This article outlines the new local access limitations for enhanced security on Datto BCDR devices.
- Datto SIRIS
- Datto ALTO
- Datto NAS
To better secure your Datto devices from unauthorized access, Datto is disabling local (LAN) access to the Datto Device UI by default across all Datto BCDR devices. You'll have local network access during the initial registration session only, after which you'll use the Datto Partner Portal to access the Datto Device UI. During the initial device registration session, you'll have the ability to override the default and allow local access if you choose. Due to the enhanced security remote access only provides, Datto does not recommend enabling local device access unless absolutely necessary.
Authorized Partner Portal users will have the ability to turn on local access to the Datto device via the Partner Portal if they choose, but Datto highly discourages doing so. Allowing local access to the Datto device bypasses the additional security features of the Datto Partner Portal, such as Two Factor Authentication (2FA).
Datto Technical Support will also have the ability to turn on local access to your device should it be required in an emergency.
Why is Datto disabling local device access?
From time to time, Datto makes changes to the default behavior of our products to increase their security in response to shifts in observed attacker tactics. It is well known that attackers seek to destroy or corrupt backups to increase the likelihood of ransom payment. Mandatory Two Factor Authentication (2FA) in the Datto Partner Portal has shifted attackers' focus toward attempting to access local devices within a compromised network. By disabling the local web interface, we effectively force the backup device access through the Datto Partner Portal, which is multi-factor protected by default. These two changes have proven so HIGHLY effective in preventing and recovering from ransomware attacks that we are going to help the partner base protect themselves and their customers by enabling it automatically.
What do I need to do?
You should not need to do anything. Your Datto device will need to have access to the internet, which is already a prerequisite for Datto devices. See our BCDR networking and bandwidth requirements KB for the full list of networking requirements.
How can I opt-out?
This change greatly enhances the security of your Datto devices, but we understand that there may be circumstances that will require partners to opt-out of this initiative. While we highly discourage partners from doing so, you can opt-out by submitting the Datto Opt-Out For Disabling Local BCDR Web Access form (Survey Monkey form).
Frequently Asked Questions (FAQs)
- How will the Local UI access setting behavior change?
The Datto Device User Interface will only be available locally during device registration unless you deliberately turn off the feature at that time. After registration, the Datto device will only be accessible via the Datto Partner Portal.
- If I enable local access, will this setting change back to disabled?
No. If you choose to enable local access, the Datto device will be accessible locally until you choose to disable it via the Partner Portal. If you must enable local access, we encourage you to disable it again once it is no longer required.
- How can I change the local access setting?
You can change the local access setting via the local UI immediately following registration (your session will not end immediately) or via the remote UI (Partner Portal) after registration. Datto Technical support can also make this change if required.
- I need local access enabled by default. How can I opt-out?
You can opt-out by submitting the Datto Opt-Out For Disabling Local BCDR Web Access form (Survey Monkey). This opt-out does not change the default behavior, but we will not change the Local Access setting globally for those who opt-out.
- How can I access my device if not local?
You can access your device at portal.dattobackup.com by navigating to Status → BCDR Status and clicking the Device Web icon for the device you want to access. Any new device that is registered will disable by default, The opt-out does not change this behavior.
- What if I need to delete data?
Data can be removed via the Datto Device Web in the same manner as you previously performed this action locally.
- How is local access different than remote access?
Currently, the options provided with local access and remote access are essentially the same. In the near future, Datto plans to make additional security enhancements to prevent malicious data loss by disabling the ability to perform the following functions locally:
- Cloud deletions
- Remove agents
- Retention changes
- Replication schedule
- Local deletions
- Restore deletions
We'll continue to keep you updated as we roll out these changes.