- Notes, cautions, and warnings
- Overview
- Built in iDRAC and PowerEdge Security
- Securely Configuring iDRAC Web Server
- Securely Using TLS/SSL Certificate
- Federal Information Processing Standards (FIPS)
- Secure Shell (SSH)
- Network Security Configuration
- Interfaces and Protocols to Access iDRAC
- iDRAC Port Configuration
- IPMI and SNMP Security Best Practices
- Secure Enterprise Key Manager (SEKM) Security
- iDRAC9 Group Manager
- Virtual Console and Virtual Media Security
- VNC Security
- User Configuration and Access Control
- Configuring Local Users
- Disabling Access to Modify iDRAC Configuration Settings on Host System
- iDRAC User Roles and Privileges
- Superroot User
- Recommended Characters in Usernames and Passwords
- Password Strength Policy
- Secure Default Password
- Changing the Default Login Password using Web Interface
- Force Change of Password (FCP)
- Simple 2-Factor Authentication (Simple 2FA)
- RSA SecurID Two Factor Authentication (2FA) iDRAC9 Datacenter
- Active Directory
- LDAP
- Customizable Security Banner
- System Lockdown Mode
- Securely Configuring BIOS System Security
- Secure Boot Configuration
- Securely Erasing Data
- LCD Panel
- Server Inventory, Lifecycle Log, Server Profiles, and Licenses Import and Export
- Security Events Lifecycle Log
- Default Configuration Values
- Network Vulnerability Scanning
- Security Licensing
- Field Service Debug (FSD)
- Best Practices
- Appendix - White papers
iDRAC9 Security Configuration Guide
Default Configuration Values
The table below includes the security configurations described in this document and the default values.
| Configuration | Default Values |
|---|---|
|
iDRAC.Webserver.HttpsRedirection |
1 - Enabled |
|
iDRAC.Webserver.TLSProtocol |
1 -TLS 1.1 and Higher |
|
iDRAC.Webserver.SSLEncryptionBitLength |
1- 128-Bit or Higher |
|
iDRAC.Webserver.CustomCipherString |
None |
|
TLS/ SSL Certificates |
Self-signed certificate |
|
iDRAC.SCEP.Enable |
0 - Disabled |
|
iDRAC.Security.FIPSMode |
0 - Disabled |
|
iDRAC.Users.2.SSHPublicKey1 |
None |
|
iDRAC.SSHCrypto.KexAlgorithms |
curve25519-sha256,curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, diffie-hellman-group14-sha256 |
|
iDRAC.SSHCrypto.Ciphers |
chacha20-poly1305@openssh.com,aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com |
|
iDRAC.NIC.Selection |
1 - Dedicated |
|
iDRAC.NIC.VlanEnable |
0 – Disabled |
|
iDRAC.USB.PortStatus |
1 – Enabled |
|
iDRAC.OS-BMC.AdminState |
0 – Disabled |
|
iDRAC.OS-BMC.PTMode |
1 – usb-p2p |
|
iDRAC.IPBlocking.BlockEnable |
1 – Enabled |
|
iDRAC.IPBlocking.FailCount |
3 |
|
iDRAC.IPBlocking.FailWindow |
60 |
|
iDRAC.IPBlocking.PenaltyTime |
60 |
|
iDRAC.IPBlocking.RangeEnable |
0 – Disabled |
|
iDRAC.autodiscovery.EnableIPChangeAnnounce |
1 – Enabled |
|
iDRAC.IPMILan.Enable |
0 – Disabled |
|
iDAC.IPMISOL |
1 – Enabled |
|
iDRAC.Telnet.Enable |
0 – Disabled |
|
iDRAC.SNMP.AgentEnable |
1 – Enabled |
|
iDRAC.NTPConfigGroupEnable |
0 – Disabled |
|
iDRAC.GroupManager.Status |
0 – Disabled |
|
iDRAC.GUI.SecurityPolicyMessage |
By accessing this computer, you confirm that such access complies with your organization's security policy. |
|
iDRAC.VirtualConsole.PluginType |
3 – eHTML5 |
|
iDRAC.VirtualConsole.Enable |
1 – Enabled |
|
iDRAC.VirtualConsole.EncryptEnable |
1 – Enabled |
|
iDRAC.VirtualConsole.WebRedirect |
0 – Disabled |
|
iDRAC.VNCServer.SSLEncryptionBitLength |
1 – Auto Negotiate |
|
iDRAC.VNCServer.Enable |
0 – Disabled |
|
iDRAC.VNCServer.Timeout |
300 |
|
iDRAC.Users.2.IpmiLanPrivilege |
15 – No Access |
|
iDRAC.Users.2.ProtocolEnable If SNMPv3 is needed set Authentication Type to SHA and Privacy Type to AES |
0 – Disabled |
|
iDRAC.Users.2.AuthenticationProtocol |
2 – SHA |
|
iDRAC.Users.2.PrivacyProtocol |
2 – AES |
|
iDRAC.Users.2.Simple2FA |
0 – Disabled |
|
iDRAC.Security.MinimumPasswordScore |
1 – Weak Protection |
|
iDRAC.Security.PasswordRequireNumbers |
0 – Disabled |
|
iDRAC.Security.PasswordMinimumLength |
0 |
|
iDRAC.Security.PasswordRequireSymbols |
0 – Disabled |
|
iDRAC.Security.PasswordRequireUpperCase |
0 – Disabled |
|
iDRAC.SecureDefaultPassword.ForceChangePassword |
0 – False |
|
iDRAC.ActiveDirectory.Enable |
0 – Disabled |
|
iDRAC.LDAP.Enable |
0 – Disabled |
|
iDRAC.Lockdown.SystemLockdown |
0 – Disabled |
|
BIOS.Syssecurity.PasswordStatus |
Unlocked |
|
BIOS.Syssecurity.PwrButton |
Enabled |
|
BIOS.Syssecurity.UefiVariableAccess |
Standard |
|
BIOS In-Band Manageability Interface |
Enabled |
|
BIOS.Syssecurity.SecureBoot |
Disabled |
|
BIOS.Syssecurity.SecureBootPolicy |
Standard |
|
BIOS.Syssecurity.SecureBootMode |
DeployedMode |
|
LifeCycleController.LCAttributes.UserProxyPort |
80 |
|
LifeCycleController.LCAttributes.UserProxyType |
HTTP |
|
LifeCycleController Ignore Cert Warning to Off |
1 – On |
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\