Backup File Server to DAS
-
@DustinB3403 said:
I'm replying to @Dashrender and @IT-ADMIN so I don't know why you'd be restoring to identical hardware.
Unless you were backing up a physical host, expecting the physical host to die because of something software related, not hardware related.
I'd expect you to more likely restore to different hardware. Which is why I raised the point.
In which case the backup is likely not any good.
-
@IT-ADMIN said:
@Dashrender said:
@IT-ADMIN said:
@coliver said:
This. Even with a proper backup you will probably have to re-authorize your key when you restore to the same (or similar) hardware.
i said that because our friend @coliver said the above
He's absolutely right on the similar, but probably not if it was the same.
@scottalanmiller and @DustinB3403 are right though, when would you ever do a full restore to the same hardware?
I suppose if you needed to completely redo the underlying harddrive setup on a server that could be the case, that's so rare as to not even be considered. If you get a replacement motherboard put into the same server, from a software perspective that's no longer the same hardware, so you'd most likely get a re authorization.
ah ok in case of hardware change (cpu, RAM, HD, motherboard) otherwise the backup would be made without activation
How will you do a restore without one of those things changing?
-
@IT-ADMIN said:
@DustinB3403 said:
I'm replying to @Dashrender and @IT-ADMIN so I don't know why you'd be restoring to identical hardware.
Unless you were backing up a physical host, expecting the physical host to die because of something software related, not hardware related.
I'd expect you to more likely restore to different hardware. Which is why I raised the point.
ah ok, thank you for clarifying that, so in this case i can restore my physical server in case of software failure with a previous system image without triggering any activation process (no hardware change)
Sure, but is that really what your backup is for? This is a very edge case. You have a backup system that's only purpose is to handle the scenario where the software has died and you want to fall back to an older version of the system? What will stop it from dying again right away? Is software "dying" a real concern (other than patching?)
-
if a virus take over the system or a ransomware lock my file server for example, in this case i think a system restore would solve the problem right ??
-
@IT-ADMIN said:
if a virus take over the system or a ransomware lock my file server for example, in this case i think a system restore would solve the problem right ??
Correct. As long as you don't use something like Windows backup attached to a DAS Which is what we were warning about earlier. If you have Veeam and a NAS without a mapped drive, you are likely okay. This is where you want tape to be really safe.
-
how to make a NAS not mapped, is it by using username and password right ??
-
@IT-ADMIN said:
how to make a NAS not mapped, is it by using username and password right ??
A UNC for an SMB share would do it. \\NAS01\VeeamShare
-
@IT-ADMIN said:
how to make a NAS not mapped, is it by using username and password right ??
Simply don't map it!
-
-
@scottalanmiller said:
@coliver said:
@IT-ADMIN said:
how to make a NAS not mapped, is it by using username and password right ??
A UNC for an SMB share would do it. \NAS01\VeeamShare
Only if the ransomware know about it or discover it. Not sure how common that is.
Would they do that? I've never heard of ransomware digging around for a UNC path. You could also setup the Veeam service to run as a different user account and give write access to that specific user.
-
@coliver said:
Would they do that? I've never heard of ransomware digging around for a UNC path. You could also setup the Veeam service to run as a different user account and give write access to that specific user.
CryptoWall will
-
I thought maybe. Any guess what it does to seek it out? Does it look in Veeam config files, just hunt through DNS, etc?
-
I would assume that having an account to access the NAS that is not a normal user or admin account will help so that only if the backup user is compromised that it can attack it?
-
@Jason said:
@coliver said:
Would they do that? I've never heard of ransomware digging around for a UNC path. You could also setup the Veeam service to run as a different user account and give write access to that specific user.
CryptoWall will
How does it discover it? If you are just putting the UNC path in the Veeam configuration then it should have no way of finding it. Even if it could find it if you lock it down to one specific user wouldn't that add a layer of protection? I'm asking hypothetically as I really don't know a lot about how this type of malware works.
-
@scottalanmiller said:
@IT-ADMIN said:
how to make a NAS not mapped, is it by using username and password right ??
Simply don't map it!
great, so i shouldn't create a map drive (pointing to NAS) in the server sending the backup to the NAS
-
@IT-ADMIN said:
@scottalanmiller said:
@IT-ADMIN said:
how to make a NAS not mapped, is it by using username and password right ??
Simply don't map it!
great, so i shouldn't create a map drive (pointing to NAS) in the server sending the backup to the NAS
We've made that clear from the beginning of the thread that mapping the NAS would instantly expose it like a DAS to Ransonware. That's been repeated over and over.
-
@coliver said:
How does it discover it?
UNC is easily discoverable, all it has to do is turn on network discovery and look for shares, and many companies likely leave it on.
-
Would hiding the shares with a $ make any difference in this situation?
-
@Dashrender said:
Would hiding the shares with a $ make any difference in this situation?
doubt it, that's not really hidden, it's up to the client device to hide it from the end user. Windows explorer hides it from the user. Linux and others do not.
-
@Jason said:
@Dashrender said:
Would hiding the shares with a $ make any difference in this situation?
doubt it, that's not really hidden, it's up to the client device to hide it from the end user. Windows explorer hides it from the user. Linux and others do not.
Which means that the ransomeware code is not going to hide it either. Likely it won't even notice that you've attempted to hide something. Much like MS Office security, open those files with something other than MS Office and that private data hidden in there is exposed in such a way that the people using it are not even aware that you thought that you were hiding it.