This guide is intended as a high-level overview of security hardening best practices for Redstor customers running their own self-hosted Storage Platform, or Storage Servers attached to the Redstor Storage Platform.
It is recommended that:
- Operating systems:
  - Should be kept up to date and patched on a regular schedule, including security updates. Failure to do this may leave the servers open to known security vulnerabilities within the operating system.
  - Windows Defender service should be enabled.
  - Out-of-support operating systems should not be used, and it is strongly recommended to use operating systems that are within Microsoft’s “Mainstream Support” period.
    - Note that by using an operating system in Mainstream Support you are best positioned for any future ciphers and changes to recommendations (see below).
  - The servers can be joined to Active Directory as desired.
  - Complex passwords should be used for all logins, and access to the servers should be restricted to a defined group of administrators.
- The Redstor Storage Platform software should be updated on a regular schedule to address known bugs, including any known security issues.
- Complex passwords should be used for the administrator password, storage pool passwords and any access user passwords.
- Use of an Identity Management System for access user authentication is recommended – see https://support.redstor.com/hc/en-gb/articles/360019589653-1210-How-to-set-up-an-Identity-Management-System-IMS-for-accessing-the-Redstor-Storage-Platform
- Operating System Firewalls should be enabled and set to allow only required traffic:
  - Account Servers require inbound connections to their service ports from their client estate, Storage Servers and Mirror Servers, all typically on TCP port 443.
  - Storage Servers require inbound connections to their service ports from their client estate and Account Server(s). The default TCP ports for this are typically 443 or 8443.
  - Mirror Servers require inbound connections to their service ports from their Account Servers and Storage Servers, and additionally access from the client estate to allow for restores from Mirror Servers (recommended). The default TCP ports for this are typically 443 or 8443.
  - If the client estate is within a defined set of network ranges, inbound access to the servers on port 443 should be restricted to these ranges. Otherwise, inbound TCP port 443 can be allowed from the Internet.
  - For Storage Platform Console access on self-hosted Storage Platforms, management workstations need access to the Storage Platform servers on the same ports as above, as part of the above recommendations.
  - The SQL Server(s) used by the Account Server should allow access only from the Account Server machine. SQL Management Studio can be installed locally to allow for admin access to this. SQL Servers should not be exposed to the Internet.
  - Remote Desktop and Windows Remote Management can be used for administration, but access should be restricted to the customer’s own management networks, and not exposed to the Internet.
  - It is not recommended to allow any inbound connections for SMB, NFS or any other file share protocols.
  - It is generally recommended to block all inbound traffic except that which is known to be required.
  - Outbound connectivity to the Internet is required by the Account Servers for licensing purposes.
  - It is recommended to configure NTP, which may have an outbound connectivity requirement.
- Operating System Network Categories should be set correctly so that the correct firewall security categories apply: the “Public” category for Internet / client-facing interfaces, for example, with “Private”/“Domain” categories for administrative network interfaces.
- It is also recommended to configure network-based firewall solutions, whether these are physical or virtual such as Azure Network Security Groups, to apply the same rules described above.
- Should you be using Network Address Translation from external IPs on a router to internal IPs on the servers, only the Redstor platform service ports should be forwarded (e.g. TCP 443 as described above).
- Certificates signed by a trusted Certificate Authority can be installed if desired. The key benefit to these is that they will allow the servers to pass penetration test scans (see below point on SSL Labs). Beyond this, there is no change to core behaviour for self-hosted platform or storage hosted customers as Redstor signed certificates are used for platform communications.
- Servers should be set to disable insecure protocols and ciphers as described in the following Knowledgebase article: https://support.redstor.com/hc/en-gb/articles/115002690453-875-How-to-set-the-cipher-suite-on-the-Storage-Platform
- SSL cipher security for Storage Platform servers can be tested using third-party tools such as SSL Labs SSL Server Test: https://www.ssllabs.com/ssltest/analyze.html
  Note: if Certificate Authority signed certificates are not in use, trust / certificate name mismatch errors may be encountered. These can be ignored during the test. To understand why, please see: https://support.redstor.com/hc/en-gb/articles/4408062832913-1368-Understanding-Redstor-Pro-Platform-Certificates.
- Third-party anti-virus / anti-malware software can be installed, but it is recommended to exclude the data paths where customer data is stored: this data is encrypted and should not be accessed by other applications.
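
The operating system firewall and network category recommendations above, written out for a single Storage Server with the built-in Windows `NetSecurity` and `NetConnection` cmdlets. This is an added example, not Redstor's own script: the address ranges are constructed documentation ranges, and the interface aliases and rule names are hypothetical and must be replaced with your own.

```powershell
# Added example for a Storage Server; run from an elevated console session.
# Constructed placeholder values (assumptions), replace with your own:
$ClientRanges   = @('203.0.113.0/24')   # client estate ranges
$AccountServers = @('198.51.100.10')    # Account Server address(es)
$MgmtRanges     = @('192.0.2.0/24')     # management network / workstations
$ServicePorts   = @(443, 8443)          # typical service ports from this guide
$PublicNic      = 'Ethernet0'           # hypothetical client-facing interface alias
$MgmtNic        = 'Ethernet1'           # hypothetical administrative interface alias

# Firewall enabled on every profile; block inbound unless a rule allows it.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Network categories (a domain-joined interface is categorised automatically).
Set-NetConnectionProfile -InterfaceAlias $PublicNic -NetworkCategory Public
Set-NetConnectionProfile -InterfaceAlias $MgmtNic   -NetworkCategory Private

# Service ports: client estate, Account Server(s) and management workstations only.
New-NetFirewallRule -DisplayName 'SP service ports (restricted sources)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $ServicePorts `
    -RemoteAddress ($ClientRanges + $AccountServers + $MgmtRanges) -Profile Any

# RDP (3389) and WinRM (5985/5986): management network only.
New-NetFirewallRule -DisplayName 'SP admin RDP/WinRM (management only)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389,5985,5986 `
    -RemoteAddress $MgmtRanges -Profile Domain,Private

# File share protocols: explicit block (block rules override allow rules).
New-NetFirewallRule -DisplayName 'SP block SMB/NFS inbound' `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort 139,445,2049 -Profile Any

# Audit: enabled inbound allow rules that still accept any remote address.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    Select-Object DisplayName, Profile
```

The final audit query lists any rules, including built-in Windows ones such as the default Remote Desktop rules, that remain open to all sources so they can be scoped or disabled. If the client estate is not within defined ranges, the guide permits the 443 rule to be opened to the Internet instead.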