It is important that you evaluate the security requirements
in your environment, understand all security risks, and minimize those
risks. Lenovo XClarity Administrator includes several features that can help you secure your
environment. Use the following information to help you implement the
security plan for your environment.
About this task
Important: You are responsible for the evaluation, selection,
and implementation of security features, administrative procedures,
and appropriate controls for your system environment. Implementing
the security features that are described in this section does not
secure your environment completely.
Consider the following information when you are evaluating the security requirements for your environment:
- The physical security of your environment is important; limit
access to rooms and racks where systems-management hardware is kept.
- Use a software-based firewall to protect your network hardware
and data from known and emerging security threats such as viruses
and unauthorized access.
- Do not change the default security settings for the network switches
and pass-thru modules. The manufacturing default settings for these
components disable the use of insecure protocols and enable the requirement
for signed firmware updates.
- The management applications for the CMMs, baseboard management
controllers, FSPs, and switches permit only signed firmware-update
packages for these components to ensure that only trusted firmware
is installed.
- Only the users who are authorized to update firmware components
should have firmware-update authority.
- At a minimum, ensure that critical firmware updates are installed.
After making any changes, always back up the configuration.
- Ensure that all security-related updates for DNS servers are installed
promptly and kept up to date.
- Instruct your users to not accept any untrusted certificates.
For more information, see Working with security certificates.
- Tamper-evident options are available for the Flex System hardware. If the hardware is installed in an unlocked
rack or located in an open area, install the tamper-evident options
to deter and identify intrusions. See the documentation that comes
with your Flex System products for more information about the tamper-evident
options.
- Where possible and practical, place the systems-management hardware
in a separate subnet. Typically, only administrators should have access
to the systems-management hardware, and no basic users should be given
access.
- When you choose passwords, do not use expressions that are easy
to guess, such as "password" or the name of your company. Keep
the passwords in a secure place, and ensure that access to the passwords
is restricted. Implement a password policy for your company.
  Important: Always change the default user name and password.
Strong password rules should be required for all users.
- Establish power-on passwords for users as a way to control who
has access to the data and setup programs on the servers. See the
documentation that comes with your servers for more information about
power-on passwords.
- Use the various authorization levels that are available for different
users in your environment. Do not allow all users to work with the
same supervisor user ID.
- Ensure that your environment meets the following NIST 800-131A
criteria to support secure communications:
  - Use Secure Sockets Layer (SSL) over the TLS v1.2 protocol.
  - Use SHA-256 or stronger hashing functions for digital signatures
  and SHA-1 or stronger hashing functions for other applications.
  - Use RSA-2048 or stronger, or use NIST-approved Elliptic Curves
  that are 224 bits or stronger.
  - Use NIST-approved symmetric encryption with keys at least 128
  bits in length.
  - Use NIST-approved random-number generators.
  - Where possible, support Diffie-Hellman or Elliptic Curve Diffie-Hellman
  key-exchange mechanisms.
For more information about cryptography settings, see Configuring cryptography settings on the management server. For more information about
NIST settings, see Implementing NIST SP 800-131A compliance.
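As an added example (not Lenovo's code or part of this documentation), the following Python script uses the standard ssl module to audit a TLS client context against the NIST 800-131A checklist above: it enforces TLS 1.2 as the minimum protocol version and flags every negotiable cipher suite whose key exchange is not (EC)DH, whose cipher is not AES, whose strength is below 128 bits, or whose MAC is MD5. The category strings (kx-ecdhe, kx-any, aes-128-gcm, ...) are the ones SSLContext.get_ciphers() reports; accepting TLS 1.3 as meeting the TLS 1.2 criterion and taking AES as the NIST-approved symmetric family are assumptions made here.

```python
import ssl

# Assumptions mapping the page's NIST SP 800-131A checklist onto the category
# names reported by SSLContext.get_ciphers(): key exchange must be (EC)DH,
# the symmetric cipher must be AES (ChaCha20, 3DES, RC4 and Camellia are not
# NIST-approved) at 128-bit strength or better, and an MD5 MAC is rejected
# while SHA-1 remains acceptable for "other applications" as the page states.
APPROVED_KEX = {"kx-ecdhe", "kx-dhe", "kx-any"}   # kx-any: TLS 1.3, always (EC)DHE
APPROVED_CIPHER_PREFIX = "aes"
MIN_STRENGTH_BITS = 128


def check_cipher(info):
    """Return the NIST 800-131A violations for one get_ciphers() entry."""
    name = info["name"]
    violations = []
    if info["kea"] not in APPROVED_KEX:
        violations.append(f"{name}: key exchange {info['kea']} is not (EC)DH")
    if not info["symmetric"].startswith(APPROVED_CIPHER_PREFIX):
        violations.append(f"{name}: cipher {info['symmetric']} is not NIST-approved")
    if info["strength_bits"] < MIN_STRENGTH_BITS:
        violations.append(f"{name}: only {info['strength_bits']}-bit strength")
    # AEAD suites report no separate digest; for CBC suites reject MD5 only.
    if not info.get("aead") and info.get("digest") == "md5":
        violations.append(f"{name}: MD5 MAC is not permitted")
    return violations


def nist_800_131a_context():
    """Build a client context restricted to TLS 1.2+ and (EC)DHE-AES suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-string syntax: prefer AES-GCM, allow AES-CBC, (EC)DHE only.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES")
    return ctx


def audit_context(ctx):
    """Return all findings for a context: protocol floor plus every suite."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol {ctx.minimum_version.name} is below TLS 1.2")
    for info in ctx.get_ciphers():
        findings.extend(check_cipher(info))
    return findings


if __name__ == "__main__":
    for finding in audit_context(nist_800_131a_context()) or ["no findings"]:
        print(finding)
```

Signature hashes (SHA-256 or stronger) and RSA/EC key sizes are properties of the certificates, not of the cipher suite, so they must be checked separately against the certificate chain.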