Commvault

Prevention

Credits:

Great thanks to Mike Byrne for his hard work with the screen captures!

Prevention is a critical part of a sound protection strategy. It must combine human intervention with software controls; neither is sufficient on its own.

Recommended prevention methods:

  • User and administrator training
  • Antivirus and anti-spyware systems
  • Firewall and network segmentation
  • Applying updates
  • Offsite/offline backups
  • Commvault® software storage lockdown
  • CommServe® server DR backups to the cloud
  • Strengthening the CommServe® server security

User and Administrator Training

Training users and administrators on best practices for the use of IT resources significantly reduces the risk of infection. Administrators need to stay current on new malware and how it spreads; that knowledge lets them educate users about concrete risks, such as opening a suspicious attachment or running a file from an unknown source.

Schedule the training periodically so that users stay up to date on new threats.

Antivirus and Anti-Spyware

Every system, whether a server or an end-user workstation, must have solid, up-to-date enterprise-level antivirus and anti-spyware software installed. A common mistake is to treat test or lab servers as less important to protect. If a less critical system is infected, it can propagate the malware to more important resources.

Commvault recommends antivirus software that is managed centrally, so that attacks are detected and virus definition versions are controlled from one place. Central management also allows policies to be enforced, such as preventing users from disabling their antivirus engine.

Firewall and Switches

A company should always invest in comprehensive firewall and network security technology. A firewall secures the corporate network from outside threats by blocking ports from untrusted systems. It also provides the tools for internal network segmentation, which gives the most critical systems stronger isolation, even from other corporate servers.

Applying Updates

Newer malware does not even require a user to open a file or an attachment; it exploits operating system and software vulnerabilities directly. Companies frequently run outdated versions of operating systems and software for many reasons, such as hosting a legacy application that is no longer supported (e.g., Microsoft® Windows XP or MSSQL 2000).

Since software vendors no longer offer updates and patches for these platforms, legacy systems are a risk to all IT assets, not just to themselves. Applications and operating systems should always be kept on supported, patched versions.

Offsite/Offline Backups

Any serious business must protect its data, and Commvault® software offers all the tools needed to do so. It is important, however, during the design and implementation of the protection strategy, to ensure that an offsite/offline copy of the backup data exists. This requirement is what keeps tape media popular: a tape sitting in a vault cannot be reached, let alone encrypted, by any malware.

Storage replication, although offsite, does not offer full protection. The source data can be infected or encrypted and then replicated offsite, and there is no guarantee that attackers will not find a way to build ransomware capable of attacking storage systems directly.

Commvault® Software Storage Lockdown

In its mission to protect customer data, Commvault® introduced efficient methods to restrict access to storage. Each storage target can now be securely locked down.

Locking down Commvault® storage

Commvault® Ransomware Driver

To protect disk-based storage, enable the Commvault® Ransomware driver from the MediaAgent's Advanced options. Once enabled, it restricts access to the storage presented to the MediaAgent as disk library mount paths to Commvault processes only, ensuring that no other process, such as malware, can modify disk library files.




To enable the ransomware driver

1 - Expand Storage Resources | MediaAgents | Right-click the desired MediaAgent.

2 - Check to enable the driver protecting disk storage.


DataServer IP

Disk libraries can be protected using the DataServer IP feature, which provides a simple method of creating shared libraries. Each MediaAgent manages its local storage and can access the mount paths of the other MediaAgents in the shared library on demand. This makes large shared libraries simple to build and avoids access-permission issues, since the local service account is used instead of UNC mount paths with user-entered credentials.

How does it help to protect against ransomware? By mounting the mount path on demand, only when it is needed. When a MediaAgent other than the one hosting the mount path needs it, for a restore operation for instance, the path is mounted on demand through a technology called a '3dfs' server, which presents the mount path as an NFS share to the target MediaAgent. The target MediaAgent can then read any blocks it requires.

When setting up such a library, the MediaAgent hosting the library acts as the 3dfs server, which in Commvault® software is called the DataServer IP.

In a DataServer IP environment, firewalls must be opened for some specific ports. Port requirements are as follows:

Port               Protocol             Description                                                                  From                        To
2049 TCP           NFS                  The 3DFS server listens on this port for NFS remote procedure calls (RPCs)   DataServer IP MediaAgent    MediaAgent
111 TCP and UDP    SUN RPC PortMapper   Used by the DataServer IP MediaAgent to find the mount and NFS ports used    DataServer IP MediaAgent    MediaAgent
                                        by the MediaAgent performing the backups
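Opening these ports to the whole network defeats part of the point of the lockdown. The following is an added example, not Commvault's own configuration: Windows Firewall rules on the MediaAgent that hosts the shared mount path (and therefore runs the 3DFS server listening on these ports) that admit TCP 2049 and TCP/UDP 111 only from the MediaAgents allowed to mount it. The peer addresses and the domain profile are assumptions.

```powershell
# Added example (not Commvault's own configuration). Windows Firewall rules on the
# MediaAgent that hosts the shared mount path and runs the 3DFS server, admitting the
# ports from the table only from the MediaAgents allowed to mount it.
$peerMediaAgents = @('10.10.20.11', '10.10.20.12')   # assumed: MediaAgents that share the library

$rules = @(
    @{ Name = 'Commvault 3DFS NFS (TCP 2049)';       Protocol = 'TCP'; Port = 2049 },
    @{ Name = 'Commvault 3DFS portmapper (TCP 111)'; Protocol = 'TCP'; Port = 111  },
    @{ Name = 'Commvault 3DFS portmapper (UDP 111)'; Protocol = 'UDP'; Port = 111  }
)

foreach ($r in $rules) {
    # Drop any earlier rule with the same name so the script can be re-run safely
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # Scope the allow rule to the listed peers; every other source still hits the default block.
    # -Profile Domain assumes domain-joined MediaAgents; use Any if they are not.
    New-NetFirewallRule -DisplayName $r.Name `
        -Direction Inbound -Action Allow `
        -Protocol $r.Protocol -LocalPort $r.Port `
        -RemoteAddress $peerMediaAgents `
        -Profile Domain | Out-Null
}

# Verify the scope actually stuck: each rule's address filter should list only the peers
foreach ($rule in Get-NetFirewallRule -DisplayName 'Commvault 3DFS*') {
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    '{0}: {1}' -f $rule.DisplayName, $addr
}
```

Run it once on each MediaAgent that hosts shared mount paths, with that host's own peers in $peerMediaAgents. If a mount path is later shared with a new MediaAgent, the rule must be updated too, otherwise the on-demand mount simply fails at the firewall.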


When the disk library is shared, you can create storage policies. Ensure that the DataServer IP is selected as the default data path. By default, the mount path is shared with 'Read/Write' access and therefore is used for backups and restores. However, you can select the 'Read Only' access type from the list to use the mount path only for restores by the remote MediaAgent.

To share a library using DataServer IP, first create a traditional disk library and mount paths. Then share the mount paths using the DataServer IP transport mode.




To share a mount path using Data Server

1 - Expand the library | Right-click the mount path | Share Mount Path.

2 - Select the mount path and click Share.



3 - Select the required Data Server transport type.

4 - Select the MediaAgent to which the library will be shared.

5 - Set the access type: read/write (backups and restores) or read only (restores by the remote MediaAgent only).

6 - Displays the MediaAgent sharing the mount path and the transport type used.



Cloud Library Encryption

'Offline' or 'copy-based' encryption uses Commvault® software encryption to secure data in a cloud library. It is configured in the Data Encryption section of the storage policy copy's Advanced tab: the encryption cipher, the key length, and whether the keys are stored on the media. Note that encryption is not enabled by default and must be enabled manually.

Software encryption keys are scrambled using a proprietary algorithm and maintained in the CommServe® database. The keys are destroyed when the job is aged and deleted from the CommServe database. This provides end-to-end encryption key management and ensures that an attacker who reaches the cloud library cannot read its data without the keys. The flip side is that the data is only as recoverable as the CommServe database, which is why the DR backup must itself be protected, as described under CommServe® Server DR Backups to Cloud.

Encryption Overview




To configure copy-based encryption

1 - Expand the storage policy | Right-click the storage policy copy | Properties.

2 - In the Advanced tab, select the Re-encrypt Data option and configure the cipher and the media access key.


Commvault software supports the following encryption algorithms:

Cipher            Key length (bits)   Description
3-DES             192                 Triple Data Encryption Algorithm, a symmetric-key block cipher that applies the DES cipher three times to each 64-bit block.
AES (Rijndael)    128 or 256          Advanced Encryption Standard, a symmetric block cipher that encrypts data in 128-bit blocks with a 128-, 192- or 256-bit key.
Blowfish          128 or 256          Symmetric cipher that splits data into 64-bit blocks and encrypts each block individually. Fast and in the public domain.
Serpent           128 or 256          Symmetric cipher with 128-bit blocks and key sizes from 128 to 256 bits. An AES finalist, in the public domain.
Twofish           128 or 256          Successor to Blowfish, with 128-bit blocks and keys up to 256 bits. An AES finalist, fast and, like Blowfish, in the public domain.

AES (Rijndael) is the industry standard used by hardware devices and most encryption software. Serpent and Twofish were AES finalists that met all of the competition's requirements; some candidates were faster and some had a larger security margin, and Rijndael was selected as the best overall balance of security, performance and flexibility. Unless there is a specific reason to do otherwise, choose AES with a 256-bit key. 3-DES and Blowfish use 64-bit blocks, so with large volumes of data under a single key they are exposed to birthday-bound attacks (the SWEET32 class), and backup data sets easily reach such volumes; the 128-bit-block ciphers do not have this limitation.




CommServe® Server DR Backups to Cloud

Once the CommCell storage is locked down, the CommServe® server database itself must be protected. This is done by configuring DR backups, which can be sent to a share location. However, a ransomware attack can reach that network share and encrypt the DR backup files, and without the CommServe database the data cannot be recovered, even if every disk and cloud library is locked down. To maintain a secure DR backup, configure the DR backup to send a copy to Commvault® Cloud Services at cloud.commvault.com.

Sending a copy of the DR backup to the cloud is a free service offered to all customers.




To access CommServe DR settings

1 - Select configuration tab | DR backup.

2 - Check to upload a copy of the DR Backup to Commvault® Cloud Services.

3 - Define the Commvault® Cloud Services user account.



Strengthening the CommServe® Server Security

The CommServe® server is the most important component of the CommCell® environment. It orchestrates all jobs and tasks, and its database contains all configuration options and job metadata. It is therefore important to tighten the CommServe server's security as far as possible to keep viruses and malware away from it.

The following steps can be implemented:

  • Relocate all consoles to a dedicated host (CommCell® console, WebConsole, and Web Server)
  • Configure the Web-based CommCell console to use SSL/HTTPS
  • Create a certificate for SSL connection
  • Set-up an SSL connection to the CommCell console
  • Limit CommServe server database access
  • Rename and disable the SQL Server 'SA' administrative account
  • Change SQL server ports
  • Change and hide the SQL Server instance name

Relocate All Consoles to a Dedicated Host

If IIS was enabled on the CommServe® server before the Commvault® software was installed, three web components may have been installed on it: the CommCell® console, the Web Console, and the Web Server. These web-based consoles should be relocated to a dedicated host so that users never connect directly to the CommServe server.

The CommCell console can be installed as a stand-alone component on an administrator workstation, or the web-based version can be hosted on a dedicated IIS host.

For more information on installation and configuration, consult the Commvault Online Documentation, CommCell Console – Advanced.

The Web Console and Web Server components can also be hosted on the dedicated host, but require firewall and ODBC connection configuration. Refer to the Commvault Online Documentation, Post-Installation Configurations for Web Server and Web Console.

Configure the Web-based CommCell® Console to use SSL/HTTPS

To install the web version of the CommCell® Console, IIS must be installed before the Commvault® software. By default the console uses an unsecured HTTP connection; the use of an SSL certificate can be enforced for console connections.

Configuring the use of SSL is made of the following three steps:

  1. Create the SSL certificate
  2. Set-up the SSL connection for CommCell Console
  3. Configure IIS to use SSL




To configure the use of SSL

1 - On the IIS host computer, open the control panel and click Administrative Tools.



2 - Click to open IIS Manager.



3 - Select the IIS host.

4 - Click to create the SSL certificate.



5 - Provide a meaningful name for the certificate.

6 - Click to save the certificate.



7 - Certificate appears in the list.




To set-up the SSL connection

1 - On the IIS host computer, open the control panel and click Administrative Tools.



2 - Click to open IIS Manager.



3 - Select the Default Web Site.

4 - Ensure that there is no https entry, and if there is one remove it.



5 - Select the Consoles site.

6 - Click to add the SSL connection.



7 - Choose https from the list.

8 - Leave to All Unassigned.

9 - The universally agreed SSL port is 443. An alternate port can be used, but this only adds obscurity (a port scan still finds the listener), and the port must then be appended to the URL.

10 - Provide the IIS host name.

11 - Choose the created certificate from the list.

12 - Click to save the configuration.




To configure IIS to use SSL

1 - On the IIS host computer, open the control panel and click Administrative Tools.



2 - Click to open IIS Manager.



3 - Select Consoles in the browser.

4 - Click SSL settings.



5 - Check to enable the use of SSL.

6 - Choose whether client certificates are ignored, accepted, or required.
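The same three steps can be scripted, which makes them repeatable on a rebuilt console host and easy to verify. The following is an added example, not Commvault's own script: it performs the certificate creation, the https binding on the Consoles site (with the Default Web Site's https binding removed, as step 4 above requires) and the Require SSL setting in PowerShell on the IIS host. 'Consoles' is the site name used on this page; the host name, port and certificate friendly name are assumptions.

```powershell
# Added example (not Commvault's own script): the three SSL steps of this section done
# in PowerShell on the IIS host instead of through IIS Manager. Requires the IIS
# WebAdministration module, which is present wherever IIS is installed.
Import-Module WebAdministration

$siteName = 'Consoles'
$hostName = 'console.example.internal'   # assumed: the name users type in the console URL
$port     = 443                          # 443 unless you deliberately use another port

# "To configure the use of SSL": create the certificate. IIS Manager creates a
# self-signed one; that is fine for a lab, but a CA-issued certificate avoids the
# browser warnings that train users to click through.
$cert = New-SelfSignedCertificate -DnsName $hostName `
            -CertStoreLocation 'Cert:\LocalMachine\My' `
            -FriendlyName 'Commvault CommCell Console'

# "To set-up the SSL connection": remove any https binding from Default Web Site,
# add one to the Consoles site on All Unassigned (*) and attach the certificate to it.
Get-WebBinding -Name 'Default Web Site' -Protocol https -ErrorAction SilentlyContinue |
    Remove-WebBinding
New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress '*' -HostHeader $hostName
$binding = Get-WebBinding -Name $siteName -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# "To configure IIS to use SSL": require SSL for the site. 'Ssl' ignores client
# certificates; 'Ssl,SslNegotiateCert' accepts them, 'Ssl,SslRequireCert' requires them.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Check the result: one https binding on Consoles, none on Default Web Site, SSL required
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
Get-WebBinding -Name 'Default Web Site' -Protocol https
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
```

If the IIS host serves other sites on port 443, add -SslFlags 1 to New-WebBinding so the binding uses SNI and the certificate is tied to the host name rather than to every address on the port. As the page notes, a port other than 443 has to be appended to the console URL.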


Limit CommServe® Server Database Access

The software uses an ODBC connection to communicate with the CommServe database, and only the CommServe component accesses it. The database is in a DBO-only state, allowing access only to:

  • the system administrator (SA) login,
  • the Windows account used to install the SQL instance (used by the ODBC connection), and
  • application-only accounts created by the installation process, which cannot be used for direct log on.

At a minimum, on the CommServe host:

  • Maintain good physical security, denying local/console access.
  • Limit the users with interactive login rights.
  • Use strong passwords and change them regularly.
  • Implement a firewall to prevent remote network exploitation.

Additionally:

  • Disable NetBIOS.
  • Use the Local Security Policy tool (in the Administrative Tools group) to remove the Everyone group's right to access this computer from the network.
  • Disable null sessions to prevent anonymous (unauthenticated) sessions. To do so, set the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous to 1.



Change the SQL Server Port

SQL Server listens on port 1433 by default, a well-known port that attackers scan for. Changing it is recommended as an additional layer, with the understanding that a port scan will still find the listener: the change adds obscurity, not protection, and must be combined with the firewall rules and the instance hiding described in this document. Note also that the SQL Browser service (UDP 1434) will still advertise the new port for a named instance until the instance is hidden.

The selected port should be in the dynamic range 49152-65535 to avoid conflict with well-known registered ports. Since this range is also used for ephemeral client ports, reserve the chosen port on the host so it is never handed out dynamically.




To modify SQL Server port

1 - Open SQL Server Configuration Manager | Expand SQL Server Network Configuration | Select the Protocols for COMMVAULT section.

2 - Open the properties of the TCP/IP protocol.

3 - For all assigned IP sections, clear the TCP Dynamic Ports and TCP Port entries.



4 - In the IPAll section, enter the desired port on the TCP Port line.

5 - Click Apply and restart SQL Services.



Change and Hide the SQL Server Instance Name

One of the Commvault® software installation phases creates a SQL instance named COMMVAULT. To make it harder for an attacker to discover, the instance can be given a different name and hidden from network discovery. This involves uninstalling the Commvault and SQL Server software and re-installing them, but if the following steps are used, neither previous nor future operations are affected. Although the first step is to back up all databases with SQL native tools, it is still recommended to run a CommServe DR backup before starting.

Steps to change and hide instance name:

  1. Back up all user SQL databases
  2. Uninstall Commvault® software
  3. Uninstall Microsoft® SQL Server software
  4. Create the registry key to allow a different instance name
  5. Install the new SQL instance
  6. Optimize SQL instance memory
  7. Install Commvault software using the new SQL instance
  8. Hide the SQL instance




To back up user databases

1 - Open SQL Management Studio and connect to the Commvault instance.



2 - Right-click the first user database | Tasks | Back Up.

3 - Remove any existing path and click to add a path.



4 - Type the desired path and filename and click OK.

5 - Click to view the backup options.



6 - Check to verify the backup upon completion.

7 - Backup progress is displayed in the lower left corner.

8 - Click OK when completed and repeat for the other user databases.
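Steps 1 to 8 have to be repeated for every user database, and a missed database means a failed reinstall. The following is an added example, not Commvault's own tooling, that does the same thing in PowerShell: it enumerates the user databases of the COMMVAULT instance, takes a full backup of each with checksums and then verifies each backup file, which is the scripted equivalent of the "verify backup when finished" option in step 6. It assumes the SqlServer PowerShell module is installed (Install-Module SqlServer) and that the backup folder is an assumption you replace with your own.

```powershell
# Added example (not Commvault's own tooling): back up every user database of the
# COMMVAULT instance with checksums and verify each backup file. Requires the
# SqlServer PowerShell module. The destination folder is an assumption.
Import-Module SqlServer

$instance  = '.\COMMVAULT'
$backupDir = 'D:\CSBackup'          # assumed: must be writable by the SQL Server service account
$stamp     = Get-Date -Format 'yyyyMMdd_HHmm'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# User databases only: database_id 1-4 are master, tempdb, model and msdb, which the
# new instance recreates and which must not be restored over it.
$userDbs = Invoke-Sqlcmd -ServerInstance $instance -Query @"
SELECT name FROM sys.databases
WHERE database_id > 4 AND state_desc = 'ONLINE'
"@ | Select-Object -ExpandProperty name

foreach ($db in $userDbs) {
    $file = Join-Path $backupDir "${db}_$stamp.bak"

    # Full backup with page checksums, so corruption is caught now rather than at restore time
    Backup-SqlDatabase -ServerInstance $instance -Database $db -BackupFile $file -Checksum

    # Read the file back and re-check the checksums; a damaged file raises an error here
    Invoke-Sqlcmd -ServerInstance $instance -ErrorAction Stop `
        -Query "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM"

    "OK  {0} -> {1}" -f $db, $file
}
```

Copy the resulting .bak files off the host before uninstalling anything; the reinstall in "To re-install Commvault® software" asks for their path and names, and a single local copy on a server that is about to be rebuilt is exactly the situation the earlier offsite/offline advice warns about.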




To uninstall Commvault® software

1 - Simply select Commvault ContentStore and click uninstall.



2 - Select to uninstall all packages.

3 - Click the arrow to go to the next screen.

4 - Click the arrow on the summary window.

5 - Click to finish.



To uninstall Microsoft® SQL software

1 - Uninstall any components related to Microsoft® SQL.



2 - Ensure there are no SQL related packages left.



To create the instance name registry key

1 - Open the registry editor and locate or create the GalaxyInstallerFlags key under HKEY_LOCAL_MACHINE\SOFTWARE.

2 - With the key selected, create a new string value.



3 - Type the name szUserSQLInstanceName and double-click to edit the value.

4 - Provide the desire instance name.

5 - Click to save the key.



6 - The key and its value are displayed in the window.



To install the SQL instance

1 - .NET Framework 3.5 must be installed first. To do so, open the Server Manager.

2 - Click to add a feature.



3 - Click Next.



4 - Select Role-Based and click Next.

5 - Select the local server and click Next.



6 - Click to skip adding new roles.

7 - In the features screen, validate or install the .NET Framework 3.5 Features.



8 - From the Commvault® software download, locate the SQL folder.

9 - Execute Setup.exe.



10 - Click the Installation section.

11 - Click to launch the installation wizard.



12 - Keep the pre-populated product key and click Next.



13 - Accept the license terms and click Next.



14 - Check to download updates and click Next.



15 - Ensure all tests have passed successfully and click Next.



16 - Select the option to choose features and click Next.


17 - Select the following features and click Next.



18 - Select Named instance and provide the instance name defined in the registry key.

19 - Click Next.



20 - For the SQL Database Engine, browse and add the SYSTEM account and click Next.



21 - Ensure the collation is set to SQL_Latin1_General_CP1_CI_AS and click Next.



22 - Use the Mixed Mode authentication.

23 - Provide the password.

24 - Click to add the user currently logged in and click Next.



25 - Click to launch the install.



26 - Ensure all components were installed successfully.



To optimize SQL memory

1 - Open SQL Management Studio and connect to the newly created instance.


2 - Right-click the instance and select Properties.

3 - Set the maximum memory to half of the server’s physical memory.




To re-install Commvault® software

1 - Launch the installation and go through the screens as for a traditional installation, except for the database screens.

2 - Provide the SA password that was set when installing the SQL instance.




3 - Select to use existing databases and select the databases that were manually backed up.

4 - Provide the path and the name of the backup files.

5 - Select Recovery / Production.

6 - Click to finish the installation.




7 - Validate that the database was restored successfully.



To hide the SQL instance

1 - Using SQL Server Configuration Manager | Expand SQL Server Network Configuration.

2 - Right-click the Protocols entity and select Properties.

3 - Select Yes to hide the instance.

4 - Click OK and restart the SQL services.
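Each of the SQL Server hardening steps above is a setting that can silently revert (a SQL Server update, a restore of the wrong configuration, an administrator "fixing" connectivity), so it is worth checking them together. The following is an added example, not Commvault's own tooling: a read-only audit in PowerShell that reads the SQL Server registry locations for the instance's TCP port and dynamic-port setting ("Change the SQL Server Port"), the HideInstance flag ("Change and Hide the SQL Server Instance Name"), the state of the SQL Browser service, and the RestrictAnonymous value ("Limit CommServe® Server Database Access"). The instance name defaults to the page's COMMVAULT; the registry paths are the standard SQL Server ones and the 49152-65535 check follows the page's recommendation.

```powershell
# Added example (not Commvault's own tooling): read-only audit of the SQL Server
# hardening steps in this section. Run as an administrator on the CommServe host.
function Test-CommServeSqlHardening {
    param([string]$InstanceName = 'COMMVAULT')   # page default; pass the renamed instance if changed

    $findings = @()

    # Resolve the instance ID (e.g. MSSQL15.COMMVAULT) from SQL Server's instance map
    $map    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL' -ErrorAction Stop
    $instId = $map.$InstanceName
    if (-not $instId) { throw "SQL instance '$InstanceName' not found on this host" }

    $netLib = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instId\MSSQLServer\SuperSocketNetLib"
    $ipAll  = Get-ItemProperty "$netLib\Tcp\IPAll"

    # Port: dynamic ports cleared (step 3) and a fixed port outside 1433 in IPAll (step 4)
    if ($ipAll.TcpDynamicPorts) { $findings += "TCP dynamic ports still set ('$($ipAll.TcpDynamicPorts)')" }
    if (-not $ipAll.TcpPort) {
        $findings += 'No static TCP port configured'
    } elseif ([int]$ipAll.TcpPort -eq 1433) {
        $findings += 'Instance still listens on default port 1433'
    } elseif ([int]$ipAll.TcpPort -lt 49152) {
        $findings += "Port $($ipAll.TcpPort) is outside the recommended 49152-65535 range"
    }

    # Hidden instance: HideInstance=1 stops SQL Browser from advertising name and port
    $hide = (Get-ItemProperty $netLib -ErrorAction SilentlyContinue).HideInstance
    if ($hide -ne 1) { $findings += 'Instance is not hidden (HideInstance is not 1)' }

    # SQL Browser answers UDP 1434 enumeration requests; report it so the decision is explicit
    $browser = Get-Service SQLBrowser -ErrorAction SilentlyContinue
    if ($browser -and $browser.Status -eq 'Running') { $findings += 'SQL Browser service is running' }

    # Null sessions: RestrictAnonymous=1 as listed under "Limit CommServe Server Database Access"
    $ra = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').RestrictAnonymous
    if ($ra -lt 1) { $findings += "RestrictAnonymous is '$ra' (expected 1)" }

    [pscustomobject]@{
        Instance  = $instId
        TcpPort   = $ipAll.TcpPort
        Hidden    = ($hide -eq 1)
        Findings  = $findings
        Compliant = ($findings.Count -eq 0)
    }
}

Test-CommServeSqlHardening | Format-List
```

Hiding the instance (and, more so, stopping SQL Browser) means anything that connects by instance name alone can no longer discover the port. After changing the port or hiding the instance, confirm that the CommServe services start, that a CommServe DR backup completes, and that any remote Web Server or console host can still reach the database before treating the change as done.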


Copyright © 2021 Commvault | All Rights Reserved.