Monday, 8 July 2019

security - Windows Task Scheduler can't write to folder even when run as Admin

I back up my Windows system partition using Macrium Reflect 6's backup schedule. The software adds an entry to Windows Task Scheduler and the backup usually runs without trouble. Since the backup location is a folder on an always-mounted hard drive -- F:\Files --, I risk backup corruption if my computer gets infected (i.e. ransomware) before I can copy the files to an external drive. To deal with this, here is what I've done:



  • I use the PC as a standard (non-administrator) account

  • I've right-clicked the backup folder, gone to Properties >> Security >> Edit permissions, and clicked "Deny" under the "Write" permission for users belonging to the Users group.


My intent is to make it impossible for non-admin users -- and hence most malware -- to overwrite or corrupt the backup files. The restriction took effect as I expected: for instance, I now need to enter an administrator password if I wish to write a file to F:\Files. The problem is that the backup job now fails. In the Macrium UI, here is the error I see:


Backup aborted! - None of the specified locations could be written to

I'm surprised by this error because I think the task is set to run as the Admin account; when I set up the backup job in Macrium I was explicitly asked which user account should be used, and to enter that user's password, so I chose Admin. As a result I expected the software to have no problem writing to the backup folder even after I revoked write permissions from non-admins. If I open up Task Scheduler and look at the task details, here is what is shown under Security options:


[Screenshot: Security options of the task in Task Scheduler]


As you can see, the task is run as Admin. The author of the task (not shown in the screenshot) is also Admin. The action of the task is:


C:\...\Reflect.exe -e -w "F:\Files\Schedule.xml" -inc -g {some long token here}

Am I overlooking something or is this a bug with my backup software? The last run result in Task Scheduler shows simply (0x1).




Upon further investigation, I discovered that if I log in as Admin and try to write a file to the restricted folder, I can't. Denying Write perm for the Users group also denied it for the Admin account. This is probably why my backup job is failing. The image below shows the Effective Permissions for Admin after I deny write permissions to the Users group.


[Screenshot: Effective Permissions for Admin on the backup folder]


I also discovered that although blocked accounts could not save a new file to the folder, they could still delete the files already present. So I was still vulnerable to malware deleting these files. I needed more restrictive permissions. I also need to find a way to deny perms for all non-admin users, but allow it for admins.



Instead of denying permission for the entire Users group, I decided to try denying permission for only the account I use day-to-day.


From the folder Properties screen (right click the folder and select Properties):



  1. click Advanced

  2. click Change Permissions

  3. click Add

  4. type the account username I want to restrict

  5. click Check Names: the fully qualified username (e.g. MyPC\John) should auto-populate the textarea

  6. click OK

  7. A popup that allows permissions to be set granularly for the selected users should open. Here is what I did with mine:


[Screenshot: permission entries set for the restricted account]


Most importantly, I denied all Write, Delete, Change permissions and Take ownership permissions. Now things seem to be working as intended. With my day-to-day account I can neither write nor delete files in the backup folder. However, as Admin I can do both. A manual backup just completed successfully as well, so things seem to be OK. I'll know tomorrow whether the scheduled task runs without trouble.



What I'd like is for all non-admin users to be restricted. My solution blocks just one non-admin -- MyPC\John -- but if another non-admin profile were created (or maybe even if my username changed?) the restrictions would be bypassed. I'm looking for something closer to the protection on the C:\Program Files directory: I'm always blocked from making changes there if I'm not an admin.
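
Added example (not part of the original post, and not Windows or Macrium code): a simplified Python model of the DACL access check, showing why a Deny entry for Users also blocks Admin, why Deny "Write" still allows delete, and how an allow-only ACL covers every non-admin. The ACLs, the MyPC\Jane account and the group memberships are constructed assumptions; in particular it assumes Admin's token also carries BUILTIN\Users and that Users originally had Modify on F:\Files.

```python
# Simplified model of the Windows DACL access check (constructed data, see lead-in).
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x1, 0x2, 0x4
FILE_WRITE_EA, FILE_WRITE_ATTRIBUTES, DELETE = 0x10, 0x100, 0x10000
# Basic "Write" permission: note that it does not contain DELETE.
WRITE = FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES
MODIFY = FILE_READ_DATA | WRITE | DELETE  # simplified subset of the real Modify mask
FULL = MODIFY                             # simplified: enough bits for this model

USERS, ADMINS = "BUILTIN\\Users", "BUILTIN\\Administrators"

# Assumed tokens: every local logon, Admin included, carries BUILTIN\Users.
ADMIN = {"MyPC\\Admin", ADMINS, USERS}
JOHN = {"MyPC\\John", USERS}
JANE = {"MyPC\\Jane", USERS}  # hypothetical second non-admin account

def access_check(token, dacl, desired):
    """Walk ACEs in order; a matching deny on any still-needed bit fails at once."""
    remaining = desired
    for ace_type, trustee, mask in dacl:
        if trustee not in token:
            continue                      # ACE does not apply to this caller
        if ace_type == "deny" and mask & remaining:
            return False                  # deny wins over any later allow
        if ace_type == "allow":
            remaining &= ~mask            # these bits are now granted
        if remaining == 0:
            return True
    return False                          # bits never granted: implicit deny

BASE = [("allow", ADMINS, FULL), ("allow", USERS, MODIFY)]
# First attempt: Deny "Write" for the whole Users group (deny ACEs sort first).
DENY_USERS_WRITE = [("deny", USERS, WRITE)] + BASE
# Second attempt: Deny write and delete for one named account only.
DENY_JOHN = [("deny", "MyPC\\John", WRITE | DELETE)] + BASE
# Allow-only layout: no deny ACEs, non-admins simply never get write or delete.
ALLOW_ONLY = [("allow", ADMINS, FULL), ("allow", USERS, FILE_READ_DATA)]

if __name__ == "__main__":
    for name, dacl in [("deny Users", DENY_USERS_WRITE),
                       ("deny John", DENY_JOHN), ("allow-only", ALLOW_ONLY)]:
        for who, tok in [("Admin", ADMIN), ("John", JOHN), ("Jane", JANE)]:
            print(f"{name:11} {who:5} write={access_check(tok, dacl, WRITE)} "
                  f"delete={access_check(tok, dacl, DELETE)}")
```

The model ignores inheritance, ownership and the parent folder's "Delete subfolders and files" right, all of which also affect real results.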
