{"id":603,"date":"2009-06-26T17:27:24","date_gmt":"2009-06-26T07:27:24","guid":{"rendered":"http:\/\/nsrd.wordpress.com\/?p=603"},"modified":"2009-06-26T17:27:24","modified_gmt":"2009-06-26T07:27:24","slug":"your-datazone-is-only-as-secure-as-your-networker-server","status":"publish","type":"post","link":"https:\/\/nsrd.info\/blog\/2009\/06\/26\/your-datazone-is-only-as-secure-as-your-networker-server\/","title":{"rendered":"Your datazone is only as secure as your NetWorker server"},"content":{"rendered":"<p>A topic I discuss in <a title=\"Enterprise Systems Backup and Recovery: A Corporate Insurance Policy\" href=\"http:\/\/www.amazon.com\/Enterprise-Systems-Backup-Recovery-Corporate\/dp\/1420076396?ie=UTF8&amp;s=books&amp;qid=1221104920&amp;sr=8-1\" target=\"_self\">my book<\/a> that&#8217;s worth touching on here is that of datazone security.<\/p>\n<p>Backup is one of those enterprise components that touches on a vast amount of infrastructure; so much so that it&#8217;s usually one of the broadest-reaching pieces of software within an environment. As such, the temptation is always there to make it &#8220;as easy as possible&#8221; to configure. Unfortunately, this sometimes leads to making it <em>too easy<\/em> to configure. By <em>too easy<\/em>, I mean <em>insecure<\/em>.<\/p>\n<p>Regardless of the &#8220;hassle&#8221; that it creates, a backup server <em>must<\/em> be highly secured. Or to be perhaps even blunter \u2013 the <em>entire security of everything backed up by your backup server depends on the security of your backup server<\/em>. 
Having an insecure NetWorker server, on the other hand, is like handing over the keys to your datacentre, as well as having the administrator\/root password for every server stuck to each machine.<\/p>\n<p>Thinking of it that way, do you really want the administrator list on your backup server to include say, any of the following?<\/p>\n<ul>\n<li>*@*<\/li>\n<li>*@&lt;host&gt;<\/li>\n<li>&lt;user&gt;@*<\/li>\n<\/ul>\n<p>If your answer is yes, <strong><em>then you&#8217;re wrong<\/em><\/strong>*.<\/p>\n<p>However, datazone security isn&#8217;t <strong>only<\/strong> about the administrator list (though that forms an important part). At bare minimum, your datazone should have the following security requirements:<\/p>\n<ol>\n<li>No wild-cards shall be permitted in <em>administrator<\/em> user list definitions (server, NMC).<\/li>\n<li>No client shall have an empty <em>servers<\/em> file (client).<\/li>\n<li>No wild-cards shall be permitted in <em>remote access<\/em> user list definitions (client resources).<\/li>\n<\/ol>\n<p><strong>Note<\/strong>: With the advent of <em>lockboxes<\/em> in version 7.5, security options increase \u2013 it&#8217;s possible, for instance, to have passwords for application modules stored in such a way that only the application module for the designated host can retrieve the password.<\/p>\n<p>&#8212;<br \/>\n* I do make allowance for some <em>extreme<\/em> recovery issues that have temporarily required users to enter wild-card administrators <em>temporarily<\/em> where it was not possible to wait for a bug fix.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A topic I discuss in my book that&#8217;s worth touching on here is that of datazone security. 
Backup is one&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[16,17,21],"tags":[96,288,1254,1060,1061],"class_list":["post-603","post","type-post","status-publish","format-standard","hentry","category-networker","category-policies","category-security","tag-administrator","tag-datazone","tag-security","tag-user-access","tag-usergroup"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pKpIN-9J","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/603","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/comments?post=603"}],"version-history":[{"count":0,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/603\/revisions"}],"wp:attachment":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/media?parent=603"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/categories?post=603"},{"taxonomy":"post_tag","emb
eddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/tags?post=603"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}