Reach DSS-ENC User's Guide Page 1

iDRAC6 Integrated Dell™ Remote Access Controller 6 Security Version 1.0 July 2010

10 Enable setting, reserving the Enable with Remote RACADM setting for iDRAC administrators needing to access the iDRAC6 to run scripts using remote

11 sent via an encrypted channel to Active Directory. When iDRAC6 establishes an SSL connection with Active Directory Domain Controller, it verifies

12 RacDevice, from which we are authenticating, is part of this attribute. Note that the dellProductMembers can be groups of RACs and will retain the

13 Single Sign On (SSO) iDRAC6 allows a user configured in the Active Directory with Standard Schema to log in directly to the iDRAC6 GUI without ex

14 Figure 5 Log in via Active Directory with Smart Card (TFA) Smart Card Authentication that uses the AD standard schema authentication is referred

15 Active Directory login troubleshooting If you want to verify whether your configuration works, or if you need to diagnose the problem with your fa

16 clients running Windows and ssh-keygen CLI for clients running Linux. The ssh-keygen CLI utility comes by default on all standard installations. L

17 Redirection server. Administrators can replace the iDRAC6 server SSL certificate using the following steps: • Generate the CSR and the Private K

18 have administrator privilege, an error message is displayed indicating that they do not have privileges. On a Linux-based system, a user must log

19 the client and the connection will be dropped. All virtual media data is encrypted with AES256 and key exchanges via SSL, if an encrypted connect

2 THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACI

20 NOTE: Dell strongly recommends setting the maximum number of console redirection sessions to one if additional simultaneous remote access is not r

21 Other Security Features VLAN Virtual LAN tagging can be configured in the web browser interface. If enabled, the iDRAC6 firmware requires the pre

22 Firewall To prevent unauthorized access to the remote system, IDRAC 6 provides the following features: • IP address filtering (IPRange) — defin

23 Recommended Practices Dell recommends the following practices to enhance security with iDRAC6. Use a dedicated NIC for the iDRAC. This isolates t

24 The Kerberos Network Authentication Service: http://tools.ietf.org/html/rfc4120 Appendix A: Supported SSL Cipher Suites IDRAC 6 supports SSL versi

25 Appendix B: Secure Shell Encryption IDRAC 6 supports only SSH-2.0 because SSH-1.0 is not considered secure. The following are ciphers supported by

3 Table of Contents Introduction ...

4 Firewall ...

5 Introduction The Integrated Dell Remote Acce

6 Figure 1 iDRAC physical connections Access to iDRAC6 from a local user of the server is assumed to be mitigated by operating system authenticatio

7 filtering. This feature is active with both the shared and dedicated network modes and provides protection against a denial of service attack. In

8 User Authentication and Authorization Local Accounts By default the iDRAC6 is configured with a local administrator account. This default user na

9 The users’ roles can be configured as administrator, operator, read only, or none. This role defines the maximum privileges available. Operator p