In this post, we'll highlight some security tips for Nakivo Backup and Replication users. Ransomware continues to spread and threaten many small, medium, or large businesses. It's important to stay protected and protect your backup servers and backup files.
Nakivo Backup and Replication is usually installed on top of an Operating System (Windows, Linux etc) so it's crucial that you protect the access to those servers and maintain them up-to-date with security patches.
MFA for Nakivo backup server
One of the protection methods which is more and more used is Multi-Factor Authentication (MFA). Whether you run Windows or Linux, you can protect your server by placing it outside of Microsoft Active Directory (AD) with local user access only. If your Microsoft AD credentials get compromised, your bacup server stays isolated and protected.
There are solutions for Windows or Linux, for implementing MFA. It's easy to find an easy-to-use solution for both environments. In my lab, I'm using DUO security which allows me to protect my backup server VM via a third-party authentication mechanism.
For those of you who do not know how this works. It's an MSI file that you download from Duo (part of Cisco) – after creating an account with them, up to 10 FREE users. Duo Authentication for Windows Logon adds Duo two-factor authentication to these Windows and Windows Server login scenarios:
- Local or domain account logins
- Logins at the local console and/or incoming Remote Desktop (RDP) connections
The screenshot from the lab shows the Duo login screen before I open a session on my Windows server machine. As you can see, there are 3 options (I only use one). Duo Push is via Duo App, Phone Call or get the code via Text message (my case). You can check more at Duo Security here.
After I click the “Text me new codes” I receive a SMS with entry code that I enter, then click the Login button and I'm logged in…. Then only, I can login into my Nakivo Backup and Replication Software.
Once your backup server is protected with MFA, you can login only via this method.
Note that you should definitely check Duo Restore, which provide your users with the ability to back up and restore their Duo Mobile app with Duo Restore. This feature allows Android and iOS Duo Mobile users to back up their Duo-protected accounts and recover them when they get a new device — no help desk ticket is needed.
How do I protect my Backup files is I store them elsewhere than on my backup server?
The best backup rule is to store multiple copies of backups in different locations. If your backup server gets hacked (even if you have protected it the best you could), it's always more difficult for hackers to deleted backups stored in the public cloud infrastructure that is protected by immutability.
Immutable backups = undeletable
Even me, as an admin, cannot delete my immutable backups (during a certain period of time only, which is configurable). Immutability is one of the ultimate protections against hackers, ransomware and so on.
Nakivo supports Immutability too. The most important is to activate the immutability when you create a new bucket. If the bucket is already created, it's not possible to activate the immutability and you must recreate the bucket and re-send the backups in there.
Check our recent post – Protect your backups with Wasabi Immutable Storage Buckets – (New)
Backup Immutability Support in Nakivo Backup and Replication
To make backups immutable in Backup Repositories located in Amazon S3 or Wasabi, the following options must be enabled for the buckets where the repository is located:
- Object Lock
- Versioning
To make backups immutable in Backup Repositories located in Backblaze B2 Cloud Storage, File Lock (also known as Object Lock) must be enabled.
To make backups immutable in Backup Repositories located in Azure Blob Storage, the following options must be selected for the Azure storage account or container:
- Enable version-level immutability support
- Enable versioning for blobs
Notes: Disable Object Lock retention mode and retention period for the Amazon S3 or Wasabi bucket where the repository is located, as retention settings are set in NAKIVO Backup & Replication during job creation.
Backing up to Wasabi with Object Lock enabled may take longer compared to when Object Lock is disabled.
Links: Nakivo Trial and Duo Security
More about Nakivo on ESX Virtualization
- Nakivo 10.7 New Features – (New)
- Backup a file share with Nakivo Backup and Replication
- NAS Backup with Nakivo Backup and Replication 10.6
- Nakivo Backup and Replication FREE Edition Features and Limitations
- How to configure immutable backups with Nakivo
- Nakivo Backup 10.3 adds features for MSPs
- SharePoint Online Backup with Nakivo Backup and Replication
- Nakivo Backup and Ransomware Recovery
- Nakivo Backup and Replication 10.2 Released with SharePoint Online backup and S3 Object Lock
- Nakivo Backup and Replication 10 Released adding compatibility to vSphere 7
More posts from ESX Virtualization:
- VMware EXPLORE 2022 (NEW)
- vSphere 8.0 Page (NEW)
- Patch your ESXi 7.x again
- VMware vCenter Server 7.03 U3g – Download and patch
- Upgrade VMware ESXi to 7.0 U3 via command line
- VMware vCenter Server 7.0 U3e released – another maintenance release fixing vSphere with Tanzu
- VMware vCenter Converter Discontinued – what’s your options?
- How to upgrade VMware VCSA 7 Offline via patch ISO
- vSphere 7.0 U3C Released
- vSphere 7.0 Page[All details about vSphere and related products here]
- VMware vSphere 7.0 Announced – vCenter Server Details
- VMware vSphere 7.0 DRS Improvements – What's New
- How to Patch vCenter Server Appliance (VCSA) – [Guide]
- What is The Difference between VMware vSphere, ESXi and vCenter
- How to Configure VMware High Availability (HA) Cluster
Stay tuned through RSS, and social media channels (Twitter, FB, YouTube)
