Dell EMC Data Domain: Recommended Security Baseline Checks

This page provides a list of recommended secure configuration checks for Dell EMC Data Domain, and is periodically updated.

Data Domain is part of a suite of appliances used for data protection, backup, storage and deduplication.

System	Category	Configuration check
Data Domain	Access Control	Approved Syslog servers
Data Domain	Access Control	CIFS status
Data Domain	Access Control	DD Boost user role
Data Domain	Access Control	DDBoost client ACL
Data Domain	Access Control	Disable of expired users
Data Domain	Access Control	FTP ACL
Data Domain	Access Control	Host-based access lists
Data Domain	Access Control	HTTP ACL
Data Domain	Access Control	IPFilter status
Data Domain	Access Control	Limit access to iDRAC Virtual Console
Data Domain	Access Control	Login banner status
Data Domain	Access Control	NFS/CIFS share ACL
Data Domain	Access Control	Non-default local users
Data Domain	Access Control	Number of concurrent sessions is limited
Data Domain	Access Control	portmapper status
Data Domain	Access Control	Session timeout
Data Domain	Access Control	SSH ACL
Data Domain	Access Control	SSH session timeout
Data Domain	Access Control	Unused ports
Data Domain	Access Control	Web session timeout
Data Domain	Audit	External log host status
Data Domain	Audit	External syslog server redundancy
Data Domain	Audit	NTP configuration
Data Domain	Audit	NTP server redundancy
Data Domain	Audit	NTP status
Data Domain	Audit	Required NTP servers
Data Domain	Audit	Required Syslog servers
Data Domain	Authentication	2FA configuration (cert/pass)
Data Domain	Authentication	2FA configuration (SecurID)
Data Domain	Authentication	Account lockout threshold
Data Domain	Authentication	Authentication server configuration
Data Domain	Authentication	Authentication server redundancy
Data Domain	Authentication	BIOS password set
Data Domain	Authentication	Central Certificate Authority (CA) status
Data Domain	Authentication	Certificate Issuer
Data Domain	Authentication	Client authentication enforcement
Data Domain	Authentication	Default local user accounts
Data Domain	Authentication	Default passwords
Data Domain	Authentication	Global authentication mode
Data Domain	Authentication	Initial password change
Data Domain	Authentication	Kerberos for BoostFS
Data Domain	Authentication	KMIP status
Data Domain	Authentication	Maximum number of repeated password characters
Data Domain	Authentication	Maximum password age
Data Domain	Authentication	Minimum account lockout duration
Data Domain	Authentication	Minimum passphrase length
Data Domain	Authentication	Minimum password age
Data Domain	Authentication	Minimum password digits
Data Domain	Authentication	Minimum password length
Data Domain	Authentication	Minimum password lowercase characters
Data Domain	Authentication	Minimum password special characters
Data Domain	Authentication	Minimum password uppercase characters
Data Domain	Authentication	NDMP authentication type
Data Domain	Authentication	Number of disallowed past passwords
Data Domain	Authentication	Password hash strength
Data Domain	Authentication	Replication peer authentication
Data Domain	Authentication	SNMP community default string
Data Domain	Authentication	SNMP user authentication
Data Domain	Authentication	Two-factor authentication for iDRAC
Data Domain	Authorization	Approved Admin user/group
Data Domain	Authorization	Approved CIFS admin users / groups
Data Domain	Authorization	CIFS anonymous user access restriction
Data Domain	Authorization	Permission on sensitive directories/files
Data Domain	Authorization	Root squash is enforced
Data Domain	Authorization	Use of limited-admin
Data Domain	Backup and Recovery	Remote replication
Data Domain	Backup and Recovery	Replication topology
Data Domain	Backup and Recovery	Retention lock configuration
Data Domain	Configuration Management	DD boost user assignment to single unit
Data Domain	Configuration Management	DNS server redundancy
Data Domain	Configuration Management	DNS service status
Data Domain	Configuration Management	File share export options
Data Domain	Configuration Management	File share max connections
Data Domain	Configuration Management	HTTP\HTTPS default port used
Data Domain	Configuration Management	Remote support configuration
Data Domain	Configuration Management	Security officer configuration
Data Domain	Configuration Management	SSO configuration
Data Domain	Configuration Management	Target Data Domain OS version
Data Domain	Encryption	Certificate expiry
Data Domain	Encryption	Certificate key size
Data Domain	Encryption	Client session encryption is disabled
Data Domain	Encryption	CRL configuration
Data Domain	Encryption	Data at-rest encryption algorithm
Data Domain	Encryption	DDBoost encryption enforcement
Data Domain	Encryption	DDBoost encryption strength
Data Domain	Encryption	DDBoost file replication encryption
Data Domain	Encryption	Encryption of data at rest
Data Domain	Encryption	ESRS secure connection
Data Domain	Encryption	In-flight data encryption enforcement
Data Domain	Encryption	MAC algorithm strength
Data Domain	Encryption	NFS privacy (krb)
Data Domain	Encryption	Replication encryption over wire
Data Domain	Encryption	Secure LDAP
Data Domain	Encryption	Self-signed certificates
Data Domain	Encryption	SMB digital signing
Data Domain	Encryption	SNMP message privacy
Data Domain	Encryption	SNMP message privacy algorithm strength
Data Domain	Encryption	SSH cipher strength
Data Domain	Encryption	SSL certificate status
Data Domain	Encryption	TLS for FTP
Data Domain	Encryption	TLS level
Data Domain	Encryption	TLS level
Data Domain	Hardening	Disable default root account
Data Domain	Hardening	FIPS mode status
Data Domain	Hardening	USB ports disabled
Data Domain	Monitoring	CloudIQ status
Data Domain	Monitoring	Email alerts
Data Domain	Services and Protocols	Approved NFS versions
Data Domain	Services and Protocols	CIFS SMBv1 status
Data Domain	Services and Protocols	Cloud status
Data Domain	Services and Protocols	DDNS status
Data Domain	Services and Protocols	ESRS status
Data Domain	Services and Protocols	FTP service status
Data Domain	Services and Protocols	HTTP service status
Data Domain	Services and Protocols	IPMI status
Data Domain	Services and Protocols	IPv6 status
Data Domain	Services and Protocols	NDMP status
Data Domain	Services and Protocols	NFS port
Data Domain	Services and Protocols	SNMP status
Data Domain	Services and Protocols	SNMPv1 / SNMPv2 status
Data Domain	Services and Protocols	Telnet status
Data Domain	Services and Protocols	Telnet uninstall
Data Domain	Services and Protocols	VTL service status
... and more.

NOTE: Other than DDOS, additional security baseline checks should be performed against Data Domain Management Center (DDMC), Data Protection Central (DPC), Smart Scale, iDRAC and other Dell EMC components.

Interested to learn about StorageGuard secure configuration checks for Storage and Backup systems?

CONTACT US - Our team will be happy to assist you

Articles in this section

Comments

Articles in this section

Related articles