SourceOne Products Security Configuration · l SourceOne for Microsoft SharePoint Storage...

Date post: 16-Oct-2020
SourceOne Version 7.2 SP6 Products Security Configuration Guide 302-004-820 REV 01
SourceOne
Version 7.2 SP6

Products Security Configuration Guide
302-004-820

REV 01

Copyright © 2005-2018 Dell Inc. or its subsidiaries. All rights reserved.

Published March 2018

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners.

Published in the USA.

Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com

2 SourceOne 7.2 SP6 Products Security Configuration Guide

CONTENTS

Preface

Chapter 1  Overview

Chapter 2  Security Configuration Settings
    Access control settings
        User authentication
        User authorization
        Component access control
    Log settings
        Log description
        Log management and retrieval
    Communication security settings
        Port usage
        Network encryption
    Data security settings
        Encryption of data at rest
        Data integrity
        Data erasure
    Secure serviceability settings
    Security alert system settings
    Other security considerations

Chapter 3  Secure Deployment and Usage Settings
    Security controls map
    Secure deployment settings

Chapter 4  Secure Maintenance
    Security patch management

Chapter 5  Physical security controls
    Physical Security Controls

Preface

As part of an effort to improve its product lines, EMC periodically releases revisions of its software and hardware. Therefore, some functions that are described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information on product features.

Contact your EMC technical support professional if a product does not function correctly or does not function as described in this document.

Note

This document was accurate at publication time. Go to EMC Online Support (https://support.emc.com) to ensure that you are using the latest version of this document.

Purpose

This document describes the security features and settings of Dell EMC SourceOne.

Audience

This document is part of the Dell EMC SourceOne documentation set, and is intended for use by installers of the product, Dell EMC SourceOne system administrators, and mail server administrators.

Revision history

The following table presents the revision history of this document.

Table 1 Revision history

Revision | Date | Description
01 | March 26, 2018 | Initial release of the 7.2 SP6 SourceOne Products Security Configuration Guide.

Related documentation

The SourceOne documentation set includes the following publications.

SourceOne Products:

• SourceOne Products Compatibility Guide
• SourceOne Products Security Configuration Guide

SourceOne Email Management:

• SourceOne Email Management Installation Guide
• SourceOne Email Management Administration Guide
• SourceOne Email Management Release Notes
• SourceOne Email Management Localized Product Release Notes
• SourceOne Auditing and Reporting Installation and Administration Guide
• SourceOne Management Pack for Microsoft System Center Operations Manager Guide
• SourceOne Search User Guide
• SourceOne Disaster Recovery Solution Guide
• SourceOne 7.0 and later SNMP Trap Monitoring Solution Technical Notes

SourceOne Discovery Manager:

• SourceOne Discovery Manager Installation and Administration Guide
• SourceOne Discovery Manager Desktop User Guide
• SourceOne Discovery Manager Web Application User Guide
• SourceOne Discovery Manager Release Notes
• SourceOne Discovery Manager Localized Product Release Notes
• SourceOne Discovery Manager Desktop Quick Reference Cards

SourceOne for File Systems:

• SourceOne for File Systems Installation Guide
• SourceOne for File Systems Administration Guide
• SourceOne for File Systems Release Notes

SourceOne Offline Access:

• SourceOne Offline Access Installation and Administration Guide
• SourceOne Offline Access User Guide
• SourceOne Offline Access Release Notes

SourceOne Archiving for Microsoft SharePoint:

• SourceOne Archiving for Microsoft SharePoint Installation Guide
• SourceOne Archiving for Microsoft SharePoint Administration Guide
• SourceOne Archiving for Microsoft SharePoint Release Notes
• SourceOne Archiving for Microsoft SharePoint Archive Search Quick Reference Card

SourceOne for Microsoft SharePoint Storage Management:

• SourceOne for Microsoft SharePoint Storage Management Installation Guide
• SourceOne for Microsoft SharePoint Storage Management Administration Guide
• SourceOne for Microsoft SharePoint Storage Management Release Notes

SourceOne Email Supervisor:

• SourceOne Email Supervisor Installation Guide
• SourceOne Email Supervisor Administration Guide
• SourceOne Email Supervisor Web Application (Reviewer and Reports) Guide
• SourceOne Email Supervisor Release Notes

Special notice conventions that are used in this document

EMC uses the following conventions for special notices:

NOTICE

Identifies content that warns of potential business or data loss.

Note

Contains information that is incidental, but not essential, to the topic.

Typographical conventions

EMC uses the following type style conventions in this document:

Table 2 Style conventions

Bold
    Used for names of interface elements, such as names of buttons, fields, tab names, and menu paths (what the user specifically selects or clicks)

Italic
    Used for full titles of publications that are referenced in text

Monospace
    Used for:
    • System code
    • System output, such as an error message or script
    • Pathnames, file names, prompts, and syntax
    • Commands and options

Monospace italic
    Used for variables

Monospace bold
    Used for user input

[ ]
    Square brackets enclose optional values

|
    Vertical bar indicates alternate selections - the bar means “or”

{ }
    Braces enclose content that the user must specify, such as x or y or z

...
    Ellipses indicate non-essential information that is omitted from the example

Where to get help

EMC support, product, and licensing information can be obtained as follows:

Product information

For documentation, release notes, software updates, or information about EMC products, go to EMC Online Support at https://support.emc.com.

Technical support

Go to EMC Online Support at https://support.emc.com, and click Service Center. Several options for contacting EMC Technical Support appear on the site. Note that to open a service request, you must have a valid support agreement. Contact your EMC sales representative for details about obtaining a valid support agreement or with questions about your account.

Online communities

Go to the EMC Community Network at https://community.emc.com for peer contacts, conversations, and content on product support and solutions. Interactively engage online with customers, partners, and certified professionals for all EMC products.

Your comments

Your suggestions help to improve the accuracy, organization, and overall quality of the user publications. Send your opinions of this document to [email protected].

CHAPTER 1

Overview

This guide provides an overview of security configuration for all Dell EMC SourceOne products. Topics in this guide include:

• Security Configuration Settings—Describes settings available in the product to ensure a secure operation of the product.
• Secure Deployment and Usage Settings—Describes instructions on how to deploy the product securely and how to use the product securely.
• Secure Maintenance—Describes how to perform secure maintenance of the product.
• Physical Security Controls—Describes controls needed to protect the product components against unauthorized physical access and physical tampering.

CHAPTER 2

Security Configuration Settings

This section provides an overview of the settings available to ensure secure operations of the Dell EMC SourceOne product.

• Access control settings
• Log settings
• Communication security settings
• Data security settings
• Secure serviceability settings
• Security alert system settings
• Other security considerations

Access control settings

This section describes settings available to limit access by end users or by external product components.

User authentication

User authentication settings control the process of verifying an identity claimed by a user for accessing the product.

Default accounts

The Dell EMC SourceOne product does not provide any pre-configured default accounts. The following accounts must be configured as a prerequisite for product installation and administration.

• Product installation account
• Primary service account
• Outlook Web Access (OWA) service account
• Master service account (optional)
• Product console administrator
• Product system administrator

In addition to these accounts, a Dell EMC SourceOne Security group must be created to host the service accounts. An Admins group can be created to host console administrator accounts.

Authentication configuration

This section discusses how to configure accounts.

Active Directory

This section includes an accounts and permissions checklist for Active Directory.

Table 3 Accounts and permissions checklist—Active Directory

Accounts and groups: Primary Service account
Details:
    All environments
    The Dell EMC SourceOne primary service account is required in all environments to process Dell EMC SourceOne activities. Details:
    • Password does not need to be changed at next login.
    • Account does not expire.
    • Password does not expire.
    • Must be in the same domain as the Dell EMC SourceOne servers.
    SourceOne Email Management environments only
    In Exchange environments, you can optionally create an Exchange mailbox for the primary service account.

Accounts and groups: Master Services service account (optional)
Details:
    All environments
    The optional Dell EMC SourceOne Master Services service account is specified during Master Services installation. You can alternatively use the primary service account.
    Details:
    • Password does not need to be changed at next login.
    • Account does not expire.
    • Password does not expire.
    • Must be in the same domain as the Dell EMC SourceOne servers.

Accounts and groups: OWA service account (optional)
Details:
    SourceOne Email Management environments only
    The Dell EMC SourceOne OWA service account is specified during Extensions for OWA installation on Exchange. You can alternatively use the primary service account.
    Details:
    • Password does not need to be changed at next login.
    • Account does not expire.
    • Password does not expire.
    • Must be in the same domain as the Dell EMC SourceOne servers.

Accounts and groups: Security group
Details:
    All environments
    Create the Dell EMC SourceOne security group. This group houses the service accounts used with Dell EMC SourceOne. Details:
    • Created in a domain that is fully trusted by the domains Dell EMC SourceOne applications are running.
    • Group scope is Universal, or Global if Universal is not available in the environment.
    • Group type is Security.
    • Group name does not contain special characters.

Accounts and groups: Add service accounts to security group
Details:
    All environments
    Add the following accounts:
    • Dell EMC SourceOne primary service account.
    • Dell EMC SourceOne Master Services service account (if used).
    • Dell EMC SourceOne OWA service account (if used).
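The Table 3 checklist can be audited after the accounts are created. The following PowerShell is an added example, not part of the guide or the product; it uses the ActiveDirectory module, and every account, group and domain name in it is a placeholder. It also reports password age, since the service accounts are required to have non-expiring passwords.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the guide. Audits the Table 3 checklist.
# Every account, group and domain name used here is a placeholder.

function New-CheckResult {
    param([string]$Subject, [string]$Check, [bool]$Pass, [string]$Observed)
    [pscustomobject]@{ Subject = $Subject; Check = $Check; Pass = $Pass; Observed = $Observed }
}

function Test-SourceOneAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ServerDomain   # domain of the SourceOne servers
    )
    $sameDomain = 'Same domain as SourceOne servers'
    $props = 'PasswordNeverExpires', 'AccountExpirationDate', 'pwdLastSet', 'PasswordLastSet'
    try {
        # Querying a DC of the server domain only finds accounts that live in that domain.
        $user = Get-ADUser -Identity $SamAccountName -Server $ServerDomain -Properties $props -ErrorAction Stop
    } catch {
        return New-CheckResult -Subject $SamAccountName -Check $sameDomain -Pass $false -Observed $_.Exception.Message
    }
    New-CheckResult -Subject $SamAccountName -Check $sameDomain -Pass $true -Observed $user.DistinguishedName

    # pwdLastSet = 0 is how AD stores "User must change password at next logon".
    New-CheckResult -Subject $SamAccountName -Check 'Password does not need to be changed at next login' `
        -Pass ($user.pwdLastSet -ne 0) -Observed "pwdLastSet=$($user.pwdLastSet)"

    # AccountExpirationDate is $null when the account is set to never expire.
    New-CheckResult -Subject $SamAccountName -Check 'Account does not expire' `
        -Pass ($null -eq $user.AccountExpirationDate) -Observed "AccountExpirationDate=$($user.AccountExpirationDate)"

    # Password age is informational: it is not a checklist item.
    $age = if ($user.PasswordLastSet) { [int]((Get-Date) - $user.PasswordLastSet).TotalDays } else { 'n/a' }
    New-CheckResult -Subject $SamAccountName -Check 'Password does not expire' `
        -Pass ([bool]$user.PasswordNeverExpires) -Observed "PasswordNeverExpires=$($user.PasswordNeverExpires); password age (days)=$age"
}

function Test-SourceOneSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$GroupDomain,
        [Parameter(Mandatory)][string[]]$ServiceAccounts
    )
    # The "fully trusted domain" item is not checked here; verify trusts separately.
    $group    = Get-ADGroup -Identity $GroupName -Server $GroupDomain -ErrorAction Stop
    $scope    = [string]$group.GroupScope
    $category = [string]$group.GroupCategory

    New-CheckResult -Subject $GroupName -Check 'Group scope is Universal (or Global)' `
        -Pass ($scope -in 'Universal', 'Global') -Observed $scope
    New-CheckResult -Subject $GroupName -Check 'Group type is Security' `
        -Pass ($category -eq 'Security') -Observed $category

    # Assumption: "special characters" means anything other than letters,
    # digits, space, hyphen and underscore. The guide does not define the set.
    New-CheckResult -Subject $GroupName -Check 'Group name has no special characters' `
        -Pass ($group.Name -match '^[A-Za-z0-9 _-]+$') -Observed $group.Name

    # Direct members only, matching the "add the following accounts" step.
    $members = @(Get-ADGroupMember -Identity $group -Server $GroupDomain | ForEach-Object SamAccountName)
    foreach ($account in $ServiceAccounts) {
        New-CheckResult -Subject $GroupName -Check "Contains service account $account" `
            -Pass ($members -contains $account) -Observed "$($members.Count) direct member(s)"
    }
}

# Placeholder values; replace with the names used in your environment.
$domain   = 'corp.example.com'
$accounts = 'svc-s1-primary', 'svc-s1-master', 'svc-s1-owa'

$report  = @($accounts | ForEach-Object { Test-SourceOneAccount -SamAccountName $_ -ServerDomain $domain })
$report += @(Test-SourceOneSecurityGroup -GroupName 'S1-Security' -GroupDomain $domain -ServiceAccounts $accounts)
$report | Sort-Object Pass | Format-Table -AutoSize -Wrap
```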

Dell EMC SourceOne

This section includes the account and permission assignments for Dell EMC SourceOne.

Table 4 Accounts and permissions—permissions assignment

Environment/System: MIME drop directories
Task: Configure drop directory permissions for MIME management
Details:
    For drop directories into which you place MIME messages to be archived by Dell EMC SourceOne:
    • Sharing tab—Configure the security group with Full Control permissions to the share.
    • Security tab—Configure the security group with Full Control permissions to the share.
Validation:
    1. Log in to a system as the primary service account.
    2. Access the share and create a text file.
    3. Delete the text file.

Environment/System: NSF drop directories
Task: Configure drop directory permissions for NSF management
Details:
    For drop directories into which you place NSF files to be archived by Dell EMC SourceOne:
    • Sharing tab—Configure the security group with Full Control permissions to the share.
    • Security tab—Configure the security group with Full Control permissions to the share.
Validation:
    1. Log in to a system as the primary service account.
    2. Access the share and create a text file.
    3. Delete the text file.

Environment/System: PST drop directories
Task: Configure drop directory permissions for PST management
Details:
    For drop directories into which you place PST files to be archived by Dell EMC SourceOne in a single Exchange forest configuration:
    • Sharing tab—Configure the security group with Full Control permissions to the share.
    • Security tab—Configure the security group with Full Control permissions to the share.
    See the SourceOne Email Management Administration Guide for considerations in an Exchange resource forest configuration.
Validation:
    1. Log in to a system as the Dell EMC SourceOne primary service account.
    2. Access the share and create a text file.
    3. Delete the text file.

Environment/System: Network computers
Task: Configure PST discovery permissions
Details:
    To support PST discovery and management on network computers in a single Microsoft Exchange forest configuration, add the Dell EMC SourceOne security group as member of local Administrators group for these computers.
    See the SourceOne Email Management Administration Guide for considerations in an Exchange resource forest configuration.
Validation:
    Network computers:
    1. Log in to a system as the Dell EMC SourceOne primary service account.
    2. Access a computer from My Network Places.
    3. Access C$ drive.
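The drop directory rows of Table 4 can be validated in one pass: the Sharing tab and Security tab entries are read back, then the create and delete steps are performed. This PowerShell is an added example, not part of the guide; the UNC paths and group name are placeholders, and it assumes a Windows file server that answers Get-SmbShareAccess and a session started as the primary service account.

```powershell
# Added example, not part of the guide. Run it in a session started as the
# primary service account. Paths and the group name below are placeholders.

function Test-DropDirectory {
    param(
        [Parameter(Mandatory)][string]$UncPath,        # \\server\share[\subfolder]
        [Parameter(Mandatory)][string]$SecurityGroup   # DOMAIN\GroupName
    )
    $parts  = $UncPath.TrimStart('\') -split '\\'
    $server = $parts[0]
    $share  = $parts[1]

    # Sharing tab: the security group needs an Allow/Full entry on the share.
    # Assumes a Windows file server and rights to query its share ACL.
    $shareAcl = @(Get-SmbShareAccess -Name $share -CimSession $server -ErrorAction Stop)
    $shareOk  = [bool]($shareAcl | Where-Object {
        $_.AccountName -eq $SecurityGroup -and
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -eq 'Full'
    })

    # Security tab: the security group needs an Allow/FullControl NTFS entry.
    $full   = [System.Security.AccessControl.FileSystemRights]::FullControl
    $ntfsOk = [bool]((Get-Acl -LiteralPath $UncPath).Access | Where-Object {
        $_.IdentityReference.Value -eq $SecurityGroup -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.HasFlag($full)
    })

    # Validation steps 2 and 3: create a text file on the share, then delete it.
    $probe    = Join-Path $UncPath ('s1-probe-{0}.txt' -f [guid]::NewGuid())
    $writeOk  = $false
    $deleteOk = $false
    try {
        Set-Content -LiteralPath $probe -Value 'SourceOne drop directory validation' -ErrorAction Stop
        $writeOk = $true
        Remove-Item -LiteralPath $probe -ErrorAction Stop
        $deleteOk = $true
    } catch {
        Write-Warning "Probe on $UncPath failed: $($_.Exception.Message)"
    }

    # The guide only requires Full Control for the security group. The other
    # share entries are listed so they can be reviewed, not judged here.
    $others = $shareAcl | Where-Object { $_.AccountName -ne $SecurityGroup } |
        ForEach-Object { '{0}:{1}/{2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight }

    [pscustomobject]@{
        Path              = $UncPath
        RunningAs         = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        ShareFullControl  = $shareOk
        NtfsFullControl   = $ntfsOk
        CreateFile        = $writeOk
        DeleteFile        = $deleteOk
        OtherShareEntries = ($others -join '; ')
    }
}

# Placeholder drop directories for MIME, NSF and PST management.
$dropDirectories = '\\fs01.corp.example.com\S1-MIME',
                   '\\fs01.corp.example.com\S1-NSF',
                   '\\fs01.corp.example.com\S1-PST'

$dropDirectories |
    ForEach-Object { Test-DropDirectory -UncPath $_ -SecurityGroup 'CORP\S1-Security' } |
    Format-List
```

If the create step succeeds and the delete step fails, the probe file named in the warning remains on the share and has to be removed by hand.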

Microsoft Exchange

This section includes the account and permission assignments for Microsoft Exchange.

Table 5 Accounts and permissions—Microsoft Exchange

Task: Create Exchange journaling mailboxes.
Details:
    Create one or more Microsoft Exchange journaling mailboxes. A journaling user account is associated with an Exchange journaling mailbox that collects messages generated on a Mailbox Store. Most configurations will consist of several journaling users and mailboxes.
    Envelope journaling is required for Dell EMC SourceOne.
    A journaling user account is created in Active Directory and must have the following characteristics:
    • Member of Domain Users group.
    • Password does not need to be changed at next login.
    • Password does not expire.
    • Account does not expire.
    • Journaling users/mailboxes
Validation:
    Ensure mailboxes created.

Task: Configure general Exchange permissions.
Details:
    Grant the Dell EMC SourceOne primary service account and the Dell EMC SourceOne Admins group the following permission:
    • Exchange View-Only Administrator (at the Organization level)
    Note
    If using Microsoft Exchange 2010 in a mixed environment, that includes both Microsoft Exchange 2010 and a previous Microsoft Exchange version, you must explicitly configure these permissions in Microsoft Exchange 2010, as they do not automatically propagate over from previous Microsoft Exchange versions.
Validation:
    1. Start the Dell EMC SourceOne Console.
    2. Check that the administrator can view the mail server hierarchy from the Dell EMC SourceOne Console.

Task: Configure permissions for journaling mailboxes.
Details:
    Grant the Dell EMC SourceOne primary service account access rights to each journaling mailbox.
    Microsoft Exchange 2013 Server
    • Full mailbox access
    Microsoft Exchange 2010 Server
    • Full mailbox access
    Microsoft Exchange 2007 Server
    • Full mailbox access
Validation:
    Test journaling mailbox access:
    1. Open Outlook as the primary service account.
    2. Open the journal mailbox Inbox folder.
    3. Add and delete a message.

Task: Configure permissions for user mailboxes.
Details:
    To support storage management, which requires a higher level of permissions to access and change mailbox contents, configure the following permissions depending on the Microsoft Exchange version.
    Note
    In a mixed environment of Microsoft Exchange 2010 and Microsoft Exchange 2013, mail does not get pulled from the Microsoft Exchange 2013 journaling mailboxes. When logging into the Worker, errors will occur. When pulling mail from the journals on the Microsoft Exchange 2013 server, jobs will fail. To avoid these errors and jobs failing, in Account Settings, change the Outlook configuration on the workers by selecting the Connect to Microsoft Exchange using HTTP checkbox.

    Microsoft Exchange 2013
    Grant the Dell EMC SourceOne primary service account the following extended permissions:
    • Receive As
    Note
    In a mixed environment, for example, Microsoft Exchange 2013 and a previous version of Microsoft Exchange, grant these permissions at the mailbox database level, targeting only the mailboxes on Microsoft Exchange 2013. You can then use the permissions described in the following section for mailboxes hosted on previous Microsoft Exchange versions.

    Microsoft Exchange 2010
    Grant the Dell EMC SourceOne primary service account the following extended permissions:
    • Receive As
    Note
    In a mixed environment, for example, Microsoft Exchange 2010 and a previous version of Microsoft Exchange, grant these permissions at the mailbox database level, targeting only the mailboxes on Microsoft Exchange 2010. You can then use the permissions described in the following section for mailboxes hosted on previous Microsoft Exchange versions.

    Microsoft Exchange 2007
    Grant the Dell EMC SourceOne primary service account the following extended permissions:
    • Receive As
    • Send As
    Note
    These permissions can be granted at the Organization level (highest) to the individual mailbox level (lowest).
Validation:
    Storage management:
    1. Open Outlook as the primary service account.
    2. Open a test user mailbox Inbox folder.
    3. Add and delete a message.

Task: Review Exchange 2010 considerations.
Details:
    Review the following considerations if using Dell EMC SourceOne in an environment that includes Microsoft Exchange 2010:
    • Microsoft Exchange 2010 replaced the permissions model used in Microsoft Exchange 2007 with a Role Based Access Control (RBAC) permissions model. Refer to the Microsoft Exchange 2010 documentation set for more information.
    • Microsoft Exchange 2010 takes two hours to update the permissions cache. Restart the Microsoft Exchange Information Store after applying permissions to activate the changes.
Validation:
    None.

Task: Review Exchange 2013 considerations.
Details:
    Review the following considerations if using Dell EMC SourceOne in an environment that includes Microsoft Exchange 2010:
    • Microsoft Exchange 2013 takes two hours to update the permissions cache. Restart the Microsoft Exchange Information Store after applying permissions to activate the changes.
Validation:
    None.

IBM Domino

This section includes the account and permission assignments for IBM Domino.

Table 6 Accounts and permissions—IBM Domino

Task: Create Dell EMC SourceOne Lotus Notes account.
Details:
    This account will later be specified on Dell EMC SourceOne host computers to support message processing in a Domino environment.
    To support all Dell EMC SourceOne activities, configure the account with:
    • Manager privileges for all users mail files.
    • Delete access to all mailboxes.
    To support all Dell EMC SourceOne activities except archiving messages based on read or unread status, restoring messages from Dell EMC SourceOne Search, and user-directed archiving:
    • Editor privileges for all users mail files.
    • Delete access to all mailboxes.
Validation:
    Account name:
    1. Open a user NSF file for test purposes as the Dell EMC SourceOne Notes user.
    2. Add data.
    3. Delete the data.

Task: Configure Internet address and password for Lotus Notes users.
Details:
    Ensure Lotus Notes users have an Internet address and password configured. This is required for Notes users to use Dell EMC SourceOne Search.
Validation:
    After Dell EMC SourceOne is installed, confirm that a Notes user can log in to Dell EMC SourceOne Search.

User actions performed without authentication

Users cannot perform any actions without authentication. Before starting the Dell EMC SourceOne Console, user authentication occurs when users log in to their Windows system. A user must be configured as a console administrator through Windows security assignment before the user can perform any action within the Dell EMC SourceOne Console.

User authorization

This section outlines the user authorization settings, control rights, and permissions that are granted to a user to access a resource that is managed by Dell EMC SourceOne.

Dell EMC SourceOne Console

The Dell EMC SourceOne Console Management subsystem restricts the ability to query, modify, delete, or select the user and group map folder permissions to Dell EMC SourceOne Console Administrators. Through the Permissions page of the New Folder Wizard, Dell EMC SourceOne Console Administrators can specify the users and groups who can access a folder and the permissions each user and group has on the folder.

These values are then passed to the Database Provider Subsystem to be entered into the Activity database.

Table 7 Dell EMC SourceOne Console

Task | Resource | Role
Assign/unassign | Windows Users, Windows Groups, and LDAP Query Groups | Console Administrator or Dell EMC SourceOne Administrator (defined through primary service account)
Create, modify, and delete | Policies, activities, and rules | Console Administrator
Create and delete | Native Archive folders | Console Administrator
View, create, modify, copy, and delete | Dell EMC SourceOne mapped folders | Console Administrator
Assign, modify, delete | User and group permissions on mapped folders | Console Administrator
Modify | Native Archive folder properties | Console Administrator
View, edit | Worker properties | Console Administrator
Specify | Users to be audited ("audited users") | Console Administrator
Select | Events to be audited | Console Administrator

Dell EMC SourceOne Reporting

You can use the Dell EMC SourceOne reporting tools to view role and to audit reports. The SourceOne Auditing and Reporting Installation and Administration Guide provides detailed information.

Table 8 Dell EMC SourceOne Reporting

Task | Resource | Role
Assign | users to Roles for access to audit reports | Dell EMC SourceOne Administrator
View and customize | Audit reports | Content Manager
View | Audit reports | Browser role

Component access control

Component access control settings define control over access to the product by external and internal systems or components. Components are sub-systems of the product that typically interact over the network and often have their own security settings. Examples include Agents, Database, Console, and Host Servers.

The key components are listed as follows:

• SQL Database server
• Master computers
• Worker computers
• Archive servers
• Web server
• File shares and storage
• Mail servers
• Elasticsearch Worker server

Component authentication

This section describes how to configure authentication of remote components.

Dell EMC SourceOne accounts and permissions

This table includes the component authentication accounts and permissions for Dell EMC SourceOne.

Table 9 Accounts and permissions—permissions assignment

Environment/System | Task | Details | Validation

Environment/System: Microsoft SQL Server
Task: Configure Microsoft SQL database install permissions and Security Logins.
Details: Ensure that the installation account is a local administrator and has the SQL sysadmin role. Configure the following groups and accounts as Security Logins in SQL Server:
- Dell EMC SourceOne security group
- Dell EMC SourceOne Admins group
- Dell EMC SourceOne installation accounts
After Dell EMC SourceOne databases are installed, you assign individual database privileges to these logins.
Validation: After Dell EMC SourceOne is installed, use the ODBC Test Connection function to confirm the connection.

Environment/System: Master computers
Task: Add service account to local administrators group.
Details: Add one of the following service accounts as a member of the local administrators group for this computer:
- Primary service account, or
- Master Services service account if used
This account is required to be a member of this group to run the SourceOne Job Scheduler service.
Validation: Ensure accounts were added.

Environment/System: Master computers
Task: Add installation account to local administrators group.
Details: Add the Dell EMC SourceOne installation account as a member of the local administrators group for this computer. You can remove this user from the group after the installation completes. Alternatively you can use an existing account that is a member of the local administrators group to install the software.
Validation: Ensure you can log in using this account.

Environment/System: Worker computers
Task: Add installation account to local administrators group.
Details: Add the Dell EMC SourceOne installation account as a member of the local administrators group for this computer. You can remove this user from the group after the installation completes. Alternatively you can use an existing account that is a member of the local administrators group to install the software.
Validation: Ensure you can log in using this account.

Environment/System: Dell EMC SourceOne Native Archive computers
Task: Add installation account to local administrators group.
Details: Add the Dell EMC SourceOne installation account as a member of the local administrators group for this computer. You can remove this user from the group after the installation completes. Alternatively you can use an existing account that is a member of the local administrators group to install the software.
Validation: Ensure you can log in using this account.

Environment/System: Console client computers
Task: Add installation account to local administrators group.
Details: Add the Dell EMC SourceOne installation account as a member of the local administrators group for this computer. You can remove this user from the group after the installation completes. Alternatively you can use an existing account that is a member of the local administrators group to install the software.
Validation: Ensure you can log in using this account.

Environment/System: Storage
Task: Configure storage location permissions.
Details: Configure Dell EMC SourceOne Security Group with permissions for the following storage locations:
- Message Center location
- Archive location
- Index location
- Job detail log file location
Configure the following permissions for each location:
- Sharing tab—Configure the security group with Full Control permissions to the share.
- Security tab—Configure the security group with Full Control permissions to the share.
Validation:
1. Log in to a system as the primary service account.
2. Access the share and create a text file.
3. Delete the text file.

Environment/System: Dell EMC DiskXtender
Task: Add security group to DX administrators group.
Details: If using Dell EMC DiskXtender, add the Dell EMC SourceOne Security Group to the DxAdministrators group on the Dell EMC DiskXtender server.
Validation: Ensure the group is added.

Environment/System: MIME drop directories
Task: Configure drop directory permissions for MIME management.
Details: For drop directories into which you place MIME messages to be archived by Dell EMC SourceOne:
- Sharing tab—Configure the security group with Full Control permissions to the share.
- Security tab—Configure the security group with Full Control permissions to the share.
Validation:
1. Log in to a system as the primary service account.
2. Access the share and create a text file.
3. Delete the text file.

Environment/System: NSF drop directories
Task: Configure drop directory permissions for NSF management.
Details: For drop directories into which you place NSF files to be archived by Dell EMC SourceOne:
- Sharing tab—Configure the security group with Full Control permissions to the share.
- Security tab—Configure the security group with Full Control permissions to the share.
Validation:
1. Log in to a system as the primary service account.
2. Access the share and create a text file.
3. Delete the text file.

Environment/System: PST drop directories
Task: Configure drop directory permissions for PST management.
Details: For drop directories into which you place PST files to be archived by Dell EMC SourceOne in a single Microsoft Exchange forest configuration:
- Sharing tab—Configure the security group with Full Control permissions to the share.
- Security tab—Configure the security group with Full Control permissions to the share.
See the SourceOne Email Management Administration Guide for considerations in an Exchange resource forest configuration.
Validation:
1. Log in to a system as the Dell EMC SourceOne primary service account.
2. Access the share and create a text file.
3. Delete the text file.

Environment/System: Network computers
Task: Configure PST discovery permissions.
Details: To support PST discovery and management on network computers in a single Microsoft Exchange forest configuration, add the Dell EMC SourceOne security group as member of local Administrators group for these computers. See the SourceOne Email Management Administration Guide for considerations in an Exchange resource forest configuration.
Validation: Network computers:
1. Log in to a system as the Dell EMC SourceOne primary service account.
2. Access a computer from My Network Places.
3. Access C$ drive.
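The create-and-delete validation that Table 9 prescribes for the storage locations and the MIME, NSF and PST drop directories can be scripted. The following is an added PowerShell example, not part of the Dell EMC guide; it assumes the session is started as the primary service account, and the share paths and group name are placeholders.

```powershell
# Added example. Start this session as the SourceOne primary service account
# (for instance: runas /user:DOMAIN\account powershell.exe).
# Placeholders (not from the guide): share paths and the security group name.
$SecurityGroup = 'EXAMPLE\SourceOne Security Group'
$Locations = @(
    '\\fileserver.example.com\MessageCenter',
    '\\fileserver.example.com\Archive',
    '\\fileserver.example.com\Index',
    '\\fileserver.example.com\JobLogs',
    '\\fileserver.example.com\MimeDrop'
)

function Test-ShareWriteDelete {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group
    )

    $result = [ordered]@{
        Path            = $Path
        RunAs           = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        CanCreate       = $false
        CanDelete       = $false
        GroupNtfsRights = $null
        Error           = $null
    }

    # Validation steps 2 and 3: create a text file on the share, then delete it.
    # Effective access over SMB is the more restrictive of the share permission
    # (Sharing tab) and the NTFS permission (Security tab), so this exercises both.
    $probe = Join-Path -Path $Path -ChildPath ('s1-validate-{0}.txt' -f [guid]::NewGuid())
    try {
        Set-Content -LiteralPath $probe -Value 'share validation probe' -ErrorAction Stop
        $result.CanCreate = $true
        Remove-Item -LiteralPath $probe -ErrorAction Stop
        $result.CanDelete = -not (Test-Path -LiteralPath $probe)
    }
    catch {
        $result.Error = $_.Exception.Message
    }

    # Security tab: record which Allow rights the group holds on the folder, so a
    # pass that comes from some other group membership is visible in the report.
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        $rights = $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Group } |
            ForEach-Object { $_.FileSystemRights.ToString() }
        $result.GroupNtfsRights = @($rights) -join '; '
    }
    catch {
        if (-not $result.Error) { $result.Error = $_.Exception.Message }
    }

    [pscustomobject]$result
}

$report = foreach ($location in $Locations) {
    Test-ShareWriteDelete -Path $location -Group $SecurityGroup
}
$report | Format-List

# Summarize every location where the create or delete step did not succeed.
$failed = @($report | Where-Object { -not ($_.CanCreate -and $_.CanDelete) })
if ($failed.Count -gt 0) {
    Write-Warning ('Validation failed for: {0}' -f ($failed.Path -join ', '))
}
```

An empty GroupNtfsRights value next to a passing write test means the account's access comes from a different group or a direct grant, which is worth reconciling with the table.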

Microsoft Exchange accounts and permissions

This table includes the component authentication accounts and permissions for Microsoft Exchange.

Table 10 Accounts and permissions—Microsoft Exchange

Task | Details | Validation

Task: Create Microsoft Exchange journaling mailboxes.
Details: Create one or more Exchange journaling mailboxes. A journaling user account is associated with an Exchange journaling mailbox that collects messages that are generated on a Mailbox Store. Most configurations consist of several journaling users and mailboxes.
Envelope journaling is required for Dell EMC SourceOne.
A journaling user account is created in Active Directory and must have the following characteristics:
- Member of Domain Users group.
- Password does not need to be changed at next login.
- Password does not expire.
- Account does not expire.
- Journaling users/mailboxes
Validation: Ensure mailboxes created.

Task: Configure general Microsoft Exchange permissions.
Details: Grant the Dell EMC SourceOne primary service account and the Dell EMC SourceOne Admins group the following permissions:
Exchange View-Only Administrator (at the Organization level)
Note: If using Microsoft Exchange 2010 in a mixed environment, which includes both Microsoft Exchange 2010 and a previous Microsoft Exchange version, then you must explicitly configure these permissions in Microsoft Exchange 2010. Permissions do not automatically propagate over from previous Microsoft Exchange versions.
Validation:
1. Start the Dell EMC SourceOne Console.
2. Check that the administrator can view the mail server hierarchy from the Dell EMC SourceOne Console.

Task: Configure permissions for journaling mailboxes.
Details: Grant the Dell EMC SourceOne primary service account access rights to each journaling mailbox.
Microsoft Exchange 2013 Server
- Full mailbox access
Microsoft Exchange 2010 Server
- Full mailbox access
Microsoft Exchange 2007 Server
- Full mailbox access
Validation: Test journaling mailbox access:
1. Open Outlook as the primary service account.
2. Open the journal mailbox Inbox folder.
3. Add and delete a message.

Task: Configure permissions for user mailboxes.
Details: To support storage management which requires a higher level of permissions to access and change mailbox contents, configure the following permissions depending on the Microsoft Exchange version.
Note: In a mixed environment of Microsoft Exchange 2010 and Microsoft Exchange 2013, mail does not get pulled from the Exchange 2013 journaling mailboxes. When logging in to the Worker, errors occur. When pulling mail from the journals on the Microsoft Exchange 2013 server, jobs fail. To work around these limitations, from the Account Settings, change the Outlook configuration on the workers by selecting the Connect to Microsoft Exchange using HTTP checkbox.
Microsoft Exchange 2013
Grant the Dell EMC SourceOne primary service account the following extended permissions:
- Receive As
Note: In a mixed environment, for example, Microsoft Exchange 2013 and a previous version of Microsoft Exchange, grant these permissions at the mailbox database level, targeting only the mailboxes on Microsoft Exchange 2013. You can then use the permissions that are described in the following section for mailboxes that are hosted on previous Microsoft Exchange versions.
Microsoft Exchange 2010
Grant the Dell EMC SourceOne primary service account the following extended permissions:
- Receive As
Note: In a mixed environment, for example, Microsoft Exchange 2010 and a previous version of Microsoft Exchange, grant these permissions at the mailbox database level, targeting only the mailboxes on Microsoft Exchange 2010. You can then use the permissions that are described in the following section for mailboxes that are hosted on previous Microsoft Exchange versions.
Microsoft Exchange 2007
Grant the Dell EMC SourceOne primary service account the following extended permissions:
- Receive As
- Send As
Note: These permissions can be granted at the Organization level (highest) to the individual mailbox level (lowest).
Validation: Storage management:
1. Open Outlook as the primary service account.
2. Open a test user mailbox Inbox folder.
3. Add and delete a message.

Task: Review Microsoft Exchange 2010 considerations.
Details: Review the following considerations if using Dell EMC SourceOne in an environment that includes Microsoft Exchange 2010:
- Microsoft Exchange 2010 replaced the permissions model that is used in Microsoft Exchange 2007 with a Role Based Access Control (RBAC) permissions model. Refer to the Microsoft Exchange 2010 documentation set for more information.
- Microsoft Exchange 2010 takes 2 hours to update the permissions cache. Restart the Microsoft Exchange Information Store after applying permissions to activate the changes.
Validation: None.

Task: Review Microsoft Exchange 2013 considerations.
Details: Review the following considerations if using Dell EMC SourceOne in an environment that includes Microsoft Exchange 2010:
- Microsoft Exchange 2013 takes 2 hours to update the permissions cache. Restart the Microsoft Exchange Information Store after applying permissions to activate the changes.
Validation: None.

IBM Domino accounts and permissions

This table includes the component authentication accounts and permissions for IBM Domino.

Table 11 Accounts and permissions—IBM Domino

Task | Details | Validation

Task: Create Dell EMC SourceOne IBM Notes account.
Details: This account is specified later on Dell EMC SourceOne host computers to support message processing in an IBM Domino environment.
To support all Dell EMC SourceOne activities, configure the account with:
- Manager privileges for all users mail files.
- Delete access to all mailboxes.
To support all Dell EMC SourceOne activities except archiving messages based on read or unread status, restoring messages from Dell EMC SourceOne Search, and user-directed archiving:
- Editor privileges for all users mail files.
- Delete access to all mailboxes.
Validation: Account name:
1. Open a user NSF file for test purposes as the Dell EMC SourceOne Notes user.
2. Add data.
3. Delete the data.

Task: Configure Internet address and password for IBM Notes users
Details: Ensure IBM Notes users have an Internet address and password configured. This is required for IBM Notes users to use Dell EMC SourceOne Search.
Validation: After Dell EMC SourceOne is installed, confirm that an IBM Notes user can log in to Dell EMC SourceOne Search.

Component authorization

This section includes instructions or references to instructions on how to configure the product to restrict access to remote components or systems (for example, LUN masking or IP filtering).

Log settings

This section describes settings related to the logging of events. A log is a chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to final results.

Log description

This table lists all relevant logs including their location, for example, file path or database, on a system and a description of their content. This table only includes event logs and does not include trace and debug logs.

Table 12 Log files

Log file | Location
SQL Database server | Windows event log/Application
Master server | Windows event log/Application/Dell EMC
Worker server | Windows event log/Application/Dell EMC
Archive server | Windows event log/Application/Dell EMC
IIS Web server | On IIS server:
- Event Viewer\Custom Views\Server Roles\Web Server (IIS)
- Event Viewer\Applications and Services Logs\Microsoft\Windows\IIS-Configuration
- Event Viewer\Applications and Services Logs\Microsoft\Windows\IIS-Logging
On IIS server disk:
- C:\inetpub\logs\LogFiles
- C:\Windows\System32\LogFiles
- C:\Windows\System32\inetsrv

Log management and retrieval

This section includes instructions on how to configure log management and retention policies.

Standard Windows event log management procedures can be applied. Refer to Microsoft documentation on Windows event log and alert management.

Log roll-over

This section includes information about log roll-over.

Configuration of an external Syslog server

This section includes information about the configuration of an external Syslog server.

Configuration of logging levels

This section includes information about the configuration of logging levels.

Configuration of alert mechanisms

This section includes information about the configuration of alert mechanisms.

Configuration for external log management tools like envision

This section includes information about the configuration for external log management tools like envision.

Configuration of time synchronization with external source

This section includes information about the configuration of time synchronization with external source. For example, using NTP, and Windows Time Service.

Accessing log files

This section includes instructions or references to instructions on how a customer can access log files.

Communication security settings

This section describes settings that are related to security for the product network communications. Communication security settings enable the establishment of secure communication channels between the product components as well as between product components and external systems or components.

Port usage

This table lists all the network ports, services, and protocols that are used by the product components. Information in the table includes what external interfaces, ports, and services must be open or enabled for proper operation of the product as well as the configurable default ports. Use this information when using the Dell EMC SourceOne product along with a firewall.

Table 13 Port usage

Component | Service | Protocol | Port
SourceOne Offline Access | Document Management Service | TCP/HTTP | 8001/8002
Search | Not applicable | TCP/HTTP | 80/443. Port 80 when TLS/SSL is disabled. Port 443 when TLS/SSL is enabled.
Universal Shortcut/Mobile | Not applicable | TCP/HTTP | 80/443. Port 80 when TLS/SSL is disabled. Port 443 when TLS/SSL is enabled.
SourceOne Discovery Manager Web Application | Not applicable | TCP/HTTP | 80/443. Port 80 when TLS/SSL is disabled. Port 443 when TLS/SSL is enabled.
SourceOne Email Supervisor Web Application | Not applicable | TCP/HTTP | 80/443. Port 80 when TLS/SSL is disabled. Port 443 when TLS/SSL is enabled.

Network encryption

This section includes instructions about how to use the SourceOne product with SSL to configure an encryption key or a certificate for use in secure communications.

Follow this procedure to ensure that SSL is enabled.

Procedure

1. In the New Archive folder, specify the following:

   - Ensure that the Enable SSL checkbox is selected. If SSL is enabled, HTTPS is used for data transport, otherwise, HTTP is used.
   - In the Port field, specify the port number for the server.
     - The default value for http is 80.
     - The default value for https is 443.

Figure 1 Enabling SSL

2. If the LDAP or ADS server requires a secure sockets layer connection (SSL), select the Server requires a secure connection (SSL)? checkbox. When this checkbox is selected, the LDAP port changes to the default secure LDAP port value of 636 for Active Directory. Note that the value for IBM Domino is different.

3. If the LDAP or ADS server requires a secure sockets layer connection (SSL):

   a. Open the Select Data Sources page of the New Activity wizard.
   b. Select the Server requires a secure connection (SSL)? checkbox. When this checkbox is selected, the LDAP port changes to the default secure LDAP port value of 636 for Active Directory.

   Note that the secure LDAP port value for IBM Domino is different.


Figure 2 LDAP server configuration

Data security settings

This section describes settings available to ensure protection of the data that is handled by the product. Data security settings enable definition of controls to prevent data that is permanently stored by the product from being disclosed in an unauthorized manner.

Encryption of data at rest

This section includes instructions or references to instructions about how to configure encryption for the data that is stored by the Dell EMC SourceOne product. Also this section includes instructions on how to configure or change the encryption key.

Dell EMC SourceOne does not provide the capability to encrypt archived data. Encryption of data must be managed through underlying storage assuming that the storage platform provides that capability.

Data integrity

This section describes how the Dell EMC SourceOne product secures data integrity.

Dell EMC SourceOne archive stores a checksum with the archived object, which is verified when the object is read and retrieved from the archive storage. Also, Dell EMC SourceOne calculates unique object IDs that are based on using the properties on the object through proprietary, patented SHA-1 hash algorithm.

Data erasure

This section includes instructions about how to configure the secure erasure of the data that is stored by the Dell EMC SourceOne product.

Configure data retention and disposal as follows.

Procedure

1. Specify the data retention on the archive folder in the Dell EMC SourceOne Native Archive. You can specify how long data in the archive folder is to be retained by entering a value in the Months to retain field.

2. Determine whether you want to automatically or manually dispose of data that is past the retention period.

   - To manually dispose of the data, perform the following:
     a. Select the archive folder that contains the data that you want to process.
     b. Select Action > Perform Disposition.
   - To automatically dispose of the data, select the Enable automatic disposition field on the archive folder.

The SourceOne Email Management Administration Guide contains more information about configuring data retention and disposal.

Secure serviceability settings

Dell EMC SourceOne does not enable any in-built specific role or accounts for Dell EMC personnel for remote support.

Configuration changes require specific account and authentication setup by the customer for administration or usage of the Dell EMC SourceOne product. There are a number of settings that are not available in the product Administration Console and require Customer Support involvement.

Security alert system settings

Dell EMC SourceOne does not provide built-in notification services.

However, in environments that integrate the Dell EMC SourceOne product with the Microsoft System Center Operations Manager (SCOM), the logging of specific Dell EMC SourceOne product events occurs in the Windows Event Management Console. These events might generate notifications. The SourceOne Management Pack for Microsoft System Center Operations Manager Guide includes more information.

For changes to permissions to data folders, Dell EMC SourceOne provides Mapped Folder permissions. The SourceOne Email Management Administration Guide includes more information.

Dell EMC SourceOne also provides audit reports. The SourceOne Auditing and Reporting Installation and Administration Guide includes more information.

Other security considerations

This section describes security settings that may not fall in one of the previous sections.

Consider the following Dell EMC recommended security measures:

- Place all Dell EMC SourceOne components behind a firewall.
- Use TLS 1.2 for client web applications.
- Use TLS 1.2 for accessing Dell EMC Atmos/ECS devices.
- Disable TLS 1.0, SSL3 and earlier on the SourceOne server.
- Disable software versions of SSL 3 and earlier.
- Install the latest Windows Security Patch on the Dell EMC SourceOne product server.
- Remove unnecessary local Admin rights for Dell EMC SourceOne account.
- Configure security software (anti-virus software) with Dell EMC SourceOne.
- Configure and change the caching period.
- Set up Network Address Translation (NAT).
- Do not host SQL server and IIS on the same server.
- Use SQL server security hardening.
- Use Windows Server security hardening.
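An added PowerShell example (not from the Dell EMC guide) that audits the Windows Schannel protocol keys against the TLS recommendations in the list above. It assumes the server's web components use Schannel, as IIS does; components that carry their own TLS library, such as the OpenSSL build listed for SourceOne Email Management in Table 16, are not governed by these keys.

```powershell
# Added example. The registry layout is the standard Windows Schannel protocol
# configuration; run locally on each SourceOne server with rights to read HKLM.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state taken from the recommendations above: TLS 1.2 on, TLS 1.0 and SSL 3
# and earlier off. TLS 1.1 is reported for visibility only because the list states
# no requirement for it.
$Desired = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $null
    'TLS 1.2' = $true
}

function Get-SchannelProtocolAudit {
    [CmdletBinding()]
    param(
        [string]$Root = $SchannelRoot,
        [System.Collections.IDictionary]$Policy = $Desired
    )

    foreach ($protocol in $Policy.Keys) {
        # Server covers inbound connections (IIS); Client covers outbound ones,
        # such as connections from the SourceOne server to other TLS endpoints.
        foreach ($role in 'Server', 'Client') {
            $key   = "$Root\$protocol\$role"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

            # A missing key or value means the operating system default applies.
            $enabled = $null
            if ($props -and $props.PSObject.Properties['Enabled']) {
                $enabled = ($props.Enabled -ne 0)
            }
            $disabledByDefault = $null
            if ($props -and $props.PSObject.Properties['DisabledByDefault']) {
                $disabledByDefault = ($props.DisabledByDefault -ne 0)
            }

            $want = $Policy[$protocol]
            if ($null -eq $want) {
                $verdict = 'Info'      # no requirement stated on the page
            } elseif ($null -eq $enabled) {
                $verdict = 'Review'    # OS default applies and varies by Windows version
            } elseif ($enabled -ne $want) {
                $verdict = 'Fail'
            } elseif ($want -and $disabledByDefault) {
                $verdict = 'Review'    # enabled, but only for callers that request it explicitly
            } else {
                $verdict = 'OK'
            }

            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                Verdict           = $verdict
            }
        }
    }
}

$audit = @(Get-SchannelProtocolAudit)
$audit | Format-Table -AutoSize

$problems = @($audit | Where-Object { $_.Verdict -in 'Fail', 'Review' })
if ($problems.Count -gt 0) {
    Write-Warning ('{0} protocol setting(s) need attention.' -f $problems.Count)
}
```

Changes to these keys take effect after a restart, so rerun the audit after the reboot that follows any remediation.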

When configuring and administering Dell EMC SourceOne, remove the following from the SQL server:

- Guest rights
- Extended stored procedure rights
- Registry access
- Sample databases
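The recommendation above to remove unnecessary local Admin rights pairs with two statements in Table 9: the installation account can leave the local administrators group once installation completes, and a service account must stay in that group on Master computers. The following added PowerShell example (not from the Dell EMC guide) checks both; it assumes PowerShell remoting and Windows PowerShell 5.1 or later on the targets, and every computer and account name is a placeholder.

```powershell
# Added example. Placeholders (not from the guide): computer names, account names.
$InstallAccount  = 'EXAMPLE\s1install'
$ServiceAccounts = @('EXAMPLE\s1service')   # primary or Master Services service account
$ComputerRoles   = [ordered]@{
    's1master01'  = 'Master'
    's1worker01'  = 'Worker'
    's1archive01' = 'NativeArchive'
    's1console01' = 'Console'
}

function Get-LocalAdminFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$ComputerRoles,
        [Parameter(Mandatory)][string]$InstallAccount,
        [Parameter(Mandatory)][string[]]$ServiceAccounts
    )

    foreach ($computer in $ComputerRoles.Keys) {
        $role = $ComputerRoles[$computer]
        try {
            # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, which
            # avoids depending on the localized group name. Only direct members are
            # returned; membership through nested domain groups is not expanded.
            $members = @(Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
                    ForEach-Object { $_.Name }
            })
        }
        catch {
            [pscustomobject]@{
                Computer = $computer; Role = $role
                Finding  = 'NotChecked'; Detail = $_.Exception.Message
            }
            continue
        }

        $clean = $true

        # Table 9: the installation account can be removed after installation completes.
        if ($members -contains $InstallAccount) {
            $clean = $false
            [pscustomobject]@{
                Computer = $computer; Role = $role
                Finding  = 'InstallAccountPresent'
                Detail   = "$InstallAccount is still a local administrator"
            }
        }

        # Table 9: on Master computers a service account must be a local administrator
        # to run the SourceOne Job Scheduler service.
        if ($role -eq 'Master') {
            $present = @($ServiceAccounts | Where-Object { $members -contains $_ })
            if ($present.Count -eq 0) {
                $clean = $false
                [pscustomobject]@{
                    Computer = $computer; Role = $role
                    Finding  = 'ServiceAccountMissing'
                    Detail   = 'No listed service account is a direct local administrator'
                }
            }
        }

        if ($clean) {
            [pscustomobject]@{ Computer = $computer; Role = $role; Finding = 'OK'; Detail = '' }
        }
    }
}

Get-LocalAdminFinding -ComputerRoles $ComputerRoles -InstallAccount $InstallAccount `
    -ServiceAccounts $ServiceAccounts | Format-Table -AutoSize -Wrap
```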


CHAPTER 3

Secure Deployment and Usage Settings

This section describes instructions on how to deploy and how to use the Dell EMC SourceOne product securely.

- Security controls map
- Secure deployment settings


Security controls map

This section provides a high level application map to explain the components, data flows, and communications the Dell EMC SourceOne application uses. The map labels security controls used to protect data.

Figure 3 Security controls map

Secure deployment settings

This section includes instructions or references on how to securely deploy and use the Dell EMC SourceOne product.

The following table includes information about deploying the Dell EMC SourceOne product securely.


Table 14 Secure Deployment Settings

Default Setting | Secure Deployment Settings | Pros of Secure Deployment Settings | Cons of Secure Deployment Settings | Instructions on how to configure secure deployment settings

Default Setting: In SourceOne Email Management, SSL is disabled by default between the client and server.
Secure Deployment Settings: For the best possible security between the client and server, enable SSL.
Pros of Secure Deployment Settings: Provides a high level of protection for the communication between client and server by avoiding tampering, spoofing, and man in the middle type of attacks.
Cons of Secure Deployment Settings: Impacts performance.
Instructions on how to configure secure deployment settings: The SourceOne Email Management Installation Guide includes SSL configuration instructions.

Default Setting: In SourceOne Discovery Manager, SSL is enabled by default between the client and server.
Secure Deployment Settings: For the best possible security between the client and server, enable SSL.
Pros of Secure Deployment Settings: Provides a high level of protection for the communication between client and server by avoiding tampering, spoofing, and man in the middle type of attacks.
Cons of Secure Deployment Settings: Impacts performance.
Instructions on how to configure secure deployment settings: The SourceOne Discovery Manager Installation and Administration Guide includes SSL configuration instructions.

Default Setting: In SourceOne Email Supervisor, SSL is enabled by default between the client and server.
Secure Deployment Settings: For the best possible security between the client and server, enable SSL.
Pros of Secure Deployment Settings: Provides a high level of protection for the communication between client and server by avoiding tampering, spoofing, and man in the middle type of attacks.
Cons of Secure Deployment Settings: Impacts performance.
Instructions on how to configure secure deployment settings: The SourceOne Email Supervisor Installation Guide includes SSL configuration instructions.

Default Setting: SNMPv1 by default for backward compatibility reasons
Secure Deployment Settings: SNMPv3 by default for best possible security and ability to switch back to SNMPv1 for backward compatibility
Pros of Secure Deployment Settings: Best possible security
Cons of Secure Deployment Settings: By default, backward compatibility is not available.
Instructions on how to configure secure deployment settings: Refer to instructions about how to deploy with SNMPv3 by default and how to switch back to SNMPv1 for backward compatibility.

The following table includes information about recommended default secure protocols and settings.

Table 15 Secure Deployment Settings

Recommended Default Secure Settings | Risks Posed by Turning Off Default Secure Settings

Recommended Default Secure Settings: SSL is turned on by default.
Risks Posed by Turning Off Default Secure Settings: By turning off SSL, Dell EMC SourceOne is exposed to tampering, spoofing, and man in the middle type of attacks.


CHAPTER 4

Secure Maintenance

This section describes how to perform secure maintenance of the product.

- Security patch management


Security patch management

This section includes instructions or references to instructions on Security patch management. This table lists all the third-party components for which a patch is needed.

Table 16 Security patch management

Third-party component for which patch is needed | Frequency of patch | Dell EMC responsibility (Y/N) | Customer responsibility (Y/N) | Reference to instructions for applying patch

Third-party component for which patch is needed: OpenSSL 1.0.2n in SourceOne Email Management
Frequency of patch: Not applicable
Dell EMC responsibility (Y/N): Y
Customer responsibility (Y/N): N
Reference to instructions for applying patch: SourceOne Email Management Installation Guide


CHAPTER 5

Physical security controls

This section includes instructions or references to instructions about how to secure the product physically. For example, if the product incorporates physical components, how to implement strong physical access controls such as, locking cabinets, port locks, physical locks on all external interfaces, employing strong access control and intrusion detection mechanisms where the product cabling switches, servers and storage hardware resides. Physical security controls enable the protection of resources against unauthorized physical access and physical tampering.

Dell EMC SourceOne is a software product and does not bundle any specific physical equipment requiring special handling.

- Physical Security Controls


Physical Security Controls

Physical security controls enable the protection of resources against unauthorized physical access and physical tampering. Dell EMC SourceOne is a software product and does not bundle any specific physical equipment requiring special handling.
