ACU Security?

Occasional Contributor

ACU Security?


We have couple MSA1000s that we share out to clients that need additional space. By default we remove the ACU from their login profile but it does not prevent them from going to our profile (they are local admins of their server) or reinstall the ACU. I was thinking of just uninstalling the utility but it does not prevent them from installing and accessing the SAN. Is there a good way to prevent access to the SAN so they can not view or make any changes? I am surprised there is no sort of login to prevent unauthorized changes.
Ranjith M

Re: ACU Security?

Hello Wichard,

I guess you have to prevent the users to access SAN, rt? You can disable the ports thats not required for your setup.
For additional security change the password by login to switch as well.


Frequent Advisor

Re: ACU Security?

I have the same problem.
I want to prevent access to MSA1500cs via ACU,
but ACU does not have any Login to prevent unauthorized access.
Any Help?

Re: ACU Security?

Sorry to revive such an old thread but I just wanted to post my solution to this problem.

I've used ACLs to permit access to specific LUNS but I still needed a way to restrict the viewing of all my physical arrays via the HP ACU. My customers were local admins of the box and would have the ability to see all physical arrays via the ACU on my MSA regardless of using ACLs or SSP.

It seems to me the fix would be to uninstall the ACU or to use Windows software restriction policies.

I opted to deny access to the HP ACU executable via hash rules under my Windows 2008 server local group plicies and it worked great.

This obviously isn't a perfect solution because the hash rule only works for the installed version of the ACU. If the customer were to un-install/re-install with a older/newer version of the ACU, the policy would no longer work.

I guess taking it a step further would require a policy that would prevent the un-installation of the ACU for a specific local admin user.