DataMiner hardening guide
In today’s digital landscape, properly securing your data and systems is of the utmost importance. You should therefore go beyond the out-of-the-box DataMiner configuration and take the necessary steps to make sure your DataMiner configuration is as secure as possible.
This guide will give you a comprehensive overview to help you make the necessary changes to secure your DataMiner System as much as possible.
Tip
See also: Kata #29: DataMiner Hardening on DataMiner Dojo 
Keep your system up to date
Your first step should be to make sure your system is always up to date. This includes the operating system and all installed software. This way, you have access to the latest security fixes and features.
To obtain the most recent version of DataMiner and related software, go to the Downloads page on DataMiner Dojo.
Use BPA tests
A good start for hardening your DataMiner System is to make use of the available BPA tests. These scan your DataMiner System for all sorts of issues and will help you resolve any detected issues.
For information on how to run these tests, refer to Running BPA tests.
From DataMiner 10.4.5/10.4.0 [CU3] onwards, you can run the Security Advisory BPA test to run all security-related checks at the same time. In earlier DataMiner versions (starting from DataMiner 10.2.12/10.3.0), the security checks are available in the following dedicated BPA tests:
After you have run a BPA test, it will provide an overview of the detected issues and point you to the right documentation to resolve them.
DataMiner Agent hardening
Note
If you have deployed DataMiner using the pre-installed DataMiner Virtual Hard Disk, your system will be hardened out of the box, so you do not need to do anything to harden DataMiner. For an overview of the implemented measures, refer to DataMiner Dojo. However, note that if you have selected the data storage type Self-hosted - External Storage, you are responsible for the management of the external Cassandra and OpenSearch database clusters. See Secure self-managed DataMiner storage.
Secure Cube-server communication
By default, Cube currently uses .NET Remoting to communicate with DataMiner. From DataMiner 10.1.7 onwards, this communication is encrypted using the Rijndael algorithm using a 256-bit key, which is negotiated over a 1024-bit RSA encrypted communication channel. However, .NET Remoting is a legacy technology and is widely considered insecure. For this reason, DataMiner 10.3.2/10.3.0 introduces the possibility to use gRPC instead as a secure alternative.
Important
The gRPC connection feature is still a beta feature in DataMiner 10.3.2/10.3.0 CU0, which means you may still encounter issues and the connection might still be less stable than with .NET Remoting.
To enable gRPC for the client-server connection, edit the ConnectionSettings.txt file on each DataMiner Agent. For detailed information, refer to ConnectionSettings.txt.
Secure server-server communication
gRPC
For the inter-DMA communication, like for the communication with DataMiner Cube, you can also use gRPC instead of .NET Remoting from DataMiner 10.3.2/10.3.0 onwards.
Important
The gRPC connection feature is still a beta feature in DataMiner 10.3.2/10.3.0 CU0, which means you may still encounter issues and the connection might still be less stable than with .NET Remoting.
To enable gRPC for the communication between DataMiner Agents in a cluster, add redirects in DMS.xml or, from 10.3.6/10.3.0 [CU3] onwards, disable .NET Remoting completely in MaintenanceSettings.xml.
NATS
By default, NATS does not employ TLS encryption, leaving communication susceptible to eavesdropping. Consequently, we strongly recommend enabling TLS encryption for enhanced security within your NATS cluster.
Disable legacy components
DataMiner has some components that are considered legacy. They are still around to support existing setups that depend on them, but if you have a new setup or you want to secure your existing setup, we recommend disabling them. Currently we recommend disabling the Annotations component, the legacy Reports and Dashboards component, and the v0 api.
Annotations and legacy Reports and Dashboards
To disable both the Annotations component and the legacy Reports and Dashboards component:
Add the following code in the
C:\Skyline DataMiner\SoftLaunchOptions.xmlfile:<SLNet> <LegacyAnnotations>false</LegacyAnnotations> <LegacyReportsAndDashboards>false</LegacyReportsAndDashboards> </SLNet>To make the changes take effect, run the ConfigureIIS.bat script, located in the
C:\Skyline DataMiner\Toolsfolder, as Administrator.
Note
The legacy Annotations and Reports and Dashboards modules are disabled by default as from DataMiner versions 10.4.0/10.4.1.
v0 API
To disable the v0 API:
Open the file
C:\Skyline DataMiner\Webpages\API\Web.config.Add the tag
<add key="enableLegacyV0Interface" value="false"/>tag under<appSettings>, and save the file.Restart IIS.
Note
The v0 API is disabled by default as from DataMiner versions 10.2.0/10.1.6. It is not possible to enable the v0 API when your DMS is connected to dataminer.services.
DataMiner Webpages hardening
HTTPS
By default, DataMiner uses HTTP to serve the web applications. HTTP is unencrypted and vulnerable to man-in-the-middle attacks, so we highly recommend setting up HTTPS instead.
HTTP headers
By default, DataMiner does not configure some HTTP headers that improve the security of the webpages. Additionally, depending on the DataMiner version, some HTTP headers may be present by default that leak information about the underlying technologies. For this reason, we recommend having a look at the HTTP header configuration.
Operating system hardening
TLS versions
In addition to enabling HTTPS, we also recommend that you configure your operating system to block deprecated SSL/TLS versions. HTTPS uses SSL/TLS for encrypting communication, but the older versions of this protocol are no longer considered secure. At present, all major browsers support the latest TLS version (TLS 1.3), but TLS 1.2 is also still regarded as secure.
| Protocol | Published | Status |
|---|---|---|
| SSL 1.0 | Unpublished | N/A |
| SSL 2.0 | 1995 | Deprecated since 2011 |
| SSL 3.0 | 1996 | Deprecated since 2015 |
| TLS 1.0 | 1999 | Deprecated since 2020 |
| TLS 1.1 | 2006 | Deprecated since 2020 |
| TLS 1.2 | 2008 | Supported |
| TLS 1.3 | 2018 | Supported (most secure) |
For more information about disabling legacy SSL/TLS versions, refer to TLS, DTLS, and SSL protocol version settings in the Microsoft documentation. We have also made tools and scripts available for this on GitHub, or you can use third-party tools such as IIS Crypto.
Configure the firewall
Depending on which version of the DataMiner Installer is used, different firewall ports are opened by default. You can find more information about this below.
If DataMiner is installed with the DataMiner Installer v10.4, the following (inbound) ports and rules are opened in the Windows firewall:
TCP 80: HTTP
TCP 8004: Remoting (client-server & inter-DMS communication)
TCP 5100: CloudGateway (dataminer.services endpoint)
TCP 4222 and 6222: NATS (inter-process communication)
TCP 9090: NATS Account Server
UDP 162: SNMP
Allow ICMP: Ping
Some of the ports that are opened by default can potentially be closed depending on the configuration of your DataMiner System:
TCP port 80 can be closed if IIS is configured to require HTTPS connections and if IIS is not configured to redirect HTTP to HTTPS. We highly recommended enabling HTTPS on your DataMiner System. Note that TCP port 443 needs to be open for HTTPS connections. For more information, see Setting up https on a DMA.
TCP port 8004 can be closed if the DMA is configured to use gRPC for both Cube-to-DMA and inter-DMA communication.
The ports for NATS communication, i.e. 4222, 6222, and 9090, can be closed when the DMA is not part of a cluster.
TCP port 5100 can be closed when the DMA is not part of a cluster and no DxMs are hosted on external machines.
Tip
See also: Configuring the IP network ports
Disable the local Administrator account
DataMiner has one built-in user, named "Administrator". This user is the local administrator on the Windows server hosting DataMiner and intended for recovery and initial configuration purposes. Once Operator users have been created, we recommend disabling the local Administrator user on the DataMiner server.
Secure self-managed DataMiner storage
If you do not make use of Storage as a Service (STaaS) but manage DataMiner storage yourself, you need to make sure that the databases used for DataMiner storage are fully secure.
If you use on-premises databases, we recommend using a Cassandra cluster and OpenSearch cluster. It is important that you spend some time making sure the configuration of these databases is as secure as possible. For detailed information, refer to Securing Cassandra, Securing OpenSearch, or Securing Elasticsearch.
Note
- If you do use Storage as a Service, Skyline will take care of protecting your data, making use of existing and secure storage solutions provided by Microsoft Azure.
- Previously, Elasticsearch was recommended as the on-premises indexing database instead of OpenSearch. For more information on why OpenSearch is now recommended instead, see From Elasticsearch to OpenSearch to StaaS.