backup utility that marks files read-only?

[ratsrcute]

I want to keep both local and cloud backups. My local drive is always connected, so I understand that a ransomware attack could encrypt files on it. There's a simple protection, if I understand right---making the files on the external drive read-only with no permissions to modify the name or delete them. Is that possible with any Windows backup utilities?
Mike

 

[ThrashZone]

Hi,
Leaving a back up/ system image drive connected all the time defeats it purpose

 

[Lady Fitzgerald]

The only way for a backup drive to be safe is to keep it disconnected from the computer except when updating the backup. And, since that backup drive will be vulnerable while connected to the computer, it's a good idea to have a second backup drive.

Ideally, you should have two backup drives, one that is kept onsite and one that is kept offsite. Besides protecting from possible corruption when updating a backup, the offsite drive will also preserve most of your data should the onsite drive and your computer should get damaged or destroyed in a disaster or get stolen (the more frequently you update the offsite drive, the less data will get lost if things go pear shaped).

A possibly less expensive alternative that requires less effort on your part is to use a paid cloud backup service (not cloud storage or any of the free alternatives) for your sole backup (not as desirable since all your eggs data is in one basket) that also have versioning, such as Carbonite.com. Carbonite will keep previous copies of a file that has changed or been deleted for 30 days so, even if your data gets infected and uploaded, you can recover the earlier version if you catch it soon enough (and most likely you will). The downsides of a cloud backup is you do have to have a broadband internet connection, it will cost at least $60 a year, and data recovery will take a long time (the initial upload can take between days and weeks, depending on how much data you have and the speed of your connection).

 

[ratsrcute]

I already have offsite and cloud backups. The purpose of an always-connected local backup, ThrashZone, is to provide the most recent copy of large files if my main hard drive fails, which I think is a more likely scenario than ransomware. Cloud backups are not as recent for large files, as they take a looong time to upload. Offsite backups are not as recent as local ones for obvious reasons.

So protecting the local backup drive from ransomware is just another layer of protection and convenience in dealing with a ransomware attack.

In the Unix world, apparently it is common to store backup files set to restricted permissions. Enterprises, as a strategy to minimize ransomware damage, are taking to care to limit the permissions that any one user has, because if that user should be the entrance point for ransomware, it can do limited damage. In fact, I read a description of the CryptoWall process, and the first thing it does is scan for files it has permission to modify or delete. It leaves alone other files and directories.

In the Windows world, as a home, single user I have not had to deal with file permissions. So what I am asking is whether there is a Windows backup utility that can log in as another user. Say I'm user Mike. Then I create another user, MrBackup, and the backup software runs as him. The crucial thing is that Mike doesn't have write, delete, or modify permissions for files owned by MrBackup.

Is this actually possible in Windows?

Mike

 

[Lady Fitzgerald]

Again, if the backup drive is connected to the computer, it is subject to infection the same as internal drives so the answer is no, what you want to do is not possible in Windows.

 

[DavidE]

In the Windows world, as a home, single user I have not had to deal with file permissions. So what I am asking is whether there is a Windows backup utility that can log in as another user. Say I'm user Mike. Then I create another user, MrBackup, and the backup software runs as him. The crucial thing is that Mike doesn't have write, delete, or modify permissions for files owned by MrBackup.

Is this actually possible in Windows?

Mike

If user Mike (or any user) is an Administrator account, they can access any files owned by any other user, one way or another, and make any other system changes.
If User Mike is a Standard (Limited) account, you can protect files and settings for other users.
That's my understanding of how Windows security works.

 

[ratsrcute]

In the Windows world, as a home, single user I have not had to deal with file permissions. So what I am asking is whether there is a Windows backup utility that can log in as another user. Say I'm user Mike. Then I create another user, MrBackup, and the backup software runs as him. The crucial thing is that Mike doesn't have write, delete, or modify permissions for files owned by MrBackup.

Is this actually possible in Windows?

Mike

If user Mike (or any user) is an Administrator account, they can access any files owned by any other user, one way or another, and make any other system changes.
If User Mike is a Standard (Limited) account, you can protect files and settings for other users.
That's my understanding of how Windows security works.

Thanks, that makes sense. I know some backup software will run as another user, such as GFI backup. Mike is not an administrator.

But if ransomware infections on Windows are able to get admin permissions regardless of what user downloads and initiates the infection, then all is for naught. (Of course, that's why I have cloud and offsite backups.)