This page provides a list of recommended secure configuration checks for Dell EMC Data Domain, and is periodically updated. Data Domain is part of a suite of appliances used for data protection, backup, storage and deduplication.
ID | System | Category | Configuration check |
K010CI0MP0100 | Data Domain | Access Control | Approved NTP servers |
K010CI0M00105 | Data Domain | Access Control | Approved Syslog servers |
K010C000P0110 | Data Domain | Access Control | CIFS status |
K010CI0M00115 | Data Domain | Access Control | DD Boost user role |
K010CI00P0120 | Data Domain | Access Control | DDBoost client ACL |
K170CI0MP0125 | Data Domain | Access Control | Disable of expired users |
K010CI0MP0130 | Data Domain | Access Control | FTP ACL |
K070CI0MP0135 | Data Domain | Access Control | Host-based access lists |
K070CI0MP0140 | Data Domain | Access Control | HTTP ACL |
K070CI0MP0145 | Data Domain | Access Control | HTTPS allowed hosts list |
K010CI0MP0150 | Data Domain | Access Control | IPFilter status |
K010CI0MP0155 | Data Domain | Access Control | Limit access to iDRAC Virtual Console |
K010CI0MP0160 | Data Domain | Access Control | Login banner status |
K010CI0MP0165 | Data Domain | Access Control | Multifactor authentication status |
K010CI00P0170 | Data Domain | Access Control | NFS export client ACL |
K010CI0MP0175 | Data Domain | Access Control | NFS/CIFS share ACL |
K010CI0000180 | Data Domain | Access Control | Non-default local users |
K150CI0MP0185 | Data Domain | Access Control | Number of concurrent sessions is limited |
K010CI0M00190 | Data Domain | Access Control | portmapper status |
K010CI0MP0195 | Data Domain | Access Control | Session timeout |
K010CI0MP0200 | Data Domain | Access Control | SSH ACL |
K110CI0MP0205 | Data Domain | Access Control | SSH allowed hosts list |
K110CI0MP0210 | Data Domain | Access Control | SSH session timeout |
K010CI0MP0215 | Data Domain | Access Control | Unused ports |
K010CI0M00220 | Data Domain | Access Control | Web session timeout |
K010CI0M00223 | Data Domain | Access Control | Replication interface access |
K010CI0MP0225 | Data Domain | Audit Logging | External log host status |
K010CI0MP0230 | Data Domain | Audit Logging | External syslog server redundancy |
K010CI0MP0235 | Data Domain | Audit Logging | NTP configuration |
K010CI0MP0240 | Data Domain | Audit Logging | NTP server redundancy |
K010CI0MP0245 | Data Domain | Audit Logging | NTP status |
K010CI0MP0250 | Data Domain | Audit Logging | Required NTP servers |
K010CI0000255 | Data Domain | Audit Logging | Required Syslog servers |
K010CI0MP0260 | Data Domain | Audit Logging | Secure NTP |
K010CI0M00265 | Data Domain | Authentication | 2FA configuration (cert/pass) |
K010CI0MP0270 | Data Domain | Authentication | 2FA configuration (SecurID) |
K010CI00P0275 | Data Domain | Authentication | Account lockout threshold |
K010CI0MP0280 | Data Domain | Authentication | Authentication server configuration (if used) |
K010CI0MP0285 | Data Domain | Authentication | Authentication server redundancy (if used) |
K110CI0MP0290 | Data Domain | Authentication | BIOS password set |
K010CI00P0295 | Data Domain | Authentication | Central Certificate Authority (CA) status |
K010C00MP0300 | Data Domain | Authentication | Certificate Issuer |
K010CI0MP0305 | Data Domain | Authentication | Client authentication enforcement |
K010CI0MP0310 | Data Domain | Authentication | Default local user accounts |
K130CI0MP0315 | Data Domain | Authentication | Default passwords |
K010CI0MP0320 | Data Domain | Authentication | Global authentication mode |
K010CI0MP0325 | Data Domain | Authentication | Initial password change |
K010CI0MP0330 | Data Domain | Authentication | Kerberos for BoostFS |
K010CI0MP0335 | Data Domain | Authentication | KMIP configuration |
K010CI0000340 | Data Domain | Authentication | Maximum number of repeated password characters |
K010CI0MP0345 | Data Domain | Authentication | Maximum password age |
K010CI0MP0350 | Data Domain | Authentication | Minimum account lockout duration |
K010CI0MP0355 | Data Domain | Authentication | Minimum passphrase length |
K010CI0M00360 | Data Domain | Authentication | Minimum password age |
K010CI0MP0365 | Data Domain | Authentication | Minimum password digits |
K010CI0MP0370 | Data Domain | Authentication | Minimum password length |
K080CI0MP0375 | Data Domain | Authentication | Minimum password lowercase characters |
K080CI0MP0380 | Data Domain | Authentication | Minimum password special characters |
K010CI0MP0385 | Data Domain | Authentication | Minimum password uppercase characters |
K010CI0MP0390 | Data Domain | Authentication | NDMP authentication type |
K010CI0MP0395 | Data Domain | Authentication | Number of disallowed past passwords |
K010CI00P0400 | Data Domain | Authentication | Password hash strength |
K010CI0MP0405 | Data Domain | Authentication | Replication peer authentication |
K010CI0MP0410 | Data Domain | Authentication | SNMP community default string |
K010CI0MP0415 | Data Domain | Authentication | SNMP user authentication |
K070CI00P0420 | Data Domain | Authentication | Two-factor authentication for iDRAC |
K010CI0MP0425 | Data Domain | Authorization | Approved Admin user/group |
K010CI0MP0430 | Data Domain | Authorization | Approved CIFS admin users / groups |
K010CI0MP0435 | Data Domain | Authorization | CIFS anonymous user access restriction |
K010CI0MP0440 | Data Domain | Authorization | Permission on sensitive directories/files |
K190CI0M00445 | Data Domain | Authorization | Root squash is enforced |
K010CI0MP0450 | Data Domain | Authorization | Use of limited-admin |
K010CI0MP0455 | Data Domain | Backup and Recovery | Align backup retention period policy with retention lock time |
K010CI0MP0460 | Data Domain | Backup and Recovery | Approved target Data Domain |
K010C00MP0465 | Data Domain | Backup and Recovery | Automatic lock delay |
K010CI0M00470 | Data Domain | Backup and Recovery | Automatic retention period |
K010CI0MP0475 | Data Domain | Backup and Recovery | Backup application commits files for retention locking |
K090CI0MP0480 | Data Domain | Backup and Recovery | iDRAC Retention Lock Compliance |
K090CI0000485 | Data Domain | Backup and Recovery | Maximum retention period |
K040CI0MP0490 | Data Domain | Backup and Recovery | Minimum retention period |
K040CI0MP0495 | Data Domain | Backup and Recovery | Mtree with retention lock |
K010CI0MP0500 | Data Domain | Backup and Recovery | Remote replication |
K110CI0MP0505 | Data Domain | Backup and Recovery | Replication pair status |
K010CI0MP0510 | Data Domain | Backup and Recovery | Replication topology |
K010CI0MP0515 | Data Domain | Backup and Recovery | Required Mtree lock |
K010CI0MP0520 | Data Domain | Backup and Recovery | Retention Lock Compliance license |
K010CI0MP0525 | Data Domain | Backup and Recovery | Retention Lock configuration |
K010CI0MP0530 | Data Domain | Backup and Recovery | Retention Lock mode status |
K010CI0MP0535 | Data Domain | Backup and Recovery | Retention Lock use (manual vs automatic) |
K010CI0MP0540 | Data Domain | Backup and Recovery | Retention Locking mode |
K010CI0MP0545 | Data Domain | Backup and Recovery | Security Officer authorization enabled |
K010CI00P0550 | Data Domain | Backup and Recovery | Target Mtree Replication propagate retention lock |
K120CI0MP0555 | Data Domain | Configuration Management | DD boost user assignment to single unit |
K010CI00P0560 | Data Domain | Configuration Management | DNS server redundancy |
K010CI0MP0565 | Data Domain | Configuration Management | DNS service status |
K010CI0MP0570 | Data Domain | Configuration Management | File share export options |
K010CI0MP0575 | Data Domain | Configuration Management | File share max connections |
K020CI0000580 | Data Domain | Configuration Management | HTTP\HTTPS default port used |
K020CI0MP0585 | Data Domain | Configuration Management | Remote support configuration |
K010CI0MP0590 | Data Domain | Configuration Management | Security officer configuration |
K010CI0MP0595 | Data Domain | Configuration Management | SSH non-default port |
K010CI0MP0600 | Data Domain | Configuration Management | SSO configuration |
K010CI0MP0605 | Data Domain | Configuration Management | Target Data Domain OS version |
K010C00MP0610 | Data Domain | Encryption | Certificate expiry |
K010CI0MP0615 | Data Domain | Encryption | Certificate key size |
K010CI0MP0620 | Data Domain | Encryption | Client session encryption is disabled |
K170CI0M00625 | Data Domain | Encryption | CRL configuration |
K010CI0MP0630 | Data Domain | Encryption | Data at-rest encryption algorithm |
K010CI0MP0635 | Data Domain | Encryption | DDBoost encryption enforcement |
K010CI0MP0640 | Data Domain | Encryption | DDBoost encryption strength |
K010CI0MP0645 | Data Domain | Encryption | DDBoost file replication encryption |
K010CI0MP0650 | Data Domain | Encryption | Encryption of data at rest |
K010CI0000655 | Data Domain | Encryption | ESRS secure connection |
K050CI0MP0660 | Data Domain | Encryption | In-flight data encryption enforcement |
K010CI0MP0665 | Data Domain | Encryption | MAC algorithm strength |
K010CI0000670 | Data Domain | Encryption | Mtree replication encryption |
K110CI0MP0675 | Data Domain | Encryption | NFS privacy (krb) |
K010CI00P0680 | Data Domain | Encryption | Replication encryption over wire |
K010CI0MP0685 | Data Domain | Encryption | Secure LDAP (if used) |
K010CI0MP0690 | Data Domain | Encryption | Self-signed certificates |
K010CI0MP0695 | Data Domain | Encryption | SMB digital signing |
K010CI0MP0700 | Data Domain | Encryption | SNMP message privacy |
K010CI0MP0705 | Data Domain | Encryption | SNMP message privacy algorithm strength |
K010CI0MP0710 | Data Domain | Encryption | SSH cipher strength |
K010CI0MP0715 | Data Domain | Encryption | SSL certificate status |
K010CI0MP0720 | Data Domain | Encryption | TLS for FTP |
K010CI0MP0725 | Data Domain | Encryption | TLS level |
K010CI0MP0730 | Data Domain | Hardening | Disable default root account |
K010CI0MP0735 | Data Domain | Hardening | FIPS mode status |
K010CI0MP0740 | Data Domain | Hardening | Time change limits |
K010CI0MP0745 | Data Domain | Hardening | USB ports disabled |
K010CI0000750 | Data Domain | Monitoring | CloudIQ settings |
K010CI0MP0755 | Data Domain | Monitoring | Email alerts |
K010CI0000760 | Data Domain | Monitoring | ESRS settings and state |
K010CI0MP0765 | Data Domain | Services and Protocols | Approved NFS versions |
K010CI0MP0770 | Data Domain | Services and Protocols | CIFS SMBv1 status |
K010CI0M00775 | Data Domain | Services and Protocols | Cloud status |
K010CI00P0780 | Data Domain | Services and Protocols | DDNS status |
K010C00MP0785 | Data Domain | Services and Protocols | FTP service |
K010CI0MP0790 | Data Domain | Services and Protocols | HTTP service |
K030CI0MP0795 | Data Domain | Services and Protocols | IPMI configuration |
K180CI0MP0800 | Data Domain | Services and Protocols | IPv6 configuration |
K010CI0MP0805 | Data Domain | Services and Protocols | NDMP configuration |
K110CI0000810 | Data Domain | Services and Protocols | NFS port |
K010CI0MP0815 | Data Domain | Services and Protocols | SNMP service |
K010CI0M00820 | Data Domain | Services and Protocols | SNMPv1 / SNMPv2 version |
K010CI0MP0825 | Data Domain | Services and Protocols | Telnet service |
K010CI0MP0830 | Data Domain | Services and Protocols | Telnet uninstall |
K010CI0MP0835 | Data Domain | Services and Protocols | VTL service |
K010CI0MP0840 | Data Domain | Isolation | Unique credentials |
K010CI0MP0845 | Data Domain | Isolation | Use of local users (No AD) |
... and more. |
NOTE: In addition to DDOS, security baseline checks should also be performed against Data Domain Management Center (DDMC), Data Protection Central (DPC), Smart Scale, iDRAC and other Dell EMC components.