Discussions specific to the VMware vSphere hypervisor
crazylefty
Novice
Posts: 6
Liked: never
Joined: Jun 30, 2016 7:06 pm
Full Name: Matt Hart

Preventing our backup copies from being crypto-locked

Post by crazylefty » Feb 11, 2017 12:35 am

We have just spun up a new DR site, and we've got backup copy jobs going to a Nimble storage unit.
What would be the best way to prevent these backups, or any backups really, from being encrypted?
Right now the backup repository is a Server 2016 box that is iSCSI'd to the Nimble array. Besides tight passwords, what is the best way to prevent these backup copies from getting encrypted and held for ransom?

Gostev
Veeam Software
Posts: 22995
Liked: 2890 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Preventing our backup copies from being crypto-locked

Post by Gostev » Feb 11, 2017 4:50 pm

Schedule periodic Nimble storage snapshots on those LUNs storing backup files.

tsightler
Veeam Software
Posts: 5195
Liked: 2078 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Preventing our backup copies from being crypto-locked

Post by tsightler » Feb 11, 2017 8:56 pm

One of the things I like to suggest is that the target repo be outside of the domain of the rest of the network, just a standalone server. Then secure it using standard Windows hardening practices for any Internet exposed Windows server, disable all admin shares, etc. That way, even if cryptolocker manages to get access to run under a domain admin account, it will not have any access to that specific server unless it also hacks the Veeam DB and gets the password.

DaveWatkins
Expert
Posts: 320
Liked: 85 times
Joined: Dec 13, 2015 11:33 pm

Re: Preventing our backup copies from being crypto-locked

Post by DaveWatkins » Feb 11, 2017 10:17 pm

Personally I still really like to have my repo domain joined for general GPO inheritance, but I've removed Domain Admins from the local Administrators group and have only very select admins in that group. That effectively locks down the hidden drive shares (c$, d$ etc.). You can also remove the file sharing exceptions from the Windows Firewall to remove that avenue completely.

Another option is to put it behind a dedicated firewall and only allow the proxies to get through, and perhaps specific admin IP addresses for RDP.
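One way to apply the host-level hardening described in the two posts above (no Domain Admins in local Administrators, admin shares and SMB firewall exceptions disabled, inbound access limited to the proxies and an admin host), as an added PowerShell example that is not from this thread or from Veeam. The domain name, proxy and admin IP addresses and the data-mover port range are assumed placeholders; run it elevated on the repository server.

```powershell
# Added example: harden a domain-joined Windows backup repository host.
# ASSUMPTIONS (placeholders, adjust for your environment): domain NetBIOS name,
# proxy IPs, admin jump-host IP, and the Veeam data-mover port range.
param(
    [string]   $Domain     = 'CORP',                        # assumption
    [string[]] $ProxyIPs   = @('10.0.10.11', '10.0.10.12'), # assumption: Veeam proxies
    [string[]] $AdminIPs   = @('10.0.1.50'),                # assumption: host allowed to RDP in
    [string]   $VeeamPorts = '2500-3300'                    # assumption: verify against your version's port list
)

# 1. Stay domain-joined for GPO, but remove Domain Admins from local Administrators so a
#    compromised domain-admin token carries no rights on this host.
$da = "$Domain\Domain Admins"
if (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | Where-Object Name -eq $da) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $da
}

# 2. Turn off the automatic admin shares (C$, D$, ...) and the SMB firewall exceptions.
#    AutoShareServer=0 takes effect when the Server service restarts (this drops SMB sessions).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -Name 'AutoShareServer' -Value 0 -Type DWord
Restart-Service -Name LanmanServer -Force
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Disable-NetFirewallRule

# 3. Default-deny inbound, then allow only the proxies to the data-mover ports and the admin
#    host to RDP. The backup server itself also needs to reach the repository services; add
#    its address (and the ports your version documents) before enabling the block.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'Veeam data mover from proxies' -Direction Inbound `
    -Protocol TCP -LocalPort $VeeamPorts -RemoteAddress $ProxyIPs -Action Allow
New-NetFirewallRule -DisplayName 'RDP from admin hosts' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminIPs -Action Allow

# 4. Report the resulting state so the change can be verified now and re-checked later.
$lanman = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
[pscustomobject]@{
    LocalAdmins     = (Get-LocalGroupMember -Group 'Administrators').Name -join ', '
    AutoShareServer = $lanman.AutoShareServer
    SharingRulesOn  = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
                        Where-Object Enabled -eq 'True').Count
}
```

Re-running the final report block on a schedule is a cheap way to detect drift, for example a GPO or a later install re-adding Domain Admins or re-enabling the sharing rules.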
