Recovery Manager for Active Directory (RMAD) provides the ability to set up a dedicated secure backup storage server. If you use a Secure Storage server in your environment it helps prevent unauthorized modification or malware attacks on backup data, supporting your key data security and compliance initiatives. For more information on how a Secure Storage server is secured, see Hardening Secure Storage servers below.
IMPORTANT |
Use of Secure Storage Server requires a Recovery Manager for Active Directory Disaster Recovery Edition license. |
Requirements
Operating system: Microsoft Windows® 2016 or higher
A stand-alone server to be used as your Secure Storage server. This server should be a workgroup server and NOT joined to an Active Directory domain.
An account that will be used to deploy the Storage Agent on the Secure Storage server. This account must also be a local Administrator on the Secure Storage server.
Physical access (keyboard) to the Secure Storage server. Once the server is hardened access with regular methods will be disabled (RDP).
Sufficient storage space on the Secure Storage server for all backup files. For one backup file, the space required is at least the size of the backed-up Active Directory database file (Ntds.dit) and the SYSVOL folder plus 40 MB for the transaction log files. The space check performed also includes an extra 1 GB to ensure enough space is available.
Best Practices
We highly recommend using a new, dedicated, clean physical server as your Secure Storage server to help ensure access methods are kept to a minimum.
Secure additional methods of accessing the Secure Storage server such as console or serial access.
Recommend the Secure Storage have additional volumes available in addition to the system drive. It is not advised to store backups on the system drive.
note |
Virtual machines are more susceptible to ransomware attacks. It is highly recommended that a virtual machine not be used for your Secure Storage server, as a bad actor could gain access to backups on the server or delete the entire Secure Storage server. |
User Scenario
Backup data for all domain controllers can be accumulated on primary storage, and at the same time, you can make a copy of your backup data on a Secure Storage server. The Secure Storage agent will pull the backup securely to the Secure Storage server while the firewall on the Secure Storage server remains in place. If disaster strikes, you could lose your backups on primary storage and even your installation of RMAD but your Secure Storage server will remain in place.
After the Secure Storage server has been added and the Storage Agent has been installed on it, the server is hardened automatically. The following list outlines what happens to a Secure Storage server when it is hardened:
All SMB server roles are disabled (SMBv1 - SMBv3).
All incoming TCP, ICMP and UDP protocols are blocked by IPSec policies, except for the high-level Secure Storage Agent ports (see below).
ICMP traffic is blocked (i.e. the server cannot be pinged).
Remote desktop (RDP) traffic is blocked.
Only one TCP agent port is left open on the server for communication with Recovery Manager for Active Directory, the Storage Agent port (by default, this is 48001) but also to allow pulling the backups there are opened ports for SMB, DNS, NetBIOS and LLMNR (incoming TCP 445 for SMB, incoming UDP 53 port for DNS, incoming UDP 5355 port for LLMNR and incoming UDP 137 port for NetBIOS).
Agent traffic is encrypted by the public/private key pair.
Logons to the server are only allowed via console (physical) access.
When a Secure Storage server is hardened, the lock icon next to the name of the Secure Storage server in the Secure Storage Servers window will be closed and it will have a Security Status of Secured.
IMPORTANT |
You cannot install the Secure Storage server agent on a domain joined server, a domain controller or a member server. A server that is hardened will not be able to perform authentication or allow replication to occur. A Secure Storage server should be a stand-alone server in a workgroup. |
To get the hardening status of a Secure Storage server
During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.
On the Secure Storage server, run the PowerShell® console. The module will be automatically imported.
To get the hardening status, run the cmdlet Get-RMADStorageServerHardeningStatus. For further details see the Management Shell Guide supplied with this release of the product.
To unharden a Secure Storage server
During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.
On the Secure Storage server, run the PowerShell® console. The module will be automatically installed.
To unharden a Secure Storage server, run the cmdlet Unprotect-RMADStorageServer. For further details see the Management Shell Guide supplied with this release of the product.
To harden a Secure Storage server manually
During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.
On the Secure Storage server, run the PowerShell® console. The module will be automatically installed.
To harden a Secure Storage server manually, run the cmdlet Protect-RMADStorageServer. For further details see the Management Shell Guide supplied with this release of the product.
It is recommended to use a dedicated, clean physical server that is not joined to a domain. However, virtualized servers can be used including a the virtual machine in the cloud. Virtualized servers on you on-premise are not recommended for use as they are vulnerable to attack.
To access the Secure Storage server that is hosted on-premise you must have physical access to the server and use interactive logon with a local administrator account.
Each Secure Storage server is installed with dedicated PowerShell® module to setup and maintain the storage server. For further details see the Management Shell Guide supplied with this release of the product.
WARNING |
While Secure Storage server remains hardened, no RDP, PowerShell® Remote and other remote control services and protocols are available. |
If you have configured the dedicated virtual machine on your physical server you may use hypervisor capabilities to control the virtual Secure Storage server including virtual machine connections and execution of commands through the hypervisor services (such as PowerShell® Direct on Hyper-V® machines).
Amazon EC2
To access a Secure Storage server that is deployed in the Amazon EC2 you can use EC2 Serial Console.
To get more information on how to connect to the virtual machine refer to Connect to the EC2 Serial Console
Microsoft Azure®
To access a Secure Storage server that is hosted in Microsoft Azure® virtual machine you can use Serial Console access. Refer to Azure Serial Console
To add a Secure Storage server it is recommended to install the agent manually. This method saves the agent installation package to the local machine. You must transfer the package manually to the Secure Storage server. This reduces the likelihood of any malware infecting your Secure Storage server by being exposed to your network before the server is secured. Your Secure Storage server is only secured after the Storage Agent has been installed and the Secure Storage server is hardened.
To add a Secure Storage server using manual method (Recommended)
In the Recovery Manager for Active Directory (RMAD) console, click the Secure Storage node.
In the Secure Storage Servers pane, click Add Server.
Type the DNS name or IP address of the server you want to use as your secure storage server.
In the Agent port field, type port number or use default port of 48001.
NOTE: Ports cannot be changed after the Secure Storage server is added. To change the port after the Secure Storage server is added, it must be removed and added again.
From the Agent installation method drop-down list, select Manual (recommended).
Type the path or browse to path to Save agent setup package to.
Click OK. The agent setup package is saved to your local machine.
Copy the package, SecureStorageAgent.zip, to the server being configured as your Secure Storage server. This requires console (physical) access to the Secure Storage server.
Extract the installation package on the Secure Storage server and double-click the SecureStorageAgent.msi file to install the agent.
A warning will be displayed and requires confirmation to proceed. IMPORTANT PLEASE READ: This server is about to be hardened and all network connections to this server will be lost including Remote Desktop. Ensure you have physical access to this server and have an available method to access such as console access or serial access. Select YES to acknowledge you understand and are prepared for the Secure Storage server to be installed and hardened. Recovery Manager for Active Directory cannot undo this operation without physical access to the server.
NOTE: For quiet installation both the /qn switch and FORCE=true can be specified when launching the msi file from the command line.
The Storage Agent is installed and the server is hardened automatically. For more information on hardening, see Hardening a Secure Storage server above.
To add a Secure Storage server using automatic method
In the RMAD console, click the Secure Storage node.
In the Secure Storage Servers pane, click Add Server.
Type the DNS name or IP address of the server you want to use as your secure storage server.
In the Agent port field, type port number or use default port of 48001.
NOTE: Ports cannot be changed after the Secure Storage server is added. To change the port after the Secure Storage server is added, it must be removed and added again.
From the Agent installation method drop-down list, select Automatic.
Specify a user account that will be used to automatically deploy the agent on the target storage server. Select Use current account to use the currently logged in user account or select Use this account. Type the user name and password for the user account to be used to deploy the agent.
Click OK.
To manually export the setup package
If you have misplaced the agent setup package or need to update the configuration for a Secure Storage server, you can manually export the package again.
In the RMAD console, click the Secure Storage node.
In the Secure Storage Servers pane, right-click the Secure Storage server that you want to manually export the setup package for.
Click Export setup.
NOTE |
The setup package is exported to your local machine. You must then copy the setup package to the server that you want to use as your Secure Storage server and run the installation. |
To delete a Secure Storage server from RMAD console
In the RMAD console, expand the Secure Storage node.
Right-click the Secure Storage server and select Delete.
NOTE |
The Secure Storage server is not automatically unhardened when deleted from the RMAD console. To unharden use available PowerShell cmdlets on the Secure Storage server. For further details see the Management Shell Guide supplied with this release of the product. |
In the Recovery Manager for Active Directory console, select the Storage node, then Secure Storage and right click.
In menu shown click on Export Servers…
In the Export storage servers dialog, select a location to save the file, enter a file name, and click Save .
If the RMAD server is lost, after installing the RMAD console on a new server, you can register the backups that are stored on the secure storage server on your new RMAD server.
NOTE |
Due to server hardening, the Automatic agent installation method is not supported when adding an existing Secure Storage server to a clean RMAD installation. |
To add a Secure Storage server on a clean installation of RMAD console
In the new RMAD console, click the Secure Storage node.
In the Secure Storage Servers pane, click Add server.
Type the DNS name or IP address of the server you want to use as your secure storage server.
In the Agent port field, type port number or use default port of 48001.
NOTE: Ports cannot be changed after the Secure Storage server is added. To change the port after the Secure Storage server is added, it must be removed and added again.
From the Agent installation method drop-down list, select Manual (recommended).
Type the path or browse to path to Save agent setup package to.
Click OK. The agent setup package for the new RMAD console is saved to your local machine.
Copy the package, SecureStorageAgent.zip, to the existing Secure Storage server. This requires console (physical) access to the Secure Storage server.
Extract the package on the Secure Storage server and double-click the SecureStorageAgent.msi file to reinstall the agent and register the Secure Storage server with new Recovery Manager for Active Directory console.
In the RMAD console, you will now see the Secure Storage server and can now retrieve your backups from the existing Secure Storage server for recovery purposes.
NOTE |
The existing Secure Storage server has continued to be hardened throughout this process. |
By default, the Storage Agent port is 48001. If you want to use a different default port, you can configure it in the Secure Storage server Properties window or overwrite when adding each Secure Storage server.
To change the default Storage Agent port
In the RMAD console, right-click the Secure Storage node and select Properties.
In the Storage Agent port field, type a port number.
The Storage Agent is used to pull the backup onto the Secure Storage server.
Click OK.
NOTE |
Ports cannot be changed after the Secure Storage server is added. To change the port after the Secure Storage server is added, it must be removed and added again. |
To view Secure Storage server properties
In the RMAD console, click the Secure Storage node, in the Secure Storage Servers pane, select a Secure Storage Server, right-click and select Properties.
Properties of the Secure Storage server will be displayed. Properties include the Host name, Agent version, Agent port, and Server Status. All properties are read only and cannot be edited.
Additionally all configured volumes are displayed in priority order. Each volume is shown with the amount of space taken by Existing Backups and the amount of Free Space available on the volume.
NOTE |
A warning icon will be displayed if a volume is running out of available free space. |
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. 使用条款 隐私 Cookie Preference Center