ReadyNAS 312 systems deployed in various locations. Most workstations are accessing NAS hosted data via mapped drives in a peer networking environment. Everyone around here is clucking about CryptoLocker and the fact that shares and all documents therein can be encrypted for ransom. So, I am looking for ways to protect the files.My notion is to establish directory/file protections on the backup area of the NAS such only the automated backup process is able to write to that location. Others could read/view but only the automated backup would be able to write/update. Of course the actual mapped drive data would be vulnerable, but the backup data would be intact in case of an issue. I have little actual experience in a Linux environment and would be guessing (poke & hope?) on how to establish the permissions for the backup area. Could somebody provide a sketch of how they would approach this issue?Thanks for any help you can provide.

The simplest way to protect the NAS shares is not to map them as network drives. Create shortcuts instead. Blocking write access might also work.http://www.bleepingcomputer.com/virus-r ... nformation

Thank you for your reply. In a commercial environment with task oriented workers with low technology knowledge and rudimentary skills, mapped drives are the only practical approach I have encountered. In a larger environment with actual Domains and group policies, more could be done but in the peer network environment we need to live with mapped drives. You are correct, blocking write access will work for thwarting the CryptoLocker process. What I am seeking is some guidelines or advice on how to accomplish that task for the actual backup directory/files. An example might be running a batch file that changes permissions during the backup process and then changes them back after the backup has been completed. This forum is filled with knowledge, I am hoping someone can provide me guidance.

Are you using PC backup tools, or Frontview backup?

We have standardized on Genie Backup Manager -- http://www.genie9.com/Default.aspx Product is good, uses Microsoft Shadow Copy capability, and reasonably priced for the mid-market consumer with more modest needs. We typically recommend against cloud based backup because the Internet speed (rural America) is too slow and often limited by ISP. The backup program runs on the 'fastest' workstation and in turn backs up critical files and workstation related information nightly. The backup is encrypted and directed to the fastest workstation secondary drive banks in addition to the NAS.

Backup manager seems to support ftp/ftps. So you could enable ftps to the backup share, and limit SMB access to read-only.

Premissions and CryptoLocker | NETGEAR Communities

12 Replies

Replies have been turned off for this discussion

StephenB
Guru - Experienced User
Nov 11, 2013
http://www.genie9.com/home/Genie_Backup ... rview.aspx claims it can back up externally using FTP/FTPS as the protocol. The suggestion was to use that.

Using UNC for the backup folder (instead of a mapped drive) would also work.

Frontview backup can reach Windows shared folders, and back them up. But there are several operational challenges if you attempt to set up a backup schedule using that mechanism - particularly if the user PCs are not available or turned off when the backup is attempted. It also just does file copy, there is no versioning, etc.
Bains
Guide
Nov 11, 2013
The Genie product says it can do FTP/FTPS backup but their support folks are unclear on permissions. I am unfamiliar with FTP transfer except to observe that it works and we often use it for Web Publishing using a FTP Client program. Does the destination folder inherit the same permissions or alternatively can I issue some type of FTP command to remove permissions in the destination directories? That said we can test the results to get the details.

I have just finished a call with the Advanced Support folks at Netgear -- very friendly and helpful. They discussed a feature in their newer ReadyNAS products that allow a destination share to not inherit the permissions of the source folder. They assure me that this will work for backup processes in the ReadyNAS. Using this approach, the backup can occur to a hidden (not drive mapped) area and all of the content can be established as read only. Restoration might be an issue because of the read only status but at least the data is protected from CyberLocker.

Of passing interest is the fact that the support fellow said that CyberLocker related issues are now their #1 problem reported by the client base -- "it is really big right now".

Forum Discussion

Premissions and CryptoLocker

12 Replies

Related Content

CryptoLocker and a backup strategy

How to protect from Cryptolocker?

Premissions--- NAS 2120

Help with file premissions

Help with file premissions

NETGEAR Academy

ProSupport for Business