Storage configured for use with DATASTOR Shield Professional, such as an RDX cartridge, can be locked down to prevent unauthorized access and to protect against Ransomware attack. Three methods of storage protection are discussed here: BitLocker encryption, air gap protection and NTFS permission restrictions.
BitLocker Drive Encryption
To prevent unauthorized access to archive data, use BitLocker to encrypt the storage that holds the archive data. Your computer must be running a version of Windows that supports BitLocker and must have a Trusted Platform Module (TPM) chip on the motherboard. For Windows server operating systems, you may need to add the feature using Server Manager > Add Roles and Features.
Type BitLocker into the search bar on your task bar to find and click the Manage BitLocker app, or open it from the Control Panel.
Under 'Removable Data Drives - BitLocker To Go', click to turn on BitLocker.
Enter an encryption password of your choosing. The password should be recorded in your backup documentation and shared with company management.
Set BitLocker to automatically unlock the drive so the passphrase does not need to be entered each time the cartridge is inserted, unless otherwise required by company security protocol.
The encrypted drive can be decrypted on another computer running BitLocker if the encryption passphrase is known, so you can install DATASTOR Shield Professional on a second computer and recover data there.
BitLocker prevents a user who does not know the BitLocker passphrase from accessing the storage on another computer, that is, it provides protection against access to stolen cartridges. It does not protect an unlocked cartridge from Ransomware, so additional protection measures may be implemented.
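The same configuration performed with the Windows BitLocker PowerShell module, as an added example that is not part of DATASTOR's documentation or software. The J: drive letter is a placeholder, and the recovery password protector is an addition beyond the password-only step above; the final check confirms that protection is actually enforced before the cartridge goes into rotation.

```powershell
# Added example (not DATASTOR's own code): turn on BitLocker To Go for the cartridge with a
# password protector, enable auto-unlock, and verify that protection is actually enforced.
# Assumptions: the cartridge is mounted at J: (placeholder); the BitLocker PowerShell module is
# present (built into Windows client, added with the BitLocker feature on Windows Server);
# the script runs from an elevated prompt.
param([string]$MountPoint = "J:")

# Prompt for the passphrase so it is never stored in the script or in shell history.
$password = Read-Host -AsSecureString -Prompt "BitLocker password for $MountPoint"

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Password protector = the "use a password to unlock the drive" option of the wizard.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $password `
                     -EncryptionMethod XtsAes256 | Out-Null
    # A recovery password gives a second way in if the passphrase is lost; record it
    # in the backup documentation next to the passphrase.
    $rp = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = ($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
    Write-Host "Recovery password (record in documentation): $recovery"
}

# Auto-unlock keeps the unlock key in the OS volume's BitLocker metadata, so the OS drive
# itself must already be BitLocker-protected; otherwise the cmdlet fails.
if ((Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On') {
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
} else {
    Write-Warning "$env:SystemDrive is not BitLocker-protected; auto-unlock cannot be enabled."
}

# Verification: ProtectionStatus must be On, and the cartridge should carry both protectors.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[pscustomobject]@{
    MountPoint       = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted once background encryption finishes
    EncryptionMethod = $vol.EncryptionMethod
    ProtectionStatus = $vol.ProtectionStatus
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
}
if ($vol.ProtectionStatus -ne 'On') { throw "BitLocker protection is not active on $MountPoint" }
```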
Air Gap Protection
Use cartridge rotation of two or more cartridges to create redundancy across media in case one cartridge is rendered unusable. Rotation also creates an air gap between an infected computer and the ejected cartridge to prevent encryption by Ransomware. Create an air gap as soon as possible after the backup completes.
To set cartridge ejection after the completion of a backup, go to Options > Rotation tab, check the box for a reminder to rotate a cartridge after it is used by a protection plan, and check the box to automatically eject the cartridge on the rotation reminder.
Click OK to save the settings.
Restricted NTFS Permissions
Create a DATASTOR user account that alone will have full access to storage, then set the protection plan to run with the DATASTOR user account. Any Ransomware process running under a different account will not be able to encrypt the storage.
- Create a DATASTOR user account with membership in the local Administrators group and Backup Operators group.
- Type 'Computer' in the search bar to find the Computer Management app and open it.
- Go to Local Users and Groups > Users, right click the Users folder and select New User... from the contextual menu.
- On the New User page, enter user name DATASTOR and enter a complex password for the account. Uncheck the box 'User must change password at next logon' and check the box 'Password never expires'. Record the password in your documentation.
- Click Create to create the user account.
- Find the DATASTOR user account in the Users folder. Double click it to open the account Properties page.
- Click the Add button. Type Administrators and add the Administrators group. Click the Add button. Type Backup Operators and add the Backup Operators group. Remove any other groups listed. Then, click OK to save.
- Create a DATASTOR Admins security group. This group will have read permissions for the NTFS volume. In Computer Management, expand the Local Users and Groups folder in the left pane, then select the Groups folder. Right click in the right pane and select New > Group. Enter DATASTOR Admins in the Group name: field. See image.
Add to DATASTOR Admins any administrator accounts that you want to be able to manage DATASTOR Shield processes without granting write access to the storage drive. These accounts should be members of the local Administrators group on the server hosting the software to permit them to work in the software.
- Grant the DATASTOR user account full permissions to the NTFS formatted RDX cartridge. Grant the DATASTOR Admins group Read Only permissions on the NTFS formatted RDX cartridge. Remove write permissions for other accounts.
- Log on to the server with the DATASTOR user account. Open a command prompt as an administrator.
- Lock down storage using the icacls utility (recommended). Type:
icacls [drive letter:] /grant "DATASTOR":(OI)(CI)(F) /grant "DATASTOR Admins":(OI)(CI)(R) /inheritance:r /remove "Administrators"
where [drive letter:] is replaced with the drive letter of the volume that contains the store. For example, if the store resides on the J: drive, the command would be:
icacls J: /grant "DATASTOR":(OI)(CI)(F) /grant "DATASTOR Admins":(OI)(CI)(R) /inheritance:r /remove "Administrators"
- The icacls command displays the existing permissions on a drive when run without additional parameters, e.g. icacls J:. Run the command to check the current permissions.
- If there are additional security groups present, remove them as well.
icacls [drive letter:] /inheritance:r /remove "[group]"
where [drive letter:] is replaced with the drive letter of the volume that contains the store and [group] is replaced with the security group. For example, if the store resides on the J: drive and the Builtin\Users group was granted permissions, the command would be:
icacls J: /inheritance:r /remove "Builtin\Users"
- Refrain from logging onto the server regularly with the DATASTOR user account. A Ransomware attack initiated under the only account that can write to the cartridge would leave the storage vulnerable to encryption.
- Run protection plans with the DATASTOR user account. In the protection plan settings, open the Schedule tab, select an advanced schedule, then enter the service account username and password.
When NTFS permissions are restricted on the cartridge, the rotation reminder cannot eject the cartridge. To enable ejection of cartridges with restricted NTFS permissions through the reminder, set the DATASTOR Shield Archive Manager service to log on with the DATASTOR service account.
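The lockdown and permission check from the steps above, scripted in PowerShell as an added example that is not part of DATASTOR's documentation or software. It runs the documented icacls command, then inspects the resulting ACL for any identity other than the DATASTOR account that can still modify, delete, re-ACL or take ownership of data, and removes such entries the same way the documented step does. The J: drive letter is a placeholder; the DATASTOR account and the DATASTOR Admins group are assumed to exist already.

```powershell
# Added example (not DATASTOR's own code): run the icacls lockdown from the steps above,
# then verify that nothing but the DATASTOR account can still write to the cartridge.
# Assumptions: J: is a placeholder drive letter; the DATASTOR account and the
# "DATASTOR Admins" group already exist; the script runs from an elevated PowerShell prompt.
param(
    [string]$Drive          = "J:",
    [string]$ServiceAccount = "DATASTOR",
    [string]$ReadOnlyGroup  = "DATASTOR Admins"
)
$root = "$Drive\"   # "J:" alone means the current directory of that drive; address the root explicitly

# Fail early if a principal cannot be resolved; icacls would otherwise error part-way through.
foreach ($name in @($ServiceAccount, $ReadOnlyGroup)) {
    try   { [void]([Security.Principal.NTAccount]$name).Translate([Security.Principal.SecurityIdentifier]) }
    catch { throw "Account or group '$name' does not exist on this computer." }
}

# Same ACL as the documented command: service account Full, admins group Read,
# inheritance stripped, built-in Administrators removed.
icacls $root /grant "${ServiceAccount}:(OI)(CI)(F)" /grant "${ReadOnlyGroup}:(OI)(CI)(R)" /inheritance:r /remove "Administrators" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls lockdown failed with exit code $LASTEXITCODE" }

# Any Allow ACE carrying one of these bits lets its holder modify, delete, re-ACL or take over data.
$writeMask = [int][Security.AccessControl.FileSystemRights]::Write -bor
             [int][Security.AccessControl.FileSystemRights]::Delete -bor
             [int][Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [int][Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [int][Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             0x40000000 -bor 0x10000000   # GENERIC_WRITE and GENERIC_ALL, as seen on inherit-only ACEs

function Get-ExtraWriters {
    # Returns the identities other than the service account that still hold write-capable Allow ACEs.
    (Get-Acl -Path $root).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
                       $_.IdentityReference.Value -notmatch "(^|\\)$([regex]::Escape($ServiceAccount))$" } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

# Strip leftover groups (e.g. BUILTIN\Users) the same way the documented step does, then re-check.
foreach ($id in Get-ExtraWriters) {
    Write-Warning "Removing write-capable ACE for $id"
    icacls $root /inheritance:r /remove:g "$id" | Out-Null
}
$remaining = @(Get-ExtraWriters)
if ($remaining.Count -gt 0) { throw "Still writable by: $($remaining -join ', ')" }

# Final report for the backup documentation.
(Get-Acl -Path $root).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```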
- Open the Services console. Type services into the search bar to find the Services desktop app or open it from the Control Panel.
- Scroll to DATASTOR Shield Archive Manager and double click it.
- Click the Log On tab and then click the radio button 'This account:'.
- Enter the DATASTOR service account.
Click Apply and OK, then restart the service.
Note: To access storage on a second computer after putting NTFS restricted permissions in place, take ownership of the root folder and grant full access to a local administrator account.
Known Limitations
Member accounts of the DATASTOR Admins security group will be able to log in and create a protection plan, explore restore points and restore data. Access errors related to DATASTOR tasks may be logged while logged on with the member accounts; these do not impact successful completion of the above tasks.
Storage cannot be renamed or added while logged on with any DATASTOR Admins member account.
The DATASTOR Shield Professional app in the system tray may alert you that the storage is unreadable if it detects cartridge insertion before the storage is unlocked by BitLocker.
Log on to the computer with the DATASTOR user account solely to configure the software or when full software functionality is desired, then log off immediately when tasks are completed. Check email and browse the Internet with a different account. Storage can be infected if a Ransomware infection occurs while logged in with the DATASTOR user account.