HP Sure Admin User Manual

HP Sure Admin

HP Sure Admin provides modern security for firmware configuration management. HP Sure Admin enables administrators to securely manage BIOS settings using digital certificates and public-key cryptography that eliminate the need for passwords for both remote and local management.

Table of Contents

The Challenge
HP Sure Admin Overview
HP Sure Admin Remote Management Tools
HP Sure Admin Local Access Authenticator
Enhanced BIOS Authentication Mode
Conclusion

Technical Whitepaper

4AA7-7307ENW, April 2020

The Challenge

Managing PC firmware (BIOS) settings and controlling access to those settings is an important part of overall security management for an organization of any size. If left unprotected, BIOS security settings that provide protection against attackers with physical access to a device can be defeated by simply disabling those settings. For example, if Secure Boot is disabled, an attacker can install a rootkit on the device that would be undetectable by the OS. In another example, an attacker could disable Direct Memory Access (DMA) attack protections that prevent an attacker from reading secrets directly from the OS memory via an external port. Therefore, it is critical to control access to BIOS settings.

HP, like the rest of the PC industry, has provided a password-based mechanism to protect the BIOS settings and privileged BIOS operations for many years. However, all password-based solutions (regardless of the application) have inherent deployment pitfalls, including weak passwords, forgotten passwords, the same password used across multiple systems, or even no password at all. Additionally, even in a scenario where an organization uses a strong and unique password for each device, that password must be revealed to authorize each BIOS setting change or privileged BIOS operation. The requirement to reveal the authorization secret on each use (inherent to password-based approaches) increases the risk that an attacker may obtain that secret.

In order to provide customers a path to move away from password-based BIOS management to a modern approach, HP Sure Admin now provides an optional “no-password required” BIOS management mechanism. This new approach is based on strong public key cryptography that can be used to securely manage HP business PC BIOS settings without any need to reveal the authorization secret.
