This article discusses best practices for secure configuration and deployment of Datto SIRIS, ALTO, and Datto NAS devices.
- Datto SIRIS
- Datto ALTO
- Datto NAS
Datto BDR appliances ship with inherent and configurable security features and functionality to support a secure deployment. You are responsible for the configuration of those features and for deploying the Datto appliance in a way that meets your network and security architecture requirements. Datto expects that you will deploy your BDR appliances in a secure LAN environment with no inbound internet access, and that appropriate network access control exists on your LAN to limit the accessibility to your appliance network daemons and services.
Access control objectives
Datto strongly recommends implementing least privilege (external link) access controls, such as the following:
- Never allow inbound access from the internet to the appliance.
- Deploy the appliance in line with the SIRIS, ALTO, and NAS: BCDR networking and bandwidth requirements article.
- Only permit access OUTBOUND, as you don't need inbound access for the appliance to function.
- Restrict outbound communications from the Datto appliance to only the networks in the Knowledge Base, and deny all other communications.
- Limit access to the appliance's management end-user network GUI to only trusted network
management workstations, or jump hosts that need access for BDR workflow purposes.
- Only allow protected systems to communicate with the appliance.
- Implement strong identity and access management practices for device GUI and IPMI login.
You can deploy your Datto devices in line with the above best practices in several ways, including, but not limited to:
- Placing the appliance in a protected backup network requiring L2 adjacency.
- Limiting the backup network's reachability through network routing restrictions.
- Employing a network firewall to implement network access control lists.
- Deploying port-based access control lists (ACLs) on network switch ports.
Secure configuration best practices
The Datto BDR appliance offers a range of configuration options to help MSPs and end-users manage BDR workflows in a manner that best suits their environment. MSPs should always deploy the Datto device in a secure LAN environment, and enable more secure configuration options when available and appropriate for the end-user.
- Ensure your device is running the latest software version
- Updates ensure that your device has the latest software and operating system packages. They also patch and harden the appliance to Datto's most recent standards.
- You can find the software version your Datto device is running listed at the top of the home page of your device GUI.
- See the GUI: Device Settings article for more information.
- Deploy encrypted agents
- Agent level encryption assures backup data written to the appliance's ZFS filesystem and replicated to the Datto Cloud is encrypted at rest, using a unique key that you can only generate with the passphrase held by the MSP or end-user.
- Agent encryption is available on specific appliance platforms, such as the SIRIS family of appliances and ALTO XL appliances.
- See the How to Encrypt Backups on a Datto Appliance and Properly Sizing a Datto Appliance Knowledge Base articles for more information.
- Configure file shares with secure protocols and settings
- Understand the policy and compliance requirements of the environment in which you have deployed the Datto device, as you can jeopardize compliance by selecting unsecure file share options.
- Whenever end-user business requirements allow, do not permit anonymous or public access to any file share.
- Leverage CHAP authentication with iSCSI file shares, as CHAP requires authentication to access the file share.
- Enable SFTP instead of FTP, as SFTP requires authentication AND encrypts data in transit across your network.
- See the iSCSI Share Settings article for details on CHAP authentication settings.
- Enable Relay forced login
- Relay forced login requires all users to enter their login credentials when navigating from the Partner Portal to the device GUI.
- Enable Relay forced login in the device GUI by navigating to Configure → Device Settings → Datto Relay Forced Login and clicking Enable Forced Login.
- See the GUI: Device Settings article for more information.
- Unmount file recoveries and local virtualizations when no longer required
- Do not make file restore data or local virtualizations on supported platforms available for longer than is necessary to complete the required BDR workflow.
- After you have confirmed mounted file restores and local virtualizations are no longer needed, you should unmount them.
- Remove a file restore by navigating to Restore → Active Recoveries, selecting the file restore or local virtualization, and clicking Remove Restore.
- Enable mounted restore alerts
- This option displays an alert in the device GUI when you have a file restore, or virtualization mounted for longer than the admin-specified period. These alerts warn you of latent restores that may need removal.
- Enable Mounted Restore Alerts in the device GUI by navigating to Configure → Device Settings → Mounted Restore Alert, selecting the number of days after which to alert from the drop-down menu, then clicking Apply.
- Configure local users with strong access credentials
- Configure local user account usernames and passwords following the MSP or end-users identity and password management policies.
- Where MSPs and end-users lack identity and password policies, Datto strongly recommends following password guidance in NIST SP 800-63: Digital Identity Guidelines.
- Avoid using known weak or compromised passwords (i.e., 123456, password, admin, etc.). A secure password has a combination of uppercase and lowercase letters, as well as numbers and special characters.
- You can create local users in the Datto appliance GUI from the Local Users page. See the Local Users article to learn more.
- Update local user credentials as required
- Local User access credentials for MSP technicians and end-user employees should be updated when those employees leave their respective organizations.
- Update Local User passwords when required in the device GUI by navigating to Configure → Device Settings → Local Users and clicking Set Password.
- See the Local User and Contacts article for more information.
- Enable remote logging
- For end-users with logging and auditing requirements, you can configure the ability to send device logs to an off-box syslog server for later analysis.
- Enable Remote Logging in the device GUI by navigating to Configure → Device Settings → Remote Logging, clicking Enable Remote Logging, then entering the IP address and port of the syslog server and clicking Add Remote Server.
- See the GUI: Device Settings article for additional information.
- Configure IPMI with strong access credentials
- You have the option to use IPMI to interact with unresponsive appliances over the local LAN. When you enable this feature, configure it with a robust non-default user password that avoids known weak or breached credentials. A secure password has a combination of uppercase and lowercase letters, as well as numbers and special characters.
- Update IPMI passwords in the device GUI by navigating to Configure → Networking → IPMI Settings. Then select Admin, enter a secure password and click Change Admin Password.
- See the GUI - Network Settings article for further information.
- Disable local access
- Local access to the Datto device GUI is disabled by default.
- Disabling local access means all device gui access must originate from the Partner Portal, and leverages the security of Partner Portal two-factor authentication (2FA).
- Note: If you have enabled Forced Login, you still need to manage local user credentials.
- You can enable or disable local access to the Datto device GUI by navigating to Configure → Device Settings → Local Access Control.
- Enable secondary replication
- Available on all SIRIS products, Secondary Replication ensures that your data is available in the event of unintended deletion of backup data.
- Data remains available in the secondary site for 90 days after deletion from the primary.
- Enable secondary replication in the device GUI by navigating to Configure → Device Settings → Secondary Replication.
Datto is committed to providing a backup and disaster recovery solution with security features that aid customers in meeting their security policy and compliance requirements. Should you have any questions or concerns relating to topics covered in this article, please reach out to Datto Technical Support.