Security policies

The Flex System Chassis Management Module (CMM) and other management devices each have their own independent security policies that control, audit, and enforce the security settings. The security settings include the network settings and protocols, password and firmware update controls, and trusted computing properties such as secure boot. The security policy is distributed to the chassis devices during the provisioning process.

The CMM and management device security-policy settings can be different. The CMM distributes its security policy to its user registry and to the chassis devices, and a management device distributes its security policy to its user registry.

An administrator or a user with administrative privileges can use the management device or CMM user interfaces and the CMM command-line interface to change the security-policy settings. If the security-policy settings are changed after the chassis devices are up and running, the security policy status will remain in the Pending state until the management processors in the chassis devices restart.

The following security-policy settings are available for the management device and CMM:
  • Secure: This is the default setting. It helps to ensure a secure chassis infrastructure and enforces the use of the following:
    • Strong password policies with automatic validation and verification checks
    • Updated passwords that replace the manufacturing default passwords after the initial setup
    • Secure communication protocols only
    • Secure and trusted connections for all communication with the management device
  • Legacy: This setting provides significant flexibility for managing the chassis security, but it is the least secure setting. It permits the use of the following:
    • Weak (default) or strong password policies
    • Manufacturing default passwords that do not have to be changed
    • Unencrypted communication protocols such as Telnet, SNMPv1, TCP Command Mode, FTP Server, and TFTP Server

See "CMM security", "Using the Lenovo Chassis Management Module 2 CLI", and the security documentation for your management device for more information.