Dell SupportAssist: Security Considerations

This Dell Technical FAQ document provides details on how SupportAssist maintains data security and privacy, and also defines the network configurations required for SupportAssist.

Version 1.0
Dell Services Product Group
Contents

- Introduction
- What data does SupportAssist collect?
- Can the data be filtered before being transmitted back to Dell?
- How is my data transferred to Dell?
- What steps does Dell take to safeguard customer information?
- Who has access to the SupportAssist collected data at Dell?
- What are the network settings requirements?
- How to Identify SSL Connection Failure?
- How To Install Root Certificates?

Tables

- Table 1. Settings For SupportAssist Server (Management Station)
- Table 2. Settings For Managed Nodes and iDRAC

This document is for informational purposes only and may contain typographical errors and technical inaccuracies. The content is provided as is, without express or implied warranties of any kind.

© 2013 Dell Inc. All rights reserved. Dell and its affiliates cannot be responsible for errors or omissions in typography or photography. Dell, the Dell logo, and PowerEdge are trademarks of Dell Inc. Intel and Xeon are registered trademarks of Intel Corporation in the U.S. and other countries. Microsoft, Windows, and Windows Server are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims proprietary interest in the marks and names of others.

July 2013
Version 1.0
Introduction

Dell SupportAssist, integrated with the Dell OpenManage Essentials systems management console, is a capability that enables automated support from Dell by remotely identifying issues in your IT environment. Dell's robust and easy-to-use proactive support technology allows us to identify, diagnose, and resolve issues faster and more precisely with less of your involvement, reducing downtime and letting you get back to business.

SupportAssist is available to all Dell customers, but only systems with ProSupport or ProSupport Plus will receive the automated support referenced in this document. Systems with Basic Service will send information back to Dell to speed troubleshooting on a reactive basis.

This document provides details on how SupportAssist maintains data security and privacy and also defines the network configurations required to successfully enable SupportAssist functionality in your environment.

What data does SupportAssist collect?

SupportAssist collects data that is required for troubleshooting hardware issues and providing proactive support from our ProSupport engineers. SupportAssist does not collect any user files stored on the system, any passwords, or any information about application usage.

SupportAssist collection includes the following types of data:

- Hardware configuration: installed device, processor, memory, network device and usage
- Event data: Windows event logs, core dump, and debug logs
- Software configuration for servers: operating system and installed applications
- Network identity information: computer name, domain name, and IP address

For more details on the data collection, see:

- Windows Data Collection
- Linux/ESX Data Collection

SupportAssist also stores the contact information that is provided during SupportAssist registration or in the SupportAssist configuration screens, which includes customer name, email address, and phone numbers.

Can the data be filtered before being transmitted back to Dell?
Users cannot manually filter the data before it is transmitted to Dell. However, a user can choose not to send network identity information to Dell by going to the Settings → Preferences page and unchecking the option for sending the network identity information. This removes the following information from the collection before it is sent to Dell:

- Host name
- IP address
- Subnet mask
- Default gateway
- MAC address
- DHCP server
- DNS server
- Processes
- Environment variables
- Registry
- Logs
- iSCSI data

Note: These changes may limit the ability of technical support to troubleshoot the issue.

How is my data transferred to Dell?

The data sent from your Dell systems to Dell is encrypted with 128 bit encryption and transferred securely using SSL protocol. The data is stored in compliance with the Dell Privacy Policy and the Dell Data Security Policy.

What steps does Dell take to safeguard customer information?

Dell hosts SupportAssist data, including the application, systems, network, and security components, in a US-based data center designed to maintain high levels of availability and security. Dell protects your data by using a wide variety of measures, including:

Physical security: Features include, but are not limited to:

- On-premise security guards
- Rigorous exterior building security, including cameras, false entrances, vehicle blockades, specialized parking lot design, bulletproof glass and walls, and the use of an unmarked building
- Interior pan/tilt/zoom security cameras with digital recorders

Network security: All monitoring components are located behind a firewall and are managed by a Dell network security team. We tightly control all network traffic, requiring all inbound traffic to be transmitted via specific ports and sent only to appropriate destination network addresses.

Server and database security: Servers and OS components reside on standard images that have undergone security review. We regularly review security updates used by the application, including those published by Microsoft and vendors of other software. When critical security updates are issued, we test them first on nonproduction images and generally apply them to live servers within 48 hours.

Procedural security: Dell groups who have access to Dell SupportAssist components (such as the database administration group and the operational support team) are assigned separate duties and access rights.
All updates to the production environment go through a defined change control process that incorporates checks and balances.

Auditing: Dell retains proprietary monitoring hosting device logs, accessible only by Dell. These logs record all attempts to log into or access the OS or SupportAssist Web Server Console, as well as every write or escalation operation performed by an authenticated user on the Server Console.

Who has access to the SupportAssist collected data at Dell?

SupportAssist collected data is accessible by technical support agents who use it for troubleshooting hardware issues reported by SupportAssist. The data is also available to Technical Account Managers for their respective accounts for providing technical recommendations to ProSupport Plus and ProSupport Flex customers. The data is not shared for sales or promotional purposes.

Dell takes information security and privacy seriously. The mechanisms described above ensure that customer data collected by SupportAssist is secure and used only for support purposes.
What are the network settings requirements?

SupportAssist uses SSL for secure communication between SupportAssist and Dell, so port 443 needs to be opened in the firewall for successful SSL communication. SupportAssist uses the following endpoints for data upload:

- api.dell.com
- ddldropbox.us.dell.com/upload.ashx

The following tables provide more information about port settings for SupportAssist.

Table 1. Settings For SupportAssist Server (Management Station)

| Port Number | Protocol | Port Type | Maximum Encryption Level | Direction | Usage | Configurable |
|---|---|---|---|---|---|---|
| 162 | SNMP | UDP | None | In | Event reception through SNMP | |
| 143 | Proprietary | TCP | None | In/Out | If SQL server is remote | |
| 443 | HTTPS | TCP | None | In/Out | Communication with Dell | Yes |

Table 2. Settings For Managed Nodes and iDRAC

| Port Number | Protocol | Port Type | Maximum Encryption Level | Direction | Usage | Configurable |
|---|---|---|---|---|---|---|
| 161 | SNMP | UDP | None | In/Out | SNMP query management | |
| 443 | HTTPS | TCP | None | In/Out | iDRAC and ESXi discovery and DSET collection | |

If the management server connects to the Internet through a proxy server, you must configure the Proxy Settings in SupportAssist. To configure the proxy server settings, click Settings → Proxy Settings, and follow the instructions on the screen.

Verify that the SupportAssist client is able to communicate with the SupportAssist server hosted by Dell by performing the email connectivity test. For more information, see Email Connectivity Test in the SupportAssist User's Guide.

If there is an SSL connection failure, you must install the required root certificates. To identify and resolve an SSL connection failure, see the following sections.
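The PowerShell below is an added example, not part of the Dell document or of SupportAssist. It probes the two upload hosts listed above on port 443 and reports whether a failure is at the TCP level (firewall) or at certificate validation (trust store). It assumes a direct route without a proxy, and `Test-UploadEndpoint` is a hypothetical helper name.

```powershell
# Added example (not Dell code): separates a blocked port 443 from a certificate trust failure.
# Assumes a direct, non-proxy route; Test-UploadEndpoint is a hypothetical helper name.
function Test-UploadEndpoint {
    param([string]$HostName, [int]$Port = 443)

    $state = [ordered]@{
        Host = $HostName; TcpOpen = $false; TlsTrusted = $false
        PolicyErrors = $null; ChainStatus = $null; Root = $null
    }
    # The callback records what Windows decided about the chain and keeps the normal
    # verdict: the handshake is accepted only when there are no policy errors.
    $check = {
        param($source, $certificate, $chain, $policyErrors)
        $state.PolicyErrors = "$policyErrors"
        $state.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $last = $chain.ChainElements.Count - 1
        if ($last -ge 0) { $state.Root = $chain.ChainElements[$last].Certificate.Subject }
        $policyErrors -eq [System.Net.Security.SslPolicyErrors]::None
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)        # throws when port 443 is filtered
        $state.TcpOpen = $true
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]$check)
        try {
            $ssl.AuthenticateAsClient($HostName) # throws when the chain is not trusted
            $state.TlsTrusted = $true
        }
        finally { $ssl.Dispose() }
    }
    catch {
        # Keep the chain status from the callback if there is one, else the error text.
        if (-not $state.ChainStatus) { $state.ChainStatus = $_.Exception.Message }
    }
    finally { $client.Close() }

    [pscustomobject]$state
}

# Host names taken from the endpoint list on this page.
'api.dell.com', 'ddldropbox.us.dell.com' |
    ForEach-Object { Test-UploadEndpoint -HostName $_ } |
    Format-List
```

A row with `TcpOpen` false points at the firewall rule for port 443; `TcpOpen` true with `TlsTrusted` false and a chain error in `PolicyErrors` points at the certificate store.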
How to Identify SSL Connection Failure?

SSL connection failure may occur if your system does not have the required certificate installed from the issuing root certificate authority, GTE CyberTrust Global Root. All Dell certificates are issued from this certificate authority.

To verify if the certificate is installed in Internet Explorer:

1. Click Tools → Internet Options. The Internet Options dialog box is displayed.
2. Click the Content tab, and then click Certificates. The Certificates dialog box is displayed.
3. Click the Trusted Root Certification Authorities tab.
4. Scroll to verify if GTE CyberTrust Global Root is listed in the Issued To and Issued By columns.

If GTE CyberTrust Global Root is not listed, you must install the required certificates. To install the certificates, see the next section, How To Install Root Certificates.

How To Install Root Certificates?

Before you begin, ensure the following:

- You must be logged in to the user account with which SupportAssist was installed
- You must have administrator privileges
- The SupportAssist service must be running

To resolve SSL connection issues, you must install the following root certificates:

- Dell_Inc_Enterprise_Issuing_CA1.cer
- Dell_Inc_Enterprise_CA.cer
- GTE_CyberTrust Global Root.cer

These certificates should be installed in the Trusted Root Certification Authorities and Intermediate Certification Authorities folders of the current user and local computer.

Here are instructions on how to install these certificates.

1. Click Start → Run. The Run dialog box is displayed.
2. In the Open box, type mmc, and click OK. The Console 1 [Console Root] window is displayed.
3. Click File → Add/Remove Snap-in. The Add or Remove Snap-ins dialog box is displayed.
4. Under Available snap-ins, select Certificates, and click Add >. The Certificates snap-in dialog box is displayed.
5. Ensure that My user account is selected, and then click Finish.
6. In the Add or Remove Snap-ins dialog box, click Add >. The Certificates snap-in dialog box is displayed.
7. Select Computer account and click Next. The Select Computer dialog box is displayed.
8. Ensure that Local computer (the computer this console is running on) is selected, and click Finish.
9. In the Add or Remove Snap-ins dialog box, click OK.
10. Under the Console Root, click Certificates - Current User.
11. Right-click Trusted Root Certification Authorities → All Tasks → Import.
12. Click Next. The File to Import dialog box is displayed.
13. Browse to select the location of the certificate files, select a certificate file, and click Next. The Certificate Store information is displayed.
14. Click Next.
15. Click Finish.
16. Perform step 11 to step 15 until all three certificate files are imported.
17. Right-click Intermediate Certification Authorities → All Tasks → Import.
18. Perform step 12 to step 15 until all three certificate files are imported.
19. Under the Console Root, click Certificates - Local Computer.
20. Right-click Trusted Root Certification Authorities → All Tasks → Import.
21. Perform step 12 to step 15 until all three certificate files are imported.
22. Right-click Intermediate Certification Authorities → All Tasks → Import.
23. Perform step 12 to step 15 until all three certificate files are imported.
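The store check and the import steps above can also be scripted. The PowerShell below is an added example, not Dell tooling: it reports where GTE CyberTrust Global Root is already present, then imports the three files into the same four stores only after each file matches a pinned thumbprint. The folder `$CertDir` and the thumbprint values are placeholders (assumptions); run it from an elevated session of the account that installed SupportAssist.

```powershell
#Requires -RunAsAdministrator
# Added example, not Dell tooling. $CertDir and the thumbprints are placeholders (assumptions).
$CertDir  = 'C:\Temp\SupportAssistCerts'          # hypothetical folder holding the .cer files
$Expected = @{                                    # fill in from a source you trust
    'Dell_Inc_Enterprise_Issuing_CA1.cer' = '<THUMBPRINT-PLACEHOLDER-1>'
    'Dell_Inc_Enterprise_CA.cer'          = '<THUMBPRINT-PLACEHOLDER-2>'
    'GTE_CyberTrust Global Root.cer'      = '<THUMBPRINT-PLACEHOLDER-3>'
}
# Root = Trusted Root Certification Authorities, CA = Intermediate Certification Authorities
$Stores = 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\CA',
          'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'

# 1. Report where the root CA named on this page is already present.
foreach ($store in $Stores) {
    $found = @(Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*GTE CyberTrust Global Root*' })
    '{0,-26} GTE CyberTrust Global Root present: {1}' -f $store, ($found.Count -gt 0)
}

# 2. Check each file against its pinned thumbprint before anything becomes trusted.
$verified = foreach ($name in $Expected.Keys) {
    $path = Join-Path $CertDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Missing file: $path"
        continue
    }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
    if ($cert.Thumbprint -ne $Expected[$name]) {
        Write-Warning "Thumbprint mismatch for $name ($($cert.Thumbprint)); not importing."
        continue
    }
    $path
}

# 3. Import only when all three files verified, mirroring steps 10 to 23.
if (@($verified).Count -eq $Expected.Count) {
    foreach ($store in $Stores) {
        foreach ($path in $verified) {
            Import-Certificate -FilePath $path -CertStoreLocation $store | Out-Null
        }
    }
    'Imported {0} certificates into {1} stores.' -f @($verified).Count, $Stores.Count
}
else {
    Write-Warning 'Not all certificates verified; nothing was imported.'
}
```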