How to configure the environment for security

Dynatrace NAM (NAM) is a monitoring system composed of several components communicating with each other. These components have default security settings for communicating with each other and for monitoring. You can apply your own security policy for a single operating system that hosts several components. Some security actions, however, specifically apply to the report server or database server.
Firewalls and antivirus software can be installed on NAM component machines, because these machines run the OS versions and builds that you provide.

Hardening NAM component systems

You should apply general operating system guidelines for securing the report server. Depending on your deployment scenario, securing the operating system could also secure other NAM components (NAM Server, ADS, NAM Console, and MS SQL).

TLS 1.2 support

By default, every component of the NAM May 2017 release uses TLS 1.2. If you are using a legacy NAM Probe installation, you will have to upgrade to the newest NAM Probe release. For more information, see Upgrading Classic AMD.

Firewalls

  • Locate the server behind a firewall and use its rules to set up a whitelist or blacklist for server URLs.
  • Open the server only to specific applications or web servers.

Software

  • Maintain the latest operating system version.
  • Apply all current software security patches.
  • Disable any unnecessary file and printer sharing services.
  • Remove unnecessary services, applications, and network protocols.
  • Remove or disable any development tools.
  • Configure a custom LDAP SSL certificate.

Accounts

  • Change the default password policy.
  • Provide accounts with system administration capabilities to as few individuals as is practical.
  • Remove unnecessary default accounts and non-interactive accounts.

Hardening report server (NAM Server & ADS)

Perform the following security actions specifically on NAM report servers:

Firewall

  • The NAM Server can only be accessed on port 80 by the reverse proxy server.

Reverse proxy

Set up a reverse proxy for NAM Server using the configuration that best reflects your access policy.
The following example illustrates a setup with access from the external network only for mobile and desktop report users.

Create a whitelist and blacklist of URLs:

  • Pass only those URLs that are required to serve the DMI reports to non-admin users (whitelist).
    For example, direct all report users through this proxy (including the mobile app users). This way, admin users' access to NAM is restricted to stations that can reach the NAM servers directly from the network segments behind the reverse proxy.
  • Block the specific URLs that are used for report server administration and configuration (blacklist).
    For example, the report server contains a set of web-enabled diagnostic tools that can be accessed via the client's browser:
      • the tool to execute diagnostic and database maintenance queries on the report server database;
      • the location of the administration console, which enables configuration management, system management, and diagnostics.

In deployments requiring high security, you can disable or block access to these tools.

As an additional, optional safety measure, the NAM Console server service can be disabled on the NAM servers (in the Windows Control Panel) and enabled only when configuration tasks have to be performed.

Hardening Database Server (MS SQL)

While this checklist can be applied to all databases, some points are specifically recommended for NAM deployments.

Database user roles and permissions

  • Limit access to the database to only authorized users.
  • Use individual operating system accounts to log in to database server machines: administrative duties should be performed using individual accounts, not a shared group account. A group account may be permitted to run automated monitoring jobs such as backups. For more information, see Setting database user rights.
  • Enforce strong database passwords when technically possible.
  • Remove unneeded default accounts or change their default passwords. For NAM, make sure that the default database sa account is not used in any of the NAM products. For more information, see Updating database owner password.

Database auditing

  • Monitor all logins to operating system and database servers, successful or unsuccessful.
  • Review audit logs regularly.

Database backup & recovery

Database connection encryption

TLS 1.2 support

TLS 1.2 support for MS SQL Server (2008, 2012, and 2014) requires a specific Service Pack version and/or cumulative update patch.
For more information, see the SQL Server support for TLS 1.2 article.

  • Enable specific protocols, ciphers, hashes, and key exchange algorithms:

Download and install the IIS Crypto tool (this tool requires .NET Framework 4.x or 2.x):
https://www.nartac.com/Products/IISCrypto/Download

Set the following options:

  • Protocols - TLS 1.2
  • Ciphers - AES 256/256
  • Hashes - SHA 256, SHA 384, SHA 512
  • Key Exchanges - Diffie-Hellman, ECDH
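The option list above applied without the GUI, as an added example that is not Dynatrace's or IIS Crypto's code: it writes the same Schannel registry keys that IIS Crypto edits and then reports any key whose current value still differs from the list, which makes it reusable as an audit after the change. It assumes a 64-bit Windows Server and that the SQL Server Service Pack or cumulative update mentioned above is already installed, since without it SQL Server will not negotiate TLS 1.2 regardless of these keys.

```powershell
# Added example, not Dynatrace's or IIS Crypto's code. Run elevated on the SQL Server host;
# Schannel reads these keys at startup, so reboot afterwards. Assumes 64-bit Windows Server.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$On   = -1   # DWORD 0xffffffff (the value IIS Crypto writes), as a signed Int32
$Off  = 0

# Desired state from the option list above: only TLS 1.2, AES 256/256, SHA-256/384/512,
# Diffie-Hellman and ECDH stay on; the other Schannel entries are switched off.
$desired = @{
    'Protocols\TLS 1.2\Server' = $On;  'Protocols\TLS 1.2\Client' = $On
    'Protocols\TLS 1.1\Server' = $Off; 'Protocols\TLS 1.1\Client' = $Off
    'Protocols\TLS 1.0\Server' = $Off; 'Protocols\TLS 1.0\Client' = $Off
    'Protocols\SSL 3.0\Server' = $Off; 'Protocols\SSL 2.0\Server' = $Off
    'Ciphers\AES 256/256' = $On;  'Ciphers\AES 128/128' = $Off; 'Ciphers\Triple DES 168' = $Off
    'Ciphers\RC4 128/128' = $Off; 'Ciphers\DES 56/56' = $Off;   'Ciphers\NULL' = $Off
    'Hashes\SHA256' = $On; 'Hashes\SHA384' = $On; 'Hashes\SHA512' = $On
    'Hashes\SHA' = $Off;   'Hashes\MD5' = $Off
    'KeyExchangeAlgorithms\Diffie-Hellman' = $On; 'KeyExchangeAlgorithms\ECDH' = $On
    'KeyExchangeAlgorithms\PKCS' = $Off
}

# Names such as 'AES 256/256' contain a slash, which the HKLM: provider would treat as a
# path separator, so go through the .NET registry API instead of New-Item/Set-ItemProperty.
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Registry64')

function Set-SchannelSetting([string]$SubKey, [int]$Enabled) {
    $key = $hklm.CreateSubKey("$base\$SubKey")
    $key.SetValue('Enabled', $Enabled, [Microsoft.Win32.RegistryValueKind]::DWord)
    if ($SubKey -like 'Protocols\*') {   # protocol keys also carry DisabledByDefault
        $dbd = if ($Enabled -eq 0) { 1 } else { 0 }
        $key.SetValue('DisabledByDefault', $dbd, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $key.Close()
}

function Get-SchannelDrift {
    # Emits one object per sub-key whose current 'Enabled' value differs from the desired state.
    foreach ($subKey in $desired.Keys) {
        $key = $hklm.OpenSubKey("$base\$subKey")
        $current = if ($key) { $key.GetValue('Enabled', $null) } else { $null }
        if ($current -ne $desired[$subKey]) {
            [pscustomobject]@{ Key = $subKey; Current = $current; Desired = $desired[$subKey] }
        }
    }
}

foreach ($subKey in $desired.Keys) { Set-SchannelSetting $subKey $desired[$subKey] }
$drift = @(Get-SchannelDrift)
if ($drift.Count -eq 0) { 'All Schannel keys match the hardening list; reboot to apply.' }
else { $drift | Format-Table -AutoSize }
```

Running only Get-SchannelDrift (without the Set- loop) on other NAM hosts gives a quick read-only check of whether they deviate from the same list.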

Hardening NAM Probe

Because the NAM Probe (network probe) has insight into customer data, it should be protected in the same manner as the network and server equipment is protected on the customer data processing path. Set secure access to the NAM Probe, including restriction and auditing of the management connection to the NAM Probe, and maintain firewall and antivirus software updated and patched.

For more information on how to harden the NAM Probe security, see Hardening NAM Probe.