As protection against ransomware I would like to tighten up security and access to my NAS devices.
I run automated backups/syncs for my file servers at work. We use the donation edition of FFS.
My NAS devices do have authentication but as it stands now I am not using it.
I am using mapped drives for the backup operations. I could use UNC Paths but the issue would remain.
I would like to remove drive mappings and have FFS use login credentials to access my NAS.
Is this possible in any way? TIA
Authentication Options for backing up to NAS (Ransomware Protection)
- Posts: 3
- Joined: 17 May 2023
- Posts: 4056
- Joined: 11 Jun 2019
Automated backups are the antithesis to avoiding ransomware. FFS can store credentials for FTP, but that is it as far as I know. Regardless, any automated backup introduces risk; having encrypted data automatically synced is circumventing any efforts to prevent encryption on the destination itself.
- Posts: 3
- Joined: 17 May 2023
My NAS devices do not support FTP unfortunately, only SMB up to version 3.
My FFS jobs are set to update, not mirror. Encrypted files would have a different name/extension. Backing up these encrypted files would not affect unencrypted files already on the NAS.
What I want to prevent is ransomware from crawling onto these drives and encrypting existing files. That is why I want to add authentication and remove the automatic access.
Our PCs are on a domain and usually have mapped drives or access to network shares. That is how ransomware spreads. My NAS devices are not on our domain and I would like to add authentication to prevent this automatic access. That is my plan anyway. If anybody else has suggestions, I would appreciate them.
Edit: It turns out, the NAS drives do have FTP and SSH. I had it turned off. How is the performance when backing up to FTP? What should I expect? How does the comparison function work over FTP, I'm wondering?
- Posts: 1037
- Joined: 8 May 2006
Two things (if not more) that you have to look at.
"Backing up these encrypted files would not affect unencrypted files already on the NAS."
1, is malware crawling from a PC onto the NAS.
2, is exploits in the NAS itself.
MANY a NAS, itself, has been hit by malware, where the attached PCs were not affected at all.
- Posts: 3
- Joined: 17 May 2023
1. I want to prevent it from crawling. Right now it's wide open. I can type in the UNC path or drive letter if it's mapped, and it will go right in. This was done years ago. I now realize this is a security risk.
2. If I add authentication to the NAS, remove the mappings from all of the PCs, remove credentials from the Windows Credential Manager and prevent it from saving credentials, this should remove automatic access. What I want is for FFS to authenticate and not Windows itself.
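An added example, not part of any post above and not FreeFileSync's own code: one way to get the effect described in the last post over SMB is a wrapper that opens an authenticated, non-persistent session to the NAS only while the batch job runs and tears it down afterwards. The share name, job path, credential file path and install path are assumptions.

```powershell
# Added example: just-in-time SMB session around a FreeFileSync batch job.
# All default values below are hypothetical placeholders.
param(
    [string]$Share    = '\\nas01\backup',            # NAS share (assumed name)
    [string]$Job      = 'C:\Jobs\nas.ffs_batch',     # FFS batch job that targets $Share by UNC path
    [string]$CredFile = 'C:\Jobs\nas-cred.xml',      # created once: Get-Credential | Export-Clixml C:\Jobs\nas-cred.xml
    [string]$Ffs      = 'C:\Program Files\FreeFileSync\FreeFileSync.exe'  # assumed install path
)
$ErrorActionPreference = 'Stop'
$nasHost = $Share.TrimStart('\').Split('\')[0]

# Start clean: drop any leftover mapping (including remembered ones) and any
# credential saved for the NAS in Windows Credential Manager.
Get-SmbMapping | Where-Object RemotePath -like "\\$nasHost\*" |
    Remove-SmbMapping -Force -UpdateProfile
cmd /c "cmdkey /delete:$nasHost >nul 2>&1"

# Export-Clixml protects the password with DPAPI, so the file can only be
# decrypted by the account that created it, on the machine it was created on.
$cred = Import-Clixml -Path $CredFile

$exit = 1
try {
    # No drive letter, not persistent: nothing is remembered after logoff.
    New-SmbMapping -RemotePath $Share -UserName $cred.UserName `
        -Password $cred.GetNetworkCredential().Password -Persistent $false | Out-Null

    # Run the batch job and wait for it to finish.
    $p = Start-Process -FilePath $Ffs -ArgumentList "`"$Job`"" -Wait -PassThru
    $exit = $p.ExitCode
}
finally {
    # Always close the session, even if the job or the mapping failed.
    Get-SmbMapping | Where-Object RemotePath -eq $Share | Remove-SmbMapping -Force
}
exit $exit
```

While the job is running, the share is reachable by any process in the same logon session, so this fits best under a dedicated backup account with a NAS login used for nothing else.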