Ransomware has been a hot topic in IT circles these past few years. We’ve dealt with it in a number of different articles here on TechGenix. For organizations that use Active Directory and Microsoft Azure, however, there’s a new weapon you can use in your war on ransomware: The new and improved Azure Backup feature of Microsoft Azure. I previously asked Shreesh Dubey, Principal Group Program Manager for Azure Backup & System Center Data Protection Manager at Microsoft, to share with us about the new capabilities of Azure Backup in this TechGenix article from back in November 2017.
To show us how Azure Backup can help protect your Active Directory environment from ransomware, I’ve tapped the expertise of Saurabh Sensharma, who is another Azure expert at Microsoft. Saurabh is a Program Manager on the Microsoft Azure Backup product engineering team and is responsible for cloud-integrated backup solutions for hybrid IT environments and integration scenarios for backup and disaster recovery in Azure. Saurabh has worked on enabling several hybrid backup and restore scenarios, including the Restore as a Service-based Instant File Recovery approach for Azure Backup. With 7-plus years of experience in mobile and cloud technologies, one granted patent and three pending patents in security, artificial intelligence, and user-experience, Saurabh hopes to redefine what the public cloud can be for IT data protection and infrastructure management. Let’s now hear from Saurabh as he explains the value of Azure Backup in helping to ensure that ransomware doesn’t wreak havoc with your Active Directory infrastructure.
Protect your Active Directory from ransomware with Azure Backup
The Active Directory (AD) database is the most critical database in the Windows IT infrastructure of every organization and is at the core of providing authenticated access to various network assets in any company. Domain controller (DC) servers provide physical storage for the AD database and, therefore, become the most critical servers of an organization.
Given Active Directory’s crucial role in providing organizational identity management capabilities, it is also the most sought-after target for malicious attackers and ransomware. Once an attacker has admin access to one or more DCs, they can corrupt or even delete the AD database, triggering an organization-wide compromise of computing systems via AD replication. Therefore, backup admins need to be extra careful about safeguarding DCs not only from accidental deletion or natural disasters but, more importantly, from ransomware. Microsoft Information Security and Risk Management (ISRM) prescribes some especially useful recommendations to secure your domain controllers against attack. One of the key defense strategies that DC backup admins must exercise is to “assume breach” and plan for “recovering” from a compromise. In the probable event that your AD is compromised, recovery entails either reversing every adversarial change an attacker made to the AD database or simply restoring from a known-“good” backup. A solid AD backup and restore strategy is therefore critical in reducing the cost of recovering from an AD attack.
What is a solid backup and restore strategy for AD?
Backing up the “system state” of two or more domain controllers in a domain forest using a certified, AD-compatible backup application such as Windows Server Backup is the supported method of restoring an AD environment to a healthy state. System state contains the AD database, its log files, the Windows registry, and the SYSVOL folder, all of which are critical in defining and maintaining the state of AD. The system state backup strategy holds good even for virtualized DCs, when implemented in-guest. Recovering AD from a VM snapshot is not recommended or supported, because the resulting USN bubbles (USN rollback) can lead to incorrect passwords, lingering objects, and a domain controller that never converges with the other domain controllers in the environment. While VMs on Windows Server 2012 and later alleviate USN-bubble issues by supporting the VM-generation ID, VM snapshot-based AD restore is still not a replacement for system state backups and the AD DS Recycle Bin: after restoration from the snapshot, any unreplicated changes that originated from the VM after the snapshot was taken are permanently lost. A good system state backup is, therefore, the only fully supported way to restore physical or virtual domain controllers.
But is that good enough?
So how does one ensure “good” system state backups? The time-tested Windows Server Backup feature is the most reliable way to make system state backups of your domain controller to a locally attached disk or to a network share. However, it requires backup admins to provision additional infrastructure (such as local disk space) and to ensure that those disks and network shares are available both during backup and during restore. But there is something more alarming. Attackers are becoming increasingly sophisticated, and one route they use to obtain the AD database (ntds.dit) is through domain controller backups stored on-premises. So while you might be backing up your Active Directory on schedule, your backups might themselves become the entry point for compromise. That is not much reward for the good behavior of backing up your AD regularly.
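A quick health check for the strategy described above (two or more DCs per domain with a recent system state backup), written as an added PowerShell example that is not part of the article or of any Microsoft product. It assumes the ActiveDirectory and WindowsServerBackup modules are available, that PowerShell remoting to each DC is enabled, and that the caller may read the Windows Server Backup summary on each DC.

```powershell
# Added example (not from the article or Microsoft): report how recently each DC's
# Windows Server Backup job last succeeded, and warn when a domain has fewer than
# two DCs with a fresh backup. Assumes: ActiveDirectory + WindowsServerBackup
# modules, remoting to each DC, and a caller allowed to run Get-WBSummary there.
param(
    [int]$MaxAgeDays = 7,          # constructed threshold: older backups count as stale
    [int]$MinHealthyPerDomain = 2  # the article's "two or more DCs" recommendation
)

Import-Module ActiveDirectory

$now = Get-Date
$results = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $last = $null
        try {
            # Get-WBSummary reports the last successful backup recorded on that server.
            $summary = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                Import-Module WindowsServerBackup
                Get-WBSummary
            }
            # A server that was never backed up reports a sentinel date rather than $null.
            if ($summary.LastSuccessfulBackupTime -gt [datetime]'1900-01-01') {
                $last = $summary.LastSuccessfulBackupTime
            }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
        }
        $age = if ($last) { [int]($now - $last).TotalDays } else { $null }
        [pscustomobject]@{
            Domain     = $domain
            DC         = $dc.HostName
            LastBackup = $last
            AgeDays    = $age
            Healthy    = ($null -ne $age -and $age -le $MaxAgeDays)
        }
    }
}

$results | Format-Table -AutoSize

# Supported AD recovery needs more than one DC with a usable system state backup.
$results | Group-Object Domain | ForEach-Object {
    $healthy = @($_.Group | Where-Object Healthy).Count
    if ($healthy -lt $MinHealthyPerDomain) {
        Write-Warning "$($_.Name): only $healthy DC(s) have a backup newer than $MaxAgeDays days"
    }
}
```

Get-WBSummary records the last successful Windows Server Backup job of any kind, so confirm separately that the scheduled job on each DC is a system state backup; backups taken by the Azure Backup agent are not reflected here.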
There is a need, then, not only to minimize local backup infrastructure and secure system state backups but, more importantly, to isolate or offsite these backups reliably to a robust fault domain that is not linked to your domain controller, so that ransomware cannot reach them. The public cloud can come to the rescue here. Backing up AD directly to the public cloud not only satisfies the requirement of an isolated fault domain for backups but, with advances in network bandwidth, also meets recovery time requirements: the average size of the AD database is about 30GB, which can be restored relatively quickly from the public cloud.
Back up your domain controller’s system state
Azure Backup is a simple, secure, and reliable solution from the very folks who created Windows Server Backup. It takes advantage of the Microsoft Cloud to back up your domain controller’s system state directly to Azure and protect it from ransomware and disasters.
Secure, ransomware-protected backups
Backups stored in Azure are encrypted at rest. Azure Backup uses native AES-256 encryption to encrypt your backups right at the source with a key that only you have access to, and then sends them directly to Azure over HTTPS. More importantly, Azure Backup has built-in protection in the form of multifactor authentication (MFA) to prevent ransomware attacks on backups, and an alerting mechanism to notify you of any suspicious activity.
Reliable, no-cost recoveries
Azure Backup leverages the scale of Azure to provide a bottomless, highly available, and robust offsite backup target. By storing a minimum of three copies of your data, Azure Backup guards against backup data loss due to corruption or storage failures, making restores more reliable than ever. Additionally, you can restore your system state backups from Azure without any charges!
Flexible backup and retention policy
Windows Server Backup lacked the capability to specify retention for backups. In addition to providing automated scheduled backups, Azure Backup lets you specify a retention period for daily, weekly, and monthly system state backups and automatically prunes recovery points that reach their retention age.
Central management at scale
Once a domain controller is registered with the Azure Backup service, the service provides a bird’s-eye view of the status of all backups, raises automated alerts for failed backups, and generates custom reports using Microsoft Power BI. There is no need to deploy additional agents or provision extra infrastructure to get these management capabilities, which can be used for backing up your AD infrastructure at scale.
- Create your 30-day free trial Azure account, which gives you $200 worth of Azure credits.
- Follow the three simple steps in this tutorial to start backing up your domain controller’s system state like never before.
- Manage backups from servers at scale with central monitoring and reporting.
Get started today and reach out to us on Twitter or the Azure Backup user voice to share your experiences and tell us more about enhancements that can help you bolster your Active Directory’s protection against ransomware.