The Storage Team Blog about file services and storage features in Windows and Windows Server.
Are the Backups secured?
Yes. The Complete PC Backup (CPC) or Windows Server Backup (WSB) can only be invoked by a user belonging to either the Administrators or the Backup Operators group.
Backups are ACLed to be accessible only to the Administrators and Backup Operators groups.
By default, the Backups inherit their ACLs from the parent directory.
However, if a user chooses to ACL the Backups strongly, the Backups are ACLed to be accessible only to the user whose credentials are provided at the time of Backup, rather than inheriting from the parent. The Backups are also ACLed for Administrators and Backup Operators of the machine which hosts the Network Share.
The Backup is done after the media is formatted to UDF format, which doesn't support ACLs. So the Backup to Optical Media is only as secure as the physical media.
The Backup is done after the media is formatted to NTFS format, and the Backups are ACLed to be accessible only to the Administrators and Backup Operators groups.
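An added example (not from the original post) of auditing the ACL behaviour described above: a PowerShell function that flags any allow ACE on a backup folder granted to a principal other than Administrators and Backup Operators, and reports whether the ACL is inherited from the parent. The function name Test-BackupAcl, the tolerance for SYSTEM, the sample SDDL string and the E:\WindowsImageBackup path in the comment are assumptions made for this illustration.

```powershell
# Added example: audit who is granted access to a backup folder.
# Assumption: SYSTEM is tolerated in addition to the two groups the post names.
$AllowedSids = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-32-551',  # BUILTIN\Backup Operators
    'S-1-5-18'       # NT AUTHORITY\SYSTEM (assumption, see above)
)

function Test-BackupAcl {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.AccessControl.DirectorySecurity]$Acl
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited ACEs, with identities returned as SIDs so the
    # check does not depend on localized group names.
    $rules = $Acl.GetAccessRules($true, $true, $sidType)
    $unexpected = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $AllowedSids -notcontains $_.IdentityReference.Value
    })
    New-Object PSObject -Property @{
        # True when the folder takes its ACEs from the parent directory,
        # which is the default case for a backup on a network share.
        InheritsFromParent = -not $Acl.AreAccessRulesProtected
        UnexpectedAces     = $unexpected
        Compliant          = ($unexpected.Count -eq 0)
    }
}

# Constructed sample: a folder that inherits its ACL from a parent share
# which also grants BUILTIN\Users read and execute (the BU entry).
$sample = New-Object System.Security.AccessControl.DirectorySecurity
$sample.SetSecurityDescriptorSddlForm(
    'D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;BO)(A;OICIID;0x1200a9;;;BU)')

$result = Test-BackupAcl -Acl $sample
$result | Format-List InheritsFromParent, Compliant
$result.UnexpectedAces |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Against a real target (hypothetical path), run from an elevated prompt:
#   Test-BackupAcl -Acl (Get-Acl -Path 'E:\WindowsImageBackup')
```

A result with InheritsFromParent set and a non-empty UnexpectedAces list is the default network-share case from the post: the backup is readable by whoever the parent directory's ACL admits.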
Can I additionally secure the Backups by backing up to an encrypted folder (Creating Encrypted WindowsImageBackup directory in the root of the volume or in network share and backing up to the volume or the network share)?
No. Backup to a target which is encrypted at file system level is not allowed.
If you attempt this, you will get the following error message:
“Backups cannot be stored on an encrypted volume. Please decrypt the volume and retry the operation”
Can CPC or WSB backup the Systems protected by BitLocker?
Yes. You can use CPC or WSB to back up your systems protected by BitLocker.
Additionally, you can secure the Backup Target Disks too by protecting them with BitLocker.
For Backups to succeed, ensure that the volumes being backed up and the Backup Target, if BitLocked, are unlocked.
Are the Backups of volumes which are protected by BitLocker encrypted?
No. The Backups of volumes which are protected by BitLocker aren't encrypted. Backup reads the data blocks from the VSS Shadow created on the volume, which is clear text. Hence Backups are not encrypted.
To secure the Backup data in case the System or Backup Target is stolen or lost, the Backup Target, if it is a disk, can be secured using BitLocker protection. Note that if you are restoring your system from the Backup (Bare Metal Recovery), the volumes which were BitLocked when the backup was taken will not be BitLocked after recovery. Hence you will need to BitLock the volumes again.
If the Source Volume(s) or Backup Target is BitLocked, do I need to do any additional steps during System Restore (Bare Metal Recovery) or in Online Recovery?
For any type of Recovery, ensure that the Backup Target, if BitLocked, is unlocked. If the Recovery is a file-level recovery (File Recovery, App Recovery, System State Recovery), the Recovery Target also needs to be unlocked if it is BitLocked. However, unlocking a locked BitLocked Recovery Target is not needed if the Recovery is a volume-level recovery (Volume Recovery, System Recovery (Bare Metal Recovery)).
Encrypted File System (EFS) and BitLocker links:
CPC – Complete PC Backup in Vista and Vista SP1
WSB – Windows Server Backup of Longhorn Server 2008
- GeethaKrishna S
We have been working with our MS TAM requesting additional functionality for the Vista Backup utility. We would like a standard user (non admin) to be able to schedule and/or kick off a user file backup on demand. We would also like a member of the Backup Operators group to have permission to do the same with a Full PC Backup. Do you see these features being added to the product? If so, do you have a target timeframe?
Thanks for your feedback. We will definitely consider your request.
Also please note that Complete PC Backup's command-line tool, wbadmin.exe, can be invoked by a user belonging to the Backup Operators group.
Is there a way to restore individual files from a backup created with WBAdmin or is this just for full computer restores?
CompletePC Backups are meant for Disaster Recovery scenarios.
Restore of individual files is not supported.
I read elsewhere in your blog that Vista Backup was designed to be simple for consumers to use. Well, it seems simplistic to me, and why is a version of back up that has been truncated for simple consumers shipping inside Vista BUSINESS edition? I've never had to buy back up software before, but with no way of determining which directories to back up, Vista's backup is useless to me.
Why would I want to save every document from the program files directory? If I've lost the program, what good are the cryptic text files and license agreements going to do for me. It's absolutely ridiculous that the back up software that ships with Vista would provide no ability to select which directories to back up.
Windows Complete PC Backup is incremental in that after the first backup, only changed blocks are captured. I need to start over with a new Complete PC Backup image because I had to restore a PC back to the factory state after a hard drive failure. If I just delete the <machine name> backup folder, will that cause an entirely new Complete PC backup to be taken? Or do I have to do something else? TIA
Surely removable backup media are always as secure as physical access. I can't see the difference between 4 & 5 except the level of knowledge of the attacker.
What stops somebody with physical access to the device reading the removable media in a system which doesn't honour ACLs?