HP + Altiris + BIOS = Easy 

Oct 29, 2007 01:19 PM

At the university IT department where I worked, we wanted to secure our computers against hackers. We realized that someone could take a CD, USB drive, or external hard drive and boot to it. Then, they could hack our systems and steal our data. Here's how we solved the problem.

Our Solution

We searched and searched for a solution that would allow us to secure the BIOS. We did not want to visit each computer to change and update the BIOS. Thankfully, we found the HP Altiris solution. It allows you to change every aspect of the BIOS.

When everything was said and done, we did the following:

  • Password protected the BIOS
  • Removed the "Press F* for" prompt from the BIOS screen
  • Made booting from a CD and USB device impossible
  • Changed the boot order
  • Turned on PXE and remote wakeup
  • Set several alerts to inform us when people opened the computer case

This was all easily configured and deployed. It also worked like a charm. We were also able to monitor the health of our computers and keep track of driver updates. It is an amazing piece of technology.

Our Reward

This saved us a ton of time and money. If we had not found this solution, we would have had to visit each computer and update the BIOS manually. This would have been problematic because the quality of our work would have suffered (because of all of the settings we would have had to set). Not only did this package help us solve a current problem, it helped us predict future problems.

The best day of work deals with this software. I showed up to work and opened my email. I saw that I had 30+ new emails. I was shocked. Then I saw that the emails were from computers. Someone had opened the cases. Then I remembered that we were checking some parts in our HPs. The system had worked!

Comments

Dec 28, 2009 10:56 AM

We have our rack rooms under close monitoring; we needed to do some data recovery after an accident with an admin who wasn't familiar with the OS he was working on.

Aug 18, 2009 06:34 PM

For some reason I never got this to work. It seems like it would never install the HP Client Manager... or maybe the Altiris Client never installed to allow the HPCM to install.

Do I have to disable the Altiris Agent Install in NS, and then just enable it in HPCM?

Oct 23, 2008 07:17 PM

We used similar steps to secure some networks, especially getting notifications of anyone opening cases, but to help prevent that we've swapped out the regular screws with hex head screws that were flush mounted. We also set up sensors on a laser printer since toner had been taken a few times.

Jul 10, 2008 05:36 PM

As I said earlier, for setting the CMOS on HP desktops I use a DOS utility from HP called Repset.exe. The latest version with instructions is “SP38551” and is on HP’s Web site. I use that version on my DC7700 & DC7800, but on my D530 I use an older version I downloaded with the other D530 drivers at the time. I noticed that they have been updating it with most new hardware releases, and I never tested it to see if the latest version works on the older models like the DC5000 & DC5100. What you need to do is go into the CMOS on the model you wish and set everything as you like, including the password, and then save to diskette. The file it saves is a clear text file called CPQSetup.txt. You modify that file and use it. Note that if the file format is very different between your DC5000 & DC5100, then you will need to get the file from each and do a little scripting to copy and use the correct file based on model. Something like:
IF "%#!COMPUTER@MODEL_NUM%"=="085Ch" GOTO D530
IF "%#!COMPUTER@MODEL_NUM%"=="09F8h" GOTO DC7600
IF "%#!COMPUTER@MODEL_NUM%"=="0A54h" GOTO DC7700
IF "%#!COMPUTER@MODEL_NUM%"=="0AA8h" GOTO DC7800

Jul 10, 2008 12:38 PM

Found a bug, I think.
The console seems to behave differently between the NS 6.0x console and the 6.5 console. The Advanced Admin wizard wouldn't show up at all in 6.5, but it works fine in 6.0 and also seems to change the BIOS settings as I need them. I am testing further.

Jul 10, 2008 11:47 AM

I am trying to do this on desktop machines, not servers. The machines are older dc5000 series and dc5100 series.
So, I need to capture the "personality" of the BIOS first? Thanks for the help, guys.
EDIT: I am looking at my console for HP BIOS Administration in NS and I do not have anything relating to BIOS profiles like the Dell CM has. Am I missing something?

Jul 10, 2008 08:26 AM

I simply set the BIOS the way I wanted on a test machine, captured it with HP RDP (Altiris Deployment Server), and then redeployed the captured XML file to other servers that I wanted to have the same configuration.
RDP has some built-in jobs to assist with that. Under Server Deployment Toolbox -> Hardware Configuration -> System you should find a canned job called "Read ProLiant ML/DL/BL System Configuration". Use that to capture. Then use the corollary "Deploy" job to re-deploy the XML file containing the config you just captured.
Hope that helps!

Jul 09, 2008 10:35 PM

It has been a while since I have done this with an HP BIOS. I just got done with a series of articles in my Dell BIOS series (http://juice.altiris.com/book/4894/dell-client-manager). I imagine that there is something in there that can help. Let me know if you are still having problems.

Jul 09, 2008 07:27 PM

I would like to know how you disabled items in the BIOS. I have only been successful with changing the password to access the BIOS. Nothing else will change when we run the job.

Jun 10, 2008 06:04 PM

I use it to set all the CMOS settings to my standard. Things like boot order, Num Lock, and setup password. You can set a power-on password too, but I don't see why. I set a CMOS setup password, so the user can't change the settings. If someone presses F10 to enter CMOS, it will give them a little blue prompt box and three attempts to get the password correct. It does what was asked earlier in this chain: it prevents people's ability to boot from CD or USB if you set boot order and/or disable "Boot from removable media".

Jun 10, 2008 08:36 AM

I haven't used this product, so don't know for sure, but the description says for running XPE. I have a DOS bootworks partition and use HP’s tool “REPSET.exe” SP38551.exe and run it as an Altiris DOS Job.

Jun 09, 2008 11:31 PM

So you basically placed a password on the BIOS to prevent boot up.
Is there a prompt screen for the password?

Apr 02, 2008 04:48 PM

Does the machine need to be running the embedded (XPe) OS in order for the script to work?

Apr 02, 2008 03:38 AM

Go to the HP support site for the HP t5720 and download the Altiris XPe addon called Change bios settings (the filename is sp28580.exe).
Run this executable to install it into the Altiris system, then read the doc file.

Apr 01, 2008 09:12 AM

I see that you used the one from Altiris. Where is this script at? All we are wanting to do is change the boot order without having to go to each PC. This sounds like it is just what we need.

Feb 26, 2008 08:03 AM

I use Altiris Deployment Console to administer 30 HP Compaq T5720 (XP Embedded).
To configure the BIOS I used the Altiris BIOS change script.
My problem is how to disable the "Press F10 to network boot" from the BIOS screen.
In the file RepSetXP.txt there isn't an entry regarding this item.
If you have got a solution, would you help me for the scope?
Thank you in advance
Riccardo
P.S. Excuse me for the poor English

Oct 30, 2007 08:01 AM

Thanks for sharing your solution. Your post is interesting for some settings, i.e. the alert in case of changed hardware configuration is a good way to keep updated about the real situation.
