Consider the following information when you are evaluating
the security requirements for your environment:

- The physical security of your environment is important; limit access to rooms and racks where systems-management hardware is kept.
- Use a software-based firewall to help protect your network hardware and data from known and emerging security threats such as viruses and unauthorized access.
- Keep the security-policy settings for the management node and CMM set to Secure (manufacturing default settings). The Secure setting enforces the use of strong password policies and secure communication protocols. See Security policies for more information.
- Always change the default user names and passwords, but do not change the default security settings for the network switches and pass-thru modules. The manufacturing default settings for these devices disable the use of unsecure protocols and enable the requirement for signed firmware updates.
- The management applications for the CMMs, IMMs, FSPs, and switches permit only signed code-update packages for these devices to help ensure that only trusted code is installed.
- At a minimum, make sure that critical firmware updates are installed. After making any changes, always back up the configuration.
- Make sure that all security-related updates for DNS servers are installed promptly and kept up-to-date.
- Instruct your users to not accept any untrusted certificates. See Certificates for more information.
- Tamper-evident options are available for the Flex System hardware. If the hardware is installed in an unlocked rack or located in an open area, install the tamper-evident options to deter and identify intrusions. See the documentation that comes with your Flex System products for more information about the tamper-evident options.
- Where possible and practical, place the systems-management hardware in a separate subnet. Typically, only administrators should have access to the systems-management hardware, and no basic users should be given access.
- When you choose passwords, do not use expressions that are easy to guess, such as password, lenovo, or the name of your company. Keep the passwords in a secure place and make sure that access to the passwords is restricted. Implement a password policy for your company.

  Important: Always change the default user name and password. Strong password rules should be required for all users. Only the users who are authorized to update firmware components should have firmware-update privileges.
- Establish power-on passwords for users as a way to control who has access to the data and setup program on the compute nodes. See the documentation that comes with your Flex System products for more information about power-on passwords.
- Use the various authorization levels that are available for different users in your environment. Do not allow all users to work with the same supervisor user ID.
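
The password and account recommendations above can be checked with a short script. The following is an added example, not part of the Flex System documentation or software. The account-record layout, the company name, the default user name placeholder, and the list of firmware-authorized IDs are all assumptions constructed for illustration.

```python
import re

# All values below are constructed for illustration; substitute your own.
COMPANY = "Example Corp"
DEFAULT_USER_NAMES = {"DEFAULT_ADMIN"}   # placeholder, not a real factory default
FIRMWARE_AUTHORIZED = {"fw.ops"}         # IDs approved to update firmware
LEET = str.maketrans("01345@$7", "oieasast")  # undo common substitutions

def weak_password_reason(candidate, company=COMPANY):
    """Return why a candidate password is easy to guess, or None if no match."""
    folded = re.sub(r"[^a-z]", "", candidate.lower().translate(LEET))
    name = company.lower()
    banned = ["password", "lenovo", re.sub(r"[^a-z]", "", name)]
    banned += re.findall(r"[a-z]{4,}", name)  # individual words of the name
    for word in banned:
        if word and word in folded:
            return f"contains easy-to-guess expression '{word}'"
    return None

def audit_accounts(accounts):
    """Return (user_id, finding) pairs for a list of account records."""
    findings = []
    for acct in accounts:
        uid = acct["user_id"]
        if uid in DEFAULT_USER_NAMES:
            findings.append((uid, "default user name still in use"))
        if acct["role"] == "supervisor" and len(acct["used_by"]) > 1:
            findings.append((uid, "supervisor ID shared by several people"))
        if acct["firmware_update"] and uid not in FIRMWARE_AUTHORIZED:
            findings.append((uid, "firmware-update privilege not authorized"))
    return findings

# Constructed sample records (hypothetical layout, not a product export format).
SAMPLE_ACCOUNTS = [
    {"user_id": "DEFAULT_ADMIN", "role": "supervisor",
     "used_by": ["alice", "bob"], "firmware_update": True},
    {"user_id": "fw.ops", "role": "operator",
     "used_by": ["carol"], "firmware_update": True},
    {"user_id": "dave", "role": "operator",
     "used_by": ["dave"], "firmware_update": False},
]

if __name__ == "__main__":
    for pw in ("P@ssw0rd2024!", "L3n0vo-Rack7", "tV9#qLm2-xKr8"):
        print(pw, "->", weak_password_reason(pw) or "no banned expression found")
    for uid, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(uid, "->", finding)
```

The password check covers only the easy-to-guess expressions named above; it does not replace the strong password rules that the Secure policy setting enforces.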