Increase Security on Destination Server

We would like to harden our backup destination. 

Currently:

Source = Windows Servers --> Destination: Windows Server  via SMB UNC, Image Manager runs on this server.

There is very limited access to the Destination UNC but access is via AD accounts. Assuming the AD credentials are compromised then the backup Destination is also compromised.

We are considering using an unjoined NAS as a secondary destination for separate and less frequent Full jobs.  Access could be via SMB UNC or FTP.  We would prefer that Source server have Write but not Read or Modify rights to the destination.   We understand this would probably mean that Image Mgr would not be able to manage the chain or replicate.  We would want the Source server to correctly report Job Success or Failure.

Do you see any problems, or have any recommendations for this type of setup or hardening?

Thank you.

Comments

STC-JoshS

You could have Image Manager replicate to an offsite NAS via FTP pretty reliably and then use a local account with a local install of IM to manage that and use Image Manager's built-in reporting to handle most of that.

Ed Fries

Thank you for your response. 

So that is an FTP push from Windows to NAS

If push, then FTP will work with only Write access on NAS?

I wasn't aware IM can be installed on a NAS.  Is that any NAS and can you point me to documentation?

Thank you.

STC-JoshS

It can't be installed on any NAS, just ones that have Windows on them. Sorry about the confusion, that was my mistake in making that appear to be the case. We need modify permissions on the NAS due to how we replicate, so write only won't work.

Ed Fries

To the original plan then: 

Can we run a 2nd backup job, not replication, from a Windows server to a NAS such that SP on the Windows box only has Write access to the Destination NAS?  No Read, Modify/Delete rights on the Destination NAS.

Thank you.

STC-JoshS

You're going to run into the same problem unfortunately. Our backups use the same method as the FTP replication so we'll need the Modify permissions as well.

lumacor

iSCSI NAS

If your NAS has iSCSI capability, you could mount the volume on a non-domain joined Windows endpoint / workstation and share the backup destination, with share and security access only for a local account on that endpoint.

You'd then enter the details in ImageManager for connecting to the destination.

This would give you some additional security against compromised domain credentials, which wouldn't be authorised for access.

__________________

StorageCraft Certified Master Engineer

Veeam Technical Sales Professional (v9)
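
The non-domain-joined destination suggested in the post above, as an added example that is not from the thread or from StorageCraft. The account name `svc-backup`, share name `Backups$` and path `E:\Backups` are assumptions; the account gets Modify rather than write-only rights because the thread states the product needs Modify on its destination.

```powershell
# Added example. Run elevated on the NON-domain-joined Windows endpoint that
# has the NAS iSCSI volume mounted. All names below are assumptions.
$Account   = 'svc-backup'      # hypothetical local account, used for nothing else
$ShareName = 'Backups$'        # hypothetical hidden share name
$Path      = 'E:\Backups'      # hypothetical folder on the iSCSI-backed volume

# Stop if the machine is a domain member: the design relies on AD credentials
# having no standing on this host.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    throw 'This endpoint is domain joined; use a workgroup machine instead.'
}

# Local account; the password is prompted for and never written to disk here.
$Password = Read-Host -AsSecureString "Password for $Account"
New-LocalUser -Name $Account -Password $Password -PasswordNeverExpires `
    -UserMayNotChangePassword -Description 'Backup destination access only' | Out-Null

New-Item -ItemType Directory -Path $Path -Force | Out-Null
$Principal = "$env:COMPUTERNAME\$Account"

# NTFS: remove inherited ACEs, then grant only SYSTEM, local Administrators
# and the backup account (Modify, inherited by files and subfolders).
icacls $Path /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)F' "${Principal}:(OI)(CI)M" | Out-Null

# Share: Change access for the local account and nobody else.
New-SmbShare -Name $ShareName -Path $Path -ChangeAccess $Principal | Out-Null

# Verify both layers and fail loudly if any other principal has access.
$expectedNtfs = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $Principal
$extraShare = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -ne $Principal }
$extraNtfs = (Get-Acl $Path).Access |
    Where-Object { $_.IdentityReference.Value -notin $expectedNtfs }

if ($extraShare -or $extraNtfs) {
    $extraShare | Format-Table AccountName, AccessRight
    $extraNtfs  | Format-Table IdentityReference, FileSystemRights
    throw 'Unexpected principals have access to the backup destination.'
}
"Share \\$env:COMPUTERNAME\$ShareName is restricted to $Principal"
```

The credentials entered in ImageManager or SPX for this destination would then be `<hostname>\svc-backup`, which a compromised domain account cannot impersonate.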

lumacor

SPX

The same goes for adding the location in SPX as a backup destination.

Ed Fries

We have thought about making the 1st destination a non-joined machine, it's possible and would increase security somewhat but also causes some other practical complications in SMB situations. 

See below, bad guys got in and sat on the network, rooted or captured everything, completely wrecked it and all backups.  Perfect solution is a 2nd destination that is cheap and there are no creds for Modify/Read stored anywhere on the network.  If SP/IM can only Write then there is no possibility of the 2nd target being compromised.  Once the Read/Modify creds are stored in any app then the possibility exists.  Low probability but since it happened once it will happen again.

https://www.reddit.com/r/sysadmin/comments/62544d/got_hit_bad_tonight/

lumacor

2nd Destination

Have you considered using Azure Backup to move SPX data to an Azure Recovery Services vault? Or using StorageCraft Cloud Services?

You can't delete data from the destination using the Azure Backup agent on the endpoint. Plus, Microsoft keep backups of the Vault contents for 14 days. Perhaps combine a non-domain joined endpoint as a primary destination, with StorageCraft Cloud Services or Azure Backup copying the data for secondary.

https://docs.microsoft.com/en-us/azure/backup/backup-azure-security-feature

It's all about putting hurdles in the way.
I don't think you could ever stop someone really determined enough to do damage. You can mitigate against chancers and bad security policies like that Reddit post highlighted.

Damienf

Increased Security

Hi All,

Before this most issue which the Reddit post shows my setup is:

Local Domain joined Windows Box for backup with ImageManager to replicate to a Local Non Domain Joined Synology NAS via FTP using a password only used for this purpose

This NAS then replicated every night via the Synology rsync-like function to an offsite Synology NAS with a unique password

I have also had the thought about a write only option to a NAS which would hold only weekly files via FTP and once a quarter or 6 months cleared out via script or manually anything older than our retention policy and add the consolidated monthlies

Did anyone draw any conclusions on the issue?

Cheers

Damien