This page provides a list of recommended secure configuration checks for NetApp ONTAP systems, and is periodically updated.
ONTAP or Data ONTAP or Clustered Data ONTAP or Data ONTAP 7-Mode is NetApp's proprietary operating system used in storage disk arrays such as NetApp FAS and AFF, ONTAP Select and Cloud Volumes ONTAP.
| System | Category | Configuration check |
| NetApp cDOT / Filer | Access Control | Allowed protocols |
| NetApp cDOT / Filer | Access Control | Anonymous user access is enabled |
| NetApp cDOT / Filer | Access Control | Approved admin user / group |
| NetApp cDOT / Filer | Access Control | Approved NTP Servers |
| NetApp cDOT / Filer | Access Control | Approved syslog servers |
| NetApp cDOT / Filer | Access Control | banner status |
| NetApp cDOT / Filer | Access Control | CIFS SMBv1 status |
| NetApp cDOT / Filer | Access Control | File share client access list |
| NetApp cDOT / Filer | Access Control | FIPS mode status |
| NetApp cDOT / Filer | Access Control | Firewall restrictions |
| NetApp cDOT / Filer | Access Control | Firewall status |
| NetApp cDOT / Filer | Access Control | iSCSI interface acl |
| NetApp cDOT / Filer | Access Control | Motd status |
| NetApp cDOT / Filer | Access Control | NFS cached credential time |
| NetApp cDOT / Filer | Access Control | NFS idle connection timeout |
| NetApp cDOT / Filer | Access Control | NFS privileged ports |
| NetApp cDOT / Filer | Access Control | Non-default local users |
| NetApp cDOT / Filer | Access Control | root (vol0) volume export |
| NetApp cDOT / Filer | Access Control | Root user status |
| NetApp cDOT / Filer | Access Control | Sensitive data removal (autosupport) |
| NetApp cDOT / Filer | Access Control | Session timeout |
| NetApp cDOT / Filer | Access Control | SP SSH ACL |
| NetApp cDOT / Filer | Audit | Audit logging status |
| NetApp cDOT / Filer | Audit | Centralized log server |
| NetApp cDOT / Filer | Audit | Centralized log server redundancy |
| NetApp cDOT / Filer | Audit | External fpolicy server resilient logging |
| NetApp cDOT / Filer | Audit | Firewall logging status |
| NetApp cDOT / Filer | Audit | NTP server configuration |
| NetApp cDOT / Filer | Audit | NTP server redundancy |
| NetApp cDOT / Filer | Audit | Required External (central) log servers |
| NetApp cDOT / Filer | Audit | Required NTP Servers |
| NetApp cDOT / Filer | Audit | Security audit logging - read-only |
| NetApp cDOT / Filer | Audit | syslog min severity |
| NetApp cDOT / Filer | Audit | Syslog server authentication |
| NetApp cDOT / Filer | Audit | Time server (NTP) authentication |
| NetApp cDOT / Filer | Authentication | Account lockout threshold |
| NetApp cDOT / Filer | Authentication | Admin password complexity |
| NetApp cDOT / Filer | Authentication | Authentication server configuration |
| NetApp cDOT / Filer | Authentication | Autosupport digital certificate validation |
| NetApp cDOT / Filer | Authentication | Central authentication for file share access |
| NetApp cDOT / Filer | Authentication | Central Certificate Authority (CA) status |
| NetApp cDOT / Filer | Authentication | Certificate Issuer |
| NetApp cDOT / Filer | Authentication | CIFS AD session security level |
| NetApp cDOT / Filer | Authentication | CIFS domain password change |
| NetApp cDOT / Filer | Authentication | CIFS password complexity |
| NetApp cDOT / Filer | Authentication | CIFS server minimum authentication security level |
| NetApp cDOT / Filer | Authentication | Cluster peer min passphrase length |
| NetApp cDOT / Filer | Authentication | Default passwords |
| NetApp cDOT / Filer | Authentication | Initial password change |
| NetApp cDOT / Filer | Authentication | Ipsec configuration |
| NetApp cDOT / Filer | Authentication | iSCSI initiator authentication |
| NetApp cDOT / Filer | Authentication | kerberos configuration |
| NetApp cDOT / Filer | Authentication | Maximum password age |
| NetApp cDOT / Filer | Authentication | Minimum account lockout duration |
| NetApp cDOT / Filer | Authentication | Minimum password age |
| NetApp cDOT / Filer | Authentication | Minimum password digits |
| NetApp cDOT / Filer | Authentication | Minimum password length |
| NetApp cDOT / Filer | Authentication | Minimum password lowercase characters |
| NetApp cDOT / Filer | Authentication | Minimum password special characters |
| NetApp cDOT / Filer | Authentication | Minimum password uppercase characters |
| NetApp cDOT / Filer | Authentication | Multifactor authentication status |
| NetApp cDOT / Filer | Authentication | NDMP authentication type |
| NetApp cDOT / Filer | Authentication | NDMP cleartext password |
| NetApp cDOT / Filer | Authentication | NDMP password length |
| NetApp cDOT / Filer | Authentication | Number of disallowed past passwords |
| NetApp cDOT / Filer | Authentication | Password hash strength |
| NetApp cDOT / Filer | Authentication | Password rules status |
| NetApp cDOT / Filer | Authentication | Peer to peer communication authentication |
| NetApp cDOT / Filer | Authentication | SNMP community default string |
| NetApp cDOT / Filer | Authorization | Admin group mapping |
| NetApp cDOT / Filer | Authorization | Anonymous user mapping |
| NetApp cDOT / Filer | Authorization | CIFS anonymous user access restriction |
| NetApp cDOT / Filer | Authorization | CIFS file access to non-owners |
| NetApp cDOT / Filer | Authorization | NFS export rule setuid status |
| NetApp cDOT / Filer | Authorization | NFS File ownership change permission |
| NetApp cDOT / Filer | Authorization | NFS unknown UID mapping |
| NetApp cDOT / Filer | Authorization | nosuid option enabled |
| NetApp cDOT / Filer | Authorization | Security types for NFS export |
| NetApp cDOT / Filer | Authorization | Share access rights |
| NetApp cDOT / Filer | Authorization | SNMP community permission |
| NetApp cDOT / Filer | Backup and Recovery | Aggr mirror status |
| NetApp cDOT / Filer | Backup and Recovery | Configuration backup |
| NetApp cDOT / Filer | Backup and Recovery | Remote copy |
| NetApp cDOT / Filer | Backup and Recovery | Secure data copy retention (snaplock config) |
| NetApp cDOT / Filer | Backup and Recovery | Snaplock retention |
| NetApp cDOT / Filer | Backup and Recovery | Snaplock type |
| NetApp cDOT / Filer | Backup and Recovery | Snapshot autodelete configuration |
| NetApp cDOT / Filer | Backup and Recovery | Snapshot autodelete status |
| NetApp cDOT / Filer | Configuration Management | Approved DNS servers |
| NetApp cDOT / Filer | Configuration Management | CIFS dialect for widelinks access |
| NetApp cDOT / Filer | Configuration Management | DDNS status |
| NetApp cDOT / Filer | Configuration Management | DNS service redundancy |
| NetApp cDOT / Filer | Configuration Management | DNS service status |
| NetApp cDOT / Filer | Configuration Management | iSNS configuration |
| NetApp cDOT / Filer | Configuration Management | NDMP node-scoped mode |
| NetApp cDOT / Filer | Configuration Management | NetBIOS over TCP status |
| NetApp cDOT / Filer | Configuration Management | NetBIOS status |
| NetApp cDOT / Filer | Configuration Management | NFS AUTH_SYS extended groups status |
| NetApp cDOT / Filer | Configuration Management | NFS over UDP |
| NetApp cDOT / Filer | Configuration Management | NFSv3 MS-DOS client support |
| NetApp cDOT / Filer | Configuration Management | NFSv3 security changes |
| NetApp cDOT / Filer | Configuration Management | Remote support status |
| NetApp cDOT / Filer | Configuration Management | SP firmware image |
| NetApp cDOT / Filer | Configuration Management | Target ONTAP version |
| NetApp cDOT / Filer | Configuration Management | Updated node security settings |
| NetApp cDOT / Filer | Data Integrity | NFS checksum for replay-cache |
| NetApp cDOT / Filer | Encryption | AES encryption for CIFS |
| NetApp cDOT / Filer | Encryption | Certificate algorithm |
| NetApp cDOT / Filer | Encryption | CIFS encryption for DC connections |
| NetApp cDOT / Filer | Encryption | Data encryption status |
| NetApp cDOT / Filer | Encryption | External policy engine SSL option |
| NetApp cDOT / Filer | Encryption | FTP service status |
| NetApp cDOT / Filer | Encryption | HTTP service status |
| NetApp cDOT / Filer | Encryption | HTTP service status (node) |
| NetApp cDOT / Filer | Encryption | Key size |
| NetApp cDOT / Filer | Encryption | KMIP configuration |
| NetApp cDOT / Filer | Encryption | LDAP client session security |
| NetApp cDOT / Filer | Encryption | NFS encryption strength |
| NetApp cDOT / Filer | Encryption | Node Autosupport unsecure transport |
| NetApp cDOT / Filer | Encryption | OCSP configuration |
| NetApp cDOT / Filer | Encryption | Peer to peer communication encryption |
| NetApp cDOT / Filer | Encryption | Permitted encryption types for NFS Kerberos |
| NetApp cDOT / Filer | Encryption | Secure LDAP for CIFS connections |
| NetApp cDOT / Filer | Encryption | Secure NDMP (NDMP SSL) used |
| NetApp cDOT / Filer | Encryption | Signing for CIFS traffic |
| NetApp cDOT / Filer | Encryption | SMB encryption enabled |
| NetApp cDOT / Filer | Encryption | SSH cipher strength |
| NetApp cDOT / Filer | Encryption | SSH MAC strength |
| NetApp cDOT / Filer | Encryption | SSL certificate status |
| NetApp cDOT / Filer | Encryption | SSL options |
| NetApp cDOT / Filer | Encryption | TLS level |
| NetApp cDOT / Filer | Encryption | Unencrypted syslog traffic |
| NetApp cDOT / Filer | Information Security | object store security settings |
| NetApp cDOT / Filer | Malware Protection | Anti-ransomware configuration |
| NetApp cDOT / Filer | Malware Protection | Antivirus server redundancy |
| NetApp cDOT / Filer | Malware Protection | External file policy server |
| NetApp cDOT / Filer | Malware Protection | Ransomware protection Policy |
| NetApp cDOT / Filer | Malware Protection | Ransomware protection policy definition |
| NetApp cDOT / Filer | Malware Protection | Share scan status |
| NetApp cDOT / Filer | Malware Protection | vscan-on-access-policy status |
| NetApp cDOT / Filer | Malware Protection | Vserver vscan status |
| NetApp cDOT / Filer | Monitoring | Email notification |
| NetApp cDOT / Filer | Monitoring | SMTP configuration |
| NetApp cDOT / Filer | Monitoring | SNMP min severity |
| NetApp cDOT / Filer | Services and Protocols | NFS versions enabled |
| NetApp cDOT / Filer | Services and Protocols | RSH service status |
| NetApp cDOT / Filer | Services and Protocols | SMB version enabled |
| NetApp cDOT / Filer | Services and Protocols | SMB version enabled for DC connections |
| NetApp cDOT / Filer | Services and Protocols | SNMP versions enabled |
| NetApp cDOT / Filer | Services and Protocols | SP IPv6 |
| NetApp cDOT / Filer | Services and Protocols | Storage protocol status |
| NetApp cDOT / Filer | Services and Protocols | Telnet service status |
| NetApp cDOT / Filer | Services and Protocols | Unused protocols |
| ... and more. |
NOTE: Additional security baseline checks should be performed against NetApp storage management products such as Active IQ Unified Manager, OnCommand Insight, OnCommand Workflow Automation, NetApp cluster switches, ONTAP tools, NetApp plugins, ONTAP connectors, Snap Manager, SnapDrive and other NetApp software components.
|
Interested to learn about StorageGuard secure configuration checks for Storage and Backup systems? |
Comments
0 comments
Please sign in to leave a comment.