Best Practices
- For accessing network mount paths, create and use a non-interactive user account to access the network mount paths. A non-interactive user is an account that has been denied local log on rights. To create a non-interactive account, use the following procedure:
- Open GPEDIT.MSC and go to Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment.
- Add the user to the Deny Log on Locally policy.
- Create the network using Full Control permission to the user and deny permissions for all other users.
- Configure an antivirus software for Ransomware protection.
- Do not log on to the CommServe or MediaAgent computer directly. Instead, do the following:
- Use a virtual machine proxy computer that has the JAVA GUI and SQL Management Studio installed.
- Block all ports on the virtual machine, except for the ones required for JAVA GUI or SQL Management Studio.
- Log on to the CommCell Console, and then access the MediaAgent computer.
- Use Commvault Powershell script to harden Windows based on recommendations from Microsoft.
- Use Install Windows Update Workflow to download and install Microsoft updates on client computers that operate on Windows operating system.
- Protect your CommServe Disaster Recovery (DR) backup. In addition to DR Backup location and Export location, use the Edge Drive Uploader Tool to regularly upload a copy of the CommServe databases to a collaborative share on https://cloud.commvault.com.
Note: Storage of CommServe DR backup data on https://cloud.commvault.com is a free service to all customers.
- We recommend that you store a copy of data on tape or on cloud storage. Tape and cloud storage store offline data, and offline data is not easily accessible to ransomware software.
Last modified: 6/24/2019 9:32:34 PM