Comprehensive data protection for all workloads
Post Reply
Jobeylyn14
Lurker
Posts: 2
Liked: never
Joined: Jul 21, 2020 9:22 pm
Contact:

Updated Ransomware Posts? Collaboration?

Post by Jobeylyn14 »

Hey Veeamer's,

Im always coming across new blogs/posts etc, where other sys admins/techs post their ransomware strategies. Is there a "sticky" post for this?

I keep my own notes and toolkits updated, but it would be awesome to share and collaborate, so others can pick holes in it/offer suggestions etc...
HannesK
Product Manager
Posts: 15598
Liked: 3445 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Updated Ransomware Posts? Collaboration?

Post by HannesK »

Hello,
and welcome to the forums.

There are pretty many topics on ransomware in the forums. If you / others can collect things together in this thread, then I could copy the essentials to the FAQ (which is sticky)

Best regards,
Hannes
Jobeylyn14
Lurker
Posts: 2
Liked: never
Joined: Jul 21, 2020 9:22 pm
Contact:

Re: Updated Ransomware Posts? Collaboration?

Post by Jobeylyn14 »

Thanks, Hannes.

As a starting point, Some stategies I employ are:

Before Reading: ALWAYS first is proper network segregation, security policies, best practices & staff education (in case someone reads me the riot act)

- Veeam Server is never domain joined & always strongly recommended; stand alone workstation (VLAN Seperate if possible)
- If using ISCSI storage ensure security on the Target is applied. Ensure ISCSI Host (whether NAS or appliance) is only reachable from Veeam Server (iscsi masking/security)
- Obvious Security on the Veeam Server: RDP disabled, Strong A/V policies, patches/updates etc
- Use FSRM on the ISCSI Lun. Block ALL extensions and only allow veeam. *.bco, *.ini, *.tmp, *.vbk, *.vbm, *.vbm*,*.vib, *.vrb, .vbm*, *.txt, *.old, *.xml, *.cache, *.vcache
- Ensure local account policies are setup :account lockouts/thresholds etc
- Complex 24CHTR password, change default username

**Never use the same passwords on anything; goes without saying**

D/R Site or HyperV Replication:
- If youre using a small environment ~10VM's, leave HyperV Hosts OFF domain (if clustered this is not possible).
- Enable FSRM on the HyperV partition (always put HyperV on a seperate partition). Block ALL but allow: *.avhdx, *.ini, *.mrt, *.rct, *.vhdx, *.vcmx, *.vmrs, *.vmx, *.vsv, *.xml, *.txt, *.bin
- Remove RDP access
- If site-to-site firewall, ensure only the onsite VEEAM server can talk to the DR Site (need-to-know basis. eg: Allow Veeam to talk to Veeam)
- Utilise Veam Cloud Connect repositories (can be on prem). Ensure Insider Protection is enabled (no deletions for X amout of Days); This wont apply for those who can afford S3 Object lock storage..although you can host on-prem with minIO/Cloudian
- Use backup copy to rotated USB drives and DISCONNECT.

A starting point, to get the ball rolling
HannesK
Product Manager
Posts: 15598
Liked: 3445 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Updated Ransomware Posts? Collaboration?

Post by HannesK »

https://vbr.veeambp.com/VBP/Security/ also describes many things.
Post Reply

Who is online

Users browsing this forum: Baidu [Spider] and 37 guests