Security; Preserving Password Integrity - HP xw4300 Technical White Paper

Security

While the HP Client Management Interface provides a high level of control over client management
instrumentation, that power must be guarded to prevent malicious, unauthorized usage.
HP CMI relies on two forms of authorization: OS level security and the BIOS administrative (F10
Setup) password assigned to each client system. Either of these security measures can be used alone,
or combined to create an additional level of protection over the interface.

Preserving Password Integrity

Many of the example applications of HP CMI presented in the previous section contained the
encoded password "E302E020304" that corresponds to the keyboard scan codes for the keys
"abc123". Notice that this is a form of encoding, not encryption. These examples were presented in
this manner to convey the simplicity in developing custom solutions based on HP CMI. However, in an
enterprise environment you probably do not want to leave traces of the Setup Password credential
scattered throughout your script files.
To help preserve the integrity of the Setup Password credential, HP recommends using one of the
following strategies.
Remote Execution
Executing scripts and applications from a central location such as an administrative console is more
practical and secure than distributing sample scripts to individual clients through software deployment
mechanisms and executing them locally. WMI supports remote invocation from any Windows system
and follows the same domain and local system security policies. The calling interface is secured with
stream based encryption. And by default remote method execution is prevent from WMI for all but
domain administrator accounts.
Use Dynamic Arguments
Another method to preserve password integrity is to avoid carrying extra copies of the Setup
Password in code, regardless of whether that code is script-based or complied. The following code
fragment demonstrates using command-line arguments to modify BIOS settings.
Const wbemFlagReturnImmediately = 16
Const wbemFlagForwardOnly = 32
lFlags = wbemFlagReturnImmediately + wbemFlagForwardOnly
Dim oArguments, strSetting, strValue, strPassword
set oArguments = WScript.Arguments
strSetting = oArguments(0)
strValue = oArguments(1)
strPassword = oArguments(2)
strService = "winmgmts:{impersonationlevel=impersonate}//"
strComputer = "."
strNamespace = "/root/HP/InstrumentedBIOS"
strQuery = "select * from HP_BIOSSettingInterface"
Set objWMIService = GetObject(strService & _
strComputer & strNamespace)
22