Setup Guide

ManualsBrandsDell ManualsConverged InfrastructureWyse Management Suite

December 2020

Hardening Document for MongoDB Security

Configuration

Introduction

This guide contains security hardening rules to secure your MongoDB Community servers 5.x that are deployed with Wyse

Management Suite.

In database management, server hardening is the process of maximizing the security of database servers and eliminating

database vulnerabilities. This document provides guidelines to restrict non-administrator users from accessing the MongoDB

database resources.

The audience for this guide is enterprise customers with administrator privileges.

Restrict access to MongoDB resources

You must access the MongoDB service using an administrator account. If all users have access to the MongoDB service, they

can access the configuration files and the data directories. Dell Technologies recommends restricting access to a user account

that is used for Wyse Management Suite installation and configuration. The following steps ensure that the MongoDB resources

are not accessible to other users.

Steps

1. Log in to the server where Wyse Management Suite is installed.

2. Go to the Wyse Management Suite installation directory.

Introduction

Summary of content (17 pages)

PAGE 1
December 2020 Hardening Document for MongoDB Security Configuration Introduction This guide contains security hardening rules to secure your MongoDB Community servers 5.x that are deployed with Wyse Management Suite. In database management, server hardening is the process of maximizing the security of database servers and eliminating database vulnerabilities. This document provides guidelines to restrict non-administrator users from accessing the MongoDB database resources.
PAGE 2
Figure 1. Wyse Management Suite installation directory 3. Right-click MongoDB and click Properties. MongoDB Properties window is displayed.
PAGE 3
Figure 2. MongoDB properties 4. Go to the Security tab and click Advanced.
PAGE 4
Figure 3. Security tab Advanced Security Settings for MongoDB window is displayed. 5. Click Disable inheritance. The Block Inheritance window is displayed.
PAGE 5
Figure 4. Block inheritance NOTE: By default, inheritance is enabled which restricts the altering of permissions to the folder. 6. Click the Convert inherited permissions into explicit permissions on this object option. 7. Select the users that you want to remove access to the MongoDB service and click Remove. Figure 5. Remove user 8.
PAGE 6
Figure 6. Verify the user deletion Restrict access to MongoDB data directory You must access the MongoDB data directory using an administrator account. If all users have access to the MongoDB data directory, they can access the configuration files and the data directories. Read and write permission must be set to only an administrator group, as these files are critical for the system to operate. The following steps ensure that the MongoDB resources are not accessible to other users. Steps 1.
PAGE 7
Figure 7. Wyse Management Suite installation directory 3. Right-click Mongo and click Properties. MongoDB Properties window is displayed. 4. Go to the Security tab and click Advanced.
PAGE 8
Figure 8. Security tab Advanced Security Settings for MongoDB window is displayed. 5. Click Disable inheritance. The Block Inheritance window is displayed.
PAGE 9
Figure 9. Disable Inheritance NOTE: By default, inheritance is enabled which restricts the altering of permissions to the folder. 6. Click the Convert inherited permissions into explicit permissions on this object option. 7. Select the users that you want to remove access to MongoDB service and click Remove.
PAGE 10
Figure 10. Remove users 8. Verify the changes by logging out from the server and logging in again using the removed user credentials You must be denied access to the MongoDB folder—This step is optional. Change the port number used by MongoDB You can change the port number that is used by MongoDB and protect the database from an unauthorized access. Steps 1. Log in to the server where Wyse Management Suite is installed. 2. Go to the MongoDB folder in the Wyse Management Suite installation directory.
PAGE 11
Figure 11. Wyse Management Suite installation directory 3. Open the mongod.cfg file and add the following command at the end of the configuration: port= Figure 12. Change port number The following are the default port numbers in MongoDB: ● ● ● ● 27017—The default port for Mongod and Mongos instances. 27018—The default port when you run with --shardsvr runtime operation. 27019—The default port when you run with --configsvr runtime operation. 28017—The default port for the web status page.
PAGE 12
4. Go to Start > Services. 5. Right-click Dell WMS: MongoDB and click Restart. Figure 13. Restart MongoDB services Change the new MongoDB port in the configuration file Steps 1. Log in to the server where Wyse Management Suite is installed. 2. Go to C:\Program Files\DELL\WMS\Tomcat-9\webapps\ccm-web\WEB-INF\classes.
PAGE 13
Figure 14. Configuration file directory 3. Open the bootstrap.properties file. 4. Update the following value with the new port number that is assigned to MongoDB in the file: mongodb.seedList=localhost\: Figure 15. Updated port number 5. Save the file. 6. Go to Start > Services. 7. Right-click Dell WMS: Tomcat Service and click Restart.
PAGE 14
Figure 16. Restart Tomcat service 8. Log in to the Wyse Management Suite application. The port number is changed, and the application is loaded. Configure MongoDB resources to capture system logs If the MongoDB log configuration is set to silent or quiet, the logging of information does not work. You must configure the SystemLog.
PAGE 15
Figure 17. Wyse Management Suite installation directory 3. Open the mongod.cfg file and add the following commands at the end of the configuration: #systemLog: quiet: false Figure 18. Configuration file 4. Go to Start > Services. 5. Right-click Dell WMS: MongoDB and click Restart.
PAGE 16
Figure 19.
PAGE 17
Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.