HP Sure Admin provides modern security for firmware configuration
management. HP Sure Admin enables administrators to securely manage
BIOS settings using digital certificates and public-key cryptography that
eliminate the need for passwords for both remote and local management.
Table of Contents
The Challenge
HP Sure Admin Overview
HP Sure Admin Remote Management Tools
HP Sure Admin Local Access Authenticator
Enhanced BIOS Authentication Mode
Conclusion
Technical Whitepaper
The Challenge
Managing PC firmware (BIOS) settings and controlling access to those settings is an important part of
overall security management for organizations of any size. If left unprotected, BIOS security settings that
provide protection against attackers with physical access to a device can be defeated by simply disabling
those settings. For example, if Secure Boot is disabled, an attacker can install a rootkit on the device that
would be undetectable by the OS. In another example, an attacker could disable Direct Memory Access
(DMA) attack protections that prevent an attacker from reading secrets directly from the OS memory via an
external port. Therefore, it is critical to control access to BIOS settings.
HP, like the rest of the PC industry, has provided a password-based mechanism to protect the BIOS settings
and privileged BIOS operations for many years. However, all password-based solutions (regardless of the
application) have inherent deployment pitfalls, including weak passwords, forgotten passwords, reuse of the
same password across multiple systems, or even no password at all. Additionally, even in a scenario where
strong and unique passwords are used for each device by an organization, that password must be revealed
to authorize each BIOS setting change or privileged BIOS operation. The requirement to reveal the
authorization secret on each use (inherent to password-based approaches) increases the risk that an
attacker may obtain that secret.
In order to provide customers a path to move away from password-based BIOS management to a modern
approach, HP Sure Admin now provides an optional “no-password required” BIOS management mechanism.
This new approach is based on strong public key cryptography that can be used to securely manage HP
business PC BIOS settings without any need to reveal the authorization secret.
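To illustrate the contrast drawn above between revealing a password on each use and authorizing with public-key cryptography, the following is an added example, not HP code and not the HP Sure Admin protocol. The Device type, the one-time challenge, the message encoding and the "SecureBoot" setting name are assumptions made for illustration: the device stores only a public key and accepts a change only when it is signed over a fresh challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device models the firmware side (hypothetical); it stores only a public key.
type Device struct {
	adminPub ed25519.PublicKey
	nonce    []byte // one-time challenge for the pending request
	settings map[string]string
}

// Challenge issues a fresh random nonce that the next request must sign.
func (d *Device) Challenge() []byte {
	d.nonce = make([]byte, 16)
	if _, err := rand.Read(d.nonce); err != nil {
		panic(err)
	}
	return d.nonce
}
// Apply changes a setting only if sig covers the outstanding nonce, name and value.
func (d *Device) Apply(name, value string, sig []byte) error {
	if d.nonce == nil {
		return fmt.Errorf("no outstanding challenge")
	}
	msg := message(d.nonce, name, value)
	d.nonce = nil // single use, so a captured signature cannot be replayed
	if !ed25519.Verify(d.adminPub, msg, sig) {
		return fmt.Errorf("signature rejected")
	}
	d.settings[name] = value
	return nil
}
// message encodes the signed fields unambiguously (%q quotes and escapes).
func message(nonce []byte, name, value string) []byte {
	return []byte(fmt.Sprintf("%x:%q:%q", nonce, name, value))
}
// Authorize runs on the administrator's side; the private key never leaves it.
func Authorize(priv ed25519.PrivateKey, nonce []byte, name, value string) []byte {
	return ed25519.Sign(priv, message(nonce, name, value))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed sample key pair
	dev := &Device{adminPub: pub, settings: map[string]string{"SecureBoot": "Disabled"}}
	sig := Authorize(priv, dev.Challenge(), "SecureBoot", "Enabled")
	fmt.Println(dev.Apply("SecureBoot", "Enabled", sig), dev.settings)
}
```

Everything that crosses to the device here (the signature) is useless for any other request, which is the property a typed password lacks.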
-7307ENW, April 2020