HP Device Manager 4.5 - Security Mechanism
Executive summary
HP Device Manager (HPDM) is a solution designed to help IT administrators manage and control remote HP thin clients.
The solution consists of the HPDM Console, HPDM Server, HPDM Gateway, HPDM Agent, Master Repository Controller, and
file repositories. A standard setup is shown in Figure 1. The solution needs to store highly sensitive data, such as the
passwords of the database and file repositories, and transfer it over the network. To protect the data, the solution
introduces several security measures to authenticate devices and encrypt sensitive data locally. The solution also provides
other measures to protect the client devices from misoperation.
Figure 1. HP Device Manager setup
[Diagram: HPDM Console, HPDM Server, HPDM Gateway, HPDM Agent, MRC, Master Repository, and Slave Repository, connected by links labeled Data, Control, Task/Report, Transfer Files, and Manage.]
Database confidential
In the solution, only the HPDM Server needs to access the database. The HPDM Server stores database account information
on the local storage of the server and encrypts the password with a DES algorithm.
File repository confidential
HPDM stores file repository information in the database and encrypts the password with an AES algorithm.
HPDM logon confidential
When HPDM is installed, it will prompt you to set a password for the super administrator account. The HPDM Administrators’
usernames and the MD5 hash values of their passwords will be saved in the database you select. When an HPDM
Administrator tries to log on to the HPDM Console, the HPDM Server compares the input (username and MD5 hash value of
the password) to the data in the database to determine whether to allow or deny access. HPDM saves only the MD5 hash
value of the password, which is unlikely to reveal the original password to a hacker, because MD5 is a one-way hash
function.
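The stored form described above (an unsalted MD5 value per administrator) compared with a salted, iterated hash, as an added example that is not HP's code. The account names, passwords, record format, and iteration count are constructed assumptions; the audit shows that identical passwords produce identical MD5 records, while salted records never collide.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed sample accounts; two administrators share one password.
ACCOUNTS = {"root": "P@ssw0rd", "alice": "P@ssw0rd", "bob": "Tr1cky-Pass"}
PBKDF2_ITERATIONS = 200_000  # assumed work factor, tune to your hardware


def md5_record(password: str) -> str:
    """Stored form the page describes: unsalted MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: bytes | None = None) -> str:
    """Hardened form (assumed layout): per-account salt plus iterated KDF."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def shared_records(table: dict[str, str]) -> list[tuple[str, ...]]:
    """Groups of accounts whose stored records are byte-identical."""
    groups: dict[str, list[str]] = {}
    for user, record in table.items():
        groups.setdefault(record, []).append(user)
    return sorted(tuple(sorted(g)) for g in groups.values() if len(g) > 1)


def audit() -> dict:
    """Build both tables from the sample accounts and compare them."""
    md5_table = {u: md5_record(p) for u, p in ACCOUNTS.items()}
    kdf_table = {u: pbkdf2_record(p) for u, p in ACCOUNTS.items()}
    return {"md5_shared": shared_records(md5_table),
            "kdf_shared": shared_records(kdf_table),
            "kdf_ok": pbkdf2_verify("P@ssw0rd", kdf_table["alice"]),
            "kdf_bad": pbkdf2_verify("guess", kdf_table["alice"])}


if __name__ == "__main__":
    print(audit())
```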
Confidential data in log files
Each part of HPDM supports different log levels. Set different log levels to trace errors or detailed information. If you set the
log level to the most detailed level, then the log messages might contain sensitive data, such as passwords in tasks. To
protect this sensitive data, HPDM automatically hides it with an asterisk sequence. For example, an FTP password such as
P@ssw0rd would be written in the log file as ********.
User management
HPDM supports the following user account and user group management tools to avoid any misoperation and make sure
that the system is stable.