Dell EMC Data Domain: Recommended Security Baseline Checks

This page provides a list of recommended secure configuration checks for Dell EMC Data Domain, and is periodically updated. Data Domain is part of a suite of appliances used for data protection, backup, storage and deduplication.

ID	System	Category	Configuration check
K010CI0MP0100	Data Domain	Access Control	Approved NTP servers
K010CI0M00105	Data Domain	Access Control	Approved Syslog servers
K010C000P0110	Data Domain	Access Control	CIFS status
K010CI0M00115	Data Domain	Access Control	DD Boost user role
K010CI00P0120	Data Domain	Access Control	DDBoost client ACL
K170CI0MP0125	Data Domain	Access Control	Disable of expired users
K010CI0MP0130	Data Domain	Access Control	FTP ACL
K070CI0MP0135	Data Domain	Access Control	Host-based access lists
K070CI0MP0140	Data Domain	Access Control	HTTP ACL
K070CI0MP0145	Data Domain	Access Control	HTTPS allowed hosts list
K010CI0MP0150	Data Domain	Access Control	IPFilter status
K010CI0MP0155	Data Domain	Access Control	Limit access to iDRAC Virtual Console
K010CI0MP0160	Data Domain	Access Control	Login banner status
K010CI0MP0165	Data Domain	Access Control	Multifactor authentication status
K010CI00P0170	Data Domain	Access Control	NFS export client ACL
K010CI0MP0175	Data Domain	Access Control	NFS/CIFS share ACL
K010CI0000180	Data Domain	Access Control	Non-default local users
K150CI0MP0185	Data Domain	Access Control	Number of concurrent sessions is limited
K010CI0M00190	Data Domain	Access Control	portmapper status
K010CI0MP0195	Data Domain	Access Control	Session timeout
K010CI0MP0200	Data Domain	Access Control	SSH ACL
K110CI0MP0205	Data Domain	Access Control	SSH allowed hosts list
K110CI0MP0210	Data Domain	Access Control	SSH session timeout
K010CI0MP0215	Data Domain	Access Control	Unused ports
K010CI0M00220	Data Domain	Access Control	Web session timeout
K010CI0MP0225	Data Domain	Audit Logging	External log host status
K010CI0MP0230	Data Domain	Audit Logging	External syslog server redundancy
K010CI0MP0235	Data Domain	Audit Logging	NTP configuration
K010CI0MP0240	Data Domain	Audit Logging	NTP server redundancy
K010CI0MP0245	Data Domain	Audit Logging	NTP status
K010CI0MP0250	Data Domain	Audit Logging	Required NTP servers
K010CI0000255	Data Domain	Audit Logging	Required Syslog servers
K010CI0MP0260	Data Domain	Audit Logging	Secure NTP
K010CI0M00265	Data Domain	Authentication	2FA configuration (cert/pass)
K010CI0MP0270	Data Domain	Authentication	2FA configuration (SecurID)
K010CI00P0275	Data Domain	Authentication	Account lockout threshold
K010CI0MP0280	Data Domain	Authentication	Authentication server configuration
K010CI0MP0285	Data Domain	Authentication	Authentication server redundancy
K110CI0MP0290	Data Domain	Authentication	BIOS password set
K010CI00P0295	Data Domain	Authentication	Central Certificate Authority (CA) status
K010C00MP0300	Data Domain	Authentication	Certificate Issuer
K010CI0MP0305	Data Domain	Authentication	Client authentication enforcement
K010CI0MP0310	Data Domain	Authentication	Default local user accounts
K130CI0MP0315	Data Domain	Authentication	Default passwords
K010CI0MP0320	Data Domain	Authentication	Global authentication mode
K010CI0MP0325	Data Domain	Authentication	Initial password change
K010CI0MP0330	Data Domain	Authentication	Kerberos for BoostFS
K010CI0MP0335	Data Domain	Authentication	KMIP configuration
K010CI0000340	Data Domain	Authentication	Maximum number of repeated password characters
K010CI0MP0345	Data Domain	Authentication	Maximum password age
K010CI0MP0350	Data Domain	Authentication	Minimum account lockout duration
K010CI0MP0355	Data Domain	Authentication	Minimum passphrase length
K010CI0M00360	Data Domain	Authentication	Minimum password age
K010CI0MP0365	Data Domain	Authentication	Minimum password digits
K010CI0MP0370	Data Domain	Authentication	Minimum password length
K080CI0MP0375	Data Domain	Authentication	Minimum password lowercase characters
K080CI0MP0380	Data Domain	Authentication	Minimum password special characters
K010CI0MP0385	Data Domain	Authentication	Minimum password uppercase characters
K010CI0MP0390	Data Domain	Authentication	NDMP authentication type
K010CI0MP0395	Data Domain	Authentication	Number of disallowed past passwords
K010CI00P0400	Data Domain	Authentication	Password hash strength
K010CI0MP0405	Data Domain	Authentication	Replication peer authentication
K010CI0MP0410	Data Domain	Authentication	SNMP community default string
K010CI0MP0415	Data Domain	Authentication	SNMP user authentication
K070CI00P0420	Data Domain	Authentication	Two-factor authentication for iDRAC
K010CI0MP0425	Data Domain	Authorization	Approved Admin user/group
K010CI0MP0430	Data Domain	Authorization	Approved CIFS admin users / groups
K010CI0MP0435	Data Domain	Authorization	CIFS anonymous user access restriction
K010CI0MP0440	Data Domain	Authorization	Permission on sensitive directories/files
K190CI0M00445	Data Domain	Authorization	Root squash is enforced
K010CI0MP0450	Data Domain	Authorization	Use of limited-admin
K010CI0MP0455	Data Domain	Backup and Recovery	Align backup retention period policy with retention lock time
K010CI0MP0460	Data Domain	Backup and Recovery	Approved target Data Domain
K010C00MP0465	Data Domain	Backup and Recovery	Automatic lock delay
K010CI0M00470	Data Domain	Backup and Recovery	Automatic retention period
K010CI0MP0475	Data Domain	Backup and Recovery	Backup application commits files for retention locking
K090CI0MP0480	Data Domain	Backup and Recovery	iDRAC Retention Lock Compliance
K090CI0000485	Data Domain	Backup and Recovery	Maximum retention period
K040CI0MP0490	Data Domain	Backup and Recovery	Minimum retention period
K040CI0MP0495	Data Domain	Backup and Recovery	Mtree with retention lock
K010CI0MP0500	Data Domain	Backup and Recovery	Remote replication
K110CI0MP0505	Data Domain	Backup and Recovery	Replication pair status
K010CI0MP0510	Data Domain	Backup and Recovery	Replication topology
K010CI0MP0515	Data Domain	Backup and Recovery	Required Mtree lock
K010CI0MP0520	Data Domain	Backup and Recovery	Retention Lock Compliance license
K010CI0MP0525	Data Domain	Backup and Recovery	Retention Lock configuration
K010CI0MP0530	Data Domain	Backup and Recovery	Retention Lock mode status
K010CI0MP0535	Data Domain	Backup and Recovery	Retention Lock use (manual vs automatic)
K010CI0MP0540	Data Domain	Backup and Recovery	Retention Locking mode
K010CI0MP0545	Data Domain	Backup and Recovery	Security Officer authorization enabled
K010CI00P0550	Data Domain	Backup and Recovery	Target Mtree Replication propagate retention lock
K120CI0MP0555	Data Domain	Configuration Management	DD boost user assignment to single unit
K010CI00P0560	Data Domain	Configuration Management	DNS server redundancy
K010CI0MP0565	Data Domain	Configuration Management	DNS service status
K010CI0MP0570	Data Domain	Configuration Management	File share export options
K010CI0MP0575	Data Domain	Configuration Management	File share max connections
K020CI0000580	Data Domain	Configuration Management	HTTP\HTTPS default port used
K020CI0MP0585	Data Domain	Configuration Management	Remote support configuration
K010CI0MP0590	Data Domain	Configuration Management	Security officer configuration
K010CI0MP0595	Data Domain	Configuration Management	SSH non-default port
K010CI0MP0600	Data Domain	Configuration Management	SSO configuration
K010CI0MP0605	Data Domain	Configuration Management	Target Data Domain OS version
K010C00MP0610	Data Domain	Encryption	Certificate expiry
K010CI0MP0615	Data Domain	Encryption	Certificate key size
K010CI0MP0620	Data Domain	Encryption	Client session encryption is disabled
K170CI0M00625	Data Domain	Encryption	CRL configuration
K010CI0MP0630	Data Domain	Encryption	Data at-rest encryption algorithm
K010CI0MP0635	Data Domain	Encryption	DDBoost encryption enforcement
K010CI0MP0640	Data Domain	Encryption	DDBoost encryption strength
K010CI0MP0645	Data Domain	Encryption	DDBoost file replication encryption
K010CI0MP0650	Data Domain	Encryption	Encryption of data at rest
K010CI0000655	Data Domain	Encryption	ESRS secure connection
K050CI0MP0660	Data Domain	Encryption	In-flight data encryption enforcement
K010CI0MP0665	Data Domain	Encryption	MAC algorithm strength
K010CI0000670	Data Domain	Encryption	Mtree replication encryption
K110CI0MP0675	Data Domain	Encryption	NFS privacy (krb)
K010CI00P0680	Data Domain	Encryption	Replication encryption over wire
K010CI0MP0685	Data Domain	Encryption	Secure LDAP
K010CI0MP0690	Data Domain	Encryption	Self-signed certificates
K010CI0MP0695	Data Domain	Encryption	SMB digital signing
K010CI0MP0700	Data Domain	Encryption	SNMP message privacy
K010CI0MP0705	Data Domain	Encryption	SNMP message privacy algorithm strength
K010CI0MP0710	Data Domain	Encryption	SSH cipher strength
K010CI0MP0715	Data Domain	Encryption	SSL certificate status
K010CI0MP0720	Data Domain	Encryption	TLS for FTP
K010CI0MP0725	Data Domain	Encryption	TLS level
K010CI0MP0730	Data Domain	Hardening	Disable default root account
K010CI0MP0735	Data Domain	Hardening	FIPS mode status
K010CI0MP0740	Data Domain	Hardening	Time change limits
K010CI0MP0745	Data Domain	Hardening	USB ports disabled
K010CI0000750	Data Domain	Monitoring	CloudIQ settings
K010CI0MP0755	Data Domain	Monitoring	Email alerts
K010CI0000760	Data Domain	Monitoring	ESRS settings and state
K010CI0MP0765	Data Domain	Services and Protocols	Approved NFS versions
K010CI0MP0770	Data Domain	Services and Protocols	CIFS SMBv1 status
K010CI0M00775	Data Domain	Services and Protocols	Cloud status
K010CI00P0780	Data Domain	Services and Protocols	DDNS status
K010C00MP0785	Data Domain	Services and Protocols	FTP service
K010CI0MP0790	Data Domain	Services and Protocols	HTTP service
K030CI0MP0795	Data Domain	Services and Protocols	IPMI configuration
K180CI0MP0800	Data Domain	Services and Protocols	IPv6 configuration
K010CI0MP0805	Data Domain	Services and Protocols	NDMP configuration
K110CI0000810	Data Domain	Services and Protocols	NFS port
K010CI0MP0815	Data Domain	Services and Protocols	SNMP service
K010CI0M00820	Data Domain	Services and Protocols	SNMPv1 / SNMPv2 version
K010CI0MP0825	Data Domain	Services and Protocols	Telnet service
K010CI0MP0830	Data Domain	Services and Protocols	Telnet uninstall
K010CI0MP0835	Data Domain	Services and Protocols	VTL service
... and more.

NOTE: Other than DDOS, additional security baseline checks should be performed against Data Domain Management Center (DDMC), Data Protection Central (DPC), Smart Scale, iDRAC and other Dell EMC components.

Interested to learn about StorageGuard Security Posture Management for Dell EMC Data Domain?

Contact us

Articles in this section

Comments

Articles in this section

Related articles