Backup Strategy should include Security

Planning for protection as a part of an IT Service Continuity plan often takes into consideration backup of applications and data as well as restore. But what about security?

When planning for protection of applications and data in your environment security should right up there in the forefront. “Backup Security” should be a key part of the plan.

Security in the context of backup can be thought of #1 as securing the backups, and #2 backups being used as an added measure for security breach mitigation. Let me break this down further.

In regards to securing backups you want to do things like encrypt backup data as it travels offsite, encrypting backup data at rest, being able to protect encrypted data, requiring security pins or further authentication of admins and more.

In regards to backup as an added measure for security backup becomes a direct part of Security planning in organizations. Sometimes when security measures fail backups are the only thing that can save you as a last resort. Backups are commonly becoming a way to recover from ransomware attacks as an alternative to paying the hackers. Here is a real world example.

Recently an unnamed hosting providers entire data center became hostage to a ransomware attack. This hacker got in due to a mistake of one of the system admins (more on how to protect at this level later) and basically had full domain admin rights to everything. Keep in mind majority of the servers in this scenario are for customers.

In this case the hosting provider had two choices. Option #1 go to the dark web via a tor network and pay a ton of money in bitcoin for the decryption key. Option #2 Restore everything from offsite backups and pray.

This hosting provider went for option #2 and thank goodness it worked. In this case if it weren’t for a solid offsite backup solution this hosting provider would have been up a creek without a paddle.

It is becoming more common that ransomeware will actually target backups because these are a high target and hackers understand this is a last resort for companies to save themselves. If the backups are deleted there is no other choice but to pay the ransom. This raises the security level of the backups. Administrative actions on backups need an extra layer of security.

Microsoft Business Continuity products help with not only protection but also security. These products consist of System Centers Data Protection Manager (DPM) and Operations Management Suites Azure Backup (AB) and Azure Site Recovery (ASR). In this post I am only going to touch on DPM and AB.

Some exciting things have been happening with Azure Backup and Data Protection Manager to ensure security is front and center as a part of your enterprise backup solution. Microsoft’s goal with the backup security is to provide prevention, alerting, and recovery.

More about this including a video can be found here:
https://azure.microsoft.com/en-us/blog/azure-backup-security-feature

Just yesterday DPM update rollup 12 for 2012 and update rollup 2 for 2016 was announced. Along with UR2 comes some enhanced security features for DPM. These will be called out later in this blog post. Microsoft has rolled out some great security features to both across hybrid clouds. I will go ahead and break these down.

– Azure Backup –

Encrypted backup data at rest
Described in DPM section.

Security PIN
With Azure Backup you can require a security pin for sensitive operations such as removing protection, deleting data, or changing other settings in Azure Backup itself such as changing a Passphrase.

Azure Backup also has some other security measures in place like a minimum retention range to ensure a certain amount of backup data is always available and notifications upon critical operations to subscription admins or others as specified.

NOTE: These security features are now also available in DPM with the UR’s (UR 12 for 2012 and UR2 for 2016) announced yesterday. When an administrator changes the passphrase, or delete backup data, you need to enter the PIN if you have Enhanced Security Enabled. Also, there is a minimum retention range of 14 days for cloud protected data that is deleted.

MFA
MFA is Multi-Factor Authentication. Microsoft has MFA available as a part of Azure Active Directory. Within Azure Backup you can configure it to require MFA of admins when performing critical operations. By enabling MFA you would then ensure via authentication from a second device usually physical to the user that they are who they say they are.

NOTE: When you enable security settings they cannot be disabled.

Ransomware attacks
Described in DPM section.

– Data Protection Manager –

Backup data encrypted during offsite transfer
When data is sent from DPM to Azure Backup it is encrypted before it even leaves your four walls. Data is encrypted on the on-premises server/client/SCDPM machine using AES256 and the data is sent over a secure HTTPS link.

Encrypted backup data at rest
Once backup data is on Azure it is encrypted at rest. Microsoft does not decrypt the backup data at any point. The customer is the only one with the encryption key that can decrypt the backup data. If this key is lost not even Microsoft can decrypt your backup data. This is very secure.

Protection and recovery of encrypted computers
The release of Hyper-V on Windows Server 2016 included a new feature known as Shielded virtual machines (VM’s). This feature essentially utilizes Virtual Trusted Platform Module (vTPM) technology and BitLocker to encrypt a VM to encrypt virtual machines at the virtual layer. This means if a VM is physically copied off a Hyper-V host whoever has the VM will not be able to get to the data on the virtual hard drive.

With the release of DPM 2016 it supports protecting Shielded VM’s. DPM can protect Shielded VM’s regardless if they are VHD or VHDX. This is great news because as a secure organization you should want to encrypt your virtual machines and DPM can protect them. This gives you an added layer of security on top of having backups.

Ransomware attacks
In today’s world ransomware attacks are a common thing. These type of attacks are targeted at small, medium, and large enterprise businesses. No company is too small or too big to be put in the crosshairs of ransomware attacks. A well-known attack is Cryptolocker.

As mentioned before in this blog post backups are an alternative to paying the ransom of a ransomware attack. They key here is to ensure you have a solid offsite backup in place such as Azure Backup. Having that offsite backup will ensure you can get your data back even if the ransomware attack get ahold of your onsite backup data.

I even go as far as to recommend sticking to the 3-2-1 rule (3 copies of backup data 2 offsite and 1 onsite). This way if something happens to one of your offsite copies of data you have another one. It may seem overkill to have 2 offsite copies but you would be surprised how often offsite backup data is accidently destroyed.

So there you have it. Security is a critical part of any backup solution. It is clear that Microsoft realizes this based on the security enhancements they have made to both Azure Backup and Data Protection Manager 2016. Their goal is to ensure both backup solutions are enterprise ready. I have been working with DPM for years and Azure Backup as soon as it came out. I know the team behind these products have a lot of new features and functionality planned for the future of these products and I am looking forward to it.

Read more

System Center 2012 R2 UR7 Highlights

Its been a while since I have posted a new blog. I have been busy working on multiple System Center projects and other behind the scene activities. Today update rollup 7 for System Center 2012 R2 was released and this is definitely worth a post. This UR includes DPM, SCSM, SPF, VMM, , SCORCH, Azure Pack, but not Operations Manager. UR7 for Operations Manager will be coming within a few weeks. More info here.  It is interesting that SCOM is not in this UR and we actually see SCORCH included. Here are some highlights from UR7:

For Orchestrator The Monitor SNMP Trap activity has an issue fixed and there is a fix for Stop Job and Stop Runbook. The SCORCH UR also includes some fixes for SMA.

For Service Manager we see a bunch of fixes. Some fixes I want to call out are MPSync Data Warehouse job stop responding and the Get-SCDWInfraLocations cmdlet introduced in update rollup 5 have been fixed. Great work from the Service Manager team. Keep it up.

Beyond just fixes we see new features in two of the System Center components VMM and DPM. As always its exciting to see new features added via UR’s.

In VMM we see support for Windows 10, the ability to provision and customize Debian 8 Linux as a Guest Operating System, support for VMWare vCenter 5.5, the ability to have Multiple External IP Addresses per Virtual Network, the ability to re-associate orphaned virtual machines to their service or VM role, and support for VMM DHCP Extension PXE/TFP Forwarding. There also is a ton of great fixes for issues in VMM. This is great work from the team and should make VMM more stable.

In DPM we see support for Windows 10 client protection, and a really cool feature being the ability to use alternate DPM servers to recover backups from Azure Backup vault. These means if you sent your backup data to Azure from one DPM server and it croaks you can connect a different DPM server to your Azure Backup subscription and recover data from Azure! I have a feeling we will continue to see greater collaboration between on premise backup/DR (DPM) and cloud backup/DR Azure Backup in the future.

To access update rollup 7 visit this link: https://support.microsoft.com/en-us/kb/3069110

Read more

Early look: DPM BaaS in Azure Pack

I am very excited about something new with Data Protection Manager (DPM) that I was able to announce during my Enterprise Backup session @ Microsoft Ignite (http://meme.ms/d5gpbrq). It is DPM Backup As A Service (BaaS). I wanted to blog about it with even more information about this new functionality in DPM.

Well what is DPM BaaS? In a nutshell it is Backup as a Service in Azure Pack powered by Data Protection Manager. This is a new resource provider built by the DPM team. It lights up the functionality for tenants to protect VM’s in Azure Pack. Here is a screenshot of what the new BaaS in Azure Pack looks like for a tenant:

clip_image001

DPM has always had a role in the Microsoft Private Cloud story. This role has been on the backend through backing up the Private Cloud fabric components that power Private Cloud (Windows Server, Hyper-V, System Center). The following image is the framework of Microsoft Private Cloud:

clip_image002

DPM has also been used for protection of front end tenant workloads such as websites, SQL databases and virtual machines. However protecting tenant workloads had no visibility or control by the tenants themselves. This story changes with the introduction of BaaS for Azure Pack giving the control for tenants to choose if they want to protect their virtual machines from their cloud!

NOTE: As of now BaaS for Azure Pack can only protect virtual machines in tenant clouds. If you would like to see BaaS extended to protect other areas of the Private Cloud such as SQL databases or websites feel free to reach out to me.

Now let’s pick apart this new DPM BaaS to gain a better understanding of it in the rest of this post.

DPM BaaS in Azure Pack Architecture

So what do you need for this new BaaS? The following components make up BaaS:

clip_image003

You can deploy many DPM servers for scale as your Private Cloud grows. The rest of the components are standard with a Private Cloud so if you already have Azure Pack running you simply need to add DPM and the DPM BaaS Resource Provider.

As previously stated BaaS only protects virtual machines. A DPM agent needs to be installed to Hyper-V hosts. The BaaS in Azure Pack does not do this for you. The DPM agent will not be required inside VM’s. The agent will be installed on Hyper-V hosts only.

Admin Perspective

Now let’s take a look at what can and admin do with BaaS. NOTE: The BaaS is still under development so some of these features may change. If you have any feedback about the features and functionality you would like to see feel free to contact me. Let’s explore the BaaS admin perspective through a series of screenshots.

Here is a shot of the VM Backup within the Azure Pack admin site. Here is where you would register the resource provider with SPF, you could also add a DPM server, or create a server group. Note that you still need to deploy your DPM servers before you can add them to BaaS. BaaS will not deploy the DPM servers for you.

A server group allows you to logically group DPM servers and then add DPM servers to the group and you can set settings based on a group and then add this to a plan for a tenant. An admin of the Resource Provider will set the Protection Group policy settings that will be used for all subscriptions to a particular plan.

clip_image004

The next two screenshots show creating a new group.

clip_image005

clip_image006

This screenshot shows the registration of a DPM server. Notice you have the ability to add the DPM server to a group. Adding the DPM server to a group is optional.

clip_image007

The next three screenshots give you an idea of what settings you can set for a group. These settings will help you apply limits to the tenant that will be assigned this group via a plan. Notice that some of the settings will look familiar to what you see in DPM when setting up a Protection Group.

clip_image008

clip_image009

clip_image010

This final screenshot is of the Usage & Metering within for the Resource Provider. The cool thing about this is we do not have a dashboard like this in DPM. This monitoring can be scoped per VM or All Up of the BaaS Resource Provider. Here is what you can see as the part of this monitoring:

  • Retention Days
  • Number of Restore Points
  • Size used

clip_image011

Tenant Perspective

So we walked through what and administrator can do in the BaaS let’s look at the tenants perspective. Here is what a tenant can do with BaaS?

Ability to add a VM under protection. This essentially adds the VM to a DPM protection group on the backend. If a Protection Group does not exist for this tenant’s subscription yet one will be created.

Ability to back up a protected VM. This creates a Recovery Point in DPM on the backend. An admin of the BaaS resource provider has the option to allow this or not allow this to tenants.

Ability to restore a protected VM. This will restore a VM from a Recovery Point in DPM on the backend. Self-service restore of a deleted VM that is protected is out of scope as DPM doesn’t have VMM information (cloud, etc.) to correctly reassign it to a tenant. However an administrator with direct access to DPM could still go and restore the VM.

clip_image012

Ability to remove a VM’s protection. The protection group for the tenant subscription will be created when the first VM is protected and destroyed when the last VM is removed.

clip_image013

For more information:

My Microsoft Ignite session on this:

http://meme.ms/d5gpbrq

Download the DPM BaaS Resource Provider:

Coming Soon!!!

Read more

DPM 2012 R2 Upgrade unable to connect SSRS. ID: 33431

I recently had to help someone do a DPM upgrade from DPM 2012 SP1 UR3 to DPM 2012 R2. I am a fan of starting fresh when I can but in this case we had no choice but to do an upgrade. We had to first upgrade SQL 2008 R2 to SQL 2012. After upgrading to SQL 2012 and trying to run the DPM upgrade we got the following error regarding SSRS:

“DPM Setup is unable to connect to the specified instance of SQL Server Reporting Service. (ID: 33431)”

clip_image001.png

 

What is happening is that the DPM installer is trying to access the 2008 R2 SSRS even though it no longer exists as SQL has been upgraded to 2012. I manually removed the left over SQL 2008 components and rebooted but this did not help. The DPM installer uses WMI to get information about the SSRS installation during the install, so in order to fix this I had to go into WMI and remove the SQL 2008 references. Here are the steps:

Open the WMI tool:

From the Run window type: wbemtest

clip_image002.png

In the namespace type the following:

\\NAMEOFYOURDPMSERVERGOESHERE\root\Microsoft\SqlServer\ReportServer\RS_NAMEOFYOURSQLINSTANCEGOESHERE

clip_image003.png

You will now be connected. Click on Query.

clip_image004.png

Put in the following query:

SELECT * FROM __NAMESPACE

clip_image005.png

You will then see two entries for SSRS that DPM is trying to access. You will see one for v10 and one for v11.

v10 is for SQL server 2008 R2 and v11 is for SQL 2012. We want the DPM installer to connect to SSRS on SQL 2012.

Click the Apply button in the query window and you will see the results.

clip_image006.png

Highlight v10 and click the Delete button. Now click Close and click Exit to close out the WMI tool.

Now run the DPM 2012 R2 upgrade again and it should go through without any issues.

DPMSSRSerror1

Read more

DPM How to Videos

Are you new to System Center Data Protection Manager (DPM)? Here is a list of some videos from myITforums.com that will help you get up to speed on DPM: Overview of System Center Data Protection Manager http://www.myitforum.com/absolutevc/avc-view.aspx?videoid=922&categoryid= DPM 2007 SP1 — How does DPM really work http://www.myitforum.com/absolutevc/avc-view.aspx?videoid=1324&categoryid= TechNet Webcast: Protecting Microsoft SharePoint with Data Protection … Read more

Data Protection Manager 2010 Overview Poster

  I was honored to work with Microsoft DPM MVP Yegor Statsev and Sean O Farrell on a DPM 2010 poster. Both Yegor and Sean are great guys and run blogs with lot’s of good information on them. You can find  links to their blogs under the Tech Blog Sites section. Here is a a … Read more

DPM could not connect to SQL Reporting

I needed to pull some reports on our backup in Data Protection Manager. So I clicked on Reporting in Data Protection manager and it threw an error like this:

DPM could not connect to SQL Server Reporting Services server because of IIS

connectivity issues.

On the computer on which the DPM database was created, restart the World

Wide Web Publishing Service. On the Administrative Tools menu, select

Services. Right-click World Wide Web Publishing Service, and then click Start.

Apparently there is a permission requirement in IIS 7 for ISAPI extensions that use a wildcard script. DPM uses this.

So you have to go into IIS 7 and set the permission for script to resolve this. Here are the steps:

Open up Server Manager expand Roles, expand Web Server (IIS).

Read more