Backup servers are all-powerful. They have the ability to read or overwrite any file or database in your enterprise, without which they couldn't back up or restore files. Combine that with the fact that many backup software packages historically require the backup administrator to have root or administrator access to the system, and you've given one person the ability to read or overwrite any file or database in your environment. That means, of course, that a compromised backup server is a very scary thing. Therefore, you should do everything you can to protect it. Here are six quick tips for doing so.
1. Lock down unused ports
Consult your backup vendor's documentation to determine which ports are absolutely necessary for proper operation of your backup system, and then lock down all others. For example, if your backup server doesn't need to be an NFS (Network File System) or CIFS (Common Internet File System) server, then shut down or remove its ability to provide those services. The same is true for Web, print, Telnet and any other services that aren't necessary for proper backup server operation.
2. Require encrypted access
If you are using plain text protocols to manage your backup server, an intruder can monitor your packets and determine your administrative password. Create a policy that forbids plain text access to your backup server, and enforce it. Start by uninstalling or shutting down plain text protocols, such as Telnet, FTP, HTTP, etc. Then require all administration to be done via encrypted protocols such as SSH, HTTPS, secure FTP and SCP.
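A quick audit for tips 1 and 2, as an added example that is not part of the original article: it compares a server's listening TCP ports with an allow-list and names the file-sharing, print and plain text services the article says to shut down. The `ALLOWED_PORTS` values and the sample `ss -tln` output are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): compare listening TCP ports with an allow-list.
# ALLOWED_PORTS holds placeholder values; take the real list from your backup
# vendor's documentation.
ALLOWED_PORTS="22 443 10000"

# audit_listeners: reads `ss -tln` output on stdin and prints one
# "port<TAB>reason" line for every listening port that is not allowed.
audit_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
        # Services the article says to shut down unless the backup server needs them.
        why["21"] = "FTP (plain text)";   why["23"] = "Telnet (plain text)"
        why["80"] = "HTTP (plain text)";  why["111"] = "rpcbind (NFS)"
        why["2049"] = "NFS";              why["139"] = "CIFS/NetBIOS"
        why["445"] = "CIFS";              why["515"] = "print (LPD)"
        why["631"] = "print (IPP)"
    }
    $1 == "LISTEN" {
        addr = $4                          # Local Address:Port column
        port = addr; sub(/.*:/, "", port)  # keep what follows the last colon
        if (port in ok) next
        # Note listeners bound to loopback: they are not reachable from the network.
        lo = (addr ~ /^127\./ || addr ~ /^\[::1\]/) ? " (bound to loopback)" : ""
        if (seen[port lo]++) next          # report each port once per binding type
        reason = (port in why) ? why[port] : "not in allow-list"
        printf "%s\t%s%s\n", port, reason, lo
    }'
}

# Constructed sample of `ss -tln` output, so the example runs offline.
sample_listeners() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
LISTEN 0      64     0.0.0.0:2049       0.0.0.0:*
LISTEN 0      10     0.0.0.0:23         0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      128    0.0.0.0:10000      0.0.0.0:*
EOF
}

sample_listeners | audit_listeners   # on a real server: ss -tln | audit_listeners
```

An empty result means every listening TCP port is on the allow-list; UDP services need a separate pass with `ss -uln`.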
3. Minimize the number of people with full access
If your backup software requires root or administrator access for administration, limit the number of people with that access. Give backup servers a different administrative password, and only give it to those who require access to backup servers. Regular administrators probably won't like it -- because they're used to having the administrative password to the entire world -- but explain that it's for their own protection. Put the administrative password for the backup system in a sealed envelope in a safe and only permit access to those who really need it.
4. Log backup activity and changes to a separate server if possible
Use syslog capabilities in Unix backup servers or third-party data protection management products to log all backup activities and changes to a separate server that can't be overwritten by a malicious administrator.
You can also apply the separation of powers concept to media management by dividing the responsibilities of loading tapes and configuring backups between two people. Typically, one person performs these tasks, but separating these duties makes it harder for a malicious employee to wreak havoc. If a malicious employee has administrative privileges but cannot get their hands on media, they can't do any damage. If they can get their hands on media but can't put anything on it because they don't have the right privileges, they also can't do any damage.
6. Investigate the security features of your backup product
Backup software products have added a number of security features over the last few years, including encryption, role-based security, and enhanced authentication of clients and administrators. Encryption features may encrypt backup sessions, backup tapes or administrative sessions. Role-based security removes the requirement for root/administrator access to administer the system, and gives you the ability to split duties and separate powers. Finally, enhanced authentication systems abandon the old practices of using IP addresses and hostnames to authenticate systems. Investigate which of these features your product has implemented, and start using them immediately.
Some of these tips will be harder to follow, but following any of these tips is better than following none of them. Let's lock down those backup servers!
About the author
W. Curtis Preston is vice president of data protection at consultancy Glasshouse Technologies. He is also the author of "The Storage Security Handbook," "Using SANs and NAS," and "Unix Backup and Recovery." Preston has also contributed numerous data protection articles to leading IT publications and has been designing and implementing data protection systems for more than 12 years. Currently he consults on data protection with end users from Fortune 100 and Fortune 500 companies, as well as with vendors around the world. Preston is also one of the most highly rated presenters at Information Security Decisions.