Checklist of Security Settings That Can Be Tightened with Windows HPC Server 2008 R2

Updated: October 2010

Applies To: Windows HPC Server 2008 R2

The following checklist outlines the main configuration aspects of Windows HPC Server 2008 R2 that are described in this document (Windows HPC Server 2008 R2: Security), provides recommendations for tightening the security for those aspects, and lists references for more information. To help maximize the security for your HPC cluster, review the recommendations and references that apply to your installation.

When implementing security for your installation, also be sure to follow security basics such as restricting physical access to your servers and networks, and using strong passwords. For information about such security basics and about applying software updates (which can help strengthen the security of a server), see "Additional references," later in this topic.
  Configuration aspect and recommendation Reference

Network topology: When creating the network design and connecting the physical networks for the cluster, use network topology 1 or 3.

If your cluster will run Message Passing Interface (MPI) jobs, also review "Considerations for an HPC cluster that will run MPI jobs" in Understanding Security Considerations for Network Topologies in Windows HPC Server 2008 R2.

SQL Server database security measures: Review the security options in SQL Server 2008 and choose appropriate options for the databases for your HPC cluster.

Pre-Boot Execution Environment (PXE) for compute nodes: Whenever you have new compute nodes that have just been booted from PXE, review the list of offline nodes carefully, to ensure that you bring online only the nodes you intentionally created.

(If you are using PXE, also review the other recommendations in Understanding Security Considerations for the PXE Boot Process in Windows HPC Server 2008 R2.)

Node templates for compute nodes that are deployed from bare metal: When you create a new compute node template in Windows HPC Server 2008 R2 for compute nodes that will be added to your cluster from bare metal, specify the setting that limits local administrative access to compute nodes.

HPC cluster users and administrators: Arrange for the creation of two custom groups in Active Directory Domain Services (AD DS), one group for HPC cluster users and one for HPC cluster administrators. Assign these groups to the appropriate roles in your HPC cluster, and remove default groups such as Domain Users from HPC cluster users, and Domain Admins from HPC cluster administrators.

Also, as with any server technology, limit the number of people you designate as administrators in an HPC cluster.

File and folder permissions for important files: Track and protect the computers and folders where files that are important to your HPC cluster are stored.

Job records and the associated encrypted passwords: Review the length of time that job records (and the encrypted passwords associated with them) are stored in your cluster, and evaluate whether to make that time shorter.
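For the PXE recommendation above, one way to make the review of offline nodes repeatable is to compare the list against an inventory of nodes you provisioned on purpose. The following PowerShell is an added example, not part of the original topic or of HPC Pack; the function name, the node names, and the use of the `NetBiosName` property are assumptions made for illustration.

```powershell
# Added example. Compares offline nodes against an approved inventory so that
# only intentionally created nodes are brought online. All names are constructed.

function Get-UnexpectedOfflineNode {
    param(
        [string[]]$OfflineNode,    # names currently listed as offline
        [string[]]$ApprovedNode    # names you intentionally provisioned
    )

    # Normalize a name: trim, drop any DNS suffix, upper-case.
    $normalize = { param($n) ($n.Trim() -split '\.')[0].ToUpperInvariant() }

    $approved = @{}
    foreach ($n in $ApprovedNode) {
        if ($n -and $n.Trim()) { $approved[(& $normalize $n)] = $true }
    }

    foreach ($n in $OfflineNode) {
        if (-not $n -or -not $n.Trim()) { continue }
        $key = & $normalize $n
        # New-Object keeps this compatible with Windows PowerShell 2.0.
        New-Object PSObject -Property @{
            Node     = $key
            Approved = $approved.ContainsKey($key)
        }
    }
}

# Constructed inventory of nodes that were deliberately PXE-booted.
$approvedNodes = @('CN-001', 'CN-002', 'CN-003')

# Constructed offline list. On a head node this could instead come from
# (assumption: node objects expose NetBiosName):
#   Get-HpcNode -State Offline | ForEach-Object { $_.NetBiosName }
$offlineNodes = @('cn-001.cluster.example', 'CN-002', 'CN-017')

$review = Get-UnexpectedOfflineNode -OfflineNode $offlineNodes -ApprovedNode $approvedNodes
$review | Format-Table Node, Approved -AutoSize

$unexpected = @($review | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    $names = ($unexpected | ForEach-Object { $_.Node }) -join ', '
    Write-Warning "Do not bring online until verified: $names"
}
```

Only nodes reported with `Approved` set to `True` should be candidates for being brought online; anything else should be traced to a physical machine before it joins the cluster.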

As with any server technology, it is also important to avoid tightening the security settings in ways that may interfere with server function. In this document, the following topics describe specific settings that must be configured appropriately to allow an HPC cluster to function:

Additional references