Dell EMC NetWorker Security Configuration Guide
Dell EMC NetWorker Version 18.2
Security Configuration Guide
302-005-318 Rev 03
September, 2019

Copyright © 2014-2019 Dell Inc. or its subsidiaries. All rights reserved.

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA.

Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com

CONTENTS

Figures
Tables
Preface

Chapter 1 Introduction

Chapter 2 Access Control Settings
    NetWorker Authentication Service
    NetWorker Authentication Service database
    Managing authentication
        Configuring LDAP or AD authentication authorities
        Querying the LDAP or AD directory from NetWorker Authentication Service
        Managing the NetWorker Authentication Service local database
        Harden the Authentication Service on port 9090
    Managing the NetWorker Authentication Service options
        Managing token policies
        Managing local database password policies
        Configure CLI options
        Changing the NetWorker Authentication Service port
    How user authentication and authorization works in NMC and NetWorker
        Modifying authentication methods for NetWorker servers in NMC
        User authorization
        Changing the NetWorker Authentication Service hostname and port number
    How user authentication and authorization works in NWUI
    Enabling HTTPS on an Apache Web Server
        Launching the NMC through an HTTPS port
    Disabling SSLv3 cipher connectivity to the PostgreSQL database on the NMC server
    Component access control
        Component authentication
        Component authorization
    Generate self signed certificate
    Enabling two factor authentication for AD and LDAP users

Chapter 3 Log Settings
    NetWorker log files
        NetWorker Server log files
        NMC server log files
        NetWorker Client log files
        View log files
        Raw log file management
        Monitoring changes to the NetWorker server resources
        Configuring logging levels
    NetWorker Authentication Service logs
        NetWorker Authentication Service log files
        NetWorker Authentication Service server log file management
        CLI log file management

Chapter 4 Communication Security Settings
    Port usage and firewall support
        Service ports
        Connection ports
    Special considerations for firewall environments
        Configuring TCP keepalives at the operating system level
    Determining service port requirements
        NetWorker client service port requirements
        Service port requirements for NetWorker storage nodes
        Service port requirements for the NetWorker server
        Service port requirements for NMC Server
    Configuring service port ranges in NetWorker
        Determine the available port numbers
        Configuring the port ranges in NetWorker
    Configuring the service ports on the firewall
        How to confirm the NMC server service ports
    Determining service port requirement examples
    Troubleshooting

Chapter 5 Data Security Settings
    AES encryption for backup and archive data
        Creating or modifying the lockbox resource
        Defining the AES pass phrase
        Configuring the client resource to use AES encryption
        Configure encryption for a client-initiated backup
        Recover encrypted data
    Federal Information Processing Standard compliance
    Data integrity
        Verifying the integrity of the backup data
        Verifying the integrity of the NetWorker server media data and client file indexes
    Data erasure
        NetWorker server media database and index data management
        Manually erasing data on tape and VTL volumes
        Manually erasing data from an AFTD
    Security alert system settings
        Monitoring changes to NetWorker server resources
        Security audit logging

Chapter 6 Hardening the NetWorker
    Security Hardening For The NetWorker Management Console
        Enabling the Modules Required To Harden Apache httpd
        Enable Apache httpd directives
        Enabling HTTPS
        Configuring gconsole file to Enable HTTPS
        Replacing Default Tomcat Web Pages
    Security Hardening For The NetWorker Authentication Tomcat Service
        Hardening the NSR Tomcat Services
    Harden the Authentication Service on port 9090

FIGURES

1 NetWorker Authentication Service Database hierarchy
2 External Authority pane in the NMC Console
3 Create External Authentication Authority
4 User