Skip to main content

General security considerations

Consider the following information when you are evaluating the security requirements for your environment:

  • The physical security of your environment is important; limit access to rooms and racks where systems-management hardware is kept.
  • Use a software-based firewall to help protect your network hardware and data from known and emerging security threats such as viruses and unauthorized access.
  • Keep the security-policy settings for the management node and CMM set to Secure (manufacturing default settings). The Secure setting enforces the use of strong password policies and secure communication protocols. See Security policies for more information.
  • Always change the default user names and passwords, but do not change the default security settings for the network switches and pass-thru modules. The manufacturing default settings for these devices disable the use of unsecure protocols and enable the requirement for signed firmware updates.
  • The management applications for the CMMs, IMMs, FSPs, and switches permit only signed code-update packages for these devices to help ensure that only trusted code is installed.
  • At a minimum, make sure that critical firmware updates are installed. After making any changes, always back up the configuration.
  • Make sure that all security-related updates for DNS servers are installed promptly and kept up-to-date.
  • Instruct your users to not accept any untrusted certificates. See Certificates for more information.
  • Tamper-evident options are available for the Flex System hardware. If the hardware is installed in an unlocked rack or located in an open area, install the tamper-evident options to deter and identify intrusions. See the documentation that comes with your Flex System products for more information about the tamper-evident options.
  • Where possible and practical, place the systems-management hardware in a separate subnet. Typically, only administrators should have access to the systems-management hardware, and no basic users should be given access.
  • When you choose passwords, do not use expressions that are easy to guess, such as password, lenovo, or the name of your company. Keep the passwords in a secure place and make sure that access to the passwords is restricted. Implement a password policy for your company.
    Important
    Always change the default user name and password. Strong password rules should be required for all users. Only the users who are authorized to update firmware components should have firmware-update privileges.
  • Establish power-on passwords for users as a way to control who has access to the data and setup program on the compute nodes. See the documentation that comes with your Flex System products for more information about power-on passwords.
  • Use the various authorization levels that are available for different users in your environment. Do not allow all users to work with the same supervisor user ID.