Best practices for protecting Rapid Recovery Core server and repository from ransomware (4032911)

Some viruses that infect computer networks prevent user access to files and even entire systems. These viruses are often referred to as ransomware or cryptolocker viruses. When a system is infected with this malicious code, the files and folders on the system are encrypted by the virus which then demands a ransom to decrypt the data. The virus also attempts to spread from system to system and to encrypt any network shares it can access.

Once the data on systems has been encrypted, the only options for restoring the data are:

1. Restore from the last good backup
2. Pay the ransom (and hope it works)

The worst case scenario occurs when both production systems and backups are encrypted.

To minimize the possibility of the Rapid Recovery Core server and the Repository being encrypted, we highly recommend implementing the following security controls:

1. Minimize the number of user accounts with access to the Core server
   1. If you bind the Core server to your domain, restrict the Local Users and Local Administrators groups to only the domain accounts that absolutely need access to the Rapid Recovery Core server.
   2. Remove the Domain Admins and Domain Users groups from the Local Users and Local Administrators groups on the Core server to restrict access to only named accounts with access.
   3. Ensure that all local user accounts on the server are disabled except for the ones you will use to log in and manage the server. Ideally you should disable the default administrator account or rename it so that it is unique.
   4. Set any local administrator account passwords so that they are complex and unique. You do not want a virus gaining access to a local account on one machine and then being able to use those same credentials to jump to other machines.
2. Disable all network shares on the Core server including admin shares. To disable admin shares:
   1. open regedit
   2. set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer = 0. If the key doesn't exist, create it.
   3. After making the change, reboot.
3. Install anti-virus software on the Core server. Please make sure to follow the steps in Quest KB 117680 to add exclusions for Rapid Recovery to function properly.
4. Ensure all Windows updates are regularly installed on the Core server operating system.
5. Keep your web browser up to date with the latest security patches and do not browse the web any more than absolutely necessary to download software, driver, and firmware updates.
6. Never check email when logged into the Core server.
7. When implementing offsite replication make sure your target Core server is on a completely separate network from your source Core server. Ideally the two networks are completely isolated and no traffic from one network can reach the other except for on port 8006 between the source Core server and the target Core server.
8. Disable SMBv1 if Enabled per Microsoft KB 22696547.
9. If using a CIFS share to host your repository files, make sure to limit access to the share to only one account that is unique and only used by Rapid Recovery.
10. If using a NAS to host your repository files, ensure that the default password of the NAS has been changed.
11. Review the Microsoft best practices documentation for preventing ransomware.

In some cases ransomware may be able to infect a Core server but not encrypt all of the repository files because they are locked and in use by the Core service. In that case the Core server OS may be damaged and the repository XML files encrypted, but the actual repository data files may still be good. To expedite recovery in this situation, you should do the following preventative steps each time you make changes to the Rapid Recovery configuration:

1. Open regedit and export a backup of HKLM/Software/AppRecovery.
2. Browse to the location of the repository files and make a backup copy of the two XML files stored in that folder. NOTE: If you have more than one repository extent you only need one backup copy of the XML files since they are all identical.
3. Place the registry backup and the copy of the XML files in a secure location separate from the Core server. Together they can be used to rebuild your Core server configuration and mount the repository even when it's XML files have been damaged.