[But] here are some general recommendations:
1. Any separate storage device that is not directly write-accessible from compromised servers by industry-standard protocols (SMB, NFS) is "good enough" protection from CryptoLocker. But the storage device should use its own set of credentials (not from local directory, and not local accounts of the storage device). Additionally, you want that storage device located off-site. Cloud Connect service provider is ideal for this, and we actually have a recent success story posted on this forum where Cloud Connect saved the user from CryptoLocker.
2. I personally always recommend using tape whenever possible as the last line of defense. Even if it just a monthly export. Tape is true read-only storage that is also much more reliable than disk. I saw tape backups saving companies from worst disasters so many times... and, I also saw every line of comprehensive disk-based protection strategy failing miserably, leaving users with unrecoverable data loss.
Even more importantly, don't get too obsessed about CryptoLocker specifically. Upset employee deleting all your production data and backups is as likely, really. Storage-level corruption, fire, flood (including beer spill
) are also way more common than most think they are. So, always consider all threats to your data, don't get hung up on specific ones. And looking at the bigger picture, you will see that the only way to truly protect yourself from all threats is to have a read-only backup copy in a secure location off-site. All other solutions are cost/risk compromise.