Host-based backup of VMware vSphere VMs.
Post Reply
crazylefty
Influencer
Posts: 10
Liked: 1 time
Joined: Jun 30, 2016 7:06 pm
Full Name: Matt Hart
Contact:

Preventing our backup copies from being crypto-locked

Post by crazylefty »

We have just spun up a new DR site, and we've got backup copy jobs going to a nimble storage unit.
What would be the best way to prevent these backups, or any backups really, from being encrypted?
Right now the backup repository is a Server 2016 box that is iSCSI'd to the nimble array. Besides tight passwords, what is the best way to prevent these backup copies from getting encrypted and held for ransom?
Gostev
Chief Product Officer
Posts: 31457
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Preventing our backup copies from being crypto-locked

Post by Gostev »

Schedule periodic Nimble storage snapshots on those LUNs storing backup files.
tsightler
VP, Product Management
Posts: 6009
Liked: 2843 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Preventing our backup copies from being crypto-locked

Post by tsightler »

One of the things I like to suggest is that the target repo be outside of the domain of the rest of the network, just a standalone server. Then secure it using standard Windows hardening practices for any Internet exposed Windows server, disable all admin shares, etc. That way, even if cryptolocker manages to get access to run under a domain admin account, it will not have any access to that specific server unless it also hacks the Veeam DB and gets the password.
DaveWatkins
Veteran
Posts: 370
Liked: 97 times
Joined: Dec 13, 2015 11:33 pm
Contact:

Re: Preventing our backup copies from being crypto-locked

Post by DaveWatkins »

Personally I still really like to have my repo domain joined for general GPO inheritance, but I've removed Domain Admins from the local Adminstrators group and have only very select admin in that group. That effectively locks down the hidden drive shares (c$, d$ etc). You can also remove the file sharing exceptions from the windows firewall to remove that avenue completely.

Another option is to put it behind a dedicated firewall and only allow the proxies to get through and perhaps specific admin IP addresses for RDP
Post Reply

Who is online

Users browsing this forum: No registered users and 86 guests