Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Anguel
Expert
Posts: 194
Liked: 18 times
Joined: Apr 16, 2015 9:01 am
Location: Germany / Bulgaria
Contact:

Ransomware protection for endpoint backup repository

Post by Anguel »

I am backing up my endpoints to a VBR repository. Now I read some articles regarding Veeam and cryptolockers but I am still not sure exactly how to configure permissions for the repository in order to protect it from cryptolockers.
The default repository permissions allow access for everyone. Does that mean that any endpoint can cryptolock its own as well as all other endpoint backups?
Is the recommended way to create separate backup accounts for each endpoint and add them to repository permissions? Or is a single special backup account that I can then use on all endpoints enough?
Dima P.
Product Manager
Posts: 14716
Liked: 1703 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Ransomware protection for endpoint backup repository

Post by Dima P. »

Hi Anguel,

A dedicated backup account for every endpoint is the best solution. Keep in mind that you can set the computer account instead of a user account while setting permissions on the VBR repository. Additionally, check this post.

Re: Ransomware protection for endpoint backup repository

Post by Anguel »

Thanks Dima, however I am still a bit confused. Will adding a computer account instead of a user account protect from crypting? IMHO access to the repository is still granted if the cryptolocker runs on that PC, or do I misunderstand?

Re: Ransomware protection for endpoint backup repository

Post by Dima P. »

As far as I know, most malware threats use the currently logged-in user account. If you use a local computer account and limit access to the repository for the end user, you should be good to go. Just make sure that the repository folder is invisible/inaccessible via network surroundings for regular ‘non backup’ accounts.

Re: Ransomware protection for endpoint backup repository

Post by Anguel »

So do I understand correctly that I need to enter all accounts in the "Endpoint Backup Permissions" dialog for a specific repository in VBR?
Also, are each account's backups somehow isolated or can all accounts then access any other backups in the repository?

Re: Ransomware protection for endpoint backup repository

Post by Dima P. »

Yes, that is a recommended approach. "Setting access permissions on the backup repository to Everyone is equal to granting access rights to the Everyone Microsoft Windows group (Anonymous users are excluded)... this scenario is recommended for demo environments only"

Backup files are isolated from end-users. It will recognize its owner and VBR ‘administrator’ or ‘restore operator’ during Bare Metal Recovery.

Re: Ransomware protection for endpoint backup repository

Post by Anguel »

So let's say I create two endpoint backup accounts BackupUser1 and BackupUser2 and add them to the repository permissions, so both have access to the repository. Can BackupUser1 now access repository files of BackupUser2? Did not find anything about this in the docs.

Re: Ransomware protection for endpoint backup repository

Post by Dima P. »

BackupUser1 won’t see the backup files for BackupUser2 and vice versa.

Re: Ransomware protection for endpoint backup repository

Post by Anguel »

Thanks. So this sounds to me like the most secure way: special backup users with passwords different from domain users.
Sorry, but I still do not fully understand how a computer account can protect from encryption as access to the repository will be granted for the PC where the cryptoware is running - do you have any documents describing this?

Re: Ransomware protection for endpoint backup repository

Post by Dima P. »

It's up to you since both solutions are valid. To learn more about the ComputerName\LocalSystem account, check this MSDN article. Thanks.
ccatlett1984
Enthusiast
Posts: 83
Liked: 9 times
Joined: Oct 31, 2013 5:11 pm
Full Name: Chris Catlett
Contact:

Re: Ransomware protection for endpoint backup repository

Post by ccatlett1984 »

Dima P. wrote: BackupUser1 won’t see the backup files for BackupUser2 and vice versa.
That is not correct, depending on what permission you give to each user.

If full control is given, then both accounts would have access to all files.

Re: Ransomware protection for endpoint backup repository

Post by Dima P. »

Chris,
"If full control is given, then both accounts would have access to all files."
Probably you saw all backup files because you used the VBR admin account to access the repository, instead of the actual user account?
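
A way to check the concern running through this thread, that Everyone or over-broad rights leave backup files writable by ordinary accounts: the PowerShell script below is an added example, not part of any post and not Veeam code. It inspects only the NTFS ACL on the repository folder (not the "Endpoint Backup Permissions" setting in VBR); the path and the expected-writer list are assumptions to replace with your own.

```powershell
# Added example, not from the thread. Path and expected accounts are assumptions.
param(
    [string]   $RepositoryPath  = 'D:\Backups\Endpoints',   # hypothetical path
    [string[]] $ExpectedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

# Well-known SIDs of groups that contain ordinary logged-on users.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow overwriting, deleting or re-permissioning backup files,
# plus the GENERIC_ALL / GENERIC_WRITE bits that can appear in raw ACEs.
$WriteMask = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000

function Get-RepositoryWriteFinding {
    param([string] $Path, [string[]] $Expected)

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # Only Allow entries that carry at least one write-capable right matter here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }

        $name = $ace.IdentityReference.Value
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $name }   # identity could not be resolved to a SID

        $reason = $null
        if ($BroadSids.ContainsKey($sid))         { $reason = 'broad group can modify backups' }
        elseif ($Expected -notcontains $name)     { $reason = 'writer not on the expected list' }

        if ($reason) {
            [pscustomobject]@{
                Identity  = $name
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Reason    = $reason
            }
        }
    }
}

Get-RepositoryWriteFinding -Path $RepositoryPath -Expected $ExpectedWriters |
    Format-Table -AutoSize
```

An empty result means no Allow entry outside the expected list can write to the folder; entries marked as inherited need to be fixed on the parent folder.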