Best Practices for Backup Storage

Always Test and Install the Latest Agent Versions

Keep Backup Agents installed on users' computers up-to-date. New versions not only contain new and improved features, but also stability, performance, and security enhancements. You can create a new build for the latest version from Downloads, test it in your environment from the sandbox, and once a new release is approved, click the Make Public option so deployed copies of Backup Agent are automatically updated the next time they start a backup or restore.

To make sure automatic updates are enabled, proceed as follows:

  1. In the Management Console, click Downloads.
  2. In the Downloads panel, switch to the Options tab.
  3. Make sure the Allow Automatic Update check box is selected.

Use Cloud Storage for All Important Backups

If you work with regulated data like medical records, sensitive data like legal or accounting, or want to make sure any data you are backing up is using the best security against disaster/malware, then you must back up to the cloud. You can create local backups to a network share and the cloud, in a single pass, using our hybrid backup technology or you can back up directly to the cloud. The cloud helps protect your backups from malware or a bad actor that can easily access your local backups from the network.

Lock Backup Agent with a Master Password

You can also optionally set a master password to allow access to the Backup Agent (this will also restrict access to the underlying Managed Backup APIs from the client). To enable this feature, you need to use the Computers –> Remote Deployment option. Remote Deployments allow you to create a default set of options and backup/restore plans that can be easily applied to one or more computers through Rules. Rules allow you to deploy to a customer, user account, or a specific computer. To enable the option, check Protect Console with a Master Password in the Settings –> General section.

Lock Out Files Deletion on The Backup Agent

The Storage tab of a Backup Agent is the place where most of the metadata is being stored. You can restore files from it with a few clicks. You can also delete data from this tab.

To disable the option, proceed as follows:

  1. Open the Management Console.
  2. In the Settings menu, select Global Agent Options.
  3. In the General group, unselect the ** Allow data deletion in Backup Agent** check box.
  4. Click Save Changes.

Require Additional Verification for Access

If a user is accessing sensitive data in a cloud, automatically require two-factor authentication to prove their identity.

Enable Two-Factor Authentication for Administrator Accounts

The Two-Factor Authentication (2FA) adds a second layer of login security for the main administrator and sub-admin accounts. You can use Google Authenticator or Microsoft Authenticator with your iOS or Android mobile devices to require a second code to be entered when logging into Managed Backup.

To enable 2FA on the main Administrator account, proceed as follows:

  1. Open the Management Console and log into it under the main administrator credentials.
  2. In the Users menu, select Administrators, and click the Edit button next to the main administrator account.
  3. Select the Enable 2FA check box.
  4. Follow the instructions stated in the Enable Two-factor Authentication dialog box (download and run the Google or Microsoft Authenticator application on your mobile device, click Add Account and scan the QR code in the dialog box. Enter the validation code).
  5. The administrator account is now secured with 2FA access.

After 2FA is enabled, generate alternative codes that can be used to access the Management Console in case of emergency: for instance, if you accidentally remove yourself from the IP Allowlist. To do this:

  1. Click the 2FA Alternative Codes link.
  2. Click Generate New Codes. Once codes are generated, download or print them. These codes can be used for authentication within the Console, so, for security reasons, keep them in a safe place.

To enable 2FA on a sub-administrator, proceed as follows:

  1. Create a new account under Administrators.
  2. Log into Management Console under the new credentials.
  3. Upon the first login, click the Enable 2FA*, then follow the instructions on the screen (download and run the Google or Microsoft Authenticator application on your mobile device, click Add Account and scan the QR code in the dialog box. Enter the validation code).

You can also force 2FA to be switched on for all your sub-administrators. To do this, proceed as follows:

  1. Log into Management Console under the root account.
  2. In the Settings menu, select General.
  3. Select the Force Two-Factor Authentication for all administrators check box.
  4. Click Save.

Once complete, your admin accounts will be secured with 2FA access. If someone accidentally saved their username and password in a browser or someone gained access to an admin password, they will not be able to log into Managed Backup without access to the administrator's mobile device.

| Top |

Use IAM Role Access to your AWS S3 Storage

When creating your AWS S3 Storage in Managed Backup, use Identity and Access Management (IAM) Roles instead of the classic Access / Secret Keys. IAM roles do not have associated access keys, so there are no credentials to steal. Instead, temporary access is granted so backup and restore plans can access S3 storage. Configuring your S3 accounts in Managed Backup with IAM Roles is detailed in this help article:

Activate MFA for Wasabi Account Control Manager (WACM)

  1. Configure and validate a virtual MFA device as described in Wasabi documentation
  2. Login to your WACM account
  3. Navigate to My Profile.
  4. Navigate to Multi Factor Authentication section under Profile tab and click Turn On.
  5. On Setup one-time password page activate MFA by providing Confirmation Code using the validated MFA device and then click Register.

| Top |