Best Practices for Ransomware Protection

  • To access network mount paths, create and use a non-interactive user account. A non-interactive user is an account that has been denied the right to log on locally. To create a non-interactive account, use the following procedure:

    1. Open GPEDIT.MSC and go to Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment.

    2. Add the user to the Deny Log on Locally policy.

    3. Create the network share, granting Full Control permission to the administrator and denying permissions for all other users, using the following steps:

      • Open Windows Explorer, and then browse to the folder whose permissions you want to manage.

      • Right-click the folder you want to manage, and then click Properties.

      • Click the Sharing tab, and then click Advanced Sharing.

      • Click Permissions.

        The Permissions dialog box appears. This dialog box lists all the users and groups to whom you have granted permission for the folder.

      • Click Add, and enter the name of the user or group to whom you want to grant permission, and then click OK.

      • Select the appropriate Allow and Deny check boxes to specify which permissions to allow for the user or group.

      • Click OK.

    4. Configure antivirus software for ransomware protection.

  • Do not log on to the CommServe or MediaAgent computer directly. Instead, do the following:

    • Use a virtual machine proxy computer that has the JAVA GUI and SQL Management Studio installed.

    • Block all ports on the virtual machine, except for the ones required for JAVA GUI or SQL Management Studio.

    • Log on to the CommCell Console, and then access the MediaAgent computer.

  • Use the Install Windows Update Workflow to download and install Microsoft updates on client computers that run the Windows operating system.

  • We recommend that you store a copy of data on secondary storage such as a Hyperscale appliance, tape, or cloud storage. These media can store data in ransomware protection mode, which is not easily accessible to ransomware attacks.

    To restore the DR dump, copy the volume folders that contain the DR backups to a Windows MediaAgent and then run the MediaExplorer tool on the Windows MediaAgent.

  • Store the DR backup in a dedicated network location that is accessible from both the CommServe hosts. If this network location is on a Windows mount path, then ransomware protection is enabled by default. Use a UNC path to access the location. Ensure that this dedicated location is not used for any other CommServe task. Storing the DR backup on a local disk or local clustered disk is not safe and is not a common practice.

  • Do not store unrelated data under a path protected by ransomware protection, such as:

    • Deduplication database (DDB) path

    • Disk library mount path

    • Index cache path

    • Disaster Recovery (DR) path

    Any non-related data placed under a protected path may be blocked as write-protected.

    Important: Do not store non-DDB data under a DDB path.

  • To secure the deduplication database from ransomware, the database must not be located in the root of a mount point directory. For example, if a disk is mounted on C:\mountpoint1, the deduplication database should not be located in C:\mountpoint1. However, the database can be located in a subdirectory of the mount point directory, for example, C:\mountpoint1\ddb1.
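The deduplication database placement rule above can be checked against an inventory of configured paths. The following is an added example, not code from the product or its vendor: the function names are hypothetical, and it assumes you supply the list of mount point directories yourself (for example, from the output of mountvol on the MediaAgent) together with the DDB paths to audit.

```python
import ntpath
from pathlib import PureWindowsPath

ROOT = "mount-point-root"          # violates the rule: DDB sits in the mount point itself
SUBDIR = "subdirectory"            # allowed: DDB sits below the mount point
UNKNOWN = "no-listed-mount-point"  # path is not under any mount point in the inventory


def _norm(path):
    # Collapse "..", forward slashes and trailing separators.
    # PureWindowsPath then compares case-insensitively, as Windows does.
    return PureWindowsPath(ntpath.normpath(path))


def classify_ddb_path(ddb_path, mount_points):
    """Return (verdict, enclosing_mount_point) for one DDB path."""
    ddb = _norm(ddb_path)
    # Compare whole path components, so C:\mountpoint10 is not mistaken
    # for a child of C:\mountpoint1.
    enclosing = [m for m in map(_norm, mount_points)
                 if m == ddb or m in ddb.parents]
    if not enclosing:
        return UNKNOWN, None
    # With nested mount points, the deepest one is the volume holding the path.
    deepest = max(enclosing, key=lambda m: len(m.parts))
    return (ROOT if deepest == ddb else SUBDIR), str(deepest)


def audit(ddb_paths, mount_points):
    """Classify every DDB path; returns {path: (verdict, mount_point)}."""
    return {p: classify_ddb_path(p, mount_points) for p in ddb_paths}


if __name__ == "__main__":
    # Constructed sample inventory, for illustration only.
    MOUNT_POINTS = [r"C:\mountpoint1", r"C:\mountpoint1\nested"]
    DDB_PATHS = [r"C:\mountpoint1", r"C:\mountpoint1\ddb1",
                 "c:/MOUNTPOINT1/nested/", r"C:\mountpoint10\ddb"]
    for path, (verdict, mp) in audit(DDB_PATHS, MOUNT_POINTS).items():
        flag = "FIX" if verdict == ROOT else "ok "
        print(f"{flag} {path!r}: {verdict} (mount point: {mp})")
```

Any path reported as mount-point-root should be moved into a subdirectory such as C:\mountpoint1\ddb1; a path reported as no-listed-mount-point means the inventory of mount points is incomplete or the path is on an ordinary volume.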
