More than backup & recovery: modern cyber-resilience techniques for legacy Windows Servers

Are you running a legacy Windows operating system that has been in end-of-support for years? Don’t worry; I’m not here to give you a lecture on the need to upgrade. For the most part, no administrator wants to run Windows Server 2012 in the 2020s, but they often have to.

Legacy business apps often require old operating systems. Administrators then have a tough challenge – how to back up these old systems securely. 

The problem is, backup and disaster recovery (BDR) strategies from a decade ago won’t cut it… but many modern tools aren’t compatible with legacy systems. You need a BDR plan that is both compatible with legacy operating systems and cyber-resilient against modern threats. 

So, what does a modern BDR solution that can accommodate legacy Windows operating systems look like? Here, we’ll take a closer look at the security and BDR challenges with old Windows operating systems and help you understand how to implement a secure and robust backup system for legacy machines.  

Legacy operating systems are a security double whammy: no patches and new threats 

Legacy operating systems are a double whammy for system administrators. First, Windows no longer provides security patches for these systems. That means you’re on your own when it comes to hardening them. In practice, that often means living with vulnerabilities on production systems.  

Then comes the second problem: a whole new threat model to protect against in the 2020s. A backup and disaster recovery strategy that worked well in the early 2010s isn’t going to cut it today. For example, the prevalence of ransomware today makes it a threat model you must address in modern environments.

To understand just how much things have changed, let’s take a closer look at backup security today compared to a decade ago. 

Legacy operating system backups: threats of the past vs threats of today 

In the 2000s through the early 2010s, it was still common for all data to be stored on-premise. Even when “on-premise” included additional sites (e.g., cold storage locations) as part of a 3-2-1 backup strategy, data security threats included those that physically compromised storage mediums (e.g., fire, natural disaster, and theft). For practical purposes, cloud backups mitigated that risk. However, along with the rise of cloud computing came the rise of threats like ransomware, account hijacking, and social engineering.  

With that in mind, here’s a high-level breakdown of data risks that were common when legacy Windows operating systems were in their prime vs today. 

| Data risk | Common a decade ago? | Common today? |
|---|---|---|
| Hardware failure | Yes | Less so |
| Physical theft | Yes | Less so |
| Destruction/natural disasters | Yes | Less so |
| Accidental deletion | Yes | Yes |
| Intentional (malicious) deletion | Yes | Yes |
| Ransomware | No | Yes |
| Account hijacking | No | Yes |
| Account deletion | No | Yes |
| Compliance (e.g., PCI DSS, HIPAA) | Yes | Yes |

As you can see, while some risks have remained the same, the overall data security landscape has changed a lot. In fact, backup strategies that were secure in the past aren’t necessarily secure today.  

Case in point: backing up to a secure network attached storage (NAS) device may have been “good enough” in the early 2010s. Today, some ransomware exploits — like the eCh0raix ransomware variant — specifically target NAS devices. Similarly, the Server Message Block version 1 (SMB v1) protocol, which used to be a popular protocol for copying files, isn’t viable in modern production due to vulnerabilities exploited by malware like WannaCry and NotPetya.
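To check whether a legacy server still exposes or depends on SMB v1 for file copies to a backup share, the following read-only audit can be run in an elevated PowerShell session. It is an added example, not part of the original article or of BackupAssist, and it assumes Windows Server 2012 or later, where the built-in SMB cmdlets are available; the function name `Get-Smb1Exposure` is hypothetical.

```powershell
# Added example: read-only SMB v1 audit for a legacy Windows Server.
# Assumes Windows Server 2012 or later (PowerShell 3.0+, built-in SmbShare module).

function Get-Smb1Exposure {
    # Server-side protocol switches.
    $cfg = Get-SmbServerConfiguration

    # Inbound sessions that negotiated an SMB 1.x dialect:
    # clients that still rely on this server speaking SMB v1.
    $inbound = @(Get-SmbSession |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect)

    # Outbound connections (for example to a NAS backup share)
    # that negotiated an SMB 1.x dialect.
    $outbound = @(Get-SmbConnection |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ServerName, ShareName, Dialect)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1ServerEnabled  = [bool]$cfg.EnableSMB1Protocol
        Smb2ServerEnabled  = [bool]$cfg.EnableSMB2Protocol
        Smb1InboundClients = $inbound
        Smb1OutboundShares = $outbound
    }
}

$report = Get-Smb1Exposure
$report | Format-List

if ($report.Smb1OutboundShares.Count -gt 0) {
    Write-Output 'Backup or file-copy targets negotiated SMB 1.x:'
    $report.Smb1OutboundShares | Format-Table -AutoSize
}
if ($report.Smb1ServerEnabled -and $report.Smb1InboundClients.Count -eq 0) {
    Write-Output 'SMB v1 is enabled, but no current session uses it.'
}

# Once no client or backup target depends on SMB 1.x, the server side
# can be switched off with:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Sessions and connections are a point-in-time snapshot, so run the audit while backup jobs and the legacy application are active before deciding that nothing depends on SMB v1.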

6 Pillars of a robust backup & disaster recovery system for legacy Windows Servers 

Now that we’ve covered the changes in threat models and challenges related to securely backing up legacy Windows Server machines, let’s explore what a modern cyber-resilient solution looks like. A genuinely resilient BDR system requires 6 specific characteristics, which we call the 6 Pillars of Legacy Server Backup and Disaster Recovery. They are: 

  1. Full system backup and recovery – If you ever need to restore your legacy Windows Server backup, simply restoring data isn’t enough. You need to be able to restore the system in an operational state without a ton of manual work. That’s where full system backup and recovery, such as Bare Metal Disaster Recovery (BMDR) with BackupAssist, can help. BMDR allows you to restore and recover your legacy servers “anywhere”, whether it’s a physical host or virtual machine.
  2. Fast and predictable recovery – When it comes to business continuity, speed matters. Just having the backups isn’t enough; you need to meet your Recovery Time Objective (RTO). A fast recovery means it has to be mistake-free: do it once and do it right. That’s why BackupAssist also comes with the Recovery Bible – step by step instructions for recovery success.
  3. Onsite and offsite recovery options – Onsite Windows image backups of your old Windows Server, accessible via direct connection or LAN, are the fastest way to get back up and running. Of course, you don’t want your backups to be only onsite. Cloud storage adds a layer of flexibility and resilience to your legacy Windows Server BDR plan.
  4. Offline backups – Hackers can potentially get to anything connected to a network, which is why offline backups are vital. The traditional approach to offline backups – a storage medium completely disconnected from the computer and network (e.g., removable hard drives and even tape drives) – is still viable today. Additionally, many consider cloud backups secured with multi-factor authentication (MFA) to be a viable “offline” backup implementation.
  5. Active protection from ransomware – Modern BDR strategies must take a proactive approach to protecting against ransomware. Today, hackers are attacking backups directly (encrypting backup files by overwriting them or deleting them altogether) and indirectly (encrypting files before backup). Tools like CryptoSafeGuard can mitigate this risk. CryptoSafeGuard restricts access to your backups with granularity to the process level. This provides much tighter security than traditional network or user-based restrictions. Additionally, CryptoSafeGuard uses intelligent heuristics during a backup to detect suspicious activity, and will notify you if anything requires your attention.
  6. A robust incident recovery plan – If ransomware or other malware does compromise your legacy Windows Server backups, forensic analysis to identify the root cause is critical. Accurate analysis helps ensure complete remediation occurs and prevents future attacks. Additionally, fast analysis helps restore normal operation more quickly and makes cyber insurance claims smoother. Traditionally, a significant gap in incident response has been the lack of data available to investigators. Cybersecurity investigators did not have something comparable to the “black box” recorders so useful to aviation investigations. Cyber Black Box is a new technology designed to solve precisely this problem. It works by transparently logging forensic data in the background and storing current and historical information for later analysis in the event of a hack.

How to get on the road to cyber-resilience with BackupAssist

Does your current backup solution have all 6 pillars of robust BDR?  

Unfortunately, for many admins, the answer is no.  

Administrators know their legacy Windows server backup strategy isn’t ideal, but they can’t find the right tools to get things up to par.  

BackupAssist with CryptoSafeGuard and Cyber Black Box is purpose-built to address these challenges. With BackupAssist, not only do you get all 6 pillars of robust BDR, but you get them affordably and in a solution that is fast, simple, and designed with best practices out of the box. You’re also constantly in the know with backup report emails and warnings in the event CryptoSafeGuard detects ransomware.

To learn how BackupAssist can help you secure your legacy Windows Server backups, sign up for a free expert consultation today
