Checklist of Security Settings That Can Be Tightened in an HPC Cluster
Applies To: Windows HPC Server 2008
The following checklist outlines the main configuration aspects of Windows HPC Server 2008 that are described in this document (Security in Windows HPC Server 2008), provides recommendations for tightening the security for those aspects, and lists references for more information. To help maximize the security for your HPC cluster, review the recommendations and references that apply to your installation.
Important
When implementing security for your installation, also be sure to follow security basics such as restricting physical access to your servers and networks, and using strong passwords. For information about such security basics and about applying software updates (which can help strengthen the security of a server), see "Additional references," later in this topic.
Configuration aspect and recommendation | Reference | |
---|---|---|
Network topology: When creating the network design and connecting the physical networks for the cluster, use network topology 1 or 3. If your cluster will run Message Passing Interface (MPI) jobs, also review "Considerations for an HPC cluster that will run MPI jobs" in Understanding Security Considerations for Network Topologies in Windows HPC Server 2008. |
||
Pre-Boot Execution Environment (PXE) for compute nodes: Whenever you have new compute nodes that have just been booted from PXE, review the list of offline nodes carefully, to ensure that you bring online only the nodes you intentionally created. (If you are using PXE, also review the other recommendations in Understanding Security Considerations for the PXE Boot Process in Windows HPC Server 2008.) |
|
|
Node templates for compute nodes that are deployed from bare metal: When you create a new compute node template in Windows HPC Server 2008 for compute nodes that will be added to your cluster from bare metal, specify the setting that limits local administrative access to compute nodes. |
||
HPC cluster users and administrators: Arrange for the creation of two custom groups in Active Directory Domain Services (AD DS), one group for HPC cluster users and one for HPC cluster administrators. Assign these groups to the appropriate roles in your HPC cluster, and remove default groups such as Domain Users from HPC cluster users, and Domain Admins from HPC cluster administrators. Also, as with any server technology, limit the number of people you designate as administrators in an HPC cluster. |
||
Job records and the associated encrypted passwords: Review the length of time that job records (and the encrypted passwords associated with them) are stored in your cluster, and evaluate whether to make that time shorter. |
As with any server technology, it is also important to avoid tightening the security settings in ways that may interfere with server function. In this document, the following topics describe specific settings that must be configured appropriately to allow an HPC cluster to function:
Troubleshoot Access to an HPC Cluster When Logon Rights Have Been Restricted
Configuring Firewall Exceptions and Access for Client Applications in an HPC Cluster
Additional references
Updating Compute Nodes in Windows HPC Server 2008 Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=153112)
DHCP Server Rogue Detection (https://go.microsoft.com/fwlink/?LinkId=151473)
Rogue Detection (https://go.microsoft.com/fwlink/?LinkId=153114)
List of resources for Windows HPC Server 2008 (https://go.microsoft.com/fwlink/?LinkId=119223)
What's New for Security in Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=152854)
Threats and Vulnerabilities Mitigation for Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=152856)
Revisiting the 10 Immutable Laws of Security, Part 1 (https://go.microsoft.com/fwlink/?LinkId=157176)
Revisiting the 10 Immutable Laws of Security, Part 2 (https://go.microsoft.com/fwlink/?LinkId=157177)
Revisiting the 10 Immutable Laws of Security, Part 3 (https://go.microsoft.com/fwlink/?LinkId=157178)