Re: How to secure backups?



Hello Jason,

Thank you for your post, and thanks also to Brian and Cris for the great input.

According to your description, I understand that you want to encrypt the backup files on the external drive. If I have misunderstood the problem, please don't hesitate to let me know.

Based on my research, you can enable EFS on the external drive to store backup files. Then the backup file can only be read from this SBS.

Enable an EFS folder on the external drive:
============================
1. Connect the external drive to SBS.
2. Create a new folder on the external drive. Right click it and click Properties.
3. Click the Advanced button on the General tab.
4. Select the "Encrypt contents to secure data" checkbox and click OK. The folder will then turn green.

Then you can back up your SBS to the encrypted folder on the external disk drive. The bkf file will be encrypted. The encrypted files can only be read from this SBS.

As we need the EFS private key to decrypt the backup file, we also need to back up the EFS certificate and key specifically. Otherwise, if the system crashes, we are unable to use the encrypted backup on the external drive.

How to back up your EFS certificate and key:
====================================
1. Open Internet Explorer on SBS.
2. Click Tools on the menu bar and select Internet Options.
3. Click the Content tab.
4. In the Certificates field, locate and click the Certificates button.

Verify you are in the Personal tab. There may be several certificates present depending on whether you have installed certificates for other purposes.

5. Highlight one certificate at a time until the field entitled "Certificate Intended Purposes" states "Encrypting File System". This is the certificate that was generated when you encrypted your backup folder.

6. Click the Export button to start the Certificate Export Wizard.

7. Click Next.

8. Select "Yes, export the private key" to export the private key. Click Next.

9. Leave the default value of "Enable Strong protection (requires IE 5.0, NT 4.0 SP4 or above)".

10. Click Next.

11. Enter your password. You need a password to protect the private key.

12. Specify the path where you want to save the key. You can save the key to a floppy, another location on the hard disk, or CD. If the hard disk fails or is formatted, the key and the backup will be lost. If you back up the key to a floppy or CD, it must be stored in a secure location.

You will need to give the backup pfx file a location. Click Next once you have specified the destination.

Then, when you want to restore your SBS from the encrypted backup file on a new SBS, you can copy this backup certificate pfx file to the new SBS and double-click it to import it into the new SBS. Then you can read the encrypted backup files.

The following is good information on EFS:

Reference:
=============

The Windows Server 2003 Family Encrypting File System
http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/WinNETSrvr-EncryptedFileSystem.asp

Encrypting File System in Windows XP and Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx#XSLTsection127121120120

I hope this helps. If you have any questions or concerns, please do not hesitate to let me know. I am happy to be of further assistance. Thank you for your time and cooperation!

Best regards,

Terence Liu (MSFT)

Microsoft CSS Online Newsgroup Support


--------------------
| From: "Jason" <jsantos@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: How to secure backups?
| Date: Tue, 27 May 2008 11:11:54 -0400
| Newsgroups: microsoft.public.windows.server.sbs
|
| Thanks Brian and Cris. Just to make sure my question is understood, let me
| rephrase. I understand the physical aspects of securing. More specifically,
| I'm looking for information as to how to secure the data on the drive
| through software (NT Backup, preferably) or whichever way would prevent
| someone else from easily accessing the data.
|
| Thank you.
|
|
| "Jason" <jsantos@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
| news:3B227E4F-4D2F-4B7C-8114-0CBC2158384C@xxxxxxxxxxxxxxxx
| > Using SBS 2003.
| > We are using Windows Backup to do nightly backups to an external drive.
| > How can I either encrypt or basically make sure if found, someone else
| > can't simply connect this drive and get all of the information from it?
| >
| > Thanks.
|
|
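
The two GUI procedures in the reply above (encrypting the backup folder and exporting the EFS certificate with its private key) can also be done from a command prompt with cipher.exe. This is an added example, not part of the original post; the drive letter E:, the folder E:\SBSBackup and the export path C:\KeyBackup are assumed values. It assumes it is run as the same account that writes the backup file, since EFS encrypts new files with the key of the account that creates them, and it checks for NTFS first because EFS is not available on FAT or FAT32 volumes.

```batch
@echo off
rem Added example, not from the original post.
rem Assumed values: E: is the external drive, E:\SBSBackup is the backup
rem folder, C:\KeyBackup is where the exported key is written first.
setlocal
set "BACKUP_DIR=E:\SBSBackup"
set "KEY_DIR=C:\KeyBackup"
set "KEY_FILE=%KEY_DIR%\efs-sbs"

rem EFS requires NTFS; stop if the external drive uses another file system.
fsutil fsinfo volumeinfo E:\ | find /i "NTFS" >nul
if errorlevel 1 (
    echo E: is not an NTFS volume, EFS cannot be used on it.
    exit /b 1
)

rem Same effect as ticking "Encrypt contents to secure data" on the folder:
rem files created in it afterwards are encrypted.
if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"
cipher /e "%BACKUP_DIR%"

rem List the folder contents: encrypted entries are flagged E, others U.
rem Run this again after the first backup to confirm the .bkf shows E.
cipher "%BACKUP_DIR%\*"

rem Export the current user's EFS certificate and private key.
rem cipher asks for a password and writes %KEY_FILE%.PFX.
if not exist "%KEY_DIR%" mkdir "%KEY_DIR%"
cipher /x "%KEY_FILE%"

rem Confirm the PFX opens with that password before relying on it.
certutil -dump "%KEY_FILE%.PFX"
endlocal
```

Move the resulting PFX file off the server and store it separately from the external backup drive; anyone holding both the drive and the PFX with its password can read the backup.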

