Harden Baseboard Management Controllers

This Joint Cybersecurity Information Sheet, authored by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), highlights threats to Baseboard Management Controllers (BMCs) and details actions organizations can use to harden them.

BMCs are trusted components designed into a computer’s hardware that operate separately from the operating system and firmware to allow for remote management and control, even when the system is shut down.

A BMC differs from the basic input output system and the Unified Extensible Firmware Interface, which have a later role in booting a computer, and management engine, which has different remote management functionality. BMC firmware is highly privileged, executes outside the scope of operating system (OS) controls, and has access to all resources of the server-class platform on which it resides. It executes the moment power is applied to the server. Therefore, boot to a hypervisor or OS is not necessary as the BMC functions even if the server is shut down.