HP + Altiris + BIOS = Easy
At the university IT department where I worked, we wanted to secure our computers against hackers. We realized that someone could take a CD, USB drive, or external hard drive and boot to it. Then, they could hack our systems and steal our data. Here's how we solved the problem.
Our Solution
We searched and searched for a solution that would allow us to secure the BIOS. We did not want to visit each computer to change and update the BIOS. Thankfully, we found the HP Altiris solution. It allows you to change every aspect of the BIOS.
When everything was said and done, we did the following:
- Password protected the BIOS
- Removed the "Press F* for" from the BIOS screen
- Made booting from a CD and USB device impossible
- Changed the boot order
- Turned on PXE and remote wakeup
- Set several alerts to inform us when people opened the computer case
This was all easily configured and deployed. It also worked like a charm. We were also able to monitor the health of our computers and keep track of driver updates. It is an amazing piece of technology.
Our Reward
This saved us a ton of time and money. If we had not found this solution we would have had to visit each computer and update the BIOS manually. This would have been problematic because the quality of our work would have suffered (because of all of the settings we would have had to set). Not only did this package help us solve a current problem, it helped us predict future problems.
The best day of work deals with this software. I showed up to work and opened my email. I saw that I had 30+ new emails. I was shocked. Then I saw that the emails were from computers. Someone had opened the cases. Then I remembered that we were checking some parts in our HPs. The system had worked!
Thanks for sharing your
Thanks for sharing your solution. Your post is interesting for some settings, i.e. the alert in case of changed hardware configuration is a good way to keep updated about the real situation.
Removed the "Press F* for" from the BIOS screen
I use Altiris Deployment Console to administer 30 HP Compaq T5720 (XP Embedded).
To Configure the BIOS I used Altiris BIOS change script.
My problem is how to disable the "Press F10 to network boot" from the BIOS screen.
In the file RepSetXP.txt there isn't an entry regarding this item.
If you have got a solution, would you help me with this?
Thank you in advance
Riccardo
P.S. Excuse me for the poor English
Bios Change script
I see that you used the one from Altiris. Where is this script at? All we are wanting to do is change the boot order without having to go to each PC. This sounds like it is just what we need.
Bios Change Script
Go to the HP support site for the HP t5720 and download the Altiris XPe add-on called Change bios settings (the filename is sp28580.exe).
Run this executable to install it into the Altiris system, then read the doc file.
Does the machine need to be
Does the machine need to be running the embedded (XPe) OS in order for the script to work?
Setting CMOS / BIOS
I haven't used this product, so don't know for sure, but the description says for running XPE. I have a DOS bootworks partition and use HP’s tool “REPSET.exe” SP38551.exe and run it as an Altiris DOS Job.
so you basically placed a
So you basically placed a password on the BIOS to prevent boot up.
Is there a prompt screen for the password?
CMOS / BIOS
I use it to set all the CMOS settings to my standard. Things like boot order, Num Lock, and setup password. You can set a power-on password too, but I don't see why. I set a CMOS setup password, so the user can't change the settings. If someone presses F10 to enter CMOS it will give them a little blue prompt box and three attempts to get the password correct. It does what was asked earlier in this chain: it prevents people's ability to boot from CD or USB if you set the boot order and/or disable "Boot from removable media".
I would like to know how
I would like to know how you disabled items in the BIOS. I have only been successful with changing the password to access the BIOS. Nothing else will change when we run the job.
Try this...
It has been a while since I have done this with an HP BIOS. I just got done with a series of articles in my Dell BIOS series (http://juice.altiris.com/book/4894/dell-client-man...). I imagine that there is something in there that can help. Let me know if you are still having problems.
I simply set the BIOS the
I simply set the BIOS the way I wanted on a test machine, captured it with HP RDP (Altiris Deployment Server), and then redeployed the captured XML file to other servers that I wanted to have the same configuration.
RDP has some built-in jobs to assist with that. Under Server Deployment Toolbox -> Hardware Configuration -> System you should find a canned job called "Read ProLiant ML/DL/BL System Configuration". Use that to capture. Then use the corollary "Deploy" job to re-deploy the XML file containing the config you just captured.
Hope that helps!
I am trying to do this on
I am trying to do this on desktop machines, not servers. The machines are older dc5000 series and dc5100 series.
So, I need to capture the "personality" of the BIOS first? Thanks for the help, guys.
EDIT: I am looking at my console for HP BIOS Administration in NS and I do not have anything relating to BIOS profiles like the Dell CM has. Am I missing something?
Found a bug, I think. The
Found a bug, I think.
The console seems to behave differently between the NS 6.0x console and the 6.5 console. The Advanced Admin wizard wouldn't show up at all in 6.5, but it works fine in 6.0 and also seems to change the BIOS settings as I need them. I am testing further.
Setting the CMOS on HP workstations
As I said earlier, for setting the CMOS on HP desktops I use a DOS utility from HP called Repset.exe. The latest version with instructions is “SP38551” and is on HP’s web site. I use that version on my DC7700 & DC7800, but on my D530 I use an older version I downloaded with the other D530 drivers at the time. I noticed that they have been updating it with most new hardware releases, and I never tested it to see if the latest version works on the older models like the DC5000 & DC5100. What you need to do is go into the CMOS on the model you wish and set everything as you like, including the password, and then save to diskette. The file it saves is a clear-text file called CPQSetup.txt. You modify that file and use it. Note that if the file format is very different between your DC5000 & DC5100, then you will need to get the file from each and do a little scripting to copy and use the correct file based on model. Something like:
IF "%#!COMPUTER@MODEL_NUM%"=="085Ch" GOTO D530
IF "%#!COMPUTER@MODEL_NUM%"=="09F8h" GOTO DC7600
IF "%#!COMPUTER@MODEL_NUM%"=="0A54h" GOTO DC7700
IF "%#!COMPUTER@MODEL_NUM%"=="0AA8h" GOTO DC7800
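A check that could be run over a captured settings file before it is redeployed to other machines, written here as an added example (not code from this thread or from HP/Altiris). It assumes a layout where each setting name sits on an unindented line with its options indented below and `*` marking the active one; the setting names, option names and sample capture are constructed, so compare them with a real capture from your model.

```python
# Added example: the file layout, setting names and option names below are
# constructed assumptions, not taken from a real CPQSetup.txt.
SAMPLE_CAPTURE = """\
Boot from removable media
\t*Enable
\tDisable
Boot Order
\tHard Drive
\tNetwork Controller
\tUSB Device
Num Lock
\t*On
\tOff
"""

# The standard every machine of this model should match (constructed values).
BASELINE = {
    "Boot from removable media": ["Disable"],
    "Boot Order": ["Hard Drive", "Network Controller"],
    "Num Lock": ["On"],
}

def parse_settings(text):
    """Return {setting: [values]}: the starred options, else the ordered list."""
    settings, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():      # unindented line starts a new setting
            current = raw.strip()
            settings[current] = []
        elif current is not None:     # indented line is an option or list entry
            settings[current].append(raw.strip())
    for name, opts in settings.items():
        starred = [o[1:].strip() for o in opts if o.startswith("*")]
        if starred:                   # choice-type setting: keep only the active option
            settings[name] = starred
    return settings

def audit(text, baseline):
    """Return (setting, expected, found) for each deviation; a setting that is
    missing from the capture is reported with found=None."""
    found = parse_settings(text)
    return [(name, want, found.get(name))
            for name, want in baseline.items() if found.get(name) != want]
```

Keeping one baseline per model number lets the same check run against each model's capture when the file contents differ between models.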