SourceOne
Version 7.2 SP6
Products Security Configuration Guide
302-004-820
REV 01
Copyright © 2005-2018 Dell Inc. or its subsidiaries. All rights reserved.
Published March 2018
Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED
IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.
Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners.
Published in the USA.
Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com
CONTENTS

Preface

Chapter 1  Overview

Chapter 2  Security Configuration Settings
    Access control settings
        User authentication
        User authorization
        Component access control
    Log settings
        Log description
        Log management and retrieval
    Communication security settings
        Port usage
        Network encryption
    Data security settings
        Encryption of data at rest
        Data integrity
        Data erasure
    Secure serviceability settings
    Security alert system settings
    Other security considerations

Chapter 3  Secure Deployment and Usage Settings
    Security controls map
    Secure deployment settings

Chapter 4  Secure Maintenance
    Security patch management

Chapter 5  Physical security controls
    Physical Security Controls

Preface
As part of an effort to improve its product lines, EMC periodically releases revisions of its software and hardware. Therefore, some functions that are described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information on product features.
Contact your EMC technical support professional if a product does not function correctly or does not function as described in this document.
Note
This document was accurate at publication time. Go to EMC Online Support (https://support.emc.com) to ensure that you are using the latest version of this document.

Purpose
This document describes the security features and settings of Dell EMC SourceOne.

Audience
This document is part of the Dell EMC SourceOne documentation set, and is intended for use by installers of the product, Dell EMC SourceOne system administrators, and mail server administrators.

Revision history
The following table presents the revision history of this document.

Table 1 Revision history

Revision  Date            Description
01        March 26, 2018  Initial release of the 7.2 SP6 SourceOne Products Security Configuration Guide.

Related documentation
The SourceOne documentation set includes the following publications.
SourceOne Products:
• SourceOne Products Compatibility Guide
• SourceOne Products Security Configuration Guide
SourceOne Email Management:
• SourceOne Email Management Installation Guide
• SourceOne Email Management Administration Guide
• SourceOne Email Management Release Notes
• SourceOne Email Management Localized Product Release Notes
• SourceOne Auditing and Reporting Installation and Administration Guide
• SourceOne Management Pack for Microsoft System Center Operations Manager Guide
• SourceOne Search User Guide
• SourceOne Disaster Recovery Solution Guide
• SourceOne 7.0 and later SNMP Trap Monitoring Solution Technical Notes
SourceOne Discovery Manager:
• SourceOne Discovery Manager Installation and Administration Guide
• SourceOne Discovery Manager Desktop User Guide
• SourceOne Discovery Manager Web Application User Guide
• SourceOne Discovery Manager Release Notes
• SourceOne Discovery Manager Localized Product Release Notes
• SourceOne Discovery Manager Desktop Quick Reference Cards
SourceOne for File Systems:
• SourceOne for File Systems Installation Guide
• SourceOne for File Systems Administration Guide
• SourceOne for File Systems Release Notes
SourceOne Offline Access:
• SourceOne Offline Access Installation and Administration Guide
• SourceOne Offline Access User Guide
• SourceOne Offline Access Release Notes
SourceOne Archiving for Microsoft SharePoint:
• SourceOne Archiving for Microsoft SharePoint Installation Guide
• SourceOne Archiving for Microsoft SharePoint Administration Guide
• SourceOne Archiving for Microsoft SharePoint Release Notes
• SourceOne Archiving for Microsoft SharePoint Archive Search Quick Reference Card
SourceOne for Microsoft SharePoint Storage Management:
• SourceOne for Microsoft SharePoint Storage Management Installation Guide
• SourceOne for Microsoft SharePoint Storage Management Administration Guide
• SourceOne for Microsoft SharePoint Storage Management Release Notes
SourceOne Email Supervisor:
• SourceOne Email Supervisor Installation Guide
• SourceOne Email Supervisor Administration Guide
• SourceOne Email Supervisor Web Application (Reviewer and Reports) Guide
• SourceOne Email Supervisor Release Notes

Special notice conventions that are used in this document
EMC uses the following conventions for special notices:
NOTICE
Identifies content that warns of potential business or data loss.
Note
Contains information that is incidental, but not essential, to the topic.

Typographical conventions
EMC uses the following type style conventions in this document:

Table 2 Style conventions

Bold              Used for names of interface elements, such as names of buttons, fields, tab names, and menu paths (what the user specifically selects or clicks)
Italic            Used for full titles of publications that are referenced in text
Monospace         Used for:
                  • System code
                  • System output, such as an error message or script
                  • Pathnames, file names, prompts, and syntax
                  • Commands and options
Monospace italic  Used for variables
Monospace bold    Used for user input
[ ]               Square brackets enclose optional values
|                 Vertical bar indicates alternate selections - the bar means “or”
{ }               Braces enclose content that the user must specify, such as x or y or z
...               Ellipses indicate non-essential information that is omitted from the example

Where to get help
EMC support, product, and licensing information can be obtained as follows:

Product information
For documentation, release notes, software updates, or information about EMC products, go to EMC Online Support at https://support.emc.com.

Technical support
Go to EMC Online Support at https://support.emc.com, and click Service Center. Several options for contacting EMC Technical Support appear on the site. Note that to open a service request, you must have a valid support agreement. Contact your EMC sales representative for details about obtaining a valid support agreement or with questions about your account.

Online communities
Go to the EMC Community Network at https://community.emc.com for peer contacts, conversations, and content on product support and solutions. Interactively engage online with customers, partners, and certified professionals for all EMC products.

Your comments
Your suggestions help to improve the accuracy, organization, and overall quality of the user publications. Send your opinions of this document to [email protected].
CHAPTER 1
Overview
This guide provides an overview of security configuration for all Dell EMC SourceOne products. Topics in this guide include:
• Security Configuration Settings—Describes settings available in the product to ensure a secure operation of the product.
• Secure Deployment and Usage Settings—Describes instructions on how to deploy the product securely and how to use the product securely.
• Secure Maintenance—Describes how to perform secure maintenance of the product.
• Physical Security Controls—Describes controls needed to protect the product components against unauthorized physical access and physical tampering.
CHAPTER 2
Security Configuration Settings
This section provides an overview of the settings available to ensure secure operations of the Dell EMC SourceOne product.
• Access control settings
• Log settings
• Communication security settings
• Data security settings
• Secure serviceability settings
• Security alert system settings
• Other security considerations

Access control settings
This section describes settings available to limit access by end-user or by external product components.

User authentication
User authentication settings control the process of verifying an identity claimed by a user for accessing the product.

Default accounts
The Dell EMC SourceOne product does not provide any pre-configured default accounts. The following accounts must be configured as a prerequisite for product installation and administration.
• Product installation account
• Primary service account
• Outlook Web Access (OWA) service account
• Master service account (optional)
• Product console administrator
• Product system administrator
In addition to these accounts, a Dell EMC SourceOne Security group must be created to host the service accounts. An Admins group can be created to host console administrator accounts.

Authentication configuration
This section discusses how to configure accounts.

Active Directory
This section includes an accounts and permissions checklist for Active Directory.

Table 3 Accounts and permissions checklist—Active Directory

Each entry below gives the account or group, followed by its details.

Primary Service account
    All environments
    The Dell EMC SourceOne primary service account is required in all environments to process Dell EMC SourceOne activities. Details:
    • Password does not need to be changed at next login.
    • Account does not expire.
    • Password does not expire.
    • Must be in the same domain as the Dell EMC SourceOne servers.
    SourceOne Email Management environments only
    In Exchange environments, you can optionally create an Exchange mailbox for the primary service account.

Master Services service account (optional)
    All environments
    The optional Dell EMC SourceOne Master Services service account is specified during Master Services installation. You can alternatively use the primary service account.
    Details:
    • Password does not need to be changed at next login.
    • Account does not expire.
    • Password does not expire.
    • Must be in the same domain as the Dell EMC SourceOne servers.

OWA service account (optional)
    SourceOne Email Management environments only
    The Dell EMC SourceOne OWA service account is specified during Extensions for OWA installation on Exchange. You can alternatively use the primary service account.
    Details:
    • Password does not need to be changed at next login.
    • Account does not expire.
    • Password does not expire.
    • Must be in the same domain as the Dell EMC SourceOne servers.

Security group
    All environments
    Create the Dell EMC SourceOne security group. This group houses the service accounts used with Dell EMC SourceOne. Details:
    • Created in a domain that is fully trusted by the domains in which Dell EMC SourceOne applications are running.
    • Group scope is Universal, or Global if Universal is not available in the environment.
    • Group type is Security.
    • Group name does not contain special characters.

Add service accounts to security group
    All environments
    Add the following accounts:
    • Dell EMC SourceOne primary service account.
    • Dell EMC SourceOne Master Services service account (if used).
    • Dell EMC SourceOne OWA service account (if used).
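
The checklist in Table 3 can be verified once the accounts and group exist. The following PowerShell is an added example, not part of the Dell EMC guide; it assumes the ActiveDirectory (RSAT) module, and the account, group, and server names are placeholders, as is the character set it treats as "not special".

```powershell
# Added example: audit the SourceOne service accounts and security group
# against the Active Directory checklist in Table 3.
# Requires the ActiveDirectory module (RSAT). Every name below is a
# placeholder (assumption); list only the optional accounts you actually use.
Import-Module ActiveDirectory

$ServiceAccounts = @('svc-s1-primary', 'svc-s1-master', 'svc-s1-owa')
$SecurityGroup   = 'SourceOne-Security'
$SourceOneServer = 'S1-MASTER01'

function Get-DomainDn {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Reduce "CN=x,OU=y,DC=corp,DC=example" to "DC=corp,DC=example".
    (($DistinguishedName -split ',') | Where-Object { $_ -like 'DC=*' }) -join ','
}

function Test-ServiceAccount {
    param([string]$Name, [string]$ServerDomainDn)
    $u = Get-ADUser -Identity $Name `
        -Properties PasswordNeverExpires, AccountExpirationDate, pwdLastSet
    [pscustomobject]@{
        Account               = $u.SamAccountName
        # pwdLastSet = 0 means "must change password at next logon" is set.
        NoChangeAtNextLogin   = ($u.pwdLastSet -ne 0)
        AccountDoesNotExpire  = ($null -eq $u.AccountExpirationDate)
        PasswordDoesNotExpire = [bool]$u.PasswordNeverExpires
        SameDomainAsServers   = ((Get-DomainDn $u.DistinguishedName) -eq $ServerDomainDn)
    }
}

function Test-SecurityGroup {
    param([string]$Name, [string[]]$ExpectedMembers)
    $g = Get-ADGroup -Identity $Name
    $members = @(Get-ADGroupMember -Identity $Name -Recursive |
        Select-Object -ExpandProperty SamAccountName)
    [pscustomobject]@{
        Group                  = $g.Name
        ScopeUniversalOrGlobal = ([string]$g.GroupScope -in @('Universal', 'Global'))
        TypeIsSecurity         = ([string]$g.GroupCategory -eq 'Security')
        # Assumption: "special characters" means anything other than
        # letters, digits, space, hyphen and underscore.
        NameHasNoSpecialChars  = ($g.Name -match '^[A-Za-z0-9 _-]+$')
        # Empty string when every expected service account is a member.
        MissingServiceAccounts = (@($ExpectedMembers |
            Where-Object { $_ -notin $members }) -join ', ')
    }
}

# The domain of a SourceOne server is the reference for the "same domain" check.
$serverDn       = (Get-ADComputer -Identity $SourceOneServer).DistinguishedName
$serverDomainDn = Get-DomainDn $serverDn

$ServiceAccounts |
    ForEach-Object { Test-ServiceAccount -Name $_ -ServerDomainDn $serverDomainDn } |
    Format-Table -AutoSize

Test-SecurityGroup -Name $SecurityGroup -ExpectedMembers $ServiceAccounts | Format-List
```

Any `False` column, or a non-empty `MissingServiceAccounts` value, marks a checklist item to revisit before installation.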

Dell EMC SourceOne
This section includes the account and permission assignments for Dell EMC SourceOne.

Table 4 Accounts and permissions—permissions assignment

Environment/System: MIME drop directories
Task: Configure drop directory permissions for MIME management
Details:
  For drop directories into which you place MIME messages to be archived by Dell EMC SourceOne:
  • Sharing tab—Configure the security group with Full Control permissions to the share.
  • Security tab—Configure the security group with Full Control permissions to the share.
Validation:
  1. Log in to a system as the primary service account.
  2. Access the share and create a text file.
  3. Delete the text file.

Environment/System: NSF drop directories
Task: Configure drop directory permissions for NSF management
Details:
  For drop directories into which you place NSF files to be archived by Dell EMC SourceOne:
  • Sharing tab—Configure the security group with Full Control permissions to the share.
  • Security tab—Configure the security group with Full Control permissions to the share.
Validation:
  1. Log in to a system as the primary service account.
  2. Access the share and create a text file.
  3. Delete the text file.

Environment/System: PST drop directories
Task: Configure drop directory permissions for PST management
Details:
  For drop directories into which you place PST files to be archived by Dell EMC SourceOne in a single Exchange forest configuration:
  • Sharing tab—Configure the security group with Full Control permissions to the share.
  • Security tab—Configure the security group with Full Control permissions to the share.
  See the SourceOne Email Management Administration Guide for considerations in an Exchange resource forest configuration.
Validation:
  1. Log in to a system as the Dell EMC SourceOne primary service account.
  2. Access the share and create a text file.
  3. Delete the text file.

Environment/System: Network computers
Task: Configure PST discovery permissions
Details:
  To support PST discovery and management on network computers in a single Microsoft Exchange forest configuration, add the Dell EMC SourceOne security group as member of local Administrators group for these computers.
  See the SourceOne Email Management Administration Guide for considerations in an Exchange resource forest configuration.
Validation:
  Network computers:
  1. Log in to a system as the Dell EMC SourceOne primary service account.
  2. Access a computer from My Network Places.
  3. Access C$ drive.

Microsoft Exchange
This section includes the account and permission assignments for Microsoft Exchange.

Table 5 Accounts and permissions—Microsoft Exchange

Task: Create Exchange journaling mailboxes.
Details:
  Create one or more Microsoft Exchange journaling mailboxes. A journaling user account is associated with an Exchange journaling mailbox that collects messages generated on a Mailbox Store. Most configurations will consist of several journaling users and mailboxes.
  Envelope journaling is required for Dell EMC SourceOne.
  A journaling user account is created in Active Directory and must have the following characteristics:
  • Member of Domain Users group.
  • Password does not need to be changed at next login.
  • Password does not expire.
  • Account does not expire.
  • Journaling users/mailboxes
Validation:
  Ensure mailboxes created.

Task: Configure general Exchange permissions.
Details:
  Grant the Dell EMC SourceOne primary service account and the Dell EMC SourceOne Admins group the following permission:
  • Exchange View-Only Administrator (at the Organization level)
  Note
  If using Microsoft Exchange 2010 in a mixed environment, that includes both Microsoft Exchange 2010 and a previous Microsoft Exchange version, you must explicitly configure these permissions in Microsoft Exchange 2010, as they do not automatically propagate over from previous Microsoft Exchange versions.
Validation:
  1. Start the Dell EMC SourceOne Console.
  2. Check that the administrator can view the mail server hierarchy from the Dell EMC SourceOne Console.

Task: Configure permissions for journaling mailboxes.
Details:
  Grant the Dell EMC SourceOne primary service account access rights to each journaling mailbox.
  Microsoft Exchange 2013 Server
  • Full mailbox access
  Microsoft Exchange 2010 Server
  • Full mailbox access
  Microsoft Exchange 2007 Server
  • Full mailbox access
Validation:
  Test journaling mailbox access:
  1. Open Outlook as the primary service account.
  2. Open the journal mailbox Inbox folder.
  3. Add and delete a message.

Task: Configure permissions for user mailboxes.
Details:
  To support storage management, which requires a higher level of permissions to access and change mailbox contents, configure the following permissions depending on the Microsoft Exchange version.
  Note
  In a mixed environment of Microsoft Exchange 2010 and Microsoft Exchange 2013, mail does not get pulled from the Microsoft Exchange 2013 journaling mailboxes. When logging into the Worker, errors will occur. When pulling mail from the journals on the Microsoft Exchange 2013 server, jobs will fail. To avoid these errors and jobs failing, in Account Settings, change the Outlook configuration on the workers by selecting the Connect to Microsoft Exchange using HTTP checkbox.
  Microsoft Exchange 2013
  Grant the Dell EMC SourceOne primary service account the following extended permissions:
  • Receive As
  Note
  In a mixed environment, for example, Microsoft Exchange 2013 and a previous version of Microsoft Exchange, grant these permissions at the mailbox database level, targeting only the mailboxes on Microsoft Exchange 2013. You can then use the permissions described in the following section for mailboxes hosted on previous Microsoft Exchange versions.
  Microsoft Exchange 2010
  Grant the Dell EMC SourceOne primary service account the following extended permissions:
  • Receive As
  Note
  In a mixed environment, for example, Microsoft Exchange 2010 and a previous version of Microsoft Exchange, grant these permissions at the mailbox database level, targeting only the mailboxes on Microsoft Exchange 2010. You can then use the permissions described in the following section for mailboxes hosted on previous Microsoft Exchange versions.
  Microsoft Exchange 2007
  Grant the Dell EMC SourceOne primary service account the following extended permissions:
  • Receive As
  • Send As
  Note
  These permissions can be granted at the Organization level (highest) to the individual mailbox level (lowest).
Validation:
  Storage management:
  1. Open Outlook as the primary service account.
  2. Open a test user mailbox Inbox folder.
  3. Add and delete a message.

Task: Review Exchange 2010 considerations.
Details:
  Review the following considerations if using Dell EMC SourceOne in an environment that includes Microsoft Exchange 2010:
  • Microsoft Exchange 2010 replaced the permissions model used in Microsoft Exchange 2007 with a Role Based Access Control (RBAC) permissions model. Refer to the Microsoft Exchange 2010 documentation set for more information.
  • Microsoft Exchange 2010 takes two hours to update the permissions cache. Restart the Microsoft Exchange Information Store after applying permissions to activate the changes.
Validation:
  None.

Task: Review Exchange 2013 considerations.
Details:
  Review the following considerations if using Dell EMC SourceOne in an environment that includes Microsoft Exchange 2010:
  • Microsoft Exchange 2013 takes two hours to update the permissions cache. Restart the Microsoft Exchange Information Store after applying permissions to activate the changes.
Validation:
  None.

IBM Domino
This section includes the account and permission assignments for IBM Domino.

Table 6 Accounts and permissions—IBM Domino

Task: Create Dell EMC SourceOne Lotus Notes account.
Details:
  This account will later be specified on Dell EMC SourceOne host computers to support message processing in a Domino environment.
  To support all Dell EMC SourceOne activities, configure the account with:
  • Manager privileges for all users mail files.
  • Delete access to all mailboxes.
  To support all Dell EMC SourceOne activities except archiving messages based on read or unread status, restoring messages from Dell EMC SourceOne Search, and user-directed archiving:
  • Editor privileges for all users mail files.
  • Delete access to all mailboxes.
Validation:
  Account name:
  1. Open a user NSF file for test purposes as the Dell EMC SourceOne Notes user.
  2. Add data.
  3. Delete the data.

Task: Configure Internet address and password for Lotus Notes users.
Details:
  Ensure Lotus Notes users have an Internet address and password configured. This is required for Notes users to use Dell EMC SourceOne Search.
Validation:
  After Dell EMC SourceOne is installed, confirm that a Notes user can log in to Dell EMC SourceOne Search.

User actions performed without authentication
Users cannot perform any actions without authentication. Before starting the Dell EMC SourceOne Console, user authentication occurs when users log in to their Windows system. A user must be configured as a console administrator through Windows security assignment, before the user can perform any action within the Dell EMC SourceOne Console.

User authorization
This section outlines the user authorization settings, control rights, and permissions that are granted to a user to access a resource that is managed by Dell EMC SourceOne.

Dell EMC SourceOne Console
The Dell EMC SourceOne Console Management subsystem restricts the ability to query, modify, delete, or select the user and group map folder permissions to Dell EMC SourceOne Console Administrators. Through the Permissions page of the New Folder Wizard, Dell EMC SourceOne Console Administrators can specify the users and groups who can access a folder and the permissions each user and group has on the folder.
These values are then passed to the Database Provider Subsystem to be entered into the Activity database.

Table 7 Dell EMC SourceOne Console

Task                                    Resource                                              Role
Assign/unassign                         Windows Users, Windows Groups, and LDAP Query Groups  Console Administrator or Dell EMC SourceOne Administrator (defined through primary service account)
Create, modify, and delete              Policies, activities, and rules                       Console Administrator
Create and delete                       Native Archive folders                                Console Administrator
View, create, modify, copy, and delete  Dell EMC SourceOne mapped folders                     Console Administrator
Assign, modify, delete                  User and group permissions on mapped folders          Console Administrator
Modify                                  Native Archive folder properties                      Console Administrator
View, edit                              Worker properties                                     Console Administrator
Specify                                 Users to be audited ("audited users")                 Console Administrator
Select                                  Events to be audited                                  Console Administrator

Dell EMC SourceOne Reporting
You can use the Dell EMC SourceOne reporting tools to view role and to audit reports. The SourceOne Auditing and Reporting Installation and Administration Guide provides detailed information.

Table 8 Dell EMC SourceOne Reporting

Task                Resource                                     Role
Assign              users to Roles for access to audit reports   Dell EMC SourceOne Administrator
View and customize  Audit reports                                Content Manager
View                Audit reports                                Browser role

Component access control
Component access control settings define control over access to the product by external and internal systems or components. Components are sub-systems of the product that typically interact over the network and often have their own security settings. For example, Agents, Database, Console, and Host Servers.
The key components are listed as follows:
• SQL Database server
• Master computers
• Worker computers
• Archive servers
• Web server
• File shares and storage
• Mail servers
• Elasticsearch Worker server

Component authentication
This section describes how to configure authentication of remote components.

Dell EMC SourceOne accounts and permissions
This table includes the component authentication accounts and permissions for Dell EMC SourceOne.

Table 9 Accounts and permissions—permissions assignment
Environment/System
Task Details Validation
Microsoft SQL Server Configure MicrosoftSQL database installpermissions andSecurity Logins.
Ensure that theinstallation account isa local administratorand has the SQLsysadmin role.
Configure thefollowing groups andaccounts as SecurityLogins in SQL Server:
After Dell EMCSourceOne isinstalled, use theODBC TestConnection functionto confirm theconnection.
Security Configuration Settings
Component access control 21
Table 9 Accounts and permissions—permissions assignment (continued)
Environment/System
Task Details Validation
l Dell EMCSourceOnesecurity group
l Dell EMCSourceOneAdmins group
l Dell EMCSourceOneinstallation accounts
After Dell EMCSourceOne databasesare installed, youassign individualdatabase privileges tothese logins.
Master computers Add service accountto local administratorsgroup.
Add one of thefollowing serviceaccounts as amember of the localadministrators groupfor this computer:
l Primary serviceaccount, or
l Master Servicesservice account ifused
This account isrequired to be amember of thisgroup to run theSourceOne JobSchedulerservice.
Ensure accounts wereadded.
Master computers Add installationaccount to localadministrators group.
Add the Dell EMCSourceOneinstallation account asa member of the localadministrators groupfor this computer.
You can remove thisuser from the groupafter the installationcompletes.
Alternatively you canuse an existing
Ensure you can log inusing this account.
Security Configuration Settings
22 SourceOne 7.2 SP6 Products Security Configuration Guide
Table 9 Accounts and permissions—permissions assignment (continued)
Environment/System
Task Details Validation
account that is amember of the localadministrators groupto install thesoftware.
Worker computers Add installationaccount to localadministrators group.
Add the Dell EMCSourceOneinstallation account asa member of the localadministrators groupfor this computer.
You can remove thisuser from the groupafter the installationcompletes.
Alternatively you canuse an existingaccount that is amember of the localadministrators groupto install thesoftware.
Ensure you can log inusing this account.
Dell EMC SourceOneNative Archivecomputers
Add installationaccount to localadministrators group.
Add the Dell EMCSourceOneinstallation account asa member of the localadministrators groupfor this computer.
You can remove thisuser from the groupafter the installationcompletes.
Alternatively you canuse an existingaccount that is amember of the localadministrators groupto install thesoftware.
Ensure you can log inusing this account.
Console clientcomputers
Add installationaccount to localadministrators group.
Add the Dell EMCSourceOneinstallation account asa member of the localadministrators groupfor this computer.
Ensure you can log inusing this account.
Security Configuration Settings
Component access control 23
Table 9 Accounts and permissions—permissions assignment (continued)
Environment/System
Task Details Validation
You can remove thisuser from the groupafter the installationcompletes.
Alternatively you canuse an existingaccount that is amember of the localadministrators groupto install thesoftware.
Storage Configure storagelocation permissions.
Configure Dell EMCSourceOne SecurityGroup withpermissions for thefollowing storagelocations:
l Message Centerlocation
l Archive location
l Index location
l Job detail log filelocation
Configure thefollowing permissionsfor each location:
l Sharing tab—Configure thesecurity groupwith Full Controlpermissions tothe share.
l Security tab—Configure thesecurity groupwith Full Controlpermissions tothe share.
1. Log in to asystem as theprimary serviceaccount.
2. Access the shareand create a textfile.
3. Delete the textfile.
Dell EMC DiskXtender Add security group toDX administratorsgroup.
If using DellEMCDiskXtender, addthe Dell EMCSourceOne SecurityGroup to theDxAdministratorsgroup on the Dell
Ensure the group isadded.
Security Configuration Settings
24 SourceOne 7.2 SP6 Products Security Configuration Guide
Table 9 Accounts and permissions—permissions assignment (continued)
Environment/System
Task Details Validation
EMCDiskXtenderserver.
MIME dropdirectories
Configure dropdirectory permissionsfor MIMEmanagement.
For drop directoriesinto which you placeMIME messages to bearchived by Dell EMCSourceOne:
l Sharing tab—Configure thesecurity groupwith Full Controlpermissions tothe share.
l Security tab—Configure thesecurity groupwith Full Controlpermissions tothe share.
1. Log in to asystem as theprimary serviceaccount.
2. Access the shareand create a textfile.
3. Delete the textfile.
NSF drop directories Configure dropdirectory permissionsfor NSF management.
For drop directoriesinto which you placeNSF files to bearchived by Dell EMCSourceOne:
l Sharing tab—Configure thesecurity groupwith Full Controlpermissions tothe share.
l Security tab—Configure thesecurity groupwith Full Controlpermissions tothe share.
1. Log in to asystem as theprimary serviceaccount.
2. Access the shareand create a textfile.
3. Delete the textfile.

Environment/System: PST drop directories
Task: Configure drop directory permissions for PST management.
Details: For drop directories into which you place PST files to be archived by Dell EMC SourceOne in a single Microsoft Exchange forest configuration:
• Sharing tab: Configure the security group with Full Control permissions to the share.
• Security tab: Configure the security group with Full Control permissions to the share.
See the SourceOne Email Management Administration Guide for considerations in an Exchange resource forest configuration.
Validation:
1. Log in to a system as the Dell EMC SourceOne primary service account.
2. Access the share and create a text file.
3. Delete the text file.

Environment/System: Network computers
Task: Configure PST discovery permissions.
Details: To support PST discovery and management on network computers in a single Microsoft Exchange forest configuration, add the Dell EMC SourceOne security group as a member of the local Administrators group for these computers.
See the SourceOne Email Management Administration Guide for considerations in an Exchange resource forest configuration.
Validation:
Network computers:
1. Log in to a system as the Dell EMC SourceOne primary service account.
2. Access a computer from My Network Places.
3. Access C$ drive.
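
The create-and-delete validation that Table 9 repeats for the storage and drop-directory shares can be scripted as follows. This is an added example, not part of the Dell EMC guide; the share paths and the group name are placeholders to replace with your own.

```powershell
# Added example (not from the Dell EMC guide). Run it in a session started as
# the SourceOne primary service account so the result reflects that account.

# Placeholder values (assumptions): replace with your own shares and group.
$SecurityGroup = 'EXAMPLE\SourceOne Security Group'
$Shares = @(
    '\\fileserver01.example.test\S1MessageCenter',
    '\\fileserver01.example.test\S1Archive',
    '\\fileserver01.example.test\S1Index',
    '\\fileserver01.example.test\S1JobLogs',
    '\\fileserver01.example.test\S1MimeDrop'
)

function Test-ShareWriteDelete {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group
    )

    $r = [ordered]@{
        Path = $Path; Reachable = $false; Created = $false
        Deleted = $false; GroupNtfsFullControl = $null; Error = $null
    }
    # Unique name so the probe never collides with a file awaiting archiving.
    $probe = Join-Path $Path ('s1-permcheck-{0}.txt' -f [guid]::NewGuid())

    try {
        if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
            throw 'Share is not reachable with the current credentials.'
        }
        $r.Reachable = $true

        # Steps 2 and 3 of the validation: create a text file, then delete it.
        # Success here proves effective access through both the share and NTFS.
        Set-Content -LiteralPath $probe -Value 'permission check' -ErrorAction Stop
        $r.Created = $true
        Remove-Item -LiteralPath $probe -ErrorAction Stop
        $r.Deleted = -not (Test-Path -LiteralPath $probe)

        # Security tab: look for an Allow entry granting the group Full Control.
        # (Share-level entries from the Sharing tab are not read by Get-Acl.)
        $full = [System.Security.AccessControl.FileSystemRights]::FullControl
        $aces = (Get-Acl -LiteralPath $Path).Access | Where-Object {
            $_.IdentityReference.Value -eq $Group -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        }
        $r.GroupNtfsFullControl = [bool]$aces
    }
    catch {
        # A failure after Created = $true means the probe file may remain.
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Validating as $me"
$Shares | ForEach-Object { Test-ShareWriteDelete -Path $_ -Group $SecurityGroup } |
    Format-Table -AutoSize -Wrap
```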

Microsoft Exchange accounts and permissions
This table includes the component authentication accounts and permissions for Microsoft Exchange.
Table 10 Accounts and permissions—Microsoft Exchange
Task Details Validation
Task: Create Microsoft Exchange journaling mailboxes.
Details: Create one or more Exchange journaling mailboxes. A journaling user account is associated with an Exchange journaling mailbox that collects messages that are generated on a Mailbox Store. Most configurations consist of several journaling users and mailboxes.
Envelope journaling is required for Dell EMC SourceOne.
A journaling user account is created in Active Directory and must have the following characteristics:
• Member of Domain Users group.
• Password does not need to be changed at next login.
• Password does not expire.
• Account does not expire.
Validation:
• Journaling users/mailboxes
Ensure mailboxes created.

Task: Configure general Microsoft Exchange permissions.
Details: Grant the Dell EMC SourceOne primary service account and the Dell EMC SourceOne Admins group the following permissions:
Exchange View-Only Administrator (at the Organization level)
Note
If using Microsoft Exchange 2010 in a mixed environment, which includes both Microsoft Exchange 2010 and a previous Microsoft Exchange version, then you must explicitly configure these permissions in Microsoft Exchange 2010. Permissions do not automatically propagate over from previous Microsoft Exchange versions.
Validation:
1. Start the Dell EMC SourceOne Console.
2. Check that the administrator can view the mail server hierarchy from the Dell EMC SourceOne Console.

Task: Configure permissions for journaling mailboxes.
Details: Grant the Dell EMC SourceOne primary service account access rights to each journaling mailbox.
Microsoft Exchange 2013 Server
• Full mailbox access
Microsoft Exchange 2010 Server
• Full mailbox access
Microsoft Exchange 2007 Server
• Full mailbox access
Validation:
Test journaling mailbox access:
1. Open Outlook as the primary service account.
2. Open the journal mailbox Inbox folder.
3. Add and delete a message.

Task: Configure permissions for user mailboxes.
Details: To support storage management, which requires a higher level of permissions to access and change mailbox contents, configure the following permissions depending on the Microsoft Exchange version.
Note
In a mixed environment of Microsoft Exchange 2010 and Microsoft Exchange 2013, mail does not get pulled from the Exchange 2013 journaling mailboxes. When logging in to the Worker, errors occur. When pulling mail from the journals on the Microsoft Exchange 2013 server, jobs fail. To work around these limitations, from the Account Settings, change the Outlook configuration on the workers by selecting the Connect to Microsoft Exchange using HTTP checkbox.
Microsoft Exchange 2013
Grant the Dell EMC SourceOne primary service account the following extended permissions:
• Receive As
Note
In a mixed environment, for example, Microsoft Exchange 2013 and a previous version of Microsoft Exchange, grant these permissions at the mailbox database level, targeting only the mailboxes on Microsoft Exchange 2013. You can then use the permissions that are described in the following section for mailboxes that are hosted on previous Microsoft Exchange versions.
Microsoft Exchange 2010
Grant the Dell EMC SourceOne primary service account the following extended permissions:
• Receive As
Note
In a mixed environment, for example, Microsoft Exchange 2010 and a previous version of Microsoft Exchange, grant these permissions at the mailbox database level, targeting only the mailboxes on Microsoft Exchange 2010. You can then use the permissions that are described in the following section for mailboxes that are hosted on previous Microsoft Exchange versions.
Microsoft Exchange 2007
Grant the Dell EMC SourceOne primary service account the following extended permissions:
• Receive As
• Send As
Note
These permissions can be granted at the Organization level (highest) to the individual mailbox level (lowest).
Validation:
Storage management:
1. Open Outlook as the primary service account.
2. Open a test user mailbox Inbox folder.
3. Add and delete a message.

Task: Review Microsoft Exchange 2010 considerations.
Details: Review the following considerations if using Dell EMC SourceOne in an environment that includes Microsoft Exchange 2010:
• Microsoft Exchange 2010 replaced the permissions model that is used in Microsoft Exchange 2007 with a Role Based Access Control (RBAC) permissions model. Refer to the Microsoft Exchange 2010 documentation set for more information.
• Microsoft Exchange 2010 takes 2 hours to update the permissions cache. Restart the Microsoft Exchange Information Store after applying permissions to activate the changes.
Validation: None.

Task: Review Microsoft Exchange 2013 considerations.
Details: Review the following considerations if using Dell EMC SourceOne in an environment that includes Microsoft Exchange 2010:
• Microsoft Exchange 2013 takes 2 hours to update the permissions cache. Restart the Microsoft Exchange Information Store after applying permissions to activate the changes.
Validation: None.
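
The four journaling user account characteristics listed in Table 10 can be checked against Active Directory with the script below. It is an added example, not part of the Dell EMC guide; the account names are placeholders, and it assumes the accounts live in the domain of the logged-on user.

```powershell
# Added example (not from the Dell EMC guide). Requires the ActiveDirectory
# module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# Placeholder account names (assumptions): replace with your journaling users.
$JournalAccounts = @('s1journal01', 's1journal02')

function Test-JournalingAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $props = 'PasswordNeverExpires', 'AccountExpirationDate', 'pwdLastSet',
             'PrimaryGroup', 'MemberOf'
    $u = Get-ADUser -Identity $SamAccountName -Properties $props

    # Domain Users always has RID 513. It is normally the primary group, and a
    # primary group is not listed in MemberOf, so both places are checked.
    $domainUsers = Get-ADGroup -Identity "$((Get-ADDomain).DomainSID.Value)-513"
    $inDomainUsers = ($u.PrimaryGroup -eq $domainUsers.DistinguishedName) -or
                     ($u.MemberOf -contains $domainUsers.DistinguishedName)

    # pwdLastSet = 0 is how AD records "must change password at next logon".
    $noForcedChange = ($u.pwdLastSet -ne 0)
    $pwdNeverExpires = [bool]$u.PasswordNeverExpires
    # AccountExpirationDate is empty when the account never expires.
    $acctNeverExpires = ($null -eq $u.AccountExpirationDate)

    [pscustomobject]@{
        Account               = $u.SamAccountName
        MemberOfDomainUsers   = $inDomainUsers
        NoChangeAtNextLogin   = $noForcedChange
        PasswordDoesNotExpire = $pwdNeverExpires
        AccountDoesNotExpire  = $acctNeverExpires
        MeetsTable10          = $inDomainUsers -and $noForcedChange -and
                                $pwdNeverExpires -and $acctNeverExpires
    }
}

$JournalAccounts | ForEach-Object { Test-JournalingAccount -SamAccountName $_ } |
    Format-Table -AutoSize
```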

IBM Domino accounts and permissions
This table includes the component authentication accounts and permissions for IBM Domino.
Table 11 Accounts and permissions—IBM Domino
Task Details Validation
Task: Create Dell EMC SourceOne IBM Notes account.
Details: This account is specified later on Dell EMC SourceOne host computers to support message processing in an IBM Domino environment.
To support all Dell EMC SourceOne activities, configure the account with:
• Manager privileges for all users mail files.
• Delete access to all mailboxes.
To support all Dell EMC SourceOne activities except archiving messages based on read or unread status, restoring messages from Dell EMC SourceOne Search, and user-directed archiving:
• Editor privileges for all users mail files.
• Delete access to all mailboxes.
Validation:
Account name:
1. Open a user NSF file for test purposes as the Dell EMC SourceOne Notes user.
2. Add data.
3. Delete the data.

Task: Configure Internet address and password for IBM Notes users.
Details: Ensure IBM Notes users have an Internet address and password configured. This is required for IBM Notes users to use Dell EMC SourceOne Search.
Validation: After Dell EMC SourceOne is installed, confirm that an IBM Notes user can log in to Dell EMC SourceOne Search.

Component authorization
This section includes instructions or references to instructions on how to configure the product to restrict access to remote components or systems (for example, LUN masking or IP filtering).

Log settings
This section describes settings related to the logging of events. A log is a chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to final results.

Log description
This table lists all relevant logs including their location, for example, file path or database, on a system and a description of their content. This table only includes event logs and does not include trace and debug logs.
Table 12 Log files
Log file | Location
SQL Database server | Windows event log/Application
Master server | Windows event log/Application/Dell EMC
Worker server | Windows event log/Application/Dell EMC
Archive server | Windows event log/Application/Dell EMC
IIS Web server | On IIS server:
• Event Viewer\Custom Views\Server Roles\Web Server (IIS)
• Event Viewer\Applications and Services Logs\Microsoft\Windows\IIS-Configuration
• Event Viewer\Applications and Services Logs\Microsoft\Windows\IIS-Logging
On IIS server disk:
• C:\inetpub\logs\LogFiles
• C:\Windows\System32\LogFiles
• C:\Windows\System32\inetsrv

Log management and retrieval
This section includes instructions on how to configure log management and retention policies.
Standard Windows event log management procedures can be applied. Refer to Microsoft documentation on Windows event log and alert management.

Log roll-over
This section includes information about log roll-over.

Configuration of an external Syslog server
This section includes information about the configuration of an external Syslog server.

Configuration of logging levels
This section includes information about the configuration of logging levels.

Configuration of alert mechanisms
This section includes information about the configuration of alert mechanisms.

Configuration for external log management tools like envision
This section includes information about the configuration for external log management tools like envision.

Configuration of time synchronization with external source
This section includes information about the configuration of time synchronization with an external source, for example, using NTP and Windows Time Service.

Accessing log files
This section includes instructions or references to instructions on how a customer can access log files.

Communication security settings
This section describes settings that are related to security for the product network communications. Communication security settings enable the establishment of secure communication channels between the product components as well as between product components and external systems or components.

Port usage
This table lists all the network ports, services, and protocols that are used by the product components. Information in the table includes what external interfaces, ports, and services must be open or enabled for proper operation of the product as well as the configurable default ports. Use this information when using the Dell EMC SourceOne product along with a firewall.
Table 13 Port usage
Component | Service | Protocol | Port
SourceOne Offline Access | Document Management Service | TCP/HTTP | 8001/8002
Search | Not applicable | TCP/HTTP | 80/443 (port 80 when TLS/SSL is disabled; port 443 when TLS/SSL is enabled)
Universal Shortcut/Mobile | Not applicable | TCP/HTTP | 80/443 (port 80 when TLS/SSL is disabled; port 443 when TLS/SSL is enabled)
SourceOne Discovery Manager Web Application | Not applicable | TCP/HTTP | 80/443 (port 80 when TLS/SSL is disabled; port 443 when TLS/SSL is enabled)
SourceOne Email Supervisor Web Application | Not applicable | TCP/HTTP | 80/443 (port 80 when TLS/SSL is disabled; port 443 when TLS/SSL is enabled)

Network encryption
This section includes instructions about how to use the SourceOne product with SSL to configure an encryption key or a certificate for use in secure communications.
Follow this procedure to ensure that SSL is enabled.
Procedure
1. In the New Archive folder, specify the following:
• Ensure that the Enable SSL checkbox is selected. If SSL is enabled, HTTPS is used for data transport; otherwise, HTTP is used.
• In the Port field, specify the port number for the server.
   ◦ The default value for http is 80.
   ◦ The default value for https is 443.
Figure 1 Enabling SSL
2. If the LDAP or ADS server requires a secure sockets layer connection (SSL), select the Server requires a secure connection (SSL)? checkbox. When this checkbox is selected, the LDAP port changes to the default secure LDAP port value of 636 for Active Directory. Note that the value for IBM Domino is different.
3. If the LDAP or ADS server requires a secure sockets layer connection (SSL):
a. Open the Select Data Sources page of the New Activity wizard.
b. Select the Server requires a secure connection (SSL)? checkbox. When this checkbox is selected, the LDAP port changes to the default secure LDAP port value of 636 for Active Directory.
Note that the secure LDAP port value for IBM Domino is different.
Figure 2 LDAP server configuration

Data security settings
This section describes settings available to ensure protection of the data that is handled by the product. Data security settings enable definition of controls to prevent data that is permanently stored by the product from being disclosed in an unauthorized manner.

Encryption of data at rest
This section includes instructions or references to instructions about how to configure encryption for the data that is stored by the Dell EMC SourceOne product. This section also includes instructions on how to configure or change the encryption key.
Dell EMC SourceOne does not provide the capability to encrypt archived data. Encryption of data must be managed through the underlying storage, assuming that the storage platform provides that capability.

Data integrity
This section describes how the Dell EMC SourceOne product secures data integrity.
The Dell EMC SourceOne archive stores a checksum with the archived object, which is verified when the object is read and retrieved from the archive storage. Also, Dell EMC SourceOne calculates unique object IDs that are based on the properties of the object through a proprietary, patented SHA-1 hash algorithm.

Data erasure
This section includes instructions about how to configure the secure erasure of the data that is stored by the Dell EMC SourceOne product.
Configure data retention and disposal as follows.
Procedure
1. Specify the data retention on the archive folder in the Dell EMC SourceOne Native Archive. You can specify how long data in the archive folder is to be retained by entering a value in the Months to retain field.
2. Determine whether you want to automatically or manually dispose of data that is past the retention period.
• To manually dispose of the data, perform the following:
a. Select the archive folder that contains the data that you want to process.
b. Select Action > Perform Disposition.
• To automatically dispose of the data, select the Enable automatic disposition field on the archive folder.
The SourceOne Email Management Administration Guide contains more information about configuring data retention and disposal.

Secure serviceability settings
Dell EMC SourceOne does not enable any in-built specific role or accounts for Dell EMC personnel for remote support.
Configuration changes require specific account and authentication setup by the customer for administration or usage of the Dell EMC SourceOne product. There are a number of settings that are not available in the product Administration Console and require Customer Support involvement.

Security alert system settings
Dell EMC SourceOne does not provide built-in notification services.
However, in environments that integrate the Dell EMC SourceOne product with the Microsoft System Center Operations Manager (SCOM), the logging of specific Dell EMC SourceOne product events occurs in the Windows Event Management Console. These events might generate notifications. The SourceOne Management Pack for Microsoft System Center Operations Manager Guide includes more information.
For changes to permissions to data folders, Dell EMC SourceOne provides Mapped Folder permissions. The SourceOne Email Management Administration Guide includes more information.
Dell EMC SourceOne also provides audit reports. The SourceOne Auditing and Reporting Installation and Administration Guide includes more information.

Other security considerations
This section describes security settings that may not fall in one of the previous sections.
Consider the following Dell EMC recommended security measures:
• Place all Dell EMC SourceOne components behind a firewall.
• Use TLS 1.2 for client web applications.
• Use TLS 1.2 for accessing Dell EMC Atmos/ECS devices.
• Disable TLS 1.0, SSL3 and earlier on the SourceOne server.
• Disable software versions of SSL 3 and earlier.
• Install the latest Windows Security Patch on the Dell EMC SourceOne product server.
• Remove unnecessary local Admin rights for Dell EMC SourceOne account.
• Configure security software (anti-virus software) with Dell EMC SourceOne.
• Configure and change the caching period.
• Set up Network Address Translation (NAT).
• Do not host SQL server and IIS on the same server.
• Use SQL server security hardening.
• Use Windows Server security hardening.
When configuring and administering Dell EMC SourceOne, remove the following from the SQL server:
• Guest rights
• Extended stored procedure rights
• Registry access
• Sample databases
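
To check the TLS items in the list above on a SourceOne server, the following read-only script reports the server-side protocol state configured for Windows SCHANNEL. It is an added example, not part of the Dell EMC guide; the registry location is the standard Windows SCHANNEL one rather than anything SourceOne-specific, and TLS 1.1 is reported for information only because the guide does not mention it.

```powershell
# Added example (not from the Dell EMC guide). Read-only; run on the
# SourceOne server. The registry path is the standard Windows SCHANNEL location.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Expected server-side state per the recommendations in this section.
# $null = not covered by the guide, shown for visibility only.
$Expected = [ordered]@{
    'SSL 2.0' = 'Disabled'
    'SSL 3.0' = 'Disabled'
    'TLS 1.0' = 'Disabled'
    'TLS 1.1' = $null
    'TLS 1.2' = 'Enabled'
}

function Get-SchannelState {
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [ValidateSet('Server', 'Client')][string]$Role = 'Server'
    )
    $key = Join-Path $Base (Join-Path $Protocol $Role)
    # No key or no Enabled value: Windows falls back to its built-in default,
    # which differs between Windows Server releases.
    if (-not (Test-Path -LiteralPath $key)) { return 'NotConfigured' }
    $p = Get-ItemProperty -LiteralPath $key
    if ($null -eq $p.Enabled) { return 'NotConfigured' }
    # Any non-zero value (1 or 0xFFFFFFFF) enables the protocol.
    if ($p.Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
}

$report = foreach ($name in $Expected.Keys) {
    $state = Get-SchannelState -Protocol $name
    $want = $Expected[$name]
    $verdict = if (-not $want) {
        'Info'
    } elseif ($state -eq $want) {
        'OK'
    } elseif ($state -eq 'NotConfigured') {
        'Review: OS default applies'
    } else {
        'Mismatch'
    }
    [pscustomobject]@{
        Protocol    = $name
        ServerState = $state
        Recommended = $want
        Result      = $verdict
    }
}
$report | Format-Table -AutoSize
```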
CHAPTER 3
Secure Deployment and Usage Settings
This section describes how to deploy and use the Dell EMC SourceOne product securely.
• Security controls map
• Secure deployment settings

Security controls map
This section provides a high-level application map to explain the components, data flows, and communications the Dell EMC SourceOne application uses. The map labels security controls used to protect data.
Figure 3 Security controls map

Secure deployment settings
This section includes instructions or references on how to securely deploy and use the Dell EMC SourceOne product.
The following table includes information about deploying the Dell EMC SourceOne product securely.
Table 14 Secure Deployment Settings
Default Setting: In SourceOne Email Management, SSL is disabled by default between the client and server.
Secure Deployment Settings: For the best possible security between the client and server, enable SSL.
Pros of Secure Deployment Settings: Provides a high level of protection for the communication between client and server by avoiding tampering, spoofing, and man in the middle type of attacks.
Cons of Secure Deployment Settings: Impacts performance.
Instructions on how to configure secure deployment settings: The SourceOne Email Management Installation Guide includes SSL configuration instructions.

Default Setting: In SourceOne Discovery Manager, SSL is enabled by default between the client and server.
Secure Deployment Settings: For the best possible security between the client and server, enable SSL.
Pros of Secure Deployment Settings: Provides a high level of protection for the communication between client and server by avoiding tampering, spoofing, and man in the middle type of attacks.
Cons of Secure Deployment Settings: Impacts performance.
Instructions on how to configure secure deployment settings: The SourceOne Discovery Manager Installation and Administration Guide includes SSL configuration instructions.

Default Setting: In SourceOne Email Supervisor, SSL is enabled by default between the client and server.
Secure Deployment Settings: For the best possible security between the client and server, enable SSL.
Pros of Secure Deployment Settings: Provides a high level of protection for the communication between client and server by avoiding tampering, spoofing, and man in the middle type of attacks.
Cons of Secure Deployment Settings: Impacts performance.
Instructions on how to configure secure deployment settings: The SourceOne Email Supervisor Installation Guide includes SSL configuration instructions.

Default Setting: SNMPv1 by default for backward compatibility reasons
Secure Deployment Settings: SNMPv3 by default for best possible security and ability to switch back to SNMPv1 for backward compatibility
Pros of Secure Deployment Settings: Best possible security
Cons of Secure Deployment Settings: By default, backward compatibility is not available.
Instructions on how to configure secure deployment settings: Refer to instructions about how to deploy with SNMPv3 by default and how to switch back to SNMPv1 for backward compatibility.

The following table includes information about recommended default secure protocols and settings.
Table 15 Secure Deployment Settings
Recommended Default Secure Settings | Risks Posed by Turning Off Default Secure Settings
SSL is turned on by default. | By turning off SSL, Dell EMC SourceOne is exposed to tampering, spoofing, and man in the middle type of attacks.
CHAPTER 4
Secure Maintenance
This section describes how to perform secure maintenance of the product.
• Security patch management

Security patch management
This section includes instructions or references to instructions on security patch management. This table lists all the third-party components for which a patch is needed.
Table 16 Security patch management
Third-party component for which patch is needed | Frequency of patch | Dell EMC responsibility (Y/N) | Customer responsibility (Y/N) | Reference to instructions for applying patch
OpenSSL 1.0.2n in SourceOne Email Management | Not applicable | Y | N | SourceOne Email Management Installation Guide
CHAPTER 5
Physical security controls
This section includes instructions or references to instructions about how to secure the product physically. For example, if the product incorporates physical components, how to implement strong physical access controls such as locking cabinets, port locks, physical locks on all external interfaces, and strong access control and intrusion detection mechanisms where the product cabling switches, servers and storage hardware reside. Physical security controls enable the protection of resources against unauthorized physical access and physical tampering.
Dell EMC SourceOne is a software product and does not bundle any specific physical equipment requiring special handling.
• Physical Security Controls

Physical Security Controls
Physical security controls enable the protection of resources against unauthorized physical access and physical tampering. Dell EMC SourceOne is a software product and does not bundle any specific physical equipment requiring special handling.