Intelligent Platform Management Interface (IPMI) technology underpins lights out management (LOM) in IT departments around the world. LOM allows an IT administrator or IT security manager to manipulate and manage servers using remote control. They can even switch the machines on when they are ‘off’.
These so-called ‘lights out’ cards are used by many manufacturers of computer servers and corporate workstations. Dell sells them as Dell Remote Access Cards (DRAC). HP refers to them as Integrated Lights Out cards (ILOs). No matter what the label, it is a potent technology. Even though each vendor has a different implementation and name for their lights out management, at a high level they all offer the same basic features.
IPMI allows IT staff, while sitting at their own terminals anywhere in the world, to log in and take control of a server and perform tasks as if they were actually right in front of the screen. Staff can turn it on, turn it off, and interact with it. Most useful of all, they can manage the BIOS of the machine, install software on it, form a network share, and boot up from that. Almost anything an interactive user with physical access to the box could do, a remote user can do.
As long as you are the right person, and you know what you’re doing, it’s a great capability to have. But put it in the wrong hands and you have a different situation.
IPMI – How secure is it?
IPMI may have some fundamental flaws that hackers could use to infiltrate the network, even if the device is turned off.
The bad guys have known about IPMI for years. To think that they won’t use this back door entrance into the enterprise shows a lack of imagination. Attackers can locate these devices on a network using free tools such as IPMIPing, or with any port scanner looking for UDP port 623.
The fact is that IPMI can be dangerous if you don’t have rigorous controls and effective privileged identity management.
It’s not only external cyber attackers who can do damage. Former employees could retain this back door access to the company if passwords are not changed regularly.
No one is suggesting ditching this useful technology because it has a downside. That would be akin to suggesting we stop using mobile devices because they may get stolen. The danger is not that you have IPMI. The problem is how you manage the credentials and access to these machines because, remember, you may have thousands of them.
The Default Password Security Threat
One major mistake many organizations make is to leave the devices’ default passwords unchanged. For example, it’s common knowledge that Dell delivers its DRAC cards with the default account ‘root’, and the password ‘calvin’. It’s a fair assumption that hackers know this. If this knowledge alone doesn’t make you change your default passwords, then maybe this will. Lists of default passwords are easily available on web sites like this: https://default-password.info/
A common IT security failure at many organizations is that privileged credentials are not properly managed and secured. If everyone on the IT team uses the same log-in details, there is no accountability for problems that arise – either accidental or intentional.
IT security auditors understand the reality of the risks posed by these ‘super user’ accounts. Most regulatory compliance frameworks stipulate that organizations cannot leave their systems with factory default passwords.
So failure to manage these credentials can put you in a big regulatory compliance mess if your auditor discovers that your systems are wide-open to manipulation, even when they’re switched off.
IPMI Security Best Practices
IPMI is a good technology – it just needs to be secure. Here are a few tips to start:
- Change credentials regularly. Use privileged identity management products that automatically discover, secure and audit privileged accounts.
- Place IPMI devices in a segregated network that is not available to all users.
- Change the default passwords immediately.
Also make sure that when someone requests access to a machine, the request is checked and the individual is confirmed to be authorized. Once access to the device has been granted, a session timer should terminate the validity of the credentials after a set period. The final piece is that all of these elements should be fully audited.
Finally, ensure that you have a process in place to change the password of an IPMI device if it has been disclosed to anyone and the specific need for access (i.e. repair, patch, etc.) has been completed.
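The checks above (factory defaults, regular rotation, a segregated management network, and revoking access once the task is done) can be run against a BMC inventory as a policy audit. The following is an added example, not code from the original article; the management subnet, the 90-day rotation window and the sample hosts are assumptions, and the only default credential pair it knows is the root/calvin one the article names.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Policy values assumed for this example; the article gives no specific figures.
MGMT_NETWORK = ipaddress.ip_network("10.99.0.0/24")  # segregated BMC VLAN (assumed)
MAX_CREDENTIAL_AGE_DAYS = 90                          # rotation window (assumed)
# Factory default named in the article: Dell DRAC ships with root / calvin.
FACTORY_DEFAULTS = {("root", "calvin")}
AUDIT_DATE = date(2024, 5, 1)                         # "today" for the sample run

@dataclass
class Bmc:
    host: str
    ip: str
    user: str
    password: str
    last_rotated: date              # when the credential was last changed
    access_expires: Optional[date]  # end of an open access grant, if any

def audit_bmc(bmc: Bmc, today: date) -> list:
    """Return the policy findings for one lights-out controller."""
    findings = []
    if (bmc.user, bmc.password) in FACTORY_DEFAULTS:
        findings.append("factory default credentials still in use")
    if (today - bmc.last_rotated).days > MAX_CREDENTIAL_AGE_DAYS:
        findings.append("credential older than rotation window")
    if ipaddress.ip_address(bmc.ip) not in MGMT_NETWORK:
        findings.append("BMC reachable outside segregated management network")
    if bmc.access_expires is not None and bmc.access_expires < today:
        findings.append("expired access grant not revoked; rotate the password")
    return findings

def audit_inventory(inventory, today: date) -> dict:
    """Map each host name to its list of findings (empty list means compliant)."""
    return {b.host: audit_bmc(b, today) for b in inventory}

# Constructed sample inventory; none of these hosts or addresses are real.
SAMPLE = [
    Bmc("db01", "10.99.0.15", "bmcadmin", "X9v!q2Lp", date(2024, 3, 1), None),
    Bmc("web02", "10.99.0.16", "root", "calvin", date(2023, 1, 10), None),
    Bmc("lab07", "192.168.1.50", "opsuser", "R4nd0m-Pw", date(2024, 4, 1), date(2024, 4, 20)),
]

if __name__ == "__main__":
    for host, issues in audit_inventory(SAMPLE, AUDIT_DATE).items():
        print(host, issues or ["compliant"])
```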
IPMI is a fundamentally sound technology. But it’s a fundamentally dangerous one in the hands of an IT department which does not have the correct security policies in place. As long as you follow these best practices IPMI will be a valuable tool for your organization.
For more tips on securing access to your critical systems, see our white paper Best Practices in Privileged Identity Management.