Hey Veeamer's,
Im always coming across new blogs/posts etc, where other sys admins/techs post their ransomware strategies. Is there a "sticky" post for this?
I keep my own notes and toolkits updated, but it would be awesome to share and collaborate, so others can pick holes in it/offer suggestions etc...
-
Jobeylyn14
- Lurker
- Posts: 2
- Liked: never
- Joined: Jul 21, 2020 9:22 pm
- Contact:
-
HannesK
- Product Manager
- Posts: 14322
- Liked: 2890 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Updated Ransomware Posts? Collaboration?
Hello,
and welcome to the forums.
There are pretty many topics on ransomware in the forums. If you / others can collect things together in this thread, then I could copy the essentials to the FAQ (which is sticky)
Best regards,
Hannes
and welcome to the forums.
There are pretty many topics on ransomware in the forums. If you / others can collect things together in this thread, then I could copy the essentials to the FAQ (which is sticky)
Best regards,
Hannes
-
Jobeylyn14
- Lurker
- Posts: 2
- Liked: never
- Joined: Jul 21, 2020 9:22 pm
- Contact:
Re: Updated Ransomware Posts? Collaboration?
Thanks, Hannes.
As a starting point, Some stategies I employ are:
Before Reading: ALWAYS first is proper network segregation, security policies, best practices & staff education (in case someone reads me the riot act)
- Veeam Server is never domain joined & always strongly recommended; stand alone workstation (VLAN Seperate if possible)
- If using ISCSI storage ensure security on the Target is applied. Ensure ISCSI Host (whether NAS or appliance) is only reachable from Veeam Server (iscsi masking/security)
- Obvious Security on the Veeam Server: RDP disabled, Strong A/V policies, patches/updates etc
- Use FSRM on the ISCSI Lun. Block ALL extensions and only allow veeam. *.bco, *.ini, *.tmp, *.vbk, *.vbm, *.vbm*,*.vib, *.vrb, .vbm*, *.txt, *.old, *.xml, *.cache, *.vcache
- Ensure local account policies are setup :account lockouts/thresholds etc
- Complex 24CHTR password, change default username
**Never use the same passwords on anything; goes without saying**
D/R Site or HyperV Replication:
- If youre using a small environment ~10VM's, leave HyperV Hosts OFF domain (if clustered this is not possible).
- Enable FSRM on the HyperV partition (always put HyperV on a seperate partition). Block ALL but allow: *.avhdx, *.ini, *.mrt, *.rct, *.vhdx, *.vcmx, *.vmrs, *.vmx, *.vsv, *.xml, *.txt, *.bin
- Remove RDP access
- If site-to-site firewall, ensure only the onsite VEEAM server can talk to the DR Site (need-to-know basis. eg: Allow Veeam to talk to Veeam)
- Utilise Veam Cloud Connect repositories (can be on prem). Ensure Insider Protection is enabled (no deletions for X amout of Days); This wont apply for those who can afford S3 Object lock storage..although you can host on-prem with minIO/Cloudian
- Use backup copy to rotated USB drives and DISCONNECT.
A starting point, to get the ball rolling
As a starting point, Some stategies I employ are:
Before Reading: ALWAYS first is proper network segregation, security policies, best practices & staff education (in case someone reads me the riot act)
- Veeam Server is never domain joined & always strongly recommended; stand alone workstation (VLAN Seperate if possible)
- If using ISCSI storage ensure security on the Target is applied. Ensure ISCSI Host (whether NAS or appliance) is only reachable from Veeam Server (iscsi masking/security)
- Obvious Security on the Veeam Server: RDP disabled, Strong A/V policies, patches/updates etc
- Use FSRM on the ISCSI Lun. Block ALL extensions and only allow veeam. *.bco, *.ini, *.tmp, *.vbk, *.vbm, *.vbm*,*.vib, *.vrb, .vbm*, *.txt, *.old, *.xml, *.cache, *.vcache
- Ensure local account policies are setup :account lockouts/thresholds etc
- Complex 24CHTR password, change default username
**Never use the same passwords on anything; goes without saying**
D/R Site or HyperV Replication:
- If youre using a small environment ~10VM's, leave HyperV Hosts OFF domain (if clustered this is not possible).
- Enable FSRM on the HyperV partition (always put HyperV on a seperate partition). Block ALL but allow: *.avhdx, *.ini, *.mrt, *.rct, *.vhdx, *.vcmx, *.vmrs, *.vmx, *.vsv, *.xml, *.txt, *.bin
- Remove RDP access
- If site-to-site firewall, ensure only the onsite VEEAM server can talk to the DR Site (need-to-know basis. eg: Allow Veeam to talk to Veeam)
- Utilise Veam Cloud Connect repositories (can be on prem). Ensure Insider Protection is enabled (no deletions for X amout of Days); This wont apply for those who can afford S3 Object lock storage..although you can host on-prem with minIO/Cloudian
- Use backup copy to rotated USB drives and DISCONNECT.
A starting point, to get the ball rolling
-
HannesK
- Product Manager
- Posts: 14322
- Liked: 2890 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Updated Ransomware Posts? Collaboration?
https://vbr.veeambp.com/VBP/Security/ also describes many things.
Who is online
Users browsing this forum: Bing [Bot], Google [Bot] and 121 guests