With 2020 came a seemingly biblical stream of plagues. Obviously Covid-19, Murder Hornets, Social Unrest, and… Ransomware. Sure, ransomware isn’t a terribly new concept, but this year the ante has been upped significantly by the bad guys. Not only have crime groups become more brazen, they’re demanding far bigger ransoms causing cyber insurance companies and their unfortunate customers to struggle.
There are a million things that companies need to consider when it comes to protecting their infrastructure from ransomware, and maybe we’ll dive in a little further later, but today we’re going to spend some time talking about what you can do to make sure that you’re able to recover when every domain controller in your organization has been paved over with ransomware or destructive malware.
As you scream ‘But I have backups!’, you might want to stop for a second and think about those backups. Are they performed with an account that has access to everything else (I hope not)? Are the backups themselves stored in a place that’s susceptible to being encrypted? And how long will it take you to actually restore those backups?
Azure System State Backup
Taking advantage of Azure System State Backup is a great way to handle those concerns. The primary benefits here are that this solution involves a simple agent installed on a domain controller, doesn’t involve credentials of any kind, the backups are stored in an offsite location, and those backups are protected from tampering by a set of enhanced security features.
So let’s talk about configuration. Since we’re talking configuration of a critical resource, from a PAW (you ARE using PAWs, right?), we need to make sure that a recovery services vault is available in Azure.
Then, in that recovery services vault we’ll configure a backup:
Since a domain controller backup only involves the system state, it’s a simple configuration. A system state backup will ensure that Sysvol and registry configurations are retained.
Then, when prompted, download the MARS agent, move it to the domain controller, and start the install. The agent requires the Visual C++ Runtime; if it isn’t already installed, setup will take care of that for you.
Then select where you’d like the agent to be installed:
Backups are shipped to Azure over encrypted outbound connections initiated by the MARS agent. If you’d like to proxy that connectivity, configure it next.
Make sure that the agent is configured to be able to update itself moving forward:
Then, finish the installation and the agent will prompt you to register it.
To register the agent you’ll need to go back to the backup that you configured in Azure and in the properties of the backup, ensure that you’ve declared you’re using the latest MARS agent, download the backup credentials, and transfer them to the Domain Controller you’re working on.
Select the previously exported credentials and move forward:
Next, you’ll need to generate a passphrase that will be used when restoring the backup. You can either specify your own, or let the setup generate one for you. Select Browse and specify where you’d like to export that passphrase. This needs to be protected because you won’t be able to restore if the secret is lost. Azure Key Vault (which we’ll talk about on a later date) is a great option here.
Now that registration is complete, you’ll want to schedule your backups. Open the Azure Backup agent and on the right side, select ‘Schedule Backup’.
Since we’re only backing up the system state, select ‘Add Items’ and ‘System State’.
Finally, ensure you’re taking daily backups and we’ll take a look at retention of those backups.
Retention depends entirely on your RTO/RPO strategy, but typically restoring a domain to a point too far in the past has little value at all. I’ve chosen to perform daily backups and retain them for 14 days, but you might find it more reasonable to only maintain 7 days of daily backups, and maybe 4 single weekly backups to be used in fringe cases.
Finally, we confirm that the schedule is what we need it to be and move forward through the setup.
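The same registration, passphrase, schedule and retention steps walked through above can be scripted from the domain controller with the MSOnlineBackup module that ships with the MARS agent. This is an added example, not code from the original post; it assumes the agent is already installed, that the vault credentials file was downloaded to C:\MARS (a constructed path), and it uses a 02:00 daily schedule and a proxy hostname that are placeholders you should replace.

```powershell
# Added example: register the MARS agent and create a daily System State
# backup policy with 14-day retention, mirroring the portal steps above.
# Assumptions: the MARS agent is installed, the *.VaultCredentials file
# exported from the Recovery Services vault sits in C:\MARS (constructed
# path), and this runs in an elevated PowerShell session on the DC.

# The MSOnlineBackup module is installed by the MARS agent, not by Windows.
Import-Module MSOnlineBackup

# 1. Register the agent with the vault using the exported credentials file.
$vaultCreds = Get-ChildItem -Path 'C:\MARS' -Filter '*.VaultCredentials' |
    Select-Object -First 1 -ExpandProperty FullName
Start-OBRegistration -VaultCredentials $vaultCreds -Confirm:$false

# 2. Optional: send the agent's outbound HTTPS through a proxy.
#    Hostname and port here are constructed placeholders.
# Set-OBMachineSetting -ProxyServer 'proxy.example.internal' -ProxyPort 8080

# 3. Set the encryption passphrase. Prompting keeps it out of the command
#    history; record the value somewhere durable and off the DC (Key Vault),
#    because Azure cannot recover it and a restore is impossible without it.
#    If the vault's security features are enabled, Set-OBMachineSetting also
#    needs -SecurityPIN with the PIN generated in the portal.
$passphrase = Read-Host -Prompt 'Backup passphrase (store it in Key Vault)' -AsSecureString
Set-OBMachineSetting -EncryptionPassphrase $passphrase

# 4. Build the policy: System State only, every day at 02:00, kept 14 days.
$policy = New-OBPolicy
Add-OBSystemState -Policy $policy
$schedule = New-OBSchedule -DaysOfWeek Sunday,Monday,Tuesday,Wednesday,Thursday,Friday,Saturday `
                           -TimesOfDay 02:00
Set-OBSchedule -Policy $policy -Schedule $schedule
$retention = New-OBRetentionPolicy -RetentionDays 14
Set-OBRetentionPolicy -Policy $policy -RetentionPolicy $retention
Set-OBPolicy -Policy $policy -Confirm:$false

# 5. Confirm what the agent saved, then run a first backup now so the vault
#    holds a restore point before the first scheduled job.
Get-OBPolicy | Get-OBSchedule
Get-OBPolicy | Get-OBRetentionPolicy
Start-OBBackup -Policy (Get-OBPolicy) -Async
```

Run this once per domain controller; each DC registers separately against the same vault and carries its own policy, so a script like this is also a handy way to keep schedule and retention consistent across all of them.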
So there you have it. Nothing complicated at all, and there are a handful of topics touched on that we’ll pick up later, but we’ve done some good work! Often, people use complicated or expensive backup/storage solutions that put them at risk for credential theft or data destruction in worst case scenarios. Azure System State Backup is neither expensive nor complicated, but it ensures that you’ll be able to quickly and confidently recover from disaster.