Six Easy Steps to Keep Your Backup Servers from Being Hacked

  

Backup servers are very powerful. A backup server can read or overwrite any file or database in your enterprise; without such a server, a business cannot back up or restore files. Combine these capabilities with the fact that many backup products require the backup administrator to have root or administrator privileges on the system, and you have given one person the right to read or overwrite any file or database in your environment. This means that a compromised backup server is a very scary thing, so you should make every effort to protect it. Here are six tips for protecting your backup server.

1. Close unused ports

Check your backup vendor's documentation to determine which ports are absolutely necessary for your backup system to function properly, then block all other ports. For example, if your backup server does not need to be an NFS (Network File System) or CIFS (Common Internet File System) server, turn off or remove that service on the backup server. Do the same for web, print, Telnet, and any other services the backup server does not need to run.

2. Require encrypted access

If you manage your backup server over a plaintext protocol, an intruder can monitor your packets and learn your administrative password. Create a policy that blocks plaintext access to your backup server, and enforce it. First, uninstall or disable plaintext protocols such as Telnet, FTP, and HTTP. Then perform all management tasks over an encrypted protocol such as SSH, HTTPS, encrypted FTP, or SCP.
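One way to check tips 1 and 2 on a Linux backup server, as an added example that is not part of the original article: the script compares listening TCP ports reported by `ss -H -tln` with an allowlist and flags plaintext services. The allowlist ports and the sample `ss` output are constructed placeholders; take the real ports from your backup vendor's documentation.

```python
# Added example: audit listening TCP ports against an allowlist (tips 1 and 2).

# Assumption: placeholder ports standing in for the ones your backup
# vendor's documentation lists as required. Replace with the real values.
ALLOWED_PORTS = {22, 443, 10000}

# Plaintext management protocols named in tip 2, by well-known port.
PLAINTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}

# Constructed sample of `ss -H -tln` output so the example runs offline.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 64 0.0.0.0:2049 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 *:10000 *:*
"""

def listening_ports(ss_output):
    """Return {port: set of local addresses} parsed from `ss -H -tln` lines."""
    ports = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition splits on the last colon, so [::]:443 and *:80 both work.
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            ports.setdefault(int(port), set()).add(addr)
    return ports

def audit(ss_output, allowed=ALLOWED_PORTS):
    """Return sorted (port, reason) findings for every port that should be closed."""
    findings = []
    for port, addrs in listening_ports(ss_output).items():
        if port in PLAINTEXT_PORTS:
            findings.append((port, "plaintext " + PLAINTEXT_PORTS[port]))
        elif port not in allowed:
            local = addrs <= {"127.0.0.1", "[::1]"}
            scope = "loopback only" if local else "network-exposed"
            findings.append((port, "not in allowlist, " + scope))
    return sorted(findings)

if __name__ == "__main__":
    # On a live host, pass the captured output of `ss -H -tln` instead.
    for port, reason in audit(SAMPLE_SS_OUTPUT):
        print(f"port {port}: {reason}")
```

In the sample, the findings are Telnet (plaintext), the NFS port 2049, and a print service bound to loopback, matching the services the tips above tell you to turn off.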

3. Reduce the number of people with full access

If your backup server requires root or administrator access to manage, limit the number of people who have that access. Use a separate administrative password for the backup server and give it only to those who need access to the backup server. The average administrator may not like this approach, because administrators usually have access to the entire system. However, you have to explain to them that this is for their own protection. Keep the backup system's administrative password in a safe place and allow only those who really need it to retrieve it.

4. Log backup activities and, wherever possible, store the logs on another server

Use the system logging facility on a Unix backup server, or a third-party data protection management product, to record all backup activities, and store the records on another server so that a malicious administrator cannot overwrite them.

5. Separate media management from backup management

You can also assign media management and backup management to two different people: one who loads the tapes and another who sets up the backups. Generally speaking, these tasks are all done by one person, but separating them can prevent a disaster caused by a malicious employee. If a malicious employee has backup administrative rights but no access to the storage media, he cannot cause any damage. If a malicious employee has access to the storage media but no permission to write anything to them, he cannot cause any damage either.

6. Investigate the security features of your backup products

Backup software products have added many security features over the past few years, including encryption, task-based security, and enhanced client and administrator identification. Encryption can be applied to the backup process, the backup tapes, or the management processes. Task-based security removes the need for root or administrator access to manage the system and lets you separate responsibilities and decentralize power. Finally, enhanced identification abandons the old practice of identifying systems by IP address and hostname. Find out which of these features your product offers and start using them immediately.

Some of the above tips are difficult to implement. However, applying them is much better than doing nothing. Let us make sure these backup servers are safe!
