Host-based backup of Microsoft Hyper-V VMs.
dcolpitts
Veeam ProPartner
Posts: 119
Liked: 24 times
Joined: Apr 01, 2011 10:36 am
Full Name: Dean Colpitts
Location: Atlantic coast of Canada
Contact:

Exchange restore after Zero-Day compromise

Post by dcolpitts »

I had a customer have their single Exchange 2013 server compromised on March 3 at 4am, and it wasn't discovered until March 9 at 9pm. The first thing we did was power down the Exchange server and perform a backup. Then we proceeded to restore from the March 2 evening backup, which restored fine. When I powered up the restored server and attempted to install 2013 CU23, I got a surprise! On March 5, the customer had created 3 new mailbox databases and moved some users out of the original single 900GB database into these new databases (it's my own fault I guess - I had been telling him to do that for some time). Anyways - CU23 refused to apply, but eventually I just killed the new databases in ADSIEDIT, and updated all the moved users' homeMDB attributes to point back at the restored database, and I was able to apply CU23 and the security update. So the customer is now back up and running.

The issue now is recovering the week's missing data. I have a twofold issue here - first, because I shut down the Exchange server last night before taking the backup, I have no option to restore Exchange Items. I know I can get around this by restoring the mailbox database folder structure and using Veeam Explorer for Exchange to manually pick the database (which I'm doing right now). The question I have is: can I mass restore just the changes on the accounts within this database to the original 900GB database? Or am I going to have issues doing a "cross-mailbox-database" restore?

Or does anyone else have any better ideas (besides the obvious: keep stuff patched, and get rid of the 900GB mailbox database asap!)?

dcc

Re: Exchange restore after Zero-Day compromise

Post by dcolpitts » 2 people like this post

Answered my own questions... Restored the mailbox database to a temp folder on the VBR server, and opened it with Veeam Explorer for Exchange. Doesn't matter if the mailbox you are restoring is still in the original mailbox database it was backed up from or not. Just select the mailboxes one at a time and select restore. Make sure you have ApplicationImpersonation rights (New-ManagementRoleAssignment -Name "Veeam Mailbox Restore" -Role ApplicationImpersonation -User "your_username").

dcc
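
Added example, not part of the original post and not Veeam's own guidance: one way to grant the ApplicationImpersonation role from the post above only for the restore window and only over the mailboxes being restored, then remove it. It assumes the Exchange Management Shell; the scope name, group DN and account name are placeholders.

```powershell
# Run interactively in the Exchange Management Shell.
# All names below are placeholders (assumptions), not values from the thread.
$Account    = 'your_username'          # account Veeam Explorer for Exchange connects as
$Assignment = 'Veeam Mailbox Restore'  # assignment name used in the post
$ScopeName  = 'Veeam Restore Scope'    # hypothetical management scope name
$GroupDN    = 'CN=RestoreTargets,OU=Groups,DC=example,DC=com'  # placeholder group
                                       # containing only the mailboxes to restore

# 1. Management scope: impersonation applies only to members of that group,
#    not to every mailbox in the organization.
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter "MemberOfGroup -eq '$GroupDN'"

# 2. The role assignment from the post, bound to the scope.
New-ManagementRoleAssignment -Name $Assignment `
    -Role ApplicationImpersonation `
    -User $Account `
    -CustomRecipientWriteScope $ScopeName

# 3. List every principal that currently holds ApplicationImpersonation.
#    On a server that was recently compromised, any entry nobody can
#    account for should be investigated before restores begin.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 4. Run these two lines only AFTER the restore has finished:
#    drop the assignment first, then the scope it referenced.
Remove-ManagementRoleAssignment -Identity $Assignment -Confirm:$false
Remove-ManagementScope -Identity $ScopeName -Confirm:$false
```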