This page provides a list of recommended secure configuration checks for Dell PowerProtect DD, and is periodically updated. PowerProtect DD is part of a suite of appliances used for data protection, backup, storage and deduplication.
Interested to learn about StorageGuard Benchmark Checks for Dell PowerProtect? | ||
|
|
|
| ID | System | Category | Configuration check |
| K010CI0MP0100 | PowerProtect DD | Access Control | Approved NTP servers |
| K010CI0M00105 | PowerProtect DD | Access Control | Approved Syslog servers |
| K010C000P0110 | PowerProtect DD | Access Control | CIFS status |
| K010CI0M00115 | PowerProtect DD | Access Control | DD Boost user role |
| K010CI00P0120 | PowerProtect DD | Access Control | DDBoost client ACL |
| K170CI0MP0125 | PowerProtect DD | Access Control | Disable of expired users |
| K010CI0MP0130 | PowerProtect DD | Access Control | FTP ACL |
| K070CI0MP0135 | PowerProtect DD | Access Control | Host-based access lists |
| K070CI0MP0140 | PowerProtect DD | Access Control | HTTP ACL |
| K070CI0MP0145 | PowerProtect DD | Access Control | HTTPS allowed hosts list |
| K010CI0MP0150 | PowerProtect DD | Access Control | IPFilter status |
| K010CI0MP0155 | PowerProtect DD | Access Control | Limit access to iDRAC Virtual Console |
| K010CI0MP0160 | PowerProtect DD | Access Control | Login banner status |
| K010CI0MP0165 | PowerProtect DD | Access Control | Multifactor authentication status |
| K010CI00P0170 | PowerProtect DD | Access Control | NFS export client ACL |
| K010CI0MP0175 | PowerProtect DD | Access Control | NFS/CIFS share ACL |
| K010CI0000180 | PowerProtect DD | Access Control | Non-default local users |
| K150CI0MP0185 | PowerProtect DD | Access Control | Number of concurrent sessions is limited |
| K010CI0M00190 | PowerProtect DD | Access Control | portmapper status |
| K010CI0MP0195 | PowerProtect DD | Access Control | Session timeout |
| K010CI0MP0200 | PowerProtect DD | Access Control | SSH ACL |
| K110CI0MP0205 | PowerProtect DD | Access Control | SSH allowed hosts list |
| K110CI0MP0210 | PowerProtect DD | Access Control | SSH session timeout |
| K010CI0MP0215 | PowerProtect DD | Access Control | Unused ports |
| K010CI0M00220 | PowerProtect DD | Access Control | Web session timeout |
| K010CI0M00223 | PowerProtect DD | Access Control | Replication interface access |
| K010CI0MP0225 | PowerProtect DD | Audit | External log host status |
| K010CI0MP0230 | PowerProtect DD | Audit | External syslog server redundancy |
| K010CI0MP0235 | PowerProtect DD | Audit | NTP configuration |
| K010CI0MP0240 | PowerProtect DD | Audit | NTP server redundancy |
| K010CI0MP0245 | PowerProtect DD | Audit | NTP status |
| K010CI0MP0250 | PowerProtect DD | Audit | Required NTP servers |
| K010CI0000255 | PowerProtect DD | Audit | Required Syslog servers |
| K010CI0MP0260 | PowerProtect DD | Audit | Secure NTP |
| K010CI0M00265 | PowerProtect DD | Authentication | 2FA configuration (cert/pass) |
| K010CI0MP0270 | PowerProtect DD | Authentication | 2FA configuration (SecurID) |
| K010CI00P0275 | PowerProtect DD | Authentication | Account lockout threshold |
| K010CI0MP0280 | PowerProtect DD | Authentication | Authentication server configuration (if used) |
| K010CI0MP0285 | PowerProtect DD | Authentication | Authentication server redundancy (if used) |
| K110CI0MP0290 | PowerProtect DD | Authentication | BIOS password set |
| K010CI00P0295 | PowerProtect DD | Authentication | Central Certificate Authority (CA) status |
| K010C00MP0300 | PowerProtect DD | Authentication | Certificate Issuer |
| K010CI0MP0305 | PowerProtect DD | Authentication | Client authentication enforcement |
| K010CI0MP0310 | PowerProtect DD | Authentication | Default local user accounts |
| K130CI0MP0315 | PowerProtect DD | Authentication | Default passwords |
| K010CI0MP0320 | PowerProtect DD | Authentication | Global authentication mode |
| K010CI0MP0325 | PowerProtect DD | Authentication | Initial password change |
| K010CI0MP0330 | PowerProtect DD | Authentication | Kerberos for BoostFS |
| K010CI0MP0335 | PowerProtect DD | Authentication | KMIP configuration |
| K010CI0000340 | PowerProtect DD | Authentication | Maximum number of repeated password characters |
| K010CI0MP0345 | PowerProtect DD | Authentication | Maximum password age |
| K010CI0MP0350 | PowerProtect DD | Authentication | Minimum account lockout duration |
| K010CI0MP0355 | PowerProtect DD | Authentication | Minimum passphrase length |
| K010CI0M00360 | PowerProtect DD | Authentication | Minimum password age |
| K010CI0MP0365 | PowerProtect DD | Authentication | Minimum password digits |
| K010CI0MP0370 | PowerProtect DD | Authentication | Minimum password length |
| K080CI0MP0375 | PowerProtect DD | Authentication | Minimum password lowercase characters |
| K080CI0MP0380 | PowerProtect DD | Authentication | Minimum password special characters |
| K010CI0MP0385 | PowerProtect DD | Authentication | Minimum password uppercase characters |
| K010CI0MP0390 | PowerProtect DD | Authentication | NDMP authentication type |
| K010CI0MP0395 | PowerProtect DD | Authentication | Number of disallowed past passwords |
| K010CI00P0400 | PowerProtect DD | Authentication | Password hash strength |
| K010CI0MP0405 | PowerProtect DD | Authentication | Replication peer authentication |
| K010CI0MP0410 | PowerProtect DD | Authentication | SNMP community default string |
| K010CI0MP0415 | PowerProtect DD | Authentication | SNMP user authentication |
| K070CI00P0420 | PowerProtect DD | Authentication | Two-factor authentication for iDRAC |
| K010CI0MP0425 | PowerProtect DD | Authorization | Approved Admin user/group |
| K010CI0MP0430 | PowerProtect DD | Authorization | Approved CIFS admin users / groups |
| K010CI0MP0435 | PowerProtect DD | Authorization | CIFS anonymous user access restriction |
| K010CI0MP0440 | PowerProtect DD | Authorization | Permission on sensitive directories/files |
| K190CI0M00445 | PowerProtect DD | Authorization | Root squash is enforced |
| K010CI0MP0450 | PowerProtect DD | Authorization | Use of limited-admin |
| K010CI0MP0455 | PowerProtect DD | Backup and Recovery | Align backup retention period policy with retention lock time |
| K010CI0MP0460 | PowerProtect DD | Backup and Recovery | Approved target Data Domain |
| K010C00MP0465 | PowerProtect DD | Backup and Recovery | Automatic lock delay |
| K010CI0M00470 | PowerProtect DD | Backup and Recovery | Automatic retention period |
| K010CI0MP0475 | PowerProtect DD | Backup and Recovery | Backup application commits files for retention locking |
| K090CI0MP0480 | PowerProtect DD | Backup and Recovery | iDRAC Retention Lock Compliance |
| K090CI0000485 | PowerProtect DD | Backup and Recovery | Maximum retention period |
| K040CI0MP0490 | PowerProtect DD | Backup and Recovery | Minimum retention period |
| K040CI0MP0495 | PowerProtect DD | Backup and Recovery | Mtree with retention lock |
| K010CI0MP0500 | PowerProtect DD | Backup and Recovery | Remote replication |
| K110CI0MP0505 | PowerProtect DD | Backup and Recovery | Replication pair status |
| K010CI0MP0510 | PowerProtect DD | Backup and Recovery | Replication topology |
| K010CI0MP0515 | PowerProtect DD | Backup and Recovery | Required Mtree lock |
| K010CI0MP0520 | PowerProtect DD | Backup and Recovery | Retention Lock Compliance license |
| K010CI0MP0525 | PowerProtect DD | Backup and Recovery | Retention Lock configuration |
| K010CI0MP0530 | PowerProtect DD | Backup and Recovery | Retention Lock mode status |
| K010CI0MP0535 | PowerProtect DD | Backup and Recovery | Retention Lock use (manual vs automatic) |
| K010CI0MP0540 | PowerProtect DD | Backup and Recovery | Retention Locking mode |
| K010CI0MP0545 | PowerProtect DD | Backup and Recovery | Security Officer authorization enabled |
| K010CI00P0550 | PowerProtect DD | Backup and Recovery | Target Mtree Replication propagate retention lock |
| K120CI0MP0555 | PowerProtect DD | Configuration Management | DD boost user assignment to single unit |
| K010CI00P0560 | PowerProtect DD | Configuration Management | DNS server redundancy |
| K010CI0MP0565 | PowerProtect DD | Configuration Management | DNS service status |
| K010CI0MP0570 | PowerProtect DD | Configuration Management | File share export options |
| K010CI0MP0575 | PowerProtect DD | Configuration Management | File share max connections |
| K020CI0000580 | PowerProtect DD | Configuration Management | HTTP\HTTPS default port used |
| K020CI0MP0585 | PowerProtect DD | Configuration Management | Remote support configuration |
| K010CI0MP0590 | PowerProtect DD | Configuration Management | Security officer configuration |
| K010CI0MP0595 | PowerProtect DD | Configuration Management | SSH non-default port |
| K010CI0MP0600 | PowerProtect DD | Configuration Management | SSO configuration |
| K010CI0MP0605 | PowerProtect DD | Configuration Management | Target Data Domain OS version |
| K010C00MP0610 | PowerProtect DD | Encryption | Certificate expiry |
| K010CI0MP0615 | PowerProtect DD | Encryption | Certificate key size |
| K010CI0MP0620 | PowerProtect DD | Encryption | Client session encryption is disabled |
| K170CI0M00625 | PowerProtect DD | Encryption | CRL configuration |
| K010CI0MP0630 | PowerProtect DD | Encryption | Data at-rest encryption algorithm |
| K010CI0MP0635 | PowerProtect DD | Encryption | DDBoost encryption enforcement |
| K010CI0MP0640 | PowerProtect DD | Encryption | DDBoost encryption strength |
| K010CI0MP0645 | PowerProtect DD | Encryption | DDBoost file replication encryption |
| K010CI0MP0650 | PowerProtect DD | Encryption | Encryption of data at rest |
| K010CI0000655 | PowerProtect DD | Encryption | ESRS secure connection |
| K050CI0MP0660 | PowerProtect DD | Encryption | In-flight data encryption enforcement |
| K010CI0MP0665 | PowerProtect DD | Encryption | MAC algorithm strength |
| K010CI0000670 | PowerProtect DD | Encryption | Mtree replication encryption |
| K110CI0MP0675 | PowerProtect DD | Encryption | NFS privacy (krb) |
| K010CI00P0680 | PowerProtect DD | Encryption | Replication encryption over wire |
| K010CI0MP0685 | PowerProtect DD | Encryption | Secure LDAP |
| K010CI0MP0690 | PowerProtect DD | Encryption | Self-signed certificates |
| K010CI0MP0695 | PowerProtect DD | Encryption | SMB digital signing |
| K010CI0MP0700 | PowerProtect DD | Encryption | SNMP message privacy |
| K010CI0MP0705 | PowerProtect DD | Encryption | SNMP message privacy algorithm strength |
| K010CI0MP0710 | PowerProtect DD | Encryption | SSH cipher strength |
| K010CI0MP0715 | PowerProtect DD | Encryption | SSL certificate status |
| K010CI0MP0720 | PowerProtect DD | Encryption | TLS for FTP |
| K010CI0MP0725 | PowerProtect DD | Encryption | TLS level |
| K010CI0MP0730 | PowerProtect DD | Hardening | Disable default root account |
| K010CI0MP0735 | PowerProtect DD | Hardening | FIPS mode status |
| K010CI0MP0740 | PowerProtect DD | Hardening | Time change limits |
| K010CI0MP0745 | PowerProtect DD | Hardening | USB ports disabled |
| K010CI0000750 | PowerProtect DD | Monitoring | CloudIQ settings |
| K010CI0MP0755 | PowerProtect DD | Monitoring | Email alerts |
| K010CI0000760 | PowerProtect DD | Monitoring | ESRS settings and state |
| K010CI0MP0765 | PowerProtect DD | Services and Protocols | Approved NFS versions |
| K010CI0MP0770 | PowerProtect DD | Services and Protocols | CIFS SMBv1 status |
| K010CI0M00775 | PowerProtect DD | Services and Protocols | Cloud status |
| K010CI00P0780 | PowerProtect DD | Services and Protocols | DDNS status |
| K010C00MP0785 | PowerProtect DD | Services and Protocols | FTP service |
| K010CI0MP0790 | PowerProtect DD | Services and Protocols | HTTP service |
| K030CI0MP0795 | PowerProtect DD | Services and Protocols | IPMI configuration |
| K180CI0MP0800 | PowerProtect DD | Services and Protocols | IPv6 configuration |
| K010CI0MP0805 | PowerProtect DD | Services and Protocols | NDMP configuration |
| K110CI0000810 | PowerProtect DD | Services and Protocols | NFS port |
| K010CI0MP0815 | PowerProtect DD | Services and Protocols | SNMP service |
| K010CI0M00820 | PowerProtect DD | Services and Protocols | SNMPv1 / SNMPv2 version |
| K010CI0MP0825 | PowerProtect DD | Services and Protocols | Telnet service |
| K010CI0MP0830 | PowerProtect DD | Services and Protocols | Telnet uninstall |
| K010CI0MP0835 | PowerProtect DD | Services and Protocols | VTL service |
| K010CI0MP0840 | PowerProtect DD | Isolation | Unique credentials |
| K010CI0MP0845 | PowerProtect DD | Isolation | Use of local users (No AD) |
| ... and more. |
NOTE: Other than DDOS, additional security baseline checks should be performed against Data Protection Central (DPC), PowerProtect Data Manager, Smart Scale, iDRAC and other Dell EMC components.
Comments
0 comments
Please sign in to leave a comment.