This content has been updated since the original publication. You can find all of our updated protection techniques in our Ransomware Prevention Kit. http://www.thirdtier.net/ransomware-prevention-kit/
From the get-go, whenever we set up ShadowProtect to stream backups to a drive set connected to either a standalone Hyper-V host or the standalone DC in a Hyper-V cluster setting, we have set the shares to allow the Domain Admin MOD.
Inheritance on the folder’s NTFS permission set is removed, with the existing entries copied out, and then the Domain Users/Machine Users group is removed altogether.
We do this for a number of reasons:
- Users cannot connect to the ShadowProtect images
- They are password protected and are using at least AES 128-bit
- Users cannot delete the images
While we are in our clients’ servers on a regular basis, occasionally a domain admin account password will expire in the interim.
ShadowProtect will then start failing to back up to the shared folder because it cannot log on, so that is a small bonus in the mix.
We are seeing CryptoLocker problems abound lately where someone clicks on a link in an e-mail or is drawn to a compromised site. What that means is that _any_ file/folder set the user has permissions to access and modify may end up encrypted by the malware.
The _only_ way to “recover” from this situation is via Shadow Copies or backup.
If the backup drive and/or backup folder destinations for those ShadowProtect backup files, or for any other product that lays down files for backup, are open for users to access, then we all know what can happen.
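One way to check a backup destination for the permission setup described above, and optionally apply it. This is an added example, not from the original post. The folder path, the `-Fix` switch, the function name, and the Authenticated Users and Everyone entries in the group list are assumptions.

```powershell
# Added example: audit (and optionally fix) NTFS permissions on a backup folder.
param(
    [string]$BackupPath = 'D:\ShadowProtect',   # hypothetical backup destination
    [switch]$Fix                                # apply the changes instead of only reporting
)

# Leaf names of groups that should hold no ACE on the backup folder.
# 'Domain Users' and 'Users' follow the post; the other two are assumed additions.
$broad = 'Domain Users', 'Users', 'Authenticated Users', 'Everyone'

function Get-BackupAclFinding {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Inheritance still on means a parent folder can re-grant user access later.
    if (-not $acl.AreAccessRulesProtected) {
        [pscustomobject]@{ Path = $Path; Issue = 'Inheritance enabled'; Identity = $null }
    }
    foreach ($ace in $acl.Access) {
        # 'CONTOSO\Domain Users' -> 'Domain Users'; 'Everyone' has no prefix.
        $leaf = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $leaf) {
            [pscustomobject]@{
                Path     = $Path
                Issue    = "Allow ACE: $($ace.FileSystemRights)"
                Identity = $ace.IdentityReference.Value
            }
        }
    }
}

$findings = @(Get-BackupAclFinding -Path $BackupPath)

if ($Fix -and $findings.Count -gt 0) {
    # Step 1: disable inheritance, copying inherited ACEs to explicit ones.
    icacls $BackupPath /inheritance:d | Out-Null
    # Step 2: remove every ACE held by the broad groups found above.
    $findings.Identity | Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
        icacls $BackupPath /remove $_ | Out-Null
    }
    # Re-read the ACL so the report reflects the folder as it is now.
    $findings = @(Get-BackupAclFinding -Path $BackupPath)
}

$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) { exit 1 }   # non-zero exit for monitoring or a scheduled task
```

The script only inspects the folder itself; subfolders with their own explicit entries need the same check.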
Point of order: Any backup product that uses the volume snapshot service should have its backup times staggered over the Volume Shadow Copy snapshots, as having two snapshots running simultaneously could end up with data toast on both sides.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book
Chef de partie in the SMBKitchen