
I have a small network of Windows 7 PCs. I want to use a Windows NAS file server as a repository to safeguard the backup files from each Windows PC against a ransomware attack. In order for this strategy to work I need to be able to dynamically connect the NAS file server to the network, copy the .TIB backup file, then disconnect the NAS file server from the network.

This is how I envision the process working:

  1. An individual Windows PC creates an Acronis True Image backup .TIB file on the local hard drive using the Acronis True Image backup Scheduler.

  2. The NAS file server runs a Windows Scheduled Task that copies the .TIB file from the Windows PC to the NAS file server. The Scheduled Task runs a command file that first ENABLES the network adapter on the NAS file server (so that the NAS file server can connect to the Windows PC), then the NAS file server copies the .TIB backup file.

  3. Once the copy job is finished, the controlling command file DISABLES the NAS file server network adapter to isolate the NAS file server from the network.

In this scenario all users would be Standard Users, even system administrators, to avoid providing a ransomware-infected PC with the rights of a logged-in Administrator user.

My question is this: Assuming all of the above, especially the fact that no user on the network will be an Administrator user, will this strategy protect the NAS file server from becoming a victim of a ransomware attack over the network?

Bill Vallance
  • Just unmount the file share when you're done. No need to disable networking on the NAS. As long as the CIFS share isn't actively mounted on a potentially infected system, it's not going to be accessed. – Spooler May 15 '17 at 22:28
  • If you can set file permissions on the NAS to prevent delete and update of existing files you could keep it connected 24/7. Keep the NAS software up to date, it will have different vulnerabilities from the computers. A NAS is not a backup, it's a copy. To me backups are incremental, offsite, and ideally offline. You should upgrade your PCs to Windows 10. – Tim May 15 '17 at 22:32

1 Answer


The most effective barrier would be if the users don't even have permission to access the share, or if it's not shared at all. In every backup system where the backup is done using the users' own credentials, the malware will have equal access to the backup, possibly causing it to be encrypted, too.

If you can run the backup the opposite way, i.e. from a server or even from a NAS that can access individual computers, creating the backup instead of being just a storage, the data should be safe – even if the server / NAS is always online.

I'd suggest using an incremental backup for this, in order to have several versions of every file.

Esa Jokinen
  • Thanks SmallLoanOf1M, Tim, and Esa Jokinen for your replies. I am aware of the ability to unmount a Windows share by using the 'net use /delete //sharename' command. If I wanted a guaranteed, no-entry-possible method of preventing a ransomware malware attack (or, for that matter, any other malicious attack), isn't disabling the network interface on the backups file server the only guaranteed method to achieve this result? Assuming a static IP on the server, disabling/enabling the NIC would function just like unplugging the NIC cable, correct? – Bill Vallance May 16 '17 at 16:17
  • Since I can only notify one respondent at a time in a comment, would you please take a look at my comment, above, and let me know if it's correct? Thanks. – Bill Vallance Jun 03 '17 at 16:26
  • If the backup server is dedicated for that purpose, it doesn't need to have any network services enabled or any ports open. Even if it's not, in usual cases limiting user permissions and not sharing the backup destination are enough. In rare conditions a malware can use remote exploits, if not yet patched. – Esa Jokinen Jun 03 '17 at 16:42
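
The pull-style job discussed in this thread (the NAS enables its adapter, copies the .TIB files itself, then disables the adapter again) could look like the following sketch. It is an added example, not code from any of the posters. The adapter name, host name, share and destination paths are assumptions, and the task account is assumed to have read-only access to a share on the PC.

```powershell
# Added example. Run on the NAS from a Scheduled Task with highest privileges:
# changing adapter state requires administrative rights on the NAS itself.
# All names below are assumed placeholders.
$Adapter  = 'Ethernet'              # NAS network adapter name (assumed)
$PcName   = 'PC01'                  # workstation holding the .TIB files (assumed)
$Source   = "\\$PcName\Backups"     # share on the PC, readable by the task account
$DestRoot = 'D:\Repository\PC01'    # local, unshared folder on the NAS (assumed)

# One folder per run, so a damaged or encrypted .TIB pulled today
# never overwrites a good copy from an earlier run.
$Dest = Join-Path $DestRoot (Get-Date -Format 'yyyyMMdd-HHmmss')

try {
    netsh interface set interface name="$Adapter" admin=enabled | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not enable adapter '$Adapter'." }

    # Wait up to about 60 seconds for the link and the PC to become reachable.
    $reachable = $false
    foreach ($attempt in 1..12) {
        if (Test-Connection -ComputerName $PcName -Count 1 -Quiet) {
            $reachable = $true
            break
        }
        Start-Sleep -Seconds 5
    }
    if (-not $reachable) { throw "$PcName is not reachable." }

    New-Item -ItemType Directory -Path $Dest -ErrorAction Stop | Out-Null

    # The NAS pulls the files; nothing on the PC ever writes to the NAS.
    robocopy $Source $Dest *.tib /R:2 /W:10 /NP /LOG:"$Dest\robocopy.log"

    # robocopy exit codes of 8 or higher mean at least one copy failed.
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE." }
}
finally {
    # Runs on success and on any failure above, so the NAS is never
    # left connected because a copy step broke.
    netsh interface set interface name="$Adapter" admin=disabled | Out-Null
}
```

Because the destination is a local folder that is not shared, no credential used on the workstations grants write access to the repository, which is the property the answer above relies on.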