Host-based backup of VMware vSphere VMs.
crazylefty
Influencer
Full Name: Matt Hart

Preventing our backup copies from being crypto-locked

Post by crazylefty »

We have just spun up a new DR site, and we've got backup copy jobs going to a Nimble Storage unit.
What would be the best way to prevent these backups, or any backups really, from being encrypted?
Right now the backup repository is a Server 2016 box that is iSCSI'd to the Nimble array. Besides tight passwords, what is the best way to prevent these backup copies from getting encrypted and held for ransom?
Gostev
Chief Product Officer

Re: Preventing our backup copies from being crypto-locked

Post by Gostev »

Schedule periodic Nimble storage snapshots on those LUNs storing backup files.
tsightler
VP, Product Management
Full Name: Tom Sightler

Re: Preventing our backup copies from being crypto-locked

Post by tsightler »

One of the things I like to suggest is that the target repo be outside of the domain of the rest of the network, just a standalone server. Then secure it using standard Windows hardening practices for any Internet-exposed Windows server, disable all admin shares, etc. That way, even if cryptolocker manages to get access to run under a domain admin account, it will not have any access to that specific server unless it also hacks the Veeam DB and gets the password.
DaveWatkins
Veteran

Re: Preventing our backup copies from being crypto-locked

Post by DaveWatkins »

Personally I still really like to have my repo domain joined for general GPO inheritance, but I've removed Domain Admins from the local Administrators group and have only very select admins in that group. That effectively locks down the hidden drive shares (c$, d$, etc.). You can also remove the file sharing exceptions from the Windows Firewall to remove that avenue completely.

Another option is to put it behind a dedicated firewall and only allow the proxies to get through, and perhaps specific admin IP addresses for RDP.
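
A read-only check for the repository hardening points raised in tsightler's and DaveWatkins' posts above (domain principals in local Administrators, hidden admin shares, file sharing firewall exceptions). This is an added example, not code from any of the posters or from Veeam; the function name `Test-RepoHardening` is hypothetical, and the firewall check assumes an English-language Windows install where the rule group is displayed as "File and Printer Sharing".

```powershell
# Added example: read-only audit of a Windows Server 2016 backup repository.
# Run elevated on the repository itself; it reports findings and changes nothing.
# Test-RepoHardening is a hypothetical name chosen for this example.
function Test-RepoHardening {
    # 1. Domain principals in local Administrators (well-known SID S-1-5-32-544).
    #    Any hit means a compromised domain account also controls the repository.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'LocalAdmins'; Item = $_.Name
                               Detail = "Domain $($_.ObjectClass) is a local administrator" }
        }

    # 2. Hidden administrative shares (C$, D$, ADMIN$). IPC$ is skipped because
    #    it exposes no file system path.
    Get-SmbShare -Special $true | Where-Object { $_.Name -ne 'IPC$' } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'AdminShare'; Item = $_.Name
                               Detail = "Hidden share exposes $($_.Path)" }
        }
    # Deleting the shares is not enough if the server recreates them on restart.
    if ((Get-SmbServerConfiguration).AutoShareServer) {
        [pscustomobject]@{ Check = 'AdminShare'; Item = 'AutoShareServer'
                           Detail = 'Admin shares are recreated when the Server service starts' }
    }

    # 3. Enabled inbound allow rules in the file sharing firewall group.
    #    The display group name is localized; English is assumed here.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'Firewall'; Item = $_.DisplayName
                               Detail = "Inbound allow rule active in profile(s): $($_.Profile)" }
        }
}

$report = @(Test-RepoHardening)
if ($report.Count -eq 0) { 'No findings.' } else { $report | Format-Table -AutoSize -Wrap }
```

An empty report covers only these three checks; it says nothing about the storage snapshots or the dedicated firewall also suggested in the thread.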