Dell OpenManage Security
Dell OpenManage Version 5.1 Installation and Security User's Guide
Security Features
Built-in Security Features
Security Management
Security Features
The Dell OpenManage systems management software components provide the following security features:
- Authentication for users through hardware-stored user IDs and passwords, or by using the optional Microsoft® Active Directory®.
- Role-based authority that allows specific privileges to be configured for each user.
- User ID and password configuration through the Web-based interface or the command line interface (CLI), in most cases.
- SSL encryption of 128 bit and 40 bit (for countries where 128 bit is not acceptable).
NOTE: Telnet does not support SSL encryption.
- Session time-out configuration (in minutes) through the Web-based interface or CLI.
- Configuration of many of the commonly known ports.
Built-in Security Features
Ports
Table 2-1 lists the ports used by the Dell OpenManage systems management software, other standard operating system services, and other agent applications. Correctly configured ports are necessary to allow Dell OpenManage systems management software to connect to a remote device through firewalls. If the attempt to communicate with a remote device fails, you may have specified an incorrect port number.
NOTE: "Version" in Table 2-1 refers to the minimum product version that uses the port (or the explicit version if specified).
Table 2-1. Dell OpenManage UDP/TCP Ports Default Locations

Dell OpenManage Baseboard Management Controller - PowerEdge x8xx systems

| Port # | Protocol | Port Type | Version | Max. Encryption Level | Direction | Usage | Configurable |
|---|---|---|---|---|---|---|---|
| 623 | RMCP | UDP | PowerEdge x800 systems only | None | In/Out | IPMI access via LAN | No |

Dell OpenManage Baseboard Management Utility

| Port # | Protocol | Port Type | Version | Max. Encryption Level | Direction | Usage | Configurable |
|---|---|---|---|---|---|---|---|
| 623 | Telnet | TCP | 1.x | None | In/Out | Accepts incoming Telnet connections | Yes |
| 623 | RMCP | UDP | 1.x | None | In/Out | Basic BMC commands: server status, power up/down, and so on | No |
| 623 | RMCP | UDP | 1.x | None | In/Out | Basic BMC commands and console redirection | No |

Dell OpenManage Client Connector

| Port # | Protocol | Port Type | Version | Max. Encryption Level | Direction | Usage | Configurable |
|---|---|---|---|---|---|---|---|
| 135 | RPC | TCP/UDP | 2.0 | None | In/Out | Viewing of client management data | No |
| 389 | LDAP | TCP | 2.0 | 128 bit | In/Out | Domain authentication | No |
| 4995 | HTTPS | TCP | 2.0 | 128 bit SSL | In/Out | Web GUI | Yes |
| 1024 - 65535 (dynamically assigned) | DCOM | TCP/UDP | 2.0 | None | In/Out | Viewing of client management data | Port range can be restricted |

Dell OpenManage Client Instrumentation

| Port # | Protocol | Port Type | Version | Max. Encryption Level | Direction | Usage | Configurable |
|---|---|---|---|---|---|---|---|
| 20 | HTTP and FTP | TCP | 6.x, 7.x | None | In/Out | Flash BIOS communication | No |
| 21 | HTTP and FTP | TCP | 6.x, 7.x | None | In/Out | Flash BIOS communication | No |
| 80 | HTTP and FTP | TCP | 6.x, 7.x | None | In/Out | Flash BIOS communication | No |
| 135 | DCOM | TCP/UDP | 6.x, 7.x | None | In/Out | Monitoring and configuration via WMI | No |
| 135 | DCOM | TCP | 7.x | None | Out | Event transmission via WMI | No |
| 162 | SNMP | UDP | 6.x | None | Out | Event transmission via SNMP | No |
| 1024 - 65535 (dynamically assigned) | DCOM | TCP/UDP | 6.x, 7.x | None | In/Out | Monitoring and configuration via WMI | |
| > 32780 (dynamically assigned) | DMI | TCP/UDP | 6.x | None | In/Out | Monitoring and configuration via DMI | Varies from one system to another |

Dell OpenManage IT Assistant

| Port # | Protocol | Port Type | Version | Max. Encryption Level | Direction | Usage | Configurable |
|---|---|---|---|---|---|---|---|
| 20 | FTP | TCP | 6.x | None | In/Out | Flash BIOS | No |
| 22 | SSH | TCP | 7.x | 128 bit | In/Out | IT Assistant contextual application launch of an SSH client; remote software updates to Server Administrator (systems supporting Linux) | Yes |
| 23 | Telnet | TCP | 7.x | None | In/Out | IT Assistant contextual application launch of Telnet to a Linux device | No |
| 25 | SMTP | TCP | 7.x | None | In/Out | Optional e-mail alert action from IT Assistant | No |
| 68 | UDP | UDP | 6.x, 7.x | None | Out | Wake-on-LAN | Yes |
| 80 | HTTP | TCP | 6.x | None | In/Out | Flash BIOS | No |
| 80 | HTTP | TCP | 7.x | None | In/Out | IT Assistant contextual application launch of the PowerConnect console | No |
| 135 | RPC | TCP | 6.x, 7.x | None | In/Out | Event reception via CIM from Server Administrator (systems supporting Windows®) | No |
| 135 | RPC | TCP/UDP | 6.x | None | In/Out | DMI discovery of remote systems | No |
| 135 | RPC | TCP/UDP | 7.x | None | In/Out | Remote software update transfer to Server Administrator (systems supporting Windows); Remote Command Line (systems supporting Windows) | No |
| 161 | SNMP | UDP | 6.x, 7.x | None | In/Out | SNMP query management | No |
| 162 | SNMP | UDP | 6.x, 7.x | None | In | Event reception via SNMP | No |
| 162 | SNMP | UDP | 7.x | None | Out | SNMP trap forwarding action from IT Assistant | No |
| 389 | LDAP | TCP | 7.x | 128 bit | In/Out | Domain authentication for IT Assistant log on | No |
| 1433 | Proprietary | TCP | 7.x | None | In/Out | Optional remote SQL server access | Yes |
| 2606 | Proprietary | TCP | 6.x, 7.x | None | In/Out | Network monitoring service communication port | Yes |
| 2607 | HTTPS | TCP | 7.x | 128 bit SSL | In/Out | IT Assistant web GUI | Yes |
| 3389 | RDP | TCP | 7.x | 128 bit SSL | In/Out | IT Assistant contextual application launch of Remote Desktop to Windows terminal services | Yes |
| 11487/11489 | Proprietary | TCP/UDP | 6.x | None | Out | Flash BIOS | No |
| 443 | Proprietary | TCP | 8.0 | None | In/Out | EMC Storage discovery and inventory | No |
| 623 | RMCP | UDP | 8.0 | None | In/Out | IPMI access via LAN | No |
| 6389 | Proprietary | TCP | 8.0 | None | In/Out | Enables communication between a host system (through NaviCLI/NaviSecCLI or Navisphere Host Agent) and a Navisphere Array Agent on a storage system | No |

Dell OpenManage Server Administrator

| Port # | Protocol | Port Type | Version | Max. Encryption Level | Direction | Usage | Configurable |
|---|---|---|---|---|---|---|---|
| 22 | SSH | TCP | 2.0 | 128 bit | In/Out | Remote Server Administrator Command Line (for IT Assistant); Remote Software Update feature (for Linux) | Yes |
| 25 | SMTP | TCP | 2.0 | None | In/Out | Optional e-mail alert messages from Server Administrator | No |
| 135 | RPC | TCP/UDP | 2.0 | None | In/Out | CIM management queries | No |
| 135 | RPC | TCP/UDP | 2.0 | None | In/Out | Remote Server Administrator Command Line (for IT Assistant); Remote Software Update feature (for Windows) | No |
| 139 | NetBIOS | TCP | 2.0 | None | In/Out | Remote Server Administrator Command Line (for IT Assistant); Remote Software Update (for Windows) | No |
| 161 | SNMP | UDP | 1.x, 2.0 | None | In/Out | SNMP query management | No |
| 162 | SNMP | UDP | 1.x, 2.0 | None | Out | SNMP trap event | No |
| 445 | NetBIOS | TCP | 2.0 | None | In/Out | Remote software updates to Server Administrator (for Windows) | No |
| 1311 | HTTPS | TCP | 1.x | 128 bit SSL | In/Out | Web GUI | Yes |
| 11487 | Proprietary | UDP | 1.x | None | In | Remote Flash BIOS update initiation from IT Assistant | Yes |
| 11489 | Proprietary | TCP | 1.x | None | In | Remote Flash BIOS update file transfer from IT Assistant | Yes |
| 1024 - 65535 | DCOM | TCP/UDP | 2.0 | None | In/Out | CIM/WMI query management | Yes |

Dell Remote Access Controller (DRAC): DRAC III, DRAC III/XT, ERA, and ERA/O

| Port # | Protocol | Port Type | Version | Max. Encryption Level | Direction | Usage | Configurable |
|---|---|---|---|---|---|---|---|
| 21 | FTP | TCP | 1.0 | None | In/Out | Firmware update via FTP and certificate upload/download | No |
| 23 | Telnet | TCP | 1.0 | None | In/Out | Optional Telnet-based CLI management | No |
| 25 | SMTP | TCP | 1.0 | None | In/Out | Optional e-mail alert messages | No |
| 68 | DHCP | UDP | 1.2 | None | In/Out | DHCP-assigned IP address | No |
| 69 | TFTP | UDP | 1.0 | None | In/Out | Firmware update via Trivial FTP; remote floppy boot via TFTP | No |
| 80 | HTTP | TCP | 1.0 | None | In/Out | Web GUI redirected to HTTPS | No |
| 162 | SNMP | UDP | 1.0 | None | Out | SNMP trap event | No |
| 443 | HTTPS | TCP | 1.0 | 128 bit SSL | In/Out | Web management GUI | No |
| 443 | HTTPS | TCP | 3.2 | 128 bit SSL | In/Out | Remote racadm CLI utility | No |
| 5869 | Proprietary | TCP | 1.0 | None | In/Out | Remote racadm CLI utility | No |
| 5900 | VNC | TCP | 1.0 | 56 bit DES | In/Out | Video redirection | Yes |
| 5900 | VNC | TCP | 3.2 | 128 bit RC | In/Out | Video redirection | Yes |
| 5981 | VNC | TCP | 1.0 | None | In/Out | Video redirection | Yes |
| random and > 32768 | Proprietary | TCP | 1.0 | None | In/Out | Firmware update from the Web GUI | No |

DRAC 4

| Port # | Protocol | Port Type | Version | Max. Encryption Level | Direction | Usage | Configurable |
|---|---|---|---|---|---|---|---|
| 22 | SSHv2 | TCP | 1.30 | 128 bit | In/Out | Optional Secure Shell (SSH) CLI management | Yes |
| 23 | Telnet | TCP | 1.0 | None | In/Out | Optional Telnet CLI management | Yes |
| 25 | SMTP | TCP | 1.0 | None | In/Out | Optional e-mail alert messages | No |
| 53 | DNS | UDP | 1.20 | None | In/Out | Dynamic Domain Name Server (DNS) registration of the host name assigned within DRAC | No |
| 68 | DHCP | UDP | 1.0 | None | In/Out | DHCP-assigned IP address | No |
| 69 | TFTP | UDP | 1.0 | None | In/Out | Firmware update via Trivial FTP | No |
| 80 | HTTP | TCP | 1.0 | None | In/Out | Web GUI redirected to HTTPS | Yes |
| 161 | SNMP | UDP | 1.0 | None | In/Out | SNMP query management | No |
| 162 | SNMP | UDP | 1.0 | None | Out | SNMP trap event | No |
| 443 | HTTPS | TCP | 1.0 | 128 bit SSL | In/Out | Web management GUI and remote racadm CLI utility | Yes |
| 636 | LDAPS | TCP | 1.0 | 128 bit SSL | In/Out | Optional Active Directory Services (ADS) authentication | No |
| 3269 | LDAPS | TCP | 1.0 | 128 bit SSL | In/Out | Optional Active Directory Services (ADS) authentication | No |
| 3668 | Proprietary | TCP | 1.0 | None | In/Out | CD/diskette virtual media service | Yes |
| 5869 | Proprietary | TCP | 1.0 | None | In/Out | Remote racadm | No |
| 5900 | Proprietary | TCP | 1.0 | 128 bit RC4, keyboard/mouse traffic only | In/Out | Video redirection | Yes |

DRAC/MC

| Port # | Protocol | Port Type | Version | Max. Encryption Level | Direction | Usage | Configurable |
|---|---|---|---|---|---|---|---|
| 23 | Telnet | TCP | 1.0 | None | In/Out | Optional Telnet CLI management | Yes |
| 25 | SMTP | TCP | 1.0 | None | In/Out | Optional e-mail alert messages | No |
| 53 | DNS | UDP | 1.0 | None | In/Out | Dynamic DNS registration of the host name assigned within DRAC | No |
| 68 | DHCP | UDP | 1.0 | None | In/Out | DHCP-assigned IP address | No |
| 69 | TFTP | UDP | 1.0 | None | In/Out | Firmware update via Trivial FTP | No |
| 80 | HTTP | TCP | 1.0 | None | In/Out | Web GUI redirected to HTTPS | Yes |
| 161 | SNMP | UDP | 1.0 | None | In/Out | SNMP query management | No |
| 162 | SNMP | UDP | 1.0 | None | Out | SNMP trap event | No |
| 389 | LDAP | TCP | 1.0 | None | In/Out | Optional Active Directory Services (ADS) authentication | No |
| 443 | HTTPS | TCP | 1.0 | 128 bit SSL | In/Out | Web management GUI and remote racadm CLI utility | No |
| 636 | LDAPS | TCP | 1.0 | 128 bit SSL | In/Out | Optional Active Directory Services (ADS) authentication | No |
| 3269 | LDAPS | TCP | 1.0 | 128 bit SSL | In/Out | Optional Active Directory Services (ADS) authentication | No |

Digital KVM

| Port # | Protocol | Port Type | Version | Max. Encryption Level | Direction | Usage | Configurable |
|---|---|---|---|---|---|---|---|
| 2068 | Proprietary | TCP | 1.0 | 128 bit SSL | In/Out | Video redirection, keyboard/mouse | No |
| 3668 | Proprietary | TCP | 1.0 | None | In/Out | Virtual media | No |
| 8192 | Proprietary | TCP | 1.0 | None | In/Out | Video redirection to client viewer | No |

NOTE: CIM ports are dynamic. See the Microsoft knowledge base at support.microsoft.com for information on CIM port usage.

NOTE: If you are using a firewall, you must open all of the ports listed in Table 2-1 to ensure that IT Assistant and other Dell OpenManage applications function properly.
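The firewall note above says which ports must be open; a practitioner usually also wants to know which of them accept connections without encryption so the management network can be scoped tightly. The following is an added example, not Dell code: it transcribes a subset of the Server Administrator rows from Table 2-1, lists the inbound listeners the table marks with no encryption, and emits iptables allow rules restricted to an assumed management subnet (the 10.0.0.0/24 CIDR is a placeholder).

```python
"""Turn Table 2-1 rows into a least-privilege firewall allow list (added example, not Dell code)."""
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class PortEntry:
    port: str        # port number or range, as printed in Table 2-1
    protocol: str
    port_type: str   # "TCP", "UDP" or "TCP/UDP"
    encryption: str  # "None", "128 bit", "128 bit SSL", ...
    direction: str   # "In", "Out" or "In/Out"
    usage: str

# Server Administrator rows transcribed from Table 2-1 (subset, for illustration).
SERVER_ADMINISTRATOR = [
    PortEntry("22", "SSH", "TCP", "128 bit", "In/Out", "Remote command line / software update"),
    PortEntry("161", "SNMP", "UDP", "None", "In/Out", "SNMP query management"),
    PortEntry("162", "SNMP", "UDP", "None", "Out", "SNMP trap event"),
    PortEntry("1311", "HTTPS", "TCP", "128 bit SSL", "In/Out", "Web GUI"),
    PortEntry("11487", "Proprietary", "UDP", "None", "In", "Remote Flash BIOS update initiation"),
    PortEntry("11489", "Proprietary", "TCP", "None", "In", "Remote Flash BIOS update file transfer"),
    PortEntry("1024 -65535", "DCOM", "TCP/UDP", "None", "In/Out", "CIM/WMI query management"),
]

def iptables_port(spec: str) -> str:
    """Normalise '1024 -65535' or '1024-65535 (Dynamically assigned)' to iptables '1024:65535'."""
    nums = re.findall(r"\d+", spec)
    return ":".join(nums[:2])

def inbound(entries):
    """Entries that accept connections on the managed system (direction In or In/Out)."""
    return [e for e in entries if "In" in e.direction]

def unencrypted_inbound(entries):
    """Inbound listeners the table marks with no encryption: candidates to restrict or disable."""
    return [e for e in inbound(entries) if e.encryption == "None"]

def iptables_rules(entries, source_cidr: str):
    """Allow only inbound listeners, and only from the management network (assumed CIDR)."""
    rules = []
    for e in inbound(entries):
        for proto in e.port_type.lower().split("/"):   # "TCP/UDP" needs one rule per protocol
            rules.append(f"iptables -A INPUT -p {proto} -s {source_cidr} "
                         f"--dport {iptables_port(e.port)} -j ACCEPT  # {e.protocol}: {e.usage}")
    rules.append("iptables -A INPUT -j DROP")  # default deny for everything else
    return rules
```

Calling `iptables_rules(SERVER_ADMINISTRATOR, "10.0.0.0/24")` yields one ACCEPT per inbound listener and protocol (port 162 is outbound only, so it gets no rule) followed by the default DROP; `unencrypted_inbound` returns the SNMP, Flash BIOS and DCOM entries.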
Security Management
Dell provides security and access administration through role-based access control (RBAC), authentication, and encryption, or through Active Directory for both the Web-based and command line interfaces.
Role-Based Access Control (RBAC)
RBAC manages security by determining the operations that can be executed by users in specific roles. Each user is assigned one or more roles, and each role is assigned one or more user privileges that are permitted to users in that role. With RBAC, security administration can correspond closely to an organization's structure. For information about setting up Dell OpenManage users, see "Assigning User Privileges."
User Privileges
Server Administrator grants different access rights based on the user's assigned group privileges. The three user levels are User, Power User, and Administrator:
- Users can view most information.
- Power Users can set warning threshold values, run diagnostic tests, and configure which alert actions are to be taken when a warning or failure event occurs.
- Administrators can configure and perform shutdown actions, configure Auto Recovery actions in case a system has a hung operating system, and clear hardware, event, and command logs. Administrators can also send e-mail.
Server Administrator grants read-only access to users logged in with User privileges; read and write access to users logged in with Power User privileges; and read, write, and administrator access to users logged in with Administrator privileges. See Table 2-2.
Table 2-2. User Privileges

| User Privileges | Access Type: Admin | Access Type: Write | Access Type: Read |
|---|---|---|---|
| User | | | X |
| Power User | | X | X |
| Administrator | X | X | X |
Admin access allows you to shut down the managed system.
Write access allows you to modify or set the values on the managed system.
Read access allows you to view the data reported by Server Administrator. Read access does not allow you to change or set the values on the managed system.
Privilege Levels to Access Server Administrator Services
Table 2-3 summarizes which user levels have privileges to access and manage Server Administrator Services.
Table 2-3. Server Administrator User Privilege Levels

| Service | User Privilege Level Required: View | User Privilege Level Required: Manage |
|---|---|---|
| Instrumentation | U, P, A | P, A |
| Remote Access | U, P, A | A |
| Update | U, P, A | A |
| Storage Management | U, P, A | A |
Table 2-4 defines the user privilege level abbreviations used in Table 2-3.
Table 2-4. Legend for Server Administrator User Privilege Levels

| Abbreviation | User Privilege Level |
|---|---|
| U | User |
| P | Power User |
| A | Administrator |
Authentication
The Server Administrator authentication scheme ensures that the correct access types are assigned to the correct user privileges. Additionally, when you invoke the CLI, the Server Administrator authentication scheme validates the context within which the current process is running. This authentication scheme ensures that all Server Administrator functions, whether accessed through the Server Administrator home page or CLI, are properly authenticated.
Microsoft Windows Authentication
For supported Windows operating systems, Server Administrator authentication uses Integrated Windows Authentication (formerly called NTLM) to authenticate. This authentication system allows Server Administrator security to be incorporated in an overall security scheme for your network.
Red Hat® Enterprise Linux and SUSE® Linux Enterprise Server Authentication
For supported Red Hat Enterprise Linux and SUSE Linux Enterprise Server operating systems, Server Administrator authentication is based on the Pluggable Authentication Modules (PAM) library. This documented library of functions allows an administrator to determine how individual applications authenticate users.
Encryption
Server Administrator is accessed over a secure HTTPS connection using secure socket layer (SSL) technology to ensure and protect the identity of the system being managed. Java Secure Socket Extension (JSSE) is used by supported Windows, Red Hat Enterprise Linux, and SUSE Linux Enterprise Server operating systems to protect the user credentials and other sensitive data that is transmitted over the socket connection when a user accesses the Server Administrator home page.
Microsoft Active Directory
The Active Directory service software acts as the central authority for network security, letting the operating system readily verify a user's identity and control that user's access to network resources for Dell OpenManage applications running on supported Windows platforms. Dell provides schema extensions for customers to modify their Active Directory database to support remote management authentication and authorization. IT Assistant, Server Administrator, and Dell remote access controllers can now interface with Active Directory to add and control users and privileges from one central database. For information about using Active Directory, see "Using Microsoft® Active Directory®."