Windows Backups - Security Essentials The SANS Institute

Shared by: Huy Hoang | Date: | File type: PDF | Pages: 36


Text content:

1. Windows Backups - Security Essentials - The SANS Institute
Windows Backups - SANS ©2001

This portion of the SANS Security Essentials curriculum has been developed for information technology professionals responsible for backing up Windows 2000 and Windows NT systems.
2. Course Topics
• Backup methods
• Important recovery tools
• Procedures and processes
• Other backup topics

This course will allow you to implement effective backup strategies for all your Windows 2000 and Windows NT systems.
3. Recommended Products
• ArcServe - Computer Associates
• BackupExec - Veritas (formerly Seagate)
• Networker - Legato
• NTBackup - included with Windows 2000 and Windows NT

We will review backup strategies, techniques, and other practices that make system and data recovery a reliable and viable option when data loss occurs. Superb backup tools exist for the Windows platform. A recent SANS Institute survey indicates that several backup programs are in wide use. Veritas' (formerly Seagate's) BackupExec and Computer Associates' ArcServe programs were the most popular products in this survey. Legato's Networker is also represented and is a good tool for managing backups in a combined Windows/Unix network. Every installation of Windows 2000 (and NT) includes Microsoft's NTBackup program, though the program is different on each version of the operating system. Because NTBackup is included free with Windows and performs the most essential backup and restore functions, we will examine NTBackup in depth.
4. Backup Methods
• Backups may…
  – Occur to tape
  – Duplicate information to another disk/server/location
  – Save full configurations or portions
• Require software and procedures
(Slide figure: a tape drive attached to a Windows NT Server.)

Backups are like insurance. We put backups in place with hopes that we will not have to use them. Unfortunately, the better we perform our jobs as we set up and integrate networks, the more often our attention is diverted from backups. It is important that we keep an eye on our backups, and on the processes we use to manage them.
5. The Archive Bit
• Used by backup programs to decide which files require safekeeping

C:\>attrib
         SCANDISK.LOG    C:\SCANDISK.LOG
A        AUTOEXEC.BAT    C:\AUTOEXEC.BAT
A        CONFIG.SYS      C:\CONFIG.SYS
A        COMMAND.COM     C:\COMMAND.COM
         MYFILE.TXT      C:\MYFILE.TXT
   SHR   IO.SYS          C:\IO.SYS
   SHR   MSDOS.SYS       C:\MSDOS.SYS
C:\>

• Files with the "A" bit need to be saved!

The Windows FAT and NTFS file systems are similar to other file systems in that important pieces of information are stored along with your files. An archive bit accompanies every file stored on your Windows system. When this bit is set, it tells backup programs that the file has changed since the previous backup operation. Seven files are listed on the slide; three have their archive bit set "on" and the others do not. Our backup solution will use these settings to capture those three files the next time we back up this computer.
6. Full Backups
• Capture the entire system configuration
• Clear files' archive bits
• Are expected to safely copy the Windows Registry
• Require full permission to the system

When you capture an entire system configuration with a backup, that backup is referred to as a full backup. Full backups are typically run on a weekly basis. If you experience a catastrophic failure, you will need a full backup to restore your system to operational status. Note that you, or the backup software you utilize, must have at least Backup Operator-level permissions in order to perform backups. If you do not have Backup Operator or Administrator privileges, you may not be able to back up all files or the system registry.
7. Partial Backup Methods
• Incremental
  – Checks for the archive bit
  – Backs up files with the bit set
  – Clears the archive bit
• Differential
  – Same as above, BUT
  – Does NOT clear the archive bit

An incremental backup will back up files that have changed since the last full or incremental backup. The backup software scans the file system for files that have their archive bit turned on, and backs those files up. When an incremental backup is completed, the files that have been backed up will have their archive bits turned off. Combining full and incremental backups allows an administrator to save the system configuration using a full backup, then use an incremental backup to quickly capture the information that has changed since the last full backup. Because incremental backups only capture the data that has changed, they tend to run very quickly. It is common to perform a full backup once a week, followed by incremental backups on each of the remaining days of the week. However, this backup method presents a challenge when restoring data. You may have to restore data from five or six tapes to obtain the most recent version of a file. To properly restore a system from full loss, you must first restore from the full backup tape, then restore from every incremental backup that was made, in the order in which they were made. It is also important that you keep your full backup and all following incremental backup tapes together in case you need them. If any of the tapes are missing or bad, you cannot perform a full restore. Differential backups resolve most of the complications that incremental backup techniques introduce. While incremental backups clear the archive bit on all files that are successfully backed up, differential backups leave the archive bit set after backing up the file.

If you perform a full backup on Sunday and a differential backup on Monday, then Monday's tape will contain only the information that changed between Sunday and Monday. A differential backup on Tuesday will store files that changed on Monday and Tuesday. If differential backups are used every day of the week, Friday's backup will be larger than the Monday or Tuesday backup. On Mondays, incremental and differential backups will require the same quantity of space and time to complete. On Fridays, incremental backups will be faster and require less space than differential backups. Because differential backups capture cumulative changes, you will need at most two tapes to perform a full system restore: the last full backup and the most recent differential backup.
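The archive-bit rules above are easy to state and easy to get wrong in a rotation plan, so here is a small simulation of them as an added example. It is not code from the SANS course or from NTBackup; it models a volume whose files carry an archive bit, runs a Sunday full backup followed by a week of either incremental or differential backups over a constructed set of file changes, and then works out which tapes a restore needs and what happens when one of them is missing. It also models NTBackup's Copy type (described later on this page), which never clears the bit. The file names and the weekly change pattern are constructed for the example.

```python
"""Archive-bit backup simulation (constructed example, not NTBackup's own code)."""
import copy
from dataclasses import dataclass, field


@dataclass
class Volume:
    content: dict = field(default_factory=dict)   # file name -> current content
    archive: dict = field(default_factory=dict)   # file name -> archive ("A") bit

    def write(self, name, data):
        self.content[name] = data
        self.archive[name] = True                  # any modification sets the bit


@dataclass
class Tape:
    label: str
    kind: str      # "normal" (full), "incremental", "differential" or "copy"
    files: dict    # file name -> content captured on this tape


def run_backup(vol, label, kind):
    """Select files the way the four archive-bit backup types do, then clear bits where the type says so."""
    if kind in ("normal", "copy"):
        selected = set(vol.content)                                  # everything
    elif kind in ("incremental", "differential"):
        selected = {n for n, bit in vol.archive.items() if bit}      # only changed files
    else:
        raise ValueError("unknown backup type: " + kind)
    tape = Tape(label, kind, {n: vol.content[n] for n in selected})
    if kind in ("normal", "incremental"):                            # copy/differential leave bits alone
        for n in selected:
            vol.archive[n] = False
    return tape


def restore_chain(tapes):
    """Tapes needed to rebuild the latest state, oldest first: the last full, every later incremental,
    and only the newest differential taken after the last incremental (earlier ones are subsumed)."""
    last_full = max(i for i, t in enumerate(tapes) if t.kind == "normal")
    chain = [tapes[last_full]]
    newest_diff = None
    for t in tapes[last_full + 1:]:
        if t.kind == "incremental":
            chain.append(t)
            newest_diff = None
        elif t.kind == "differential":
            newest_diff = t
    if newest_diff is not None:
        chain.append(newest_diff)
    return chain


def restore(chain):
    """Apply the chain in order; later tapes overwrite earlier copies of the same file."""
    result = {}
    for t in chain:
        result.update(t.files)
    return result


def simulate_week(partial_kind):
    """Sunday full backup, then Monday to Friday using `partial_kind`. Returns (volume, tapes)."""
    vol = Volume()
    for n in ("boot.ini", "payroll.mdb", "notes.txt"):   # constructed file set
        vol.write(n, n + " v0")
    tapes = [run_backup(vol, "Sun", "normal")]
    changes = {"Mon": ["payroll.mdb"], "Tue": ["notes.txt"], "Wed": ["payroll.mdb"],
               "Thu": [], "Fri": ["notes.txt"]}                      # constructed change pattern
    for day, names in changes.items():
        for n in names:
            vol.write(n, n + " " + day)
        tapes.append(run_backup(vol, day, partial_kind))
    return vol, tapes


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        vol, tapes = simulate_week(kind)
        chain = restore_chain(tapes)
        print(kind, {t.label: sorted(t.files) for t in tapes})
        print("  restore needs", [t.label for t in chain],
              "-> matches disk:", restore(chain) == vol.content)
    # losing a mid-week incremental silently restores stale data
    vol, tapes = simulate_week("incremental")
    damaged = [t for t in tapes if t.label != "Wed"]
    print("without Wed tape, payroll.mdb restores as:", restore(restore_chain(damaged))["payroll.mdb"])
```

Run it and compare the two schedules: the incremental week needs all six tapes and a missing Wednesday tape quietly rolls payroll.mdb back to Monday's version, while the differential week needs only Sunday and Friday, at the cost of Friday's tape holding every file changed since Sunday.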
8. Disk Imaging
• Drive Imaging vs Disk Cloning
• Create drive or partition images for backup
• Create disk clones for workstation replication or forensics
• Products include: Symantec's Ghost, UltraBac, and PowerQuest Drive Image

Another approach to backup is that of drive imaging. Instead of copying selected files to a backup location, consider copying the entire contents of a hard drive or partition to a file at another location. For example, we may choose to create an image of an entire hard drive, which may consist of multiple partitions, or create an image of the first partition (e.g. C:\). Imaging differs slightly from cloning, which aims to replicate the contents of a fixed disk. Cloning is useful for replicating multiple workstations or for forensic purposes. Disk cloning usually proceeds at a low disk access level and copies sector to sector, preserving file system structures such as the Master Boot Record and partition tables. Furthermore, cloning will copy unused space, even the space that occurs between partitions or within the hidden sectors of the boot track. Imaging occurs with knowledge of the file system, and only copies data-filled space. This is useful for disaster recovery by backup, upgrading hard drives, or migrating from an old to a new PC. One good product for imaging and cloning is Symantec's Ghost. Others are UltraBac and PowerQuest Drive Image. Here, we'll be looking at Symantec's Ghost, but the other products offer much the same capabilities.
9. Backups and Symantec's Ghost
• Image file(s) can be written:
  – locally, to another disk or partition
  – to a networked peer using NetBIOS
• Run Ghost from a bootable floppy
• Write image file(s) to CD for disaster recovery

Symantec's Ghost allows transfers from disk to disk, disk to image file, partition to partition, or partition to image file. Transfers can be made to a local disk, or to a networked peer using the NetBIOS protocol. A facility also exists to transfer contents from one machine to another using a parallel port cable; this is a very slow method, however. To use Ghost, start by booting the Windows system to DOS. Many imaging tools, including SafeBack, use this approach. If shutting down Windows is not an option, then backup with Ghost imaging is not for you. Ghost provides an option to write and compress an image across multiple volumes of various media. Images can be split across multiple Jaz, Zip, or SuperDisk media, and can also be written to tape. After imaging, the split image files can be shifted to (re)writable CD. If your CD writing software has the ability to write bootable CDs, then a set of bootable disaster recovery CDs can be created that can be used to recover from a worst-case system failure. These CDs contain the system image, boot files, CD driver, and Ghost executable. Even if your hard drive has been formatted and the Master Boot Record is corrupted, your system can still be restored by booting from your recovery CD. Next, we'll look at how Symantec's Ghost can be used for recovery purposes.
10. Disaster Recovery - CD Preparation

An alternative to making a bootable CD is to write your system image to multiple CDs, and create a bootable disaster recovery floppy that contains CD drivers and the Ghost executable. The commands to do this are shown in the DOS screenshot on the slide. First, we use a DOS window from Windows 9x (or DOS itself) to create a bootable floppy. The command SYS C: A: will copy system files to the floppy and write a boot track. Next, we copy the files that enable the CD-ROM drive: mscdex.exe and the CD-ROM device driver (.sys file). The Ghost executable is also copied, and the final act is to create the files autoexec.bat and config.sys. These are created using the echo command followed by the output redirector ( > ). autoexec.bat and config.sys will get the CD up and running for DOS. Note: you may need to edit autoexec.bat and config.sys with the proper commands to load the CD-ROM drivers from the floppy. See your Windows or DOS documentation for further information.

When your system is booted from this floppy, an image of a fixed disk is created as follows:

ghostpe -clone,mode=dump,src=1,dst=D:\image1.gho -split=550 -z2

This will dump the contents of fixed disk 1 (src) to the image file image1.gho (dst). Each image file is limited to 550 MB (-split=550), which fits on a CD, and the data is stored with medium compression (-z2). If more image files are needed, Ghost will prompt for the names of additional files (e.g. image2.gho, image3.gho, etc.). When complete, the image files can be shifted to CD. To recover fixed disk 1 from disaster, boot from the floppy and use:

ghostpe -clone,mode=load,src=E:\image1.gho,dst=1

where E: is the CD-ROM drive. Ghost will prompt for additional image file names and CDs when required. The transfer speed depends on the level of compression and the mode of operation. On a Pentium 120 with a 2 GB IDE drive, Ghost imaging progressed at 30 MB per minute. For disk cloning, which bypasses the file system and uses no compression, UltraBac was found to transfer data at 100 MB per minute.
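A split image is only as good as its weakest volume: a restore that needs image3.gho cannot proceed if that CD is missing or unreadable, and it is better to learn that during a routine check than during a disaster. The following added example (not Ghost's code, and not Ghost's image format, which has its own integrity options) shows the generic technique behind this: split an image into fixed-size volumes named the way the page describes, record a SHA-256 digest per volume in a manifest, and refuse to reassemble unless every volume is present and intact. The 2,560-byte "image" and the 1,000-byte volume size are constructed so the example runs in memory; for real media you would use the 550 MB size and read the volumes from disk.

```python
"""Split an image into volumes with a per-volume hash manifest (constructed example, not Ghost's format)."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def split_image(image: bytes, volume_size: int, basename: str = "image"):
    """Cut `image` into volumes of at most `volume_size` bytes, named image1.gho, image2.gho, ...
    Returns (volumes, manifest); the manifest is a list of (name, sha256) written alongside the media."""
    if volume_size <= 0:
        raise ValueError("volume_size must be positive")
    volumes = [image[i:i + volume_size] for i in range(0, len(image), volume_size)]
    manifest = [(f"{basename}{n}.gho", sha256(v)) for n, v in enumerate(volumes, start=1)]
    return volumes, manifest


def check_volumes(volumes, manifest):
    """Return a list of problems found on the media; an empty list means every volume is present and intact."""
    problems = []
    if len(volumes) < len(manifest):
        for name, _ in manifest[len(volumes):]:
            problems.append(f"missing {name}")
    elif len(volumes) > len(manifest):
        problems.append(f"{len(volumes) - len(manifest)} unexpected extra volume(s)")
    for (name, expected), data in zip(manifest, volumes):
        if sha256(data) != expected:
            problems.append(f"bad {name}: hash mismatch")
    return problems


def reassemble(volumes, manifest) -> bytes:
    """Rebuild the image only from a complete, verified set; a partial restore from damaged media is refused."""
    problems = check_volumes(volumes, manifest)
    if problems:
        raise ValueError("; ".join(problems))
    return b"".join(volumes)


# Constructed sample: a small 'disk image' and a small volume size so the example runs in memory.
SAMPLE_IMAGE = bytes(range(256)) * 10      # 2,560 bytes
SAMPLE_VOLUME_SIZE = 1000                  # stands in for -split=550 (MB)


if __name__ == "__main__":
    vols, manifest = split_image(SAMPLE_IMAGE, SAMPLE_VOLUME_SIZE)
    print("volumes:", [name for name, _ in manifest], "sizes:", [len(v) for v in vols])
    print("intact set:", check_volumes(vols, manifest))
    damaged = list(vols)
    damaged[1] = damaged[1][:-1] + bytes([damaged[1][-1] ^ 0xFF])   # one flipped byte on volume 2
    print("one bad byte:", check_volumes(damaged, manifest))
    print("last CD lost:", check_volumes(vols[:2], manifest))
    print("reassembled OK:", reassemble(vols, manifest) == SAMPLE_IMAGE)
```

Keep the manifest with the recovery floppy rather than only on the CDs, and re-run the check on the media itself (not on the files that were burned) so that an unreadable disc is caught before you depend on it.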
11. System Activity
• Activity during a backup may corrupt the backup "snapshot"
• Some applications are constantly modifying files
• Backup agents are necessary for 24x7 applications
• Use the verify option included with your backup software

Most of us support computing environments that need to be available continuously. E-mail systems and database applications generally require 24x7 uptime. These full-time applications pose two problems to the backup administrator. First, they may write information continuously. If you back up a Microsoft Exchange database while it is delivering mail, you may back up only part of the mail database before Exchange modifies it again. This is a common problem with any database application. The second problem is also very common: an application may hold a data file open in order to write information to that file. The application will have exclusive access to the file during the write operation, and the backup software will not be able to back up the file. Third-party software vendors provide backup agents that allow backup software to operate in special situations such as databases, electronic mail systems, and open files, as though the backup software were a user of that application. It is as though the "backup user" were logged into a SQL database (for example) as a system administrator. Because the backup software is using the application's normal access channel to read the data, it can safely read what would otherwise have been a file open in exclusive mode. The most common backup agents are database agents and open file agents. Each of these allows your backup software to access information that it could not otherwise copy. Agents for applications are available from your backup software vendor or the application creator.
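The "partial database" failure described above is worth seeing concretely, because a torn copy looks perfectly healthy until you try to use it. The simulation below is an added example (not code from the course, from Exchange or from any backup agent): a toy message store whose deliveries update an index page and a data page together, a plain file-level copy that reads the pages in order while a delivery lands half way through, and an agent-style backup that quiesces the store, copies it as one unit and verifies it before releasing the held writes. The page layout, the transaction ids and the single interleaved delivery are constructed for the example; the interleaving is made deterministic rather than using threads so the result is repeatable.

```python
"""Torn snapshot of a live application vs. a quiesced, agent-style backup (constructed simulation)."""
import hashlib


class MailStore:
    """Toy message store: page 0 is the index, the last page holds data. A delivery updates both,
    and the store is only consistent when both carry the same transaction id."""

    def __init__(self, page_count=8):
        self.pages = [b"page%d:v0" % i for i in range(page_count)]
        self.quiesced = False
        self.txn = 0

    def deliver(self):
        if self.quiesced:
            raise RuntimeError("store is quiesced: writes are held until the backup releases it")
        self.txn += 1
        self.pages[0] = b"index:txn%d" % self.txn
        self.pages[-1] = b"data:txn%d" % self.txn


def txn_of(page: bytes) -> bytes:
    return page.split(b":", 1)[1]


def consistent(pages) -> bool:
    """The invariant the application relies on: index and data agree on the last transaction."""
    return txn_of(pages[0]) == txn_of(pages[-1])


def digest(pages) -> str:
    return hashlib.sha256(b"|".join(pages)).hexdigest()


def verify(snapshot, store) -> bool:
    """What a backup 'verify' pass does: re-read the source and compare it with what was written."""
    return digest(snapshot) == digest(store.pages)


def file_level_backup(store, delivery_after_page=None):
    """Plain file copy of a running store. If the application writes while the copy is part way
    through, the copy holds the index from before the write and the data from after it."""
    snapshot = []
    for i, page in enumerate(store.pages):
        snapshot.append(page)
        if delivery_after_page == i:
            store.deliver()          # the application does not wait for the backup
    return snapshot


def agent_backup(store, deliveries_waiting=1):
    """Agent-style backup: quiesce the application, copy all pages as one unit, verify while the data
    still cannot change, then release the store and let the held deliveries proceed."""
    store.quiesced = True
    snapshot = list(store.pages)
    verified = verify(snapshot, store)
    store.quiesced = False
    for _ in range(deliveries_waiting):
        store.deliver()
    return snapshot, verified


if __name__ == "__main__":
    live = MailStore()
    torn = file_level_backup(live, delivery_after_page=3)
    print("file-level copy: consistent =", consistent(torn), " verify =", verify(torn, live))
    live = MailStore()
    snap, ok = agent_backup(live)
    print("agent copy:      consistent =", consistent(snap), " verify =", ok)
```

Two things to notice when you run it: the torn copy fails the application's own consistency check, and the verify pass catches it only because it compares against the source; a verify pass run against a file that keeps changing will report mismatches even for a correct copy, which is another reason the agent verifies while the application is still held.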
12. Best Practices
• Use full backups frequently (at least weekly if possible)
• Differential preferred over Incremental
• Consider a disk imaging approach
• Organize your tapes
• Maintain a written log of events

Best practices:
• Perform full backups as often as possible. Why perform incremental or differential backups if we can obtain a full backup every day?
• When full backups cannot be performed on a daily basis, use differential backups when possible, not incrementals.
• Consider a disk imaging (file system copy) or disk cloning program (binary copy) for full system snapshots.
• Place legible, unique labels on all tapes.
• Create a log in which you record which tapes are used and on which servers. Note any errors or pertinent events every day.
13. Implementing NTBackup
• Install your tape drive and drivers
• Run "ntbackup /?" for syntax and assistance
• Format tapes as required
• Select files for backup
• Define your settings

The major steps for implementing NTBackup are outlined on the slide above. NTBackup has both a GUI interface and a command-line interface on both Windows NT and Windows 2000 (though the GUI is different on NT and 2000). Note that help is available by typing ntbackup /? at the command prompt, or by accessing the Help menu in the GUI interface. The command-line version of NTBackup on Windows NT can be used in batch files with the at or winat command and the Scheduler service to automatically schedule and run backup jobs. The version of NTBackup included with Windows 2000 allows you to schedule backup jobs directly through the GUI interface.
14. Install Tape Drive

To install your tape drive, click Start → Settings → Control Panel. For Windows NT, double-click the "Tape Devices" icon; the screen pictured on the slide will appear. In most cases you can install your tape drive driver by clicking the "Detect" button. If this does not work, select the "Drivers" tab and click the "Add" button to install an OEM driver. For Windows 2000, from the Control Panel, click the "Add/Remove Hardware" icon and use the Add/Remove Hardware Wizard to detect your tape drive and install drivers. Please do not attempt to install a Windows NT 4.0 device driver on Windows 2000 unless you know exactly what you are doing.
15. Run NTBackup

This slide shows where the backup program is located on the Start menu in Windows NT. Click Start → Programs → Administrative Tools (Common) → Backup. In Windows 2000, click Start → Programs → Accessories → System Tools → Backup.
16. Prepare Tapes

For the next few slides, we will focus on the Windows NT version of NTBackup. Before you use a tape, select "Operations" from the menu bar, then "Erase tape" to properly format the tape. The slide shows the error message you'll receive if you attempt a backup on a tape that is not properly formatted.
17. Select Files to Backup

In the Drives dialog box, you may choose local and remote drives. Note that if you want to back up the local registry, you must back up at least one file on the drive where Windows NT is installed (the %systemroot% drive, generally C:\Winnt).
18. Click Backup and Choose Settings

After clicking the "Backup" button on the tool bar, this window allows you to specify the following:
• whether to verify the backup after copying files to tape
• whether to back up the local registry (this option only appears if you are backing up one or more files on the %systemroot% drive; the registry files are located in the %systemroot%\system32\config directory on both Windows NT and Windows 2000. However, because the registry files are always loaded and in use, they require special handling in order to be backed up properly)
• whether access to the backup should be restricted to the Administrator and the Owner of the backup job (the user account that performed the backup). Note that this is an access flag honored by NTBackup, not encryption of the tape contents; the tapes themselves still need physical protection, since they hold the registry and every file the backup operator could read
• whether to use hardware compression
• whether the backup should be appended to existing data on the tape, or overwrite it

You also use this interface to select the type of backup. Microsoft's Normal backup type is equivalent to a Full backup. Copy is used to copy all selected files without modifying any archive bits. This method is useful if you need to make a Full backup in the middle of a tape rotation comprised of Incremental backups, because it does not disturb the chain. In addition to the standard Differential and Incremental backups, there is also a Daily option. The Daily backup type selects files by their modification date and time (files changed on the day the backup runs) and, like a differential, does not clear the archive bit. The Daily backup type is not recommended. At the bottom of this dialog box, you may specify the location for a log file and the level of detail stored in the log. The default location for the log file is the %systemroot% directory. Be aware that using the Full Detail setting can log a great deal of information. Also, the log file is not overwritten; information is continually appended to the end of the file. It's a good idea to monitor the size of the log file so that it doesn't consume all of your free disk space. Log files should be backed up or archived and new log files created on a regular basis.
19. Complete!

A status window will appear noting the progress of the backup. When the backup is complete, click the OK button to return to the main screen and exit the program.
20. Win2000 Backup

Noteworthy features of the Windows 2000 NTBackup (Start → Programs → Accessories → System Tools → Backup) include:
• The option to back up to media other than the tape drive (e.g. Zip disk or hard disk).
• The ability to back up the System State. This includes the registry, boot files and system files (together with the COM+ class registration database, and on a domain controller the Active Directory database and SYSVOL). Alternatively, an emergency repair disk (ERD), which helps repair system files, the start-up environment and boot sectors, can be created from within NTBackup. System information and the registry are written to the %systemroot%\repair folder. This replaces the Windows NT command-line rdisk utility, which no longer exists in Windows 2000.
• An option exists to exclude certain types of files from the backup. This is more useful than a simple "include" file option.
• Pressing F8 during start-up opens the advanced start-up options, such as safe mode and Last Known Good Configuration; the Recovery Console is started from the Windows 2000 CD, or from the boot menu once it has been installed with winnt32 /cmdcons. To resolve conflicts, safe mode allows start-up with a minimal set of drivers. Among other things, the Recovery Console can be used to enable or disable services or drivers, copy and delete files, fix boot records, and list available services.

As in Windows NT, Administrators and Backup Operators have the right to back up and restore files regardless of the permissions set on the files. Backup Operators can also log on to the computer at the console and shut it down, but they cannot change security settings. Backing up and restoring data files and system files requires the ability to copy the file even when its permissions would normally deny it. The Backup Operators group has this right. It is not necessary to grant Backup Operators any special permissions on files. This right only takes effect when a file is opened with backup semantics, as backup software does, so it will not allow a Backup Operator to open and read a file through an application such as Microsoft Word unless read permission is specified on the file for Backup Operators.

Backup Operators are able to back up and restore files through two explicit Windows rights: "Back up files and directories" and "Restore files and directories." The Backup Operators group (and the Administrators group) has both of these rights by default. Because these rights bypass NTFS permissions entirely, a member of Backup Operators can copy any file on the system, including the registry hives in %systemroot%\system32\config that hold the local account password hashes, and the restore right allows writing files anywhere, including over system binaries. Treat membership of this group as nearly equivalent to Administrator, keep it small, and audit it. A well-known security best practice is separation of duties. For this reason, you may wish to remove the "Restore files and directories" right from the Backup Operators group, and create a separate Restore Operators group that has only the "Restore files and directories" right.