While you can integrate Data Domain with an external authentication service such as LDAP or Active Directory, not everyone chooses to do that. Further, there are some essential accounts (such as ‘sysadmin’) that can’t be disabled. In these circumstances, being able to define controls over the security of passwords is an essential part of the security hardening process.
Data Domain deployments these days include a set of basic initial controls, including:
- Minimum time between password changes for accounts;
- Maximum time between password changes for accounts;
- How many ‘old’ passwords to block for a user account.
But these aren’t the only controls, and in this article I’ll show you how to get to the password hardening controls – and what the other options are.
To get to the options, start by logging into the Data Domain System Manager and click the Administration option in the left-hand navigation pane:
Clicking Administration by default will take you to the Access controls for the Data Domain. From here, click the More Tasks drop-down:
From the More Tasks drop-down, click Change Login Options:
At this point you’ll get the password and login control options, which, as you can see below, are quite extensive:
There are two specific sections to the policy controls:
- Password Policy – Controlling the complexity of passwords, the frequency with which they can be changed, and the number of expired passwords that will be blocked, and
- Login Options – Broader, umbrella controls over login attempts, failures and numbers.
Now personally, I’d love to be able to set passwords along the lines of frozen oysters make for really awful lollypops rather than f7HhH-KJY64[g**bc__d)!, but since everyone else has decided the latter is somehow more memorable than the former, you really can go nuts with the password policy and set appropriate options to force multiple password character classes. So if you want to make sure every password is a minimum length of 16 characters and includes an upper-case letter, lower-case letter, digit and special character, you can make those changes in this control panel.
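To check candidate passwords (say, ones generated by a password vault) against a policy like the one described above before rotating an account, here is an added example that is not from the original article or from the vendor. It models minimum length, required character classes, minimum and maximum password age, and blocked old passwords. The numeric defaults and the definition of a "special" character are assumptions, not Data Domain behaviour.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import date

@dataclass
class Policy:
    # All values here are constructed for illustration, not Data Domain defaults.
    min_length: int = 16
    required_classes: tuple = ("upper", "lower", "digit", "special")
    min_days_between_changes: int = 1
    max_days_between_changes: int = 90
    history_depth: int = 6  # how many old passwords to block

# Assumption: "special" means any character that is not an ASCII letter or digit.
CLASS_TESTS = {
    "upper": lambda c: c in string.ascii_uppercase,
    "lower": lambda c: c in string.ascii_lowercase,
    "digit": lambda c: c in string.digits,
    "special": lambda c: c not in string.ascii_letters + string.digits,
}

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(password: str) -> tuple:
    """Return a (salt, digest) history entry so old passwords are never stored in clear."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def violations(policy, candidate, history, last_change: date, today: date) -> list:
    """List every policy rule the proposed password change would break."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    for name in policy.required_classes:
        if not any(CLASS_TESTS[name](c) for c in candidate):
            problems.append(f"missing {name} character")
    if (today - last_change).days < policy.min_days_between_changes:
        problems.append("changed too recently")
    for salt, digest in history[-policy.history_depth:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("matches a blocked old password")
            break
    return problems

def expired(policy, last_change: date, today: date) -> bool:
    """True once the maximum time between password changes has passed."""
    return (today - last_change).days > policy.max_days_between_changes
```

Run against the two sample passwords in the paragraph above, the long passphrase is rejected for lacking an upper-case letter and a digit, while the shorter symbol-heavy string passes.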
You’ll find comprehensive details about the different security options you can establish in the password controls in the Data Domain OS Security Guide. It’s a document I certainly recommend – particularly if you’re looking for compliance details. There is an entire section on System hardening and best practices that has great insight into establishing tighter security controls on the system and the different protocols that can be used to access the system. This includes a very comprehensive table for DISA STIG standards.