iDRAC9 Security Configuration Guide

Securely Configuring BIOS System Security

iDRAC allows the user to configure the options under System Security in BIOS such as power, system or setup passwords, and secure boot policies.

NOTE: This is a BIOS option, but iDRAC can also configure BIOS settings.

To update System Security Settings:

  1. Go to Configuration > BIOS Settings > System Security.
  2. Select necessary security configurations and set to required values.
  3. Click Apply.

The following System Security settings can be configured:

Table 1. BIOS Security Settings (each entry lists Menu Item, Option, and Description)

System Password

N/A

Enables you to set the system password, which is the password that you must enter to allow the system to boot to an OS. This option is read-only if the password jumper (PWRD_EN) is not installed in the system. A password can have a maximum of 32 characters. Enable a Setup Password using SHA256 hash and salt.

Setup Password

Enables you to set the Setup password. The Setup password is the one you must enter to change any BIOS settings, except for the System password, which can be changed without entering the correct Setup password. This option is read-only if the password jumper (PWRD_EN) is not installed in the server. A password can have a maximum of 32 characters. Enable a System Password using SHA256 hash and salt.

Password Status

Unlocked/Locked

Locks the system password. To prevent the system password from being modified, set this option to locked and enable Setup password. This field also prevents the system password from being disabled by the user while the system is booting. Set password status to “Locked”.

Power Button

Enabled/Disabled

When set to Disabled, the power button cannot be used to shut down the system; the system can still be powered on. This is a security setting because it protects against accidental or malicious powering off of the system.

UEFI Variable Access

Standard/Controlled

This field provides varying degrees of securing UEFI variables. When set to Standard, UEFI variables are accessible in the OS based on the UEFI specification. When set to Controlled, selected UEFI variables are protected in the environment and new UEFI boot option entries are forced to be appended to the end of the current boot order.

In-Band Manageability Interface

Enabled/Disabled

When set to Disabled, this setting hides the Management Engine's (ME) HECI devices and the system's IPMI devices from the OS. This prevents the OS from changing the ME power capping settings and blocks access to all in-band management tools. All management functions must then be performed using out-of-band techniques.

NOTE: BIOS updates require the HECI devices to be operational, and DUP updates require the IPMI interface to be operational. This setting must be set to Enabled to avoid update errors.

Secure Boot

Enabled/Disabled

Allows you to enable Secure Boot, where the BIOS authenticates each component that is executed during the boot process using the certificates in the Secure Boot Policy. The following components are validated in the boot process:

  • UEFI drivers that are loaded from PCIe cards
  • UEFI drivers and executables from mass storage devices
  • Operating System boot loaders
NOTE: Secure Boot is not available unless the Boot Mode (in the Boot Settings menu) is UEFI.
NOTE: Secure Boot is not available unless the “Load Legacy Video Option ROM” setting (in the Miscellaneous Settings menu) is disabled.
NOTE: Enabling a Setup password is recommended when Secure Boot is used.

Secure Boot Policy

Standard/Custom

When Secure Boot Policy is Standard, the BIOS uses the system manufacturer’s key and certificates to authenticate pre-boot images. When Secure Boot Policy is set to Custom, the BIOS uses the user-customized key and certificates.

NOTE: If Custom mode is selected, the Secure Boot Custom Policy Settings menu is displayed.
NOTE: Changing the default security certificates may cause the system to fail booting from certain boot options.

Secure Boot Mode

User Mode/Deploy Mode

Configures how the BIOS uses the Secure Boot Policy Objects (PK, KEK, db, and dbx). In Setup Mode and Audit Mode, PK is not present, and BIOS does not authenticate programmatic updates to the policy objects. In User Mode and Deployed Mode, PK is present, and BIOS performs signature verification on programmatic attempts to update policy objects.

Deployed Mode is the most secure mode. Use Setup, Audit, or User Mode when provisioning the system, then use Deployed Mode for normal operation. Available mode transitions depend on the current mode and PK presence. For more information about transitions between the four modes, see Figure 77 in the UEFI 2.6 specification.

In Audit Mode, the BIOS performs signature verification on pre-boot images and logs results in the Image Execution Information Table but executes the images whether they pass or fail verification. Audit Mode is useful for programmatically determining a working set of policy objects.

Secure Boot Policy Settings

N/A

Enables you to configure the Secure Boot Custom Policy. A user can enroll and delete the PK, KEK, db, and dbx entries.

For a complete list of BIOS settings, see the whitepaper – Setting up BIOS on 14th Generation Dell PowerEdge Servers - https://downloads.dell.com/solutions
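The procedure above is a manual walk through the iDRAC web interface. Fleet operators usually want to verify the same System Security table programmatically, so the following is an added example (not Dell's code and not part of this guide) that audits the BIOS attributes iDRAC9 reports and builds the Redfish body that would set the recommended values from the table. The attribute names (`PasswordStatus`, `PwrButton`, `UefiVariableAccess`, `SecureBoot`, `SecureBootMode`, `BootMode`, `InBandManageabilityInterface`, `SetupPassword`) and their value strings are assumptions about the shape of the `Attributes` object at `/redfish/v1/Systems/System.Embedded.1/Bios`; confirm them against the BIOS attribute registry of the system you manage. The sample response is constructed.

```python
"""Audit iDRAC9-reported BIOS System Security attributes against this guide's
recommendations and build the Redfish PATCH body needed to remediate them.

Assumptions (not taken from the guide): attribute names and value strings
follow the "Attributes" object of the iDRAC9 Redfish resource
/redfish/v1/Systems/System.Embedded.1/Bios. Verify them against the BIOS
attribute registry of your own system before relying on this script.
"""
import json

# Recommended values from the System Security table above, keyed by the
# assumed Redfish attribute name of each menu item.
RECOMMENDED = {
    "PasswordStatus": "Locked",          # Password Status: set to "Locked"
    "PwrButton": "Disabled",             # Power Button: Disabled blocks power-off
    "UefiVariableAccess": "Controlled",  # UEFI Variable Access: protect variables
    "SecureBoot": "Enabled",             # Secure Boot: authenticate boot components
    "SecureBootMode": "DeployedMode",    # Deployed Mode is the most secure mode
}

# Prerequisites the guide's notes call out: Secure Boot needs UEFI boot mode,
# and In-Band Manageability must stay Enabled or BIOS/DUP updates fail.
PREREQUISITES = {
    "BootMode": "Uefi",
    "InBandManageabilityInterface": "Enabled",
}

# Constructed sample (attribute subset only) as a freshly provisioned server
# might report it; value strings are assumed, not copied from a real system.
SAMPLE_BIOS_RESOURCE = {
    "@odata.id": "/redfish/v1/Systems/System.Embedded.1/Bios",
    "Attributes": {
        "BootMode": "Uefi",
        "SetupPassword": "",
        "PasswordStatus": "Unlocked",
        "PwrButton": "Enabled",
        "UefiVariableAccess": "Standard",
        "InBandManageabilityInterface": "Enabled",
        "SecureBoot": "Disabled",
        "SecureBootPolicy": "Standard",
        "SecureBootMode": "SetupMode",
    },
}


def audit_bios_security(attributes):
    """Compare BIOS attributes with the recommendations.

    Returns (findings, warnings): findings maps each non-compliant attribute
    to its current and recommended value; warnings lists prerequisite problems
    that a settings change alone will not fix.
    """
    findings = {}
    for name, want in RECOMMENDED.items():
        got = attributes.get(name)
        if got != want:
            findings[name] = {"current": got, "recommended": want}

    warnings = []
    for name, want in PREREQUISITES.items():
        got = attributes.get(name)
        if got != want:
            warnings.append(f"{name} is {got!r}, expected {want!r}")
    # Secure Boot is only available when Boot Mode is UEFI (guide note).
    if "SecureBoot" in findings and attributes.get("BootMode") != "Uefi":
        warnings.append("Secure Boot cannot be enabled until Boot Mode is UEFI")
    # Passwords are write-only; an empty string is assumed to mean "not set".
    if attributes.get("SetupPassword", "") == "":
        warnings.append(
            "SetupPassword is not set (a Setup password is recommended for Secure Boot)"
        )
    return findings, warnings


def build_settings_patch(findings):
    """Body for PATCH .../Bios/Settings. The values become pending settings;
    a BIOS configuration job and a reboot are still required to apply them."""
    return {"Attributes": {n: f["recommended"] for n, f in findings.items()}}


if __name__ == "__main__":
    found, warns = audit_bios_security(SAMPLE_BIOS_RESOURCE["Attributes"])
    for name, f in found.items():
        print(f"{name}: {f['current']} -> {f['recommended']}")
    for w in warns:
        print("warning:", w)
    print(json.dumps(build_settings_patch(found), indent=2))
```

The audit separates hard findings from prerequisites on purpose: In-Band Manageability being Enabled is a precondition for BIOS and DUP updates rather than a weakness, and a Secure Boot finding on a legacy-boot system cannot be cleared by the settings patch alone, so both surface as warnings instead of being silently folded into the remediation body.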
