Some viruses that infect computer networks prevent user access to files and even entire systems. These viruses are often referred to as ransomware or cryptolocker viruses. When a system is infected with this malicious code, the files and folders on the system are encrypted by the virus, which then demands a ransom to decrypt the data. The virus also attempts to spread from system to system and to encrypt any network shares it can reach.
Once the data on systems has been encrypted, the only options for restoring the data are:
The worst case scenario occurs when both production systems and backups are encrypted.
To minimize the risk of your Rapid Recovery Core server and repository being encrypted by ransomware, follow these best practices:
Minimize User Accounts: Restrict access to the Core server by minimizing the number of user accounts with administrative privileges.
Domain Binding: If your Core server is bound to a domain, restrict the Local Users and Local Administrators groups to only the essential domain accounts.
Account Management: Remove the "Domain Admins" and "Domain Users" groups from the Local Users and Local Administrators groups. Limit access to named accounts only.
Disable Unused Accounts: Ensure that all unnecessary local user accounts are disabled, including the default administrator account. If the default administrator account is needed, rename it and set a complex, unique password.
Disable Network Shares: Disable all network shares on the Core server, including administrative shares. To do this:
Open regedit.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters.
Set the value of AutoShareServer to 0. If the key doesn't exist, create it.
Reboot the server for the changes to take effect.
Disable SMBv1: Ensure that SMBv1 is disabled, as it has known vulnerabilities. Follow the guidance in the Microsoft article How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Learn to disable SMBv1.
Isolate Core Server: When using offsite replication, ensure that the target Core server is on a completely separate network. The only allowed traffic between the source and target Core servers should be on port 8006.
Anti-Virus Installation: Install and maintain anti-virus software on the Core server. Ensure that exclusions for Rapid Recovery are configured as per Best Practices enabling Anti-virus Exclusions (4036144) (quest.com).
Regular Updates: Keep the Core server’s operating system, web browsers, and all software up to date with the latest security patches. Avoid using the Core server for web browsing or email.
Secure CIFS Shares: If using a CIFS share to host repository files, restrict access to the share to a single, unique account used exclusively by Rapid Recovery.
NAS Security: If using a NAS to host repository files, ensure that the default password has been changed and that the NAS is configured with strong security settings.
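The account, share and SMBv1 practices above can be checked and enforced from an elevated PowerShell session. The following script is an added example, not Quest's own code: it audits each setting, reports anything that deviates, and only changes it when run with -Apply. The named service account (CoreSvc) and the decision to disable rather than rename the built-in Administrator are assumptions to adjust for your environment.

```powershell
#Requires -RunAsAdministrator
# Hypothetical hardening audit for a Rapid Recovery Core server (added example, not Quest's code).
# Run without -Apply first to see what would change; add -Apply to enforce.
param(
    [switch]$Apply
)

# 1. Account hygiene: broad domain groups must not sit in the local Administrators group.
$broadGroups = @('Domain Admins', 'Domain Users')
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $leaf = ($m.Name -split '\\')[-1]          # strip "DOMAIN\" prefix
    if ($broadGroups -contains $leaf) {
        Write-Warning "Broad group '$($m.Name)' is a local Administrator; replace it with named accounts."
        if ($Apply) { Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name }
    }
}

# Built-in Administrator is the account whose SID ends in -500, whatever it has been renamed to.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Enabled) {
    Write-Warning "Built-in Administrator '$($builtin.Name)' is enabled (disable it, or rename and set a unique password)."
    if ($Apply) { Disable-LocalUser -Name $builtin.Name }
}

# Any other enabled local account not on the allow-list is unexpected.
$allowed = @('CoreSvc')   # assumption: the named account(s) that must stay enabled
Get-LocalUser |
    Where-Object { $_.Enabled -and ($_.Name -notin $allowed) -and ($_.SID.Value -ne $builtin.SID.Value) } |
    ForEach-Object {
        Write-Warning "Unexpected enabled local account: $($_.Name)"
        if ($Apply) { Disable-LocalUser -Name $_.Name }
    }

# 2. Administrative shares: AutoShareServer = 0 under LanManServer\Parameters (effective after reboot).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$cur = (Get-ItemProperty -Path $lanman -Name AutoShareServer -ErrorAction SilentlyContinue).AutoShareServer
if ($cur -ne 0) {
    Write-Warning "AutoShareServer is '$cur' (expected 0); C$ and ADMIN$ will be recreated at boot."
    if ($Apply) { New-ItemProperty -Path $lanman -Name AutoShareServer -PropertyType DWord -Value 0 -Force | Out-Null }
}
# Shares that exist right now; the registry value alone does not remove them until the reboot.
Get-SmbShare | Where-Object { $_.Name -ne 'IPC$' } | ForEach-Object {
    Write-Warning "Share still present: $($_.Name) -> $($_.Path)"
}

# 3. SMBv1 server protocol (the Microsoft article also covers removing the optional feature).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server protocol is enabled.'
    if ($Apply) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}
```

Run the audit again after the reboot that the AutoShareServer change requires; the share check will then show only IPC$ if the administrative shares are gone.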
In the event of a ransomware attack, even if the Core server is compromised, the following steps can help expedite recovery:
Registry Backup: Regularly export a backup of the registry key HKLM\Software\AppRecovery using regedit.
Repository XML Backup: Back up the two XML files located in the repository folder. Note: If you have multiple repository extents, a single backup of the XML files is sufficient.
Secure Storage: Store the registry backup and XML files in a secure, offsite location. These files can be used to rebuild your Core server configuration and mount the repository, even if the XML files are damaged.
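The three steps above can be run as one scheduled job. The script below is an added example, not Quest's own code: it exports HKLM\Software\AppRecovery, copies the repository XML files, writes a SHA-256 manifest so a damaged or tampered copy is detectable at restore time, and marks the copy read-only. The repository path and the offsite share are assumptions; the share should be writable only by the account running this job, not by the Core server's own service accounts.

```powershell
#Requires -RunAsAdministrator
# Hypothetical backup job for Rapid Recovery Core recovery artefacts (added example, not Quest's code).
param(
    [string]$RepoPath = 'D:\Repository',            # assumption: your repository folder
    [string]$Dest     = '\\offsite-backup\corecfg'  # assumption: offsite share, separate credentials
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $Dest "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. Registry export of HKLM\Software\AppRecovery (equivalent to File > Export in regedit).
$regFile = Join-Path $target 'AppRecovery.reg'
& reg.exe export 'HKLM\Software\AppRecovery' $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }

# 2. The repository XML files at the top level of the repository folder.
$xmlFiles = Get-ChildItem -Path $RepoPath -Filter '*.xml' -File
if ($xmlFiles.Count -eq 0) { throw "No XML files found in $RepoPath; check the repository path." }
foreach ($f in $xmlFiles) { Copy-Item -Path $f.FullName -Destination $target }

# 3. SHA-256 manifest so a restore can verify every artefact before using it.
Get-ChildItem -Path $target -File |
    ForEach-Object { Get-FileHash -Path $_.FullName -Algorithm SHA256 } |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation

# 4. Read-only attribute: a cheap guard against accidental overwrite (not a substitute for
#    keeping the share unreachable from the Core server's credentials).
Get-ChildItem -Path $target -File | ForEach-Object { $_.IsReadOnly = $true }

Write-Output "Backup written to $target"
```

Keep several dated copies rather than overwriting one, so that a backup taken after the Core was already compromised does not replace the last good one.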
Review Microsoft Best Practices: Review the Microsoft best practices documentation for preventing ransomware to ensure your environment is fully protected.
Ensure that all practices are reviewed and updated regularly to adapt to new security threats and updates.