3

I have a (physical, not Azure VM!) Windows server whose files are automatically backed up using Azure Backup.

If the server gets compromised, how much damage to the backups can the attacker do?

Background: Newer generations of ransomware have the unfortunate tendency to actively search for and delete backups (volume shadow copies, external hard drives, etc.). I guess it's only a matter of time before they start targeting cloud backups as well.

Research I have already done: I think that the worst damage that an attacker could do would be to lower the retention period to the minimum of 7 days, thus destroying backups older than a week. I have looked through the Azure Backup Powershell Cmdlets (which seems to be the official API for Azure Backup instrumentation) and have not found any way to explicitly delete or overwrite recovery points.

Related question: Protecting Azure Backup from malicious deletion. That question is about the case where the Azure management credentials get compromised. My question is about the case where only a vault-registered server gets compromised, but the management credentials are safe.

Community
  • 1
Heinzi
  • 2,217
  • 5
  • 32
  • 52
  • A side note, an interesting lecture about risk in Azure, not specific for backup, but still yet interesting; http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf – yagmoth555 Dec 15 '16 at 16:41

2 Answers2

2

Unfortunately, and rather scarily, you are incorrect. you can use Remove-OBPolicy which has an option to delete all associated backups with the -DeleteBackup parameter.

I can't think of an immediate way to protect against this either. Maybe it would be possible to swap credentials out in someway.

You could have them backing up to a intermediate filestore, being pushed up from there. Unfortunately that is very much a bandaid solution.

The Remove-OBPolicy cmdlet removes the currently set backup policy (OBPolicy object). This stops the existing scheduled daily backups. If the DeleteBackup parameter is specified, then any data backed up according to this policy on the online backup server is deleted. If the DeleteBackup parameter is not specified, the existing backups are retained in accordance with the retention policy in effect when the backup was created.

Michael B
  • 748
  • 3
  • 10
1

Azure just (November 2016) added new security features to Recovery Services vaults which can be activated in the recovery vault settings and address exactly these issues:

  1. Prevention: New authentication layer added for critical operations like Delete Backup Data, Change Passphrase. These operations now require Security PIN available only to users with valid Azure credentials.

  2. Alerting: Email notifications are sent for any critical operations that impact availability of backup data. These notifications enable users to detect attacks as soon as they occur.

  3. Recovery: Azure backup retains deleted backup data for 14 days ensuring recovery using any old or recent recovery points. Also, minimum number of recovery points are always maintained such that there are always sufficient number of points to recover from.

Heinzi
  • 2,217
  • 5
  • 32
  • 52