Backup Exec Ransomware Resilience Best Practices

Description

Backup Exec 20.4 has introduced a new feature called “Ransomware Resilience”.which provides an extra layer of security by blocking any non-Veritas process from writing to a backup disk or deduplication storage location.

Ransomware Resilience v2, introduced in Backup Exec 21, also adds protection to the Backup Exec services, preventing malicious code injection by ransomware.

Configuration

Ransomware resilience is enabled by default when you install Backup Exec (20.4 or later). This feature can be configured in the Backup Exec GUI as follows:

1. Click the Backup Exec button > choose Configuration and Settings > and select Backup Exec Settings

2. On the left menu, select Network and Security. Scrolling down will reveal the 'Disk storage lockdown setting', which will be enabled by default. To disable the setting, you’ll be prompted for the system logon account password and the reason for disabling.

The disk storage lockdown status icon displays the status of disk-based backup storage configured with Backup Exec, and can be found on the bottom right of the Backup Exec UI:

Note that any attempt to delete or modify either the Backup to Disk folder's contents or the Deduplication folder's contents will result in an error with a File Access Denied message or similar:

The Backup Exec Lockdown Server service also protects the Backup Exec services from malicious code injection:

Note that all critical Backup Exec services are dependent on this service (and other BE services are dependent upon them) :

It is Veritas' strong recommendation that the 'Disk storage lockdown setting' is kept enabled.to ensure disk-based backup data is protected. By default if the setting is disabled, an alert is generated every day until the lockdown setting is enabled.

Protected Storage - The following types of storage are protected by the lockdown feature:

• Disk Storage hosted on a fixed disk on the Media Server
• Deduplication Storage Folder hosted on a fixed disk attached to the Media Server
• RDX device attached to the Media Server with limited support.
• Disk Storage created on a network share hosted on a remote network device with limited support (details below)

 This feature is not applicable to other removable devices such as tape storage.

Limitations

• The protection is limited to the folder where the disk storage is hosted and does not apply to the entire disk
• For disk storage hosted on RDX device, GRT data is written to the root of the volume and hence not protected from write operation. The Non-GRT data is written to a sub-directory on the RDX device and hence protected from being written by unauthorized processes.
• Disk storage created on a Network share, which is hosted on a network attached storage (NAS) has limited protection. Protection of such data is the responsibility of the machine hosting the device. Backup Exec only protects writes that originate from the Media Server hosting the network share as disk storage. If the network share is accessed from another server with Backup Exec not installed, the data is not protected.
• In a CAS environment, if a disk storage hosted on fixed disk attached to a Managed Backup Exec Server or Central Administration Server is also shared with another Media server, write protection is available against all the writes originating from any server. However, this protection is not available if the disk storage is hosted on a Media Server with Windows 2008 Operating System.

Best Practices

• The 'Disk storage lockdown setting' should be kept enabled at all times.to ensure disk-based backup data is protected. By default if the setting is disabled, an alert is generated every day until the lockdown setting is re-enabled.

• Always use the latest version of Backup Exec (check the Veritas Downloads Center for the latest version) as more security features are being added with newer releases (v21 includes Ransomware Resilience v2 - more details above)

• Ensure storage used for backups are not shared with or accessible from unsecured systems.

• Backup your data regularly and consistently, using the:3-2-1 Rule:
   - Keep a minimum of 3 copies of your data, on at least 2 different types of media, with 1 copy located offsite (unplugged).

• Ensure all firmware, OS and software patches are up-to-date, including the use of security/anti-malware and IDS/IPS (intruder detection/prevention systems)

• Restrict backup credentials to the minimum required and ensure access controls and permissions are configured appropriately.

• Perform test restores regularly and always have a current Disaster Recovery Plan to hand.

• Improve employee awareness of social engineering and phishing techniques to reduce the likelihood of a ransomware attack.