HPE StoreOnce Immutability - Technical and legal aspects - Part 2



Hi all, 

I would like to continue talking about the technical aspects and authorization workflow for dual authentication related to the use of HPE StoreOnce and its immutability. Following the description of the less technical part covered in the previous article, we will look at some configuration aspects.


TECHNICAL PRACTICES ON STOREONCE

Below we go on to describe the technical procedures for using immutability functions on StoreOnce.

REQUIREMENTS

Before moving on to the configuration, it is worth restating the prerequisites for the proper use of all the components involved in immutability with StoreOnce.

  • Minimum firmware version required: 4.3.2 (4.3.6 or later for MFA)
  • Creation of user accounts with specific roles
  • Two-factor authentication
  • Enabling and configuring Dual Authorization
  • Type of operations allowed
  • The "Maximum ISV Controlled Data Retention" parameter must be set to 365000 in the Catalyst Store configuration.
  • It is recommended to use incremental backup processes with the application of synthetic full to optimize the data transfer rate.

ROLES AND TYPES OF USERS

The following roles should be associated with users based on their functions:

  • Administrator: This role allows the user to create and edit functions from the StoreOnce management console. Any user with the Administrator role has the same permissions as the default Admin account.
  • Security Officer: This role restricts the user to viewing, approving and denying dual authorization requests. For all other features, access is limited to monitoring and viewing.
  • BackupAdmin: This role limits the user to creating, editing, and managing data services functions.
  • Backup Operator: This role limits the user to monitoring and viewing data services functions.

User types

The following types of user accounts are available:

  • Local User (typically administrators): Accessed locally using credentials stored on StoreOnce.
  • Directory User: Log in using Domain Users.
  • Directory Group: Active Directory groups.

NOTE: To add domain users or groups, the StoreOnce must itself be joined to the domain.


Default account

During StoreOnce installation a default user account (Admin) is created with the Administrator role. It is not possible to delete this account. It is advisable to change the default Admin user password to avoid security holes and keep it in a safe place.

Some recommended best practices from HPE

- Create additional accounts and assign them the roles that grant only the minimum privileges necessary, to prevent accidental or malicious data loss.

- If you create a group with the Observer role, HPE recommends setting up a user in the group with the Administrator role. (Roles set up with the Add User action take precedence over roles set up with the Add Group action.)

- Active Directory or LDAP users are recommended whenever possible.

Note: for me, using LDAP or AD users is not the best way. Why? Read the next paragraph.


TWO-FACTOR AUTHENTICATION (2FA)

NOTE: Two-factor authentication (2FA) is available from firmware version 4.3.6 onwards.

It is only available for local users.

Security for accessing the StoreOnce management panel can be further enhanced by implementing MFA.

Configuration is quite simple: it involves enabling two-factor authentication in Users and Groups for both the Administrator and the Security Officer.


Once this is done, at the next login you will be prompted to set up two-factor authentication.

The 2FA is TOTP-based, which means you can use one of the many existing applications, such as the Google Authenticator, Microsoft Authenticator, or FreeOTP. Just scan the QR code and confirm with a generated code.


2FA is simply an additional security layer to prevent unauthorized access to systems. Combined with immutability and Dual Authorization, it is part of the recommended actions to counter ransomware attacks and unauthorized deletions.

An additional security note, particularly related to 2FA: keep the iLO interface secure (or even disconnected). 2FA options can in fact be reset and disabled by logging into the console remotely via iLO.


ENABLING DUAL AUTHORIZATION


Dual Authorization is a security procedure that requires two different users to approve an action. It helps to prevent data loss due to malicious activity, and requires that individuals are able to identify inappropriate actions, follow the correct approval flow, and confirm the real need to perform the requested operation.

Dual authorization is disabled by default. Its operational logic requires two people with different StoreOnce roles:

  • An Administrator user: administrator privileges are required to enable dual authorization.
  • A Security Officer user: required to use this feature. You cannot enable dual authorization if you do not have a Security Officer user.

You can create another user with Security Officer privileges. However, creating a new user is itself a protected operation requiring another Security Officer's authorization.

Unlike 2FA, dual authorization does not use OTP tokens or anything similar. It is a double check that requires a second user to approve the requested task. DA prevents the removal of immutability and the deletion of the Catalyst stores that use it.
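As an added illustration (not HPE's code or API), the following Python model captures the approval rules described above: DA can only be enabled by an Administrator when a Security Officer exists, protected operations are refused while DA is off, and a pending request must be approved by a Security Officer other than the requester. The operation names are constructed labels.

```python
# Added example: a minimal model of the StoreOnce dual-authorization (DA)
# workflow described in the article. Illustrative only; not HPE's implementation.
from dataclasses import dataclass, field
from typing import Dict, Optional

ADMIN, SEC_OFFICER = "Administrator", "Security Officer"
# Operations the article says DA protects (labels are constructed for this model).
PROTECTED = {"remove_immutability", "delete_catalyst_store", "create_security_officer"}


@dataclass
class Request:
    op: str
    requester: str
    approver: Optional[str] = None


@dataclass
class StoreOnceDA:
    users: Dict[str, str]                      # user name -> role
    enabled: bool = False                      # DA is disabled by default
    pending: Dict[int, Request] = field(default_factory=dict)
    next_id: int = 1

    def enable(self, admin: str) -> None:
        """Enabling DA needs an Administrator and at least one Security Officer user."""
        if self.users.get(admin) != ADMIN:
            raise PermissionError(f"{admin} is not an Administrator")
        if SEC_OFFICER not in self.users.values():
            raise RuntimeError("cannot enable DA without a Security Officer user")
        self.enabled = True

    def request(self, op: str, user: str) -> int:
        """Unprotected ops run at once (returns 0); protected ops need DA and wait for approval."""
        if user not in self.users:
            raise PermissionError(f"unknown user {user}")
        if op not in PROTECTED:
            return 0
        if not self.enabled:
            raise RuntimeError("dual authorization is disabled; enable it first")
        rid, self.next_id = self.next_id, self.next_id + 1
        self.pending[rid] = Request(op, user)
        return rid

    def approve(self, rid: int, approver: str) -> Request:
        """Only a Security Officer who is not the requester may approve (separation of duties)."""
        req = self.pending[rid]
        if self.users.get(approver) != SEC_OFFICER:
            raise PermissionError(f"{approver} is not a Security Officer")
        if approver == req.requester:
            raise PermissionError("requester cannot approve their own request")
        req.approver = approver
        return self.pending.pop(rid)
```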

If DA is not enabled, you cannot configure immutability from Veeam, and if you try to configure it in the backup job you might see the following failure:


In addition, a message will appear in the StoreOnce console indicating that DA is turned off.

To enable DA from the StoreOnce console, the first step is to create a new user with the Security Officer role.

All technical steps are described in this article → thanks to @regnor

Thank you, it was very useful

Great second part to your series Antonio.  Don't use StoreOnce but nice to learn new technology. 👍
