Implementing a secure environment

It is important that you evaluate the security requirements in your environment, understand all security risks, and minimize those risks. Lenovo XClarity Administrator includes several features that can help you secure your environment. Use the following information to help you implement the security plan for your environment.

About this task

Important: You are responsible for the evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls for your system environment. Implementing the security features that are described in this section does not secure your environment completely.
Consider the following information when you are evaluating the security requirements for your environment:
  • The physical security of your environment is important; limit access to rooms and racks where systems-management hardware is kept.
  • Use a software-based firewall to protect your network hardware and data from known and emerging security threats such as viruses and unauthorized access.
  • Do not change the default security settings for the network switches and pass-thru modules. The manufacturing default settings for these components disable the use of insecure protocols and enable the requirement for signed firmware updates.
  • The management applications for the CMMs, baseboard management controllers, FSPs, and switches permit only signed firmware-update packages for these components to ensure that only trusted firmware is installed.
  • Only the users who are authorized to update firmware components should have firmware-update authority.
  • At a minimum, ensure that critical firmware updates are installed. After making any changes, always back up the configuration.
  • Ensure that all security-related updates for DNS servers are installed promptly and kept up to date.
  • Instruct your users not to accept any untrusted certificates. For more information, see Working with security certificates.
  • Tamper-evident options are available for the Flex System hardware. If the hardware is installed in an unlocked rack or located in an open area, install the tamper-evident options to deter and identify intrusions. See the documentation that comes with your Flex System products for more information about the tamper-evident options.
  • Where possible and practical, place the systems-management hardware in a separate subnet. Typically, only administrators should have access to the systems-management hardware, and no basic users should be given access.
  • When you choose passwords, do not use expressions that are easy to guess, such as password or the name of your company. Keep the passwords in a secure place, and ensure that access to the passwords is restricted. Implement a password policy for your company.
    Important: Always change the default user name and password. Strong password rules should be required for all users.
  • Establish power-on passwords for users as a way to control who has access to the data and setup programs on the servers. See the documentation that comes with your servers for more information about power-on passwords.
  • Use the various authorization levels that are available for different users in your environment. Do not allow all users to work with the same supervisor user ID.
  • Ensure that your environment meets the following NIST 800-131A criteria to support secure communications:
    • Use the TLS v1.2 protocol for Secure Sockets Layer (SSL) communications.
    • Use SHA-256 or stronger hashing functions for digital signatures and SHA-1 or stronger hashing functions for other applications.
    • Use RSA-2048 or stronger, or use NIST approved Elliptic Curves that are 224 bits or stronger.
    • Use NIST-approved symmetric encryption with keys at least 128 bits in length.
    • Use NIST-approved random-number generators.
    • Where possible, support Diffie-Hellman or Elliptic Curve Diffie-Hellman key-exchange mechanisms.

    For more information about cryptography settings, see Configuring cryptography settings on the management server. For more information about NIST settings, see Implementing NIST SP 800-131A compliance.
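
The criteria list above can be turned into a repeatable check over the parameters each management endpoint negotiates. The following is an added example, not Lenovo code: the record fields, endpoint names and sample values are constructed, and it assumes that TLS versions newer than 1.2 are acceptable and that AES is the only symmetric cipher allowed.

```python
# Added example: field names and sample records are constructed for illustration.
TLS_RANK = {"SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
HASH_BITS = {"md5": 128, "sha1": 160, "sha224": 224, "sha256": 256,
             "sha384": 384, "sha512": 512}
MIN_KEY_BITS = {"RSA": 2048, "EC": 224}   # thresholds from the criteria list
APPROVED_CIPHERS = {"AES"}                # assumption: only AES is accepted here
DH_KEX = {"DHE", "ECDHE"}


def audit(ep):
    """Return (severity, message) findings for one endpoint record."""
    out = []
    # Unknown protocol names rank as -1 and therefore fail.
    if TLS_RANK.get(ep["tls"], -1) < TLS_RANK["TLSv1.2"]:
        out.append(("fail", f"protocol {ep['tls']} is below TLSv1.2"))
    if HASH_BITS.get(ep["sig_hash"], 0) < 256:
        out.append(("fail", f"signature hash {ep['sig_hash']} is weaker than SHA-256"))
    need = MIN_KEY_BITS.get(ep["key_type"])
    if need is None or ep["key_bits"] < need:
        out.append(("fail", f"{ep['key_type']}-{ep['key_bits']} key is not acceptable"))
    if ep["cipher"] not in APPROVED_CIPHERS or ep["cipher_bits"] < 128:
        out.append(("fail", f"cipher {ep['cipher']}-{ep['cipher_bits']} is not acceptable"))
    # The list says "where possible" for (EC)DH, so report a warning, not a failure.
    if ep["kex"] not in DH_KEX:
        out.append(("warn", f"key exchange {ep['kex']} is not DH or ECDH"))
    return out


# Constructed inventory; in practice these values come from a TLS scan.
SAMPLES = [
    {"name": "cmm-01", "tls": "TLSv1.2", "sig_hash": "sha256", "key_type": "RSA",
     "key_bits": 2048, "cipher": "AES", "cipher_bits": 128, "kex": "ECDHE"},
    {"name": "bmc-07", "tls": "TLSv1.0", "sig_hash": "sha1", "key_type": "RSA",
     "key_bits": 1024, "cipher": "3DES", "cipher_bits": 112, "kex": "RSA"},
    {"name": "switch-03", "tls": "TLSv1.2", "sig_hash": "sha384", "key_type": "EC",
     "key_bits": 256, "cipher": "AES", "cipher_bits": 256, "kex": "RSA"},
]

if __name__ == "__main__":
    for ep in SAMPLES:
        findings = audit(ep)
        print(ep["name"], "compliant" if not findings else "")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```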