MBSS - HP Chassis - v1


Minimum Baseline Security Standard – HP Chassis

Note: Fill in control reference from CIS/other standards in 'Control number' column.

Sr. No. | Control number | Control Objective
1 | | Install intrusion detection switch
2 | | Enable Authentication Failures Before Delay
3 | | Set Idle Connection Timeout
4 | | Require Host Authentication
5 | | Configure SSL
6 | | Configuring Kerberos authentication settings in iLO
7 | | Configuring schema-free directory settings in iLO
8 | | Configuring HPE Extended Schema directory settings in iLO
10 | | Enabling the Production or High Security security state
11 | | Enabling the FIPS and CNSA security states

Description

General Settings

Control 1 (Install intrusion detection switch)
Prerequisites. Before installing this option, be sure that you have the following:
• The components included with the hardware option kit

Control 2 (Enable Authentication Failures Before Delay)
Enables you to configure the number of failed login attempts that are allowed before iLO imposes a login delay. Set it to "3 failures cause no delay", so that iLO starts delaying login attempts once more than three consecutive attempts have failed.

Control 3 (Set Idle Connection Timeout)
Specifies how long iLO sessions can be inactive before they end automatically. The iLO web interface and the .NET IRC and Java IRC track idle time separately because each connection is a separate session; when the Idle Connection Timeout is reached, only the idle session ends. The iLO web interface and the HTML5 remote console share one iLO session; when the Idle Connection Timeout is reached, the shared session ends.

Control 4 (Require Host Authentication)
Determines whether iLO user credentials are required to use host-based configuration utilities that access the management processor. These utilities run from the host operating system command line in the context of Administrator or root. When this setting is enabled, valid iLO credentials are required for all commands; when it is disabled, anyone holding Administrator or root on the host can reconfigure iLO without knowing any iLO credential.

Control 5 (Configure SSL)
The Secure Sockets Layer (SSL) protocol is a standard for encrypting data so that it cannot be viewed or modified while in transit on the network (the iLO interface keeps the SSL label, although current firmware negotiates TLS). An SSL certificate is a small computer file that digitally combines a cryptographic key (the server public key) with the server name. Only the server itself has the corresponding private key, allowing for authenticated two-way communication between a user and the server.
A certificate must be signed to be valid. If it is signed by a Certificate Authority (CA), and that CA is trusted, all certificates signed by the CA are also trusted. A self-signed certificate is one in which the owner of the certificate acts as its own CA, so a client has no independent way to tell it apart from an attacker's certificate for the same name.

Control 6 (Configuring Kerberos authentication settings in iLO)
Prerequisites:
• Your environment meets the prerequisites for using this feature.
• The Kerberos keytab file you created during the environment setup tasks is available.

Control 7 (Configuring schema-free directory settings in iLO)
Prerequisite: your environment meets the prerequisites for using this feature.

Control 8 (Configuring HPE Extended Schema directory settings in iLO)
Prerequisite: your environment meets the prerequisites for using this feature.

Control 10 (Enabling the Production or High Security security state)
Use this procedure to configure iLO to use one of the following security states: Production or High Security.

Control 11 (Enabling the FIPS and CNSA security states)
Use this procedure to configure iLO to use the FIPS and CNSA security states. To configure iLO to use the Production or High Security security states, see Enabling the Production or High Security security state. To configure iLO in a FIPS-validated environment, see Configuring a FIPS-validated environment with iLO.
The FIPS security state might be required for Common Criteria compliance, Payment Card Industry compliance, or other standards.
If your license expires or is downgraded after you enable the FIPS or CNSA security states, iLO will continue to operate with the configured security state, but all other features activated by the expired or downgraded license will be unavailable.
Remediation

General Settings

Control 1 (Install intrusion detection switch)
Procedure
1. Power down the server.
2. Remove all power:
   a. Disconnect each power cord from the power source.
   b. Disconnect each power cord from the server.
3. Do one of the following:
   • Extend the server from the rack.
   • Remove the server from the rack.
4. Remove the access panel.
5. Install the intrusion detection switch.
6. Install the access panel.
7. Install the server into the rack.
8. Connect each power cord to the server.
9. Connect each power cord to the power source.
10. Power up the server.

Control 2 (Enable Authentication Failures Before Delay)
1. Click Security in the navigation tree. The Access Settings page is displayed.
2. Click the edit icon next to the Account Service category. The Edit Setting Type page opens.
3. Set Authentication Failures Before Delay to 3 failures cause no delay, and then click OK.
4. For some settings, you might observe an immediate impact when the setting is changed, before a reset is complete. Other settings that require a reset allow you to manually revert the configuration back to its original state without a reset taking place.
5. If a reset is required and you are done updating access settings, click Reset iLO. iLO prompts you to confirm the request.
6. Click Yes, reset iLO.

Control 3 (Set Idle Connection Timeout)
1. Click Security in the navigation tree. The Access Settings page is displayed.
2. Click the edit icon next to the iLO category. The Edit Setting Type page opens.
3. Set Idle Connection Timeout to 15 minutes, and then click OK.
4. For some settings, you might observe an immediate impact when the setting is changed, before a reset is complete. Other settings that require a reset allow you to manually revert the configuration back to its original state without a reset taking place.
5. If a reset is required and you are done updating access settings, click Reset iLO. iLO prompts you to confirm the request.
6. Click Yes, reset iLO.

Control 4 (Require Host Authentication)
1. Click Security in the navigation tree. The Access Settings page is displayed.
2. Click the edit icon next to the iLO category. The Edit Setting Type page opens.
3. Enable the Require Host Authentication setting, and then click OK.
4. For some settings, you might observe an immediate impact when the setting is changed, before a reset is complete. Other settings that require a reset allow you to manually revert the configuration back to its original state without a reset taking place.
5. If a reset is required and you are done updating access settings, click Reset iLO. iLO prompts you to confirm the request.
6. Click Yes, reset iLO.
Control 5 (Configure SSL)
Generating a certificate signing request
The private key never leaves iLO: the CSR is generated on the management processor, and only the signed certificate is pasted back in.
1. Click Security in the navigation tree, and then click the SSL Certificate tab.
2. Click Customize Certificate.
3. Enter values for the following:
   • Country (C)
   • State (ST)
   • City or Locality (L)
   • Organization Name (O)
   • Organizational Unit (OU)
   • Common Name (CN)
4. (Optional) To include the iLO IP addresses in the CSR, select the Include iLO IP Address(es) check box. When this option is enabled, the iLO IP addresses are included in the CSR Subject Alternative Name (SAN) extension.
5. Click Generate CSR. A message notifies you that a CSR is being generated and that the process might take up to 10 minutes.
6. After a few minutes (up to 10), click Generate CSR again. The CSR is displayed.
7. Select and copy the CSR text.
8. Open a browser window and navigate to a third-party CA.
9. Follow the onscreen instructions and submit the CSR to the CA.
   • When prompted to select a certificate purpose, make sure that you select the option for a server certificate.
   • When you submit the CSR to the CA, your environment might require the specification of Subject Alternative Names. If necessary, enter the iLO DNS name.
10. After you obtain the certificate, make sure that:
   • The CN matches the iLO FQDN. This value is listed as the iLO Hostname on the Overview page.
   • The certificate is a Base64-encoded X.509 certificate.
   • The first and last lines (the BEGIN CERTIFICATE and END CERTIFICATE markers) are included in the certificate.

Importing a trusted certificate
Procedure
1. Click Security in the navigation tree, and then click the SSL Certificate tab.
2. Click Customize Certificate.
3. Click Import Certificate.
4. In the Import Certificate window, paste the certificate into the text box, and then click Import. iLO prompts you to confirm the request and reset iLO.
5. Click Yes, apply and reset.
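The step 10 checklist above (BEGIN/END lines present, Base64 X.509, CN equal to the iLO FQDN) can be run on the file the CA returns before it is pasted into iLO. The script below is an added example, not HPE code and not part of the baseline; it uses only the Python standard library, since ssl.PEM_cert_to_DER_cert already enforces the PEM framing and a short DER walker is enough to read issuer, subject and validity. The sample certificate is constructed in code with an empty key and a zero signature (the FQDN, CA name and dates are assumptions), so this check says nothing about the signature; the CA chain is verified by iLO and your CA tooling, not here.

```python
"""Check a CA-issued iLO certificate the way step 10 of control 5 asks (added example).

Not HPE code and not part of the baseline. Standard library only: ssl.PEM_cert_to_DER_cert
enforces the BEGIN/END framing and the Base64 decoding; a minimal DER walker pulls issuer,
subject and validity out of the X.509 structure. The sample certificate is CONSTRUCTED in
code with a zero signature, so the signature is NOT verified here.
"""
import base64
import datetime as dt
import ssl

OID_CN = b"\x55\x04\x03"  # id-at-commonName, 2.5.4.3


def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low seven bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _common_name(name):
    """CN of an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if oid == OID_CN:
                return val.decode()
    return None


def _time(tag, value):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) as an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode(), fmt).replace(tzinfo=dt.timezone.utc)


def check_ilo_cert(pem, expected_fqdn, now):
    """Named boolean checks for a PEM certificate that is about to be imported into iLO."""
    try:
        der = ssl.PEM_cert_to_DER_cert(pem)
    except ValueError:  # BEGIN/END line missing or not Base64: fails the step 10 checklist
        return {"pem_framing": False}
    _, cert, _ = _tlv(der)
    fields = _children(_children(cert)[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:  # drop the EXPLICIT [0] version wrapper present in v2/v3 certs
        fields = fields[1:]
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    (t1, not_before), (t2, not_after) = _children(validity)
    return {
        "pem_framing": True,
        "cn_matches_fqdn": _common_name(subject) == expected_fqdn,
        "not_self_signed": issuer != subject,  # self-signed: issuer Name equals subject Name
        "in_validity_window": _time(t1, not_before) <= now <= _time(t2, not_after),
    }


# --- constructed sample input (structure only; never trust such a certificate) ---------

def _der(tag, payload):
    """Encode one DER TLV with a short or long-form length."""
    n = len(payload)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + payload


def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))


def _utc(t):
    return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())


def build_sample_cert(subject_cn, issuer_cn, not_before, not_after):
    """X.509 v3 shell: sha256WithRSAEncryption OID, empty SubjectPublicKeyInfo, zero signature."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + _name(issuer_cn) + _der(0x30, _utc(not_before) + _utc(not_after))
               + _name(subject_cn) + _der(0x30, b""))
    der = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 33))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


ILO_FQDN = "ilo-host01.example.internal"  # assumed: the iLO Hostname shown on the Overview page
NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)
GOOD_PEM = build_sample_cert(ILO_FQDN, "Example Corp Issuing CA", dt.datetime(2024, 1, 1), dt.datetime(2025, 1, 1))
SELF_SIGNED_PEM = build_sample_cert(ILO_FQDN, ILO_FQDN, dt.datetime(2024, 1, 1), dt.datetime(2025, 1, 1))
```

Run check_ilo_cert on the PEM text returned by your CA with the FQDN from the Overview page and the current UTC time; a False in not_self_signed means the file is still the kind of certificate the FIPS state rejects (see Control 11, step 7), and a CN mismatch means the browser warning will persist after import.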
Control 6 (Configuring Kerberos authentication settings in iLO)
1. Click Security in the navigation tree, and then click the Directory tab.
2. Enable Kerberos Authentication.
3. Set Local User Accounts to enabled if you want to use local user accounts at the same time as Kerberos authentication.
4. Enter the Kerberos Realm name.
5. Enter the Kerberos KDC Server Address.
6. Enter the Kerberos KDC Server Port.
7. To add the Kerberos Keytab file, click Browse (Internet Explorer, Edge, or Firefox) or Choose File (Chrome), and then follow the onscreen instructions.
8. Click Apply Settings.
9. To configure directory groups, click the Directory Groups link.

Control 7 (Configuring schema-free directory settings in iLO)
Procedure
1. Click Security in the navigation tree, and then click the Directory tab.
2. Select Use Directory Default Schema from the LDAP Directory Authentication menu.
3. Set Local User Accounts to enabled if you want to use local user accounts at the same time as directory integration.
4. OpenLDAP users only: Enable Generic LDAP. This setting is available only if Use Directory Default Schema is selected.
5. For configurations with CAC/Smartcard authentication enabled, enter the CAC LDAP service account and password in the iLO Object Distinguished Name CAC LDAP Service Account and iLO Object Password boxes.
6. Enter the FQDN or IP address of a directory server in the Directory Server Address box.
7. Enter the directory server port number in the Directory Server LDAP Port box.
8. (Optional) Import a new CA certificate.
   a. Click Import in the Certificate Status box.
   b. Paste the Base64-encoded X.509 certificate data into the Import Certificate window, and then click Import.
9. (Optional) Replace an existing CA certificate.
   a. Click View in the Certificate Status box.
   b. Click New in the Certificate Details window.
   c. Paste the Base64-encoded X.509 certificate data into the Import Certificate window, and then click Import.
10. Enter valid search contexts in one or more of the Directory User Context boxes.
11. Click Apply Settings.
12. To test the communication between the directory server and iLO, click Test Settings.
13. To configure directory groups, click the Directory Groups link.

Control 8 (Configuring HPE Extended Schema directory settings in iLO)
Procedure
1. Click Security in the navigation tree, and then click the Directory tab.
2. Select Use HPE Extended Schema from the LDAP Directory Authentication menu.
3. Set Local User Accounts to enabled if you want to use local user accounts at the same time as directory integration.
4. Enter the location of this iLO instance in the directory tree in the iLO Object Distinguished Name/CAC LDAP Service Account box.
5. Enter the FQDN or IP address of a directory server in the Directory Server Address box.
6. Enter the directory server port number in the Directory Server LDAP Port box.
7. (Optional) Import a new CA certificate.
   a. Click Import in the Certificate Status text box.
   b. Paste the Base64-encoded X.509 certificate data into the Import Certificate window, and then click Import.
8. (Optional) Replace an existing CA certificate.
   a. Click View in the Certificate Status text box.
   b. Click New in the Certificate Details window.
   c. Paste the Base64-encoded X.509 certificate data into the Import Certificate window, and then click Import.
9. Enter valid search contexts in one or more of the Directory User Context boxes.
10. Click Apply Settings.
11. To test the communication between the directory server and iLO, click Test Settings.
Control 10 (Enabling the Production or High Security security state)
Procedure
1. (Optional) Install any needed firmware and software updates.
2. Click Security in the navigation tree, and then click the Encryption tab.
3. Select Production or High Security in the Security State menu.
4. Click Apply. iLO prompts you to confirm that you want to restart iLO to apply the new settings.
5. To end your browser connection and restart iLO, click Yes, apply and reset. It might take several minutes before you can re-establish a connection.
6. Close all open browser windows. Any browser sessions that remain open might use the wrong cipher for the configured security state.
7. (Optional) If you enabled the High Security security state, confirm that Anonymous Data is disabled on the Access Settings page.

Control 11 (Enabling the FIPS and CNSA security states)
Procedure
1. (Optional) Capture the current iLO configuration by using the iLO backup feature or HPONCFG. For more information, see iLO backup and restore or the iLO scripting and CLI guide.
2. (Optional) Install any needed firmware and software updates.
3. Click Security in the navigation tree, and then click the Encryption tab.
4. Select FIPS in the Security State menu, and then click Apply. iLO prompts you to confirm the request.
5. To confirm the request to enable the FIPS security state, click Yes, apply and reset. iLO reboots with the FIPS security state enabled. Wait at least 90 seconds before attempting to re-establish a connection.
6. (Optional) Enable the CNSA security state.
   a. Log in to iLO by using the default user credentials.
   b. Click Security in the navigation tree, and then click the Encryption tab.
   c. Select CNSA in the Security State menu, and then click Apply. iLO prompts you to confirm the request.
   d. To confirm the request to enable the CNSA security state, click Yes, apply and reset. iLO reboots with the CNSA security state enabled. Wait at least 90 seconds before attempting to re-establish a connection.
   e. Log in to iLO again by using the default iLO credentials.
7. Install a trusted certificate. The default self-signed SSL certificate is not allowed when the FIPS security state is enabled, and previously installed trusted certificates are deleted when you set iLO to use the FIPS security state, so have the CA-issued certificate from Control 5 ready to import before making this change.
8. Disable the IPMI/DCMI over LAN Access, Anonymous Data, and SNMP Access options on the Access Settings page.
Verification and Severity

Control 1 (Severity: High)
Verification: --

Control 2 (Severity: High)
1. Click Security in the navigation tree. The Access Settings page is displayed.
2. Click the edit icon next to the Account Service category.
3. Confirm that Authentication Failures Before Delay is set to 3 failures cause no delay.

Control 3 (Severity: High)
1. Click Security in the navigation tree. The Access Settings page is displayed.
2. Click the edit icon next to the iLO category.
3. Confirm that Idle Connection Timeout is set to 15 minutes.

Control 4 (Severity: High)
1. Click Security in the navigation tree. The Access Settings page is displayed.
2. Click the edit icon next to the iLO category.
3. Confirm that Require Host Authentication is enabled.

Control 5 (Severity: High)
Click Security in the navigation tree, and then click the SSL Certificate tab, and review the certificate details:
• Issued To: the entity to which the certificate was issued. When you view the iLO self-signed certificate, this value displays information related to the Hewlett Packard Enterprise Houston office.
• Issued By: the CA that issued the certificate. When you view the iLO self-signed certificate, this value displays information related to the Hewlett Packard Enterprise Houston office.
• Valid From: the first date that the certificate is valid.
• Valid Until: the date that the certificate expires.
• Serial Number: the serial number assigned to the certificate. This value is generated by iLO for the self-signed certificate, and by the CA for a trusted certificate.
The control is met only when Issued By names your CA and Issued To matches the iLO FQDN; if both still show the Hewlett Packard Enterprise Houston information, the factory self-signed certificate is still in use.

Control 6 (Severity: High)
Verification: --

Control 7 (Severity: Optional)
Procedure
1. Click Security in the navigation tree, and then click the Directory tab.
2. At the bottom of the Directory page, click Test Settings. iLO displays the results of a series of simple tests designed to validate the directory settings. After your directory settings are configured correctly, you do not need to rerun these tests. The Directory Tests page does not require you to log in as a directory user.
3. In the Directory Test Controls section, enter the DN and password of a directory administrator in the Directory Administrator Distinguished Name and Directory Administrator Password boxes. Hewlett Packard Enterprise recommends that you use the same credentials that you used when creating the iLO objects in the directory. iLO does not store these credentials; they are used to verify the iLO object and user search contexts.
4. In the Directory Test Controls section, enter a test user name and password in the Test User Name and Test User Password boxes.
5. Click Start Test. Several tests begin in the background, starting with a network ping of the directory server, followed by establishing an SSL connection to the server and evaluating user privileges.

Control 8 (Severity: Optional)
Same procedure as Control 7: open the Directory tab, click Test Settings, supply the directory administrator DN and password and a test user, and click Start Test.

Control 10 (Severity: Optional)
Click Security in the navigation tree, and then click the Encryption tab. Check that Production or High Security is selected in the Security State menu.

Control 11 (Severity: Optional)
Click Security in the navigation tree, and then click the Encryption tab. Check that FIPS (or CNSA) is selected in the Security State menu.
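The verification column above is a manual walk through the web interface. For a fleet, the same controls (2, 3, 4, 10 and 11, including the step 8 follow-ups of control 11) are better read from the iLO Redfish API and compared against the baseline by script. The following is an added example, not part of the baseline and not HPE code: the four Redfish resources are constructed inline as a captured snapshot so it runs offline, and the Oem.Hpe property names are assumed to follow the iLO 5 Redfish schema and must be confirmed against the Redfish API reference for the firmware in use before relying on the result.

```python
"""Offline audit of an iLO Redfish snapshot against MBSS controls 2, 3, 4, 10 and 11.

Added example, not part of the baseline and not HPE code. A collector would GET the
four resources below over HTTPS with an iLO account; here their JSON is CONSTRUCTED
inline so the check runs offline. The Oem.Hpe property names are ASSUMED to follow
the iLO 5 Redfish schema; confirm them against the API reference for your firmware.
"""

HARDENED = {  # constructed: what a compliant iLO is expected to return
    "/redfish/v1/AccountService": {
        "Oem": {"Hpe": {"AuthFailuresBeforeDelay": 3, "AuthFailureDelayTimeSeconds": 10}}},
    "/redfish/v1/Managers/1": {
        "Oem": {"Hpe": {"IdleConnectionTimeoutMinutes": 15, "RequireHostAuthentication": True}}},
    "/redfish/v1/Managers/1/SecurityService": {"SecurityState": "HighSecurity"},
    "/redfish/v1/Managers/1/NetworkProtocol": {
        "IPMI": {"ProtocolEnabled": False}, "SNMP": {"ProtocolEnabled": False}},
}

WEAK = {  # constructed: FIPS was enabled but the control 11 step 8 follow-ups were skipped
    "/redfish/v1/AccountService": {
        "Oem": {"Hpe": {"AuthFailuresBeforeDelay": 5, "AuthFailureDelayTimeSeconds": 10}}},
    "/redfish/v1/Managers/1": {
        "Oem": {"Hpe": {"IdleConnectionTimeoutMinutes": 120, "RequireHostAuthentication": False}}},
    "/redfish/v1/Managers/1/SecurityService": {"SecurityState": "FIPS"},
    "/redfish/v1/Managers/1/NetworkProtocol": {
        "IPMI": {"ProtocolEnabled": True}, "SNMP": {"ProtocolEnabled": False}},
}


def _get(snapshot, path, dotted):
    """Walk snapshot[path] along a dotted key; None when any level is absent."""
    node = snapshot.get(path)
    for key in dotted.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def audit(snapshot):
    """Return (control, status, detail) tuples; status is PASS, FAIL or WARN."""
    findings = []

    # Control 2: iLO must start delaying logins no later than after the third failure.
    failures = _get(snapshot, "/redfish/v1/AccountService", "Oem.Hpe.AuthFailuresBeforeDelay")
    findings.append(("2", "PASS" if isinstance(failures, int) and failures <= 3 else "FAIL",
                     f"AuthFailuresBeforeDelay={failures}"))

    # Control 3: sessions must expire, and within 15 minutes of inactivity.
    idle = _get(snapshot, "/redfish/v1/Managers/1", "Oem.Hpe.IdleConnectionTimeoutMinutes")
    findings.append(("3", "PASS" if isinstance(idle, int) and 0 < idle <= 15 else "FAIL",
                     f"IdleConnectionTimeoutMinutes={idle}"))

    # Control 4: host-side tools must present iLO credentials, not just host root.
    host_auth = _get(snapshot, "/redfish/v1/Managers/1", "Oem.Hpe.RequireHostAuthentication")
    findings.append(("4", "PASS" if host_auth is True else "FAIL",
                     f"RequireHostAuthentication={host_auth}"))

    # Controls 10 and 11: Production is accepted by the baseline but is the weakest
    # state, so it only WARNs; FIPS or CNSA satisfies both controls.
    state = _get(snapshot, "/redfish/v1/Managers/1/SecurityService", "SecurityState")
    if state in ("FIPS", "CNSA"):
        findings += [("10", "PASS", state), ("11", "PASS", state)]
    elif state == "HighSecurity":
        findings += [("10", "PASS", state), ("11", "WARN", f"{state}: FIPS/CNSA not enabled")]
    elif state == "Production":
        findings += [("10", "WARN", state), ("11", "WARN", f"{state}: FIPS/CNSA not enabled")]
    else:
        findings += [("10", "FAIL", f"SecurityState={state}"), ("11", "FAIL", f"SecurityState={state}")]

    # Control 11, step 8: in the FIPS/CNSA state IPMI over LAN and SNMP must be off.
    if state in ("FIPS", "CNSA"):
        for proto in ("IPMI", "SNMP"):
            enabled = _get(snapshot, "/redfish/v1/Managers/1/NetworkProtocol", f"{proto}.ProtocolEnabled")
            findings.append(("11", "FAIL" if enabled else "PASS", f"{proto}.ProtocolEnabled={enabled}"))
    return findings


def failed(snapshot):
    """Controls with at least one FAIL, in report order, duplicates collapsed."""
    seen = []
    for control, status, _ in audit(snapshot):
        if status == "FAIL" and control not in seen:
            seen.append(control)
    return seen


if __name__ == "__main__":
    for control, status, detail in audit(WEAK):
        print(f"control {control:>2}: {status:4} {detail}")
```

Anonymous Data (control 10, step 7) is left out because its Redfish property name is not something to guess at; add it once confirmed for your firmware. A missing or mistyped property deliberately yields FAIL rather than a silent PASS, so a schema mismatch shows up in the report instead of hiding a weak setting.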
Sr. No. | Control | Impact

2.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
Impact: Malicious software running under elevated credentials without the user or administrator being aware of its activity can occur if the User Account Control feature is not enabled. An attack vector for these programs was to discover the password of the account named "Administrator" because that user account was created for all installations of Windows.

2.2 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
Impact: UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. That bypass exists to support accessibility features such as screen readers that present the user interface in alternative forms; only applications installed in secure locations should be allowed to claim it.

2.3 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
Impact: Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick.

2.4 Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)
Impact: Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict this user right to legitimate users who need to log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.

2.5 Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)
Impact: Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict this user right to legitimate users who need to log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.

2.6 Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)
Impact: The default Guest account allows unauthenticated network users to log on as Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any network shares with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network, which could lead to the exposure or corruption of data.

2.7 Ensure 'Enforce password history' is set to '24 or more password(s)'
Impact: A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change a password to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. Enforcing password history requires the use of previously unused passwords, hence enforcing stringent password policy controls.

2.8 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'
Impact: The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.

2.9 Ensure 'Minimum password age' is set to '1 or more day(s)'
Impact: Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.

2.10 Ensure 'Minimum password length' is set to '14 or more character(s)'
Impact: Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network.

2.11 Ensure 'Password must meet complexity requirements' is set to 'Enabled'
Impact: Information systems not protected with complex password schemes provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network.

2.12 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
Impact: Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy must never be enabled.

2.13 Ensure 'Account lockout duration' is set to '15 or more minute(s)'
Impact: More than a few unsuccessful password submissions during an attempt to log on to a computer might represent an attacker's attempts to determine an account password by trial and error. A shorter account lockout duration may enable an attacker to continue the trial-and-error method of password guessing, while a very long account lockout duration may waste productive hours.

2.14 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'
Impact: The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts should be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user logon.

2.15 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'
Impact: The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the counter is reset to "0". The smaller this value is, the less effective the account lockout feature will be in protecting the local system.

2.16 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'
Impact: Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive.

2.17 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
Impact: If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours.

2.18 Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only)
Impact: In some organizations, it can be a daunting management challenge to maintain a regular schedule for periodic password changes for local accounts. Therefore, you may want to disable the built-in Administrator account instead of relying on regular password changes to protect it from attack. Another reason to disable this built-in account is that it cannot be locked out no matter how many failed logons it accrues, which makes it a prime target for brute force attacks that attempt to guess passwords. Also, this account has a well-known security identifier (SID) and there are third-party tools that allow authentication by using the SID rather than the account name. This capability means that even if you rename the Administrator account, an attacker could launch a brute force attack by using the SID to log on.

2.19 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
Impact: Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems.

2.20 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
Impact: Enabling this setting allows an organization to use their enterprise user accounts instead of their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk.

2.21 Configure 'Accounts: Rename administrator account'
Impact: The Administrator account exists on all computers that run the Windows 2000 or newer operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. The built-in Administrator account cannot be locked out, regardless of how many times an attacker might use a bad password. This capability makes the Administrator account a popular target for brute force attacks that attempt to guess passwords.

2.22 Configure 'Accounts: Rename guest account'
Impact: The Guest account exists on all computers that run the Windows 2000 or newer operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this user name and password combination.
Implementation Procedure

2.1 To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account

2.2 To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations

2.3 To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation

2.4 To establish the recommended configuration via GP, configure the following UI path:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services

2.5 To establish the recommended configuration via GP, configure the following UI path:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services

2.6 To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status

2.7 To establish the recommended configuration via GP, set the following UI path to 24 or more password(s):
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history

2.8 To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age

2.9 To establish the recommended configuration via GP, set the following UI path to 1 or more day(s):
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age

2.10 To establish the recommended configuration via GP, set the following UI path to 14 or more character(s):
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length

2.11 To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements

2.12 To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption

2.13 To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s):
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration

2.14 To establish the recommended configuration via GP, set the following UI path to 10 or fewer invalid logon attempt(s), but not 0:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold

2.15 To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s):
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after

2.16 To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s):
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session

2.17 To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Disconnect clients when logon hours expire

2.18 To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status

2.19 To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts

2.20 To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\App runtime\Allow Microsoft accounts to be optional

2.21 To establish the recommended configuration via GP, configure the following UI path:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account

2.22 To establish the recommended configuration via GP, configure the following UI path:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account
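The Windows rows above give the GP path to set but no verification step. The password, lockout and account-status controls (2.6 to 2.15, 2.18, 2.21, 2.22) all land in the [System Access] section of a secedit export, so they can be checked from the result of `secedit /export /cfg sec.inf` run as an administrator on the member server (read the file with encoding="utf-16"). The script below is an added example, not from the baseline or from Microsoft; both INF texts are constructed to stand in for a real export, and the key names are the ones secedit writes. The UAC, RDP and Microsoft-account controls live in [Registry Values] and [Privilege Rights] and are not covered by it.

```python
"""Audit a `secedit /export` INF against MBSS 2.6 to 2.15, 2.18, 2.21 and 2.22 (added example).

Not from the baseline or from Microsoft. Run `secedit /export /cfg sec.inf` as an
administrator, read the file with encoding="utf-16" and pass the text to audit().
The two INF texts here are CONSTRUCTED so the check runs offline.
"""

WEAK_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 5
LockoutBadCount = 0
ClearTextPassword = 0
EnableAdminAccount = 1
EnableGuestAccount = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
[Version]
signature="$CHICAGO$"
Revision=1
"""

HARDENED_INF = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
ClearTextPassword = 0
EnableAdminAccount = 0
EnableGuestAccount = 0
NewAdministratorName = "svc-localadm"
NewGuestName = "unused-guest"
"""

# (control, secedit key, predicate on the parsed value, expectation shown in the report).
# secedit writes LockoutDuration = -1 for the GUI value 0 ("until an administrator unlocks").
RULES = [
    ("2.6",  "EnableGuestAccount",    lambda v: v == 0,               "Disabled (MS only)"),
    ("2.7",  "PasswordHistorySize",   lambda v: v >= 24,              "24 or more passwords"),
    ("2.8",  "MaximumPasswordAge",    lambda v: 1 <= v <= 60,         "60 or fewer days, but not 0"),
    ("2.9",  "MinimumPasswordAge",    lambda v: v >= 1,               "1 or more days"),
    ("2.10", "MinimumPasswordLength", lambda v: v >= 14,              "14 or more characters"),
    ("2.11", "PasswordComplexity",    lambda v: v == 1,               "Enabled"),
    ("2.12", "ClearTextPassword",     lambda v: v == 0,               "Disabled"),
    ("2.13", "LockoutDuration",       lambda v: v >= 15 or v == -1,   "15 or more minutes"),
    ("2.14", "LockoutBadCount",       lambda v: 1 <= v <= 10,         "10 or fewer attempts, but not 0"),
    ("2.15", "ResetLockoutCount",     lambda v: v >= 15,              "15 or more minutes"),
    ("2.18", "EnableAdminAccount",    lambda v: v == 0,               "Disabled (MS only)"),
    ("2.21", "NewAdministratorName",  lambda v: v != "Administrator", "renamed"),
    ("2.22", "NewGuestName",          lambda v: v != "Guest",         "renamed"),
]


def parse_inf(text):
    """Minimal INI reader: {section: {key: value}} with quotes stripped from values."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections


def audit(inf_text):
    """Return (control, status, detail) tuples. A key that is not in the export is a FAIL,
    not a skip: a disabled lockout policy can leave LockoutDuration and ResetLockoutCount out."""
    access = parse_inf(inf_text).get("System Access", {})
    findings = []
    for control, key, ok, expected in RULES:
        raw = access.get(key)
        if raw is None:
            findings.append((control, "FAIL", f"{key} not exported; expected {expected}"))
            continue
        value = int(raw) if raw.lstrip("-").isdigit() else raw
        findings.append((control, "PASS" if ok(value) else "FAIL", f"{key}={raw}; expected {expected}"))
    return findings


def failed(inf_text):
    return [control for control, status, _ in audit(inf_text) if status == "FAIL"]


if __name__ == "__main__":
    for control, status, detail in audit(WEAK_INF):
        print(f"{control:<5}{status:5}{detail}")
```

Because the export reflects effective local policy after Group Policy has applied, a FAIL here means either the GPO above was not linked or something with higher precedence overrides it; compare against `gpresult /h` before editing the GPO again.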
