Ransomware protection for endpoint backup repository

Backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)


by Anguel » Mon Mar 21, 2016 10:58 am

I am backing up my endpoints to a VBR repository. Now I read some articles regarding Veeam and cryptolockers but I am still not sure how to exactly configure permissions for the repository in order to protect it from cryptolockers.
The default repository permissions allow access for everyone. Does that mean that any endpoint can cryptolock its own as well as all other endpoint backups?
Is the recommended way to create separate backup accounts for each endpoint and add them to repository permissions? Or is a single special backup account that I can then use on all endpoints enough?
Anguel
Enthusiast
 
Posts: 79
Liked: 6 times
Joined: Thu Apr 16, 2015 9:01 am

Re: Ransomware protection for endpoint backup repository

by Dima P. » Mon Mar 21, 2016 1:49 pm

Hi Anguel,

A dedicated backup account for every endpoint is the best solution. Keep in mind that you can set the computer account instead of a user account while setting permissions to the VBR repository. Additionally, check this post.
Dima P.
Veeam Software
 
Posts: 6229
Liked: 439 times
Joined: Mon Feb 04, 2013 2:07 pm
Location: SPb
Full Name: Dmitry Popov

Re: Ransomware protection for endpoint backup repository

by Anguel » Mon Mar 21, 2016 2:49 pm

Thanks Dima, however I am still a bit confused. Will adding a computer account instead of user account protect from crypting? IMHO access to the repository is still granted if the cryptolocker runs on that PC, or do I misunderstand?

Re: Ransomware protection for endpoint backup repository

by Dima P. » Mon Mar 21, 2016 4:28 pm

As far as I know, most malware threats use the currently logged-in user account. If you use a local computer account and limit the access to the repository for an end user, you should be good to go. Just make sure that the repository folder is invisible/inaccessible via network surroundings for regular ‘non backup’ accounts.

Re: Ransomware protection for endpoint backup repository

by Anguel » Mon Mar 21, 2016 4:46 pm

So do I understand correctly that I need to enter all accounts in the "Endpoint Backup Permissions" dialog for a specific repository in VBR?
Also, are each account's backups somehow isolated or can all accounts then access any other backups in the repository?

Re: Ransomware protection for endpoint backup repository

by Dima P. » Mon Mar 21, 2016 5:01 pm

Yes, that is a recommended approach. "Setting access permissions on the backup repository to Everyone is equal to granting access rights to the Everyone Microsoft Windows group (Anonymous users are excluded)... this scenario is recommended for demo environments only"

Backup files are isolated from end-users. It will recognize its owner and VBR ‘administrator’ or ‘restore operator’ during Bare Metal Recovery.

Re: Ransomware protection for endpoint backup repository

by Anguel » Tue Mar 22, 2016 10:10 am

So let's say I create two endpoint backup accounts BackupUser1 and BackupUser2 and add them to the repository permissions, so both have access to the repository. Can BackupUser1 now access repository files of BackupUser2? Did not find anything about this in the docs.

Re: Ransomware protection for endpoint backup repository

by Dima P. » Tue Mar 22, 2016 11:03 am

BackupUser1 won’t see the backup files for BackupUser2 and vice versa.

Re: Ransomware protection for endpoint backup repository

by Anguel » Tue Mar 22, 2016 12:09 pm

Thanks. So this sounds to me like the most secure way: special backup users with passwords different from domain users.
Sorry, but I still do not fully understand how a computer account can protect from encryption as access to the repository will be granted for the PC where the cryptoware is running - do you have any documents describing this?

Re: Ransomware protection for endpoint backup repository

by Dima P. » Thu Mar 24, 2016 12:49 am

It's up to you since both solutions are valid. To learn more about the ComputerName\LocalSystem account, check this MSDN article. Thanks.

Re: Ransomware protection for endpoint backup repository

by ccatlett1984 » Mon Mar 28, 2016 1:39 pm

Dima P. wrote: BackupUser1 won’t see the backup files for BackupUser2 and vice versa.

That is not correct, depending on what permission you give to each user.

If full control is given, then both accounts would have access to all files.
ccatlett1984
Enthusiast
 
Posts: 83
Liked: 9 times
Joined: Thu Oct 31, 2013 5:11 pm
Full Name: Chris Catlett

Re: Ransomware protection for endpoint backup repository

by Dima P. » Mon Mar 28, 2016 5:12 pm

Chris,
"If full control is given, then both accounts would have access to all files."

Probably you saw all backup files because you used the VBR admin account to access the repository, instead of the actual user account?
Dima P.
Veeam Software
 
Posts: 6229
Liked: 439 times
Joined: Mon Feb 04, 2013 2:07 pm
Location: SPb
Full Name: Dmitry Popov
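
An added example, not part of the thread and not Veeam's own tooling: a PowerShell check of the NTFS ACLs on a repository folder that flags broad groups such as Everyone and any account able to write to more than one folder, the two situations debated above. The path is a placeholder, the one-subfolder-per-endpoint layout is an assumption, and the script does not read the "Endpoint Backup Permissions" setting inside VBR.

```powershell
# Added example: audit NTFS ACLs on a backup repository folder (read-only check).
param([string]$RepoPath = 'D:\Backups\Endpoints')   # placeholder path

# Broad groups, matched by SID so the check does not depend on the OS language.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Expected everywhere: SYSTEM, local Administrators, CREATOR OWNER template ACE.
$ExpectedSids = @('S-1-5-18', 'S-1-5-32-544', 'S-1-3-0')

# Rights that let a process overwrite, delete or re-permission backup files.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericWriteOrAll = 0x50000000   # GENERIC_WRITE | GENERIC_ALL on inherit-only ACEs

# Assumed layout: repository root with one subfolder per endpoint.
$folders = @(Get-Item -LiteralPath $RepoPath) + @(Get-ChildItem -LiteralPath $RepoPath -Directory)

$findings = foreach ($dir in $folders) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow' -or $ExpectedSids -contains $sid) { continue }
        $bits = [int]$rule.FileSystemRights
        [pscustomobject]@{
            Folder    = $dir.FullName
            Sid       = $sid
            Broad     = $BroadSids.ContainsKey($sid)
            CanWrite  = [bool](($bits -band $WriteMask) -or ($bits -band $GenericWriteOrAll))
            Inherited = $rule.IsInherited
        }
    }
}

# 1. Broad groups with any access at all (the "Everyone" default from the thread).
$findings | Where-Object Broad |
    Select-Object Folder, @{n = 'Group'; e = { $BroadSids[$_.Sid] }}, CanWrite, Inherited

# 2. Accounts with write access to more than one folder: if one of them is
#    compromised, other endpoints' backup files can be encrypted or deleted too.
$findings | Where-Object { $_.CanWrite -and -not $_.Broad } | Group-Object Sid |
    Where-Object { @($_.Group.Folder | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{ Sid = $_.Name; WritableFolders = @($_.Group.Folder | Select-Object -Unique) }
    }
```

Both lists coming back empty means that, at the file-system level, no broad group and no single non-administrative account can write across endpoint folders.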

