Secure deployment best practices for Datto appliances

Topic

This article discusses best practices for secure configuration and deployment of Datto SIRIS, ALTO, and Datto NAS devices.

Environment

Datto SIRIS
Datto ALTO
Datto NAS

Description

Datto BDR appliances ship with inherent and configurable security features and functionality to support a secure deployment. You are responsible for the configuration of those features and for deploying the Datto appliance in a way that meets your network and security architecture requirements. Datto expects that you will deploy your BDR appliances in a secure LAN environment with no inbound internet access, and that appropriate network access control exists on your LAN to limit the accessibility to your appliance network daemons and services.

Attacking backups to make them unavailable is a known part of the ransomware playbook. It is critically important to deploy backup appliances securely within their native environment to be relied upon when needed most. As a partner in protecting your critical business data, Datto has processes in place to ensure we maintain a cloud copy of backups for appliances with secondary replication enabled. This ensures backed-up data is available even if local agent backup data has been maliciously or accidentally removed.

Though this process has been effective in ensuring recovery from accidental and malicious deletions to date, restoring from a secondary offsite backup should be considered the last line of defense in protecting your critical business data and ensuring recovery from accidental and malicious deletions. The first line of defense is taking the proper steps to secure your BCDR appliance locally.

Access control objectives

Datto strongly recommends implementing least privilege (external link) access controls, such as the following:

Never allow inbound access from the internet to the appliance.
Deploy the appliance in line with the BCDR networking and bandwidth requirements article.
Only permit access OUTBOUND, as you don't need inbound access for the appliance to function.
Restrict outbound communications from the Datto appliance to only the networks in the Knowledge Base, and deny all other communications.
Limit access to the appliance's management end-user network GUI to only trusted network
Management workstations that need access for BDR workflow purposes.
Only allow protected systems to communicate with the appliance.
Implement strong identity and access management practices for device GUI and IPMI login.
Ensure all employees have MFA access configured.

Limiting accessibility

You can deploy your Datto devices in line with the above best practices in several ways, including, but not limited to:

Placing the appliance in a protected backup network requiring L2 adjacency.
Limiting the backup network's reachability through network routing restrictions.
Employing a network firewall to implement network access control lists.
Deploying port-based access control lists (ACLs) on network switch ports.

Secure configuration best practices

The Datto BDR appliance offers a range of configuration options to help MSPs and end-users manage BDR workflows in a manner that best suits their environment. MSPs should always deploy the Datto device in a secure LAN environment, and enable more secure configuration options when available and appropriate for the end-user.

Credential management

Disable local access

This forces users to login through the Partner Portal which is a secure connection over HTTPS.
Local access to the Datto device GUI is disabled by default.
Disabling local access means all device gui access must originate from the Partner Portal, and leverages the security of Partner Portal multifactor authentication (MFA).

NOTE If you have enabled Forced Login, you still need to manage local user credentials.

You can enable or disable local access to the Datto device GUI by navigating to Configure > Device Settings > Local Access Control. Local Users for further information.

Account management

Portal and Local User access credentials for MSP technicians and end-user employees should be updated when those employees leave their respective organizations.
Update Portal and Local User passwords when required in the device.
- For Local users, see Local Users
- For Portal employees, see Partner Portal: Managing employee accounts and roles
- For Portal organizations, see Partner Portal: Managing company and organization users & roles
Assign a Security Administrator.
Know the differences between an employee and an organization using Partner Portal: Managing company and organization users & roles.
Use the User Activity Log via the Partner Portal, to audit user activity on a BCDR device.

Enable Relay forced login

Relay forced login requires all users to enter their login credentials when navigating from the Partner Portal to the device GUI.
Enable Relay forced login in the device GUI by navigating to Configure > Device Settings > Datto Relay Forced Login and clicking Enable Forced Login.

See the GUI: Device Settings article for more information.

Ensure your device is running the latest software version

Updates ensure that your device has the latest software and operating system packages. They also patch and harden the appliance to Datto's most recent standards.
You can find the software version your Datto device is running listed at the top of the home page of your device GUI.

See the GUI: Device Settings article for more information.

Deploy encrypted agents

Agent level encryption assures backup data written to the appliance's ZFS filesystem and replicated to the Datto Cloud is encrypted at rest, using a unique key that you can only generate with the passphrase held by the MSP or end-user.

Agent encryption is available on specific appliance platforms, such as the SIRIS family of appliances and ALTO XL appliances.
See the How to Encrypt Backups on a Datto Appliance and Properly Sizing a Datto Appliance Knowledge Base articles for more information.

Configure file shares with secure protocols and settings

Understand the policy and compliance requirements of the environment in which you have deployed the Datto device, as you can jeopardize compliance by selecting unsecure file share options.
Whenever end-user business requirements allow, do not permit anonymous or public access to any file share.
Leverage CHAP authentication with iSCSI file shares, as CHAP requires authentication to access the file share.
Enable SFTP instead of FTP, as SFTP requires authentication AND encrypts data in transit across your network.

See the Share Settings article for details on CHAP authentication settings.

Unmount file recoveries and local virtualizations when no longer required

Do not make file restore data or local virtualizations on supported platforms available for longer than is necessary to complete the required BDR workflow.
After you have confirmed mounted file restores and local virtualizations are no longer needed, you should unmount them.
Remove a file restore by navigating to Restore>Active Recoveries, selecting the file restore or local virtualization, and clicking Remove Restore.

Enable mounted restore alerts

This option displays an alert in the device GUI when you have a file restore, or virtualization mounted for longer than the admin-specified period. These alerts warn you of latent restores that may need removal.

Enable Mounted Restore Alerts in the device GUI by navigating to Configure >Device Settings >Mounted Restore Alert, selecting the number of days after which to alert from the drop-down menu, then clicking Apply.
Configure local users with strong access credentials
Configure local user account usernames and passwords following the MSP or end-users identity and password management policies.
Where MSPs and end-users lack identity and password policies, Datto strongly recommends following password guidance in NIST SP 800-63: Digital Identity Guidelines.
Avoid using known weak or compromised passwords (i.e., 123456, password, admin, etc.). A secure password has a combination of uppercase and lowercase letters, as well as numbers and special characters.

You can create local users in the Datto appliance GUI from the Local Users page. See the Local Users article to learn more.

Update local user credentials as required

Enable remote logging

For end-users with logging and auditing requirements, you can configure the ability to send device logs to an off-box syslog server for later analysis.

Enable Remote Logging in the device GUI by navigating to Configure >Device Settings >Remote Logging, clicking Enable Remote Logging, then entering the IP address and port of the syslog server and clicking Add Remote Server.

See the GUI: Device Settings article for additional information.

Enable secondary replication

Secondary Replication ensures that your data is available in the event of unintended deletion of backup data.

Data remains available in the secondary site for 90 days after deletion from the primary.

Enable secondary replication in the device GUI by navigating to Configure > Device Settings > Secondary Replication.
See Secondary replication for further information

Secondary replication is not currently available in the ANZ region

Datto is committed to providing a backup and disaster recovery solution with security features that aid customers in meeting their security policy and compliance requirements. Should you have any questions or concerns relating to topics covered in this article, please reach out to Datto Technical Support.

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the ideas forum!
	Provide feedback for the Documentation team.