Repository/Proxy server and AD

[rogerdu]

My customer is looking at methodologies to potentially mitigate Ransomware. Yes, I know this is discussed here (use the 3-2-1-0 rule), and it has also been discussed about not having your Repository server in AD (have a local account with a VERY complex password). What I've not been able to find out however, is if this scenario is covered:

• Repository server is a VM in Hyper-V
  Repository server also acts as the VMware Proxy server (HotAdd)
  Repository server has access to the iSCSI mounted Datastores
  No VMs were harmed in the making of this configuration

Presently, the Repository/Proxy server is in AD... Does it have to be (for security/hardening reasons)?

[Egor Yakovlev]

Hi, Roger!

Since statement 1 and statement 2 cannot co-exist, I guess that list is for different scenarios. So let me answer them one-by-one then:
- Repository server is a VM in Hyper-V: ok from implementation standpoint, but does not add any value against ransomware. Physical or virtual, if its on the network, its a potential target.
- Repository server also acts as the VMware Proxy server: ok from implementation standpoint, but once again, gives no additional value against ransomware.
- Repository server with iSCSI mounted LUNs: Repository server will see those as Disk with label. Server itself(and ransomware aligned) will not really care how F: is presented, so its a same potential target for encryption as local disks.

It is a good idea to separate Veeam components from production systems in terms of networking and authentication.
Also, feel free to check Infrastructure Hardening page.

Personally, I have a "disaster will happen no matter what I do" mindset: admit that hackers will find new ways to breach defenses, to pass by antiviruses, to find new holes in transmission\access control processes, to gain elevated account permissions within infrastructures. You cannot change that fact. Your data will get lost one way or another, sooner or later. However, you can be prepared for it by having offline copies that are physically inaccessible, like offline media, rotated drives, tape copy, various cloud options etc.

Hope that helps!

[rogerdu]

Interesting that in the documentation it says nothing about having to be a VMware based VM if said VM is to contain the Proxy function... Am I missing something? Can you sight specific documentation for this?

[Egor Yakovlev]

For Vmware infrastructure, Backup Proxy server nature(physical or virtual) matters a lot and surely is in the documentation.
Thing is, depending how Backup Proxy server is implemented, you will get different transport mode(way to read data from production esxi datastores). Which will also affect backup performance as a result.
/Thanks

[rogerdu]

Understood... and in the design phase, all this was researched... we're not using the Virtual Appliance mode as the Proxy is not on ESXi... but the Direct Storage and Network mode (on 10 GbE in this case) don't specify ESXi... But we digress...

Either way, the important part in this query was about the possibility of having both the Proxy and Repository functions on the same VM and having said VM in AD or not. Is there a specific requirement for AD membership for a Proxy Server?

[Egor Yakovlev]

There is no requirement of AD membership. It can be in a Workgroup or in a separated AD Domain.
Make sure to combine System Requirements of both Proxy and Repository if you run them on same machine too.
/Thanks!

[foggy]

I also recommend reviewing this thread for a deep conversation on ransomware protection. This one will also be helpful.