Skip to main content

 

Druva Documentation

Hardening steps for inSync server storage node running on Windows 2008 R2

 

This article applies to:

  • OS: Windows 2008 R2
  • Product edition: inSync On-Premises

This procedure provides the hardening steps for inSync server storage node running on Windows 2008 R2.

Procedure

Druva inSync Server Hardening steps for inSync Master/storage Node running on 2008 R2:

  1. Log on to the server as an Administrator and launch the Server Manager console.
  2. Click Run Security Configuration Wizard link present under Security Information.

    ServerMgrConsole.png
  3. Click Next on the welcome page of the Security Configuration Wizard. 


    SecurityConfigWizard2.png
  4. Select Create a new security policy on the Configuration Action page.


    ConfigAction.png
  5. Retain the existing server and click Next.


    SelectServer.png
  6. Click Next when the Processing Security Configuration Database page displays Processing complete.
  7. On Role-Based Service Configuration page, click Next.


    RoleBasedServiceConfigPg2.png
  8. Ensure Remote SCW configuration and Analysis role are selected and clear the rest, then click Next.
    Remote SCW Configuration and analysis role is required only when you want to manage the Security configuration centrally/remotely.


    SelectserverRolePg2.png
  9.  On the Select Client Features page, select the following and click Next.
    • Background Intelligent Transfer Service
    • DNS Client
    • Microsoft Networking Client
    • Time Synchronisation
    • Windows Update

      SelectClientFeaturesPg2.png
  10. On the Select Administration and Other Options page, select the following and clear the remaining options.
    • Local Application Installation
    • Microsoft Fibre Channel Platform Registration Service (Required only if any system disk/volumes are FC based)
    • Microsoft iSCSI Initiator Service (Required only if any system disk/volumes are iSCSI based)


      SelectAdminandOtherOptionPg2.png
  11. On the Select Additional Services page, select the following checked and clear the remaining.
    • On inSync Master
      • Druva inSync Master Config Server
      • Druva inSync Master Control Panel
      • Druva inSync Master Sync Server
      • Performance Counter DLL Host
      • Power


        SelectAdditionalServicesPg2.png
    • On Storage Node:
      • Druva inSync Storage Node
      • Performance Counter DLL Host
      • Power
         
  12. On the Handling Unspecified Services page, select Disable the service and click Next.


    HandlingUnspecifidServicesPg2.png
  13. Click Next on the Confirm Service Changes page.


    ConfServiceChangesPg2.png
  14. Click Next on the Network Security page.
  15. Select the following rules and clear the rest on the Network Security Rules page.
    • Core Networking – DNS (UDP-Out)
    • Core Networking – IPHTTPS (TCP-In)
    • Core Networking – IPHTTPS (TCP-Out)
    • File and Printer Sharing (SMB-Out)
       
  16. Click Add and add the rules to allow incoming TCP for Backup/Sync port (e.g.2081) and Admin UI port (e.g. 2088) on all connections.
  17. Click Add again and add the rule allow ICMP (ping) only from inSync Master and click Next.
  18. Select the Skip this section on the Registry Settings page and click Next.


    RegistrySettings.png
  19. Select Skip this section on the Audit Policy page and click Next.

    AuditPolicyPg2.png
  20. Click Next on the Save Security Policy page.
  21. On Security Policy File Name page:
    1. Click Browse.
    2. Enter the policy name as DruvaHardening and click Save.
    3. Click Next.

      SecurityPolicyFileNamePg2.png
  22. Select Apply Now and click Next.


    ApplySecurityPolicyPg2.png
  23. After the application is complete, click Next on the Applying Security Policy page. 


    ApplyingSecurityPolicyPg2.png
  24. Click Finish and restart the server.