Keep it simple / best practices for setting up a server, specifically 2012R2 essentials related to previous versions

We got burned by CryptoWall and wonder about some things.  We had backups so not a big deal, but another way would have been previous versions on the server.  The infection was on a laptop that encrypted files on the server that had mapped shares.

When I looked at previous versions on the server (2011 SBS server), there were none on the D drive - the data drive.  Checking the settings, I saw that the C drive previous versions was configured, but drive D was disabled.

Someone else set up this server.
Being that the malware wasn't running on the D drive, it wouldn't have been able to disable previous versions, right?
When setting up a 2011 SBS / 2012R2 Essentials box and making a C and D drive, the C drive previous versions is on by default, right?
But what about D? You have to remember to manually configure that?
Which goes to the question - do you just make a single large C drive for data and OS? That's my thinking, but more expert people here disagree? Along with wondering if C is too big / too small for the OS, here's another reason to just make a single drive?

And settings for previous versions - do you set a maximum amount of space or limit the amount available? Might as well give all the space? Something like CryptoWall changing all files would need lots of space for previous versions?
Lee W, MVP (Technology and Business Process Advisor) commented:
If memory serves, no version enables by default.  But that said, ESPECIALLY when working on a server you set up, you should never assume.  Maybe they never enabled it... or maybe they disabled it for some reason.  As part of your on-boarding process you need to examine the server and check the settings.

As for size, depends on space available.  As a best practice, to improve performance, VSS copies should be on a separate physical drive and then I leave them at max space MOST of the time.  

NEVER make a single drive.  It's messy, increases your chances of problems and complicates future upgrades.

As far as crypto viruses, why couldn't one disable vss?  It all depends on the permissions it has when it executes.  And some will repeatedly change files so as to use up all the space and make recovery more difficult.  Think about it from a BUSINESS perspective.  I'm a malware writer trying to extort money from victims.  If I can find a way to ensure that, short of an offline backup, you cannot leverage technologies to recover, I stand a better chance at making money... if I could, why wouldn't I disable VSS or overload it?
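Lee's advice above (inspect the inherited server rather than assume, put the shadow storage on a separate physical drive, leave it at maximum size) can be turned into a repeatable check. The script below is an added example written for this page, not code from the thread or from Microsoft; it assumes the data volume is D: and that a separate disk E: exists for the shadow-copy diff area (change both parameters to fit). Run without switches it only reports, per fixed NTFS volume, whether shadow storage is associated, where it lives, its size cap, and how many shadow copies currently exist; with -Configure it associates D: with storage on E: at UNBOUNDED size, takes a first snapshot, and schedules the twice-daily snapshots the Shadow Copies dialog would have created. Every step that changes configuration needs local Administrators on the server, which is also why a workstation holding only a standard domain user's credentials cannot alter these settings across a mapped share.

```powershell
# Added example (not from the original thread): audit, and optionally configure,
# Previous Versions (VSS shadow copies) per volume on SBS 2011 / Server 2012 R2.
# Assumptions: data volume D:, separate physical disk E: for the diff area.
param(
    [switch]$Configure,
    [string]$DataVolume = 'D:',
    [string]$DiffVolume = 'E:'
)

# VSS configuration requires local Administrators on the server; refuse to go further otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt on the server.'
}

# Fixed (DriveType 3) NTFS volumes with a drive letter, current storage associations, existing shadows.
$volumes = Get-CimInstance Win32_Volume |
    Where-Object { $_.DriveType -eq 3 -and $_.FileSystem -eq 'NTFS' -and $_.DriveLetter }
$storage = Get-CimInstance Win32_ShadowStorage
$shadows = Get-CimInstance Win32_ShadowCopy

function Get-DriveLetterForDeviceId([string]$DeviceId) {
    ($volumes | Where-Object { $_.DeviceID -eq $DeviceId }).DriveLetter
}

# Win32_ShadowStorage.Volume / .DiffVolume are references keyed on Win32_Volume.DeviceID,
# and Win32_ShadowCopy.VolumeName carries the same \\?\Volume{GUID}\ path.
$report = foreach ($v in $volumes) {
    $assoc = $storage | Where-Object { $_.Volume.DeviceID -eq $v.DeviceID }
    [pscustomobject]@{
        Volume      = $v.DriveLetter
        Enabled     = [bool]$assoc
        DiffArea    = if ($assoc) { Get-DriveLetterForDeviceId $assoc.DiffVolume.DeviceID } else { $null }
        MaxSpaceGB  = if (-not $assoc) { $null }
                      elseif ($assoc.MaxSpace -eq [uint64]::MaxValue) { 'UNBOUNDED' }
                      else { [math]::Round($assoc.MaxSpace / 1GB, 1) }
        UsedSpaceGB = if ($assoc) { [math]::Round($assoc.UsedSpace / 1GB, 1) } else { $null }
        Shadows     = @($shadows | Where-Object { $_.VolumeName -eq $v.DeviceID }).Count
    }
}
$report | Format-Table -AutoSize

if (-not $Configure) { return }

# Associate the data volume with shadow storage on the separate disk, uncapped.
# 'add' fails if an association already exists, so resize the existing one in that case
# (resize must name the diff volume currently in use, not a new one).
$dataDeviceId = ($volumes | Where-Object { $_.DriveLetter -eq $DataVolume }).DeviceID
$existing     = $storage | Where-Object { $_.Volume.DeviceID -eq $dataDeviceId }
if ($existing) {
    $on = Get-DriveLetterForDeviceId $existing.DiffVolume.DeviceID
    & vssadmin resize shadowstorage "/For=$DataVolume" "/On=$on" /MaxSize=UNBOUNDED
} else {
    & vssadmin add shadowstorage "/For=$DataVolume" "/On=$DiffVolume" /MaxSize=UNBOUNDED
}

# Take a first client-accessible snapshot now, so Previous Versions is populated immediately.
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
    -Arguments @{ Volume = "$DataVolume\"; Context = 'ClientAccessible' }
if ($result.ReturnValue -ne 0) { throw "Shadow copy creation failed, code $($result.ReturnValue)" }

# Schedule snapshots as SYSTEM on weekdays at 07:00 and 12:00 (the GUI's default times).
foreach ($time in '07:00', '12:00') {
    $taskName = "ShadowCopy_$($DataVolume.TrimEnd(':'))_$($time.Replace(':',''))"
    schtasks /Create /F /RU SYSTEM /SC WEEKLY /D MON,TUE,WED,THU,FRI /ST $time `
        /TN $taskName /TR "vssadmin create shadow /for=$DataVolume"
}
```

Run it once after inheriting a box to get the per-volume table (a D: row showing Enabled = False is exactly the situation described in the question), and keep the audit half in your on-boarding checklist. The report also makes the capacity trade-off visible: UsedSpaceGB climbing towards a small MaxSpaceGB means older snapshots are being discarded, which is what a bulk-rewrite event like ransomware will cause.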
Thomas Zucker-Scharff (Solution Guide) commented:
It depends on the version of the crypto trojan that hits you.  Some versions will turn off system restore and then turn it back on effectively wiping out any previous versions you had.  Some don't bother to turn it back on at all.  Your only real way to recover from a crypto trojan is a good set of backups.  Versioning backups are the best of course, but any good set (not kept on a network share) will do.  Note that the newer versions of the crypto trojans will encrypt non-mapped shares as well.

Prevention: See my article on ransomware prevention and the comments at the end as well.

Setup of a server:  I heartily suggest one partition for the OS only and another for data.  This generally makes life a lot easier when troubleshooting.  There is the free EaseUS software to resize partitions (see this article). Also if you qualify you can get Paragon's software for free and that makes changing the partition size a breeze (https://www.paragon-software.com/technologies/ptac/).
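Both answers make the same point: whether malware can remove Previous Versions comes down to the privileges it runs with on the machine that holds the shadow copies. That turns the question "was VSS disabled by the attacker or never configured?" into something you can check on the server itself. The following is an added example, not code from the thread; it relies on Windows process-creation auditing (Security event 4688) with command lines recorded, which on Server 2012 R2 requires KB3004375 and the two settings shown in the comment header. The command patterns it searches for are my assumption about what to look for (the commonly seen ways of deleting or starving shadow storage), not commands the thread reports CryptoWall using.

```powershell
# Added example (not from the original thread): list every process-creation event on this
# server whose command line deletes or shrinks shadow copies, and the account that ran it.
# One-time setup, as an administrator (KB3004375 is needed on Server 2012 R2 for the
# CommandLine field to be populated):
#   auditpol /set /subcategory:"Process Creation" /success:enable
#   reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ^
#       /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

function Find-ShadowCopyTampering {
    param([int]$Days = 30)

    # Assumed patterns: the usual ways shadow copies get destroyed or starved of space.
    $patterns = @(
        'vssadmin(\.exe)?\s+delete\s+shadows',
        'vssadmin(\.exe)?\s+resize\s+shadowstorage',
        'wmic(\.exe)?\s+shadowcopy\s+delete',
        'wbadmin(\.exe)?\s+delete\s+catalog'
    )
    $regex = $patterns -join '|'

    # Reading the Security log needs an elevated prompt on the server.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of scraping message text.
        $data = @{}
        foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data['CommandLine'] -match $regex) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Account     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                # %%1937 is TokenElevationTypeFull: the process ran with a full admin token.
                Elevated    = ($data['TokenElevationType'] -eq '%%1937')
                Process     = $data['NewProcessName']
                CommandLine = $data['CommandLine']
            }
        }
    }
}

Find-ShadowCopyTampering -Days 30 | Format-Table -AutoSize
```

No rows for the incident window, combined with a volume that never had shadow storage associated, points at configuration that was never done rather than at the malware; a row naming a domain account with Elevated = True tells you which credentials the attacker actually held on the server, which matters far more for the rebuild than the filename of the dropper. Either way, as Thomas says, the shadow copies are a convenience, not the backup.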
BeGentleWithMe-INeedHelp (Author) commented:
Lee: care to expand on 'check the settings'? There are many on a server. Is there a doc listing the settings that you check on an inherited machine, or set or at least look at on a new machine?

Why couldn't it disable VSS? I defer to you on that. I am thinking at least for the server where the encryption comes from the malware running on a desktop machine. Would you know if a desktop with standard domain user credentials would be able to change the VSS settings on the server?  That was the case here - the malware was on the desktop.  So the fact that VSS was off on the server's D drive I am thinking was a lack of configuration by authorized admins.
Thomas Zucker-Scharff (Solution Guide) commented:
Let's just leave it that it can be done.  It usually involves some social engineering.  At any rate, you can't depend on VSS after a crypto incident.  You really should have versioned backups on an unshared server, or completely offline.  The only real solution is to rebuild the server.  I wouldn't want to trust any "recovered" device.  This goes for any trojan or infection.  Best course of action is to do a complete wipe and reinstall.
Lee W, MVP (Technology and Business Process Advisor) commented:
"I wouldn't want to trust any "recovered" device."
COMPLETELY AGREE.  But sometimes you do when the risk is analyzed and the data/consequences aren't too great.

As for what to check - that's your process.  Whatever services you rely on/routinely set up.  Go through features you want/expect to use, services to document what's running... Every case is different, but if you want to be well regarded by your clients and not caught off guard, you need to inspect what was done and how it was done to ensure you are familiar with the config and that it conforms to how you would have set up the server had you been the one to set up the server.  You know what they say happens when you ASSUME :-)

BeGentleWithMe-INeedHelp (Author) commented:
thanks