3

There seems to be just another huge attack with crypto trojans. I have an office here, where I am responsible for the Samba server that receives the Windows backups (made with the Windows Backup tool).

In an effort to make the encryption of backup data unlikely, I removed the w attribute recursively for the content of the folder that each machine backs up to.

# This removes the w flag for all content of each backup folder
# (backup folders are the entries whose name contains "0", as the original grep matched;
#  a directory glob avoids parsing the output of ls and quoting keeps names with spaces intact)
for i in *0*/; do chmod a-w "$i"*; done

Having done this, I realized that the backup tool needs to store certain information dynamically, and I re-allowed the w attribute for the following folders:

# Re-allow owner/group writes on the metadata folders the backup tool updates
# (find -exec handles names with spaces, which the unquoted loop did not)
find . -type d -name Catalog -exec chmod -R u+w,g+w {} +
find . -type d -name SPPMetadataCache -exec chmod -R u+w,g+w {} +

My plan is to run this nightly when no backups occur. Actually I have two questions:

  • What if the Catalog or SPPMetadataCache gets corrupted? Will this invalidate the backups?
  • Are there any other folders that need to be writeable for the windows-backup-tool to work properly?
moestly
  • 1,188
  • 9
  • 11
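The nightly job described in the question, written out as one script. This is an added example, not the asker's script: it assumes a constructed layout in which each client writes to its own subdirectory under a backup root passed as the first argument, and it uses the two folder names from the question (Catalog and SPPMetadataCache) as the only writable exceptions. It goes further than the question's one-level chmod by locking every file and directory beneath each client folder recursively, while leaving the client folder itself writable so the backup tool can still create new backup sets in it.

```shell
#!/bin/sh
# Nightly job: make finished backup data read-only, but keep the folders
# Windows Backup must update writable.
# Added example, not the asker's script. Constructed assumptions: the backup
# root is given as $1, each client has its own subdirectory, and the writable
# metadata folders are named Catalog and SPPMetadataCache (from the question).
set -eu

# Directory names that Windows Backup needs to write to (from the question).
WRITABLE_DIRS="Catalog SPPMetadataCache"

# lock_backup_tree CLIENTDIR: remove write permission from everything below
# CLIENTDIR (the directory itself stays writable so new backup sets can be
# created), then restore owner/group write on the metadata folders.
lock_backup_tree() {
    root=$1
    # 1. Drop write permission for everybody on every file and directory
    #    below the client folder. -exec ... + is safe with spaces in names.
    find "$root" -mindepth 1 -exec chmod a-w {} +

    # 2. Re-enable owner/group write on the metadata folders and their contents.
    for name in $WRITABLE_DIRS; do
        find "$root" -type d -name "$name" -exec chmod -R u+w,g+w {} +
    done
}

# owner_write_bit PATH: prints "w" if the owner write bit is set, "-" otherwise.
# Used to verify the result; [ -w ] would always succeed when run as root.
owner_write_bit() {
    ls -ld "$1" | cut -c3
}

# Usage: ./lock-backups.sh /path/to/backup/root
# Locks every client subdirectory under the given root.
if [ $# -gt 0 ]; then
    for client in "$1"/*/; do
        [ -d "$client" ] || continue
        lock_backup_tree "$client"
    done
fi
```

Run it from cron as the Samba file owner (or root) after the backup window closes. Because the lock is recursive, a new backup set the tool has already finished writing is also protected the following night, not only the top-level entries.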

2 Answers

4

I'm afraid it won't help. A good ransomware protection strategy requires a comprehensive approach to the infrastructure: the 3-2-1 backup rule and tapes, either physical or virtual. The thing is that ransomware can't target tapes and ignores them completely, meaning your backups will not fall victim to something like WannaCry. Check Iron Mountain, which can store and protect the backup tapes. Here is the link: http://www.ironmountain.com/Solutions/Small-Business/Tape-and-Cloud/Offsite-Tape-Storage.aspx

Another example would be to go for virtual tape libraries with an offload to the cloud. Check Veeam. They offer some VTL-integrated solutions: https://www.veeam.com/blog/leverage-vtl-on-amazon-aws-object-storage-s3-glacier.html

I'll give you a couple more examples of this:

http://www.luminex.com/products/cloudtape/

https://www.oracle.com/storage/tape-storage/vsm-vles/index.html

Hope it helps!

batistuta09
  • 8,981
  • 10
  • 23
  • As I said, I am only in charge of the Samba server. I have no influence whatsoever on the machines that deliver the backups. As long as the Samba server isn't vulnerable too, making the files read-only should prevent modification. Using tapes is out of scope here and requires just a little patch in the ransomware to be used in the next attack. – moestly Jun 30 '17 at 09:07
0

Windows Image backups? I like them, but they are very sensitive. I really only use them as a way to make VHDs, as restoring from them hasn't been very reliable for me. (I've yet to have a Windows 10 system image restore.) So I would assume corruption of those files would make a full/normal restore unsuccessful. (But I still like to use Windows image backup/wbadmin.)

Why not a bash script that runs to copy or move the backups off the Samba share (away from Windows access) and into another folder, and rotate as necessary? Samba is secure and reliable, but the environment it serves is under attack; best to move things out of the hostile environment.

sirmonkey
  • 76
  • 1
  • 1
  • 6
  • When I move the existing files away, Windows Backup will lose its incremental feature. Backing up the folders in question daily seems to be a more robust and cheap method to secure them. – moestly Jun 28 '17 at 07:32
  • That's true, and if you move them back in the time of need Windows may not see them. :-/ You would have to test it. – sirmonkey Jul 01 '17 at 01:44
  • Did you try that already? – moestly Jul 01 '17 at 09:31
  • Yes, I have scripts that move files between folders (from Samba share to non-share folder), and then when I need to restore from a backup I copy them to the share. Do note, lately I haven't been having much luck restoring Windows image backups from anything newer than Windows 7. I have yet to have a Windows 10 system image work at all. (I just tried to restore one for the first time this last weekend.) – sirmonkey Jul 05 '17 at 17:15
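One way to implement the off-share copy this answer suggests, as an added example that is not sirmonkey's script. It copies rather than moves, so the files Windows Backup relies on for its incremental chain stay on the share (the concern raised in the comments), and it keeps dated snapshots in a directory that is assumed not to be exported over SMB. The share path, the vault path and the retention count are all assumptions passed in as arguments; the timestamp format is chosen so that plain name sorting is chronological.

```shell
#!/bin/sh
# Copy the contents of the Samba share into a dated snapshot directory that
# is not exported over SMB, and keep only the newest N snapshots.
# Added example, not sirmonkey's script. Constructed assumptions: SHARE is the
# exported directory, VAULT is a local directory that is not shared, and KEEP
# is the number of snapshots to retain.
set -eu

# snapshot_share SHARE VAULT [STAMP]: copy SHARE into VAULT/STAMP, preserving
# modes and timestamps, and print the snapshot path. STAMP defaults to now.
snapshot_share() {
    share=$1
    vault=$2
    stamp=${3:-$(date +%Y%m%d-%H%M%S)}
    dest="$vault/$stamp"
    mkdir -p "$vault"
    # Copy under a temporary name first so that a snapshot interrupted
    # half-way is never mistaken for a complete one.
    cp -a "$share" "$dest.partial"
    mv "$dest.partial" "$dest"
    printf '%s\n' "$dest"
}

# prune_snapshots VAULT KEEP: delete all but the KEEP newest snapshots
# (names sort chronologically because of the timestamp format) and print
# the number of snapshots that remain.
prune_snapshots() {
    vault=$1
    keep=$2
    count=0
    # ls -r lists newest first: keep the first KEEP entries, remove the rest.
    for name in $(ls -1r "$vault"); do
        count=$((count + 1))
        if [ "$count" -gt "$keep" ]; then
            rm -rf "$vault/$name"
        fi
    done
    ls -1 "$vault" | wc -l | tr -d ' '
}

# Usage: ./snapshot-share.sh /path/to/share /path/to/vault [KEEP]
# Takes one snapshot now and prunes to KEEP (default 14) snapshots.
if [ $# -ge 2 ]; then
    snapshot_share "$1" "$2"
    prune_snapshots "$2" "${3:-14}"
fi
```

The vault should live on a filesystem that the Windows clients cannot reach over SMB and, ideally, be owned by a user the Samba share does not run as; a restore is then a copy back onto the share, which is the step the comments above say still needs to be tested against the backup tool.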