Best practice for safeguarding DPM against ransomware?

  • Question

  • Hi, I'm looking for some advice. I don't see much info regarding protecting DPM against ransomware. OK, so of course I have the firewall enabled and reasonably locked down, plus anti-virus, etc. But the way I see it, if an IT Admin's PC got infected (for whatever reason - I'm not going to argue the rights and wrongs - this is worst possible case) it could potentially spread to any of the in-house servers, including DPM.

    The only obvious thing I can think of is to block SMB sharing on the DPM server and just leave the agent port(s) and RDP open. Would that stop DPM working normally? Does it need ports 445, etc?

    Friday, June 10, 2016 10:35 AM

All replies

  • Hi Andy,

    Please have a look at the following article regarding anti-virus on a DPM-server:
    Run antivirus software on the DPM server.

    With that said, step number one to ensure the safety of your backed up data is to always have a backup of the DPM DB on a remote and secure location. I find Azure Backup to be the best place, but it can always be a location physically separated from both your production environment and your backup environment.
    This will ensure that even if your DPM-server gets compromised and the DPM-DB is corrupted you can always install a new DPM-server and restore your backed up DPM-DB to the new server (and connect the storage where your backed up production data resides).

    Regarding the backed up production data stored within DPM: unless malware is directly injecting/deleting data on your SAN/NAS (or whatever kind of storage you use), the only place where you can actually access the files is from the "Volume" folder in the DPM installation folder. Here you will find mounted volumes to which only the SYSTEM account has permissions. So only if malware can impersonate the DPM-server SYSTEM account will it be able to mess up your backed up data.

    But to answer your question. Here is the full list of ports and protocols that DPM uses:
    Configure firewall settings for DPM

    Kind Regards
    Markus Eliasson

    Friday, June 10, 2016 12:06 PM
  • Hi Markus,

    Thank you very much for taking the time to reply in such detail. I should add that I have a secondary DPM server configured in circular protection mode. This means the DB is backed up regularly, so that part is taken care of. I've already configured those AV exclusions, too.

    The firewall ports disappoint me though. I would have thought that all comms between client and server would have been done over the DPM agent port alone. I suppose I could configure the DPM server's firewall ports (135, 445) to restrict comms between itself and protected servers, but that's not a system I'd particularly like to maintain in terms of adds, moves and changes.

    I need to do some more thinking. Ransomware is keeping me awake at night.
    Thanks again,

    • Edited by AndyChips Friday, June 10, 2016 2:32 PM
    Friday, June 10, 2016 2:20 PM
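    One way to keep the per-server firewall scoping manageable, as an added example that is not part of the thread and not DPM's own tooling: keep the protected-server addresses in a text file, rebuild the scoped 445/135 allow rules from it, and check the DPM Volumes folder ACL that Markus describes. The list path and the DPM install path below are assumptions.

```powershell
# Added example (not from the thread): scope inbound SMB (445) and RPC endpoint mapper
# (135) on a DPM server to the protected servers only, then report other rules that
# still admit those ports and any non-SYSTEM access on the replica volumes.
# Assumptions: protected-server IPv4 addresses or CIDR ranges live one per line in
# C:\DPM\protected-servers.txt; DPM is installed in the default path. Run elevated.
param(
    [string]$ServerList  = 'C:\DPM\protected-servers.txt',
    [string]$VolumesPath = "$env:ProgramFiles\Microsoft System Center\DPM\DPM\Volumes"
)

$remote = Get-Content $ServerList | Where-Object { $_ -match '^\d' }
if (-not $remote) { throw "No protected-server addresses found in $ServerList" }

# Drop any earlier copy of our rules so the list file stays the single source of truth
# for adds, moves and changes.
Get-NetFirewallRule -DisplayName 'DPM scoped *' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

foreach ($port in 445, 135) {
    New-NetFirewallRule -DisplayName "DPM scoped TCP $port" -Direction Inbound `
        -Protocol TCP -LocalPort $port -RemoteAddress $remote -Action Allow | Out-Null
}

# The built-in "File and Printer Sharing" group allows 445 from any address; while it is
# enabled the scoped rule above changes nothing, so switch it off.
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False `
    -ErrorAction SilentlyContinue

# Audit: any other enabled inbound allow rule that still covers TCP 445 or 135.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayName -notlike 'DPM scoped *' } |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        ($ports -contains '445') -or ($ports -contains '135')
    } | Select-Object DisplayName, Profile | Format-Table -AutoSize

# Audit: each mounted replica volume should grant access to SYSTEM only; list anything else.
Get-ChildItem -Directory $VolumesPath | ForEach-Object {
    $dir = $_.FullName
    (Get-Acl $dir).Access |
        Where-Object { $_.IdentityReference -notmatch 'SYSTEM' } |
        Select-Object @{n='Path';e={$dir}}, IdentityReference, FileSystemRights, AccessControlType
}
```

    Run the audit part before relying on the rules: a broader allow rule elsewhere, or an extra ACE on a replica volume, is exactly the gap a worm-style infection from an admin workstation would use.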