Immutable backup against crypto attacks
Have you heard about Retention lock, Immutable Shared Folder, or WORM (Write Once Read Many)? Many NAS and storage manufacturers have that feature, including QNAP, Synology, HPE, NetApp and many others. They all refer to the same concept: after a backup file is written, it is locked for a specified period of time, e.g. 7 days. Changes are not possible (except maybe adding), but reading is possible, which is useful for restores, for example. If a virus attacks and tries to encrypt the files, it will not succeed, not even with hijacked high-privileged credentials.
That is why this is a powerful mechanism, but only if the device hardening process is also done properly. Closing the system and reducing the attack surface to a minimum is equally important. If you leave SSH or telnet access enabled, an attacker might bypass this protection and destroy your data, so hardening is super-important too. Retention lock works well with SQL Server backups, tried and tested.
Do not confuse this with “Immutable Snapshots”, which is something else: it prevents snapshots from being deleted. Here we are dealing with files on a file share that are immutable for some time period. We will describe the process on Synology devices that support WORM (not all of them do).
We can set up WORM only during creation of the shared folder. That setting cannot be changed on existing folders. The option exists only in the Shared Folder Creation Wizard:

Choose “Lock immediately”. Do NOT set too long a retention period, otherwise you will have problems when you want to delete these files yourself. Something between 7 and 15 days should be OK for SQL Server backups.

There are two modes: Enterprise and Compliance. Compliance is stricter because not even the NAS admin can delete files. Also, the file share itself can NEVER be deleted in that mode, which is a big bummer. In Enterprise mode, the NAS admin can delete the file share, as seen here:

But if Compliance mode is selected:

It warns us that deletion of that file share will NEVER be possible. You are stuck with it for life. The same goes for the volume and pool where it resides: you are stuck with them.

Once the shared folder is created, it gets a “WriteOnce” mark next to it:

If we try to delete the folder (which is, by the way, empty), it is a no-go. That is a real issue to me. IMHO an empty folder should be removable:

Because of this huge drawback, I suggest using the less strict “Enterprise mode”. I hope Synology will fix this nonsense that makes Compliance mode impractical for no real benefit. It just drives users away to a less secure mode, while if they fixed this, Compliance mode would be a “go to” without a doubt.
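Once the share is in place, it is worth confirming that it really refuses changes to a written file. The following probe is an added example, not part of the original post and not a Synology tool: it writes a canary file and then attempts the operations ransomware relies on (overwrite, truncate, rename, delete). The function names, the canary file name and the `settle_seconds` wait are assumptions made for illustration.

```python
import os
import tempfile
import time
import uuid


def probe_worm_share(share_path, settle_seconds=0):
    """Write a canary file, then try to tamper with it.

    Returns {operation: True if the share ALLOWED it}. On a locked WORM
    share every value should be False.
    """
    canary = os.path.join(share_path, f"worm-canary-{uuid.uuid4().hex}.bak")
    with open(canary, "wb") as f:
        f.write(b"constructed canary content\n")
    # Assumption: the share has locked the file once this wait is over.
    time.sleep(settle_seconds)

    def attempt(operation):
        try:
            operation()
            return True   # tampering succeeded: file is not protected
        except OSError:
            return False  # the share refused the change

    def overwrite():
        with open(canary, "r+b") as f:
            f.write(b"X")

    renamed = canary + ".renamed"
    results = {
        "overwrite": attempt(overwrite),
        "truncate": attempt(lambda: os.truncate(canary, 0)),
        "rename": attempt(lambda: os.rename(canary, renamed)),
    }
    # Delete whichever name the file ended up with.
    target = renamed if results["rename"] else canary
    results["delete"] = attempt(lambda: os.remove(target))
    return results


def share_is_immutable(results):
    """True only if every tampering attempt was refused."""
    return not any(results.values())


if __name__ == "__main__":
    # Demo on an ordinary temp directory (constructed stand-in, no WORM):
    with tempfile.TemporaryDirectory() as plain_dir:
        outcome = probe_worm_share(plain_dir)
        print(outcome, "immutable:", share_is_immutable(outcome))
```

Run it against the mounted share path with the same account the SQL Server backup job uses. On a working WORM share the canary stays in place until the retention period expires, so expect one small leftover file per run.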