Educause Security Discussion mailing list archives
Re: Vista/7 Shadow Copy
From: "Flynn, Gary" <flynngn () JMU EDU>
Date: Tue, 25 May 2010 10:08:56 -0400
Yes, the question concerned clients. NTBACKUP appears to use the service to handle files in use. If the service is shut down, the files will be skipped. But disabling the "System Protection" feature for a volume doesn't appear to shut down the Volume Shadow Copy service and make it unavailable to other applications. All it does is tell one application, the System Protection application that makes the automated copies, to no longer make use of the service. The concern is inadvertent storage of sensitive data in the shadow copies. Note that data may be present even if a "secure delete" utility is used as the shadow functionality will copy any blocks overwritten by the secure delete utility. And even if full disk encryption is present, that only protects the data if the computer is stolen. It doesn't provide any protection from malware and I'd argue that malware is a more serious and common threat to the confidentiality and integrity of data than theft. I've seen several web sites that give instructions for recovering data from shadow copies from the command line and even mapping drive letters to them though I've not tried them. On 5/25/10 9:10 AM, "Sam Stelfox" <SStelfox () VTC VSC EDU> wrote: I could be wrong but the original question looks less like a question about servers and more about clients. I don't see any reason that this should be on for a normal workstation. Volume Shadow Copy is used to access files that are currently in use and have a lock (assuming that the program that is holding the lock supports VSS). If you are using a backup solution to backup your workstations, even with VSS disabled the backups should not fail. I can't see any reason to keep it enabled on clients/workstations. On 05/24/2010 04:23 PM, Dexter Caldwell wrote: Agree. A number of backup and other products use this service. Even some enterprise storage mechanisms leverage it on systems for things like snapshots or system-state (Active Directory recovery) backups when you backup Domain Controllers. It just depends what you have on the back end. I'd just be careful about where it's disabled. (Ex, be sure to exclude servers, for example) It's not always obvious what dependencies exist. Also apps like SQL Server, Exchange sometimes use this for various functions, here's an article that's not directly related, but includes buried in the article some information that describes things that can be impacted by the service's ability to run properly. http://support.microsoft.com/kb/826936 D/C The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> writes: On 5/21/10 3:25 PM, Flynn, Gary wrote:
What do you think of disabling Shadow Copy on computers not having full
disk encryption to prevent inadvertent storage of sensitive data? Our
support folks indicated they don't use the feature for maintenance or
troubleshooting. Some of our Windows folks are worried that it might be
used as part of the backup process or to recover files from servers
(???). And it it nice to have around when pushing patches or changes
that have higher risk of failure (e.g. Service packs).
At least one major enterprise backup application I'm aware of uses VSS and backups will fail should that be disabled. You'll have to test your client machines to see if your client backup process is similarly hobbled.
Current thread:
- Vista/7 Shadow Copy Flynn, Gary (May 21)
- <Possible follow-ups>
- Re: Vista/7 Shadow Copy Roger Safian (May 21)
- Re: Vista/7 Shadow Copy Cal Frye (May 21)
- Re: Vista/7 Shadow Copy Dexter Caldwell (May 24)
- Re: Vista/7 Shadow Copy Sam Stelfox (May 25)
- Re: Vista/7 Shadow Copy Flynn, Gary (May 25)
- Re: Vista/7 Shadow Copy Dexter Caldwell (May 25)
- Re: Vista/7 Shadow Copy Theodore Pham (May 25)