Educause Security Discussion mailing list archives
Re: Vista/7 Shadow Copy
From: Theodore Pham <telamon () CMU EDU>
Date: Tue, 25 May 2010 10:37:56 -0400
As far as I know, all the tools for directly accessing the shadow volume snapshots require administrator privileges. So running with UAC insulates you to a degree from malware being able to get to them. This of course assumes the user doesn't give the malware admin privileges and or some exploit isn't being used to escalate privileges. Disabling Volume Shadow Copy also disables the Previous Versions (aka right click on a file and the Previous Versions tab lets you view prior revisions to the file corresponding to system restore snapshots.) Not to mention VSS is a treasure trove of forensic data should you need it. However, if you're in a managed environment where your user data is stored on file servers and re-imaging a machine isn't an ordeal, then disabling VSS might be a good idea. Off the top of my head, another way to deal with this might be to create separate OS/software and user data partitions. Set VSS to monitor and shapshot the OS/software partition and turn it off for the user data partition. Ted Pham Information Security Office Carnegie Mellon University Flynn, Gary wrote:
--_000_C82152385F25flynngnjmuedu_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Yes, the question concerned clients. NTBACKUP appears to use the service to handle files in use. If the service = is shut down, the files will be skipped. But disabling the "System Protection" feature for a volume doesn't appear t= o shut down the Volume Shadow Copy service and make it unavailable to other= applications. All it does is tell one application, the System Protection a= pplication that makes the automated copies, to no longer make use of the se= rvice. The concern is inadvertent storage of sensitive data in the shadow copies. = Note that data may be present even if a "secure delete" utility is used as = the shadow functionality will copy any blocks overwritten by the secure del= ete utility. And even if full disk encryption is present, that only protect= s the data if the computer is stolen. It doesn't provide any protection fro= m malware and I'd argue that malware is a more serious and common threat to= the confidentiality and integrity of data than theft. I've seen several we= b sites that give instructions for recovering data from shadow copies from = the command line and even mapping drive letters to them though I've not tri= ed them. On 5/25/10 9:10 AM, "Sam Stelfox" <SStelfox () VTC VSC EDU> wrote: I could be wrong but the original question looks less like a question about= servers and more about clients. I don't see any reason that this should be= on for a normal workstation. Volume Shadow Copy is used to access files th= at are currently in use and have a lock (assuming that the program that is = holding the lock supports VSS). If you are using a backup solution to backup your workstations, even with V= SS disabled the backups should not fail. I can't see any reason to keep it enabled on clients/workstations. On 05/24/2010 04:23 PM, Dexter Caldwell wrote: Agree. A number of backup and other products use this service. Even some = enterprise storage mechanisms leverage it on systems for things like snapsh= ots or system-state (Active Directory recovery) backups when you backup Dom= ain Controllers. It just depends what you have on the back end. I'd just = be careful about where it's disabled. (Ex, be sure to exclude servers, for= example) It's not always obvious what dependencies exist. Also apps like= SQL Server, Exchange sometimes use this for various functions, here's an a= rticle that's not directly related, but includes buried in the article some= information that describes things that can be impacted by the service's ab= ility to run properly. http://support.microsoft.com/kb/826936 D/C The EDUCAUSE Security Constituent Group Listserv <SECURITY@LISTSERV.EDUCAUS= E.EDU> writes: On 5/21/10 3:25 PM, Flynn, Gary wrote:What do you think of disabling Shadow Copy on computers not having fulldisk encryption to prevent inadvertent storage of sensitive data? Oursupport folks indicated they don't use the feature for maintenance ortroubleshooting. Some of our Windows folks are worried that it might beused as part of the backup process or to recover files from servers(???). And it it nice to have around when pushing patches or changesthat have higher risk of failure (e.g. Service packs).At least one major enterprise backup application I'm aware of uses VSS and backups will fail should that be disabled. You'll have to test your client machines to see if your client backup process is similarly hobbled. --_000_C82152385F25flynngnjmuedu_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <HTML> <HEAD> <TITLE>Re: [SECURITY] Vista/7 Shadow Copy</TITLE> </HEAD> <BODY> <FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE=3D'font-size:= 11pt'>Yes, the question concerned clients. <BR> <BR> NTBACKUP appears to use the <B>service</B> to handle files in use. If the s= ervice is shut down, the files will be skipped.<BR> <BR> But disabling the “System Protection” feature for a volume does= n’t appear to shut down the Volume Shadow Copy service and make it un= available to other applications. All it does is tell one application, the S= ystem Protection application that makes the automated copies, to no longer = make use of the service.<BR> <BR> The concern is inadvertent storage of sensitive data in the shadow copies. = Note that data may be present even if a “secure delete” utility= is used as the shadow functionality will copy any blocks overwritten by th= e secure delete utility. And even if full disk encryption is present, that = only protects the data if the computer is stolen. It doesn’t provide = any protection from malware and I’d argue that malware is a more seri= ous and common threat to the confidentiality and integrity of data than the= ft. I’ve seen several web sites that give instructions for recovering= data from shadow copies from the command line and even mapping drive lette= rs to them though I’ve not tried them.<BR> <BR> <BR> <BR> <BR> On 5/25/10 9:10 AM, "Sam Stelfox" <<a href=3D"SStelfox () VTC VSC= .EDU">SStelfox () VTC VSC EDU</a>> wrote:<BR> <BR> </SPAN></FONT><BLOCKQUOTE><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"=<SPAN STYLE=3D'font-size:11pt'>I could be wrong but the original question =looks less like a question about servers and more about clients. I don't se= e any reason that this should be on for a normal workstation. Volume Shadow= Copy is used to access files that are currently in use and have a lock (as= suming that the program that is holding the lock supports VSS).<BR> <BR> If you are using a backup solution to backup your workstations, even with V= SS disabled the backups should not fail. <BR> <BR> I can't see any reason to keep it enabled on clients/workstations.<BR> <BR> On 05/24/2010 04:23 PM, Dexter Caldwell wrote: <BR> </SPAN></FONT><BLOCKQUOTE><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"=<SPAN STYLE=3D'font-size:11pt'> <BR></SPAN></FONT><FONT SIZE=3D"2"><FONT FACE=3D"Arial"><SPAN STYLE=3D'font-siz= e:10pt'>Agree. =A0A number of backup and other products use this service. = =A0Even some enterprise storage mechanisms leverage it on systems for thing= s like snapshots or system-state (Active Directory recovery) backups when y= ou backup Domain Controllers. =A0It just depends what you have on the back = end. =A0I'd just be careful about where it's disabled. =A0(Ex, be sure to e= xclude servers, for example) =A0It's not always obvious what dependencies e= xist. =A0Also apps like SQL Server, Exchange sometimes use this for various= functions, here's an article that's not directly related, but includes bur= ied in the article some information that describes things that can be impac= ted by the service's ability to run properly.<BR> </SPAN></FONT></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPA= N STYLE=3D'font-size:11pt'> <BR> <BR> </SPAN></FONT><FONT SIZE=3D"2"><FONT FACE=3D"Arial"><SPAN STYLE=3D'font-siz= e:10pt'><a href=3D"http://support.microsoft.com/kb/826936">http://support.m= icrosoft.com/kb/826936</a><BR> </SPAN></FONT></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPA= N STYLE=3D'font-size:11pt'> <BR> <BR> </SPAN></FONT><FONT SIZE=3D"2"><FONT FACE=3D"Arial"><SPAN STYLE=3D'font-siz= e:10pt'>D/C<BR> </SPAN></FONT></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPA= N STYLE=3D'font-size:11pt'> <BR> </SPAN></FONT><FONT SIZE=3D"2"><FONT FACE=3D"Arial"><SPAN STYLE=3D'font-siz= e:10pt'><B>The EDUCAUSE Security Constituent Group Listserv <<a href=3D"= SECURITY () LISTSERV EDUCAUSE EDU">SECURITY () LISTSERV EDUCAUSE EDU</a>> writ= es:<BR> </B></SPAN></FONT></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial">= <SPAN STYLE=3D'font-size:11pt'> <BR> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:12pt'>On 5/21/10 3:25 PM, Flynn, Gary wrote:<BR> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:11pt'> <BR> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:12pt'>> What do you think of disabling Shadow Copy on comp= uters not having full<BR> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:11pt'> <BR> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:12pt'>> disk encryption to prevent inadvertent storage of = sensitive data? Our<BR> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:11pt'> <BR> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:12pt'>> support folks indicated they don’t use the f= eature for maintenance or<BR> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:11pt'> <BR> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:12pt'>> troubleshooting. Some of our Windows folks are wor= ried that it might be<BR> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:11pt'> <BR> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:12pt'>> used as part of the backup process or to recover f= iles from servers<BR> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:11pt'> <BR> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:12pt'>> (???). And it it nice to have around when pushing = patches or changes<BR> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:11pt'> <BR> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:12pt'>> that have higher risk of failure (e.g. Service pac= ks).<BR> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:11pt'> <BR> <BR> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:12pt'>At least one major enterprise backup application I'm aw= are of uses VSS<BR> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:11pt'> <BR> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:12pt'>and backups will fail should that be disabled. You'll h= ave to test your<BR> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:11pt'> <BR> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:12pt'>client machines to see if your client backup process is= similarly hobbled.<BR> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE= =3D'font-size:11pt'> <BR> <BR> </SPAN></FONT></BLOCKQUOTE></BLOCKQUOTE> </BODY> </HTML> --_000_C82152385F25flynngnjmuedu_--
Current thread:
- Vista/7 Shadow Copy Flynn, Gary (May 21)
- <Possible follow-ups>
- Re: Vista/7 Shadow Copy Roger Safian (May 21)
- Re: Vista/7 Shadow Copy Cal Frye (May 21)
- Re: Vista/7 Shadow Copy Dexter Caldwell (May 24)
- Re: Vista/7 Shadow Copy Sam Stelfox (May 25)
- Re: Vista/7 Shadow Copy Flynn, Gary (May 25)
- Re: Vista/7 Shadow Copy Dexter Caldwell (May 25)
- Re: Vista/7 Shadow Copy Theodore Pham (May 25)