Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup and NetBackup Appliances Hardening Guide
  3. Steps to protect NetBackup Flex Scale
  4. Support for immutability in NetBackup Flex Scale
  5. Restricted access to Remote Management Platform (HPe iLO)
NetBackup and NetBackup Appliances Hardening Guide

Restricted access to Remote Management Platform (HPe iLO)

If you select enterprise or compliance mode, you can restrict remote management access to the node by selecting the Restrict remote management access check box. This option is not available for normal lockdown mode. Restricting remote management access to nodes provides an additional level of data security and limits the privileges and operations that you can perform.

After you enable this restriction, an IPMI Administrator user on an HPE platform has only Login and Virtual Power and Reset privileges. With these privileges, the user can only view settings in iLO and perform power-related operations.

After you enable restricted remote access, remember that:

  • In enterprise lockdown mode, you can enable or disable restricted remote management access.

  • In compliance lockdown mode, you can only enable restricted remote management access, but cannot disable the remote management access restriction.

  • You can also choose to enable or disable restricted remote management access after the initial configuration is complete.

Warning:

Once you enable restricted remote management access, all destructive operations are disabled for all the IPMI users. Users can view and perform limited operations in the IPMI web GUI but cannot access the remote console. Physical access to the system is required to logon to the console.

Table: HPE iLO lists the privileges given for a local account in iLO.

Table: HPE iLO

Privileges

Description

Login

Enables a user to log on to iLO.

Remote Console

Enables a user to access the host system remote console, including video, keyboard, and mouse control. Users with this privilege can access the BIOS, and therefore may be able to perform host-based BIOS, iLO, storage, and network tasks.

User Config

Enables a user to add, edit, and delete local iLO user accounts. A user with this privilege can change privileges for all users. If you are not assigned this privilege, you can view your own settings and change your own password.

iLO Config

Enables a user to configure most iLO settings, including security settings, and to update the iLO firmware. This privilege does not enable local user account administration. After iLO is configured, revoking this privilege from all users prevents reconfiguration from the following interfaces:

  • iLO web interface

  • iLO RESTful API

  • CLI

  • HPQLOCFG

Users who have access to the following interfaces can still reconfigure iLO:

  • UEFI System Utilities

  • HPONCFG

Only a user who has the Administer User Accounts privilege can enable or disable this privilege.

Virtual Media

Enables a user to use the virtual media feature on the host system.

Virtual Power and Reset

Enables a user to power-cycle or reset the host system. These activities interrupt the system availability. A user with this privilege can diagnose the system by using the Generate NMI to System button.

Host NIC Config

Enables a user to configure the host NIC settings. This privilege does not affect configuration through host-based utilities.

Host Bios Config

Allows configuration of the host BIOS settings by using the UEFI System Utilities. This privilege is required for replacing the active system ROM with the redundant system ROM. This privilege does not affect configuration through host-based utilities.

Host Storage Config

Enables a user to configure the host storage settings. This privilege does not affect configuration through host-based utilities.

Recovery Set

Enables a user to manage the System Recovery Set.

By default, the Recovery Set privilege is assigned to the default administrator account. This privilege can be added to a user account only by creating or editing the account with an account that already has this privilege.

If there is no user account with the Recovery Set privilege, and an account with this privilege is required, reset the management processor to the factory default settings. The factory default reset creates a default Administrator account with the Recovery Set privilege. This privilege is not available when iLO security is disabled with the system maintenance switch. For information about the default account credentials and how to configure this privilege without access to an account that has this privilege, see the iLO User Guide.

Feedback

Was this page helpful?
Previous

Selecting or changing the lockdown mode

Next

Configuring immutability using GUI

Feedback

Was this page helpful?