How to protect backups from Ransomware? PULL Backups from UNC Path onto dedicated "backup" PC with Acronis True Image 2018 running?
I have 2 computers at home, both running Windows 10 (Pro I think). One is a "Client" (the one I use for general use), and the other is a "Backup server" sitting behind the TV. I back up to a UNC Path on the "server" (I am currently using CrashPlan for files, and Acronis for system image, but am looking to use TI 2018 for both now).
I'm wondering how safe this is from a ransomware standpoint? Ransomware is apparently becoming more aggressive about searching/going after backups to prevent a restore. My "backup server" drive is accessed via a UNC Path - does this mean that ransomware will be able to find it and encrypt it?
Does anyone else have a good strategy (other than disconnecting the target USB Drive or Share folder)? It's of value to me to have the backup server switched on 24*7, since the backups get done on schedule if the target is connected and available. I understand the value of an "air-gapped" disconnected drive or whatever (and also do that occasionally), but I don't want to have to turn my main backup server on/off for ongoing backups.
One thought was to use a "Pull" approach - to install my Acronis TI 2018 on the "backup server" instead of the desktop client and do the backups the other way round (to have it "pull" the data from my main desktop via a UNC path - I realise this would only work for files and not system backups). This would mean that while the backup server would have access to the desktop computer, there would be no need for access the other way round. Any ransomware (which is much more likely on the desktop PC) wouldn't be able to get to the backups?
Any thoughts, alternatives etc.? Are there any snags/problems with this approach?


Welcome Aidan,
Your having 2 Windows 10 computers is an advantage in this scenario as you can determine and set the SMB Protocol used during share access on the Target (Server) machine. Your Client machine would then negotiate the highest possible Protocol SMB connection between it and the server for data transmission. What this means is that you can expect to achieve SMB 3.0 at a minimum with your setup which is currently the highest level of security of all Windows SMB Protocol variants.
Linux based servers have gone beyond this to SMB4.0 and its variants. I currently use a Linux based server (FreeNAS) as a NAS device and use the Linux (Samba) SMB 3.0 variant 3.1.1 Protocol. The SMB 3.0 and its variants are very secure and I am confident that ransomware as we know it today would not be able to attack the data behind the Protocol.
There is an additional feature of SMB 3.0 which I do not use to date but may in the future and that is that it is possible to encrypt all data transmitted with the Protocol which should thwart any attempts to further encrypt the data to the best of my knowledge.
You can find out what version of SMB your connection currently has by using PowerShell. You would first open a connection from, say, Explorer to a share on your target machine. Now open PowerShell as admin and type the following command, Get-SMBConnection, and press Enter. You will get an output like shown below:
As you can see, I have a guest account open using SMB Protocol 3.1.1; currently only 1 open connection exists.
You can learn more about PowerShell SMB commands (cmdlets) at the link below. Use caution as these are powerful, so make sure you fully understand the command before running them. Some may not work due to supporting services or such not being installed. You probably shouldn't need any of those.
For more on SMB 3.1.1 encryption look Here
The information above should go a long way in answering your concerns.

@Enchantech , many thanks for your reply, and apologies I didn't get to acknowledge it sooner.
I'm not familiar with SMB, so I'll dig a bit to see where I get to.
Many thanks,
Aidan.

There have been several discussions on this forum with, as I recall, no definitive solution. I think it was determined that a remote target of a backup using an SMB connection may be vulnerable to ransomware attacks for the duration of the SMB connection. (Perhaps that was true only for SMB 1 or 2.) It has been confirmed that Acronis Active Protection will not protect .tib files on a remote share (connected via SMB). Since your configuration involves 2 computers running Windows (rather than a Windows computer plus a NAS device) you could have ATI with AAP running on both. That would protect your .tib files from ransomware. (Would the "remote" AAP complain when the "local" ATI tried saving a .tib file on it?)
One option is to make backups to a local external drive using ATI and then copy the .tib files to a remote location across a non-SMB connection. I use FTP but there are probably many other options in the Windows-to-Windows configuration. I would recommend not using the ATI FTP support; the Acronis support of FTP does not seem ready for prime time.

Thanks Patrick. It's really interesting to hear that Active Protection won't protect backups on a remote share. I get what you mean about putting Acronis True Image (or just Active Protection, which I think is available separately for free?) on the target machine where the backups are stored to protect them.
But really what I am looking for is a strategy (other than turning that machine off) that will make them inaccessible from the desktop machine I use most of the time and am backing up, so that ransomware can't get to them.
My current thoughts (until I understand SMB etc. better) are to move ATI to the "server" WIN10 machine, and "pull" the data from the desktop machine. This would mean the desktop wouldn't need access to the "server" (although the server would obviously need remote share access to the desktop). Since the desktop is where most of the ransomware risk is (the only PC in the house I use on a regular basis), that would drastically cut down on the risk of ransomware getting to the backups and infecting them, I think.
I'm not keen on manually copying files via FTP or other means, since I really want this to happen regularly without intervention.
best regards,
Aidan.

I think AAP is an integral part of ATI (and maybe other Acronis programs) and is not available as a stand-alone product. Others more familiar with the products will certainly correct me if I'm wrong.
I know nothing about the internal workings of Acronis products but I assume AAP must get inserted in OS routines that open/read/write directories and files. I assume Windows provides the hooks for that insertion for local files but maybe no such hooks are provided in SMB routines. Or maybe the hooks are provided but the logic needed is vastly different. In any case, I think it is understandable (but very unfortunate!) that AAP does not (yet) provide protection for files and directories accessed via SMB.
I hope someone knowledgeable in SMB comments on your "pull" thought. I don't know if that's more safe or not. It very well might be.
Regarding FTP, I've got a batch FTP scheduled to run weekly that FTPs some .tib files to a NAS. It's not ideal by any means: it runs under my id and puts up a distracting command window. If I'm not logged on it doesn't run but (in theory) is retried shortly after I log on. And I'm the only one using this computer so I'm always logged on when the computer is on.

Active Protection Free is available HERE
Definitive article on SMB dialects, signing, and encryption can be found HERE
The security measures present in SMB dialects 2 and greater provide for only authenticated access to SMB shares. These measures are largely aimed at MITM (man in the middle) attacks on SMB sessions. As this relates to backups is something quite different.
Active Protection protects against ransomware on the Windows device on which it is installed, where the Windows version is Win 7 SP1 or higher. Active Protection does not monitor Windows SMB traffic at this time, and this is where a vulnerability exists in Active Protection. Example: if a backup .tib file is targeted for a modification attempt, such as a copy, outside of the True Image application, such an attempt will be blocked as a suspected ransomware attack because the copying of files is a known behavior of ransomware. The user is notified of the block and given choices for remedy. When such a modification is targeted at a .tib file residing on an SMB share, however, no such block is carried out by Active Protection and the copy is carried out.
I hope that this vulnerability will be addressed in a near future release of the product. It certainly needs to be.
Aidan, your proposed scheme has merit. I would offer the following suggestions.
The best defense against unwanted intrusion is management of sharing data. By default Windows now makes the user authorize the sharing of data on a computer. If sharing is configured properly, security risk is greatly reduced. This is particularly true for remote SMB shares. I suggest that you set up a single shared folder on the remote (server) PC sharing data with the source (client) PC. Create your backups from the client to this shared folder. This shared folder should be created under a separate user account on the server, preferably a standard Windows account.
Once the backups are created, copy or move the backups to another non-shared folder on the server PC. Installing Active Protection Free on the server PC will provide protection of all .tib files on that PC so that if ransomware were introduced it should be stopped. Since this secondary folder on the server does not have shared access, SMB is removed from the equation as it is simply a local folder. Only protection on a local level is therefore needed, provided that share access to the server is configured correctly.

Many thanks for the clarification on Active Protection, and the current limitations when dealing with remote shares.
Also, I hadn't thought of the option of "..Once the backups are created copy or move the backups to another non-shared folder on the server PC....". This would effectively put the copies at least out of harm's way if ransomware got to the client/desktop PC - as long as the copy were done frequently enough to be up to date, and infrequently enough not to have copied encrypted .tib backup files before the attack was identified. Doing this additional copy manually on a periodic basis probably limits the possibility of copying infected files over (assuming you have realised they are infected). There is the additional concern that this ought to be automated to ensure it gets done, and then there's the concern about the additional automation: will it be reliable, how will I detect if it starts failing, etc. Every scheme needs to be tested regularly of course, but the fewer bits in the mix the better.
Installing Active Protection (free version) would add an additional layer of protection on the server of course.
I could do all of this without moving ATI to my "server" PC, so this is a very useful option.
I can't help thinking though that moving Acronis to the "server" and giving the desktop machine/users no access at all (other than via remote desktop) to the headless server PC where backups are stored is the best option. The server PC's access could be limited to just read-only to the source data via a dedicated backup userid. Without knowing the full ins & outs of network security, with a decent Security package/Firewall/Antivirus/Antimalware (I use BitDefender) it's hard to see how malware/ransomware infecting the client could ever get at the server PC. And since the server PC is never used for browsing/email etc. the possibilities of a direct infection there are very limited. If it did, and the attackers gained access, they would only have read access to the main PC's data via the compromised user on the server.
It all sounds overkill I know, but even for a home user (with 1TB+ of valuable photos, docs, software downloads etc. over a decade or more) a ransomware attack can be very devastating. The icing on the cake (if it were possible) would be a scheme to have the backup server switch itself off after each backup, and switch back on automatically at a set time to continue with the next one - effectively "air gapping" it between backups. I've searched, but not found any reasonable cost backup appliance or backup drive that will do this. There's a product in the making there I think.
I can't see a flaw (yet) in this approach; do you think it would work?

Aidan...The biggest problem with moving True Image to your server is that you won't be able to make a 'disk' mode backup. If you don't have a disk mode backup, then, in the event of an attack or disk failure, you would have to re-install Windows and all of your apps, and then restore your data. A 'Restore' of a 'disk' mode backup would have you back up and running, with the computer at the same 'state' as when the backup was made. With your method, you could certainly back up your data (files/folders). (I know that you know this, but I think it is worth repeating)
Personally, all I perform are disk mode backups. Also, I have configured my NAS connections per Enchantech's recommendations, including copying backups to a non-shared folder.

Aidan,
You should have a look at Robocopy (free in Windows), which can be used to copy files from one location to another. Robocopy runs from a command line, so it is possible to create a Robocopy command file, then use Windows Task Manager to run the file at predetermined times. This would help automate the process.
Moving such files will free up disk space on the server, which should be of benefit over copying. If some manual involvement can be achieved you could run a Robocopy command on the server, manually set up to move files from a non-shared folder to an external drive which you attach to the server only for this purpose. After transfer is completed the external drive can be disconnected from the server and stored anywhere you desire. This allows for maximum data security and the ability to keep data off site, for example.
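As an added example of the Robocopy-plus-scheduled-task move described in the post above, combined with the single-shared-folder then non-shared-folder layout suggested earlier in the thread; this is not code from the thread or from Acronis. The folder paths, task name, the SYSTEM account and the one-day "finished" threshold are assumptions, and the task is registered with Task Scheduler.

```powershell
<#
Added example, not from the thread: moves finished .tib backups out of the
single shared landing folder into a non-shared folder on the "server" PC,
then (with -Register) installs itself as a nightly Task Scheduler job.
Folder paths, task name and the 1-day "finished" threshold are assumptions.
#>
param(
    [string]$SharedFolder  = 'D:\BackupLanding',   # the only folder shared to the client
    [string]$PrivateFolder = 'D:\BackupVault',     # never shared; a plain local folder
    [string]$LogFile       = 'D:\BackupVault\move-backups.log',
    [switch]$Register                              # run once with -Register to schedule
)

if ($Register) {
    # The task runs as SYSTEM on the server, an account the client PC holds no
    # credentials for, so nothing on the client can reach the vault folder.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At 3am
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable
    Register-ScheduledTask -TaskName 'Move backups to vault' -Action $action `
        -Trigger $trigger -Principal $principal -Settings $settings -Force | Out-Null
    return
}

New-Item -ItemType Directory -Path $PrivateFolder -Force | Out-Null

# /MOV      copy, then delete the source, freeing space in the shared folder
# /MINAGE:1 skip files modified in the last day, so a backup Acronis is still
#           writing is never moved half-finished
# /R:2 /W:5 retry a locked file twice, 5 s apart, instead of the default million retries
$robocopyArgs = @($SharedFolder, $PrivateFolder, '*.tib',
                  '/MOV', '/MINAGE:1', '/R:2', '/W:5', '/NP', "/LOG+:$LogFile")
& robocopy.exe @robocopyArgs
$rc = $LASTEXITCODE

# Robocopy's exit code is a bitmask: 1 = files copied, 2 = extra files, 4 = mismatches;
# 8 or above means at least one file failed, which is the case worth noticing.
$stamp = Get-Date -Format 's'
if ($rc -ge 8) {
    Add-Content $LogFile "$stamp MOVE FAILED, robocopy exit code $rc"
    exit 1
}
# A .tib older than a day still sitting in the share means the move is silently
# not keeping up; flag it now rather than discovering it at restore time.
$stale = Get-ChildItem $SharedFolder -Filter '*.tib' |
         Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-1) }
if ($stale) {
    Add-Content $LogFile "$stamp WARNING: $($stale.Count) stale .tib file(s) left in $SharedFolder"
    exit 2
}
Add-Content $LogFile "$stamp OK, robocopy exit code $rc"
exit 0
```

Run it once from an elevated prompt with `-Register` to create the task; Task Scheduler's "Last Run Result" column then shows 0, 1 or 2, so a failing move is visible without opening the log.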

" It's really interesting to hear that Active Protection won't protect backups on a remote share "
It does if your remote share is a Windows PC running ATIH 2018 with AAP, too. That's how my multi-talent and high performance small form factor "NAS"* works.
In my case I use a drive that has special NTFS permissions that only allow a remote computer to write and delete there using a special local account on this machine. This was my way to protect before AAP existed and might be obsolete today.
If you want to have details which HW components I've chosen for this let me know :)

Hi Karl,
Glad to hear that your NAS setup running Windows with ATI with AAP will protect backups stored there from ransomware. My question would be, what version of Windows do you have running on the NAS?
Unfortunately for most consumers the boxed offerings of NAS devices on the market run a trimmed down version of Linux, so having ATI installed on such a device is not doable. I am hopeful that AAP will soon be able to overcome this shortcoming of not monitoring/protecting SMB remote shares. Many users of the True Image product use these NAS devices and so this issue needs to be remedied ASAP.
With AAP now being offered as a free download, might we see a Linux based offering? Most of the NAS devices I've seen run application plugins for offered services on the device. It might well be possible to release something that might be compatible with the majority of such devices on the market.
Whatever the future brings, it most certainly should address the remote share issue.

Even if Acronis releases a version of AAP for Linux there is a problem of installing it on a NAS. Some vendors readily allow installation of 3rd party software; others make it very difficult.

Karl...your set up sounds interesting. My question is: What happens when ATI on the Client PC attempts to perform a clean up operation and delete a .tib series? Does ATI AAP on the Server allow this?

Hi Randy,
Yes it does. The only issue that usually happens is when you have another scenario:
machine A backs up to local drive > OneDrive folder > uploads to O365 OneDrive
machine B is using the same OneDrive folders. If you delete the backup on a different machine, then the .tib file deletion will be prevented on machine A because "system" (OneDrive) will delete the .tib. AAP protects against this. Exclusions don't work and I have discussed this with the support already. There is no good solution, except preventing this and using OneDrive with the new feature "on demand files" on machine B.
The usual cleanup operation made by ATIH on Machine A (source) will not be interfered with by Machine B AAP (target).
Thanks Bob, all machines use Windows 10 (Pro); the NAS is also powerful enough to host Hyper-V and has 2 onboard NICs. When I have time I will host a Sophos XG on this. Had that set up already but it is not too easy to set up the firewall properly.