Re: Extend this idea of restricting write privileges
The problem is it can't be controlled by "write privileges" on any box that is potentially compromised.
If your cryptolocker is run as an ordinary user then any normal backup is fine because it is done by a privileged account. But if your malware is anything smarter than a small user-mode script then it will exploit either the meatware for a suitable password or use any one of the numerous flaws in *ANY* OS to gain what it needs to attack all. There is always some sort of admin account, and pointing to the all-powerful UNIX root is a distraction that if you have a more compartmentalised model (as Windows should be, but usually is not) you still only need a few more steps to get the account you need.
Really, the only viable option is to reverse the process, so the backup machine comes in and reads what it needs from servers and desktops and where it writes it to, and how versioning/snapshots/etc, are controlled is well separate from the at-risk boxes.
Of course this also assumes you can simply log-in to the backup machine using an account on the others...
Biting the hand that feeds IT
