Admins need to protect their data. More than before. With the multiplication of ransomware attacks, there must be a way to effectively protect your data, your VMs or your whole company as such because, without data, any company is nothing today. In this post, we’ll discuss how to harden a backup repository on Windows.
Imagine the scenario where your organization is a victim of ransomware. This is quite common today as hackers just want to make some money by offering you to decrypt your files that were encrypted by their malware. Send some bitcoins to their wallet or so.
Usually, when a problem like this happens, your network is affected and your workstations/laptops encrypted asking for ransom. Imagine the worst-case scenario where your Microsoft Active Directory (AD) accounts are compromised so the hackers gain access to all your file shares and all your domain-joined servers. A true disaster that has already happened many times.
There are some tips that I’ll discuss today, which will help you to secure your backup server and your backup repositories so even if the whole work network gets compromised, hackers won’t be able to break into your backup server and delete or encrypt your backup files stored on the backup repositories.
We might do a post on the same, but for Linux in the future.
Tip 1 – Do not join in Microsoft Domain – In any case, do not join your Windows backup server to Microsoft AD. Just leave the server completely as a side system. Keep the default Workgroup or change to something else. Also, you should perhaps name the server with a generic name instead of “BackupSRV01” or something like this. Use a completely generic name that hackers won’t guess that this is the backup server.
Tip 2 – Use Simple Approach – Use simple design and close all network ports via the internal firewall, except those needed for your backup software. Remove all unneeded components from the Windows server, such as web browsers, java, adobe reader and this kind of stuff. Maintain the server as usual with all Windows security patches and protect it with AV/Malware software.
Tip 3 – Roles and Users – use the principle of least privilege. Give the minimal privilege needed for some operation to occur. You should make sure that all accounts do have a specific role and they are added to a specific group. If your organization has several backup admins, give each one specific account and put them in a group. Only give access to what is needed for the backup management or backup job. Limit users who can use Remote Desktop Protocol (RDP) and if possible, set-up a 2-factor authentication.
Tip 4 – Set permissions on the repository folder – you should grant access on this directory only to the users of the backup software. After you add the user administrative account on the security tab of the disk(s) where backups will be stored, you can open the advanced security settings and change the owner.
Note: If there are already files, just uncheck the “Replace all child object permissions entries with inheritable permission entries from this object”.
Nobody else should be present on the Permissions tab.
Tip 5 Disable remote RDP service – Quite often, the server hosting the backup is physical machine. It is an extra security layer that nobody can connect remotely to this server and that the physical location of this machine is protected. You should use physical access only or a KVM-over-IP switch to access this machine when located in remote datacenter.
Tip 6 Clean Install of backup server stored as Image – even backup server should have backup of itself. After installing and configuring this backup server, install the backup software and configure the hardening options as listed above. Then use an image level backup software type Acronis, Ghost etc, and do a clean image backup of the system partition. Like this, if this machine gets corrupted and unbootable, you can restore the system partition with hope that the data disks (which should be separate volume) are fine.
Download Trial Backup Software
- Veeam Backup and Replication v10a latest ISO
- Altaro VM Backup – Protect your VMware and Hyper-V VMs for Free with Altaro VM Backup. 2 VM for Free, forever. Grab your copy now!
There might be more security hardening tips, but if you clearly implement those 6 listed above you should be fine. Many backup software does provide the option of replication to the cloud. You should use and have backup copies stored in the cloud as well. With plenty of offers from public cloud offerings, such as Amazon or Azure, you can find an object storage for long term retention or for the case that you need to download the copies of the backups back to the on-prem datacenter.
Think that you could be also a victim of theft, flood or fire within your main datacenter. Make sure you have a backup copy of your backups off site. The ideal scenario for multiple sites is to backup locally, then replicate to a remote datacenter.
In many cases when a ransomware attack occurs, enterprise admin should be prepared with at least two different recovery plans where one should imply recovery from cloud storage.
More from ESX Virtualization
- Download vSphere 7.0 U1 – GA is now available
- vSphere 7.0 Page [All details about vSphere and related products here]
- VMware vSphere 7.0 DRS Improvements – What's New
- Upgrade from ESXi 6.7 to 7.0 ESXi Free
- VCP6.7-DCV Study Guide