DCE Security
Last Updated: JLehr 3 weeks ago
The intent of this document is to provide a security handbook covering relevant best practices and information for Data Center Expert (DCE).
DCE is a software solution consisting of a server and a client. The server runs on a proprietary build of Rocky Linux and ships as a locked-down appliance; users do not have access to the underlying operating system. The client runs on a standard Windows operating system. See the system requirements for more information.
Note: This page targets the latest release of DCE, but most of it also applies to older versions.
This topic outlines how to harden and secure an instance of DCE. To maintain security throughout the deployment lifecycle, Schneider Electric recommends reviewing the following considerations for:
NOTE: Different deployments may require different security considerations.
This document provides general security guidance to help you decide on an appropriate secure deployment based on your specific security requirements.
Insufficient restrictions on system access over the network increase exposure to attacks from viruses, worms and spyware, and may also allow undesired access to resources.
Without a rule that denies unsolicited incoming traffic by default, a system is unnecessarily exposed to compromise. Schneider Electric strongly recommends that the following key configuration changes be made.
Schneider Electric strongly recommends that network traffic to DCE is behind a firewall.
A firewall will reduce the likelihood of compromise but cannot prevent all attacks. Firewall logs, if enabled, can be used to identify successful attacks. In the event of a system compromise, these logs are used in forensic analysis to determine the extent of the compromise and nature of the attack.
Enable logs, retain at least 30 days of data, and collect at least the source and destination IP addresses of each connection.
Please see the Network Protocols and Ports section of this document for a breakdown of all ports used by DCE.
Deploy a Network Layer Firewall
Schneider Electric strongly recommends that the device is not exposed to the public Internet and is deployed behind an appropriate Stateful Packet Inspection (SPI) firewall.
Appliance Firewall
The Data Center Expert server comes with a firewall included. The server is not configurable and therefore the firewall cannot be changed.
Schneider Electric strongly recommends that network traffic to DCE's public and private interfaces be separated, either physically or logically, from normal network traffic.
A flat network architecture makes it easier for malicious actors to move laterally within the network. With network segmentation, organizations can control access to sensitive data by permitting or denying network access between segments.
A strong security policy entails segmenting the network into multiple zones, with varying security requirements, and rigorously enforcing the policy on what is allowed to move from zone to zone.
Schneider Electric recommends that all connected network directories, for example, directories for backups, be secured and only accessible to DCE and DCE administrators.
This minimizes any risk associated with a malicious actor tampering with a backup that may potentially be restored into DCE.
Schneider Electric recommends that the environment is protected and monitored by appropriate physical, technical and administrative tools for network intrusion and monitoring such as IDS/IPS and appropriate SIEM solutions.
Attackers with physical access to covered equipment can access the device without authorization. Schneider Electric recommends that physical security controls be in place to restrict physical access to the areas and facilities containing instances of DCE and other hardware.
Custodians should secure equipment from unauthorized physical access.
Deploy the physical appliance in a rack or cage that can be locked with a suitable key or other physical means, and test these controls regularly. This prevents access to the physical ports of the device and restricts console access.
Privileged and super-user accounts (Administrator and root) must not be used for non-administrative activities. Network services must run under accounts with the minimum necessary privileges. Also minimize the number of local accounts.
Replace the Default SSL/TLS Certificate
Default SSL/TLS certificates are created during the initial configuration of the device. These certificates are not intended for production deployments and should be replaced.
Schneider Electric recommends that customers configure the device to use certificates either from a reputable Certificate Authority (CA) or appropriate certificates from your enterprise CA.
SSH is disabled on the DCE appliance by default and should remain disabled unless needed for support troubleshooting sessions. If it is enabled, it should be disabled when no longer needed.
Schneider Electric recommends that customers regularly monitor DCE logging.
DCE provides log capture based on standard Linux capabilities. Logs are stored on the server and are accessible to the system administrator.
Schneider Electric recommends that, before performing an update, an administrator validate the checksum of the downloaded artifact against the SHA-1 checksum published on the download page.
This minimizes the risk of a malicious actor tampering with an upgrade file after it has been downloaded from the secure Schneider Electric website. The check only detects changes made after the published checksum was obtained, so take the checksum from the HTTPS download page itself rather than from a file delivered alongside the download.
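The check described above, as an added example that is not part of the original page or of the DCE product: a Python script that streams the downloaded file through SHA-1 and compares the result with the digest copied from the download page. The file names and the "abc" file content are constructed for the demo; the expected digest is the standard SHA-1 test vector for that content, not a real DCE release checksum.

```python
"""Added example (not from the Schneider Electric page or the DCE product):
verify a downloaded DCE upgrade artifact against the SHA-1 digest published
on the download page before applying the upgrade.

Assumptions (labelled): the artifact path and the expected digest are supplied
by the administrator; the files written in demo() are constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read large upgrade images in 1 MiB chunks


def sha1_of_file(path: str) -> str:
    """Stream the file through SHA-1 so a multi-GB image need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path: str, published_sha1: str) -> bool:
    """Return True only if the file's SHA-1 equals the published digest.

    The digest is normalised (case, surrounding whitespace) because it is
    usually pasted by hand from a web page, validated as 40 hex characters so
    a truncated paste cannot silently pass, and compared with compare_digest.
    """
    expected = published_sha1.strip().lower()
    if len(expected) != 40 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published digest is not a 40-character hex SHA-1")
    actual = sha1_of_file(path)
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Constructed demonstration: a 'good' artifact and a tampered copy.

    The file content is the string 'abc', whose SHA-1 is the well-known test
    vector a9993e364706816aba3e25717850c26c9cd0d89d.
    """
    published = "A9993E364706816ABA3E25717850C26C9CD0D89D  "  # as pasted from a page
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "dce-upgrade.bin")  # hypothetical file name
        with open(good, "wb") as f:
            f.write(b"abc")
        tampered = os.path.join(d, "dce-upgrade-tampered.bin")
        with open(tampered, "wb") as f:
            f.write(b"abd")  # one byte changed after download
        return {
            "good": verify_artifact(good, published),
            "tampered": verify_artifact(tampered, published),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK, safe to apply' if ok else 'MISMATCH, do not apply'}")
```

Run it as a script to see one passing and one failing verification; in practice call verify_artifact() with the real artifact path and the digest from the download page, and abort the upgrade on False.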
It is considered a best practice to validate configured security settings to ensure they work as intended. Schneider Electric strongly recommends making this practice mandatory whenever security configurations are modified. For example:
Customers are responsible for the physical security of their client machines. This may include logging off or locking the client machine when away from it, avoiding leaving it unattended in public areas, and keeping it in a secure location when not in use.
Customers should protect their client machines from cyberattacks and data breaches. Protections may include:
Schneider Electric recommends that customers harden any NMC-based devices by using the latest available firmware updates and recommended configuration changes.
For more information, see the security handbooks for NMC2 and NMC3 devices.
This topic outlines how to reset an instance of DCE to its default settings and erase all user information and configurations.
For information on how to delete the device contents, consult the Restoring a Data Center Expert Physical Appliance section (or the corresponding section for your appliance type) of https://www.apc.com/us/en/faqs/FA321728/
For information on how to physically dispose of or recycle the DCE appliance, please consult our hardware supplier’s documentation.
This section lists all ports used by DCE. Schneider Electric recommends that secure protocols be used wherever possible. DCE only attempts to communicate over the ports and protocols in the External Integrations and Device Communication sections if the corresponding feature has been configured.
Protocol | Transfer Protocol | Port | Direction | Description
HTTP(S) | TCP (SSL) | 80 (443)¹ | Inbound | Used for client communication and 3rd-party integrations

External Integrations

Protocol | Transfer Protocol | Port | Direction | Description
SMTP | TCP | 25¹ | Outbound | Communication with email server
NFS | TCP/UDP | 111 | Outbound | NFS-mounted external drive
NFS | TCP/UDP | 2049 | Outbound | NAS/SAN
NTP | UDP | 123 | Outbound | Remote NTP server time communication
SMB | TCP | 139, 445 | Outbound | NAS/SAN
SMB | UDP | 137, 138 | Outbound | NAS/SAN
DNS | TCP/UDP | 53 | Outbound | DNS server
LDAP | TCP | 389¹ | Outbound | Active Directory/LDAP
LDAPS (with SSL) | TCP (SSL) | 636 | Outbound | Active Directory/LDAP

Device Communication

Protocol | Transfer Protocol | Port | Direction | Description
FTP | TCP | 21¹ | Outbound | Used to transfer configurations, firmware binaries and logs
SCP | TCP | 22¹ | Outbound | Used to transfer configurations, firmware binaries and logs
SNMPv3 | UDP | 161¹ | Outbound | SNMP device polling and discovery
SNMPv3 | UDP | 162¹ | Inbound | SNMP traps
HTTP(S) | TCP | 80 (443) | Inbound | NetBotz device polling and discovery
HTTP(S) | TCP | 80 (443) | Outbound | NetBotz traps
Modbus TCP | TCP | 502¹ | Outbound | Modbus TCP device polling and discovery
APC Proprietary Communication | TCP | 6000 | Outbound | AP76xx outlet strips and gen1 PDU device polling and discovery

Protocol | Transfer Protocol | Port | Direction | Description
PostgreSQL | TCP | 5432 | Inbound | Local system only – used by the DCE server to communicate with its database

¹ Port can be changed from its default value. Consult the DCE documentation for more information.
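As an added example, not from the original page or from DCE itself: the port tables above turned into a baseline that firewall log lines are checked against, so that traffic outside the baseline, traffic on a listed port whose feature is not configured on the site, inbound SSH (disabled by default, per the hardening guidance above) and any traffic on the local-only PostgreSQL port stand out. The appliance address, the set of configured services and the log lines are constructed assumptions; the line format imitates netfilter LOG output and the parser must be adapted to the firewall actually in use.

```python
"""Added example, not from the Schneider Electric page or from DCE itself:
audit firewall log lines for traffic to or from a DCE appliance against the
port baseline in the tables above.

Assumptions (all constructed for this demo): the appliance address DCE_IP,
the set of optional services this site has configured (CONFIGURED), and the
sample log lines. The line format mimics netfilter/iptables LOG output
(SRC= DST= PROTO= DPT=); adapt parse_line() to your firewall's format.
"""
import re
from typing import Dict, List, Optional, Tuple

DCE_IP = "10.0.0.5"  # assumed appliance address

# Baseline from the port tables: (direction from DCE's view, proto, port) -> service.
# Ports marked ¹ in the tables are defaults; change them here if changed on site.
BASELINE: Dict[Tuple[str, str, int], str] = {
    ("in", "tcp", 80): "HTTP client", ("in", "tcp", 443): "HTTPS client",
    ("out", "tcp", 25): "SMTP",
    ("out", "tcp", 111): "NFS", ("out", "udp", 111): "NFS",
    ("out", "tcp", 2049): "NFS", ("out", "udp", 2049): "NFS",
    ("out", "udp", 123): "NTP",
    ("out", "tcp", 139): "SMB", ("out", "tcp", 445): "SMB",
    ("out", "udp", 137): "SMB", ("out", "udp", 138): "SMB",
    ("out", "tcp", 53): "DNS", ("out", "udp", 53): "DNS",
    ("out", "tcp", 389): "LDAP", ("out", "tcp", 636): "LDAPS",
    ("out", "tcp", 21): "FTP", ("out", "tcp", 22): "SCP",
    ("out", "udp", 161): "SNMPv3 polling", ("in", "udp", 162): "SNMP traps",
    ("out", "tcp", 80): "NetBotz HTTP", ("out", "tcp", 443): "NetBotz HTTPS",
    ("out", "tcp", 502): "Modbus TCP", ("out", "tcp", 6000): "APC proprietary",
}
# Client access is always expected; everything else only if the site configured it.
ALWAYS = {"HTTP client", "HTTPS client"}
CONFIGURED = {"SMTP", "NTP", "DNS", "LDAPS", "SNMPv3 polling", "SNMP traps", "SCP"}

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+).*?PROTO=(\w+).*?DPT=(\d+)")


def parse_line(line: str) -> Optional[Dict]:
    """Extract a flow from one log line; None if unparsable or not DCE traffic."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, port = m.group(1), m.group(2), m.group(3).lower(), int(m.group(4))
    if dst == DCE_IP:
        direction = "in"
    elif src == DCE_IP:
        direction = "out"
    else:
        return None
    return {"src": src, "dst": dst, "proto": proto, "port": port, "dir": direction}


def classify(flow: Dict) -> str:
    """Return 'ok', or a reason why the flow deviates from the DCE baseline."""
    if flow["port"] == 5432:
        return "PostgreSQL 5432 is local-system only; never expected on the wire"
    if flow["dir"] == "in" and flow["proto"] == "tcp" and flow["port"] == 22:
        return "inbound SSH; SSH is disabled by default and should stay disabled outside support sessions"
    service = BASELINE.get((flow["dir"], flow["proto"], flow["port"]))
    if service is None:
        return f"{flow['dir']}bound {flow['proto']}/{flow['port']} is not in the DCE port baseline"
    if service not in ALWAYS and service not in CONFIGURED:
        return f"{service} is in the baseline but not configured on this site"
    return "ok"


def audit(lines: List[str]) -> List[Tuple[str, str, str, int, str]]:
    """Return (src, dst, proto, port, reason) for every flow that is not 'ok'."""
    findings = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        reason = classify(flow)
        if reason != "ok":
            findings.append((flow["src"], flow["dst"], flow["proto"], flow["port"], reason))
    return findings


# Constructed sample in netfilter LOG style. Not real DCE or customer data.
SAMPLE_LOG = [
    "kernel: DCE-IN: IN=eth0 OUT= SRC=10.1.2.3 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN",
    "kernel: DCE-OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.53 LEN=70 PROTO=UDP SPT=40000 DPT=53",
    "kernel: DCE-IN: IN=eth0 OUT= SRC=10.9.9.9 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40010 DPT=22 SYN",
    "kernel: DCE-IN: IN=eth0 OUT= SRC=10.9.9.9 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40011 DPT=5432 SYN",
    "kernel: DCE-OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=10.5.5.5 LEN=60 PROTO=TCP SPT=40012 DPT=21 SYN",
    "kernel: DCE-OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=10.5.5.6 LEN=60 PROTO=TCP SPT=40013 DPT=8443 SYN",
    "kernel: OTHER: IN=eth0 OUT= SRC=10.1.2.3 DST=10.1.2.4 LEN=60 PROTO=TCP SPT=40014 DPT=22 SYN",
]

if __name__ == "__main__":
    for src, dst, proto, port, reason in audit(SAMPLE_LOG):
        print(f"{src} -> {dst} {proto}/{port}: {reason}")
```

On the sample the first two lines are expected traffic (HTTPS from a client, DNS to the resolver) and the last line does not involve the appliance; the remaining four are reported. The same BASELINE can also be used the other way round, as the allow-list for the upstream firewall rules, which keeps the two in step.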
Data Center Expert provides a REST API and uses OAuth2 for authorization. Handling OAuth2 access tokens and refresh tokens securely is critical to the integrity and confidentiality of data.
Integrators should take care where they store these tokens and treat them as sensitive data. OAuth2 tokens are the keys to device data and resources; a compromised token can lead to unauthorized access, data breaches and misuse of sensitive information.
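The token handling the paragraph above asks for, as an added example; this is not code from the original page and not the DCE REST API's own client library. It keeps tokens out of repr()/log output, persists them with owner-only permissions and refuses a file that has been loosened, and refreshes the access token shortly before expiry using the refresh token rather than re-sending credentials. The token endpoint response shape (access_token, refresh_token, expires_in) is the generic OAuth2 one; the refresh function, clock and file name in demo() are stand-ins constructed for the demo.

```python
"""Added example. This is not code from the Schneider Electric page and not
the DCE REST API's own client library: a small token store for an integration
that calls an OAuth2-protected REST API such as DCE's.

Assumptions (labelled): the token response shape (access_token, refresh_token,
expires_in) is the generic RFC 6749 shape; the refresh function and clock in
demo() are stand-ins for the real HTTPS call and are constructed for the demo.
"""
import json
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

RefreshFn = Callable[[str], Dict]  # refresh_token -> token endpoint response


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute epoch seconds, computed from expires_in

    def __repr__(self) -> str:
        # Redact secrets so a stray print/log/traceback does not leak them.
        return f"TokenSet(access_token=<redacted>, refresh_token=<redacted>, expires_at={self.expires_at:.0f})"


class TokenStore:
    SKEW = 60.0  # refresh this many seconds before the access token expires

    def __init__(self, path: str, refresh: RefreshFn, now: Callable[[], float] = time.time):
        self.path, self.refresh, self.now = path, refresh, now
        self._tokens: Optional[TokenSet] = None

    def save(self, tokens: TokenSet) -> None:
        # Create with mode 0600 from the start rather than chmod'ing afterwards,
        # so there is no window in which the file is readable by others.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(tokens.__dict__, f)
        os.chmod(self.path, 0o600)  # also tighten a pre-existing file
        self._tokens = tokens

    def load(self) -> TokenSet:
        mode = stat.S_IMODE(os.stat(self.path).st_mode)
        if mode & 0o077:
            raise PermissionError(f"{self.path} is accessible to others (mode {oct(mode)}); refusing to use it")
        with open(self.path) as f:
            self._tokens = TokenSet(**json.load(f))
        return self._tokens

    def store_response(self, resp: Dict) -> TokenSet:
        # Servers may omit refresh_token in a refresh response; keep the one we have.
        prev_refresh = self._tokens.refresh_token if self._tokens else ""
        tokens = TokenSet(resp["access_token"], resp.get("refresh_token", prev_refresh),
                          self.now() + float(resp["expires_in"]))
        self.save(tokens)
        return tokens

    def access_token(self) -> str:
        if self._tokens is None:
            self.load()
        if self.now() >= self._tokens.expires_at - self.SKEW:
            self.store_response(self.refresh(self._tokens.refresh_token))
        return self._tokens.access_token

    def auth_header(self) -> Dict[str, str]:
        """Header to attach to each API request; the token never goes in a URL."""
        return {"Authorization": f"Bearer {self.access_token()}"}


def demo() -> Dict:
    """Constructed walk-through with a fake clock and a fake token endpoint."""
    clock = {"t": 1_700_000_000.0}
    refresh_calls = []

    def fake_refresh(refresh_token: str) -> Dict:  # stand-in for the real HTTPS call
        refresh_calls.append(refresh_token)
        n = len(refresh_calls)
        return {"access_token": f"at-{n}", "refresh_token": f"rt-{n}", "expires_in": 3600}

    with tempfile.TemporaryDirectory() as d:
        store = TokenStore(os.path.join(d, "dce-tokens.json"), fake_refresh, now=lambda: clock["t"])
        store.store_response({"access_token": "at-0", "refresh_token": "rt-0", "expires_in": 3600})
        first = store.access_token()        # still fresh: no refresh
        clock["t"] += 3600 - 30             # inside the 60 s skew window
        second = store.access_token()       # refreshed using rt-0
        reloaded = TokenStore(store.path, fake_refresh, now=lambda: clock["t"]).load()
        return {
            "first": first, "second": second, "refresh_calls": list(refresh_calls),
            "file_mode": oct(stat.S_IMODE(os.stat(store.path).st_mode)),
            "reloaded_matches": reloaded.access_token == second,
            "repr_leaks_secret": second in repr(reloaded),
        }


if __name__ == "__main__":
    print(demo())
```

For a real integration, replace fake_refresh with the HTTPS call to the token endpoint and keep the store file under a directory only the integration's service account can read; the PermissionError in load() is what catches a token file that was later copied or chmod'ed carelessly.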
Vulnerability scans are regularly run against Data Center Expert. Schneider Electric is committed to remediating and patching any items identified.
For more information on major vulnerabilities, see Schneider Electric Security Notifications.
The information presented in this manual is not warranted by the Schneider Electric IT Corporation to be authoritative, error free, or complete. This publication is not meant to be a substitute for a detailed operational and site specific development plan. Therefore, Schneider Electric IT Corporation assumes no liability for damages, violations of codes, improper installation, system failures, or any other problems that could arise based on the use of this Publication. The information contained in this Publication is provided as is and has been prepared solely for the purpose of evaluating data center design and construction. This Publication has been compiled in good faith by Schneider Electric IT Corporation. However, no representation is made or warranty given, either express or implied, as to the completeness or accuracy of the information this Publication contains. IN NO EVENT SHALL SCHNEIDER ELECTRIC IT CORPORATION, OR ANY PARENT, AFFILIATE OR SUBSIDIARY COMPANY OF SCHNEIDER ELECTRIC IT CORPORATION OR THEIR RESPECTIVE OFFICERS, DIRECTORS, OR EMPLOYEES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL, OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, CONTRACT, REVENUE, DATA, INFORMATION, OR BUSINESS INTERRUPTION) RESULTING FROM, ARISING OUT, OR IN CONNECTION WITH THE USE OF, OR INABILITY TO USE THIS PUBLICATION OR THE CONTENT, EVEN IF SCHNEIDER ELECTRIC IT CORPORATION HAS BEEN EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SCHNEIDER ELECTRIC IT CORPORATION RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES WITH RESPECT TO OR IN THE CONTENT OF THE PUBLICATION OR THE FORMAT THEREOF AT ANY TIME WITHOUT NOTICE. Copyright, intellectual, and all other proprietary rights in the content (including but not limited to software, audio, video, text, and photographs) rests with Schneider Electric IT Corporation or its licensors. All rights in the content not expressly granted herein are reserved. 
No rights of any kind are licensed or assigned or shall otherwise pass to persons accessing this information. This Publication shall not be for resale in whole or in part.