
Veeam Availability Platform Designs for Ransomware Resiliency Series
Rick Vanover
vExpert, MCITP, VCP

© 2017 Veeam Software. Confidential information. All rights reserved. All trademarks are the property of their respective owners. 1
Veeam Availability Platform Designs for Ransomware Resiliency: Chapter 1

Contents

CHAPTER 1:
Veeam Availability Suite resiliency tips to enhance data protection

Introduction

Why should the Veeam Availability Suite design be assessed due to ransomware?

The most important recommendation: There must be a copy of the data on offline storage

Second recommendation: Use different credentials for backup repositories

Third recommendation: Have more frequent restore points and more types of restore points

Additional recommendation: Continued diligence

CHAPTER 2:
Veeam Backup & Replication and Veeam Agents resiliency tips to enhance data protection

Introduction

Many Options for Resiliency

Configuration Recommendation Option 1: Additional Backup that is File-Only

   Restores with a File-Only Backup Job

Configuration Recommendation Option 2: Replicated VMs

Configuration Recommendation Option 3: Ejecting Media and Computer Account Permissions for Veeam Agent for Microsoft Windows

    Eject Removable Media When a Job Is Complete

    Computer Account Permissions for Network Share

    Ransomware Resiliency Requires Continual Diligence

About the Author

About Veeam Software

Chapter 1:
Veeam Availability Suite resiliency tips
to enhance data protection


Introduction
The threat of ransomware is real and should be top of mind for CIOs as well as technology administrators of all types.
In this brief, Veeam® will share some key tips to add ransomware resiliency to provide the best levels of Availability
for critical applications and data. These tips will apply directly to Veeam Availability Suite™ and other Veeam products
to provide design options for more resiliency should ransomware strike.

Why should the Veeam Availability Suite design be assessed due to ransomware?
The threats are real. At Veeam, we’ve seen ransomware situations where backups have been deleted by existing threats;
additionally, there is a risk of both the source data and the backups being encrypted. Because the threat climate
changes continuously, Veeam is committed to continually adjusting its recommendations based on current conditions. In this first
chapter, we’ll address three of the key recommendations to keep your Availability levels high and meeting expectations.

This paper (and subsequent chapters) will be a collection of both generic and specific recommendations for Veeam
Backup & Replication™ configurations. There is no single “best” design or configuration — so the goal of these design
chapters is to give the Veeam customer and partner ecosystem options for better Availability in the ransomware era.

The most important recommendation:
There must be a copy of the data on offline storage
This is also referred to as an “air gap.” Offline storage is the single most effective ransomware resiliency technique, and
it can be achieved in many direct ways. The most obvious example here is tape storage. Tape storage is completely offline
unless being read from or written to. Here are a few tips to leverage tape in the ransomware threat climate:

• Leverage the GFS retention capability on tape to include more restore points on tape
• Consider keeping some tapes “out” of the media pool to have restore points out of any tape rotation
• Diligently monitor the job status for tape jobs. Backup or backup copy jobs may get more attention if there is a warning
or failure; tape jobs should have just as much (if not more) priority.

Given the relatively low acquisition cost of tape and high portability, this may make the case for additional restore points
on tape, given the strong value of being completely offline.


An additional offline storage option includes support for rotating drives within Veeam Backup & Replication. A rotating
drive is a good way to get the performance of a disk system with the offline characteristics in regards to the integrity of the
backup data. The rotating drives option is set as a property of a backup repository (advanced option) and is selected below:

Figure A

The one important caveat of using rotating drives (which can include entire disk systems) is that when a drive re-appears, a new full
backup or backup copy job cycle may be required. Rotating drives generally are presumed to be one drive or drive system
inserted or online at a time, with one or more additional instances of the same equipment offline and possibly in another site.

For the rotating drive option, one on-premises example that doesn’t involve moving disks and requiring an additional full
backup (or backup copy) would be a configuration that has the following characteristics:

• A physical server running either a Linux or Windows operating system. If it is a Windows operating system,
it is recommended to have a completely different and out-of-band authentication (have no domain membership and
different credentials for local accounts and have Windows Firewall on).
• Direct attached storage. This is general-purpose storage, direct attached as a local drive or drive system. The
recommendation on this storage is to have RAID on the drives.
• Have this system offline except during a scheduled backup window. Have this system completely powered off (and
optionally disconnected from the network) except when it is due to run. A script can be set after a backup or backup
copy job, which could include a shutdown script as shown in the figure below:

Figure B


• Have an out-of-band mechanism to turn this system on. This can be as primitive as a calendar appointment or as
advanced as an automatic task scheduler on a separate system that remotely turns this system on. But keep this
backup repository offline generally at all times, and only have it online during a backup or restore task.

Note that the above configuration for an offline repository (that is disk) isn’t recommended for the first instance of the backups
(as general restores would be difficult to do). This would be a good option for the “different media and offline” element
of the 3-2-1 rule that Veeam promotes often.
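A check for the offline disk repository described above, as an added example that is not part of the original paper or of any Veeam product. It runs on the separate out-of-band system, and flags both times when the repository was reachable outside its backup window and windows in which it never came online. The window times, the probe port and the sample observations are constructed assumptions.

```python
import socket
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class Window:
    """Daily window in which the offline repository is allowed to be powered on."""
    start: time
    duration: timedelta

    def opening_for(self, moment):
        """Return when the window containing `moment` opened, or None if outside it."""
        # Try today's and yesterday's opening so a window that crosses midnight works.
        for day_offset in (0, 1):
            day = moment.date() - timedelta(days=day_offset)
            opened = datetime.combine(day, self.start)
            if opened <= moment < opened + self.duration:
                return opened
        return None


def probe(host, port, timeout=3.0):
    """Collect one observation: True if a TCP connection to the repository succeeds.

    Meant to be scheduled on the out-of-band system; host and port are
    whatever service the repository server exposes (assumption, not from the paper).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(observations, window):
    """Evaluate (timestamp, reachable) observations against the backup window.

    Returns (exposed, missed):
      exposed - timestamps at which the repository answered outside the window
                (review each one: a restore task is the only expected reason)
      missed  - window openings during which the repository never answered
                (the power-on mechanism failed, so the backup copy did not run)
    """
    exposed = []
    answered_in_window = {}
    for moment, reachable in sorted(observations):
        opened = window.opening_for(moment)
        if opened is None:
            if reachable:
                exposed.append(moment)
        else:
            answered_in_window[opened] = answered_in_window.get(opened, False) or reachable
    missed = [opened for opened, up in sorted(answered_in_window.items()) if not up]
    return exposed, missed


# Constructed sample: a 23:00-02:00 nightly window and eight probe results.
NIGHTLY = Window(start=time(23, 0), duration=timedelta(hours=3))
SAMPLE_OBSERVATIONS = [
    (datetime(2017, 3, 1, 22, 30), False),  # before the window, powered off
    (datetime(2017, 3, 1, 23, 30), True),   # inside the window, online
    (datetime(2017, 3, 2, 1, 30), True),    # same window, after midnight
    (datetime(2017, 3, 2, 2, 30), False),   # shut down by the post-job script
    (datetime(2017, 3, 2, 14, 0), True),    # online at midday: exposure
    (datetime(2017, 3, 2, 23, 30), False),  # next window, never powered on
    (datetime(2017, 3, 3, 0, 30), False),
    (datetime(2017, 3, 3, 3, 0), False),
]

if __name__ == "__main__":
    exposed, missed = audit(SAMPLE_OBSERVATIONS, NIGHTLY)
    for moment in exposed:
        print(f"EXPOSED  repository reachable outside window at {moment}")
    for opened in missed:
        print(f"MISSED   repository never came online for window opening {opened}")
```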

Second recommendation:
Use different credentials for backup repositories
One of the key characteristics of ransomware is its ability to propagate. By using different credentials within the Veeam
infrastructure, we can introduce more resiliency by limiting propagation from other operating systems on the network. There
are various ways to accomplish this with Veeam Backup & Replication by leveraging the following authentication mechanisms:

• Windows credentials (either domain or local account)
• Veeam Cloud Connect credentials (specified by a service provider)
• Linux credentials (Linux account or Linux private key)
• Integrated backup storage accounts (current with EMC Data Domain, HPE StoreOnce and ExaGrid appliances)
• Credentials for SMB shares

The best, broadest recommendation is to have at least two credential mechanisms in use. That can include both
Windows and Linux accounts, Windows and Veeam Cloud Connect, etc. The following view shows a few different backup
repositories that use Veeam Cloud Connect, Windows credentials and an integrated backup storage account:

Figure C


In this example, several different credentials are in use so that the risk of propagation is reduced. For resiliency
against ransomware, having these different credentials as well as different credential types leaves one less propagation attack surface.

Specifically, for the Windows set of credentials, it is important to ensure that backup repository access does not go through the same
Active Directory environment, or the same account, that is used by Veeam Backup & Replication in the user context or
on the network at large. This means a completely separate Forest with no trusts (or only local accounts). For Windows
systems whose only function is the backup repository role, a good approach is to give them a security configuration that is
completely separate from the rest of the network. In this configuration, the backup repository server (the Windows system
running the role of the repository and containing the backups) is not on an Active Directory domain and has different
passwords and usernames for all functions. For every
object in the Backup Infrastructure tab of Veeam Backup & Replication, there are associated credentials that the components
use to access it. This means that communication to that backup repository would function (from the Veeam components)
only from the account specified for the configuration. An additional step is to have all Veeam Backup & Replication
components running Windows operating systems be off of the domain and each with different credentials. This is important
if ransomware were to impact the domain controller (potentially limiting the access to restore data).

There is a benefit in having at least one system use Linux credentials, as the propagation of ransomware through Windows operating
systems is reduced (and vice versa). In the example above, the ExaGrid systems use Linux authentication.

Veeam Cloud Connect is also worth an explanation here. Veeam Cloud Connect uses authentication issued by a service
provider. This account is how backups are sent to the cloud repository, and it is not an operating system authentication
mechanism thus making it out of band from operating system credentials on-premises.
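The credential recommendations in this section can be checked against an inventory of the backup infrastructure. The following is an added example, not Veeam code and not part of the original paper; the inventory fields, the mechanism labels, the host and account names and the `CORP` domain are all constructed for illustration.

```python
from collections import defaultdict

# Labels for the authentication mechanisms the paper lists (labels are this example's own).
WINDOWS_MECHANISMS = {"windows_domain", "windows_local"}

# Constructed inventory: one entry per object that holds credentials.
INVENTORY = [
    {"name": "vbr-console", "role": "backup_server", "mechanism": "windows_domain",
     "realm": "CORP", "account": "CORP\\svc-veeam"},
    {"name": "repo-win-01", "role": "repository", "mechanism": "windows_domain",
     "realm": "CORP", "account": "corp\\svc-veeam"},
    {"name": "repo-win-02", "role": "repository", "mechanism": "windows_local",
     "realm": "repo-win-02", "account": "repo-win-02\\bkpwriter"},
    {"name": "repo-linux-01", "role": "repository", "mechanism": "linux",
     "realm": "repo-linux-01", "account": "veeamrepo"},
    {"name": "cloud-repo", "role": "repository", "mechanism": "cloud_connect",
     "realm": "service-provider", "account": "tenant-0001"},
]
PRODUCTION_REALMS = {"CORP"}  # Active Directory environments used by the network at large


def audit_credentials(inventory, production_realms):
    """Return a list of (rule, component, message) findings.

    Rules, each taken from the recommendations above:
      single-mechanism - fewer than two credential mechanisms across repositories
      windows-only     - no repository authenticates outside Windows
      shared-realm     - a repository authenticates against a production AD realm
      reused-account   - the same account is configured on more than one component
    """
    findings = []
    repos = [c for c in inventory if c["role"] == "repository"]

    mechanisms = {c["mechanism"] for c in repos}
    if len(mechanisms) < 2:
        findings.append(("single-mechanism", "*",
                         "repositories use fewer than two credential mechanisms"))
    if not mechanisms - WINDOWS_MECHANISMS:
        findings.append(("windows-only", "*",
                         "no repository uses Linux, Cloud Connect or storage-integrated credentials"))

    for c in repos:
        if c["realm"] in production_realms:
            findings.append(("shared-realm", c["name"],
                             f"authenticates against production realm {c['realm']}"))

    # Windows account names are case-insensitive, so compare them lowercased.
    by_account = defaultdict(list)
    for c in inventory:
        by_account[c["account"].lower()].append(c["name"])
    for account, names in sorted(by_account.items()):
        if len(names) > 1:
            findings.append(("reused-account", ", ".join(names),
                             f"account {account} is shared between components"))
    return findings


if __name__ == "__main__":
    for rule, component, message in audit_credentials(INVENTORY, PRODUCTION_REALMS):
        print(f"{rule:16} {component:28} {message}")
```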


Third recommendation:
Have more frequent restore points
and more types of restore points
This recommendation is, of course, to have more frequent backup job restore points, but also to include other
mechanisms that provide frequent and different types of restore points. More resiliency is available when different types
of restore points are available. This includes the following mechanisms:

• Storage snapshots of VMware VMs with supported Veeam arrays: Have a storage snapshot for high-speed recovery
with the many different integrated arrays supported in Veeam Availability Suite. This provides an out-of-band recovery
technique for a system potentially infected with ransomware.
• Replicated virtual machines. The Veeam replicated VM is another high-speed recovery technique that may
be beneficial in a ransomware situation. It is important to note that for Hyper-V replicated VMs, consider the
domain and account recommendations above. If a Hyper-V replication exists on a domain where the ransomware
could propagate, that could impact the replicated VMs as well. Much like the credential recommendation above,
consider having the Hyper-V hosts on a completely separate Active Directory Forest with no trusts elsewhere as well.
If a Hyper-V host that serves as a replication target is not on a domain and using different credentials, it is more
resilient to ransomware propagating to its filesystem and encrypting the replicated VMs.
• The backup copy job. The backup copy job can be a versatile data mover to take backups that may be on a Windows
storage system and put them onto a Linux storage system or into a Veeam Cloud Connect repository.
• An additional backup job. Many organizations have backup jobs that run daily or every few hours
to meet the organization’s Availability requirements. An additional recommendation is to have an additional
backup job that runs on a different retention and with fewer restore points to provide an additional restore option
if needed. An additional Veeam Backup & Replication console could also be used with a completely different
configuration and backup repository. Note there would be no additional Veeam license consumption in this
configuration, and the backups could go to a different repository with a much longer RPO. An example would
be a backup job that runs only weekly to a Linux repository and keeps only three restore points.

Additional recommendation: Continued diligence


The diligence required in the ransomware era is going to be part of doing business from here onwards. Subsequent
chapters of this series will introduce more recommendations, recommendations for new Veeam products as well
as different approaches to meeting some of the existing recommendations.

Chapter 2:
Veeam Backup & Replication and Veeam Agents
resiliency tips to enhance data protection

Veeam Availability Platform Designs for Ransomware Resiliency: Chapter 2

Introduction
The threat of ransomware continues to make headlines and keep IT professionals and CIOs wondering what they can
do to be resilient against this threat. This paper is the second chapter of specific recommendations for Veeam® Availability
Platform components to be resilient against ransomware. The first chapter was published on the Veeam website, and this
chapter will continue with additional recommendations for configuration options in regards to ransomware threats.

Many Options for Resiliency


Throughout the years, Veeam has always taken a broad agnostic approach to systems and storage. This applies to the design
for a backup infrastructure and how it can be made resilient against ransomware. To that point, there is no single ransomware
resiliency design that is the “best” for all situations except to have some form of offline storage in the broader plan.
The previous chapter had recommendations on the following:

• Offline storage
• Different credentials for backup repositories
• More frequent and different types of restore points

In this chapter, we’ll introduce some additional recommendations that can be an option to Veeam environments
to strengthen resilience against ransomware. There will be additional chapters for this content at a later time, but for
environments that can easily leverage these recommendations now, resiliency is possible. The three recommendations
in this chapter will complement the previous recommendations and upcoming recommendations as well.

Configuration Recommendation Option 1:
Additional Backup that is File-Only
Veeam Backup & Replication™ can perform image-based backups with exclusion and specific inclusion rules. This can
be very helpful for an additional backup type that contains only critical data that may be at risk of a ransomware attack.
There are a few assumptions here to add this extra level of resiliency:

• The file server in question is a Hyper-V or vSphere virtual machine
• The virtual machine has an additional full image-based backup performed as well
• This file-only backup is ideally going to a different repository

Below is an example of a VMware vSphere virtual machine being backed up with only a specified list of files
included in the backup:


This VMware virtual machine serves as a file server and is around 17 GB on disk. The file server data in question is around
1.2 GB. Note that this full backup read the 1.2 GB, applied some storage efficiencies, and transferred just less than 600
MB. This creates a full backup of just the files in question on this system. As a reminder, this is an additional backup job
that is only for a set of files that are critically important to this system.

This capability is made possible by the file exclusions tab in a backup job. This is in the Application-Aware Processing
options of a backup job. A single backup job can have an option to include only selected files and folders OR exclude
selected files and folders. This option is shown in the example below for the file server share in question, which on this
vSphere virtual machine is the “C:\Airdata” folder:


There are a few good characteristics of this additional type of backup. First, it is likely quicker than a full image-based
backup. Second, because this type of backup is completely separate from the image of the operating system, it offers
more resiliency in the case where a full system restore brings back an operating system that has the ransomware on it.
For example, imagine this progression of events:

• Day 1: System obtains ransomware, but doesn’t encrypt data, and the ransomware isn’t detected.
• Day 100: Ransomware encrypts data after being dormant.
• Day 100: Restore to backup from Day 99 has encryption return in 1 day.

This can also be an additional backup job in addition to the full image-based backup of the virtual machine.

Restores with a File-Only Backup Job


By having a data-only backup in addition to the image-based backup, there is an additional restore scenario option that
can help in this situation. The restore of the file-only backup is shown below. Note the “AirData” folder is the only visible
folder on the volume, and its contents are completely there:

The file-only backup is an additional level of resiliency, especially for a virtualized file server or a data folder that has critical data.

Note: Veeam Availability Suite™ v10 introduces NAS backup support.
Additional recommendations will come when this is available.


Configuration Recommendation Option 2:
Replicated VMs
Replicated VMs have always been critical to a broad Availability strategy and can play a part in ransomware resiliency as well.
Replicated VMs have many characteristics that can benefit a Veeam installation in recovering from a ransomware situation:

• They are a complete recovery of a virtual machine
• The recovery is relatively quick (compared to moving a lot of files)
• It has a power off state at most times, reducing risk of ransomware propagation

Having replicated VMs brings in a few other characteristics as well. For one, not every VM may be a candidate
for a replicated option. One approach would be to identify a “tier” of VMs that need the quickest recovery should
a ransomware situation happen; and have this replication target on the same site and same network for the quickest
and most seamless recovery. It becomes a different discussion if the notion of a replicated VM off-site becomes the right
recovery option in a ransomware situation. That would work in most situations, but it is advised to give some thought
to the failback process and remote network speeds.

One approach to having some or all VMs replicated specifically for a ransomware resiliency approach, or as an additional
level of Availability, is to have the replicated VMs in the production data center. This can be in addition to replicas placed
off-site. Consider the diagram below:

In this example, there are three hosts with four virtual machines on each. The fourth VMware host (and this could be
repeated the same with Hyper-V) has four virtual machines replicated to it. These four virtual machines are (presumably)
the most critical ones in the group of production hosts. To make this type of configuration resilient against ransomware,
a few designs should be considered:

• Consider creating an additional Veeam Backup & Replication console that manages the replication of the most critical VMs,
and do not have it on the same Active Directory domain or using the same security credentials as other systems.
• Have the target of the replication be a VMware or Hyper-V host that is not in the same administrative realm of the
production hosts. (No Active Directory integration if vCenter is used, no System Center Virtual Machine Manager, etc.)

These points are to keep the process of making the replicated VMs on-premises ready to go yet not connected to any
security constructs of the production hosts. This is a ransomware resiliency technique to consider if Veeam Backup &
Replication or the VMware or Hyper-V hosts are targeted. This is done to be more resilient against encryption of the
powered-off VM through shared authentication.


Configuration Recommendation Option 3:
Ejecting Media and Computer Account Permissions
for Veeam Agent for Microsoft Windows
The recommendations thus far have focused on Veeam Backup & Replication for VMware vSphere and Microsoft
Hyper-V environments. These recommendations, however, apply broadly to the Veeam Availability Platform and its
components. This next set of recommendations will apply to the newly released Veeam Agent for Microsoft Windows.
The endpoint device can be an entry point for ransomware, but also may have important data on it as well. Veeam Agent
for Microsoft Windows has one powerful capability to eject the media upon a backup job.

The two recommendations for Veeam Agent for Microsoft Windows involve ejecting removable media to make it offline
and structuring permissions a bit differently for writing backups to a network share.

Eject Removable Media When a Job Is Complete


To configure a backup with Veeam Agent for Microsoft Windows, the backup can be one of three types (entire computer,
volume level or file level) as shown below:

The capability to eject removable media applies to local storage resources. A Veeam Backup Repository or Veeam Cloud
Connect are also viable options to be resilient against ransomware as there is a different authentication mechanism used
to communicate to those storage resources. The destination of a backup is shown below:


For removable storage devices (this is a 1 TB USB drive), the “VeeamBackup” folder is the default destination as shown below:

In the properties of the schedule, you can select the backup to be ejected once the backup is completed as shown below:


Ejecting the removable media is an effective technique because it can be completely offline.

Computer Account Permissions for Network Share


Another option is to write to a remote share where a computer account, rather than a user account, is given the permission
to write to the share. When a shared folder is used as a target in Veeam Agent for Microsoft Windows, there is an option to write
to the share with a username and password. This is shown in the figure below:


In the properties of that share, this example has several computer accounts listed (rather than user accounts) as permissions
assigned by users. This is shown in the figure below:

While the ejected media and offline storage is more resilient, it is nice to have an additional option when writing to a shared
folder to be more resilient against ransomware. The Cloud Connect backup target would be ideal as it is a completely different
set of authentication (not part of the operating system) and the file system of the target Cloud Connect system is completely
abstracted from the operating system being backed up with Veeam Agent for Microsoft Windows. Subsequent chapters of this
series will include additional recommendations for Veeam Cloud Connect for VM backups.

Ransomware Resiliency Requires Continual Diligence


One of the key attributes of ransomware resiliency is to continually monitor the data for threat-scape, access levels
and business requirements. In this chapter, we covered recommendations for a file-only backup job, replicated VMs
and ejected media on endpoints using Veeam Agent for Microsoft Windows. In this series’ upcoming chapters, we’ll focus
on more resiliency options for Veeam environments.


About the Author


Rick Vanover (vExpert, MCITP, VCP, Cisco Champion) is a senior product strategy
manager for Veeam Software based in Columbus, Ohio. Rick is a popular blogger,
podcaster and active member of the virtualization community. Rick’s IT experience
includes system administration and IT management; with virtualization being the central
theme of his career recently. Follow Rick on Twitter @RickVanover or @Veeam.

About Veeam Software


Veeam® recognizes the new challenges companies across the globe face in enabling the Always-On Business™,
a business that must operate 24.7.365. To address this, Veeam has pioneered a new market of Availability for the
Always-On Enterprise™ by helping organizations meet recovery time and point objectives (RTPO™) of < 15 minutes
for all applications and data, through a fundamentally new kind of solution that delivers high-speed recovery, data loss
avoidance, verified protection, leveraged data and complete visibility. Veeam Availability Suite™, which includes
Veeam Backup & Replication™, leverages virtualization, storage, and cloud technologies that enable the modern data
center to help organizations save time, mitigate risks, and dramatically reduce capital and operational costs.

Founded in 2006, Veeam currently has 47,000 ProPartners and more than 242,000 customers worldwide.
Veeam’s global headquarters are located in Baar, Switzerland, and the company has offices throughout the world.
To learn more, visit http://www.veeam.com.
