First published on TECHNET on Apr 29, 2008
Are the Backups secured?
Yes
. The Complete PC Backup (CPC) or Windows Server Backup (WSB) can be only invoked by a user belonging to either Administrators or Backup operators Group.
§ Disk:
Backups are ACLed to be accessible only for only Administrators and Backup Operators Group.
§ Network:
By default the Backups inherit the ACLs from its parent directory;
However if an user chooses to ACL the Backups strongly, the Backups would be ACLed to be accessible only to the user whose credentials are provided at the time of Backup rather than inheriting from the parent; Also the Backups are acled for Administrators and Backup Operators of the machine which hosts the Network Share.
§ Optical:
The Backup is done after the media is formatted to UDF format which doesn’t support ACLs. So The Backup to Optical Media is only as secure as the physical media.
§ Removable:
The Backup is done after the media is formatted to NTFS format and the Backups are ACLed to be accessible only for Administrators and Backup Operators group.
Can I additionally secure the Backups by backing up to an encrypted folder (Creating Encrypted WindowsImageBackup directory in the root of the volume or in network share and backing up to the volume or the network share)?
No
. Backup to a target which is encrypted at file system level is not allowed.
If you attempt the same, you would be getting following the error message:
“Backups cannot be stored on an encrypted volume. Please decrypt the volume and retry the operation”
Can CPC or WSB backup the Systems protected by BitLocker?
Yes
. You can use CPC or WSB to backup your systems protected by BitLocker.
Additionally you can secure the Backup Target Disks too by protecting the same with BitLocker.
Ensure the volumes which are backed and the Backup Target, if BitLocked are unlocked for Backups to succeed.
Are the Backups of volumes which are protected by BitLocker encrypted?
No
. The Backups of volumes which are protected by BitLocker aren’t encrypted. Backup reads the data blocks from VSS Shadow created on the volume which is a clear text. Hence Backups are not encrypted.
To secure the Backup data in case of System or Backup Target being stolen or lost, the Backup target if it is a disk, can be secured using BitLocker protection. So if you are restoring your system from the Backup (Bare Metal Recovery), post recovery the volumes which were BitLocked when the backup was taken would not be BitLocked. Hence you would need to BitLock the volumes again.
If the Source Volume(s) or Backup Target is BitLocked, do I need to do any additional steps during System Restore(Bare Metal Recovery) or in Online Recovery?
For Any type of Recovery ensure that the Backup Target if BitLocked is unlocked. If the Recovery is a file-level recovery (File Recovery, App Recovery, System State Recovery) the Recovery Target too needs to be unlocked if it is BitLocked. However unlocking a locked BitLocked Recovery Target is not needed if the Recovery is a volume-level recovery (Volume Recovery, System Recovery(Bare Metal Recovery))
Appendix:
Encrypted File System (EFS) and BitLocker links:
http://technet.microsoft.com/en-us/magazine/cc138009.aspx
http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/default.mspx
...
http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/analysis/80c0d...
Acronyms:
CPC – Complete PC Backup in Vista and Vista SP1
WSB – Windows Server Backup of Longhorn Server 2008
-
GeethaKrishna S
