Protect ISCSI used for Backup

We had a business about ten minutes away get hit with Cryptolocker...and I read up where it can encrypt any files that are on any attached devices.
Which got me to thinking that we backup to an ISCSI target which appears as another drive letter to the system.  (Server 2008R2).

Is there a way top better protect the ISCSI target so it's not always online sitting there waiting to be hacked?

Thanks.
LVL 1
dougp23Asked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
strivoliConnect With a Mentor Commented:
You are right. But lets analyze how can a malware encrypt a file:
a. The malware runs with someone's account. It might be the user's who first launched the infected file or it might even be SYSTEM's account.
b. The file's permissions must allow encryption. By default "Everyone" can encrypt.

If you:
a. Run the backup with a special user and a strong password.
b. You allow only the special user to access the backup file (backup file permissions).
c. Encrypt the backup file.

If the above conditions are met, I can't imagine how can a malware encrypt such a file.

Anyway... I think there's a PowerShell command that allows you to connect/disconnect iSCSI targets. Sorry but I don't have it handy.
0
 
strivoliCommented:
I would protect the backup itself instead of the target. The best way is to encrypt the backup.
0
 
dougp23Author Commented:
Uhm..well the backup is on an ISCSI device, so let's say it appears as drive X to the system.  I encrypt the backup.  OK.  So now someone gets Cryptolocker and it encrypts my encrypted backup.  I'm still hosed....

I was wondering more along the lines if there is a way to write a short script that connects the ISCSI target just before backing up, and disconnects it just after backing up.
0
 
SelfGovernConnect With a Mentor Commented:
You raise a good question.

Make sure none of your users have admin rights on the server.

Make sure admins do not use the server for any non-admin purposes.
And yes, that needs to be NOT ANY.  
If you haven't already, make sure that they have formal training on
security best practices.

Best practice would include sending your backups to at least one other
target -- for instance, a tape drive, so that the tape is not writable as a
file system, and can be moved offsite to protect against a site-wide
disaster.  This won't stop your iSCSI store from being encrypted, but it
will give you a second restore source and allow you to go back in time
to various points in time as necessary.
0
All Courses

From novice to tech pro — start learning today.