This page provides a list of recommended secure configuration checks for Dell EMC Data Domain, and is periodically updated.
Data Domain is part of a suite of appliances used for data protection, backup, storage and deduplication.
System | Category | Configuration check |
Data Domain | Access Control | Approved Syslog servers |
Data Domain | Access Control | CIFS status |
Data Domain | Access Control | DD Boost user role |
Data Domain | Access Control | DDBoost client ACL |
Data Domain | Access Control | Disable of expired users |
Data Domain | Access Control | FTP ACL |
Data Domain | Access Control | Host-based access lists |
Data Domain | Access Control | HTTP ACL |
Data Domain | Access Control | IPFilter status |
Data Domain | Access Control | Limit access to iDRAC Virtual Console |
Data Domain | Access Control | Login banner status |
Data Domain | Access Control | NFS/CIFS share ACL |
Data Domain | Access Control | Non-default local users |
Data Domain | Access Control | Number of concurrent sessions is limited |
Data Domain | Access Control | portmapper status |
Data Domain | Access Control | Session timeout |
Data Domain | Access Control | SSH ACL |
Data Domain | Access Control | SSH session timeout |
Data Domain | Access Control | Unused ports |
Data Domain | Access Control | Web session timeout |
Data Domain | Audit | External log host status |
Data Domain | Audit | External syslog server redundancy |
Data Domain | Audit | NTP configuration |
Data Domain | Audit | NTP server redundancy |
Data Domain | Audit | NTP status |
Data Domain | Audit | Required NTP servers |
Data Domain | Audit | Required Syslog servers |
Data Domain | Authentication | 2FA configuration (cert/pass) |
Data Domain | Authentication | 2FA configuration (SecurID) |
Data Domain | Authentication | Account lockout threshold |
Data Domain | Authentication | Authentication server configuration |
Data Domain | Authentication | Authentication server redundancy |
Data Domain | Authentication | BIOS password set |
Data Domain | Authentication | Central Certificate Authority (CA) status |
Data Domain | Authentication | Certificate Issuer |
Data Domain | Authentication | Client authentication enforcement |
Data Domain | Authentication | Default local user accounts |
Data Domain | Authentication | Default passwords |
Data Domain | Authentication | Global authentication mode |
Data Domain | Authentication | Initial password change |
Data Domain | Authentication | Kerberos for BoostFS |
Data Domain | Authentication | KMIP status |
Data Domain | Authentication | Maximum number of repeated password characters |
Data Domain | Authentication | Maximum password age |
Data Domain | Authentication | Minimum account lockout duration |
Data Domain | Authentication | Minimum passphrase length |
Data Domain | Authentication | Minimum password age |
Data Domain | Authentication | Minimum password digits |
Data Domain | Authentication | Minimum password length |
Data Domain | Authentication | Minimum password lowercase characters |
Data Domain | Authentication | Minimum password special characters |
Data Domain | Authentication | Minimum password uppercase characters |
Data Domain | Authentication | NDMP authentication type |
Data Domain | Authentication | Number of disallowed past passwords |
Data Domain | Authentication | Password hash strength |
Data Domain | Authentication | Replication peer authentication |
Data Domain | Authentication | SNMP community default string |
Data Domain | Authentication | SNMP user authentication |
Data Domain | Authentication | Two-factor authentication for iDRAC |
Data Domain | Authorization | Approved Admin user/group |
Data Domain | Authorization | Approved CIFS admin users / groups |
Data Domain | Authorization | CIFS anonymous user access restriction |
Data Domain | Authorization | Permission on sensitive directories/files |
Data Domain | Authorization | Root squash is enforced |
Data Domain | Authorization | Use of limited-admin |
Data Domain | Backup and Recovery | Remote replication |
Data Domain | Backup and Recovery | Replication topology |
Data Domain | Backup and Recovery | Retention lock configuration |
Data Domain | Configuration Management | DD boost user assignment to single unit |
Data Domain | Configuration Management | DNS server redundancy |
Data Domain | Configuration Management | DNS service status |
Data Domain | Configuration Management | File share export options |
Data Domain | Configuration Management | File share max connections |
Data Domain | Configuration Management | HTTP\HTTPS default port used |
Data Domain | Configuration Management | Remote support configuration |
Data Domain | Configuration Management | Security officer configuration |
Data Domain | Configuration Management | SSO configuration |
Data Domain | Configuration Management | Target Data Domain OS version |
Data Domain | Encryption | Certificate expiry |
Data Domain | Encryption | Certificate key size |
Data Domain | Encryption | Client session encryption is disabled |
Data Domain | Encryption | CRL configuration |
Data Domain | Encryption | Data at-rest encryption algorithm |
Data Domain | Encryption | DDBoost encryption enforcement |
Data Domain | Encryption | DDBoost encryption strength |
Data Domain | Encryption | DDBoost file replication encryption |
Data Domain | Encryption | Encryption of data at rest |
Data Domain | Encryption | ESRS secure connection |
Data Domain | Encryption | In-flight data encryption enforcement |
Data Domain | Encryption | MAC algorithm strength |
Data Domain | Encryption | NFS privacy (krb) |
Data Domain | Encryption | Replication encryption over wire |
Data Domain | Encryption | Secure LDAP |
Data Domain | Encryption | Self-signed certificates |
Data Domain | Encryption | SMB digital signing |
Data Domain | Encryption | SNMP message privacy |
Data Domain | Encryption | SNMP message privacy algorithm strength |
Data Domain | Encryption | SSH cipher strength |
Data Domain | Encryption | SSL certificate status |
Data Domain | Encryption | TLS for FTP |
Data Domain | Encryption | TLS level |
Data Domain | Encryption | TLS level |
Data Domain | Hardening | Disable default root account |
Data Domain | Hardening | FIPS mode status |
Data Domain | Hardening | USB ports disabled |
Data Domain | Monitoring | CloudIQ status |
Data Domain | Monitoring | Email alerts |
Data Domain | Services and Protocols | Approved NFS versions |
Data Domain | Services and Protocols | CIFS SMBv1 status |
Data Domain | Services and Protocols | Cloud status |
Data Domain | Services and Protocols | DDNS status |
Data Domain | Services and Protocols | ESRS status |
Data Domain | Services and Protocols | FTP service status |
Data Domain | Services and Protocols | HTTP service status |
Data Domain | Services and Protocols | IPMI status |
Data Domain | Services and Protocols | IPv6 status |
Data Domain | Services and Protocols | NDMP status |
Data Domain | Services and Protocols | NFS port |
Data Domain | Services and Protocols | SNMP status |
Data Domain | Services and Protocols | SNMPv1 / SNMPv2 status |
Data Domain | Services and Protocols | Telnet status |
Data Domain | Services and Protocols | Telnet uninstall |
Data Domain | Services and Protocols | VTL service status |
... and more. |
NOTE: Other than DDOS, additional security baseline checks should be performed against Data Domain Management Center (DDMC), Data Protection Central (DPC), Smart Scale, iDRAC and other Dell EMC components.
Interested to learn about StorageGuard secure configuration checks for Storage and Backup systems? |
Comments
0 comments
Please sign in to leave a comment.