This blog post is written by Shine KA and Mondeep Dutta from Dell iDRAC team
iDRAC7 1.30.30 has improved its security features over its predecessors. One such feature is User Default Password Warning. Default username and password of iDRAC is widely known to everyone. It is important to change the default password or any user can access the server and make changes using default credentials. With Default Password Warning feature in iDRAC, you will be warned when iDRAC have default username and password (root/calvin).The warning is displayed when below conditions are met:
- Default Password Warning feature is in enabled state.
- The logged-in user has the rights to changeiDRAC user’s password. i.e. “Configure Users” privilege.
- iDRAC Local User “root” is Enabled.
- iDRAC Local User “root” have password as “calvin”
Whenever a user, with the Configure User privilege, logs in to iDRAC or SSH/Telnet or executes racadm commands remotely and the default credentials are configured, a warning message will be displayed. Because GUI and SSH/Telnet users logs in once per session they will see a single warning message for each session. Because remote racadm users login for every command they will see a warning message for every command.
While having default credentials makes iDRAC insecure, iDRAC can become even more insecure if it can be accessed from the internet (or other large network where different trust boundaries exist) when the default credentials are configured. If any of the following items is configured the possibility exists that iDRAC could go from being inaccessible on the internet to being accessible. Hence the warning message will also be displayed when below mentioned network properties are changed using local racadm.
- Changing either the IPv4 or IPv6 IP address
- Changing the hostname
- Changing the gateway IP or the net mask
- Flexaddress change (applies only to blades)
- Enabling DHCP / Auto config
iDRAC7 Web GUI
Whenever a user, with the Configure User privilege, logs in to iDRAC via Web GUI and the default credentials are configured, the Default Password Warning Message will be displayed. From this page user can either change the password for root user or user can keep default password and proceed with iDRAC login. There will be an option to disable Default Password Warning feature on this page. This page will not be shown, if user changes the password for user “root” or disables the Default Password Warning feature.
If user decides to “Keep Default Password” and clicks on Continue, the iDRAC home page will load. But this page will be displayed every time any user tries to login to iDRAC7 with default credentials in place. So, to avoid this page from loading, user can select “Do not show this warning again” from Default Password warning page.
Default Password Warning feature can be enabled or disabled from iDRAC Overview -> iDRAC Settings -> User Authentication -> Local Users page under the section titled “Default Password Warning”.
RACADM
With Remote RACADM, Default Password Warning message is displayed with every command. You need to install racadm (Local or Remote) from OM 7.2 or later to use this feature
For FW RACADM (SSH, Telnet or Serial) Default Password Warning Message will be displayed once after Login
The Default Password Warning will be shown in Local Racadm when you modify some network settings
Using RACADM you can disable this feature by disabling Default Password Warning.
Additional Information
Learn more about iDRAC7 at http:/www.delltechcenter.com/iDRAC