DataMiner hardening guide

In today’s digital landscape, properly securing your data and systems is of the utmost importance. You should therefore go beyond the out-of-the-box DataMiner configuration and take the necessary steps to make sure your DataMiner configuration is as secure as possible.

This guide will give you a comprehensive overview to help you make the necessary changes to secure your DataMiner System as much as possible.

Tip

See also: Kata #29: DataMiner Hardening on DataMiner Dojo

Keep your system up to date

Your first step should be to make sure your system is always up to date. This includes the operating system and all installed software. This way, you have access to the latest security fixes and features.

To obtain the most recent version of DataMiner and related software, go to the Downloads page on DataMiner Dojo.

Use BPA tests

A good start for hardening your DataMiner System is to make use of the available BPA tests. These scan your DataMiner System for all sorts of issues and will help you resolve any detected issues.

For information on how to run these tests, refer to Running BPA tests.

From DataMiner 10.4.5/10.4.0 [CU3] onwards, you can run the Security Advisory BPA test to run all security-related checks at the same time. In earlier DataMiner versions (starting from DataMiner 10.2.12/10.3.0), the security checks are available in the following dedicated BPA tests:

• Database Security
• Firewall Configuration
• HTTPS Configuration

After you have run a BPA test, it will provide an overview of the detected issues and point you to the right documentation to resolve them.

DataMiner Agent hardening

Note

If you have deployed DataMiner using the pre-installed DataMiner Virtual Hard Disk, your system will be hardened out of the box, so you do not need to do anything to harden DataMiner. For an overview of the implemented measures, refer to DataMiner Dojo. However, note that if you have selected the data storage type Self-hosted - External Storage, you are responsible for the management of the external Cassandra and OpenSearch database clusters. See Secure self-managed DataMiner storage.

Secure Cube-server communication

By default, Cube currently uses .NET Remoting to communicate with DataMiner. From DataMiner 10.1.7 onwards, this communication is encrypted using the Rijndael algorithm using a 256-bit key, which is negotiated over a 1024-bit RSA encrypted communication channel. However, .NET Remoting is a legacy technology and is widely considered insecure. For this reason, DataMiner 10.3.2/10.3.0 introduces the possibility to use gRPC instead as a secure alternative.

Important

The gRPC connection feature is still a beta feature in DataMiner 10.3.2/10.3.0 CU0, which means you may still encounter issues and the connection might still be less stable than with .NET Remoting.

To enable gRPC for the client-server connection, edit the ConnectionSettings.txt file on each DataMiner Agent. For detailed information, refer to ConnectionSettings.txt.

Secure server-server communication

gRPC

For the inter-DMA communication, like for the communication with DataMiner Cube, you can also use gRPC instead of .NET Remoting from DataMiner 10.3.2/10.3.0 onwards.

Important

The gRPC connection feature is still a beta feature in DataMiner 10.3.2/10.3.0 CU0, which means you may still encounter issues and the connection might still be less stable than with .NET Remoting.

To enable gRPC for the communication between DataMiner Agents in a cluster, add redirects in DMS.xml or, from 10.3.6/10.3.0 [CU3] onwards, disable .NET Remoting completely in MaintenanceSettings.xml.

NATS

By default, NATS does not employ TLS encryption, leaving communication susceptible to eavesdropping. Consequently, we strongly recommend enabling TLS encryption for enhanced security within your NATS cluster.

Disable legacy components

DataMiner has some components that are considered legacy. They are still around to support existing setups that depend on them, but if you have a new setup or you want to secure your existing setup, we recommend disabling them. Currently we recommend disabling the Annotations component, the legacy Reports and Dashboards component, and the v0 api.

Annotations and legacy Reports and Dashboards

To disable both the Annotations component and the legacy Reports and Dashboards component:

1. Add the following code in the C:\Skyline DataMiner\SoftLaunchOptions.xml file:

   <SLNet>
      <LegacyAnnotations>false</LegacyAnnotations>
      <LegacyReportsAndDashboards>false</LegacyReportsAndDashboards>
   </SLNet>
   

2. To make the changes take effect, run the ConfigureIIS.bat script, located in the C:\Skyline DataMiner\Tools folder, as Administrator.

Note

The legacy Annotations and Reports and Dashboards modules are disabled by default as from DataMiner versions 10.4.0/10.4.1.

v0 API

To disable the v0 API:

1. Open the file C:\Skyline DataMiner\Webpages\API\Web.config.

2. Add the tag <add key="enableLegacyV0Interface" value="false"/> tag under <appSettings>, and save the file.

3. Restart IIS.

Note

The v0 API is disabled by default as from DataMiner versions 10.2.0/10.1.6. It is not possible to enable the v0 API when your DMS is connected to dataminer.services.

DataMiner Webpages hardening

HTTPS

By default, DataMiner uses HTTP to serve the web applications. HTTP is unencrypted and vulnerable to man-in-the-middle attacks, so we highly recommend setting up HTTPS instead.

HTTP headers

When configuring HTTPS in IIS on your DataMiner Agent, we also recommend setting the following HTTP headers:

• HTTP Strict Transport Security

• X-Frame-Options: We recommend setting this to DENY or SAMEORIGIN.

• X-Content-Type-Options: We recommend setting this to NOSNIFF.

There are some other HTTP headers that can improve security. However, their value depends on your specific DataMiner setup (e.g. resources used in Dashboards/Low-Code Apps):

• Content Security Policy

• Referrer Policy

• Permissions-Policy

Operating system hardening

TLS versions

In addition to enabling HTTPS, we also recommend that you configure your operating system to block deprecated SSL/TLS versions. HTTPS uses SSL/TLS for encrypting communication, but the older versions of this protocol are no longer considered secure. At present, all major browsers support the latest TLS version (TLS 1.3), but TLS 1.2 is also still regarded as secure.

Protocol	Published	Status
SSL 1.0	Unpublished	N/A
SSL 2.0	1995	Deprecated since 2011
SSL 3.0	1996	Deprecated since 2015
TLS 1.0	1999	Deprecated since 2020
TLS 1.1	2006	Deprecated since 2020
TLS 1.2	2008	Supported
TLS 1.3	2018	Supported (most secure)

For more information about disabling legacy SSL/TLS versions, refer to TLS, DTLS, and SSL protocol version settings in the Microsoft documentation. We have also made tools and scripts available for this on GitHub, or you can use third-party tools such as IIS Crypto.

Configure the firewall

Depending on which version of the DataMiner Installer is used, different firewall ports are opened by default. You can find more information about this below.

• Installer v10.4
• Installer v10.2
• Installer v10.0 (or older)

If DataMiner is installed with the DataMiner Installer v10.4, the following (inbound) ports and rules are opened in the Windows firewall:

• TCP 80: HTTP

• TCP 8004: Remoting (client-server & inter-DMS communication)

• TCP 5100: CloudGateway (dataminer.services endpoint)

• TCP 4222 and 6222: NATS (inter-process communication)

• TCP 9090: NATS Account Server

• UDP 162: SNMP

• Allow ICMP: Ping

Some of the ports that are opened by default can potentially be closed depending on the configuration of your DataMiner System:

• TCP port 80 can be closed if IIS is configured to require HTTPS connections and if IIS is not configured to redirect HTTP to HTTPS. We highly recommended enabling HTTPS on your DataMiner System. Note that TCP port 443 needs to be open for HTTPS connections. For more information, see Setting up https on a DMA.

• TCP port 8004 can be closed if the DMA is configured to use gRPC for both Cube-to-DMA and inter-DMA communication.

• The ports for NATS communication, i.e. 4222, 6222, and 9090, can be closed when the DMA is not part of a cluster.

• TCP port 5100 can be closed when the DMA is not part of a cluster and no DxMs are hosted on external machines.

Tip

See also: Configuring the IP network ports

Disable the local Administrator account

DataMiner has one built-in user, named "Administrator". This user is the local administrator on the Windows server hosting DataMiner and intended for recovery and initial configuration purposes. Once Operator users have been created, we recommend disabling the local Administrator user on the DataMiner server.

Secure self-managed DataMiner storage

If you do not make use of Storage as a Service (STaaS) but manage DataMiner storage yourself, you need to make sure that the databases used for DataMiner storage are fully secure.

If you use on-premises databases, we recommend using a Cassandra cluster and OpenSearch cluster. It is important that you spend some time making sure the configuration of these databases is as secure as possible. For detailed information, refer to Securing Cassandra, Securing OpenSearch, or Securing Elasticsearch.

Note

• If you do use Storage as a Service, Skyline will take care of protecting your data, making use of existing and secure storage solutions provided by Microsoft Azure.
• Previously, Elasticsearch was recommended as the on-premises indexing database instead of OpenSearch. For more information on why OpenSearch is now recommended instead, see From Elasticsearch to OpenSearch to StaaS.