CryptoLocker Word Of Caution
Posted by Reprinted Article on 03 October 2013 02:03 PM
One of the things we have done from the get-go when setting up ShadowProtect to stream backups, whether to a drive set connected to a standalone Hyper-V host or to the standalone DC in a Hyper-V cluster setting, is to set the shares so that only the Domain Admins group gets Modify (MOD) access.
Inheritance on the folder's NTFS permission set is disabled (with the inherited entries copied onto the folder), and then the Domain Users and Machine Users groups are removed altogether.
We do this for a number of reasons.
While we are in our clients' servers on a regular basis, occasionally a domain admin account password will expire in the interim.
When that happens ShadowProtect starts failing to back up to the shared folder because it can no longer log on, which flags the expired password for us: a small bonus in the mix.
We are seeing CryptoLocker problems abound lately where someone clicks on a link in an e-mail or is drawn to a compromised site. What that means is that _any_ file/folder set the user has permissions to access and modify may end up encrypted by the malware.
The _only_ way to “recover” from this situation is via Shadow Copies or backup.
If the backup drive and/or backup folder destination for those ShadowProtect backup files, or for any other product that lays down backup files, is open for users to access and modify, then we all know what can happen: the backups get encrypted right along with the user's data.
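The lock-down described above, written out as an added PowerShell example (not from the original article): inheritance is broken with the inherited entries copied down, Domain Users and the built-in Users group are purged, Domain Admins get Modify, and the share is published with matching share-level rights. The folder path, share name and CONTOSO domain are placeholders; it assumes an elevated session on Windows Server 2012 or later, where the SmbShare cmdlets exist.

```powershell
# Added example, not the article's own script. Placeholders: adjust to your site.
$BackupPath   = 'D:\ShadowProtect'        # placeholder backup folder (must exist)
$ShareName    = 'ShadowProtect$'          # placeholder hidden share name
$DomainAdmins = 'CONTOSO\Domain Admins'   # placeholder domain
$DomainUsers  = 'CONTOSO\Domain Users'

# 1. Break inheritance but copy the inherited entries onto the folder, then
#    persist and re-read so the copied entries become explicit and editable.
$acl = Get-Acl -Path $BackupPath
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
Set-Acl -Path $BackupPath -AclObject $acl
$acl = Get-Acl -Path $BackupPath

# 2. Remove every entry for Domain Users and the built-in Users group; these
#    are what would let an infected workstation write over the backup files.
foreach ($principal in @($DomainUsers, 'BUILTIN\Users')) {
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$principal)
}

# 3. Grant Domain Admins Modify on this folder, its subfolders and files.
$modify = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $DomainAdmins,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($modify)
Set-Acl -Path $BackupPath -AclObject $acl

# 4. Publish the share with Change for Domain Admins only (no Everyone entry).
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $BackupPath -ChangeAccess $DomainAdmins | Out-Null
}

# 5. Verify: list any NTFS entry left for a principal other than Domain Admins,
#    SYSTEM or the local Administrators group. An empty result is what you want.
(Get-Acl -Path $BackupPath).Access |
    Where-Object {
        $_.IdentityReference.Value -ne $DomainAdmins -and
        $_.IdentityReference.Value -notin @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run the verification step again after any change to the parent folder's permissions, since a re-enabled inheritance would quietly bring Domain Users back.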
Point of order: Any backup product that uses the Volume Snapshot Service should have its backup times staggered relative to the scheduled Volume Shadow Copy snapshots, as having two snapshots running simultaneously can leave the data toast on both sides.
Chef de partie in the SMBKitchen