The hardware and firmware of platforms are managed
Hardware and firmware vulnerabilities are some of the hardest to detect and remediate because they sit below the operating system layer. A compromised UEFI firmware persists through OS reinstalls. An out-of-date iDRAC or BMC is a remote management interface with no host-based defenses in front of it. Managing hardware and firmware as part of your security program closes a gap that many organizations ignore until it is exploited.
Implementation steps
- 1. Inventory hardware components and firmware versions
  For each server, network device, and security appliance, record the model, current firmware version, and the date of the last firmware update. Include BIOS/UEFI, BMC/iDRAC/iLO, network interface cards, and storage controllers. Automated tools can collect most of this from managed devices.
  Tools: Lansweeper, Microsoft Intune, Jamf, Tenable
- 2. Subscribe to firmware security advisories and apply updates
  Sign up for security advisories from hardware vendors (Dell, HP, Lenovo, Cisco, etc.). When a firmware vulnerability with a severity of high or critical is announced, apply the firmware update within your defined patching SLA. Include firmware in your monthly or quarterly patching cycle for non-critical updates.
- 3. Enable and configure Secure Boot where supported
  Enable UEFI Secure Boot on servers and endpoints to prevent loading of unsigned or malicious firmware and bootloaders. Verify that Secure Boot is enforced in the BIOS/UEFI settings and not just enabled in the OS. Audit Secure Boot configuration as part of your server hardening baseline.
  Tools: Microsoft Intune, Jamf, Ansible
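The three steps above are one procedure: keep an inventory of firmware versions, compare it against vendor advisories under a patching SLA, and verify that Secure Boot is actually enforced by the firmware rather than merely reported by the OS. The following Python script is an added example of that procedure, not code from the original page or from any of the tools it lists. The inventory records, advisory entries, model names and advisory IDs in it are constructed sample data; the only real identifiers are the Linux `efivarfs` mount point and the `EFI_GLOBAL_VARIABLE` GUID under which the `SecureBoot` and `SetupMode` variables are published. The SLA and patch-cycle lengths are assumed values.

```python
"""Firmware compliance checks (added example): inventory vs. advisories, patch
SLA tracking, and Secure Boot state read from the firmware's own variables."""
from datetime import date, timedelta
import re

# Well-known EFI_GLOBAL_VARIABLE GUID; SecureBoot and SetupMode live under it.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"  # Linux efivarfs mount point


def parse_efivar_flag(raw):
    """Decode an efivarfs file holding a one-byte UEFI flag.

    efivarfs prepends a 4-byte little-endian attribute word to the variable
    data, so a valid one-byte flag variable is exactly 5 bytes long.
    """
    if len(raw) != 5:
        raise ValueError(f"unexpected efivar length {len(raw)}")
    return raw[4] == 1


def secure_boot_enforced(secure_boot_raw, setup_mode_raw):
    """True only when SecureBoot == 1 and SetupMode == 0.

    A platform still in Setup Mode (no Platform Key enrolled) does not enforce
    signature checks even if an OS-level tool reports Secure Boot as 'on'.
    """
    return parse_efivar_flag(secure_boot_raw) and not parse_efivar_flag(setup_mode_raw)


def read_secure_boot_state(efivars=EFIVARS):
    """Read the live variables on a Linux host (requires efivarfs mounted)."""
    with open(f"{efivars}/SecureBoot-{EFI_GLOBAL}", "rb") as f:
        sb = f.read()
    with open(f"{efivars}/SetupMode-{EFI_GLOBAL}", "rb") as f:
        sm = f.read()
    return secure_boot_enforced(sb, sm)


def version_key(v):
    """Turn '1.8.2' or '6.10.30.00' into a tuple of ints for safe comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def firmware_findings(inventory, advisories, today, sla_days=30, cycle_days=90):
    """Return (asset, component, reason) for every item that needs action.

    - A high/critical advisory whose fixed version the device does not carry is
      'overdue' once sla_days have passed since publication, 'pending' before.
    - Lower-severity advisories are 'scheduled' for the regular patch cycle.
    - Any component not updated within cycle_days is flagged 'stale'.
    """
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["model"] != item["model"] or adv["component"] != item["component"]:
                continue
            if version_key(item["version"]) >= version_key(adv["fixed_version"]):
                continue  # already at or above the fixed version
            if adv["severity"] in ("high", "critical"):
                deadline = adv["published"] + timedelta(days=sla_days)
                status = "overdue" if today > deadline else "pending"
            else:
                status = "scheduled"
            findings.append((item["asset"], item["component"],
                             f"{status}: {adv['id']} fixed in {adv['fixed_version']}"))
        if (today - item["last_update"]).days > cycle_days:
            findings.append((item["asset"], item["component"],
                             f"stale: last updated {item['last_update']}"))
    return findings


# Constructed sample data (assumed model names and placeholder advisory IDs).
SAMPLE_INVENTORY = [
    {"asset": "srv-01", "model": "example-server-model", "component": "BIOS",
     "version": "1.8.2", "last_update": date(2024, 1, 10)},
    {"asset": "srv-01", "model": "example-server-model", "component": "BMC",
     "version": "6.10.30.00", "last_update": date(2024, 3, 1)},
    {"asset": "srv-02", "model": "example-server-model", "component": "BIOS",
     "version": "1.10.1", "last_update": date(2024, 3, 5)},
]
SAMPLE_ADVISORIES = [
    {"id": "VENDOR-ADV-PLACEHOLDER-1", "model": "example-server-model",
     "component": "BIOS", "fixed_version": "1.10.0", "severity": "high",
     "published": date(2024, 2, 1)},
]
TODAY = date(2024, 3, 15)  # assumed assessment date for the sample run


def sample_findings():
    """Run the check over the constructed sample data."""
    return firmware_findings(SAMPLE_INVENTORY, SAMPLE_ADVISORIES, TODAY)


if __name__ == "__main__":
    for asset, component, reason in sample_findings():
        print(f"{asset} {component}: {reason}")
    try:
        print("Secure Boot enforced:", read_secure_boot_state())
    except OSError as exc:  # not an EFI Linux host, or efivarfs not mounted
        print("Secure Boot state unavailable:", exc)
```

The version comparison deliberately avoids string comparison (where `"1.8.2" > "1.10.0"` would be true), and the Secure Boot check reads both firmware variables because a host in Setup Mode can still be reported as "Secure Boot on" by tooling that only looks at one of them. The findings list maps directly onto the "firmware patch records" evidence below: each entry is a component that either breached the SLA or was missed by the regular cycle.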
Evidence required
Hardware and firmware inventory
A current inventory of hardware assets with firmware versions recorded.
- Asset inventory export showing firmware versions for servers and network devices
- Lansweeper or similar scan report with hardware component details
- Dell OpenManage or HP iLO management console showing firmware versions
Firmware patch records
Evidence that firmware updates are applied on a scheduled basis and in response to security advisories.
- Firmware update change records showing applied updates and dates
- Patch management report including firmware update coverage
- Vendor advisory response log showing firmware updates applied
Related controls
- The software of platforms is managed, including operating systems and applications (Platform Security)
- Data are destroyed according to policy when platforms or storage media are decommissioned (Platform Security)
- Log records are generated and made available for continuous monitoring (Platform Security)
- Installation and execution of unauthorized software are prevented (Platform Security)