Re: Vista/7 Shadow Copy

[Theodore Pham <telamon () CMU EDU>]

As far as I know, all the tools for directly accessing the shadow volume
snapshots require administrator privileges.  So running with UAC insulates you
to a degree from malware being able to get to them.  This of course assumes the
user doesn't give the malware admin privileges and or some exploit isn't being
used to escalate privileges.

Disabling Volume Shadow Copy also disables the Previous Versions (aka right
click on a file and the Previous Versions tab lets you view prior revisions to
the file corresponding to system restore snapshots.)

Not to mention VSS is a treasure trove of forensic data should you need it.

However, if you're in a managed environment where your user data is stored on
file servers and re-imaging a machine isn't an ordeal, then disabling VSS might
be a good idea.

Off the top of my head, another way to deal with this might be to create
separate OS/software and user data partitions.  Set VSS to monitor and shapshot
the OS/software partition and turn it off for the user data partition.

Ted Pham
Information Security Office
Carnegie Mellon University

Flynn, Gary wrote:
> --_000_C82152385F25flynngnjmuedu_
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> Yes, the question concerned clients.
>
> NTBACKUP appears to use the service to handle files in use. If the service =
> is shut down, the files will be skipped.
>
> But disabling the "System Protection" feature for a volume doesn't appear t=
> o shut down the Volume Shadow Copy service and make it unavailable to other=
>  applications. All it does is tell one application, the System Protection a=
> pplication that makes the automated copies, to no longer make use of the se=
> rvice.
>
> The concern is inadvertent storage of sensitive data in the shadow copies. =
> Note that data may be present even if a "secure delete" utility is used as =
> the shadow functionality will copy any blocks overwritten by the secure del=
> ete utility. And even if full disk encryption is present, that only protect=
> s the data if the computer is stolen. It doesn't provide any protection fro=
> m malware and I'd argue that malware is a more serious and common threat to=
>  the confidentiality and integrity of data than theft. I've seen several we=
> b sites that give instructions for recovering data from shadow copies from =
> the command line and even mapping drive letters to them though I've not tri=
> ed them.
>
>
>
>
> On 5/25/10 9:10 AM, "Sam Stelfox" <SStelfox () VTC VSC EDU> wrote:
>
> I could be wrong but the original question looks less like a question about=
>  servers and more about clients. I don't see any reason that this should be=
>  on for a normal workstation. Volume Shadow Copy is used to access files th=
> at are currently in use and have a lock (assuming that the program that is =
> holding the lock supports VSS).
>
> If you are using a backup solution to backup your workstations, even with V=
> SS disabled the backups should not fail.
>
> I can't see any reason to keep it enabled on clients/workstations.
>
> On 05/24/2010 04:23 PM, Dexter Caldwell wrote:
>
> Agree.  A number of backup and other products use this service.  Even some =
> enterprise storage mechanisms leverage it on systems for things like snapsh=
> ots or system-state (Active Directory recovery) backups when you backup Dom=
> ain Controllers.  It just depends what you have on the back end.  I'd just =
> be careful about where it's disabled.  (Ex, be sure to exclude servers, for=
>  example)  It's not always obvious what dependencies exist.  Also apps like=
>  SQL Server, Exchange sometimes use this for various functions, here's an a=
> rticle that's not directly related, but includes buried in the article some=
>  information that describes things that can be impacted by the service's ab=
> ility to run properly.
>
>
> http://support.microsoft.com/kb/826936
>
>
> D/C
>
> The EDUCAUSE Security Constituent Group Listserv <SECURITY@LISTSERV.EDUCAUS=
> E.EDU> writes:
>
> On 5/21/10 3:25 PM, Flynn, Gary wrote:
>
> > What do you think of disabling Shadow Copy on computers not having full
>
> > disk encryption to prevent inadvertent storage of sensitive data? Our
>
> > support folks indicated they don't use the feature for maintenance or
>
> > troubleshooting. Some of our Windows folks are worried that it might be
>
> > used as part of the backup process or to recover files from servers
>
> > (???). And it it nice to have around when pushing patches or changes
>
> > that have higher risk of failure (e.g. Service packs).
>
>
> At least one major enterprise backup application I'm aware of uses VSS
>
> and backups will fail should that be disabled. You'll have to test your
>
> client machines to see if your client backup process is similarly hobbled.
>
>
>
> --_000_C82152385F25flynngnjmuedu_
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> <HTML>
> <HEAD>
> <TITLE>Re: [SECURITY] Vista/7 Shadow Copy</TITLE>
> </HEAD>
> <BODY>
> <FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE=3D'font-size:=
> 11pt'>Yes, the question concerned clients. <BR>
> <BR>
> NTBACKUP appears to use the <B>service</B> to handle files in use. If the s=
> ervice is shut down, the files will be skipped.<BR>
> <BR>
> But disabling the &#8220;System Protection&#8221; feature for a volume does=
> n&#8217;t appear to shut down the Volume Shadow Copy service and make it un=
> available to other applications. All it does is tell one application, the S=
> ystem Protection application that makes the automated copies, to no longer =
> make use of the service.<BR>
> <BR>
> The concern is inadvertent storage of sensitive data in the shadow copies. =
> Note that data may be present even if a &#8220;secure delete&#8221; utility=
>  is used as the shadow functionality will copy any blocks overwritten by th=
> e secure delete utility. And even if full disk encryption is present, that =
> only protects the data if the computer is stolen. It doesn&#8217;t provide =
> any protection from malware and I&#8217;d argue that malware is a more seri=
> ous and common threat to the confidentiality and integrity of data than the=
> ft. I&#8217;ve seen several web sites that give instructions for recovering=
>  data from shadow copies from the command line and even mapping drive lette=
> rs to them though I&#8217;ve not tried them.<BR>
> <BR>
> <BR>
> <BR>
> <BR>
> On 5/25/10 9:10 AM, &quot;Sam Stelfox&quot; &lt;<a href=3D"SStelfox () VTC VSC=
> .EDU">SStelfox () VTC VSC EDU</a>&gt; wrote:<BR>
> <BR>
> </SPAN></FONT><BLOCKQUOTE><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"=
> > <SPAN STYLE=3D'font-size:11pt'>I could be wrong but the original question =
> looks less like a question about servers and more about clients. I don't se=
> e any reason that this should be on for a normal workstation. Volume Shadow=
>  Copy is used to access files that are currently in use and have a lock (as=
> suming that the program that is holding the lock supports VSS).<BR>
> <BR>
> If you are using a backup solution to backup your workstations, even with V=
> SS disabled the backups should not fail. <BR>
> <BR>
> I can't see any reason to keep it enabled on clients/workstations.<BR>
> <BR>
> On 05/24/2010 04:23 PM, Dexter Caldwell wrote: <BR>
> </SPAN></FONT><BLOCKQUOTE><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"=
> > <SPAN STYLE=3D'font-size:11pt'> &nbsp;&nbsp;&nbsp;<BR>
> </SPAN></FONT><FONT SIZE=3D"2"><FONT FACE=3D"Arial"><SPAN STYLE=3D'font-siz=
> e:10pt'>Agree. =A0A number of backup and other products use this service. =
> =A0Even some enterprise storage mechanisms leverage it on systems for thing=
> s like snapshots or system-state (Active Directory recovery) backups when y=
> ou backup Domain Controllers. =A0It just depends what you have on the back =
> end. =A0I'd just be careful about where it's disabled. =A0(Ex, be sure to e=
> xclude servers, for example) =A0It's not always obvious what dependencies e=
> xist. =A0Also apps like SQL Server, Exchange sometimes use this for various=
>  functions, here's an article that's not directly related, but includes bur=
> ied in the article some information that describes things that can be impac=
> ted by the service's ability to run properly.<BR>
> </SPAN></FONT></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPA=
> N STYLE=3D'font-size:11pt'> <BR>
> &nbsp;<BR>
> </SPAN></FONT><FONT SIZE=3D"2"><FONT FACE=3D"Arial"><SPAN STYLE=3D'font-siz=
> e:10pt'><a href=3D"http://support.microsoft.com/kb/826936";>http://support.m=
> icrosoft.com/kb/826936</a><BR>
> </SPAN></FONT></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPA=
> N STYLE=3D'font-size:11pt'> <BR>
> &nbsp;<BR>
> </SPAN></FONT><FONT SIZE=3D"2"><FONT FACE=3D"Arial"><SPAN STYLE=3D'font-siz=
> e:10pt'>D/C<BR>
> </SPAN></FONT></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPA=
> N STYLE=3D'font-size:11pt'> <BR>
> </SPAN></FONT><FONT SIZE=3D"2"><FONT FACE=3D"Arial"><SPAN STYLE=3D'font-siz=
> e:10pt'><B>The EDUCAUSE Security Constituent Group Listserv &lt;<a href=3D"=
> SECURITY () LISTSERV EDUCAUSE EDU">SECURITY () LISTSERV EDUCAUSE EDU</a>&gt; writ=
> es:<BR>
> </B></SPAN></FONT></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial">=
> <SPAN STYLE=3D'font-size:11pt'> <BR>
> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:12pt'>On 5/21/10 3:25 PM, Flynn, Gary wrote:<BR>
> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:11pt'> <BR>
> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:12pt'>&gt; What do you think of disabling Shadow Copy on comp=
> uters not having full<BR>
> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:11pt'> <BR>
> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:12pt'>&gt; disk encryption to prevent inadvertent storage of =
> sensitive data? Our<BR>
> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:11pt'> <BR>
> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:12pt'>&gt; support folks indicated they don&#8217;t use the f=
> eature for maintenance or<BR>
> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:11pt'> <BR>
> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:12pt'>&gt; troubleshooting. Some of our Windows folks are wor=
> ried that it might be<BR>
> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:11pt'> <BR>
> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:12pt'>&gt; used as part of the backup process or to recover f=
> iles from servers<BR>
> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:11pt'> <BR>
> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:12pt'>&gt; (???). And it it nice to have around when pushing =
> patches or changes<BR>
> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:11pt'> <BR>
> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:12pt'>&gt; that have higher risk of failure (e.g. Service pac=
> ks).<BR>
> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:11pt'> <BR>
> &nbsp;<BR>
> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:12pt'>At least one major enterprise backup application I'm aw=
> are of uses VSS<BR>
> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:11pt'> <BR>
> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:12pt'>and backups will fail should that be disabled. You'll h=
> ave to test your<BR>
> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:11pt'> <BR>
> </SPAN></FONT><FONT FACE=3D"Geneva, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:12pt'>client machines to see if your client backup process is=
>  similarly hobbled.<BR>
> </SPAN></FONT><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE=
> =3D'font-size:11pt'> <BR>
> &nbsp;<BR>
> </SPAN></FONT></BLOCKQUOTE></BLOCKQUOTE>
> </BODY>
> </HTML>
>
>
> --_000_C82152385F25flynngnjmuedu_--