What do I mean by "Hardening"? And why is it even worthwhile?
The goal of backups is to restore data and, in a broader sense, to maintain the operational and survival capabilities of companies in the event of a disaster or at least make them possible.
Modern attack scenarios involve first disabling disaster recovery (DR) measures and components and then working through the remaining systems in reverse priority order (from less important to more important). Attackers do this so that they remain undetected for as long as possible and so that, by the time the attack is detected, the victim can no longer carry out recovery operations.
The objective of the DR infrastructure should, therefore, be to run as independently as possible from the production infrastructure. This can be implemented at the network level as follows:
- Physical and/or logical separation of DR components, e.g., through VLANs.
- Ensuring permanent access through static DNS names and IP addresses.
- No integration into Active Directory or similar interconnected directory services.
- Ensuring access even in a disaster scenario (e.g., through static glass-break firewall rules for one or two specific IP addresses).
- Usage of firewall rules (external firewalls as well as Windows firewalls).
Once this is in place, in the case of Veeam, for example, you usually rely predominantly on Windows operating systems on which Veeam and its components run. An up-to-date and supported operating system should be the basic requirement, but beyond that you can harden the system with built-in tools, without incurring additional licensing costs. This can look like:
- Disabling internet access.
- Using complex passwords with a combination of uppercase and lowercase letters, numbers, and symbols (at least 20 characters).
- Using dedicated service accounts for Veeam and SQL services (avoiding the "Local System" context).
- Using personalized accounts for Veeam.
- Adjusting the local security policy (service accounts should not be allowed RDP logins; administrators should not be allowed to run services).
- Deactivating RDP.
- Implementing Role-Based Access Control (RBAC) within Veeam for Windows.
- Creating a glass-break account.
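As an added example that is not part of the original post, the following PowerShell script applies several of the items above (RDP off, default-deny Windows firewall with glass-break admin addresses and backup-network-only traffic, and the two local security policy user rights) to a Veeam Windows host. The admin IPs, network ranges, service account name and the Veeam port list are assumed placeholders to be replaced with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Every address, port and
# account below is an ASSUMED placeholder for your own values.
$MgmtAllowList   = @('10.10.1.10', '10.10.1.11')   # assumed glass-break admin IPs
$InternalNets    = @('10.10.0.0/16')               # assumed DR/backup network(s)
$VeeamInboundTcp = @(9392)                         # Veeam Backup Service; extend from Veeam's port list
$VeeamSvcAccount = "$env:COMPUTERNAME\svc_veeam"   # assumed dedicated local service account

# 1. Disable RDP: the registry switch and the built-in firewall rule group.
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# 2. Windows firewall: create the allow rules first, then switch every profile to
#    default-deny in both directions (no internet access, no lateral reach).
New-NetFirewallRule -DisplayName 'DR: outbound to backup network only' -Direction Outbound `
    -RemoteAddress $InternalNets -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'DR: glass-break admin access' -Direction Inbound `
    -RemoteAddress $MgmtAllowList -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'DR: Veeam inbound from backup network' -Direction Inbound `
    -Protocol TCP -LocalPort $VeeamInboundTcp -RemoteAddress $InternalNets -Action Allow | Out-Null
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 3. Local security policy: no RDP logon for the service account, no "log on as a
#    service" for Administrators. Deny rights also hit group members, so the second
#    right is skipped if the Veeam service account itself is a local administrator.
$svcSid   = ([System.Security.Principal.NTAccount]$VeeamSvcAccount).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value
$adminSid = 'S-1-5-32-544'                         # well-known SID of BUILTIN\Administrators
$rights   = "SeDenyRemoteInteractiveLogonRight = *$svcSid"
$svcIsAdmin = (Get-LocalGroupMember -Group Administrators).Name -contains $VeeamSvcAccount
if ($svcIsAdmin) { Write-Warning "$VeeamSvcAccount is a local admin; not denying service logon to Administrators" }
else { $rights += "`r`nSeDenyServiceLogonRight = *$adminSid" }
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
{0}
'@ -f $rights
$infPath = Join-Path $env:TEMP 'dr-hardening.inf'
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit /configure /db "$env:windir\security\local.sdb" /cfg $infPath /areas USER_RIGHTS /quiet | Out-Null

# 4. Verify the result instead of trusting the script: RDP off, every profile default-deny.
[pscustomobject]@{
    RdpDisabled     = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 1
    AllProfilesDeny = -not (Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' -or $_.DefaultOutboundAction -ne 'Block' })
}
```

Run it from the local console, not over RDP, since the script removes that path; patching must then come from an internal source reachable within the allowed backup network.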
From the legal and organizational perspective, auditors and IT security officers always appreciate well-documented DR and backup concepts. It often makes sense to create a traditional emergency manual and, at the same time, technical documentation, so that the hardened and more complex environment can be maintained and troubleshot more quickly if necessary.
As a final thought on the topic of reporting mechanisms within emergency manuals:
Often, when I ask customers what to do in the event of a suspected ransomware attack, they respond with "I'll restore a backup with Veeam." In practice, these customers quickly find themselves overwhelmed because they are hesitant to load a backup directly after learning of an attack.
This is absolutely correct! The first step usually involves reporting the incident to IT support or, from there, to a senior executive. Only then do "documented" reporting routes and chains come into play, as from a legal perspective, it is often necessary to refrain from immediately restoring or overwriting the infected core systems and instead retain them for potential evidence preservation.