Your Windows-based backup server may be at risk from ransomware. That was the takeaway from a recent talk on ransomware at the VeeamOn conference in New Orleans. A ransomware attack could either begin on your Windows-based backup server or spread to it across the network from an infected desktop. It is therefore crucial that administrators take multiple steps to protect the backup software's configuration data and its databases, as well as the backup data itself.
I'd like to take a moment to applaud Veeam for being upfront about this risk. Giving your customers a reason to consider the competition is always a risky move, even if most of Veeam's competitors also use Windows backup servers. So, kudos to Veeam for a conference session that happened to fall the week after WannaCry started infecting systems worldwide.
The first and possibly most important thing an organization can do is to make sure it is up to date on security patches. That one step would have stopped WannaCry: the SMBv1 flaw it used to spread had been fixed by Microsoft's MS17-010 update about two months before the outbreak. The backup system is the last line of defense, so make sure it is one of the first systems to receive security patches. While we can understand the difficulty of updating every server in an enterprise, there really is no excuse for not keeping the backup server up to date.
Segregate the backup system as much as possible. This means not using Active Directory authentication to log into the backup server: if an attacker gets domain administrator credentials, those credentials should not also open the backup server. Use a separate local account that exists only on the backup system. It's also important to put the backup system on a separate network or VLAN. This stops malware that crawls through the corporate network looking for other systems to compromise. WannaCry, for example, starts with a single infected system and then spreads over SMB (TCP port 445) to every Windows host it can reach. Not letting desktops and laptops see the backup server at all limits your exposure.
Limit the kinds of tasks performed on the backup server that might put it at risk. One of the best things IT can do is insist that administrators of the backup system not browse the web directly from that machine, and especially not while logged in with a privileged account.
Since many ransomware intrusions also begin with exposed Remote Desktop Protocol (RDP), disabling RDP on the backup server is always a good idea. If your organization needs RDP as part of its operation, put it behind an internal firewall and limit access to hosts that have already authenticated to an internal VPN, so the service is never reachable from an ordinary desktop.
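The segregation steps above (a local-only admin account, no SMBv1, and SMB/RDP reachable only from a VPN or management subnet) can be applied with the Windows host firewall alone, without waiting for a network redesign. The following PowerShell is an added example written for this article; it is not Veeam's code nor anything from the conference talk. The subnet `10.10.50.0/24`, the account name `bkpadmin` and the rule names are assumptions; replace them with your own.

```powershell
# Added example (not from the original post): harden a Windows backup server with
# a local-only admin account and host-firewall rules that allow SMB and RDP only
# from an assumed VPN/management subnet. Run in an elevated PowerShell session.

$MgmtSubnet    = '10.10.50.0/24'   # assumed VPN/management subnet (hypothetical)
$BackupAccount = 'bkpadmin'        # assumed local account name (hypothetical)

# 1. Local, non-domain account used only on this host (prompts for a password).
if (-not (Get-LocalUser -Name $BackupAccount -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for local account $BackupAccount"
    New-LocalUser -Name $BackupAccount -Password $pw `
        -Description 'Backup server administration only; never used elsewhere'
    Add-LocalGroupMember -Group 'Administrators' -Member $BackupAccount
}

# 2. Turn off SMBv1, the protocol version WannaCry spread over.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 3. Host firewall: deny inbound by default, drop the broad built-in SMB/RDP
#    rules, then allow 445 and 3389 only from the management subnet. Desktops
#    and laptops on the corporate LAN can no longer reach either service.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Disable-NetFirewallRule
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

New-NetFirewallRule -DisplayName 'Backup-SMB-from-mgmt' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $MgmtSubnet -Action Allow

# 4. RDP: disable it outright by setting fDenyTSConnections = 1 ...
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
#     -Name fDenyTSConnections -Value 1
# ... or keep it reachable only from the VPN subnet and require Network Level
# Authentication so unauthenticated clients never get a logon screen.
New-NetFirewallRule -DisplayName 'Backup-RDP-from-VPN' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtSubnet -Action Allow
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1

# 5. Verify: list the enabled rules that now govern ports 445 and 3389.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq '445' -or $_.LocalPort -eq '3389' } |
    Get-NetFirewallRule | Where-Object Enabled -eq 'True' |
    Select-Object DisplayName, Direction, Action, Profile
```

The verification step at the end is the part worth keeping in a change ticket: the only enabled inbound rules for 445 and 3389 should be the two you just created. If the built-in groups show up again after a Windows feature is added, re-run step 3.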
There is not space in this format to go into everything you can do to protect your server, but there is one final suggestion to make. Do not store your backups directly on the Windows-based backup server. Store them on a Linux-based network mount that the Windows backup server accesses, and if possible mount that share only while a backup job actually needs it. The share is still exposed to anything running on the backup server during that window, so keep the window short and make sure the credentials the backup server uses are good for nothing else on the Linux host.
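One way to keep the Linux-hosted repository mounted only for the duration of a job is to wrap the job in a mount/dismount pair that dismounts even when the job fails. The script below is an added example for this article, not the backup product's own mechanism. The NFS server name `nas01`, the export `/export/backups`, the drive letter `R` and the placeholder job command are assumptions; it requires the Windows "Client for NFS" feature.

```powershell
# Added example (not from the original post): mount the Linux NFS export only
# while a backup job runs, then remove it so ransomware on the backup server has
# no drive letter or UNC path to the backup data outside the job window.
# Assumed (hypothetical) values: NFS server nas01, export /export/backups, drive R.

$NfsServer = 'nas01'             # assumed Linux NFS server
$NfsExport = '/export/backups'   # assumed export path
$Drive     = 'R'                 # drive letter the backup job writes to

# Windows NFS client UNC form: \\server\export\path (forward slashes become backslashes).
$RepoPath = "\\$NfsServer$($NfsExport -replace '/', '\')"

function Mount-BackupRepo {
    # Refuse to run if a mount already exists: a persistent mount is exactly
    # the exposure this script is meant to avoid, so surface it instead.
    if (Get-PSDrive -Name $Drive -ErrorAction SilentlyContinue) {
        throw "Drive ${Drive}: is already mounted; investigate before running the job."
    }
    # -Persist creates a real mapped drive visible to the backup job in this session.
    New-PSDrive -Name $Drive -PSProvider FileSystem -Root $RepoPath `
        -Persist -Scope Global -ErrorAction Stop | Out-Null
}

function Dismount-BackupRepo {
    if (Get-PSDrive -Name $Drive -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $Drive -Scope Global -Force
    }
}

try {
    Mount-BackupRepo
    # Placeholder for the real job; replace with the backup product's CLI call and
    # wait for it to finish, e.g. Start-Process ... -Wait.
    Start-Sleep -Seconds 5
}
finally {
    # Always dismount, even if the job threw, so the share is never left attached.
    Dismount-BackupRepo
}

# Audit: any repository mapping that survived outside the job window shows up here.
Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.DisplayRoot -like "\\$NfsServer\*" } |
    Select-Object Name, DisplayRoot
```

Schedule this under the dedicated local backup account, not a domain account, and have the Linux side export the share read-write only to the backup server's address. The audit line at the end should return nothing; if it lists a drive, something left the repository mounted.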
Many people reading this blog will think some of these suggestions seem silly or overly cautious, but consider this: data centers have always been a target for attacks, but ransomware attacks are different. The attackers now have a direct financial incentive, which makes it worthwhile to attack thousands of machines in the hope that some of their owners will pay hundreds or thousands of dollars each. And it's working. Some studies project that ransomware is now a billion-dollar "business". Ransomware attacks are only going to increase. It's time to take the security of your Windows-based backup server very seriously.