Protecting DPM 2010 with a firewall

  • Question

  • Now that I have D2D2T working, is it easy to set up a firewall on DPM to help protect it and the storage pool from hackers/worms?

    I am particularly interested in whether I can prevent access to shared folders/admin shares of drives (I believe that this is probably the most vulnerable part of DPM)? Ideally, I would really like to disable file sharing.

    I have it in the back of my mind that file sharing has to be enabled because BMR backup runs a backup program (e.g. wsbackup.exe) on the protected server, which then connects back to the DPM server via a shared folder.

    Thanks,

    Bruce.

    Wednesday, March 7, 2012 9:45 PM

All replies

  • Hi,

    Just a couple of things you should look at:

    • For firewall settings on a DPM server use the following article: http://technet.microsoft.com/en-us/library/ff399062.aspx
    • Use a good AV client (for example Forefront Endpoint Protection)
    • Make sure that on all fileshares the group Everyone is not used.
    • Make sure all the accounts used on your server have complex passwords.
    • Patch your AV and Windows version frequently (after testing of course :) especially on Patch Tuesday)

    But the above should be applied to all servers within your environment. Your environment is as strong as your weakest link.

    You are right about the fact that BMR uses shared folders. Therefore it is not possible to disable File and Printer sharing.

    Kind regards,

    Bart Timmermans


    Bart Timmermans | Technical Consultant at KPN Consulting


    Wednesday, March 7, 2012 10:29 PM
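
One way to check the "Everyone is not used on file shares" item from the reply above. This is an added example, not part of the original post or of DPM itself: the function name `Get-EveryoneShareAccess` is hypothetical, and the script uses WMI so that it also runs on PowerShell 2.0. It reports share-level permissions only; NTFS permissions on the shared folders are a separate check.

```powershell
# Added example: list share-level ACEs whose trustee is Everyone (SID S-1-1-0).
# Run from an elevated PowerShell prompt on the DPM server.
$everyoneSid = 'S-1-1-0'

function Get-EveryoneShareAccess {
    foreach ($setting in Get-WmiObject -Class Win32_LogicalShareSecuritySetting) {
        $result = $setting.GetSecurityDescriptor()
        if ($result.ReturnValue -ne 0) {
            Write-Warning "Cannot read security descriptor of share '$($setting.Name)' (code $($result.ReturnValue))"
            continue
        }

        $dacl = $result.Descriptor.DACL
        if ($null -eq $dacl) {
            # A NULL DACL means no restriction at all: everyone has full access.
            New-Object PSObject -Property @{
                Share = $setting.Name; Type = 'Allow'; Access = 'Full Control (NULL DACL)'
            }
            continue
        }

        foreach ($ace in $dacl) {
            if ($ace.Trustee.SIDString -ne $everyoneSid) { continue }

            # Map the standard share permission masks to their names.
            $access = switch ($ace.AccessMask) {
                2032127 { 'Full Control' }
                1245631 { 'Change' }
                1179817 { 'Read' }
                default { '0x{0:X}' -f $_ }
            }
            # AceType 0 is an allow entry, 1 is a deny entry.
            $type = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }

            New-Object PSObject -Property @{
                Share = $setting.Name; Type = $type; Access = $access
            }
        }
    }
}

# Any 'Allow' row is a share that still grants access to Everyone.
Get-EveryoneShareAccess | Sort-Object Share | Format-Table Share, Type, Access -AutoSize
```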
  • Not being able to disable Windows "File and Print sharing" on the DPM server (when BMR backups are enabled) is a serious design/security flaw.

    Worms tend to use Windows File and Print sharing as a method to spread to servers (e.g. Conficker); leaving file sharing enabled leaves your DPM server (including any off-site secondary DPM servers!) vulnerable to hackers/worms.

    Coming in to work to find that all of your production servers have been wiped by a malicious hacker (or worm) is one thing.  But finding that it's got your DPM server(s) too, is another.

    It should be possible to disable all inbound connections.

    Bruce.

    Thursday, April 5, 2012 9:33 PM