Backup File Server to DAS
-
@IT-ADMIN said:
@DustinB3403 said:
I'm replying to @Dashrender and @IT-ADMIN so I don't know why you'd be restoring to identical hardware.
Unless you were backing up a physical host, expecting the physical host to die because of something software related, not hardware related.
I'd expect you to more likely restore to different hardware. Which is why I raised the point.
ah ok, thank you for clarifying that, so in this case i can restore my physical server in case of software failure with a previous system image without triggering any activation process (no hardware change)
Sure, but is that really what your backup is for? This is a very edge case. You have a backup system that's only purpose is to handle the scenario where the software has died and you want to fall back to an older version of the system? What will stop it from dying again right away? Is software "dying" a real concern (other than patching?)
-
if a virus take over the system or a ransomware lock my file server for example, in this case i think a system restore would solve the problem right ??
-
@IT-ADMIN said:
if a virus take over the system or a ransomware lock my file server for example, in this case i think a system restore would solve the problem right ??
Correct. As long as you don't use something like Windows backup attached to a DAS
Which is what we were warning about earlier. If you have Veeam and a NAS without a mapped drive, you are likely okay. This is where you want tape to be really safe. -
how to make a NAS not mapped, is it by using username and password right ??
-
@IT-ADMIN said:
how to make a NAS not mapped, is it by using username and password right ??
A UNC for an SMB share would do it. \\NAS01\VeeamShare
-
@IT-ADMIN said:
how to make a NAS not mapped, is it by using username and password right ??
Simply don't map it!
-
-
@scottalanmiller said:
@coliver said:
@IT-ADMIN said:
how to make a NAS not mapped, is it by using username and password right ??
A UNC for an SMB share would do it. \NAS01\VeeamShare
Only if the ransomware know about it or discover it. Not sure how common that is.
Would they do that? I've never heard of ransomware digging around for a UNC path. You could also setup the Veeam service to run as a different user account and give write access to that specific user.
-
@coliver said:
Would they do that? I've never heard of ransomware digging around for a UNC path. You could also setup the Veeam service to run as a different user account and give write access to that specific user.
CryptoWall will
-
I thought maybe. Any guess what it does to seek it out? Does it look in Veeam config files, just hunt through DNS, etc?
-
I would assume that having an account to access the NAS that is not a normal user or admin account will help so that only if the backup user is compromised that it can attack it?
-
@Jason said:
@coliver said:
Would they do that? I've never heard of ransomware digging around for a UNC path. You could also setup the Veeam service to run as a different user account and give write access to that specific user.
CryptoWall will
How does it discover it? If you are just putting the UNC path in the Veeam configuration then it should have no way of finding it. Even if it could find it if you lock it down to one specific user wouldn't that add a layer of protection? I'm asking hypothetically as I really don't know a lot about how this type of malware works.
-
@scottalanmiller said:
@IT-ADMIN said:
how to make a NAS not mapped, is it by using username and password right ??
Simply don't map it!
great, so i shouldn't create a map drive (pointing to NAS) in the server sending the backup to the NAS
-
@IT-ADMIN said:
@scottalanmiller said:
@IT-ADMIN said:
how to make a NAS not mapped, is it by using username and password right ??
Simply don't map it!
great, so i shouldn't create a map drive (pointing to NAS) in the server sending the backup to the NAS
We've made that clear from the beginning of the thread that mapping the NAS would instantly expose it like a DAS to Ransonware. That's been repeated over and over.
-
@coliver said:
How does it discover it?
UNC is easily discoverable, all it has to do is turn on network discovery and look for shares, and many companies likely leave it on.
-
Would hiding the shares with a $ make any difference in this situation?
-
@Dashrender said:
Would hiding the shares with a $ make any difference in this situation?
doubt it, that's not really hidden, it's up to the client device to hide it from the end user. Windows explorer hides it from the user. Linux and others do not.
-
@Jason said:
@Dashrender said:
Would hiding the shares with a $ make any difference in this situation?
doubt it, that's not really hidden, it's up to the client device to hide it from the end user. Windows explorer hides it from the user. Linux and others do not.
Which means that the ransomeware code is not going to hide it either. Likely it won't even notice that you've attempted to hide something. Much like MS Office security, open those files with something other than MS Office and that private data hidden in there is exposed in such a way that the people using it are not even aware that you thought that you were hiding it.
-
wow, those ransomware are scary, did anyone experience them ?? i think it is very rare to get affected by them ??
-
@IT-ADMIN said:
wow, those ransomware are scary, did anyone experience them ?? i think it is very rare to get affected by them ??
Very common, actually. Go on Spiceworks and someone gets one nearly once a week. They are the biggest threat in IT right now. It's VERY scary.
There is a reason why people are moving to fully decoupled backup systems across the board (never running the backup software from the same system.) Because they need the protection for normal issues like ransonware. Anything talking over DAS, NAS or SAN protocols is vulnerable, extremely vulnerable.
You ideally want stuff that is offline like tape but most make due with systems that at least have an air cap like Unitrends.
