Information
Many servers have integrated hardware management controllers that can be extremely helpful when monitoring and updating hardware, settings, and firmware. These controllers should be checked to ensure that ALL unused functionality is disabled, ALL unused access methods are disabled, passwords and password controls are set, and firewalling and access control is in place so that the only access is from authorized access workstations for the virtualization administration team.
All "first boot" configuration options should be disabled, especially ones that reconfigure the system from USB devices that are inserted. Disable or protect USB ports attached to the management controllers. Where possible, USB ports should be set to only permit keyboards.
Default passwords for accounts should be changed.
External information displays should be secured to prevent information leakage. Power and information buttons should be secured against unauthorized use.
Many hardware management controllers provide mechanisms for alerting when hardware faults and configuration changes occur. You should consider those if you are not using another method for hardware monitoring.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Impact:
Disablement of connection methods may mean that future monitoring and management efforts require changes to the hardware management controller configurations across your fleet of servers.
Most hardware management controllers have CLI and API management methods that can be scripted and used from a management workstation, in lieu of additional management software or applications. Learning these techniques saves time, avoids the additional effort of installing and maintaining additional tools, and allows for timely changes to configurations.