5 1 0:Blocky4sesam Configuration
Overview
Backup is a key area in enterprise ransomware protection, as cyber attacks usually aim to destroy backup data. With Blocky4sesam you choose reliable protection of your SEP sesam backups against Ransomware - secure, fully integrated and without excessive administration effort for your Windows RDS systems.
The ransomware protection is based on GRAU DATA's proven application whitelisting technologies (as recommended by the BSI). It is tailored specially for integration into SEP sesam backup solutions and prevents any modification of the data without explicit authorization. To identify authorized processes, Blocky uses the application fingerprint. Unauthorized access is also logged and reported to the administrator.
Prerequisites
- SEP sesam RDS v. 5.0.0 Jaglion or higher.
- It is recommended to set up Blocky4Sesam on an RDS component without SEP sesam GUI installed.
- Si3 NG runs on a Java platform and requires a Java Runtime Environment. The required Java version depends on the SEP sesam version. For details, see Java Compatibility Matrix, for installation instructions see Installing and Managing Java.
- For the minimum Si3 hardware requirements that apply to SEP sesam Si3 deduplication server, see Hardware requirements.
- Additional amount of RAM is required for the Si3-NG data store. For details, see Configuring Si3 NG Deduplication Store: Required additional amount of RAM and CPU.
- When estimating the maximum size of a deduplication store, you have to ensure that there is enough space available for dedup trash, otherwise the deduplication store will run out of space. You should calculate the required disk space based on a representative sample of your full backup and add the additional storage space equal to approximately 50% of the representative full backup.
- Blocky4Backup requires the Windows GUI component installed on the Windows Server.
Supported operating systems and filesystems
Blocky4sesam supports the NTFS and ReFS filesystems.
The supported operating systems are:
- MS Windows Server 2012 R2 Standard & Enterprise Edition
- MS Windows Server 2016
- MS Windows Server 2019
- MS Windows Server 2022
Configuration procedure
The configuration procedure of Blocky4sesam consists of the following general steps:
- Install Blocky4sesam module.
- Prepare the RDS system.
- Set up the SEP Si3-NG deduplication store on the Blocky-controlled volume.
Security considerations
Sufficient protection can only be achieved by meeting the following security recommendations:
- Disable remote access to the RDS system after setup. RDS should only be accessible over a local console.
- Close all irrelevant ports on the RDS system. Consider using advanced network security.
- The RDS system should not be a domain member.
- Open the Blocky GUI only when performing administrative tasks (for example, licensing or setup). Close the GUI immediately after your work is done.
For more information and additional recommendations see Ransomware Protection Best Practices.
Installing Blocky4sesam module
Install and configure your SEP sesam RDS. Download the Blocky4sesam extension module from SEP Download Center, unpack the installation package and install Blocky4sesam.
Note | |
The Blocky4BackupAdminGuide.pdfdocument is part of the installation package. You can check the Blocky4Backup Administration Guide for more details on installation procedure. |
When the installation is complete, launch the Blocky GUI and set up the password.
Preparing the RDS system
To ensure the full functionality of the sesam Si3-NG deduplication store, the Java interpreter used by sesam's sds service needs to be whitelisted for Blocky.
Because other components might be using the Java interpreter, a dedicated Java interpreter should be created only for SEP sesam use. To enhance security on the RDS system, access to the dedicated Java interpreter must be restricted.
To prepare the SEP sesam RDS and configure the Java interpreter:
- Run the <SESAM_VAR>\ini\sm_prof.ps1 as Administrator to launch the PowerShell terminal with sesam profile.
- Run the following commands:
>ini >$interpreter=(Get-Content sm.ini | findstr java_interpreter ).SubString(17) >$path_only=($interpreter.TrimEnd('\java.exe')) >copy $interpreter $path_only\sdsj.exe >echo $path_only
- In the File Explorer go to the folder printed out by the echo $path_only command.
- Right-click the file sdsj.exe and click Properties.
- In the Security tab click Advanced and then click Change permissions.
- Click Disable inheritance and then select the option Convert inherited permissions into explicit permissions on this object.
- Make sure the user SYSTEM has file ownership and then remove all permission entries except the one dedicated to the user SYSTEM. Click OK.
- Log into Blocky GUI and in the menu bar click Whitelisting and then Whitelist Programs. Browse to the location of the sdsj.exe file and add it to the whitelist.
- Open the config file <SESAM_VAR>\ini\sm.ini using a text editor and change the java_interpreter parameter in section [JAVA] from <JAVA_HOME>\java.exe to <JAVA_HOME>\sdsj.exe. For example:
Before:[JAVA] java_interpreter=C:\Program Files\ojdkbuild\java-11-openjdk-11.0.15-1\bin\java.exe
After:
[JAVA] java_interpreter=C:\Program Files\ojdkbuild\java-11-openjdk-11.0.15-1\bin\sdsj.exe
- Restart the SEP sesam service on the RDS server.
Setting up the SEP Si3-NG deduplication store on the Blocky-controlled volume
To set up the Blocky data store in SEP sesam GUI first create a new SEP Si3 NG deduplication store and then create a dedicated media pool with required retention period:
- In the Main Selection -> Components, click Data Stores to display the data store contents frame.
- From the Data Stores menu, select New Data Store. A New Data Store dialog opens:
- From the Store Type drop-down list, select SEP Si3 NG Deduplication Store.
- From the Device Server drop-down list, select the Blocky4sesam RDS for your data store.
- In the Path field, enter the location of your Blocky4sesam data store or use the Browse button to select it. Click OK.
- From Main Selection -> Media Pools, click New Media Pool. The New Media Pool dialog opens.
- Specify the name, drive group and retention period of the media pool, and other fields as required.
- In the data store contents frame, right-click your Blocky data store and click Properties.
- In the Drives list, double-click the first drive to open the Drive Properties window.
- In the Options field, enter -o use_blocky. This drive option enables the deduplication store to run in a Blocky compatible mode and ensures correct behavior during drive configuration. Click OK.
- Run a test backup on your newly created deduplication store. For more details, refer to Run a test backup on Si3.
- Log in to Blocky GUI and enable Access Control for the volume where your newly created SEP Si3_NG deduplication store resides. For more detailed instructions refer to the Blocky4Backup Administration Guide.
Licensing
To activate your license for the Blocky-controlled volume where your deduplication store is running, you should have received a Capacity-ID. If you purchased Blocky4Sesam for multiple RDS servers, you should have received a Capacity-ID for each instance purchased. In this case repeat the following procedure for every server and corresponding Capacity-ID.
- Launch Blocky GUI on Blocky RDS and type in your password.
- In the upper menu bar click License and then Request License.
- In the popup window select the volume for which you want to activate your license and click OK.
- Enter your Capacity-ID and click OK.
- Follow the wizard to complete the licensing procedure. For more details refer to the Blocky4Backup Administration Guide.
See also
SEP Immutable Storage - SiS – Configuring Si3 NG Deduplication Store – Encrypting Si3 NG Deduplication Store – How to Create a Remote Device Server (RDS) – Standard Backup Procedure – Standard Restore Procedure – Restore Assistant – Licensing