Configure ISLP and security hardening

Information security level protection (ISLP) and security hardening secure the system and its confidential data.

Procedure

1. On the top navigation bar, click System.

2. From the left navigation pane, select Parameters.

3. Click the ISLP and Security Hardening tab.

4. Click Edit and then edit the parameters as needed.

5. Click Save.

Parameters

• Secure Mode: Select whether to enable the secure mode or not. You can enable secure mode only after you enable Mandatory HTTPS. You can create encrypted VMs only after the system is enabled with the secure mode. After you enable the secure mode, the following restrictions take effect:

• A storage volume can be used by only one VM.

• The login names of operators cannot be modified.

• An operator account can be used by only one user at a time.

• Users can access CAS only through HTTPS.

• If the security zone is configured, you cannot disable the secure mode.

• The security zone, secrecy policy, and security service workflows are available only when secure mode is enabled. If secure mode is disabled, those features are unavailable.

For a VM to access the VNC console, you must specify a VNC proxy server when the secure mode or mandatory HTTPS mode is enabled.

 

• Mandatory HTTPS: When secure mode is enabled, you can select whether to enable mandatory HTTPS mode. When this mode is enabled, you can access CVM only through HTTPS. To avoid task failure, do not edit this parameter when other tasks are running in the system.

• Root SSH Login Permission: Set whether to enable root SSH login permission on CVK hosts.

• If you enable this feature, operators can only add CVK hosts by using username root.

• If you disable this feature, operators can only add or log in to CVK hosts through SSH by using username sysadmin. The default password of user sysadmin is [email protected].

Changing the state of root SSH login permission switches the account used for login on all hosts managed by the system. When the system prompts for a password, enter the password of the correct account. If you have forgotten the password, you can enter a new password directly.

• Port Hardening: Configure whether to enable port hardening. This feature opens specific ports on a CVM host. Only the opened ports can access that host.

• After you enable port hardening, you can configure port policies to open ports on associated hosts, which achieves fine-grained control and management of ports on CVM hosts. You can also select different port policies according to service requirements.

• After you disable port hardening, CVM permits all ports on physical hosts.

Port hardening takes effect only on IPv4 hosts.

After you enable port hardening, make sure the ports used by third-party software or NetFlow are open. Failure to open the corresponding ports will result in failure of third-party software or NetFlow.