Protect Commvault Disk Libraries from Ransomware

To protect disk libraries from ransomware, activate Ransomware Protection in the properties of the Commvault MediaAgent.

Another important feature: you can get an alert if Commvault has backed up ransomware-encrypted files.

Security Tips for Storage and Backup Admins

1. EMC NetWorker: Change the “remote access” option “*@*” on every client.

2. Veritas NetBackup: Remove the No.Restrictions file.

3. EMC VMAX: Change the default password of the SMC user in Unisphere. Take a snapshot or backup before changing it: if you get a “Failed to authenticate user.” error, there is no way to fix it except to restore or reinstall, and if you reinstall Unisphere you will lose the performance database. There is a trick to avoid this error.

4. EMC VPLEX: Change the default passwords of VPLEX. The default passwords are already complex, but anyone can find the default passwords of the service, admin and root users in the documentation.

5. Commvault: Activate Ransomware Protection.

Security exploit on NetBackup (No.Restrictions)

Sometimes we, or some consultants, put a No.Restrictions file in the “INSTALL DIR\netbackup\db\altnames” directory because it makes our work easier. But it is a security risk, because every NetBackup client on your network can then restore data from any other client. So anybody can restore the data of your important servers and then look through and/or copy it. To close this security hole, you must delete the No.Restrictions file.

EMC NetWorker security exploit: “remote access”

If you were not paying attention when EMC NetWorker was installed, some consultants enter the option *@* for every client. This means that every NetWorker client on your network can restore data from any other client. So anybody can restore the data of your important servers and then look through and/or copy it.

You can check and change this option under “EMC Networker Administration –> Configuration –> Clients”: double-click the client (or right-click and select Modify Client Properties) and select Globals (2 of 2).


remote access       (read/write, string list)
              This  attribute  controls who may back up, browse, and recover a
              client's files.  By default this attribute  is  an  empty	 list,
              signifying that only users on the client are allowed to back up,
              browse, and recover its files.   Additional  users,  hosts,  and
              netgroups	 may  be  granted  permission  to access this client's
              files by adding their names to this attribute.   Netgroup	 names
              must  be	preceded by an ampersand ('&').	 Each line specifies a
              user  or	a  group  of  users,  using  one  of  these   formats:
              user/host@domain , group/host@domain , user@host , user@domain ,
              group@host , group@domain , &netgroup (only available  on	 plat-
              forms that support netgroups) , user_attribute=value[, ...].

              where  user is a user name; host is a host name; group is a user
              group name; domain is a domain name; user_attribute can be user,
              group,  host,  nwinstname, nwinstancename, domain, or domaintype
              (type of the domain, NIS or WINDOMAIN).

              The user attributes: nwinstname and nwinstancename are  used  to
              indicate	a  NetWorker  instance name.  The value that should be
              entered for either of these  attributes  is  the	value  in  the
              "name"  field  in	 the  NSRLA  resource  for the machine where a
              matched user is connecting from.

              value can be any string delimited by white space. If  the	 value
              has  space in it, then it can be quoted with double quotes.  The
              value may contain wild cards, "*".  Entering just	 a  user  name
              allows  that user to administer NetWorker from any host (equiva-
              lent to user@* or */user	or  user=user).	  Netgroup  names  are
              always preceded by an "&".

              The  format:  user_attribute=value[, ...] is more secure because
              the format is not overloaded. For example, if
              is entered, then any users in the test group or users named test
              and that are in the domain;  or  from  the	 host;
              will match this entry.
              Example: The entries:

              remote access: mars, *@jupiter, sam@pluto, */root;

              remote  access:  host=mars, host=jupiter, "user=sam,host=pluto",

              are equivalent.
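
One way to audit clients for the *@* setting described above, as an added example that is not part of the original post or of NetWorker. It assumes the client settings have been exported as "name: ...;" and "remote access: ...;" lines in the style of the man page's example; the client names, the record layout and the open/wildcard/scoped labels are assumptions made for illustration.

```python
import re

# Constructed sample records; client names are hypothetical and the
# "attribute: value;" layout is assumed from the man page's example lines.
SAMPLE = '''
name: db01;
remote access: *@*;
name: web01;
remote access: mars, *@jupiter, sam@pluto, */root;
name: app01;
remote access: host=mars, "user=sam,host=pluto";
name: file01;
remote access: ;
'''

def split_entries(value):
    """Split a string list on commas, keeping double-quoted entries whole."""
    found = re.findall(r'\s*("[^"]*"|[^,]+)', value)
    return [e.strip().strip('"') for e in found if e.strip()]

def classify(entry):
    """'open' = every user on every host, 'wildcard' = partly open, 'scoped' = named."""
    if '=' in entry:  # user_attribute=value[, ...] form
        parts = [p.split('=', 1)[1].strip() for p in entry.split(',') if '=' in p]
    else:             # overloaded form: user@host, */user, bare name, &netgroup
        parts = [p for p in re.split(r'[@/]', entry) if p]
    if parts and all(p == '*' for p in parts):
        return 'open'
    return 'wildcard' if any('*' in p for p in parts) else 'scoped'

def audit(text):
    """Return {client: [(entry, verdict), ...]} for entries that use wildcards."""
    findings, client = {}, None
    for key, value in re.findall(r'([a-z ]+?)\s*:\s*(.*?);', text, re.S):
        if key.strip() == 'name':
            client = value.strip()
        elif key.strip() == 'remote access':
            hits = [(e, classify(e)) for e in split_entries(value)]
            hits = [h for h in hits if h[1] != 'scoped']
            if hits:
                findings[client] = hits
    return findings

if __name__ == '__main__':
    for client, hits in audit(SAMPLE).items():
        print(client, hits)
```

A bare name such as mars is reported as scoped even though the man page calls that format overloaded, so review those entries by hand.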