HPE Server Security Optimized Service for HPE ProLiant

iLO Security State: High Security

Configuring iLO to use High Security mode reduces the attack surface for cyber attackers, making it more difficult to insert compromised code or malware into the server firmware.

Security state locks down the host and requires specific authentication through encryption before a user can log into the server.

UEFI Secure Boot feature: Enabled

For customers who ask Hewlett Packard Enterprise to load an OS at the factory, enabling UEFI Secure Boot connects the Silicon Root of Trust to the OS.

An industry-recognized feature, affixing the UEFI firmware to the boot loader ensures that the genuine and authenticated OS is initialized.

Any antivirus software actually runs in the OS, but cannot detect hackers or an intrusion until the OS is fully running. Some astute bad actors try to compromise the OS before its antivirus tools have a chance to start.

The UEFI Secure Boot feature provides protection against this scenario. If a customer chooses to load the OS on their own, they can configure this feature when the HPE Trusted Supply Chain server is delivered to the end-user location.

HPE Server Configuration Lock: Enabled

This feature takes cryptographic measurements, or images, of the supported HPE Trusted Supply Chain server firmware, hardware components, and options. It creates a digital fingerprint of the server configuration. If any firmware, hardware, or options are altered, an alert is displayed at startup.

Enabling this feature at the factory essentially prevents all tampering or compromise to the server composition, no matter how slight.

This feature uses a password, created by Hewlett Packard Enterprise, to lock down the server configuration at the factory. The password is securely transmitted to the customer, who unlocks the server when it arrives.

HPE chassis intrusion detection switch: Enabled

This mechanism protects the HPE Trusted Supply Chain server from physical intrusion.

Complementing and reinforcing the protection from the Server Configuration Lock, the chassis intrusion detection switch registers an alert if the top of the server chassis is removed.

It logs an event in the iLO firmware, even if the server is powered off. If any cyber attacker or unauthorized personnel open the server chassis, the customer will know that someone might have tampered with the server.