Part 3 of the ‘HPE StoreOnce: Immutability with v12’ series is about a small, but very useful new feature. Before going into it, here are the links to Part 1 and Part 2, in case you’ve missed them.
Thanks to Federico Venier from HPE I noticed that the latest StoreOnce release 4.3.6 did introduce two-factor authentication!
StoreOnce 4.3.6 supports Two-factor authentication (2FA) which provides additional security for users logging into the StoreOnce system, granting clients access to the system only when they present at least two factors of authentication.
https://support.hpe.com/hpesc/public/docDisplay?docId=sd00002919en_us&page=GUID-D9CE533F-9920-4656-A77D-4210E4EC56DE.html
Until now, an attacker would have been able to cause damage if he got access to the Admin and Security officer credentials. I described this process in Part 2 of the series: Veeam V12: Immutability with HPE StoreOnce - Part 2
Now, with 2FA, the security of HPE StoreOnce backup repositories gets a huge boost.
Enable Two-Factor authentication
The setup itself is rather easy. Just enable Two-Factor Authentication under Users and Groups, for both the Admin and the Security officer.
At the next login, you will get prompted to setup 2FA.
The 2FA is TOTP-based, which means you can use one of the many existing apps, like the Google Authenticator, Microsoft Authenticator or andOTP. Just scan the QR code and confirm with a generated code. If you should experience any issues here like an invalid code, it could come from time differences between your authenticator and the StoreOnce. In my lab, for example, I didn't use a NTP server and had -5 minutes difference.
Disabling 2FA
You should know that the console user can reset or disable 2FA for the Admin user. While this means that you can restore access if you should run into any issues, an attacker could potentially circumvent 2FA if he gets access to the console.
I have to note, that it seems that only the local console access can do this (or via remote management like iLO). Accessing the console via SSH didn't provide me this option.
Also the Admin user apparently cannot disable 2FA for the security officer.
So the way how HPE implemented 2FA looks very well thought to me.
Summary
One should use every available security measure to secure the backup environment. Therefore 2FA is a welcome addition for StoreOnce devices and should be enabled after upgrading to firmware 4.3.6. For me this was the missing part after the first implementation of immutability, so now I feel much better and safer.
Again I will close this post with my (updated) security recommendations:
- enable two-factor authentication for StoreOnce users
- keep the 2FA information secret
- don't store the QR code in your password manager or let it generate the TOTP codes
- keep the Security Officer’s credentials secret
- 2FA makes enhances the security but still make sure the credentials aren't easily accessible
- keep the iLO Interface secure or even disconnected
- 2FA can be reset/disabled with console access
- all StoreOnce security measurements won’t help if someone physically wipes the device remotely via iLO
- monitor the immutability setting in Veeam: If an attacker can’t delete your backups, he might just alter or completely disable immutability in Veeam
