RESET Forums (homeservershow.com)

Protecting client backups against cryptowall?

Trimble Epic

Nothing at all against any of the info already posted, but I can't help but think that one good strategy for protecting clients is to have a robust backup strategy. That way, if a client gets 'violated' you can simply restore to a backup that was created before the infection.

I think the point of this thread is to discuss whether or not the client backups are safe from Cryptolocker...

 

If the client can write to the backup location, then what's stopping cryptolocker from hijacking the backups? Ideally, backups should be packaged by the client and handed off to the server for storage in a one-way transaction... the client should NOT be able to delete or alter the backups via file system access... only the server should be able to alter the backups...

 

My post above is about trying to make this same concept work for pushing media files to the media folders too.


I don't have WSE2012(R2) running ATM but, when I look at Client Computer Backups in the DashBoard of my WHS2011 server, I can see that it's not possible to alter the permissions for it. I presume this means that the Users I have defined in the DashBoard have no access to Client Computer Backups, which is good. If I look at the shares using Windows Explorer from my Desktop, Client Computer Backups is not displayed.

 

I think the way Client Computer Backups are triggered could be significant. I've seen info saying the server wakes up the computers using WoL. I've also seen info that says it's not WoL; that the clients are woken up by a Scheduled Task. However, on my Win8.1 Desktop, I can't find a Scheduled Task that seems to relate to backups. So, the question becomes, how are client backups initiated?

Drashna Jaelre

I think the point of this thread is to discuss whether or not the client backups are safe from Cryptolocker...

 

If the client can write to the backup location, then what's stopping cryptolocker from hijacking the backups? Ideally, backups should be packaged by the client and handed off to the server for storage in a one-way transaction... the client should NOT be able to delete or alter the backups via file system access... only the server should be able to alter the backups...

 

My post above is about trying to make this same concept work for pushing media files to the media folders too.

 

Blunt:

No, nothing is "safe" from a cryptolocker virus.

However, will they target the database? Most likely not, as they are not documents or other important files. They're all ".dat" files.

But they MAY target them. 

 

 

I don't have WSE2012(R2) running ATM but, when I look at Client Computer Backups in the DashBoard of my WHS2011 server, I can see that it's not possible to alter the permissions for it. I presume this means that the Users I have defined in the DashBoard have no access to Client Computer Backups, which is good. If I look at the shares using Windows Explorer from my Desktop, Client Computer Backups is not displayed.

 

I think the way Client Computer Backups are triggered could be significant. I've seen info saying the server wakes up the computers using WoL. I've also seen info that says it's not WoL; that the clients are woken up by a Scheduled Task. However, on my Win8.1 Desktop, I can't find a Scheduled Task that seems to relate to backups. So, the question becomes, how are client backups initiated?

 

By default, it appears that the folder is locked down to "System" and "Administrators" and "Domain Admins"... as well as the server account (eg {SERVERNAME}$).

 

 

 

As for shares... Here is why I make such a big deal about NOT USING A DOMAIN ADMIN ACCOUNT:

 

By default, Windows shares the drive letters as hidden shares.

This means "\\SERVERNAME\C$\", "\\SERVERNAME\D$\", "\\SERVERNAME\E$\", "\\SERVERNAME\F$\", and so on.

These are accessible based on the normal NTFS permissions; however, THEY DO NOT REQUIRE ELEVATION as they effectively already have it.

So, if you log in with a domain account, you can modify system files remotely, with no oversight. No elevation/prompt.

This means you can always access those database files from the local network.

 

So just don't do it. Create an admin account, and create a "normal usage" account (you can use "lusrmgr.msc" on the client to add a specific domain user to the local "Administrators" account if you want).
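As an added example (this script is not from the thread, nor part of the server's own tooling), here is a PowerShell audit that checks the points made in the post above on a Server 2012 (R2) Essentials box: which hidden drive shares exist, whether any visible share reaches the Client Computer Backups folder, who holds write-type NTFS rights on it, and whether the account you are logged on with is a local or domain admin. The `$BackupFolder` path is an assumption; `Get-SmbShare` needs Windows 8 / Server 2012 or later, so it will not run on WHS2011.

```powershell
# Added audit script (not from the thread). Run in an elevated PowerShell on the
# Server 2012 (R2) Essentials server. $BackupFolder is an assumption: set it to
# wherever the Dashboard placed "Client Computer Backups".
$BackupFolder = 'D:\ServerFolders\Client Computer Backups'   # assumed path

# 1. Hidden drive shares. Special marks the built-in shares; the regex keeps C$, D$, ...
$driveShares = Get-SmbShare | Where-Object { $_.Special -and $_.Name -match '^[A-Z]\$$' }
'Hidden drive shares exposed by this server:'
$driveShares | Select-Object Name, Path | Format-Table -AutoSize

# 2. Does any ordinary (non-hidden) share cover the backup folder? The thread expects: no.
$cmp = [System.StringComparison]::OrdinalIgnoreCase
$exposed = Get-SmbShare | Where-Object {
    -not $_.Special -and $_.Path -and $BackupFolder.StartsWith($_.Path, $cmp)
}
if ($exposed) {
    'Visible shares whose path contains the backup folder:'
    $exposed | Select-Object Name, Path | Format-Table -AutoSize
} else {
    'No visible share covers the backup folder; only the hidden drive share reaches it.'
}

# 3. NTFS rights on the backup folder: which identities can create, change or delete there?
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete'
$acl = Get-Acl -Path $BackupFolder
'Identities with write-type rights on the backup folder:'
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeMask) -ne 0) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# 4. The logon token. BUILTIN\Administrators is S-1-5-32-544; Domain Admins has RID 512.
#    Checking SIDs in the token reports membership even in a non-elevated session,
#    which is the situation an infected client session is in.
$identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groupSids  = $identity.Groups | ForEach-Object { $_.Value }
$localAdmin = $groupSids -contains 'S-1-5-32-544'
$domAdmin   = [bool]($groupSids | Where-Object { $_ -match '^S-1-5-21-\d+-\d+-\d+-512$' })
"Logged on as $($identity.Name); local Administrators: $localAdmin; Domain Admins: $domAdmin"
if ($localAdmin -or $domAdmin) {
    'This account reaches the backup folder through the hidden drive share with no prompt.'
    'Use it only for administration; do daily work under a standard account.'
}
```

Section 4 is the one worth running on each client as well, under the account people actually use day to day: if it reports membership of Administrators or Domain Admins, that account is the one whose token a client-side infection would hold.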

Trimble Epic

Blunt:

No, nothing is "safe" from a cryptolocker virus.

 

I was under the impression that files on a read-only share would be safe from cryptolocker; assuming the cryptolocker was running on a client machine, the server was clean, and the user logged into the client machine had read only access to the share... 

 

If the user can't effect any change to the file, how does cryptolocker get around that? Or, are you talking about cryptolocker moving from machine to machine and eventually getting onto (and running on) the server via whatever means the virus creators can exploit?

Drashna Jaelre

I was under the impression that files on a read-only share would be safe from cryptolocker; assuming the cryptolocker was running on a client machine, the server was clean, and the user logged into the client machine had read only access to the share... 

 

If the user can't effect any change to the file, how does cryptolocker get around that? Or, are you talking about cryptolocker moving from machine to machine and eventually getting onto (and running on) the server via whatever means the virus creators can exploit?

Read-only shares would definitely be safe from an infected client.

 

However, if the account has domain admin access, and the particular virus is smart enough, it could access those administrative shares (the hidden shares I mentioned above). And that COULD access the same shares by accessing the admin share instead. 
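To make the read-only case concrete, here is an added PowerShell example (not from the thread) that publishes a server folder so that everyday accounts can only read it while a dedicated group holds the write rights, and then prints both permission layers for verification. The folder, share name and group names are assumptions; it targets Server 2012 (R2) Essentials, where the `SmbShare` cmdlets are available.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the server.
# All four names below are assumptions for the example.
$Path      = 'D:\ServerFolders\Media'     # assumed folder to publish
$ShareName = 'Media'                      # assumed share name
$Readers   = 'MYDOMAIN\Domain Users'      # assumed: the everyday (non-admin) accounts
$Writers   = 'MYDOMAIN\MediaAdmins'       # assumed: the only group allowed to change files

# Share-level permissions: Read for the everyday accounts, Change for the writer group.
# Nobody else is listed, so no "Everyone" entry is created.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Remove-SmbShare -Name $ShareName -Force
}
New-SmbShare -Name $ShareName -Path $Path -ReadAccess $Readers -ChangeAccess $Writers | Out-Null

# NTFS permissions: effective access is the intersection of share and NTFS rights, so
# restrict NTFS as well; a later share change then cannot silently widen access.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)            # stop inheriting from the parent
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }  # drop existing explicit entries
$entries = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = $Writers;                 Rights = 'Modify' },
    @{ Id = $Readers;                 Rights = 'ReadAndExecute' }
)
foreach ($entry in $entries) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $entry.Id, $entry.Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Verify both layers: readers should appear with Read at the share level and
# ReadAndExecute in NTFS; only $Writers (and the admin entries) get more.
Get-SmbShareAccess -Name $ShareName | Format-Table -AutoSize
(Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights | Format-Table -AutoSize
```

Note the BUILTIN\Administrators entry: it is what makes the post's caveat bite. An everyday account that is also an administrator reaches the same folder through the hidden drive share regardless of how the named share is locked down, so the `$Readers` group must not contain the accounts people log on with for daily use if those accounts are admins.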


And by following the best practice of not using admin accounts except when really needed, it's not even necessary to remember that there are other ways malware might find a way to access the shares.

Drashna Jaelre

And by following the best practice of not using admin accounts except when really needed, it's not even necessary to remember that there are other ways malware might find a way to access the shares.

Yes, but when are best practices actually followed......

(I say, while logged into a domain admin account on my network)

Trimble Epic

Ok, so then getting back to the topic of protecting backup files...

 

If I'm logged into my laptop (client computer) as a standard user (no admin on the client, no admin on the server)... and I let the backup run, the backup software running on my laptop finds a way to send data to the server to store the backup... How does that work?

 

Does my client user have access to write to a hidden share on the server? (such that cryptolocker could also reach into it and destroy things) ...  

 

or does my client backup program send blocks of data to the server using a protocol other than file access, and the server writes the blocks to a folder that my client cannot access? (such that cryptolocker cannot touch the backup files). I naively assumed it worked this way... That would be an advantage of a client/server backup solution...

 

whereas a client-only backup solution (Acronis etc?) would require the ability to actually write to whatever hard drive the backup files are stored on, making any files stored in that folder fair game for cryptolocker... This has made me nervous since I heard about viruses that like to delete/destroy/kidnap anything they can find....


I too am curious about the exact procedure that's used for Client PC backups. I know the Windows Server Client Computer Backup Provider Service has to be running on the server for backups to work. I'm assuming this means that the clients send data to the service on the server and it takes care of writing data to the drives, including the de-duping for Single Instance Storage. But, it is an assumption, not known fact.

Steve Pitts

I am a relative newcomer to all of this, so please take what I say with a pinch of salt, but I'm under the impression that it is the server that initiates the backup process not the clients. I can find no evidence of any sort of share for the Client Computer Backups, although there is one for the File History Backups.
