption strength, the TLS protocol version, and filtering of the available TLS cipher suites. Below are the recommended configurations to maximize the security of iDRAC's web server.
1. Go to iDRAC Settings > Services.
2. Click the Services tab and then click Web Server.
3. In the TLS Protocol drop-down, select TLS 1.2 and click Apply.

Configuring Encryption Strength

iDRAC offers four encryption strength configurations. By default, iDRAC is configured to use an encryption strength of 128-bit or higher. The recommended secure configuration is 256-bit or higher.
Setting Cipher Suite Selection using the iDRAC GUI

To set ciphers in the iDRAC GUI, go to iDRAC Settings > Services > Web Server. If you would like to block more than one cipher, use a colon, space, or comma as a separator.
4 Securely Using TLS/SSL Certificate

The iDRAC web server uses a TLS/SSL certificate to establish and maintain secure communications with remote clients. Web browsers and command-line utilities, such as RACADM and WS-Man, use this TLS/SSL certificate for server authentication and for establishing an encrypted connection. There are several options available to secure the network connection using a TLS/SSL certificate. iDRAC's web server has a self-signed TLS/SSL certificate by default.
5 Federal Information Processing Standards (FIPS)

FIPS is a system security standard that United States government agencies and contractors must use. Starting from version 2.40.40.40, iDRAC supports enabling FIPS mode. iDRAC supports FIPS 140-2 certified operation modes. Enabling FIPS mode results in iDRAC using a certified FIPS module for cryptographic functionality.
6 Secure Shell (SSH)

SSH, or Secure Shell, is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution. On iDRAC, SSH can be used to run RACADM commands. It provides the same capabilities as the legacy Telnet console (deprecated in iDRAC9 4.40.00.00), using an encrypted transport layer for higher security. The SSH service is enabled by default on iDRAC.
diffie-hellman-group-exchange-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group14-sha256

Encryption
chacha20-poly1305@openssh.com
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com

MAC
umac-128-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-sha1-etm@openssh.com
umac-128@openssh.
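The lists above fix what iDRAC's SSH service can negotiate, but which entry is actually used depends on the client's own preference order: by the SSH rule (RFC 4253 section 7.1) the first algorithm in the client's list that the server also supports wins, so a client that still lists a SHA-1 MAC first will get it even though iDRAC also offers SHA-2 MACs. The following example was added for this edit and is not Dell's code; the three algorithm sets are copied from the lists above, and the `Host idrac-*` pattern in the generated ssh_config stanza is an assumption.

```python
# Added example, not from Dell or the guide. The three sets below are the
# algorithms the guide lists for iDRAC's SSH service; the negotiation rule
# is RFC 4253 section 7.1: the first entry in the CLIENT's preference list
# that the server also supports wins.

IDRAC_KEX = {
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
}
IDRAC_CIPHERS = {
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
}
IDRAC_MACS = {
    "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com",
    "umac-128@openssh.com",
}

# Pinned client subset used by ssh_config_stanza(): SHA-2 key exchange,
# 256-bit/ChaCha20 ciphers, SHA-2 or UMAC MACs in encrypt-then-MAC mode.
PINNED_KEX = ["diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512",
              "diffie-hellman-group-exchange-sha256"]
PINNED_CIPHERS = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"]
PINNED_MACS = ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
               "umac-128-etm@openssh.com"]


def negotiate(client_prefs, server_algs):
    """Return the first client-preferred algorithm the server offers, else None."""
    for alg in client_prefs:
        if alg in server_algs:
            return alg
    return None


def audit_client(client_kex, client_ciphers, client_macs):
    """Simulate KEX, cipher and MAC negotiation against iDRAC; return (chosen, findings)."""
    chosen = {
        "kex": negotiate(client_kex, IDRAC_KEX),
        "cipher": negotiate(client_ciphers, IDRAC_CIPHERS),
        "mac": negotiate(client_macs, IDRAC_MACS),
    }
    findings = []
    for name, alg in chosen.items():
        if alg is None:
            findings.append(f"{name}: no algorithm in common with iDRAC, connection fails")
    if chosen["mac"] and "sha1" in chosen["mac"]:
        findings.append("mac: SHA-1 MAC negotiated; pin MACs in ssh_config to SHA-2/UMAC")
    if chosen["mac"] and not chosen["mac"].endswith("-etm@openssh.com"):
        findings.append("mac: MAC-then-encrypt variant negotiated; prefer an -etm MAC")
    return chosen, findings


def ssh_config_stanza(host_pattern="idrac-*"):
    """ssh_config lines restricting the client to the pinned subset (host pattern assumed)."""
    return "\n".join([
        f"Host {host_pattern}",
        "    KexAlgorithms " + ",".join(PINNED_KEX),
        "    Ciphers " + ",".join(PINNED_CIPHERS),
        "    MACs " + ",".join(PINNED_MACS),
    ])


if __name__ == "__main__":
    # Constructed client preference lists: an old default that still lists a
    # SHA-1 MAC first, followed by the pinned configuration.
    print(audit_client(
        ["diffie-hellman-group14-sha256", "diffie-hellman-group1-sha1"],
        ["aes128-ctr", "aes256-ctr"],
        ["hmac-sha1-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
    ))
    print(audit_client(PINNED_KEX, PINNED_CIPHERS, PINNED_MACS))
    print(ssh_config_stanza())
```

Running the block shows the first (legacy) client settling on hmac-sha1-etm@openssh.com, and the pinned stanza producing no findings; the stanza can be dropped into a management workstation's ~/.ssh/config so that every iDRAC session uses the same hardened subset.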
7 Network Security Configuration

iDRAC provides optional networking interfaces that can be used for connection and management. As a security best practice, it is recommended to disable networking interfaces that are unused.
Dedicated NIC and Shared LOM

The most secure network connection is the iDRAC's Dedicated NIC, because it can be connected to a network that is physically separated from the production network. This physically segregates the iDRAC management traffic from the production network traffic. If use of the iDRAC's Dedicated NIC is not feasible for any reason, the iDRAC can be run in Shared LOM mode with a VLAN enabled, but the iDRAC's management traffic is then sent across the same wire as the production network traffic.
The provisioning server works with a static IP address. The auto-discovery feature on the iDRAC is used to find the provisioning server using DHCP, unicast DNS, or mDNS.
• When iDRAC has the console address, it sends its own Service Tag, IP address, Redfish port number, web certificate, etc. This information is periodically published to consoles.
• DHCP, the DNS server, or the default DNS hostname discovers the provisioning server.
3. From the USB XML Configuration drop-down menu in the iDRAC management interface, select one of the following options to configure a server by importing XML configuration files stored on a USB drive:
   • Disabled
   • Enabled only when server has default credential settings
   • Enabled
   For information about the fields, see the iDRAC Online Help.
4. Click Apply to apply the settings.
8 Interfaces and Protocols to Access iDRAC

The following table lists the interfaces to access iDRAC:

Table 4. Interfaces and protocols to access iDRAC

Interface or Protocol: iDRAC Settings Utility (F2)
Description: Use the iDRAC Settings utility to perform pre-OS operations. It has a subset of the features that are available in the iDRAC web interface, along with other features. To access the iDRAC Settings utility, press F2 during boot and then click iDRAC Settings on the System Setup Main Menu page.
Interface or Protocol: WSMan
Description: The LC-Remote Service is based on the WSMan protocol to do one-to-many systems management tasks. You must use a WSMan client such as the WinRM client (Windows) or the OpenWSMan client (Linux) to use the LC-Remote Services functionality. You can also use PowerShell or Python to script against the WSMan interface. Web Services for Management (WSMan) is a Simple Object Access Protocol (SOAP)-based protocol that is used for systems management.
9 iDRAC Port Configuration

The following table lists the ports that are required to remotely access iDRAC through a firewall. These are the default ports iDRAC listens on for connections. Optionally, you can modify most of the ports. To modify ports, see Configuring services on page 93.

Table 5.
NOTE: When node-initiated discovery or Group Manager is enabled, iDRAC uses mDNS to communicate through port 5353. However, when both are disabled, port 5353 is blocked by iDRAC's internal firewall and appears as an open|filtered port in port scans.

514  UDP  Remote syslog  Yes  None

Ports internally used by iDRAC (these cannot be changed by the end user and cannot be used for other purposes).
Configuring Services using Web Interface

You can configure and enable the following services on iDRAC:
• Local Configuration
• Web Server
• SEKM Configuration
• SSH
• Telnet (Telnet is removed from iDRAC firmware 4.40.00.00 and forward)
• Remote RACADM
• SNMP Agent
• Automated System Recovery Agent
• Redfish

To configure the services using the iDRAC Web interface:
1. In the iDRAC Web interface, go to iDRAC Settings > Services. The Services page is displayed.
2.
10 IPMI and SNMP Security Best Practices

iDRAC has multiple options for secure connection and management. Users can configure IPMI and SNMP, which are protocols that have known security limitations. If these protocols are necessary, below are the security recommendations to minimize potential risk.

SNMP Security Best Practices

iDRAC supports SNMP v2/v3 for information gathering, alerting, and configuration. The SNMP protocol can potentially leak sensitive information if configured improperly.
MD5 and SHA1 are the most commonly used key types, since they meet basic security needs and provide millisecond-level time accuracy with time servers within the company infrastructure. In theory, any encryption type that is supported by OpenSSL can be used for symmetric keys, but stronger key types can result in higher CPU usage and higher latency in processing the time data.

Secure NTP Configuration

The iDRAC group and property name to enable NTP is "NTPConfigGroup.NTPEnable".
racadm set idrac.ntpconfiggroup.NTP2SecurityType 2
racadm set idrac.ntpconfiggroup.NTP2SecurityKeyNumber 17
racadm set idrac.ntpconfiggroup.ntp3 100.64.24.26
racadm set idrac.ntpconfiggroup.NTP3SecurityKey carlos
racadm set idrac.ntpconfiggroup.NTP3SecurityType MD5
racadm set idrac.ntpconfiggroup.NTP3SecurityKeyNumber 13

Example showing a RACADM script to disable secure NTP (the default configuration in iDRAC):

racadm set idrac.ntpconfiggroup.NTPEnable 0
racadm set idrac.ntpconfiggroup.ntp1 ""
racadm set idrac.
11 Secure Enterprise Key Manager (SEKM) Security

The OpenManage SEKM enables you to use an external Key Management Server (KMS) to manage keys that can then be used by iDRAC to lock and unlock storage devices on a Dell EMC PowerEdge server. iDRAC requests the KMS to create a key for each storage controller, and then fetches and provides that key to the storage controller on every host boot so that the storage controller can then unlock the SEDs.
NOTE: For enabling SEKM, ensure that the supported PERC firmware is installed.
• Only TLS 1.2 is supported for SEKM.
• You cannot downgrade the PERC firmware to the previous version if SEKM is enabled. Downgrading of other PERC controller firmware in the same system which is not in SEKM mode may also fail. To downgrade the firmware for the PERC controllers that are not in SEKM mode, you can use the OS DUP update method, or disable SEKM on the controllers and then retry the downgrade from iDRAC.
12 iDRAC9 Group Manager

The iDRAC Group Manager feature makes basic server management tasks simple. With an iDRAC9 Enterprise license, Group Manager provides integrated, one-to-many monitoring and inventory of local iDRACs and their associated 14th generation PowerEdge servers. It is ideal for small and midsized users who do not want to install and maintain a separate monitoring console. Only iDRAC admin users can access the Group Manager functionality.
• 5670 (Multicast group communication)
• C000 -> F000: dynamically identifies one free port for each member to communicate in the group

NOTE: Security scanners flag Group Manager's usage of mDNS on the IPv6 link-local network to discover neighbor iDRACs. iDRAC sends the group name, Service Tag, and IPv6 address in the mDNS record.

Group Manager Security Best Practices
• Use the dedicated iDRAC network port to limit what has access to the Group.
13 Virtual Console and Virtual Media Security

You can use the virtual console to manage a remote system using the keyboard, video, and mouse on your management station to control the corresponding devices on a managed server. This is a licensed feature for rack and tower servers. It is available by default in blade servers. You can launch the virtual console in a supported web browser by using the Java, ActiveX, or eHTML5 plug-in.
• After confirming that the certificate is trusted, the user should confirm that the "Publisher" is Dell Inc. and that the "Locations" match the intended iDRAC IP or FQDN.
14 VNC Security

The VNC feature can be enabled and configured on iDRAC to manage the remote server using both desktop and mobile devices such as Dell Wyse PocketCloud. The VNC viewer can connect to the OS/hypervisor on the server and provide access to the keyboard, video, and mouse of the host server. Before launching the VNC client, you must enable the VNC server and configure the VNC server settings in iDRAC, such as the password, VNC port number, SSL encryption, and the time-out value.
15 User Configuration and Access Control

You can set up user accounts with specific privileges (role-based authority) to manage your system using iDRAC and maintain system security. By default, iDRAC is configured with a local administrator account. The default iDRAC username and unique password are provided on the system badge, unless default credentials were specified at the time of purchase, in which case iDRAC is configured with the default password.
iDRAC User Roles and Privileges

The iDRAC role and privilege names have changed from earlier generations of servers. The role names are shown in the table below.

Table 7.
Table 8. Recommended characters for usernames

Characters: 0-9, A-Z, a-z, -!#$%&()*;?[\]^_`{|}~+<=>
Length: 1–16

Table 9. Recommended characters for passwords

Characters: 0-9, A-Z, a-z, '-!"#$%&()*,./:;?@[\]^_`{|}~+<=>
Length: 1–40

NOTE: You may be able to create usernames and passwords that include other characters. However, to ensure compatibility with all interfaces, Dell Technologies recommends using only the characters that are listed here.
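Tables 8 and 9 can be enforced before an account request ever reaches iDRAC, for instance in a provisioning script that creates iDRAC users from a ticketing system. The following example was added for this edit and is not Dell's code; it encodes the two tables literally (the character sets and the 1–16 / 1–40 length limits) and reports every way a proposed username or password deviates from them, so that a value which iDRAC might accept but which would break on some interface is caught early.

```python
import string

# Added example, not from Dell or the guide. Character sets and length limits
# are copied from Table 8 (usernames) and Table 9 (passwords) above.
USERNAME_SPECIALS = r"-!#$%&()*;?[\]^_`{|}~+<=>"
PASSWORD_SPECIALS = r"""'-!"#$%&()*,./:;?@[\]^_`{|}~+<=>"""
ALNUM = set(string.digits + string.ascii_letters)

# kind -> (allowed character set, minimum length, maximum length)
RULES = {
    "username": (ALNUM | set(USERNAME_SPECIALS), 1, 16),
    "password": (ALNUM | set(PASSWORD_SPECIALS), 1, 40),
}


def check_value(kind, value):
    """Return a list of problems; empty when the value meets the guide's table."""
    allowed, lo, hi = RULES[kind]
    problems = []
    if not lo <= len(value) <= hi:
        problems.append(f"{kind} length {len(value)} is outside {lo}-{hi}")
    unsupported = sorted(set(value) - allowed)
    if unsupported:
        problems.append(f"{kind} uses characters not recommended for all interfaces: "
                        + "".join(unsupported))
    return problems


def check_username(username):
    return check_value("username", username)


def check_password(password):
    return check_value("password", password)


def check_account(username, password):
    """Combined check for a provisioning script; returns all problems found."""
    return check_username(username) + check_password(password)


if __name__ == "__main__":
    # Constructed inputs: '@' is allowed in passwords (Table 9) but not in
    # usernames (Table 8); a space is allowed in neither.
    for name, pw in [("ops-admin", "Tr0ub4dor&3"),
                     ("ops@corp", "has a space"),
                     ("a" * 17, "x" * 41)]:
        print(name, "->", check_account(name, pw) or "ok")
```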
A warning message is also displayed when you log in to iDRAC using SSH, Telnet, remote RACADM, or the Web interface. For the Web interface, SSH, and Telnet, a single warning message is displayed for each session. For remote RACADM, the warning message is displayed for each command. When you log in to the iDRAC web interface, if the Default Password Warning page is displayed, you can change the password. To do this:
1. Select the Change Default Password option.
2.
• The document goes through how to configure iDRAC9 to enable RSA SecurID 2FA for local users, and for Active Directory and LDAP users.

Active Directory

If your company uses Microsoft Active Directory, you can configure it to provide access to iDRAC, allowing you to add and control iDRAC user privileges for the existing users in your directory service. This is a licensed feature. You can configure user authentication through Active Directory to log in to the iDRAC.
LDAP

iDRAC provides a generic solution to support Lightweight Directory Access Protocol (LDAP)-based authentication. This feature does not require any schema extension on your directory services. To make the iDRAC LDAP implementation generic, the commonality between different directory services is used to group users and then map the user-group relationship. The directory service-specific action is the schema.
16 System Lockdown Mode

System Lockdown mode helps prevent unintended changes after a system is provisioned. This feature can help protect the system from unintentional or malicious changes. Lockdown mode applies to both configuration and firmware updates. When the system is locked down, any attempt to change the system configuration is blocked. If any attempt is made to change critical system settings, an error message is displayed.
17 Securely Configuring BIOS System Security

iDRAC allows the user to configure the options under System Security in the BIOS, such as power, system, or setup passwords, and Secure Boot policies.

NOTE: This is a BIOS option, but iDRAC can also configure BIOS settings.

To update the System Security settings:
1. Go to Configuration > BIOS Settings > System Security.
2. Select the necessary security configurations and set them to the required values.
3. Click Apply.
• UEFI drivers that are loaded from PCIe cards
• UEFI drivers and executables from mass storage devices
• Operating system boot loaders

NOTE: Secure Boot is not available unless the Boot Mode (in the Boot Settings menu) is UEFI.
NOTE: Secure Boot is not available unless the "Load Legacy Video Option ROM" setting (in the Miscellaneous Settings menu) is disabled.
NOTE: A Setup password is recommended to be enabled for Secure Boot.
18 Secure Boot Configuration

UEFI Secure Boot is a technology that eliminates a major security gap that may occur during the handoff between the UEFI firmware and the UEFI operating system (OS). In UEFI Secure Boot, each component in the chain is validated and authorized against a specific certificate before it can load or run. Secure Boot removes this threat by providing software identity checking at every step of the boot: platform firmware, option cards, and the OS boot loader.
19 Securely Erasing Data

Data security is a key consideration throughout the lifecycle of a server, including when the server is repurposed or retired. Many servers are repurposed as they are transitioned from workload to workload, or as they change ownership from one organization to another. All servers are retired when they reach the end of their useful life.
20 LCD Panel

The three LCD panel buttons and the ID button have different functionality based on a security setting set in the BBB (BMC BIOS Binary) and other tools. There is no method to set these states through the LCD menu system.

Control Panel Access:
• View and Modify (Default) - The user has full access to the LCD menu and can modify values (e.g. the IPv4 address, or the selection of the System Descriptor).
21 Server Inventory, Lifecycle Log, Server Profiles, and Licenses Import and Export

iDRAC9 with Lifecycle Controller firmware enables multiple protocols to perform export of the server inventory, export of the Lifecycle Controller log, import and export of server profiles, and import of iDRAC with Lifecycle Controller licenses. These interfaces expand the options for network file share support with the Lifecycle Controller UI to include CIFS, NFS, HTTP, and HTTPS, simplifying Lifecycle Controller UI operations.
LifeCycleController.LCAttributes.UserProxyType
LifeCycleController.LCAttributes.UserProxyUserName

These attributes are used with both HTTP and HTTPS. The UserProxyServer is an important attribute: if it is not set, then the other attributes cannot be used, and the behavior is as if none of them are set. The LifeCycleController.LCAttributes.IgnoreCertWarning attribute is used only with HTTPS. If set to "On", then certificate warnings are ignored.
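The two rules just stated (nothing is used unless UserProxyServer is set; IgnoreCertWarning matters only for HTTPS) are easy to get wrong when an operator sets attributes one at a time. The following example was added for this edit and is not Dell's code; it resolves which settings the Lifecycle Controller would actually honour for a given share URL and flags the two mistakes: dependent proxy attributes that silently have no effect, and an HTTPS share whose certificate is not being validated. Attribute names are the LifeCycleController.LCAttributes.* names without the prefix; the default proxy port of 80 is the UserProxyPort default from Table 15; the hostnames are constructed.

```python
from urllib.parse import urlsplit

# Added example, not from Dell or the guide. It models the rules stated above:
# the proxy attributes only matter for HTTP/HTTPS shares, none of them is used
# unless UserProxyServer is set, and IgnoreCertWarning applies to HTTPS only.
# Keys are the LifeCycleController.LCAttributes.* names without the prefix.

PROXY_DEPENDENTS = ("UserProxyPort", "UserProxyType", "UserProxyUserName")


def effective_proxy(attrs, share_url):
    """Resolve what the Lifecycle Controller would actually use for share_url.

    Returns a dict with the effective proxy (or None), whether certificate
    warnings are being ignored, and a list of warnings for the operator.
    """
    scheme = urlsplit(share_url).scheme.lower()
    result = {"proxy": None, "ignore_cert_warning": False, "warnings": []}

    if scheme not in ("http", "https"):
        result["warnings"].append(
            f"{scheme or 'no'} scheme: proxy attributes apply to HTTP/HTTPS only")
        return result

    server = (attrs.get("UserProxyServer") or "").strip()
    if not server:
        # Rule from the guide: without UserProxyServer the rest are ignored.
        set_but_ignored = [a for a in PROXY_DEPENDENTS if attrs.get(a)]
        if set_but_ignored:
            result["warnings"].append(
                "UserProxyServer is empty, so these attributes have no effect: "
                + ", ".join(set_but_ignored))
    else:
        result["proxy"] = {
            "server": server,
            "port": int(attrs.get("UserProxyPort") or 80),   # Table 15 default
            "type": attrs.get("UserProxyType") or "",
            "user": attrs.get("UserProxyUserName") or "",
        }

    # Rule from the guide: IgnoreCertWarning is only used with HTTPS.
    if scheme == "https" and str(attrs.get("IgnoreCertWarning", "Off")).lower() == "on":
        result["ignore_cert_warning"] = True
        result["warnings"].append(
            "IgnoreCertWarning=On: the HTTPS share's certificate is not validated; "
            "install a trusted CA certificate instead")
    return result


if __name__ == "__main__":
    # Constructed attribute values as an operator might have set them.
    attrs = {"UserProxyServer": "", "UserProxyUserName": "svc-lc", "IgnoreCertWarning": "On"}
    print(effective_proxy(attrs, "https://files.example.net/inventory/"))
    attrs["UserProxyServer"] = "proxy.example.net"
    print(effective_proxy(attrs, "https://files.example.net/inventory/"))
    print(effective_proxy(attrs, "nfs://filer.example.net/export"))
```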
22 Security Events Lifecycle Log

Security events are logged in the Lifecycle Log for access-related events such as new user creation, user password/privilege modification, successful or failed login attempts, etc. Security events are also logged for encryption-related events on storage, such as cryptographic erase, secure key encryption/decryption, etc.

Table 14.
passphrase is passed for the controller identified in the message. No response action is required.
CTL133  The security key for the controller identified in the message is successfully changed.
CTL134  The controller identified in the message is in the Secure Enterprise Key Manager mode. No response action is required.
CTL135  The Key exchange process for the controller identified in the message failed.
USR0030  Successfully logged in using , from and . No response action is required.
USR0031  Unable to log in for from using . Ensure the login credentials are valid and retry the operation.
USR0032  The session for from using is logged off. No response action is required.
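The USR0030/USR0031 pairs in Table 14 are the raw material for login-abuse detection once the Lifecycle Log is exported to a SIEM. The following example was added for this edit and is not Dell's code: it parses a constructed, simplified export (the "timestamp MSGID text" line layout and the order of the user/address/interface fields are assumptions, not the exact iDRAC format) and raises an alert when one user/address pair fails three times within 60 seconds, mirroring the iDRAC.IPBlocking.FailCount and FailWindow defaults from Table 15, and a second alert when a USR0030 success follows those failures within the same window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example, not from Dell or the guide. Message IDs and texts follow
# Table 14; the line layout ("<UTC timestamp> <MSGID> <text>") and the order
# of the user/address/interface fields are assumptions for a simplified
# export, not the exact iDRAC Lifecycle Log format. The 3-failures-in-60-
# seconds threshold mirrors the iDRAC.IPBlocking.FailCount / FailWindow
# defaults listed in Table 15.

# Constructed sample log lines.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z USR0031 Unable to log in for admin from 192.0.2.10 using GUI.
2024-05-01T10:00:12Z USR0031 Unable to log in for admin from 192.0.2.10 using GUI.
2024-05-01T10:00:25Z USR0031 Unable to log in for admin from 192.0.2.10 using GUI.
2024-05-01T10:00:40Z USR0030 Successfully logged in using GUI, from 192.0.2.10 and admin.
2024-05-01T10:05:00Z USR0031 Unable to log in for svc_backup from 198.51.100.7 using SSH.
2024-05-01T10:20:00Z USR0031 Unable to log in for svc_backup from 198.51.100.7 using SSH.
2024-05-01T10:30:00Z CTL133 The security key for the controller identified in the message is successfully changed.
"""

LINE_RE = re.compile(r"^(\S+) ([A-Z]{3}\d{3,4}) (.*)$")
FAIL_RE = re.compile(r"Unable to log in for (\S+) from (\S+) using (\S+)\.")
OK_RE = re.compile(r"Successfully logged in using (\S+), from (\S+) and (\S+)\.")


def parse_log(text):
    """Yield (timestamp, message_id, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)


def detect_login_abuse(text, fail_count=3, fail_window=60):
    """Return alert strings for failed-login bursts and for a success right after them."""
    alerts = []
    failures = defaultdict(deque)  # (user, address) -> recent USR0031 timestamps
    for ts, msgid, msg in parse_log(text):
        if msgid == "USR0031":
            m = FAIL_RE.search(msg)
            if not m:
                continue
            user, addr, _iface = m.groups()
            window = failures[(user, addr)]
            window.append(ts)
            # Drop failures older than the window (sliding window per user/address).
            while (ts - window[0]).total_seconds() > fail_window:
                window.popleft()
            if len(window) >= fail_count:
                alerts.append(f"{ts:%H:%M:%S} {len(window)} failed logins for {user} "
                              f"from {addr} within {fail_window}s")
        elif msgid == "USR0030":
            m = OK_RE.search(msg)
            if not m:
                continue
            _iface, addr, user = m.groups()
            window = failures.get((user, addr))
            if window and (ts - window[-1]).total_seconds() <= fail_window:
                gap = int((ts - window[-1]).total_seconds())
                alerts.append(f"{ts:%H:%M:%S} login for {user} from {addr} "
                              f"succeeded {gap}s after failures")
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOG):
        print(alert)
```

On the sample the two svc_backup failures are 15 minutes apart and never trip the window, while the admin sequence produces both alerts; the CTL133 line is parsed but ignored by this detector, which is where a second rule for the storage-encryption events of Table 14 would hook in.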
23 Default Configuration Values

The table below includes the security configurations described in this document and their default values.

Table 15. Default Configuration Values

Configuration                                   Default Values
iDRAC.Webserver.HttpsRedirection                1 - Enabled
iDRAC.Webserver.TLSProtocol                     1 - TLS 1.1 and Higher
iDRAC.Webserver.SSLEncryptionBitLength          1 - 128-Bit or Higher
iDRAC.Webserver.CustomCipherString              None
TLS/SSL Certificates                            Self-signed certificate
iDRAC.SCEP.Enable                               0 - Disabled
iDRAC.Security.
iDRAC.OS-BMC.PTMode                             1 - usb-p2p
iDRAC.IPBlocking.BlockEnable                    1 - Enabled
iDRAC.IPBlocking.FailCount                      3
iDRAC.IPBlocking.FailWindow                     60
iDRAC.IPBlocking.PenaltyTime                    60
iDRAC.IPBlocking.RangeEnable                    0 - Disabled
iDRAC.autodiscovery.EnableIPChangeAnnounce      1 - Enabled
iDRAC.IPMILan.Enable                            0 - Disabled
iDRAC.IPMISOL                                   1 - Enabled
iDRAC.Telnet.Enable                             0 - Disabled
iDRAC.SNMP.AgentEnable                          1 - Enabled
iDRAC.NTPConfigGroup.NTPEnable                  0 - Disabled
iDRAC.GroupManager.Status                       0 - Disabled
iDRAC.GUI.
iDRAC.VNCServer.SSLEncryptionBitLength          1 - Auto Negotiate
iDRAC.VNCServer.Enable                          0 - Disabled
iDRAC.VNCServer.Timeout                         300
iDRAC.Users.2.IpmiLanPrivilege                  15 - No Access
iDRAC.Users.2.ProtocolEnable                    0 - Disabled (if SNMPv3 is needed, set Authentication Type to SHA and Privacy Type to AES)
iDRAC.Users.2.AuthenticationProtocol            2 - SHA
iDRAC.Users.2.PrivacyProtocol                   2 - AES
iDRAC.Users.2.Simple2FA                         0 - Disabled
iDRAC.Security.MinimumPasswordScore             1 - Weak Protection
iDRAC.Security.
BIOS.Syssecurity.PwrButton                      Enabled
BIOS.Syssecurity.UefiVariableAccess             Standard
BIOS In-Band Manageability Interface            Enabled
BIOS.Syssecurity.SecureBoot                     Disabled
BIOS.Syssecurity.SecureBootPolicy               Standard
BIOS.Syssecurity.SecureBootMode                 DeployedMode
LifeCycleController.LCAttributes.UserProxyPort  80
LifeCycleController.LCAttributes.
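Table 15 lists defaults, and several of them differ from what this guide recommends in section 3 (TLS 1.2, 256-bit or higher) and elsewhere (IPMI over LAN and Telnet disabled, SHA/AES for SNMPv3). The following example was added for this edit and is not Dell's code; it compares a dump of current attribute values, keyed by the names Table 15 uses, against those recommendations and lists each deviation, and it also normalises a cipher block list written with the colon, space or comma separators section 3 accepts into one value for iDRAC.Webserver.CustomCipherString. The sample dump is constructed from the Table 15 defaults; the assumption that values are compared on the text after the numeric index (as in "1 - Enabled") is labelled in the code.

```python
import re

# Added example, not from Dell or the guide. RECOMMENDED holds the settings
# this guide recommends (TLS 1.2, 256-bit or higher, HTTPS redirection, IPMI
# over LAN and Telnet disabled, IP blocking on, SHA/AES for SNMPv3), keyed by
# the attribute names Table 15 uses. Assumption: values are compared on the
# text that follows the numeric index in strings such as "1 - Enabled".
RECOMMENDED = {
    "iDRAC.Webserver.HttpsRedirection": "Enabled",
    "iDRAC.Webserver.TLSProtocol": "TLS 1.2",
    "iDRAC.Webserver.SSLEncryptionBitLength": "256-Bit or Higher",
    "iDRAC.IPMILan.Enable": "Disabled",
    "iDRAC.Telnet.Enable": "Disabled",
    "iDRAC.IPBlocking.BlockEnable": "Enabled",
    "iDRAC.Users.2.AuthenticationProtocol": "SHA",
    "iDRAC.Users.2.PrivacyProtocol": "AES",
}

# Constructed sample: the Table 15 defaults as a "racadm get" style dump.
DEFAULTS = {
    "iDRAC.Webserver.HttpsRedirection": "1 - Enabled",
    "iDRAC.Webserver.TLSProtocol": "1 - TLS 1.1 and Higher",
    "iDRAC.Webserver.SSLEncryptionBitLength": "1 - 128-Bit or Higher",
    "iDRAC.Webserver.CustomCipherString": "",
    "iDRAC.IPMILan.Enable": "0 - Disabled",
    "iDRAC.Telnet.Enable": "0 - Disabled",
    "iDRAC.IPBlocking.BlockEnable": "1 - Enabled",
    "iDRAC.Users.2.AuthenticationProtocol": "2 - SHA",
    "iDRAC.Users.2.PrivacyProtocol": "2 - AES",
}

# Accepts "1 - Enabled" as well as the en-dash form "0 \u2013 Disabled".
INDEX_RE = re.compile(r"^\s*\d+\s*[-\u2013]\s*(.*)$")


def display_value(raw):
    """Strip the leading numeric index, returning the human-readable setting."""
    m = INDEX_RE.match(raw)
    return (m.group(1) if m else raw).strip()


def audit(current):
    """Return (attribute, current_display, recommended) for each deviation."""
    findings = []
    for attr, want in RECOMMENDED.items():
        have = display_value(current.get(attr, "<not reported>"))
        if want.lower() not in have.lower():
            findings.append((attr, have, want))
    return findings


def custom_cipher_string(block_list):
    """Normalise a block list that may use colon, space or comma separators
    (as the GUI accepts) into one colon-separated value without blanks or
    duplicates."""
    seen, names = set(), []
    for name in re.split(r"[:,\s]+", block_list.strip()):
        if name and name not in seen:
            seen.add(name)
            names.append(name)
    return ":".join(names)


def racadm_set_cipher_string(block_list):
    """racadm command applying the normalised list to iDRAC.Webserver.CustomCipherString."""
    return f'racadm set iDRAC.Webserver.CustomCipherString "{custom_cipher_string(block_list)}"'


if __name__ == "__main__":
    for attr, have, want in audit(DEFAULTS):
        print(f"{attr}: is '{have}', guide recommends '{want}'")
    print(racadm_set_cipher_string("RC4-SHA, DES-CBC3-SHA:RC4-SHA NULL-MD5"))
```

Run against the defaults the audit reports exactly the two web server settings section 3 tells you to change; feeding it the output of a real `racadm get` for the same attributes turns the table into a repeatable compliance check.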
25 Network Vulnerability Scanning

Network vulnerability scanning is one of the many controls included as part of iDRAC's Security Design Lifecycle (SDL). Multiple industry-leading tools are used to verify that iDRAC maintains secure protocols and is not exposed to newly published CVEs and vulnerabilities. The table below outlines the known findings that may be highlighted when using these scanning tools, and the Dell EMC response.
12  SNMP GETBULK reflected distributed DoS                           9, 8, 7  161
13  IPMIv2 password hash exposure (CVE-2013-4786, CVE-2013-4037)    9, 8, 7  623
14  IPMIv1.5 GetChannelAuth response information disclosure         9, 8, 7  623
15  IPMIv2 authentication username disclosure                       9, 8, 7  623
16  Telnet server not encrypted                                     9, 8, 7  23
17  Remote management service accepting unencrypted credentials     9        Dell EMC Response: This is a result of Telnet being enabled. To remove this finding, disable Telnet and use SSH instead.
25  Non-absolute directory entries found in the PATH variable      9, 8, 7
26  TCP timestamp response                                         9, 8, 7  Dell EMC Response: Dell EMC does not consider the TCP timestamp response to be a security vulnerability given iDRAC's design and use. Knowledge of iDRAC's uptime is not considered a risk, and its operating system is well-known and documented.
                                                                   9        Dell EMC Response: Dell EMC considers CVE-2004-0230 to be a vulnerability with minimal security risk, as it mainly affects long-lived connections, such as BGP routers.
26 Security Licensing

iDRAC offers various security features that require different licenses.

Table 17.
27 Best Practices

Dell EMC iDRAC Security Best Practices

Dell EMC best practices regarding iDRAC:
• The iDRAC is intended to be on a separate management network. The iDRAC is not designed nor intended to be placed on, nor connected directly to, the Internet. Doing so could expose the connected system to security and other risks for which Dell EMC is not responsible.
28 Appendix - Whitepapers

• iDRAC9 Documentation - https://www.dell.com/support/home/en-in/product-support/product/idrac9-lifecycle-controller-v4.x-series/docs
• iDRAC9 Redfish API Documentation - https://api-marketplace.dell.com/#/overview-doc/2978/6818
• iDRAC9 RACADM CLI Guide - https://www.dell.com/support/home/en-in/product-support/product/idrac9-lifecycle-controller-v4.x-series/docs
• iDRAC Redfish Scripts on GitHub - https://github.