Druva Documentation

Hardening steps for inSync server storage node running on Windows 2012 R2

This article applies to:

  • OS: Windows 2012 R2
  • Product edition: inSync On-Premises

This procedure provides the hardening steps for an inSync server storage node running on Windows 2012 R2. It uses the Security Configuration Wizard (SCW) to disable the services and firewall rules the node does not need and saves the result as a reusable security policy.

Procedure

  1. Log on to the inSync server as an Administrator and launch the Server Manager console.
  2. Click Tools > Security Configuration Wizard under Security Information. The Security Configuration Wizard is displayed.

    SecurityConfigWizard.png
  3. Click Next on the Welcome Page.

    WizardWelcomPg.png
  4. Select Create a new security policy and click Next.
  5. Keep the existing server as selected and click Next.

    SelectServerPg.png
  6. Click Next when the processing is complete on the Processing Security Configuration Database page.

    ProcessSecurityConfigDbPg.png
  7. Click Next on the Role-Based Service Configuration page.

    RoleBasedServiceConfigPg.png
  8. Select Remote SCW Configuration and Analysis, clear all the other server roles, and click Next.
    The Remote SCW Configuration and Analysis role is required only when you want to manage the security configuration centrally or remotely.

    SelectserverRolePg.png
  9. On the Select Client Features page, select the following features and click Next.
    • Background Intelligent Transfer Service
    • DNS Client
    • Microsoft Networking Client
    • Time Synchronization
    • Windows Update

      SelectClientFeaturesPg.png
  10. On the Select Administration and Other Options page, select the following options, clear the other options, and click Next.
    • Local Application Installation
    • Microsoft Fibre Channel Platform Registration Service (Required only if any system disk/volumes are FC based.)
    • Microsoft iSCSI Initiator Service (Required only if any system disk/volumes are iSCSI based.)

      SelectAdminandOther OptionPg.png
  11. On the Select Additional Services page, select the following services and clear the rest.

On inSync Master:

  • Background Tasks Infrastructure Service
  • Druva inSync Master Config Server
  • Druva inSync Master Control Panel
  • Druva inSync Master Sync Server
  • Local Session Manager
  • Performance Counter DLL Host
  • Power
  • Windows Font Cache Service

On Storage Node:

  • Background Tasks Infrastructure Service
  • Druva inSync Storage Node
  • Local Session Manager
  • Optimize Drives
  • Performance Counter DLL Host
  • Power
  • Windows Font Cache Service
  • User Access Logging Service

    SelectAdditionalServicesPg.png
  12. On the Handling Unspecified Services page, select the Disable the service option and click Next.

    HandlingUnspecifidServicesPg.png
  13. Click Next on the Confirm Service Changes page.

    ConfServiceChangesPg.png
  14. Click Next on the Network Security page.

    NetworkSecurityPg.png
  15. On the Network Security Rules page, select the following rules and clear the rest.
    • Core Networking – DNS (UDP-Out)
    • Core Networking – IPHTTPS (TCP-In)
    • Core Networking – IPHTTPS (TCP-Out)
    • File and Printer Sharing (SMB-Out)

      NetworkSecurityRulesPg.png
  16. Click Add to add rules that allow incoming TCP on the Backup/Sync port (for example, 2081) and the Admin UI port (for example, 2088) on all connections.
  17. Click Add again, add a rule that allows ICMP (ping) only from the inSync Master, and click Next.
  18. Select Skip this section on the Registry Settings page and click Next.

    RegSettingsPg.png
  19. Select Skip this section on the Audit Policy page and click Next.

    AuditPolicyPg.png
  20. Click Next on the Save Security Policy page.
  21. Name the policy: click Browse, enter the name "DruvaHardening", click Save, and then click Next.
  22. On the Security Policy File Name page, click Browse, add the path to DruvaHardening, click Save, and then click Next.

    SecurityPolicyFileNamePg.png
  23. Select Apply Now on the Apply Security Policy page and click Next.

    ApplySecurityPolicyPg.png
  24. Click Finish.

    ApplyingSecurityPolicyPg.png
  25. Reboot the server.
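After the reboot, the applied policy can be checked from an elevated PowerShell session. The script below is an added example, not a script from the Druva article: it verifies that the services the storage-node list keeps are not disabled and that the Druva service is running, lists every other enabled service for review against the client features and administration options selected earlier, confirms that enabled inbound firewall rules cover the Backup/Sync and Admin UI ports, and flags any inbound ICMPv4 allow rule that is not scoped to the inSync Master. Assumptions: the master address is a placeholder to replace, the policy path is an assumed location, the ports are the example values the article uses, and the service names are taken as the display names shown in SCW.

```powershell
# Post-hardening verification for an inSync storage node on Windows Server 2012 R2.
# Added example (not from the Druva article). Run in an elevated PowerShell 4.0 session
# after the final reboot. Assumptions are marked inline.

$MasterIP      = '192.0.2.10'                        # placeholder (RFC 5737 range): set to your inSync Master
$RequiredPorts = @(2081, 2088)                       # Backup/Sync and Admin UI example ports from the article
$PolicyPath    = 'C:\Policies\DruvaHardening.xml'    # assumed location of the saved SCW policy

# Services the article keeps enabled on a storage node (SCW display names, assumed to match Win32_Service).
$StorageNodeServices = @(
    'Background Tasks Infrastructure Service',
    'Druva inSync Storage Node',
    'Local Session Manager',
    'Optimize Drives',
    'Performance Counter DLL Host',
    'Power',
    'Windows Font Cache Service',
    'User Access Logging Service'
)

# 1. Services: the kept services must not be Disabled, and the Druva service must be running.
#    Win32_Service is queried because Get-Service in PowerShell 4.0 does not expose the start mode.
$allServices = Get-CimInstance -ClassName Win32_Service
foreach ($name in $StorageNodeServices) {
    $svc = $allServices | Where-Object { $_.DisplayName -eq $name }
    if (-not $svc) { Write-Warning "Service not installed: $name"; continue }
    if ($svc.StartMode -eq 'Disabled') { Write-Warning "Policy should not have disabled: $name" }
}
$druva = $allServices | Where-Object { $_.DisplayName -eq 'Druva inSync Storage Node' }
if ($druva.State -ne 'Running') { Write-Warning 'Druva inSync Storage Node is not running' }

# Everything else still enabled is listed for review. Services behind the selected client features
# and administration options (BITS, DNS Client, Workstation, Windows Time, Windows Update, Windows
# Installer, ...) and core OS services that SCW never offers for disabling will legitimately appear.
Write-Output '--- Enabled services outside the storage-node list (review against the selected features) ---'
$allServices |
    Where-Object { $_.StartMode -ne 'Disabled' -and $StorageNodeServices -notcontains $_.DisplayName } |
    Sort-Object DisplayName |
    Format-Table DisplayName, StartMode, State -AutoSize

# 2. Firewall: an enabled inbound Allow rule must cover each inSync TCP port.
#    LocalPort is 'Any', a single port, or an array of ports; port ranges are not expanded here.
$inbound = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
foreach ($port in $RequiredPorts) {
    $covered = $inbound | Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ((@($pf.LocalPort) -contains "$port") -or (@($pf.LocalPort) -contains 'Any'))
    }
    if ($covered) { Write-Output "TCP $port allowed by: $($covered.DisplayName -join ', ')" }
    else          { Write-Warning "No enabled inbound rule allows TCP $port" }
}

# 3. ICMP: ping should be allowed only from the inSync Master, so an inbound ICMPv4 allow rule
#    whose remote address is 'Any' (or some other host) is wider than the policy intends.
$icmpRules = $inbound | Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv4' }
foreach ($rule in $icmpRules) {
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($remote -contains 'Any') {
        Write-Warning "ICMPv4 rule '$($rule.DisplayName)' accepts ping from any host"
    } elseif ($remote -notcontains $MasterIP) {
        Write-Warning "ICMPv4 rule '$($rule.DisplayName)' is scoped to $($remote -join ', '), not the master ($MasterIP)"
    } else {
        Write-Output "ICMPv4 rule '$($rule.DisplayName)' is scoped to the inSync Master"
    }
}

# 4. The saved policy can be compared against the server or re-applied with scwcmd, the SCW
#    command-line tool shipped with Windows Server 2012 R2; 'scwcmd rollback' reverts the last
#    applied policy if the node stops behaving as expected. Uncomment to use:
# scwcmd analyze /p:$PolicyPath
# scwcmd configure /p:$PolicyPath
```

The enabled-services table is deliberately a review list rather than a hard failure: SCW's "disable unspecified services" handling only touches services the policy does not describe, so the features and options kept in the wizard leave a known set of Windows services enabled, and the table is meant to be read against those selections. Warnings, by contrast, mark conditions that contradict the policy directly (a kept service disabled, the Druva service stopped, a required port not reachable, or a ping rule open to every host).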