
Default administrative accounts

Contributors: netapp-dbagwell

There are two default administrative accounts: admin and diag.

The admin account should be restricted because the administrator role is allowed access using all applications. The diag account allows access to the system shell and should be reserved for technical support to perform troubleshooting tasks.

Orphaned accounts are unnecessary and unused accounts that remain in the user account repository. They are primarily default accounts that were never used or whose passwords were never updated or changed. Such accounts are a major attack vector that often leads to vulnerabilities, including privilege escalation. To address this issue, ONTAP supports removing and renaming accounts.

Note ONTAP cannot remove or rename built-in accounts. However, NetApp recommends locking any unneeded built-in accounts with the security login lock command.

Although orphaned accounts are a significant security issue, NetApp strongly recommends testing the effect of removing accounts from the local account repository.

List local accounts

To list the local accounts, run the security login show command.

cluster1::*> security login show -vserver cluster1

Vserver: cluster1
                             Authentication             Acct   Is-Nsswitch
User/Group Name  Application Method    Role Name        Locked Group
---------------- ----------- --------- ---------------- ------ -----------
admin            console     password  admin            no     no
admin            http        password  admin            no     no
admin            ontapi      password  admin            no     no
admin            service-processor password admin       no     no
admin            ssh         password  admin            no     no
autosupport      console     password  autosupport      no     no
6 entries were displayed.

Remove the default admin account

The admin account has the role of administrator and is allowed access using all applications.

Steps
  1. Create another admin-level account.

    To completely remove the default admin account, you must first create another admin-level account that uses the console login application.

    Note Making these changes might cause some undesired effects. Always test new settings that might affect the security status of the solution on a nonproduction cluster first.

    Example:

    cluster1::*> security login create -user-or-group-name NewAdmin -application console -authentication-method password -vserver cluster1
    cluster1::*> security login show -vserver cluster1
    
    Vserver: cluster1
                                 Authentication             Acct   Is-Nsswitch
    User/Group Name  Application Method    Role Name        Locked Group
    ---------------- ----------- --------- ---------------- ------ -----------
    NewAdmin         console     password  admin            no     no
    admin            console     password  admin            no     no
    admin            http        password  admin            no     no
    admin            ontapi      password  admin            no     no
    admin            service-processor password admin       no     no
    admin            ssh         password  admin            no     no
    autosupport      console     password  autosupport      no     no
    7 entries were displayed.
  2. After you create the new admin account, test access to it by logging in as NewAdmin. While logged in as NewAdmin, configure the account to have the same login applications as the default or previous admin account (for example, http, ontapi, service-processor, or ssh). This step makes sure that access control is maintained.

    Example:

    cluster1::*> security login create -vserver cluster1 -user-or-group-name NewAdmin -application ssh -authentication-method password
    cluster1::*> security login create -vserver cluster1 -user-or-group-name NewAdmin -application http -authentication-method password
    cluster1::*> security login create -vserver cluster1 -user-or-group-name NewAdmin -application ontapi -authentication-method password
    cluster1::*> security login create -vserver cluster1 -user-or-group-name NewAdmin -application service-processor -authentication-method password
  3. After all functions have been tested, you can disable the admin account for all applications before removing it from ONTAP. This step serves as a final test to confirm that there are no lingering functions that rely on the previous admin account.

    cluster1::*> security login lock -vserver cluster1 -user-or-group-name admin -application *
  4. To remove the default admin account and all entries for it, run the following command:

    cluster1::*> security login delete -vserver cluster1 -user-or-group-name admin -application *
    cluster1::*> security login show -vserver cluster1
    
    Vserver: cluster1
                                 Authentication             Acct   Is-Nsswitch
    User/Group Name  Application Method    Role Name        Locked Group
    ---------------- ----------- --------- ---------------- ------ -----------
    NewAdmin         console     password  admin            no     no
    NewAdmin         http        password  admin            no     no
    NewAdmin         ontapi      password  admin            no     no
    NewAdmin         service-processor password admin       no     no
    NewAdmin         ssh         password  admin            no     no
    autosupport      console     password  autosupport      no     no
    6 entries were displayed.
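The following Python script is an added example and not part of the ONTAP documentation: it parses output in the format that security login show prints on this page and reports, before you lock the default admin in step 3, which applications the replacement account still lacks and which built-in login entries remain unlocked. The sample output it parses is constructed here.

```python
# Constructed sample in the format "security login show" prints on this page:
# the default admin is still present and NewAdmin lacks service-processor.
SAMPLE_OUTPUT = """\
Vserver: cluster1
                             Authentication             Acct   Is-Nsswitch
User/Group Name  Application Method    Role Name        Locked Group
---------------- ----------- --------- ---------------- ------ -----------
NewAdmin         console     password  admin            no     no
NewAdmin         http        password  admin            no     no
NewAdmin         ontapi      password  admin            no     no
NewAdmin         ssh         password  admin            no     no
admin            console     password  admin            no     no
admin            http        password  admin            no     no
admin            ontapi      password  admin            no     no
admin            service-processor password admin       no     no
admin            ssh         password  admin            no     no
autosupport      console     password  autosupport      no     no
10 entries were displayed.
"""

COLUMNS = ("user", "application", "method", "role", "locked", "nsswitch")

def parse_login_show(text):
    """Return one dict per data row. Rows are whitespace-separated, so the
    misaligned service-processor row parses too; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == len(COLUMNS) and not fields[0].startswith("-"):
            rows.append(dict(zip(COLUMNS, fields)))
    return rows

def applications_for(rows, user):
    return {r["application"] for r in rows if r["user"] == user}

def missing_applications(rows, old_user, new_user):
    """Applications the retiring account has that its replacement lacks;
    an empty set means step 2 is complete and the old account can be locked."""
    return applications_for(rows, old_user) - applications_for(rows, new_user)

def unlocked_builtin_entries(rows, builtins=("admin", "diag")):
    """(user, application) pairs of built-in accounts that are not yet locked."""
    return [(r["user"], r["application"]) for r in rows
            if r["user"] in builtins and r["locked"] == "no"]

if __name__ == "__main__":
    rows = parse_login_show(SAMPLE_OUTPUT)
    print("missing on NewAdmin:", sorted(missing_applications(rows, "admin", "NewAdmin")))
    print("unlocked built-in entries:", unlocked_builtin_entries(rows))
```

Paste real show output into SAMPLE_OUTPUT, or read it from a file, and lock the old account only once missing_applications returns an empty set.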

Set the diagnostic (diag) account password

A diagnostic account named diag is provided with your storage system. You can use the diag account to perform troubleshooting tasks in the systemshell. The diag account is the only account that can be used to access the systemshell, which is entered with the systemshell command at the diagnostic privilege level.

Caution The systemshell and the associated diag account are intended for low-level diagnostic purposes. Accessing them requires the diagnostic privilege level and is reserved for troubleshooting tasks performed under the guidance of technical support. Neither the diag account nor the systemshell is intended for general administrative purposes.

Before you begin

Before accessing the systemshell, you must set the diag account password by using the security login password command. You should use strong password principles and change the diag password at regular intervals.

Steps
  1. Set the diag account user password:

    cluster1::> set -privilege diag
    
    Warning: These diagnostic commands are for use by NetApp personnel only.
    Do you want to continue? {y|n}: y
    
    cluster1::*> systemshell -node node-01
        (system node systemshell)
    diag@node-01's password:
    
    Warning: The system shell provides access to low-level
    diagnostic tools that can cause irreparable damage to
    the system if not used properly. Use this environment
    only when directed to do so by support personnel.
    
    node-01%