DCE Security

EcoStruxure IT Data Center Expert - Server Backups and Remote Repositories - Best Practices

It is recommended that customers do not configure their Data Center Expert to back up to the same physical or virtual server that hosts any DCE remote repositories (if in use). This imposes significant risk; if the physical or virtual server becomes unavailable and unrecoverable, both remote data and backups would be lost.

Backups should always be stored in multiple locations, separate from DCE data, whenever possible.
Ensign mwhelihan Ensign
‎2025-05-07 01:26 PM


26 Views

Data Center Expert Security Handbook

The intent of this document is to provide a security handbook covering relevant best practices and information for Data Center Expert (DCE).

DCE is a software solution consisting of both a server and client. The server is supported by a proprietary version of Rocky Linux and shipped as a locked down appliance. Users do not have access to the underlying operating system. The client runs on a standard Windows operating system. See system requirements for more information.

Note: This page is targeted at the latest release of DCE, but is also applicable to older versions.

Security Hardening

This topic outlines how to harden and secure an instance of DCE. To maintain security throughout the deployment lifecycle, Schneider Electric recommends reviewing the following considerations for:

  • Network Security
  • Physical Security
  • Appliance Security
  • Client Security
  • Device Integration Security

NOTE: Different deployments may require different security considerations.

This document provides general security guidance to help you decide on an appropriate secure deployment based on your specific security requirements.

Network Security

Insufficient restrictions on system access over the network increase exposure to attacks from viruses, worms, and spyware, and may also facilitate undesired access to resources. Not having a rule in place that denies incoming traffic unnecessarily exposes a system to compromise. Schneider Electric strongly recommends that the key configuration changes below are made.

Firewalls

Schneider Electric strongly recommends that all network traffic to DCE passes through a firewall.

A firewall will reduce the likelihood of compromise but cannot prevent all attacks. Firewall logs, if enabled, can be used to identify successful attacks. In the event of a system compromise, these logs are used in forensic analysis to determine the extent of the compromise and nature of the attack.

Enable logs; retain at least 30 days of data; and collect at least source and destination IP.

Please see the Network Protocols and Ports section of this document for a breakdown of all ports used by DCE.

Deploy a Network Layer Firewall

Schneider Electric strongly recommends that the device is not exposed to the public Internet and is deployed behind an appropriate Stateful Packet Inspection (SPI) firewall.

Appliance Firewall

The Data Center Expert server comes with a firewall included. The server is not configurable and therefore the firewall cannot be changed.

Network Segmentation

Schneider Electric strongly recommends that network traffic to both DCE's public and private interfaces is separated, either physically or logically, from normal network traffic.

A flat network architecture makes it easier for malicious actors to move around within the network, whereas with network segmentation organizations can enhance network security by controlling access to sensitive data through allowing or denying network access.

A strong security policy entails segmenting the network into multiple zones, with varying security requirements, and rigorously enforcing the policy on what is allowed to move from zone to zone.

If monitored devices cannot utilize secure protocols, it is recommended that they be placed on the private network, separate from the public network.

Connected Network Directories

Schneider Electric recommends that all connected network directories, for example, directories for backups, be secured and only accessible to DCE and DCE administrators. This minimizes any risk associated with a malicious actor tampering with a backup that may potentially be restored into DCE.

Other Security Detection and Monitoring Tools

Schneider Electric recommends that the environment is protected and monitored by appropriate physical, technical and administrative tools for network intrusion and monitoring such as IDS/IPS and appropriate SIEM solutions.

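The firewall logging guidance above can be checked against the handbook's own port tables (Network Protocol and Ports section). The following is an added example, not Schneider Electric code: the log format, the addresses and the names `DCE_IP`, `DCE_FLOWS`, `parse` and `audit` are assumptions made for illustration.

```python
from datetime import datetime, timedelta

DCE_IP = "10.20.0.5"  # assumption: DCE server address in the constructed sample

# (direction seen from DCE, transport, destination port), copied from the
# handbook's port tables. Blank table cells are assumed to inherit from the row
# above; ports the handbook footnotes as changeable may differ per deployment.
DCE_FLOWS = {
    ("in", "tcp", 80), ("in", "tcp", 443), ("in", "udp", 162),
    ("out", "tcp", 25), ("out", "tcp", 111), ("out", "udp", 111),
    ("out", "tcp", 2049), ("out", "udp", 2049), ("out", "udp", 123),
    ("out", "tcp", 139), ("out", "tcp", 445), ("out", "udp", 137),
    ("out", "udp", 138), ("out", "tcp", 53), ("out", "udp", 53),
    ("out", "tcp", 389), ("out", "tcp", 636), ("out", "tcp", 21),
    ("out", "tcp", 22), ("out", "udp", 161), ("out", "tcp", 80),
    ("out", "tcp", 443), ("out", "tcp", 502), ("out", "tcp", 6000),
}
# PostgreSQL (TCP 5432) is "Local System ONLY" in the handbook, so it is left
# out on purpose: an allowed flow to it at the firewall is a finding.

# Constructed sample records in a hypothetical key=value export format.
SAMPLE_LOG = """\
ts=2025-03-01T02:10:00 action=allow proto=udp src=10.20.0.5 dst=10.20.0.1 dport=123
ts=2025-03-14T09:30:12 action=allow proto=tcp src=10.20.1.44 dst=10.20.0.5 dport=443
ts=2025-03-20T11:02:41 action=allow proto=tcp src=10.20.1.77 dst=10.20.0.5 dport=5432
ts=2025-03-28T23:15:03 action=deny proto=tcp src=203.0.113.9 dst=10.20.0.5 dport=22
ts=2025-04-01T04:00:00 action=allow proto=tcp src=10.20.0.5 dst=198.51.100.20 dport=8443
ts=2025-04-02T06:45:10 action=allow proto=udp dst=10.20.0.5 dport=162
""".splitlines()

# The handbook's minimum is source and destination IP; the audit also needs the rest.
REQUIRED = {"ts", "action", "proto", "src", "dst", "dport"}

def parse(line):
    """Return the record as a dict, or None if a required field is missing."""
    rec = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return rec if REQUIRED <= rec.keys() else None

def audit(lines, dce_ip=DCE_IP):
    """Report allowed DCE flows outside the port tables, incomplete records,
    and whether the records span the 30 days the handbook asks to retain."""
    unexpected, incomplete, stamps = [], 0, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            incomplete += 1
            continue
        stamps.append(datetime.fromisoformat(rec["ts"]))
        if rec["action"] != "allow" or dce_ip not in (rec["src"], rec["dst"]):
            continue
        direction = "in" if rec["dst"] == dce_ip else "out"
        flow = (direction, rec["proto"].lower(), int(rec["dport"]))
        if flow not in DCE_FLOWS:
            unexpected.append((rec["ts"], rec["src"], rec["dst"]) + flow[1:])
    span = max(stamps) - min(stamps) if stamps else timedelta(0)
    return {"unexpected": unexpected, "incomplete": incomplete,
            "retention_ok": span >= timedelta(days=30)}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

On the constructed sample, the audit flags the allowed inbound connection to 5432 and the outbound connection to 8443, and counts the record without a source address as incomplete.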
Physical Security

Attackers with physical access to covered equipment can access the device without authorization. Schneider Electric recommends that physical security must be in place to control the physical access to restricted areas and facilities containing instances of DCE and other hardware.

Deploy Equipment in a Secure Location

Custodians should secure equipment from unauthorized physical access.

  • Access should be restricted to those who require access to maintain the equipment.
  • Restricted areas should be clearly marked for authorized personnel only.
  • Restricted areas should be secured by locked doors.
  • Access to the restricted areas should produce a physical or electronic, regularly reviewed, audit trail.

Secure access to the device front panel and rear ports

Deploy the physical appliance in a rack or cage that can be locked with a suitable key, or other physical methods. Any of these methods should be tested regularly. This will prevent access to the physical ports of the device and restrict console access.

Appliance Security

Privileged Accounts

Privileged and super-user accounts (Administrator and root) must not be used for non-administrator activities. Network services must run under accounts assigned the minimum necessary privileges. Also minimize the number of local accounts.

Certificates

Replace the Default SSL/TLS Certificate

Default SSL/TLS certificates are created during the initial configuration of the device. These certificates are not intended for use in production deployments and should be replaced.

Schneider Electric recommends that customers configure the device to use certificates either from a reputable Certificate Authority (CA) or appropriate certificates from your enterprise CA.

SSH

SSH is disabled on the DCE appliance by default and should remain disabled unless needed for support troubleshooting sessions. If it is enabled, it should be disabled when no longer needed.

Logging

Schneider Electric recommends that customers regularly monitor DCE logging.

DCE has readily available capture logs (based on standard Linux capabilities). Logs are stored on the server and are accessible to the system administrator.

Upgrades

Schneider Electric recommends that, prior to performing an update, an administrator validates the downloaded artifact checksum against the SHA1 checksum provided on the download page.

This minimizes any risk associated with a malicious actor tampering with an upgrade file after it has been downloaded from the secure Schneider Electric website.

Validate security settings

It is considered a best practice to validate configured security settings to ensure they work as intended. Schneider Electric strongly recommends making this practice mandatory whenever security configurations are modified. For example:

  • Verify the configured firewall rules. Attempt to make a connection that is configured to be denied and verify it is denied.
  • Verify the configured security policies.
  • Verify that monitored devices are online in the Data Center Expert.
  • Verify an HTTP to HTTPS redirect occurs when HSTS is enabled.
  • Verify SSL certificate changes are applied correctly by viewing the certificate in a web browser.
  • Attempt to log in with an invalid user name or password and validate that the unsuccessful login attempt is logged in the event log.
  • Attempt to access the DCE server via an insecure protocol, for example, HTTP. Verify the server is inaccessible when HTTP is not enabled.

Client Security

Physical Security

Customers are responsible for the physical security of their client machines. This may include logging off or locking the client machine when away from it, avoiding leaving it unattended in public areas, and keeping it in a secure location when not in use.

Digital Security

Customers should protect their client machines from cyberattacks and data breaches.
Protections may include:

  • Setting strong passwords; not reusing passwords
  • Never sharing your passwords with others
  • Using different authentication methods
  • Encrypting hard drives
  • Backing up data regularly
  • Installing antivirus software and keeping it up to date
  • Enabling firewall protection
  • Keeping software and operating systems up to date
  • Installing and maintaining the latest antivirus software on client machines
  • Enabling Data Execution Prevention (DEP) for the EcoStruxure IT Data Center Expert desktop client

Device Integration Security

Schneider Electric recommends that customers harden any NMC-based devices by using the latest available firmware updates and recommended configuration changes. For more information, see the security handbooks for NMC2 and NMC3 devices.

Secure Disposal and Decommissioning

This topic outlines how to reset an instance of DCE to its default settings and erase all user information and configurations.

Delete Device Contents

For information on how to delete the device contents, please consult the Restoring a Data Center Expert Physical Appliance or Restoring a Data Center Expert Physical Appliance sections of https://www.apc.com/us/en/faqs/FA321728/

Dispose of Physical Device

For information on how to physically dispose of or recycle the DCE appliance, please consult our hardware supplier’s documentation.

Network Protocol and Ports

This section contains all ports utilized by DCE. Schneider Electric recommends that secure protocols are used wherever possible. The DCE will only attempt to communicate over the ports and protocols in the External Integrations and Device Communication sections if they have been configured.

Web Server

| Protocol | Transfer Protocol | Port | Direction | Description |
|---|---|---|---|---|
| HTTP(S) | TCP(SSL) | 80(443) [1] | Inbound | Used for client communication and 3rd party integrations |

External Integrations

| Protocol | Transfer Protocol | Port | Direction | Description |
|---|---|---|---|---|
| SMTP | TCP | 25 [1] | Outbound | Communication with email server |
| NFS | TCP/UDP | 111 | Outbound | NFS mounted external drive |
| | | 2049 | Outbound | NAS/SAN |
| NTP | UDP | 123 | Outbound | Remote NTP server time communication |
| SMB | TCP | 139, 445 | Outbound | NAS/SAN |
| | UDP | 137, 138 | Outbound | NAS/SAN |
| DNS | TCP/UDP | 53 | Outbound | DNS Server |
| LDAP | TCP | 389 [1] | Outbound | Active Directory/LDAP |
| LDAPS (with SSL) | TCP(SSL) | 636 | Outbound | Active Directory/LDAP |

Device Communication

| Protocol | Transfer Protocol | Port | Direction | Description |
|---|---|---|---|---|
| FTP | TCP | 21 [1] | Outbound | Used to transfer configurations, firmware binaries and logs |
| SCP | TCP | 22 [1] | Outbound | Used to transfer configurations, firmware binaries and logs |
| SNMPv3 | UDP | 161 [1] | Outbound | SNMP device polling and discovery |
| | | 162 [1] | Inbound | SNMP traps |
| HTTP(S) | TCP | 80(443) | Inbound | NetBotz device polling and discovery |
| | | | Outbound | NetBotz traps |
| Modbus TCP | TCP | 502 [1] | Outbound | Modbus TCP device polling and discovery |
| APC Proprietary Communication | TCP | 6000 | Outbound | AP76xx outlet strips and gen1 PDU device polling and discovery |

Local System Only

| Protocol | Transfer Protocol | Port | Direction | Description |
|---|---|---|---|---|
| PostgreSQL | TCP | 5432 | Inbound | Local System ONLY – Used by the DCE server to communicate with its database |

[1] Port can be changed from its default value. Please consult the DCE documentation for more information.

Data Center Expert REST API

Data Center Expert supports a REST API and utilizes OAuth2 for authorization. Handling OAuth2 access tokens and refresh tokens securely is critical to ensure the integrity and confidentiality of data.

Integrators should take care where they store these tokens and should treat them as sensitive data.
Keeping OAuth2 tokens secure is crucial because they serve as the keys to accessing device data and resources, and any compromise could lead to unauthorized access, data breaches, and potential misuse of sensitive information.

Software Vulnerability, Scan(s) and Certifications

Vulnerability scans are regularly run against Data Center Expert. Schneider Electric is committed to remediating and patching any items identified. For more information on major vulnerabilities, see Schneider Electric Security Notifications.

Schneider Electric IT Corporation Legal Disclaimer

The information presented in this manual is not warranted by the Schneider Electric IT Corporation to be authoritative, error free, or complete. This publication is not meant to be a substitute for a detailed operational and site specific development plan. Therefore, Schneider Electric IT Corporation assumes no liability for damages, violations of codes, improper installation, system failures, or any other problems that could arise based on the use of this Publication. The information contained in this Publication is provided as is and has been prepared solely for the purpose of evaluating data center design and construction. This Publication has been compiled in good faith by Schneider Electric IT Corporation. However, no representation is made or warranty given, either express or implied, as to the completeness or accuracy of the information this Publication contains.

IN NO EVENT SHALL SCHNEIDER ELECTRIC IT CORPORATION, OR ANY PARENT, AFFILIATE OR SUBSIDIARY COMPANY OF SCHNEIDER ELECTRIC IT CORPORATION OR THEIR RESPECTIVE OFFICERS, DIRECTORS, OR EMPLOYEES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL, OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, CONTRACT, REVENUE, DATA, INFORMATION, OR BUSINESS INTERRUPTION) RESULTING FROM, ARISING OUT, OR IN CONNECTION WITH THE USE OF, OR INABILITY TO USE THIS PUBLICATION OR THE CONTENT, EVEN IF SCHNEIDER ELECTRIC IT CORPORATION HAS BEEN EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SCHNEIDER ELECTRIC IT CORPORATION RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES WITH RESPECT TO OR IN THE CONTENT OF THE PUBLICATION OR THE FORMAT THEREOF AT ANY TIME WITHOUT NOTICE. Copyright, intellectual, and all other proprietary rights in the content (including but not limited to software, audio, video, text, and photographs) rests with Schneider Electric IT Corporation or its licensors. All rights in the content not expressly granted herein are reserved. No rights of any kind are licensed or assigned or shall otherwise pass to persons accessing this information. This Publication shall not be for resale in whole or in part.
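
Part of the handbook's "Validate security settings" checklist (denied connections, the HTTP to HTTPS redirect, and HTTP being unreachable when disabled) can be scripted from an administrator workstation. This is an added example, not Schneider Electric code; the function names, the `expect` values and the host name `dce.example` are assumptions made for illustration.

```python
import http.client
import socket

def tcp_port_open(host, port, timeout=3.0):
    """True only if a TCP handshake completes; refused, filtered and
    timed-out attempts all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_http(host, port=80, timeout=5.0):
    """GET / over plain HTTP without following redirects.
    Returns (status, Location header) or None when nothing answers."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", "")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def judge_http(observed, expect):
    """Compare a probe_http() result with the configured state:
    expect="redirect" when HSTS is enabled, expect="closed" when HTTP is
    not enabled (hypothetical labels for the two checklist items)."""
    if expect == "closed":
        return "PASS" if observed is None else "FAIL: server answered over plain HTTP"
    if observed is None:
        return "FAIL: no answer on HTTP, expected a redirect"
    status, location = observed
    if status in (301, 302, 303, 307, 308) and location.lower().startswith("https://"):
        return "PASS"
    return f"FAIL: HTTP {status} without an https:// redirect"

def judge_denied(port_states):
    """port_states maps port -> tcp_port_open() result for ports the firewall
    is configured to deny; returns the ports that were reachable anyway."""
    return sorted(port for port, is_open in port_states.items() if is_open)

def validate(host, denied_ports, expect):
    """Run the live checks against one server and collect the verdicts."""
    states = {port: tcp_port_open(host, port) for port in denied_ports}
    return {"http": judge_http(probe_http(host), expect),
            "reachable_but_denied": judge_denied(states)}

if __name__ == "__main__":
    # dce.example is a placeholder; 22 and 5432 stand in for denied ports.
    print(validate("dce.example", denied_ports=[22, 5432], expect="redirect"))
```

Run it again after every change to firewall rules, HSTS or certificate settings, as the checklist asks; the certificate and event-log items still need a manual look.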
Picard EcoStruxureIT
‎2019-11-20 06:15 AM

Last Updated: Ensign mwhelihan Ensign ‎2025-02-05 10:58 AM

9663 Views

New cybersecurity requirements in NMC3

To comply with stricter cybersecurity requirements across various product groups, it is recommended that customers review their username/password lists in Data Center Expert and EcoStruxure IT Gateway and confirm that those listed are both active and accurate.

In particular, some APC NMC3 devices may have bad login attempt limits configured that can prohibit successful device discovery or completing specific tasks. Repeated failed attempts to log into devices can adversely affect DDF downloads, device launch, device configuration, and firmware updates.

To comply with stricter cybersecurity rules, the NMC3 web UI now reports the error condition for bad login attempt limit exceeded as "Invalid user name or password" instead of "Account locked out" as in prior firmware versions (2.3.1.1 and older).

When the number of failed login attempts is exceeded, a one hour wait time is required before another login attempt, or before the superuser or an admin level account can unlock the account. By default, there is no admin level account other than the superuser; you must create one.

The Bad login attempts setting defaults to 5. In prior versions, the default was 0 (unlimited). You can increase this value up to 99. Log in to the NMC3 UI and go to Configuration > Security > Local users > Default Settings to check this setting.

NMC3 version 2.4

In version 2.4, the superuser account cannot be locked out by the Bad login attempts setting.

NMC3 version 2.5

In version 2.5, the superuser account can also be locked out by the Bad login attempts setting.

If the superuser is locked out and a separate admin level account was never created, you must wait the full hour for the lockout timer to end before attempting to log in again, or format the NMC, which resets the NMC to factory default and wipes all configuration and related items.
Picard EcoStruxureIT
‎2023-06-07 06:00 AM

Last Updated: Sisko JLehr Sisko ‎2024-09-10 06:06 AM

3300 Views

Security vulnerabilities reported in Data Center Expert

Schneider Electric is aware of multiple vulnerabilities in its Data Center Expert product.

Security notification - Data Center Expert

The Schneider Electric Cybersecurity Portal is the single source for up-to-date information about cybersecurity vulnerabilities and incidents for installed solutions including Data Center Expert. To stay informed, register to receive email notifications for new and updated security information.
Picard EcoStruxureIT
‎2021-09-15 09:25 AM

Last Updated: Sisko JLehr Sisko ‎2024-07-02 07:56 AM

2368 Views

DCE security information

  The Schneider Electric Cybersecurity Portal is the single source for up-to-date information about cybersecurity vulnerabilities and incidents for installed solutions including Data Center Expert. To stay informed, register to receive email notifications for new releases and updated security information.  
Picard EcoStruxureIT
‎2021-01-20 05:36 AM

1139 Views

EcoStruxure IT Data Center Expert - Purging - Best Practices

It is recommended that customers do not configure their Data Center Expert purge settings (and disk size, if Virtual Machine) to intentionally avoid the automatic purging of data indefinitely. There are important tasks that are executed as part of a purge that will help keep your DCE appliance running efficiently.

Manual purging of data should also be considered periodically if historical data does not need to be retained.
Ensign mwhelihan Ensign
‎2025-05-07 01:24 PM

Last Updated: Sisko JLehr Sisko ‎2025-05-07 01:25 PM

24 Views