S 4.274 Secure basic configuration of storage systems
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
All configuration work on storage systems must be performed according to the security policy drawn up (see S 2.352 Drawing up a security policy for NAS systems, S 2.353 Drawing up a security policy for SAN systems) and documented and annotated as described in S 2.358 Documenting the system settings of storage systems.
Operating system
Storage systems operated as NAS systems are specialised servers that run an internal operating system, usually a slimmed-down, performance-tuned variant of a standard operating system.
In SAN systems, which can consist of many individual components, some components may likewise be controlled by operating systems close to standard ones.
For these operating systems in particular, but also for manufacturer-specific systems whose internals are not known, it must be ensured before initial operation that the current versions of all software and firmware components are installed. This gives the best possible stability and closes known vulnerabilities, for example those exploited by worms.
Basic configuration
Before a storage system is integrated into IT production, a secure basic configuration must be established. Many devices are delivered with a default configuration designed for fast start-up and the widest possible range of functions, with practically no security mechanisms enabled. The default settings must therefore be checked and the basic configuration established while the device is still isolated from production: either via the separate administration network or in a secure test network set up specifically for this purpose.
When configuring the system, it must be borne in mind that not every administration or configuration tool (console, web interface, external configuration program) necessarily displays all relevant settings.
It is therefore important that the available documentation allows a check of whether all relevant parameters have been set correctly. Configuration tools should produce a verifiable record of every configuration step, at least in local log files; forwarding to a central logging system is preferable.
It is recommended to divide the basic configuration into the following steps:
- Local configuration: Check and change the configuration parameters referring to the device itself (for example, RAID level settings, hard disk to volume assignments, backup device to storage device assignments), the logging settings, the console access settings, etc.
- Network configuration: Check and change the configuration parameters concerning the integration of the device into the local network, the administration network, and the storage network. Administration services such as telnet, tftp, or http, which transmit the login and all subsequent traffic in clear text, must be disabled and replaced by their encrypted equivalents ssh, sftp, and https.
- For SAN systems, the storage network must be segmented internally using zoning and port binding. Each connected server should only be assigned the SAN resources it actually needs; single-initiator zones that contain exactly the storage ports required by that server are the usual way to achieve this.
- The administration of the storage systems should be integrated into the central rights administration (e.g. Active Directory, LDAP, RADIUS).
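The zoning step above is easiest to verify against the allocation plan from the rights and role concept. The following Python script is an added example and not part of the BSI safeguard: it derives single-initiator zones from a plan and checks a zoneset read back from a switch for zones with more than one initiator, for servers that see storage ports beyond their plan, and for servers that cannot reach what they were allocated. All WWPNs, host names and the zone layout are constructed for the example; port binding (locking a WWPN to a physical switch port) is not modelled.

```python
# Hypothetical inventory and allocation plan, constructed for this example.
# Server HBA ports (initiators), by server name.
INITIATORS = {
    "srv-db01": "10:00:00:00:c9:aa:00:01",
    "srv-web01": "10:00:00:00:c9:aa:00:02",
}
# Storage array and backup library ports (targets), by port name.
TARGETS = {
    "array-A-p0": "50:06:01:60:3b:a0:00:01",
    "array-A-p1": "50:06:01:60:3b:a0:00:02",
    "tape-lib": "50:05:07:63:00:c0:00:01",
}
# What each server actually needs, taken from the rights and role concept.
PLAN = {
    "srv-db01": {"array-A-p0", "array-A-p1"},
    "srv-web01": {"array-A-p0"},
}

# A zoneset as it might be read back from a switch: zone name -> member WWPNs.
# Delivery-state style "one zone for everything": every server sees every port.
OPEN_ZONESET = {
    "zone_all": set(INITIATORS.values()) | set(TARGETS.values()),
}


def zones_from_plan(plan, initiators, targets):
    """Derive single-initiator zones: one zone per server holding exactly its planned targets."""
    return {f"z_{srv}": {initiators[srv]} | {targets[t] for t in wanted}
            for srv, wanted in plan.items()}


def check_zoning(zoneset, initiators, targets, plan):
    """Return a list of findings (strings); an empty list means the zoneset matches the plan."""
    wwpn_to_init = {w: n for n, w in initiators.items()}
    wwpn_to_tgt = {w: n for n, w in targets.items()}
    findings = []
    visible = {name: set() for name in initiators}  # initiator -> target ports it can reach
    for zone, members in zoneset.items():
        inits = [wwpn_to_init[w] for w in members if w in wwpn_to_init]
        tgts = [wwpn_to_tgt[w] for w in members if w in wwpn_to_tgt]
        unknown = [w for w in members if w not in wwpn_to_init and w not in wwpn_to_tgt]
        if len(inits) != 1:
            findings.append(f"{zone}: {len(inits)} initiators (single-initiator zoning expected)")
        if not tgts:
            findings.append(f"{zone}: no storage target in zone")
        for w in unknown:
            findings.append(f"{zone}: unknown WWPN {w} (not in inventory)")
        for i in inits:
            visible[i].update(tgts)
    # Least privilege: compare what each server can see with what it was allocated.
    for name, allowed in plan.items():
        extra = visible.get(name, set()) - allowed
        missing = allowed - visible.get(name, set())
        if extra:
            findings.append(f"{name}: sees {sorted(extra)} beyond the plan (least privilege violated)")
        if missing:
            findings.append(f"{name}: cannot reach planned resources {sorted(missing)}")
    for name in initiators.keys() - plan.keys():
        if visible[name]:
            findings.append(f"{name}: not in plan but sees {sorted(visible[name])}")
    return findings


if __name__ == "__main__":
    for label, zs in (("open zoneset", OPEN_ZONESET),
                      ("planned zoneset", zones_from_plan(PLAN, INITIATORS, TARGETS))):
        print(f"{label}:")
        for line in check_zoning(zs, INITIATORS, TARGETS, PLAN) or ["  ok"]:
            print("  " + line)
```

Running the script reports three findings for the open zoneset (two initiators in one zone, and each server seeing ports it does not need) and none for the zoneset derived from the plan. The same check can be re-run after every zoning change against the documented plan (S 2.358).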
User accounts and passwords
The capabilities for configuring users and roles and for assigning authorisations differ from manufacturer to manufacturer, sometimes significantly. For this reason, it is recommended to draw up a detailed concept for the particular devices according to the rights and role concept designed for the administration of the storage devices.
There are often one or more default administrative accounts with universally known user names and passwords, and sometimes even without a password. Lists of manufacturer-specific default accounts and passwords are freely available on the web, so an attacker must be assumed to know them.
When a device is commissioned, these default accounts must be renamed or deleted where the device allows it. In any case, the passwords of all default accounts must be changed. Unused accounts must be deactivated.
After that, the planned user accounts and roles must be set up according to the rights and roles concept.
Configuration files must be specifically protected against unauthorised access. Even when passwords are stored only in hashed or encrypted form, such files must be protected against unauthorised viewing: they contain business-critical information, and password hashes can often be recovered in a short time with suitable cracking tools. The same applies to configuration backups and exports.
The password policies of the organisation in terms of the password length, strength, and change frequency must be followed in any case.
Login banners
No login messages from a storage system should be visible outside of the administration network. Such messages often contain information (for example the model or version number, the software release number, or the patch level) that a potential attacker can use to select a matching exploit.
If logins from the organisation's intranet cannot be prevented, the standard login message must be replaced by a modified version that does not contain any internal information. The model and version number of the device and the version number of the operating system must not be displayed in the login banner under any circumstances. Instead, the device should display the following when a user logs in:
- Access is only allowed for authorised personnel.
- All work must be performed in accordance with the security policy.
- The device is integrated into central control mechanisms, for example in a network management system (NMS) to record and detect violations of the security policy.
- Violations of the security policy will be punished by disciplinary / legal action.
Logging
The internal log of the storage system must be configured so that all relevant events, especially those required for the early detection of problems (hardware faults, failed logins, configuration changes), are recorded and readily visible to the administrators.
The time and date on the storage system and the computer used for administration and logging should be synchronised using an NTP server.
It is generally recommended to synchronise all IT systems in the organisation to a uniform time and date via NTP.
Interfaces
Unused interfaces on storage systems must be disabled. This means that unused connections (e.g. a serial interface for connecting a terminal) should not have cables connected to them and that unused services should be disabled explicitly.
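The checks described under network configuration, user accounts, login banners, logging and interfaces can be applied mechanically to an exported configuration before the device leaves the test network. The following Python script is an added example, not part of the BSI safeguard: it audits a configuration dump for enabled cleartext management services, accounts without a password or with the default password, a banner that leaks version information, missing NTP or central logging, and enabled interfaces without a link. The directive syntax of the two dumps is hypothetical and constructed for the example (real devices use their own export format); the "default" dump represents the delivery state, the "hardened" dump the same device after the basic configuration.

```python
import re
import shlex
from dataclasses import dataclass

# Delivery-state configuration dump, constructed for this example (hypothetical syntax).
DEFAULT_CONFIG = """\
hostname nas01
service telnet enable
service ssh enable
service http enable
service https enable
service tftp enable
service sftp disable
banner login "NAS-3000 FW 5.2.1 - authorised use only"
ntp server none
logging host 10.0.0.10
user admin password-set no
user support password-set yes default-password yes
user backup password-set yes default-password no
interface eth0 admin-state up link up
interface eth3 admin-state up link down
interface serial0 admin-state up link down
"""

# The same device after the basic configuration (also constructed).
HARDENED_CONFIG = """\
hostname nas01
service telnet disable
service ssh enable
service http disable
service https enable
service tftp disable
service sftp enable
banner login "Authorised personnel only. Use is monitored; violations will be prosecuted."
ntp server 10.0.0.5
logging host 10.0.0.10
user admin password-set yes default-password no
user backup password-set yes default-password no
interface eth0 admin-state up link up
interface eth3 admin-state down link down
interface serial0 admin-state down link down
"""

# Cleartext management protocol -> the encrypted replacement that must be enabled instead.
CLEARTEXT_SERVICES = {"telnet": "ssh", "tftp": "sftp", "http": "https"}

# Version-like numbers and firmware/release wording have no place in a login banner.
BANNER_LEAK = re.compile(r"\b(\d+\.\d+(?:\.\d+)*|firmware|fw|version|release|patch)\b",
                         re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    item: str
    detail: str


def parse_config(text):
    """Split the dump into token lists; shlex keeps the quoted banner as a single token."""
    return [shlex.split(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def audit(config_text):
    """Return the findings for one configuration dump (an empty list means nothing was found)."""
    services, ntp, log_hosts, users, interfaces, banner = {}, [], [], [], [], None
    for tok in parse_config(config_text):
        if tok[0] == "service" and len(tok) == 3:
            services[tok[1]] = tok[2]
        elif tok[0] == "banner" and len(tok) == 3:
            banner = tok[2]
        elif tok[0] == "ntp" and len(tok) == 3 and tok[1] == "server":
            ntp.append(tok[2])
        elif tok[0] == "logging" and len(tok) == 3 and tok[1] == "host":
            log_hosts.append(tok[2])
        elif tok[0] == "user":  # "user NAME key value key value ..."
            users.append((tok[1], dict(zip(tok[2::2], tok[3::2]))))
        elif tok[0] == "interface":  # "interface NAME admin-state X link Y"
            interfaces.append((tok[1], dict(zip(tok[2::2], tok[3::2]))))
    f = []
    for clear, enc in CLEARTEXT_SERVICES.items():
        if services.get(clear) == "enable":
            f.append(Finding("high", f"service {clear}", f"cleartext management protocol enabled; use {enc}"))
        if services.get(enc) != "enable":
            f.append(Finding("medium", f"service {enc}", "encrypted management service not enabled"))
    if banner is None or BANNER_LEAK.search(banner):
        f.append(Finding("medium", "banner", f"login banner missing or leaks version data: {banner!r}"))
    if not [s for s in ntp if s != "none"]:
        f.append(Finding("medium", "ntp", "no NTP server configured; log times cannot be correlated"))
    if not log_hosts:
        f.append(Finding("medium", "logging", "no central log host configured"))
    for name, attrs in users:
        if attrs.get("password-set") != "yes":
            f.append(Finding("high", f"user {name}", "account has no password"))
        elif attrs.get("default-password") == "yes":
            f.append(Finding("high", f"user {name}", "default password still in use"))
    for name, attrs in interfaces:
        if attrs.get("admin-state") == "up" and attrs.get("link") == "down":
            f.append(Finding("medium", f"interface {name}", "enabled but no link; disable if unused"))
    return f


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for x in findings:
            print(f"  [{x.severity}] {x.item}: {x.detail}")
```

The delivery-state dump yields ten findings (five of them high: telnet, tftp and http enabled, the admin account without a password, the support account with its default password); the hardened dump yields none. The interface check only flags enabled ports without a link as candidates, since a port may be legitimately down at the time of the export, so each hit still has to be compared with the cabling documentation.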
Testing the configuration
At the end of the test phase, the systems should be tested for their intended function and a security check, for example a port scan and vulnerability scan from the administration network, should be performed to confirm that only the intended services are reachable.
Backing up the configuration
The configuration files of the basic configuration form the basis for the further configuration. Backup copies must be made of the default configuration delivered with the device, as well as of the data resulting from the basic configuration, and these copies must be stored securely.
These copies form the basis for a restart after serious malfunctions (see S 6.98 Contingency planning for storage systems).
Review questions:
- Has all configuration work been performed in accordance with the security policy for the storage system?
- Can it be verified from the existing documentation that all relevant settings have been made?
- Are unneeded user accounts disabled, default passwords changed in accordance with the provisions governing the use of passwords, and/or new accounts created when commissioning storage systems?
- Are the specified user accounts and/or roles created according to the rights and role concept?
- Has the internal logging function of the storage system been configured so that information serving the early detection of problems can be identified quickly?
- Have interfaces of the storage system that are not used been deactivated?
- Are the default configuration, the established basic configuration, and the current configuration of the storage system stored redundantly and securely?