Security Policies

A key principle of security is to minimize the "attack surface" by disabling any services that you don't need. The BMC allows you to control which management protocols are active and to enforce system-wide rules for session timeouts and password strength.

This chapter shows you how to configure these global security policies to harden your BMC.

Enabling or disabling services

The Policies page gives you granular control to enable or disable individual services.

  1. In the sidebar menu, navigate to Security and access > Policies.

  2. In the Services section, you will see a list of toggles for various protocols.

[Image: Screenshot of the Policies page, showing the various toggles and fields for services and settings.]

You can control key services such as:

  • Network IPMI: Allows remote management via ipmitool. This protocol is powerful but can be insecure if it is not managed correctly.

  • KVM: Enables the graphical remote console.

  • Virtual Media: Allows mounting of remote images.

  • SOL SSH: Enables text-based console access over SSH.

  • SNMP: Allows the server to be monitored by network management systems. You can enable different versions (v1, v2c, v3) individually.

Setting session timeouts and password policies

The Configurations section on the same page lets you enforce global rules for all users.

  • Web Session Timeout: Sets the inactivity period (in seconds) before a user is automatically logged out of the web interface. A shorter timeout enhances security.

  • KVM Session Timeout: Sets a separate timeout for KVM sessions.

  • Password Complexity: Enforces minimum password requirements for all local users. You can choose from levels like Low, Medium, or High. This is a critical policy for preventing weak passwords.

  • Password History: Prevents users from reusing old passwords. You can set it to remember the last 1 to 15 passwords.

After making your changes, click the Save button next to the setting you modified.

Field Reference

Services

| Service | Description |
| --- | --- |
| Network IPMI | Enables out-of-band platform management via IPMI tools (e.g., ipmitool). |
| KVM | Enables the graphical remote console. You can also set the KVM Port Value. |
| Web Port | Sets the port number for the web interface (default is 443 for HTTPS). |
| Virtual Media | Enables the ability to mount remote images for OS installation or diagnostics. |
| SOL SSH | Enables text-based Serial-over-LAN console access over SSH. You can also set the SOL SSH Port Value. |
| SSDP | Enables the Simple Service Discovery Protocol for network discovery. |
| SNMP | Enables the Simple Network Management Protocol for monitoring. You can enable SNMPv1, SNMPv2c, and SNMPv3 individually and set the SNMP Port value. |
| OpenSSL FIPS Mode | Enables FIPS (Federal Information Processing Standards) compliance mode for cryptographic modules. |

Configurations

| Configuration | Description |
| --- | --- |
| Web Session Timeout | Sets the inactivity period in seconds (between 30 and 86400) before a user is automatically logged out of the web interface. |
| KVM Session Timeout | Sets a separate inactivity timeout in seconds (between 30 and 86400) for KVM sessions. |
| SOL Non-Volatile Bit Rate | Selects the bit rate for the Serial-over-LAN communication. |
| Complexity | Enforces minimum password strength requirements for all local users. You can choose from Disabled, Low, Medium, or High. |
| Password History | Prevents users from reusing old passwords. You can set it to remember the last 0 to 5 passwords. |
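
The following added example (not vendor code and not part of the original page) audits a snapshot of the Policies page against the ranges in the Field Reference and the principle of disabling services you don't need. The snapshot layout, the 1800-second idle limit and the list of services to review are assumptions made for illustration.

```python
# Added example. The snapshot layout (a dict of toggles and values transcribed
# from the Policies page) is hypothetical; BASELINE_MAX_TIMEOUT and
# REVIEW_IF_ENABLED are assumed site policy, not BMC defaults.
TIMEOUT_RANGE = (30, 86400)   # valid seconds, per the Field Reference
BASELINE_MAX_TIMEOUT = 1800   # assumed site limit for idle sessions
COMPLEXITY_LEVELS = ("Disabled", "Low", "Medium", "High")
REVIEW_IF_ENABLED = ("Network IPMI", "SSDP", "SNMPv1", "SNMPv2c")


def audit_policies(snapshot):
    """Return (severity, setting, message) findings for one BMC snapshot."""
    services = snapshot.get("services", {})
    config = snapshot.get("configurations", {})
    findings = []
    for name in REVIEW_IF_ENABLED:
        if services.get(name):
            findings.append(("warn", name, "enabled; disable unless required"))
    low, high = TIMEOUT_RANGE
    for key in ("Web Session Timeout", "KVM Session Timeout"):
        value = config.get(key)
        if type(value) is not int or not low <= value <= high:
            findings.append(("error", key, f"{value!r} is not in {low}-{high} s"))
        elif value > BASELINE_MAX_TIMEOUT:
            findings.append(("warn", key, f"{value} s exceeds site baseline"))
    level = config.get("Complexity")
    if level not in COMPLEXITY_LEVELS:
        findings.append(("error", "Complexity", f"unknown level {level!r}"))
    elif level in ("Disabled", "Low"):
        findings.append(("warn", "Complexity", f"{level} permits weak passwords"))
    if not config.get("Password History"):
        findings.append(("warn", "Password History", "password reuse is not prevented"))
    return findings


# Constructed sample snapshots (not taken from a real BMC).
WEAK = {
    "services": {"Network IPMI": True, "SSDP": True, "SNMPv1": True,
                 "SNMPv2c": False, "SNMPv3": True, "KVM": True},
    "configurations": {"Web Session Timeout": 86400, "KVM Session Timeout": 10,
                       "Complexity": "Low", "Password History": 0},
}
HARDENED = {
    "services": {"Network IPMI": False, "SSDP": False, "SNMPv1": False,
                 "SNMPv2c": False, "SNMPv3": True, "KVM": True},
    "configurations": {"Web Session Timeout": 900, "KVM Session Timeout": 900,
                       "Complexity": "High", "Password History": 5},
}

if __name__ == "__main__":
    for severity, setting, message in audit_policies(WEAK):
        print(f"[{severity}] {setting}: {message}")
```

Running it against one snapshot per BMC gives a quick way to spot hosts that have drifted from the baseline after firmware updates or factory resets.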
