I have a (physical, not Azure VM!) Windows server whose files are automatically backed up using Azure Backup.
If the server gets compromised, how much damage to the backups can the attacker do?
Background: Newer generations of ransomware have the unfortunate tendency to actively search for and delete backups (volume shadow copies, external hard drives, etc.). I guess it's only a matter of time before they start targeting cloud backups as well.
Research I have already done: I think that the worst damage that an attacker could do would be to lower the retention period to the minimum of 7 days, thus destroying backups older than a week. I have looked through the Azure Backup PowerShell cmdlets (which seem to be the official API for Azure Backup instrumentation) and have not found any way to explicitly delete or overwrite recovery points.
Related question: Protecting Azure Backup from malicious deletion. That question is about the case where the Azure management credentials get compromised. My question is about the case where only a vault-registered server gets compromised, but the management credentials are safe.
Unfortunately, and rather scarily, you are incorrect. You can use Remove-OBPolicy, which has an option to delete all associated backups with the -DeleteBackup parameter. I can't think of an immediate way to protect against this either. Maybe it would be possible to swap credentials out in some way.
You could have them backing up to an intermediate filestore, being pushed up from there. Unfortunately that is very much a bandaid solution.
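As an added example (not part of the original question or answers), a small Python detector that scans PowerShell script-block log text (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) from the backed-up server and flags the two kinds of damage discussed here: Remove-OBPolicy invoked with -DeleteBackup, and a retention policy being lowered toward the 7-day minimum. The sample log lines are constructed, and the cmdlets other than Remove-OBPolicy/-DeleteBackup are assumed for illustration.

```python
import re

# Constructed sample of script-block text as it would be logged by PowerShell
# script block logging (Event ID 4104). These lines are made up for the example.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-OBPolicy | Get-OBRetentionPolicy",
    "Get-OBPolicy | Remove-OBPolicy -DeleteBackup -Confirm:$false",
    "$p = Get-OBPolicy; Remove-OBPolicy -Policy $p -DeleteBackup:$true",
    "$r = New-OBRetentionPolicy -RetentionDays 7; "
    "Set-OBRetentionPolicy -Policy $p -RetentionPolicy $r",
    "Start-OBBackup -Name 'Nightly'",
]

# Remove-OBPolicy followed (within the same statement) by the -DeleteBackup
# switch, unless it is explicitly turned off with -DeleteBackup:$false.
DELETE_PATTERN = re.compile(
    r"\bRemove-OBPolicy\b[^\n;]*-DeleteBackup\b(?!:\$false)", re.IGNORECASE
)
# Any retention value passed on the command line (assumed parameter name).
RETENTION_PATTERN = re.compile(r"-RetentionDays\s+(\d+)", re.IGNORECASE)


def classify_script_block(text, min_retention_days=30):
    """Return the list of alert labels raised by one logged script block."""
    alerts = []
    if DELETE_PATTERN.search(text):
        alerts.append("backup-deletion")
    for match in RETENTION_PATTERN.finditer(text):
        days = int(match.group(1))
        if days < min_retention_days:
            alerts.append(f"retention-lowered:{days}")
    return alerts


def scan(blocks, min_retention_days=30):
    """Scan a sequence of script blocks; return (index, alert) pairs."""
    findings = []
    for index, block in enumerate(blocks):
        for alert in classify_script_block(block, min_retention_days):
            findings.append((index, alert))
    return findings


if __name__ == "__main__":
    for index, alert in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {index}: {alert} :: {SAMPLE_SCRIPT_BLOCKS[index]}")
```

Feeding real 4104 events into `scan` (for example via a SIEM parser) gives an alert the moment a compromised server tries to remove its own cloud backups, even though the Azure management credentials were never touched.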
Azure just (November 2016) added new security features to Recovery Services vaults which can be activated in the recovery vault settings and address exactly these issues: