?
Solved

Backup Exec Encryption/Server 2003 password hacking

Posted on 2007-07-25
16
Medium Priority
?
947 Views
Last Modified: 2013-12-01
I have a client who uses Symantec Backup Exec 11d to backup a Windows 2003 SBS to a Dat Drive with a restricted encryption key.

As I understand it Data can only be restored if the the pass phrase is known or by the key owner.  As the key owner will have have an AD username and password that could be hacked (LC5/Rainbow etc), I wonder how secure the encrypted data on the DAT cartridges actually is. Can anyone advise?

Thanks
0
Comment
Question by:jimmycan
  • 8
  • 6
  • 2
16 Comments
 
LVL 28

Accepted Solution

by:
peakpeak earned 1200 total points
ID: 19569916
You mean if the tape is actually stolen? In such a case you need to balance the Intellectual Property against its Value, would anyone go so far as to steal it? If the culprit doesnt have access to the AD but only to the tape, then it's a bit complicated, n'est pas?
0
 

Author Comment

by:jimmycan
ID: 19570120
Given the nature of the data it isn't beyond possibility that someone might but I was thinking more of a disgruntled employee or temporary member of Staff. If they got access to the Backup Exec Logon account they could restore date sensitive files and the encryption passkey would be useless.

I looked into using Geniesoft Server Backup Manager. It would only allow a user with the AES256 Passkey to restore data. Seemed a better and more secure way to do it. Unfortunately I had problems with this product in other areas which made it unsuitable.
0
 
LVL 28

Expert Comment

by:peakpeak
ID: 19570147
What about physical security? You mean everyone cab just grab a tape and dismantle it, exploring the secrets?
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 

Author Comment

by:jimmycan
ID: 19570229
Well no. Not that easy. But I think physical security is impossible to maintain 24/7 in the average work enviroment.

There are about 120 employees, some with a resonable degree of computer expertise and that is why I wanted to find someway where only a the 2 Directors and myself can restore data.

I feel it would be about as secure and simple as  possible if the passkey was required each and every time a file or files are to be rstored.

I think that obtaining the Backup Exec Account password for the encryption key owner is an unnecessay risk. I could be wrong though...
0
 
LVL 26

Assisted Solution

by:MidnightOne
MidnightOne earned 300 total points
ID: 19570282
Jimmycan:

Try building a new server unrelated to your operation (i.e., not in the domain and unconnected to the network), attach your backup hardware, and try a tape restore using the same software.

At worst, you'll learn new swear words. At best, that your tapes are reasonably secure.
0
 

Author Comment

by:jimmycan
ID: 19570325
Yes. I will. I'll try that and post again. Thanks for all your comments to day MidnightOne.
0
 
LVL 28

Expert Comment

by:peakpeak
ID: 19570336
What about a locked room in the first place??
0
 

Author Comment

by:jimmycan
ID: 19570368
Thanks for your responses peakpeak.

The server room is normally locked but I can't be sure happening when I'm on annual leave, training etc so back to square one. I can't understand why Symantec designed it that way. Must be some reason...
0
 
LVL 28

Expert Comment

by:peakpeak
ID: 19570395
be SMART jimmy, CHANGE the password and bring it WITH you !!!!
0
 
LVL 28

Expert Comment

by:peakpeak
ID: 19570402
Tape Too !!!
0
 
LVL 26

Expert Comment

by:MidnightOne
ID: 19570406
I had a safe where I worked. I had the combination. They had the number for a locksmith if I got hit by a bus.
0
 
LVL 28

Expert Comment

by:peakpeak
ID: 19570414
pass phrase, do you know it?
0
 
LVL 28

Expert Comment

by:peakpeak
ID: 19570423
this is a test, nes't pas?
0
 

Author Comment

by:jimmycan
ID: 19570495
Not sure about that. Still thing the best/simplest/securiest solution would be if no passkey - no restore.
0
 
LVL 28

Expert Comment

by:peakpeak
ID: 19570613
Best Practicies is to RELY on people, there's always a possibillity of break. Can you restructure the culture of the company to a more civilized level? Are you able to do that?
0
 

Author Comment

by:jimmycan
ID: 19616350
Thanks for you time Gentleman...J
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s a season to be thankful, and we’re thankful for users like you who engage on site, solve technology problems, and network with others in the industry. What tech are we most thankful for? Keep reading.
Your business may be under attack from a silent enemy that is hard to detect. It works stealthily in the shadows to access and exploit your critical business information, sensitive confidential data and intellectual property, for commercial gain. T…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question