NetBackup and Veritas Appliances Hardening Guide
- Top recommendations to improve your NetBackup and Veritas appliances security posture
- Introduction
- Keeping all systems and software updated
- Enabling multifactor authentication
- Enabling multiperson authorization
- Increasing the security level
- Implementing an immutable data vault
- Securing credentials
- Reducing network exposure
- Enabling encryption
- Enabling catalog protection
- Enabling malware scanning and anomaly detection
- Enabling security observability
- Restricting user access
- Configuring a sign-in banner
- Steps to protect Flex Appliance
- About Flex Appliance hardening
- Managing multifactor authentication
- Configuring the multi-factor authentication on NetBackup primary and media server instance
- Configuring the multi-factor authentication on NetBackup WORM storage server instance
- Managing single sign-on (SSO)
- Managing user authentication with smart cards or digital certificates
- About lockdown mode
- Using network access control
- Using an external certificate
- Forwarding logs
- Creating a NetBackup WORM storage server instance
- Configuring an isolated recovery environment using the web UI
- Protecting the NetBackup catalog on a WORM storage server
- Using a sign-in banner
- Steps to protect NetBackup Appliance
- About NetBackup Appliance hardening
- About multifactor authentication
- About single sign-on (SSO) authentication and authorization
- About authentication using smart cards and digital certificates
- Disable user access to the NetBackup appliance operating system
- About Network Access Control
- About data encryption
- FIPS 140-2 conformance for NetBackup Appliance
- About implementing external certificates
- About antimalware protection
- About forwarding logs to an external server
- Creating the appliance login banner
- Steps to protect NetBackup
- About NetBackup hardening
- About multifactor authentication
- Configure NetBackup for single sign-on (SSO)
- Configure user authentication with smart cards or digital certificates
- Workflow to configure multi-person authorization for NetBackup operations
- Access codes
- Workflow to configure immutable and indelible data
- Add a configuration for an external CMS server
- Configuring an isolated recovery environment on a NetBackup BYO media server
- About FIPS support in NetBackup
- Installing KMS
- Workflow for external KMS configuration
- Validating KMS credentials
- Configuring KMS credentials
- Configuring KMS
- Creating keys in an external KMS
- Workflow to configure data-in-transit encryption
- Workflow to use external certificates for NetBackup host communication
- About certificate revocation lists for external CA
- Configure an external certificate for the NetBackup web server
- Configuring the primary server to use an external CA-signed certificate
- Configuring an external certificate for a clustered primary server
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- ECA_TRUST_STORE_PATH for NetBackup servers and clients
- ECA_PRIVATE_KEY_PATH for NetBackup servers and clients
- ECA_KEY_PASSPHRASEFILE for NetBackup servers and clients
- ECA_CRL_CHECK for NetBackup servers and clients
- ECA_CRL_PATH for NetBackup servers and clients
- ECA_CRL_PATH_SYNC_HOURS for NetBackup servers and clients
- ECA_CRL_REFRESH_HOURS for NetBackup servers and clients
- ECA_DISABLE_AUTO_ENROLLMENT for NetBackup servers and clients
- ECA_DR_BKUP_WIN_CERT_STORE for NetBackup servers and clients
- MANAGE_WIN_CERT_STORE_PRIVATE_KEY option for NetBackup primary servers
- Guidelines for managing the primary server NetBackup catalog
- About protecting the MSDP catalog
- How to set up malware scanning
- About backup anomaly detection
- Send audit events to system logs
- Send audit events to log forwarding endpoints
- Display a banner to users when they sign in
- Steps to protect NetBackup Flex Scale
- About NetBackup Flex Scale hardening
- About the security meter
- STIG overview for NetBackup Flex Scale
- FIPS overview for NetBackup Flex Scale
- Managing the login banner
- Changing the password policy
- Support for immutability in NetBackup Flex Scale
- Authenticating users using digital certificates or smart cards
- About system certificates on NetBackup Flex Scale
- Deploying external certificates on NetBackup Flex Scale
- About multifactor authentication
- Considerations before configuring multifactor authentication
- Configuring multifactor authentication for your user account
- Disabling multifactor authentication for your user account
- Enforcing multifactor authentication for all users
- Configuring multifactor authentication for your user account when it is enforced in the cluster
- Resetting multifactor authentication for a user
- About single sign-on (SSO) configuration
About lockdown modes
Lockdown mode is one of the features of ransomware protection. The lockdown mode protects your cluster data from internal and external threats by securing all the external endpoints from unauthorized access. Access to all the services is protected and authenticated.
NetBackup Flex Scale lockdown mode offers additional security levels to protect your appliance and data, in addition to the hardened, secure operating environment that comes out of the box.
Lockdown mode provides the following benefits:
It prevents unauthorized access or modification to the underlying operating system (OS). Once the lockdown mode is enabled, administrators cannot make changes to the OS or the internal components. If you need access to the OS for emergency operations, you must contact Veritas Technical Support to obtain a Support Key and temporarily unlock the appliance. This functionality prevents unauthorized changes even if a malicious user gains access to stolen credentials.
It gives the appliance users options for managing WORM (Write Once Read Many) data. Your data is protected from being encrypted, modified, and deleted using WORM properties.
Different lockdown modes provide different level of granularity for WORM and retention. The NetBackup Flex Scale appliance support three lockdown modes.
Normal mode:
This is the default mode of the cluster if the lockdown mode is not specified during installation.
In this mode, WORM and retention capabilities are disabled. User cannot create worm STU in this mode.
Enterprise mode:
In this mode, WORM and data retention features are enabled.
User can choose to create WORM-enabled STU.
User has the option to remove the retention locks and expire image data.
User can extend the retention period but cannot reduce the retention period.
The retention time period can be extended from the NetBackup primary container only if the user has the NetBackup administrator role.
Retention can be disabled or retention lock can be removed using the MSDP Restricted Shell only if the user has the appliance administrator role.
After removing the images retention locks from the MSDP Restricted Shell, the user still cannot expire images from the NetBackup Administration Console, but can expire the images from the NetBackup primary server using the following command:
/usr/openv/netbackup/bin/admincmd/bpexpdate -backupid n155-h201.cdc.veritas.com_1631842421 -d 0 -copy 1 -try_expire_worm_copy
Compliance mode:
In this mode, WORM and data retention features are enabled.
The user can extend the retention period.
The user does not have the option to remove retention locks and expire image data before the predefined time.
Once appliance lockdown mode is set to compliance, user does not have the option to delete data until it is expired.
Veritas strongly recommends that you enable enterprise lockdown mode to prevent unauthorized access to the OS, even if you do not plan to create WORM storage instances.