Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Post Reply
Anguel
Expert
Posts: 193
Liked: 18 times
Joined: Apr 16, 2015 9:01 am
Location: Germany / Bulgaria
Contact:

Ransomware protection for endpoint backup repository

Post by Anguel »

I am backing up my endpoints to a VBR repository. Now I read some articles regarding Veeam and cryptolockers but I am still not sure how to exactly configure permissions for the repository in order to protect it form cryptolockers.
The default repository permissions allow access for everyone. Does that mean that any endpoint can cryptolock its own as well as all other endpoint backups?
Is the recommended way to create separate backup accounts for each endpoint and add them to repository permissions? Or is a single special backup account that I can then use on all endpoints enough?
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Ransomware protection for endpoint backup repository

Post by Dima P. »

Hi Anguel,

Dedicated backup account for every endpoint is the best solution. Keep in mind that you can set the computer account instead of user account while setting permissions to the VBR repository. Additionaly, check this post.
Anguel
Expert
Posts: 193
Liked: 18 times
Joined: Apr 16, 2015 9:01 am
Location: Germany / Bulgaria
Contact:

Re: Ransomware protection for endpoint backup repository

Post by Anguel »

Thanks Dima, however I am still a bit confused. Will adding a computer account instead of user account protect from crypting? IMHO access to the repository is still granted if the cryptolocker runs on that PC, or do I misunderstand?
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Ransomware protection for endpoint backup repository

Post by Dima P. »

As far as I know, most of malware threats use the currently logged user account. If you use local computer account and limit the access to the repository for an end-user – you should be good to go. Just make sure that repository folder is invisible/inaccessible via network surroundings for regular ‘non backup’ accounts.
Anguel
Expert
Posts: 193
Liked: 18 times
Joined: Apr 16, 2015 9:01 am
Location: Germany / Bulgaria
Contact:

Re: Ransomware protection for endpoint backup repository

Post by Anguel »

So do I understand correctly that I need to enter all accounts in the "Endpoint Backup Permissions" dialog for a specific repository in VBR?
Also, are each account's backups somehow isolated or can all accounts then access any other backups in the repository?
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Ransomware protection for endpoint backup repository

Post by Dima P. »

Yes, that is a recommended approach. "Setting access permissions on the backup repository to Everyone is equal to granting access rights to the Everyone Microsoft Windows group (Anonymous users are excluded)... this scenario is recommended for demo environments only"

Backup files are isolated from end-users. It will recognize its owner and VBR ‘administrator’ or ‘restore operator’ during Bare Metal Recovery.
Anguel
Expert
Posts: 193
Liked: 18 times
Joined: Apr 16, 2015 9:01 am
Location: Germany / Bulgaria
Contact:

Re: Ransomware protection for endpoint backup repository

Post by Anguel »

So let's say I create two endpoint backup accounts BackupUser1 and BackupUser2 and add them to the repository permissions, so both have access to the repository. Can BackupUser1 now access repository files of BackupUser2? Did not find anything about this in the docs.
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Ransomware protection for endpoint backup repository

Post by Dima P. »

BackupUser1 won’t see the backup files for BackupUser2 and vice versa.
Anguel
Expert
Posts: 193
Liked: 18 times
Joined: Apr 16, 2015 9:01 am
Location: Germany / Bulgaria
Contact:

Re: Ransomware protection for endpoint backup repository

Post by Anguel »

Thanks. So this sounds to me as most secure way: Special backup users with passwords different from domain users.
Sorry, but I still do not fully understand how a computer account can protect from encryption as access to the repository will be granted for the PC where the cryptoware is running - do you have any documents describing this?
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Ransomware protection for endpoint backup repository

Post by Dima P. »

It's up to you since both solutions are valid. To learn more about ComputerName\LocalSystem account check this msdn article. Thanks.
ccatlett1984
Enthusiast
Posts: 83
Liked: 9 times
Joined: Oct 31, 2013 5:11 pm
Full Name: Chris Catlett
Contact:

Re: Ransomware protection for endpoint backup repository

Post by ccatlett1984 »

Dima P. wrote:BackupUser1 won’t see the backup files for BackupUser2 and vice versa.
That is not correct, depending on what permission you give to each user.

If full control is given, then both accounts would have access to all files.
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Ransomware protection for endpoint backup repository

Post by Dima P. »

Chris,
If full control is given, then both accounts would have access to all files.
Probably, you saw all backup files because you used VBR admin account to access the repository, instead of actual user account?
Post Reply

Who is online

Users browsing this forum: No registered users and 30 guests