Reliable Ransomware protection using a LAN connected NAS box with strict permissions.

With currently known Ransomware variants, is backing up a Windows 10 Pro and/or Windows 7 Pro workstation to a ReadyNAS NAS Box or FreeNAS NAS Box a reliable method of protecting your backup images/files, if the workstation user does not have permission to access the NAS device but the backup program on the workstation does have the ability to write to the NAS using a specific NAS-configured Read/Write user account?
If not...
1) What additional NAS configurations should be configured?
2) What other additional backup protection methods should be deployed on the network storage destination(s)?

Thank you,
JohnBusiness Consultant (Owner)Commented:
Ransomware comes via email from strangers. Make sure you have top notch spam control. Once someone opens a bad email, ransomware spreads to any connected device users can access.

That is why we suggest good, offsite backups as a primary defense in the event of an attack.
David Johnson, CD, MVPRetiredCommented:
Having 1 saved copy is better than none. The only method that I feel is trustworthy is OFFLINE.

But only to a small extent...
Personally I like to keep 5 - 7 days of full data backups

NAS backup disks are decrypted and mounted while in use, then encrypted and unmounted when done

NAS backups are also Rsync'd to an off-site server where the backups are also stored on removable drives which are rotated daily and removed from that location

At any one time I've got three complete backups spanning 5 - 7 days in three different locations (1 ON / 2 OFF)
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization ConsultantCommented:
We've seen Trojans, Malware, Ransomware (Windows) which, if it has ANY RIGHTS (Write) to a Network Share, will also ENCRYPT any files it finds there!

It can also discover network shares, and run through all files and encrypt them!

We SYNC data to Cloud Sources, - Azure, Backblaze, Dropbox, Google, Tresorit, Box, Onedrive. (these are scripted - not mapped!)

We also have three copies on NAS which are also scripted not mapped, and all NAS are synced and mirrored.

Have GOOD Anti-Trojans, Malware, Ransomware in place.
COM1Author Commented:
Thank you all for responding...

I would like to further define the words "OFFLINE" and "ANY RIGHTS".

David: (The only method that I feel is trustworthy is OFFLINE)
Question: "OFFLINE" = "physically disconnected" from the network? ...or still connected to the network but no access due to lack of permissions?

Andrew: (We've seen Trojans, Malware, Ransomware (Windows) which if it has ANY RIGHTS)
Question: Does "ANY RIGHTS" include the read/write permissions that are ONLY configured in the backup program on the workstation (Veeam or Macrium Reflect)? ...the users would have zero rights to log into the NAS box at any level.

Andrew: (We also have three copies on NAS which are also scripted not mapped)
Question: IF LAN-connected NAS boxes are not mapped and ONLY allow backup programs permission to access them, isn't this the same as a scripted cloud destination backup?

Limited upload bandwidth (1-3 Mbps) in rural office locations prohibits my ability to back up system image files to a cloud-based destination.
Other options I have been using: (LAN NAS box allowing ONLY backup programs to access appears to be easiest)
1) Older Dell Optiplex workstation with FreeNAS where the workstation's BIOS is configured to turn on and off at specific times coordinated with backup programs.
2) Using an $18 wireless AC socket with the ability to schedule available electricity to the AC adaptor of an external USB drive.
3) Configuring in our Sonicwall routers limited network access times to the NAS box coordinated with backup program times.

Has anyone yet to see any malicious software that has the ability to extract and use permission information  configured within a backup program?
JohnBusiness Consultant (Owner)Commented:
Offline / Offsite simply means a backup set that is in no way connected to your system

Any rights (as I read it here) means the compromised system that has rights to a server (normal) will infect that server.

"Has anyone yet to see any malicious software that has the ability to extract and use permission information configured within a backup program?"

If the backup is connected, it is possible. Ransomware writers are very capable. That is why the backup must be disconnected and removed.
David Johnson, CD, MVPRetiredCommented:
Offline - physically disconnected.
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization ConsultantCommented:
If your workstation has an open connection to your NAS, and has WRITE access - it's vulnerable!

Mapped Drives, e.g. E:, F: etc even easier for trojan etc writers...

We don't use backup programs, we use APIs with AUTH to connect and Sync Data to NAS and ONLINE!

The Trojans would have to decrypt the keys.....for access, and I think they'll go after the easier muppets first!

e.g. encrypt local files, and mapped drives!

btanExec ConsultantCommented:
1. NAS device(s) dedicated to backups - no user access whatsoever. NAS SMB NIC is on storage network and only accessible from Backup server. No direct connection where possible to reduce exposure. And disable online access to files in the NAS’s settings (leaving local network access only).

2. No mapping of drives to it. Backup software using a service account with a unique password to access the NAS and only the NAS. The API and scripted access mentioned by expert is preferred.

3. Restrict IP addresses allowed to access the NAS (use the backup policy if the device supports this feature).

4. Get backups offsite or to another medium; do not rely solely on a single NAS. You probably already have it. Validate backup data recovery. This is a last resort, though not the latest version, but better than nothing.

5. Update NAS firmware regularly. Yes, obvious, but not many do it, hence opening up weaknesses to malware.
Of course the author's method of using a different account for backups, assigning write access to that backup account and not to the user, is a protection. The malware, when executed by the user, cannot impersonate other accounts. Even if it somehow would use a privilege escalation exploit, it would not impersonate some backup account, but rather the system account, which does not have write access to the backup account.

So he is on the right track and the only enhancements I can think of is to make the backup location available only at backup times and not during the day when an infection is more likely to occur.
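The "scripted, not mapped, dedicated account, connected only at backup time" approach discussed in this thread, as an added PowerShell example (not code from any commenter here). It assumes a share \\NAS01\backups, a NAS-side account "backupsvc", a credential file produced once with `Get-Credential | Export-Clixml` by the same Windows account that runs the scheduled task, and a placeholder backup command line; all of these are assumptions, not details from the thread.

```powershell
# Added example: connect a backup-only NAS share for the duration of one backup run using a
# dedicated NAS service account, verify something landed, then disconnect. Nothing is left mapped
# for an interactive user session, so a user-launched infection has no standing path to the share.
# Assumed (not from the thread): \\NAS01\backups, account NAS01\backupsvc, and a credential file
# created once by the task account with:  Get-Credential | Export-Clixml C:\BackupJob\nas-backupsvc.xml
# Export-Clixml protects the password with DPAPI, so only that account on this machine can read it.
# Run this as a scheduled task under a dedicated local account, not the interactive user's account.
$ErrorActionPreference = 'Stop'
$SharePath = '\\NAS01\backups'
$CredFile  = 'C:\BackupJob\nas-backupsvc.xml'
$LogFile   = 'C:\BackupJob\backup.log'
# Placeholder: substitute the command line of your backup program (e.g. its CLI image job).
$BackupCmd = { & 'C:\Path\To\BackupProgram.exe' <# placeholder arguments #> }

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

$cred  = Import-Clixml -Path $CredFile      # PSCredential for NAS01\backupsvc
$start = Get-Date

try {
    # Session-scoped PowerShell drive (no -Persist): not a drive letter, exists only inside this task.
    New-PSDrive -Name NasBackup -PSProvider FileSystem -Root $SharePath -Credential $cred | Out-Null
    Write-Log "Connected $SharePath as $($cred.UserName)"

    & $BackupCmd
    if ($LASTEXITCODE -ne 0) { throw "Backup program exited with code $LASTEXITCODE" }

    # Sanity check: the newest file on the share should have been written during this run.
    # (Assumes the NAS and workstation clocks are roughly in sync.)
    $newest = Get-ChildItem -Path 'NasBackup:\' -File -Recurse |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest -or $newest.LastWriteTime -lt $start) {
        throw "No file on $SharePath was written after $start; backup did not land"
    }
    Write-Log "Backup completed; newest file: $($newest.FullName) ($($newest.LastWriteTime))"
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    throw
}
finally {
    # Always tear the connection down, even on failure, so the share is reachable only during the job.
    if (Get-PSDrive -Name NasBackup -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name NasBackup -Force
        Write-Log "Disconnected $SharePath"
    }
}
```

Pair this with a NAS-side share that only `backupsvc` can write to and, where the device supports it, an allow-list of the backup host's IP, so the credential in the DPAPI file is the only path onto the share.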
COM1Author Commented:
Thank you all for responding and contributing!
It appears the consensus is that out of "physical reach" is the only sure way to ensure your data is safe - this makes sense because the problem we are dealing with is ever evolving.
1) Password-protected accounts are still "available" on the network - you only need to get past the best case scenario.
2) Firewalled devices are still "available" on the network - you only need to get past the firewall.
3) Physically disconnected devices and accounts are "not available" - socially engineered attacks are the only avenue here....but less effective, maybe.

I appreciate everyone's time and expertise.
John B
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization ConsultantCommented:
We also encrypt all data which gets sent to the cloud...

So even if Cloud space gets attacked, the data is useless.
"Out of 'physical reach' is the only sure way to ensure your data is safe" - define "safe". I don't agree to that consensus.

As nice as it is, you will some day have to reconnect the backup storage to get the next backup on it. If the malware is active during that time, it will only be able to access the backup when it knows the credentials of the backup account. As I wrote before, even elevation of privilege attacks don't target credential stores (that you might be using). Malware is not as smart as you may think, and it does not have to be - millions of users use their daily account for backups and are easy targets for that reason. Having a separate backup account is the main step and having the backup disconnected when not needed is the enhancement - not the other way round.
COM1Author Commented:
Netgear ReadyNAS boxes running the newest firmware update (version 6.9.4 released on 9/13/2018) now have the ability to power on/off the unit on a configurable schedule.

This gives us a LAN storage device with the ability to not only configure share access restrictions but also to "physically remove" the device off the network as deemed necessary.
