Scenario: VEB backup-to-NAS + surviving cryptolock

Backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)

by Hariseldon1 » Fri Jun 10, 2016 6:09 pm

When VEB is backing up to a NAS location, what are the recommended best practices for security to protect NAS destination backups in the event the machine running VEB is compromised by CryptoLock?

Below are my thoughts; I would appreciate any feedback (things I missed / things I am wrong about).

"CONTOSO\BOB" = Domain User Account logged into Windows PC running VEB.
"CONTOSO\VEB" = Domain Service Account used to run VEB services to back up

"\\BACKUPSERVER\BOB-VEB-BACKUP-DIRECTOY\" = VEB backup destination NAS\SHARE

"\\BACKUPSERVER\BOB-VEB-BACKUP-DIRECTOY\" NTFS Permissions:
----> Domain Account "CONTOSO\BOB" = NONE
----> Domain Account "CONTOSO\VEB" = ?FULL?

On Bob's PC, "CONTOSO\VEB" domain service account is used for the following:
----> VEB services
----> VEB command line backup scheduled task

In the scenario above, the goal is to perform backups using a different account than the end user (end user has no permissions to destination).

Therefore, if Bob downloads a cryptolock executable, the executable will only encrypt drives that Bob (himself) has NTFS permissions to modify.

Since Bob cannot access the VEB NAS destination share, Bob's last backup before infection will be usable to restore.


Did I cover the basics? Did I overlook anything?

Is there a better way of explaining this? Are there any additional steps that could be taken to further the cause of protecting the VEB backup destination files?

Thanks!
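
The permission model described in the post above can be checked rather than assumed. The following PowerShell is an added example, not part of the original post or of any Veeam tooling: it flags every identity other than the backup service account that holds write-capable NTFS rights on the destination, including rights that arrive through a group or through inheritance. The account and share names are the ones used in the post; the function name `Find-UnexpectedWriter` and the sample ACEs are constructed for illustration.

```powershell
# Added example: report identities, other than the backup service account,
# whose Allow ACEs would let a process overwrite or delete backup files.
function Find-UnexpectedWriter {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Ace,
        [string[]] $AllowedWriters = @('CONTOSO\VEB')
    )
    # Write-capable rights, plus raw GENERIC_ALL (0x10000000) and
    # GENERIC_WRITE (0x40000000), which can appear on inherit-only ACEs.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor
                 0x10000000 -bor 0x40000000

    foreach ($a in $Ace) {
        if ("$($a.AccessControlType)" -ne 'Allow') { continue }          # Deny ACEs do not grant access
        if (([int]$a.FileSystemRights -band $writeMask) -eq 0) { continue } # read-only ACE
        if ($AllowedWriters -contains "$($a.IdentityReference)") { continue }
        [pscustomobject]@{
            Identity  = "$($a.IdentityReference)"
            Rights    = $a.FileSystemRights
            Inherited = $a.IsInherited
        }
    }
}

# Constructed sample ACEs, shaped like the entries in (Get-Acl <path>).Access.
# CONTOSO\BOB has no ACE of his own, but the inherited group ACE still covers him.
$rights = [System.Security.AccessControl.FileSystemRights]
$sampleAces = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\VEB'
                       FileSystemRights  = $rights'Modify, Synchronize'
                       AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Domain Users'
                       FileSystemRights  = $rights'Modify, Synchronize'
                       AccessControlType = 'Allow'; IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\HelpDesk'   # constructed group name
                       FileSystemRights  = $rights'ReadAndExecute, Synchronize'
                       AccessControlType = 'Allow'; IsInherited = $false }
)

Find-UnexpectedWriter -Ace $sampleAces | Format-Table -AutoSize

# Against the real destination, run on the file server or over the UNC path:
# Find-UnexpectedWriter -Ace (Get-Acl '\\BACKUPSERVER\BOB-VEB-BACKUP-DIRECTOY\').Access
```

`Get-Acl` reports NTFS permissions only; share-level permissions on the NAS are evaluated separately and need their own review.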

Re: Scenario: VEB backup-to-NAS + surviving cryptolock

by Hariseldon1 » Fri Jun 10, 2016 6:57 pm

Rick Vanover has a great YouTube video (https://www.youtube.com/watch?v=hXchy5DonHo) ... first easiest thing that would improve the original scenario: use of non-domain credentials for VEB config to back up to NAS destination.

