Wed, Aug 4th, 2021

Best Practices for a Secure BCDR Appliance

Attacking backups to make them unavailable is a known part of the ransomware playbook. It is critically important to deploy backup appliances securely within their native environment so that they can be relied upon when needed most.

As a partner in protecting your critical business data, Datto has processes in place to ensure we maintain a cloud copy of backups for appliances with secondary replication enabled. This ensures backed up data is available even if local agent backup data has been maliciously or accidentally removed.

Though this process has been effective to date in ensuring recovery from accidental and malicious deletions, restoring from a secondary offsite backup should be considered the last line of defense in protecting your critical business data. The first line of defense is taking the proper steps to locally secure your BCDR appliance.

Here are the steps you need to take to prevent an appliance from being maliciously accessed locally:

Establish strong LAN access controls and network segmentation of the BCDR appliance. The BCDR appliance does not need inbound access from the internet; it only needs to allow outbound access. We provide a list of required outbound access rules in our networking requirements knowledge base. These controls include: limiting device communication to only what is listed in that article; making the BCDR appliance's management UI accessible only to trusted network management workstations or jump hosts that require access in support of your workflows; and, ideally, disabling the ability to log into the device UI locally and using only the Partner Portal's remote web functionality.

Disable the local WebUI access entirely to prevent malicious logins locally. By disabling the local appliance WebUI, you ensure the only way to log into the appliance is through Remote Web in the Datto Partner Portal. This has the added benefit of ensuring that your appliance’s local WebUI is now protected by the MFA-enabled Partner Portal account. If you do not have MFA enabled on your Partner Portal account, then you should stop reading this message and go do that right now. Seriously, go, we’ll wait. This option is available in the device settings tab of your appliance.

Ensure secondary replication is enabled. If you are deploying a product whose subscription model allows for secondary replication, it is also important to ensure you have secondary replication enabled. This option is in the local appliance’s WebUI under device Settings. The vast majority of BCDR appliances whose subscriptions support secondary replication already have this enabled, but it is still good practice to audit your configs and make sure it is.

If your appliance’s subscription model does not support secondary replication, then we urge you to disable the local appliance WebUI and use the Partner Portal, with MFA enabled, as the only means of access.

Configure local users with strong access credentials. If you must keep the local web interface accessible for workflow purposes, it is imperative that you use strong, unique credentials. If you lack a strong identity and password policy, we strongly recommend following the guidance in NIST SP 800-63. Do not re-use the same username and password across multiple appliances.
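For the first step above (LAN access controls and segmentation), the following added example, which is not Datto code, audits a firewall rule export against the three controls named there. The rule format, every address, the UI ports and the outbound list are constructed placeholders; the real outbound list comes from the networking requirements article.

```python
import ipaddress as ip

# Every address here is a constructed placeholder, not a real Datto value.
APPLIANCE = ip.ip_network("10.20.0.10/32")        # hypothetical BCDR appliance
LAN = [ip.ip_network("10.20.0.0/16")]             # hypothetical internal range
TRUSTED_MGMT = [ip.ip_network("10.20.99.5/32")]   # hypothetical jump host
UI_PORTS = {80, 443}                              # assumed web UI ports
# Stand-in for the outbound list in the vendor's networking requirements article.
OUTBOUND_ALLOW = [ip.ip_network("198.51.100.0/24")]

SAMPLE_RULES = [  # constructed firewall rules for the demonstration
    {"action": "allow", "src": "0.0.0.0/0", "dst": "10.20.0.10/32", "port": 443},
    {"action": "allow", "src": "10.20.0.0/16", "dst": "10.20.0.10/32", "port": 443},
    {"action": "allow", "src": "10.20.99.5/32", "dst": "10.20.0.10/32", "port": 443},
    {"action": "allow", "src": "10.20.0.10/32", "dst": "198.51.100.0/24", "port": 443},
    {"action": "allow", "src": "10.20.0.10/32", "dst": "0.0.0.0/0", "port": 443},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "10.20.0.10/32", "port": 22},
]

def _within(net, allowed):
    """True when net sits entirely inside one of the allowed networks."""
    return any(net.subnet_of(a) for a in allowed)

def audit(rules):
    """Return (rule_index, finding) for every allow rule that breaks the policy."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        src, dst = ip.ip_network(r["src"]), ip.ip_network(r["dst"])
        # Rule lets some other host reach the appliance.
        if APPLIANCE.subnet_of(dst) and src != APPLIANCE:
            if not _within(src, LAN):
                findings.append((i, "inbound from outside the LAN"))
            elif r["port"] in UI_PORTS and not _within(src, TRUSTED_MGMT):
                findings.append((i, "web UI open to untrusted LAN hosts"))
        # Rule lets the appliance reach a destination that is not on the list.
        if (APPLIANCE.subnet_of(src) and dst != APPLIANCE
                and not _within(dst, OUTBOUND_ALLOW)):
            findings.append((i, "outbound to unlisted destination"))
    return findings

if __name__ == "__main__":
    for idx, finding in audit(SAMPLE_RULES):
        print(f"rule {idx}: {finding}")
```

Rules that cover the appliance only as part of a wider range (a whole-LAN or any-to-any allow) are flagged as well, since they grant the same access as a rule naming the appliance directly.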

We’re actively working to bolster the defenses of these appliances and their backups against accidental and malicious deletes. Datto is also working to move all appliances that support secondary replication to having it enabled. Until then, please confirm you have this important feature enabled on your BCDR appliances and please review your appliance configuration. For more best practices on this topic, go to our knowledge base.