To protect against ransomware, can Veeam write to a fileshare without modify permissions?
This way, the receiving server (the one hosting the fileshare) can periodically delete older Veeam backups without the sending client doing it. This would effectively protect against ransomware.
We have other apps that can deal with this permissions config, so I was wondering if Veeam can, too.
- Novice
- Posts: 3
- Liked: 2 times
- Joined: Jun 25, 2020 11:37 pm
- Full Name: Jason
- Product Manager
- Posts: 2581
- Liked: 708 times
- Joined: Jun 14, 2013 9:30 am
- Full Name: Egor Yakovlev
- Location: Prague, Czech Republic
Re: Write backup jobs without modify permissions?
Hi Jason, interesting request - noted for discussion.
Currently Veeam (and only Veeam) handles chain retention and keeps restore-point-related information in a database to show you relevant data, so if retention is done outside our product we must think of some sort of "rescan" interval to periodically queue backup location (because you never know when target side will have "cleanup"). Much bigger problem is that we will have to expose Veeam backup structure, because retention is not just about deleting older files, but in many cases it requires a "merge" operation to move Full backup up the grid - which of course will be a tough task to perform from outside our data movers.
We do have Rotated media support, so for example you can have 1 week of backups on USB-HDD-01, and if by the time of Backup Job start on week 2 we detect repository is empty (you took out original disk with all Week 1 backups and plugged in a new one USB-HDD-02) we will start a new chain on it without problems. Week 3, when you plug USB-HDD-01 back, we will detect it, clean up retention on it and continue backups without errors. That way you can have previous week of backups always be offline, 100% resilient to Ransomware.
/Hope that helps!
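The point in the reply above, that retention involves a merge into the full backup and not only deleting old files, can be seen in a toy model. This is an added example, not part of either post and not Veeam code: the `Share` class, the file names and the block layout are all hypothetical, and the chain is a simplified full-plus-increments model, not Veeam's on-disk format.

```python
"""Toy model (constructed) of merge-based retention on a create-only share."""

class Share:
    """A file share; create_only=True models 'write without modify/delete'."""
    def __init__(self, create_only):
        self.create_only = create_only
        self.files = {}          # file name -> {block id: day it was written}

    def create(self, name, blocks):
        if name in self.files:
            raise FileExistsError(name)
        self.files[name] = dict(blocks)

    def modify(self, name, blocks):
        if self.create_only:
            raise PermissionError(f"modify denied on {name}")
        self.files[name].update(blocks)

    def delete(self, name):
        if self.create_only:
            raise PermissionError(f"delete denied on {name}")
        del self.files[name]


def run_job(share, day, changed, retention):
    """One backup run: add a restore point, then enforce retention by merging."""
    if "full" not in share.files:
        share.create("full", {b: day for b in changed})
    else:
        share.create(f"inc-{day:03d}", {b: day for b in changed})
    incs = sorted(n for n in share.files if n.startswith("inc-"))
    while 1 + len(incs) > retention:       # full + increments = restore points
        oldest = incs.pop(0)
        share.modify("full", share.files[oldest])   # full moves forward one point
        share.delete(oldest)


def simulate(create_only, days=5, retention=3):
    """Return (files on share, error message or None) after `days` runs."""
    share = Share(create_only)
    try:
        for day in range(1, days + 1):
            changed = ["a", "b", "c"] if day == 1 else ["a"] if day % 2 else ["b"]
            run_job(share, day, changed, retention)
    except PermissionError as exc:
        return sorted(share.files), str(exc)
    return sorted(share.files), None
```

With modify rights the chain stays at three restore points; on the create-only share the new increment is written but the job fails at the merge, so the chain grows until something that understands the chain performs the merge.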