Security settings to be configured to minimize risk
Configure the following security settings to minimize the security configuration risk.
See About security configuration risk.

| Security settings | Description |
|---|---|
| Insecure communication with 8.0 and earlier hosts | This setting determines whether insecure communication with 8.0 and earlier hosts is enabled. It is recommended that you disable the setting so that only secure communication is used in the domain. |
| Security level for certificate deployment | Determines the checks that are performed before the NetBackup CA issues a certificate to a NetBackup host. It is recommended that you set it to High or Very High. |
| Multifactor authentication (MFA) | This setting adds a layer of protection in addition to passwords, which significantly reduces the risk of malicious access. Enforcing multifactor authentication for all users is recommended. |
| Secure data-in-transit encryption (DTE) | This setting determines the global data-in-transit encryption (DTE) mode. It is recommended that you set it to Enforced or Preferred On. See Configure the global data-in-transit encryption setting. |
| Percent of hosts with DTE enabled | This setting determines the percentage of active hosts in the domain that are participating in DTE. |
| Multiperson authorization (MPA) | This setting ensures that critical actions or decisions are approved by multiple authorized individuals, minimizing the risk of errors, fraud, or misuse of privileges. Enabling this setting is recommended. |
| Malware detection | This setting determines whether malware detection is configured. Malware detection scans backup images and detects malware. Configuring malware detection is recommended. |
| Anomaly detection | This setting detects any unusual deviation in backup job or system attributes and reports it as an anomaly. Enabling backup and system anomaly detection is recommended. |
| Percent of hosts with service user configured | Measures the percentage of active hosts that are configured to run NetBackup services under a service user account. Having NetBackup services configured to run under a service user (non-privileged user) account is highly recommended. Security configuration risk can be reduced if more hosts are configured to run NetBackup services under a service user account. Active primary server, media server, and client hosts are considered for service user configuration. |
| Percent of encryption-enabled backup storage | This setting identifies the percentage of total active backup storage that is configured to encrypt the data at rest. |
| Immutable backup storage | This setting identifies whether at least one active WORM backup storage is configured. It can be either a storage unit or a tape volume. |
| Percent of servers with version (primary version) or later | This setting represents the percentage of active hosts (primary and media servers) with a NetBackup version that is the same as or later than that of the primary server. |
| Percent of other hosts with version (primary version) or later | This setting represents the percentage of active hosts (other than primary and media servers) with a NetBackup version that is the same as or later than that of the primary server. |
| CLI access to OS administrator | This setting enables or disables the CLI access for the operating system administrator. It is recommended to disable the setting. |
| Web UI access to OS administrator | This setting enables or disables web UI access for the operating system administrator. It is recommended to disable the setting. |
| Client-initiated redirected restores | This setting determines if client-initiated redirected restores are allowed in the domain. It depends on the presence of the No.Restrictions file. It is recommended to remove this file if it exists. |