Ransomware defense part 2: Hardening

There are many documents on the internet that describe how to address this common request.

In this article, I’ll give you a path to move more easily around this topic, pointing out the most interesting articles.

Before starting, let me thank Edwin Weijdema, who created an exhaustive guide to answer the common question (please click here to get it).

Are you ready? Let’s start.

1- The first magic point for starting is Wikipedia, where I got a good definition:

In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services.

2- The second point is to understand the concept of Perimeter security:

It consists of natural barriers or artificially built fortifications whose goal is keeping intruders out of the area. The strategies can be listed as:

  • Use rack-mount servers
  • Keep intruders from opening the case
  • Disable the drives
  • Lock up the server room
  • Set up surveillance

A complete article is available by clicking here

3- The third point is Network segmentation:

It is the division of an organization’s network into smaller and, consequently, more manageable groupings of interfaces called zones. These zones consist of IP ranges, subnets, or security groups, typically designed to boost performance and security.

In the event of a cyberattack, effective network segmentation will confine the attack to a specific network zone and contain its impact by blocking lateral movement across the network via logical isolation through access controls.

Designating zones allows organizations to consistently track the location of sensitive data and assess the relevance of an access request based on the nature of that data. Designating where sensitive data reside permits network and security operations to assign resources for more aggressive patch management and proactive system hardening.

A complete article is available by clicking here

4- Hardening your Backup Repositories

The next good rules involve your backup architecture and, specifically, the Backup Repositories:

Windows:
a. Use the built-in local administrator account
b. Set permissions on the repository directory
c. Modify the firewall
d. Disable remote RDP services

Linux:
e. Create a dedicated repository account
f. Set permissions on the repository directory
g. Configure the Linux repository in Veeam and modify the firewall
h. Use Veeam encryption
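As an added example (not from the original article or from Veeam), this PowerShell script applies the Windows repository rules b, c and d above; the repository folder `D:\VeeamRepo` and the backup server address `10.0.0.10` are constructed for the example.

```powershell
# Added example: harden a Windows Veeam repository (rules b, c, d). Run elevated.
# Assumed values (not from the article): repository folder and backup server address.
$RepoPath  = 'D:\VeeamRepo'
$BackupSrv = '10.0.0.10'

# b. Permissions: stop inheriting ACEs from the parent and allow only SYSTEM and
#    the local Administrators group (rule a says to use the built-in local administrator).
$acl = Get-Acl -Path $RepoPath
$acl.SetAccessRuleProtection($true, $false)            # protect ACL, drop inherited rules
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $RepoPath -AclObject $acl

# c. Firewall: block all inbound traffic by default and allow only the backup server in.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'Veeam backup server (inbound)' -Direction Inbound `
    -Action Allow -Protocol TCP -RemoteAddress $BackupSrv

# d. Remote Desktop: deny RDP connections and disable the RDP firewall rule group.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Show the resulting ACL so the change can be reviewed.
(Get-Acl -Path $RepoPath).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
```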

Do you want to know more about security? If so, the Veeam Best Practices are certainly the answer.

The next article will cover monitoring and automatic actions using Veeam-ONE.

5- Prevent injection of shady boot code

Code injection, also called Remote Code Execution (RCE), occurs when an attacker exploits an input validation flaw in software to introduce and execute malicious code.

To prevent the attack, follow these rules:

a. Run with UEFI Native Mode
b. Use UEFI with Secure Boot Standard Mode
c. Combine Secure Boot with TPM
d. Equip critical servers with a TPM 2.0
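The following check script is an added example (not from the original article) that reports whether a Windows server satisfies rules a to d: native UEFI firmware, Secure Boot enabled, and a present, ready TPM 2.0. It uses only built-in cmdlets and must run in an elevated session.

```powershell
# Added example: report compliance with the four boot-integrity rules above.
function Get-BootHardeningReport {
    # a. Firmware mode: Windows exposes 'UEFI' or 'Legacy' in this environment variable.
    $fw = $env:firmware_type

    # b. Secure Boot state; Confirm-SecureBootUEFI throws on legacy-BIOS machines.
    try { $sb = Confirm-SecureBootUEFI } catch { $sb = $false }

    # c./d. TPM presence/readiness and the spec version (reads e.g. '2.0, 0, 1.38').
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                             -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    [pscustomobject]@{
        FirmwareIsUEFI  = ($fw -eq 'UEFI')
        SecureBootOn    = [bool]$sb
        TpmPresentReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        TpmIs20         = ($spec -like '2.0*')
    }
}

$report = Get-BootHardeningReport
$report
if (-not ($report.FirmwareIsUEFI -and $report.SecureBootOn -and
          $report.TpmPresentReady -and $report.TpmIs20)) {
    Write-Warning 'This server does not meet all four boot-hardening rules.'
}
```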

Stay tuned and see you soon

Veeam VBR DB Moving with SQL – Management Studio

In these last days, I had enough time to analyze the performance of my personal lab.

For testing purposes, I launched the backup of the whole architecture at the same time; the VM that suffered most was the backup server (VBR), and in particular the SQL service.

This article explains the steps I followed to move the VBR database from SQL Express (installed with Backup & Replication) to a SQL Server Standard instance, using SQL Management Studio as the migration tool.

Before continuing with the article, please look at the following Veeam KBs and contact Veeam Support.

To make the description easier, I’ll use the following acronyms:

  1. VBR = Backup Server
  2. SQLServer = Target Server where SQL Standard is installed
  3. SQLExpress = Source DB
  4. DB = VeeamBackup
  5. DBFile = VeeamBackup.mdf & VeeamBackup.ldf

The main steps to get the goal are:

  1. Stopping the Veeam service on VBR server
  2. Detaching DB from SQLExpress
  3. Copying DBFile from VBR to SQLServer
  4. Attaching DB to SQL Server
  5. Using the Veeam Migration tool
  6. Changing the service account name on VBR Service (optional)
  7. Checking the registry keys
  8. Launching Backup and Restore tests

Let’s go!

1. The first step is quite easy: connect to VBR, open Services and stop the SQL instance (Picture 1).

(Picture 1)

2. The second step is detaching the DB from SQL Express using SQL Management Studio (Picture 2).

(Picture 2)

If you need a good, short video guide to installing SQL Management Studio, please refer to the following link:

Another interesting video guide explaining how to enable remote connections to SQL Server is available here.

Remember: to enable SQL Server to talk over the network (1433 is the default port), you also have to set up the firewall correctly.

3. Now it’s time to copy the DBFiles from VBR to SQLServer.

Pay attention to the default path where the files have to be copied and pasted.

Generally, it is C:\Program Files\Microsoft SQLServer\MSSQL.xx.INSTANCENAME\MSSQL\DATA (Picture 3).

(Picture 3)

4. The next step is attaching the DB to the new SQL server, following the easy SQL Management Studio menu (Picture 4).

(Picture 4)

5. Now, from the Programs menu of the VBR server, select the Veeam entry and then “Configuration Database Connection Settings“.

Now choose which DBs you want to move to the new architecture: Backup & Replication, Enterprise Manager, or both (Picture 5).

(Picture 5)

Now fill in the Database Name and Server/Instance and proceed with the final migration step (Picture 6).

(Picture 6)

If everything is correctly configured, you have finally migrated your DBs.

Troubleshooting:

TS-1

If you see that the process times out (600 seconds), it means that the VBR service account can’t access the database.

How to solve it?

Please contact your DB experts before doing any tasks!!!

6. The first thing is to create a user able to manage the SQL services.

The procedure is quite easy using a Domain Controller (Picture 7).

(Picture 7)

Now you have to add the new user to the Domain Users and Domain Admins groups (Picture 8).

(Picture 8)

From the Veeam Services window, select the Log On tab and set up the right user, doing the same for all services that need it (Picture 9).

(Picture 9)

Re-apply the procedure shown at point 5.

In my case, I ran into another issue.

TS-2

The issue I unluckily ran into during my setup was the following:

When I tried to connect to the remote DB with the “Configuration Database Connection Settings” command, the following error appeared (Picture 10).

(Picture 10)

This issue happens when the SQL Server driver on a client computer that uses integrated security and the Windows security token can’t connect to the SQL Server.

If you want to have all details please refer to the following Microsoft article:

Cannot generate SSPI context

Please contact your DB experts before doing any tasks!!!

After some Google research and testing, I found a solution that addressed my issue, again working on the Domain Controller.

The AD console needs to be switched to advanced view (Picture 11).

(Picture 11)

Now left-click on the SQL server and select “Attribute Editor”.

From this menu, you have to delete all the entries containing the text MSSQL.svc (Picture 12).

A server reboot is also needed.

Please contact your DB experts before doing any tasks!!!

(Picture 12)

For the last two points (7 and 8), check whether the procedure you followed has solved the problem.

TS-3

If you are not able to discover the SQL server, check on the target server that the SQL Server Browser service is up and running (Picture 13).

(Picture 13)

From the VBR server, open the registry key (HKEY_LOCAL_MACHINE\Software\Veeam\Veeam Backup and Replication) and check that the items SqlDatabaseName, SqlInstanceName and SqlServerName are correctly filled in (Picture 14).

Do the same check for HKEY_LOCAL_MACHINE\Software\Veeam\Veeam Backup Catalog (Picture 15).

(Picture 14)

(Picture 15)
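To automate points 7 and TS-3, here is an added PowerShell check (not from the original article or from Veeam): it reads the three registry values named above from both keys, then tests TCP 1433 against the configured SQL server and queries the SQL Server Browser service state on it. It assumes the Backup Catalog key carries the same three value names and that WinRM is enabled on the target server.

```powershell
# Added example: verify the VBR database connection settings after the migration.
$Keys  = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication',
         'HKLM:\SOFTWARE\Veeam\Veeam Backup Catalog'   # assumed to use the same value names
$Names = 'SqlServerName', 'SqlInstanceName', 'SqlDatabaseName'

# Point 7: every value must exist and be non-empty in both keys.
function Test-VeeamSqlRegistry {
    $ok = $true
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { Write-Warning "Missing key: $key"; $ok = $false; continue }
        $props = Get-ItemProperty -Path $key
        foreach ($n in $Names) {
            $v = $props.$n
            if ([string]::IsNullOrWhiteSpace($v)) { Write-Warning "$key : $n is empty"; $ok = $false }
            else { Write-Output "$key : $n = $v" }
        }
    }
    return $ok
}

# TS-3: the default port (1433) must be reachable and SQL Server Browser must be running
# on the target, otherwise the instance cannot be discovered.
function Test-VeeamSqlTarget {
    $sqlHost = (Get-ItemProperty -Path $Keys[0]).SqlServerName
    if (-not $sqlHost) { Write-Warning 'SqlServerName not set; skipping network checks'; return }
    Test-NetConnection -ComputerName $sqlHost -Port 1433 |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
    Invoke-Command -ComputerName $sqlHost -ScriptBlock {
        Get-Service -Name SQLBrowser | Select-Object Name, Status, StartType
    }
}

if (Test-VeeamSqlRegistry) { Test-VeeamSqlTarget }
```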

Now start backup Jobs and do some restore tasks to be sure that your Backup architecture is up and running.

In my case, the backup server can now manage more tasks without any issue.

One more recommendation before ending the article:

Before doing any activities, please read the official documentation and ask Veeam support.

XFS – Performance

Last article about XFS.

In the previous two articles I explained how to configure and set up the XFS repository on Veeam Backup & Replication v10 (VBR).

Today let’s see how well the XFS linked-clone technology helps VBR transform the backup chain.

In particular, let’s see what happens with a Synthetic Full.

What is a Synthetic Full?

It’s a smart way to let VBR create a full restore point while downloading only an incremental backup from production.

In short, the process has two phases.

First, it creates a normal incremental backup; second, it creates a full backup file by stacking all previous backups (full and incremental).

This process normally needs a lot of work, because the blocks have to be copied and the unnecessary ones deleted to create the synthetic full.

With XFS integration, no block is moved: the filesystem re-points its metadata, creating a full backup in one shot.

The result is super-fast Full Backup creation.

Let’s see with an example:

The Full Backup lasted 7 mins (Picture 1).

(Picture 1)

The Incremental Backup lasted 2 mins and 30 sec (Picture 2).

(Picture 2)

What about a Synthetic Full? 

Picture 3 shows that it needs less than 30 seconds!!!

So Amazing technology and Veeamzing integration!!!