Educause Security Discussion mailing list archives

Re: Vista/7 Shadow Copy


From: "Flynn, Gary" <flynngn () JMU EDU>
Date: Tue, 25 May 2010 10:08:56 -0400

Yes, the question concerned clients.

NTBACKUP appears to use the service to handle files in use. If the service is shut down, the files will be skipped.

But disabling the "System Protection" feature for a volume doesn't appear to shut down the Volume Shadow Copy service 
and make it unavailable to other applications. All it does is tell one application, the System Protection application 
that makes the automated copies, to no longer make use of the service.

The concern is inadvertent storage of sensitive data in the shadow copies. Note that data may be present even if a 
"secure delete" utility is used as the shadow functionality will copy any blocks overwritten by the secure delete 
utility. And even if full disk encryption is present, that only protects the data if the computer is stolen. It doesn't 
provide any protection from malware and I'd argue that malware is a more serious and common threat to the 
confidentiality and integrity of data than theft. I've seen several web sites that give instructions for recovering 
data from shadow copies from the command line and even mapping drive letters to them though I've not tried them.
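A way to see the distinction Gary draws above on a concrete machine: the following audit script is an added example, not something posted in the thread. It assumes an elevated Windows PowerShell session on Vista/7 or later and uses Get-WmiObject (present in the PowerShell 2.0 that shipped with Windows 7) to report the VSS service state, the shadow copies that still exist per volume, and how much diff-area space they hold. Running it after System Protection has been switched off for a volume shows whether the service is still running and whether older copies are still present.

```powershell
# Added example (not from the thread): audit shadow-copy state on a Vista/7 client.
# Run in an elevated Windows PowerShell session.

# 1. The Volume Shadow Copy service itself. Turning System Protection off for a volume
#    does not change this; the service stays available to backup tools and any other
#    VSS requester.
$svc = Get-WmiObject Win32_Service -Filter "Name='VSS'"
"VSS service: state={0} startmode={1}" -f $svc.State, $svc.StartMode

# 2. Map volume GUID paths (\\?\Volume{...}\) to drive letters so the listing is readable.
$letters = @{}
Get-WmiObject Win32_Volume | ForEach-Object {
    if ($_.DriveLetter) { $letters[$_.DeviceID] = $_.DriveLetter }
}

# 3. Every shadow copy that still exists. A volume whose System Protection was disabled
#    can still show copies here (existing ones are not purged automatically), and each
#    copy can hold the pre-overwrite contents of blocks a secure-delete tool has since
#    wiped on the live volume.
"--- existing shadow copies ---"
Get-WmiObject Win32_ShadowCopy | ForEach-Object {
    $letter = $letters[$_.VolumeName]
    if (-not $letter) { $letter = $_.VolumeName }
    "{0}  volume={1}  created={2}  device={3}" -f `
        $_.ID, $letter, $_.ConvertToDateTime($_.InstallDate), $_.DeviceObject
}

# 4. Diff-area usage per volume: a rough measure of how much superseded data the
#    snapshots are retaining.
"--- shadow storage ---"
Get-WmiObject Win32_ShadowStorage | ForEach-Object {
    $vol = [wmi]$_.Volume          # dereference the Win32_Volume association path
    $letter = $letters[$vol.DeviceID]
    if (-not $letter) { $letter = $vol.DeviceID }
    "{0}: used={1:N0} MB allocated={2:N0} MB max={3:N0} MB" -f `
        $letter, ($_.UsedSpace / 1MB), ($_.AllocatedSpace / 1MB), ($_.MaxSpace / 1MB)
}
```

If the listing shows copies that predate a secure-delete run, they can be removed with the built-in tool, for example `vssadmin delete shadows /for=C: /all`, after confirming nothing on the machine (backup agent, restore-point use during patching) still depends on them. Stopping and disabling the VSS service is a separate decision from turning System Protection off, and the thread's backup-dependency concern applies to the former.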
On 5/25/10 9:10 AM, "Sam Stelfox" <SStelfox () VTC VSC EDU> wrote:

I could be wrong but the original question looks less like a question about servers and more about clients. I don't see 
any reason that this should be on for a normal workstation. Volume Shadow Copy is used to access files that are 
currently in use and have a lock (assuming that the program that is holding the lock supports VSS).

If you are using a backup solution to back up your workstations, even with VSS disabled the backups should not fail.

I can't see any reason to keep it enabled on clients/workstations.

On 05/24/2010 04:23 PM, Dexter Caldwell wrote:

Agree.  A number of backup and other products use this service.  Even some enterprise storage mechanisms leverage it on 
systems for things like snapshots or system-state (Active Directory recovery) backups when you back up Domain 
Controllers.  It just depends on what you have on the back end.  I'd just be careful about where it's disabled.  (Ex, be 
sure to exclude servers, for example.)  It's not always obvious what dependencies exist.  Also, apps like SQL Server and 
Exchange sometimes use this for various functions; here's an article that's not directly related, but buried in it is 
some information that describes things that can be impacted by the service's ability to run properly.

http://support.microsoft.com/kb/826936

D/C

The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> writes:

On 5/21/10 3:25 PM, Flynn, Gary wrote:

What do you think of disabling Shadow Copy on computers not having full 
disk encryption to prevent inadvertent storage of sensitive data? Our 
support folks indicated they don't use the feature for maintenance or 
troubleshooting. Some of our Windows folks are worried that it might be 
used as part of the backup process or to recover files from servers 
(???). And it is nice to have around when pushing patches or changes 
that have higher risk of failure (e.g. Service packs).


At least one major enterprise backup application I'm aware of uses VSS 
and backups will fail should that be disabled. You'll have to test your 
client machines to see if your client backup process is similarly hobbled.