Many of my clients have external USB hard drives attached to their computers for backups. Since CryptoLocker can encrypt these drives, how can these devices be protected? I’ve put together a simple process to do this.
I would appreciate it if other experts examined my approach and found any flaws in it.
- Create an administrative user account “task” and assign a password “task$”. Give this account “SeBatchLogonRight” using NTRights.exe so that it can log in as a service for unattended backups.
- On the backup device, create a folder on the root “x:\Backups\” and assign the following ACL. Make sure the ACL propagates. Also, give ownership to "task".
Everyone:(OI)(CI)R (user can read backup files)
- Create a suitable script that runs periodically (hourly, nightly, whatever) that copies user data to the backup device. The script runs from the “task” userid. Also give user a “backup now” icon that launches the backup script under the “task” account using PsExec.
- Demote the user’s account to standard user (a best practice in any event) so that CryptoLocker (running under the user’s security context) cannot take ownership nor change the ACLs on the external device.
- If the user is responsible and trustworthy enough, then provide him/her the password to “task” so that s/he may log in as necessary to install or update software that requires admin-level access.
In this context, CryptoLocker should be unable to encrypt the attached storage, keeping it safe.
If the user becomes infected with CryptoLocker and the nightly backup runs, then of course the most recent backup will be fully encrypted. But by using VBackup’s versioning restore, it’s a simple matter to restore to a date and time prior to the CryptoLocker infection. Since CryptoLocker cannot directly touch the external hard drive, previous backups should remain safe.
Utilities that I’m using:
vbackup.exe -- robocopy-like command line copy tool with versioning
ntrights.exe -- tool to grant login-as-a-service to the task userid
psexec.exe -- Sysinternals utility to allow running a process from alternate creds
Plus a few minor utilities that I wrote to assist in the script.
What do you guys think of this?
Edited by valkyriebiker, 16 November 2013 - 03:32 PM.
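The ACL step from the post, as an added PowerShell example (not the poster's own script): it protects the backup root from inherited permissions, applies Everyone:(OI)(CI)R, hands ownership to “task”, and then reports any ACE that still grants write-class rights to someone other than the backup account. The drive letter X: and the account name “task” come from the post; the Modify ACE for “task” is my assumption (the copy job running under that account must be able to write), and the script assumes an elevated session, since changing the owner needs SeRestorePrivilege.

```powershell
# Added example, not from the original post. Assumes X:\Backups and a local account "task";
# the Modify ACE for "task" is an assumption so the unattended copy job can write. Run elevated.
$BackupRoot  = 'X:\Backups'
$TaskAccount = "$env:COMPUTERNAME\task"

function Set-BackupFolderAcl {
    param([string]$Path, [string]$Owner)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # Stop inheriting from the drive root: a freshly formatted NTFS volume typically grants
    # Authenticated Users:Modify, which would leak write access into the backup tree.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # protect, do not copy inherited ACEs
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    # (OI)(CI) in icacls terms: ACEs propagate to both files and subfolders.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None

    # Everyone:(OI)(CI)R -- users may read and restore, never write.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'Read', $inherit, $none, 'Allow')))
    # task:(OI)(CI)M -- assumed: the backup job runs as "task" and writes here.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Owner, 'Modify', $inherit, $none, 'Allow')))

    $acl.SetOwner([System.Security.Principal.NTAccount]$Owner)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-BackupFolderAcl {
    # Returns every Allow ACE that grants a write-class right to a principal other than
    # $Owner or SYSTEM. An empty result means a standard user (and malware in that user's
    # context) cannot modify, delete, re-ACL or take ownership of the backup tree.
    param([string]$Path, [string]$Owner)
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
        ($_.IdentityReference.Value -notin @($Owner, 'NT AUTHORITY\SYSTEM'))
    }
}

Set-BackupFolderAcl -Path $BackupRoot -Owner $TaskAccount
$leaks = Test-BackupFolderAcl -Path $BackupRoot -Owner $TaskAccount
if ($leaks) { $leaks | Format-Table IdentityReference, FileSystemRights -AutoSize }
else { Write-Host "OK: only $TaskAccount (and SYSTEM) can write under $BackupRoot" }
```

Re-run Test-BackupFolderAcl after the first backup as well, so that files the copy job creates are confirmed to inherit the restricted ACL rather than carrying permissions over from the source.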