Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Hariseldon1
Enthusiast
Posts: 56
Liked: 2 times
Joined: Mar 19, 2016 5:39 pm
Full Name: Hari Seldon
Contact:

Scenario: VEB backup-to-NAS + surviving cryptolock

Post by Hariseldon1 »

When VEB is backing up to a NAS location, what are the recommended best practices for security to protect NAS destination backups in the event the machine running VEB is compromised by CryptoLock?

Below are my thoughts; I would appreciate any feedback (things I missed / things I am wrong about).

"CONTOSO\BOB" = Domain User Account logged into Windows PC running VEB.
"CONTOSO\VEB" = Domain Service Account used to run VEB services to back up

"\\BACKUPSERVER\BOB-VEB-BACKUP-DIRECTOY\" = VEB backup destination NAS\SHARE

"\\BACKUPSERVER\BOB-VEB-BACKUP-DIRECTOY\" NTFS Permissions:
----> Domain Account "CONTOSO\BOB" = NONE
----> Domain Account "CONTOSO\VEB" = ?FULL?

On Bob's PC, "CONTOSO\VEB" domain service account is used for the following:
----> VEB services
----> VEB command line backup scheduled task

In the scenario above, the goal is to perform backups using a different account than the end user (end user has no permissions to destination).

Therefore, if Bob downloads a cryptolock executable, the executable will only encrypt drives that Bob (himself) has NTFS permissions to modify.

Since Bob cannot access the VEB NAS destination share, Bob's last backup before infection will be usable to restore.


Did I cover the basics? Did I overlook anything?

Is there a better way of explaining this? Are there any additional steps that could be taken to further the cause of protecting the VEB backup destination files?

Thanks!
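
Added example (not part of the original post and not Veeam's code): a PowerShell check of the NTFS permission layout described in the post above, listing every principal other than the backup service account that could modify or delete the backup files. The path and account names are the post's placeholders, and the extra allowed principals are an assumption.

```powershell
# Audit the NTFS ACL of the backup folder. Run as an administrator who can read the ACL.
param(
    [string]$BackupPath     = '\\BACKUPSERVER\BOB-VEB-BACKUP-DIRECTOY',  # placeholder from the post
    [string]$ServiceAccount = 'CONTOSO\VEB',                             # placeholder from the post
    # Assumption: these built-in principals are expected to keep access.
    # Their display names are localized on non-English systems.
    [string[]]$AlsoAllowed  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

# Rights that allow overwriting, deleting or re-permissioning backup files.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw generic bits instead of enum values:
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000).
$writeMask = [int]$writeRights -bor 0x10000000 -bor 0x40000000

$acl     = Get-Acl -LiteralPath $BackupPath
$allowed = @($ServiceAccount) + $AlsoAllowed

$findings = @(foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
    $who = $ace.IdentityReference.Value
    if ($allowed -contains $who) { continue }
    # Any group listed here (Everyone, Domain Users, ...) may include the end user.
    [pscustomobject]@{
        Identity  = $who
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
})

# The owner can always rewrite the ACL, so it is checked as well.
if ($allowed -notcontains $acl.Owner) {
    $findings += [pscustomobject]@{ Identity = $acl.Owner; Rights = 'Owner'; Inherited = $false }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "Principals other than $ServiceAccount can modify $BackupPath"
    exit 1
}
Write-Output "Only the expected principals can modify $BackupPath"
```

The check covers NTFS permissions only; share-level permissions on the NAS are a separate layer and are not read here.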

Re: Scenario: VEB backup-to-NAS + surviving cryptolock

Post by Hariseldon1 »

Rick Vanover has a great YouTube video (https://www.youtube.com/watch?v=hXchy5DonHo) ... first easiest thing that would improve the original scenario: use of non-domain credentials for VEB config to back up to NAS destination.