You are on page 1of 18

Azure Backup

Built in Ransomware Defense


https://docs.microsoft.com/en-us/azure/backup/backup-azure-security-
feature#prevent-attacks
Create the Recovery Services Vault
Note several Security Settings cannot be changed once enabled
Create a Backup Policy for Domain Controllers

From the documentation – these settings were created when


the added security policy was selected.
Associate the VM with the Backup Policy
Review the protected Domain Controller
Restoring to a separate network is fast and straight forward. Conducting
attack forensics to excise the compromised accounts can begin quickly.
Azure Storage
Ransomware Defense
Immutable Blob Containers
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-immutable-storage
Create the Storage Account and Blob Container
Set the Access Policy
Add an Immutable Policy with Time Based Retention
The Policy must be locked to become enforced
Once the Policy is Locked the data cannot be changed or deleted until the time interval is reached
Container or Storage Account Deletion attempts will fail until time retention period is reached and
the objects in the container are removed – even with elevated administrator credentials
Sensible Retention Policy Settings

• 90 days should be adequate to defend against attacks


• A much longer interval can be set if desired
• Likely a different RPO Recovery Point Objective than regular backups
• An Example:
• Create Storage Account(s) with 90-day retention policy containers
• Place a copy of weekly backup files in containers
• Domain Controllers – File Servers – Data Servers – App Servers – etc.
• Age the storage for a quarter and delete the old data & containers quarterly
• Adjust for longer RPO if there is discomfort in 90-day policy
• Integration with third party backup solutions such as Commvault
http://documentation.commvault.com/commvault/v11/article?p=9251.htm
http://documentation.commvault.com/commvault/v11/article?p=9236.htm
Tony DeVolk – Architect
Microsoft State & Local Government