Veritas NetBackup™ Appliance Security Guide
About user name and password specifications
The user name for the NetBackup appliance user account must be in the format that the selected authentication system accepts. Table: User name specifications lists the user name specifications for each user type.
Note:
The Manage > NetBackupCLI > Create command is used to create local users with the NetBackupCLI role. All the local user and password specifications apply to these users.
Table: User name specifications
Description | Administrator (local user) | NetBackupCLI (local user) | Registered remote user |
---|---|---|---|
Maximum length | No restrictions applied | No restrictions applied | Determined by the LDAP, AD, or NIS policy |
Minimum length | 2 characters | 2 characters | Determined by the LDAP, AD, or NIS policy |
Restrictions | User names must not start with: | User names must not start with: | Determined by the LDAP, AD, or NIS policy |
Space inclusion | User names must not include spaces. | User names must not include spaces. | Determined by the LDAP, AD, or NIS policy |
The NetBackup appliance password policy has been updated to increase security on the appliance. The password for the appliance user account must be in the format that the selected authentication system accepts. Table: Password specifications lists the password specifications for each user type.
Table: Password specifications
Description | Administrator (local user) | NetBackupCLI (local user) | Registered remote user |
---|---|---|---|
Maximum length | No restrictions applied | No restrictions applied | Determined by the LDAP, AD, or NIS policy |
Minimum length | Passwords must contain at least eight characters. | Passwords must contain at least eight characters. | Determined by the LDAP, AD, or NIS policy |
Requirements | | | Determined by the LDAP, AD, or NIS policy |
Space inclusion | Passwords must not include spaces. | Passwords must not include spaces. | Determined by the LDAP, AD, or NIS policy |
Minimum password age | 0 day | 0 day Note: You can manage the user password age using the Settings > Security > Authentication > LocalUser command from the NetBackup Appliance Shell Menu. For more information, refer to the NetBackup Appliance Command Reference Guide. | Determined by the LDAP, AD, or NIS policy |
Maximum password age | 99999 days (doesn't expire) | 99999 days (doesn't expire) | Determined by the LDAP, AD, or NIS policy |
Password history | The last seven passwords cannot be reused and the new password cannot be similar to previous passwords. | The last seven passwords cannot be reused and the new password cannot be similar to previous passwords. | Determined by the LDAP, AD, or NIS policy |
Password expiry | Not applicable as the password does not expire | Use the Settings > Security > Authentication > LocalUser command to manage NetBackupCLI user passwords. | Determined by the LDAP, AD, or NIS policy |
Password lockout | None | None | Determined by the LDAP, AD, or NIS policy |
Lockout duration | None | None | Determined by the LDAP, AD, or NIS policy |
Warning:
Appliances do not support Maintenance account passwords that are set with commands such as passwd. Passwords set this way are overwritten once the system is upgraded. Use the NetBackup Appliance Shell Menu to change the Maintenance account password.
The NetBackup appliance uses the following password protection measures:
- The SHA-512 hashing algorithm is used for protecting the passwords of all customer-accessible local appliance users (local users, NetBackupCLI users, the Administrator user, and the Maintenance user). Whenever you create a new local appliance user, or change an existing local appliance user password, the password is hashed using SHA-512.
  Note: If you are upgrading from a NetBackup appliance software version earlier than 2.6.1.1, Veritas recommends that you eventually change the passwords of all the local appliance users after the upgrade so that they use the latest default SHA-512 hashing algorithm.
- The password history is set to 7, meaning that up to seven old passwords are protected and logged. If you try to use an old password as the new password, the appliance displays a token manipulation error.
- Passwords in transit include the following:
  - An SSH login where the password is protected by the SSH protocol.
  - A NetBackup Appliance Web Console login where the password is protected by HTTPS communication.
For detailed password instructions, refer to the NetBackup Appliance Administrator's Guide.
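The upgrade note above (change local user passwords so that they are rehashed with SHA-512) can be checked mechanically. The following is an added example, not Veritas code: it parses shadow-format lines and reports which accounts still carry a non-SHA-512 hash and which have an expiring password. It assumes the appliance stores local account hashes in the standard Linux crypt(3) shadow format; the user names, salts and hash strings in the sample are constructed.

```python
# Added example, not Veritas code. Assumes standard Linux shadow format.
SCHEMES = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "SHA-256", "6": "SHA-512"}  # crypt(3) scheme identifiers

# Constructed sample entries: user names, salts and hashes are made up.
SAMPLE_SHADOW = """\
admin:$6$constructedsalt$AAAAconstructedhashAAAA:19000:0:99999:7:::
cliuser1:$6$constructedsalt$BBBBconstructedhashBBBB:19500:0:90:7:::
olduser:$2y$10$constructedsaltandhashvalue0000000000:16000:0:99999:7:::
legacyop:$1$oldsalt$CCCCconstructedhashCCCC:15000:0:99999:7:::
daemon:*:15000::::::
lockeduser:!$6$constructedsalt$DDDDconstructedhashDDDD:19000:0:99999:7:::
"""


def hash_scheme(field):
    """Name the hashing scheme of a shadow password field, or None if unset."""
    field = field.lstrip("!")  # a leading '!' only marks the account locked
    if field in ("", "*"):
        return None  # no password hash stored
    if not field.startswith("$"):
        return "unrecognized"  # e.g. traditional DES, which has no $id$ prefix
    ident = field.split("$")[1]
    return SCHEMES.get(ident, "unrecognized")


def audit(shadow_text):
    """Report hash scheme and expiry status for every account with a hash."""
    report = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 5:
            continue  # malformed or blank line
        user, pw_field, max_age = parts[0], parts[1], parts[4]
        scheme = hash_scheme(pw_field)
        if scheme is None:
            continue
        report.append({
            "user": user,
            "scheme": scheme,
            # Per the upgrade note: change the password to get a SHA-512 hash.
            "needs_password_change": scheme != "SHA-512",
            # 99999 days is the documented "doesn't expire" value.
            "expires": max_age not in ("", "99999"),
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_SHADOW):
        print(row)
```
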