All data and application logs are stored, and all computations are performed, on server(s) provided by the customer.
Backups created with Recovery Manager for Active Directory can be stored in multiple locations. Primary storage of backups allows backup files to be saved on a distributed network or on selected computers with physically restricted access. Recovery Manager considers these locations as primary storage, referred to as Tier 1 storage.
Recovery Manager for Active Directory Disaster Recovery Edition offers secondary storage locations known as Tier 2 storage. Secondary storage options in Recovery Manager include Secure Storage server and Cloud Storage. Tier 2 storage provides secure locations for business-critical backups to ensure you are prepared when disaster strikes.
Recovery Manager for Active Directory provides options for primary storage in both local and remote locations. Local storage refers to storage on the Recovery Manager console computer, while remote storage refers to storage on the backed-up domain controller or other remote servers on network shares. These locations are considered remote because they are not on the Recovery Manager console computer.
For both local and remote storage locations, a primary backup path can be provided, along with an alternate backup path.
Primary storage is used for saving the original backup files to a safe location. For primary storage, the backup agent creates the backup file, compresses the data, and then saves the file to the configured storage locations. In the diagram below, refer to lines numbered 1 to view the process that is followed to save the backup file to primary storage locations. The RPC protocol is used to save backup files to the console computer. For saving to remote storage locations, the SMB protocol is used.
Figure 2: Primary Storage for Backups
The figure above illustrates how Recovery Manager for Active Directory creates and saves backup files to primary storage locations.
NOTE: Some components in the figure may not apply to your edition of Recovery Manager for Active Directory. Refer to the User Guide for your edition.
Recovery Manager for Active Directory Disaster Recovery Edition provides secondary storage for critical backups. For Active Directory® and Windows Server® BMR backups, you can copy the backups to a secondary storage location. There are two options available for secondary storage in Recovery Manager for Active Directory Disaster Recovery Edition: you can set up a dedicated Secure Storage server, use Cloud Storage, or use both options to ensure that your backups are always available, even if disaster strikes and your primary storage backups are lost.
After a backup is created and saved to primary storage locations, the backup will be additionally copied to configured Tier 2 locations.
A Secure Storage server is a dedicated secure backup storage server, hardened by Recovery Manager for Active Directory and isolated according to IPSec rules.
After the backup is placed in primary storage, the console (for backups configured on local storage) or the backup agent (for backups configured on remote storage) starts sending backup data to the secure storage agent, which saves the backup file on one of the allowed volumes according to the volume policy.
After the Secure Storage server (a standalone server) has been added and the Storage Agent has been installed on it, the server is hardened automatically. The following list outlines what happens to a Secure Storage server when it is hardened:
All SMB server roles are disabled (SMBv1 - SMBv3).
All inbound and outbound TCP, ICMP and UDP protocols are blocked by IPSec policies, except for the high-level Secure Storage Agent ports (see below).
ICMP traffic is blocked (i.e. the server cannot be pinged).
Remote desktop (RDP) traffic is blocked.
Only one inbound TCP port is left open on the server for communication with Recovery Manager for Active Directory: the Storage Agent port (48001 by default).
To allow the backups to be uploaded to remote locations (the "Copy to…" menu item in the Backups on the Secure Storage Servers pane), outbound TCP port 445 for SMB, outbound UDP 53 port for DNS, outbound UDP 5355 port for LLMNR, and outbound UDP 137 port for NetBIOS are opened.
Agent traffic is encrypted using a public/private key pair.
Logons to the server are only allowed via console (physical) access.
When a Secure Storage server is hardened, the lock icon next to the name of the Secure Storage server in the Secure Storage Servers window will be closed and it will have a Security Status of Secured.
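As an added example (not Quest's code and not part of this guide), the following PowerShell check, run from the Recovery Manager console computer, verifies that a Secure Storage server exhibits the hardened posture listed above. It assumes the default Storage Agent port 48001 (pass -AgentPort if you changed it) and that the name you pass is the Secure Storage server.

```powershell
# Added example, not part of the Quest documentation: run from the Recovery Manager
# console computer to confirm a Secure Storage server shows the hardened posture the
# guide describes. Assumption: 48001 is the default Storage Agent port; pass -AgentPort
# if you configured another one. $ServerName is the Secure Storage server to check.
param(
    [Parameter(Mandatory = $true)][string]$ServerName,
    [int]$AgentPort = 48001
)

function Test-TcpPort {
    param([string]$Computer, [int]$Port)
    # True only when a TCP handshake completes. A hardened server should answer
    # solely on the Storage Agent port; everything else is dropped by IPsec.
    $result = Test-NetConnection -ComputerName $Computer -Port $Port `
        -WarningAction SilentlyContinue
    return [bool]$result.TcpTestSucceeded
}

# Each check records what a correctly hardened server is expected to return.
$checks = @(
    @{ Name = "Storage Agent TCP $AgentPort reachable"; Expected = $true
       Actual = Test-TcpPort -Computer $ServerName -Port $AgentPort }
    @{ Name = 'SMB TCP 445 reachable (SMB server roles disabled)'; Expected = $false
       Actual = Test-TcpPort -Computer $ServerName -Port 445 }
    @{ Name = 'RDP TCP 3389 reachable (RDP blocked)'; Expected = $false
       Actual = Test-TcpPort -Computer $ServerName -Port 3389 }
    @{ Name = 'ICMP echo answered (ping blocked)'; Expected = $false
       Actual = [bool](Test-Connection -ComputerName $ServerName -Count 1 -Quiet `
                       -ErrorAction SilentlyContinue) }
)

$report = foreach ($c in $checks) {
    [pscustomobject]@{
        Check    = $c.Name
        Expected = $c.Expected
        Actual   = $c.Actual
        Status   = if ($c.Actual -eq $c.Expected) { 'OK' } else { 'MISMATCH' }
    }
}

$report | Format-Table -AutoSize
if ($report.Status -contains 'MISMATCH') {
    Write-Warning "$ServerName does not match the expected Secure Storage hardening; check its Security Status in the Secure Storage Servers window."
    exit 1
}
Write-Output "$ServerName matches the expected hardened posture."
```

Because ICMP is blocked by design, a name that fails to resolve and a correctly hardened server both fail the ping check; confirm name resolution first if the Storage Agent port check also fails.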
IMPORTANT: You cannot install the Secure Storage server agent on a domain-joined server, a domain controller or a member server. A server that is hardened will not be able to perform authentication or allow replication to occur. A Secure Storage server should be a stand-alone server in a workgroup.
Figure 3: Secondary Storage with Secure Storage Server
The figure above illustrates how Recovery Manager for Active Directory copies backup files to secondary storage with a Secure Storage server.
NOTE: Some components in the figure may not apply to your edition of Recovery Manager for Active Directory. Refer to the User Guide for your edition.
Using Cloud Storage, you can configure and use storage for your business-critical backups. Cloud Storage provides multiple options, including immutability, to protect your backups from being overwritten or deleted. After primary storage is complete, the backup files are copied to Cloud Storage locations. For Cloud Storage, the backup file is copied to the Recovery Manager console using the SMB protocol (line number 2), and then the Recovery Manager Cloud Upload service uploads a copy of the backup to the cloud storage location using a secure HTTPS connection, as indicated by line number 3.
For further information on cloud storage requirements and the use of connection strings or Shared Access Signatures, see Cloud Storage in the User Guide.
Figure 4: Secondary Storage with Cloud Storage
The figure above illustrates how Recovery Manager for Active Directory copies backup files to secondary storage with Cloud Storage.
NOTE: Some components in the figure may not apply to your edition of Recovery Manager for Active Directory. Refer to the User Guide for your edition.
Recovery Manager for Active Directory protects sensitive customer data both in transit and at rest.
Recovery Manager for Active Directory uses encryption algorithms to do the following:
Also, Recovery Manager uses signing algorithms for communication with the following components:
The architectural diagram of the product with all the components is shown in Figure 1. Figures 5, 6 and 7 provide information about the communication ports required to work with Recovery Manager for Active Directory.
This section provides information about the communication ports required to work with Recovery Manager for Active Directory.
Figure 5: Ports used by Recovery Manager for Active Directory Console to work with Active Directory
Figure 6: Ports used by Recovery Manager for Active Directory Console to work with AD LDS (ADAM)
Figure 7: Ports used by Forest Recovery Console
Recovery Manager for Active Directory relies upon Windows Authentication and Active Directory group membership to authenticate users.
In scenarios where Windows Authentication may be unavailable due to Active Directory failures, Recovery Manager uses certificate-based SCHANNEL authentication to establish a secure connection between the Forest Recovery Console and the Forest Recovery Agent.
© 2025 Quest Software Inc. ALL RIGHTS RESERVED.