by Anguel » Mon Mar 21, 2016 10:58 am people like this post
I am backing up my endpoints to a VBR repository. Now I read some articles regarding Veeam and cryptolockers but I am still not sure how to exactly configure permissions for the repository in order to protect it form cryptolockers. The default repository permissions allow access for everyone. Does that mean that any endpoint can cryptolock its own as well as all other endpoint backups? Is the recommended way to create separate backup accounts for each endpoint and add them to repository permissions? Or is a single special backup account that I can then use on all endpoints enough?
by Dima P. » Mon Mar 21, 2016 1:49 pm people like this post
Dedicated backup account for every endpoint is the best solution. Keep in mind that you can set the computer account instead of user account while setting permissions to the VBR repository. Additionaly, check this post.
by Anguel » Mon Mar 21, 2016 2:49 pm people like this post
Thanks Dima, however I am still a bit confused. Will adding a computer account instead of user account protect from crypting? IMHO access to the repository is still granted if the cryptolocker runs on that PC, or do I misunderstand?
by Dima P. » Mon Mar 21, 2016 4:28 pm people like this post
As far as I know, most of malware threats use the currently logged user account. If you use local computer account and limit the access to the repository for an end-user – you should be good to go. Just make sure that repository folder is invisible/inaccessible via network surroundings for regular ‘non backup’ accounts.
by Anguel » Mon Mar 21, 2016 4:46 pm people like this post
So do I understand correctly that I need to enter all accounts in the "Endpoint Backup Permissions" dialog for a specific repository in VBR? Also, are each account's backups somehow isolated or can all accounts then access any other backups in the repository?
by Anguel » Tue Mar 22, 2016 10:10 am people like this post
So let's say I create two endpoint backup accounts BackupUser1 and BackupUser2 and add them to the repository permissions, so both have access to the repository. Can BackupUser1 now access repository files of BackupUser2? Did not find anything about this in the docs.
by Anguel » Tue Mar 22, 2016 12:09 pm people like this post
Thanks. So this sounds to me as most secure way: Special backup users with passwords different from domain users. Sorry, but I still do not fully understand how a computer account can protect from encryption as access to the repository will be granted for the PC where the cryptoware is running - do you have any documents describing this?