Six steps to beating backup server hacks

Backup servers are all-powerful. They have the ability to read or overwrite any file or database in your enterprise, without which they couldn't backup or restore files. Combine that with the fact that many backup software packages historically require the backup administrator to have root or administrator access to the system, and you've given one person the ability to read or overwrite any files or database in your environment. That means, of course, that a compromised backup server is a very scary thing. Therefore, you should do everything you can to protect it. Here are six quick tips for doing so.

1. Lock down unused ports
Consult your backup vendor's documentation to determine which ports are absolutely necessary for proper operation of your backup system, and then lock down all others. For example, if your backup server doesn't need to be a NFS (Network File System) or CIFS (Common Internet File System) server, then shutdown or remove its ability to provide those services. The same is true for Web, print, Telnet and any other services that aren't necessary for proper backup server operation.

2. Require encrypted access
If you are using plain text protocols to manage your backup server, an intruder can monitor your packets and determine your administrative password. Create a policy that forbids plain text access to your backup server, and enforce it. Start by uninstalling or shutting down plain text protocols, such as Telnet, FTP, HTTP, etc.

    Requires Free Membership to View

Then require all administration to be done via encrypted protocols such as SSH, HTTPS, secure FTP and SCP.

3. Minimize the number of people with full access
If your backup software requires root or administrator access for administration, limit the number of people with that access. Give backup servers a different administrative password, and only give it to those who require access to backup servers. Regular administrators probably won't like it -- because they're used to having the administrative password to the entire world -- but explain that it's for their own protection. Put the administrative password for the backup system in a sealed envelope in a safe and only permit access those who really need it.

4. Log backup activity and changes to a separate server if possible
Use syslog capabilities in Unix backup servers or third party data protection management products to log all backup activities and changes to a separate server that can't be overwritten by a malicious administrator.

Related information

Learn more about beating backup threats in this webcast.

Download this presentation to learn basic techniques for encrypting sensitive data.

5. Separate media management from backup management
You can also apply the separation of powers concept to media management by dividing the responsibilities of loading tapes and configuring backups between two people. Typically, one person performs these tasks, but separating these duties makes it harder for a malicious employee to wreak havoc. If a malicious employee has administrative privileges but cannot get their hands on media, they can't do any damage. If they can get their hands on media but can't put anything on it because they don't have the right privileges, they also can't do any damage.

6. Investigate the security features of your backup product
Backup software products have added a number of security features over the last few years, including encryption, role-based security, and enhanced authentication of clients and administrators. Encryption features may encrypt backup sessions, backup tapes or administrative sessions. Role-based security stops the process of requiring root/administrator access to administer the system, and gives you the ability to split duties and separate powers. Finally, enhanced authentication systems abandon the old practices of using IP addresses and hostnames to authenticate systems. Investigate which of these features your product has implemented, and start using them immediately.

Some of these tips will be harder to follow, but following any of these tips is better than following none of them. Let's lock down those backup servers!

About the author
W. Curtis Preston is vice president of data protection at consultancy Glasshouse Technologies. He is also the author of "The Storage Security Handbook," "Using SANs and NAS," and "Unix Backup and Recovery." Preston has also contributed numerous data protection articles to leading IT publications and has been designing and implementing data protection systems for more than 12 years. Currently he consults on data protection with end users from Fortune 100 and Fortune 500 companies, as well as with vendors around the world. Preston is also one of the mostly highly rated presenters at Information Security Decisions.

This was first published in February 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.