This article lists best practices for security hardening for Redstor customers running their own self-hosted Storage Platform, or StorageServers attached to the Redstor Storage Platform.
It is recommended that:
- Operating systems:
- Should be kept up to date and be patched on a regular schedule, including security updates. Failure to do this may leave the servers open to known security vulnerabilities within the operating system.
- Windows Defender service should be enabled.
- Out-of-support operating systems should not be used, and it is strongly recommended to use operating systems that are within Microsoft’s “Mainstream Support” period.
- Note that by using an operating system in Mainstream Support you are best positioned for any future ciphers and changes to recommendations (see below).
- The servers can be joined to Active Directory as desired.
- Complex passwords should be used for all logins, and access to the servers should be restricted to a defined group of administrators.
- The Redstor Storage Platform software should be updated on a regular schedule to address known bugs, including any known security issues.
- Complex passwords should be used for the administrator password, Storage Pool passwords and any Access User passwords.
- Use of an Identity Management System for Access User authentication is recommended – see Article 1210.
- Operating system firewalls should be enabled and set to allow only required traffic:
- AccountServers require inbound connections to their service ports from their client estate. StorageServers and MirrorServers are all typically on TCP port 443.
- StorageServers require inbound connections to their service ports from their client estate and AccountServer(s). The default TCP ports for this are typically 443 or 8443.
- MirrorServers require inbound connections to their service ports from their AccountServers and StorageServers, and additionally access from the client estate to allow for restores from MirrorServers (recommended). The default TCP ports for this are typically 443 or 8443.
- If the client estate is within a defined set of network ranges, access inbound to the servers on port 443 should be restricted to this range. Otherwise, inbound TCP port 443 can be allowed from the internet.
- Storage Platform Consoles for self-hosted Storage Platforms need to allow access to the Storage Platform's servers on the same ports as above from management workstations as part of the above recommendations.
- The SQL Server(s) used by the AccountServer should allow access only from the AccountServer machine. SQL Management Studio can be installed locally to allow for admin access to this. SQL Servers should not be exposed to the Internet.
- Remote Desktop and Windows Remote Management can be used for administration, but access should be restricted to the customer’s own management networks, and not be exposed to the Internet.
- It is not recommended to allow any inbound connections for SMB, NFS or any other file share protocols.
- It is generally recommended to block all inbound traffic except that which is known to be required.
- Outbound connectivity to the Internet is required by the AccountServers for licencing purposes.
- It is recommended to configure NTP protocol, which may have an outbound connectivity requirement.
- Operating system network categories should be set correctly to apply the correct firewall security categories: “Public” category for Internet / client facing interfaces, for example, with “Private”/”Domain” categories for administrative network interfaces.
- It is also recommended to configure network-based firewall solutions, whether these are physical or virtual (such as Azure Network Security Groups), to apply the same rules described above.
- Should you be using Network Address Translation from external IPs on a router to internal IPs on the servers, only the Redstor Platform service ports should be forwarded (eg TCP 443 as described above).
- Certificates signed by a trusted certificate authority can be installed if desired. The key benefit of these is that they will allow the servers to pass penetration test scans (see point on SSL Labs below). Beyond this, there is no change to core behaviour for self-hosted platform or storage-hosted customers, as Redstor-signed certificates are used for platform communications.
- Servers should be set to disable insecure protocols and ciphers as described in Article 875.
- SSL Ciphers security for Storage Platform servers can be tested using third-party tools such as the SSL Labs SSL Server Test.
Note: If certificate authority signed certificates are not in use, trust / certificate name mismatch errors may be encountered. These can be ignored during the test. For more information, see Article 1368.
- Third-party anti-virus/anti-malware software can be installed, but it is recommended to exclude the data paths where customer data is stored – this data is encrypted and should not be accessed by other applications.