Backup Server as a non-domain-member

by | Jun 23, 2020 | Security

With the rise in malware and system compromises in the last few years, there have now been multiple incidents where the backup server was targeted.  In these attacks, all accessible backups habeen erased including any tapes that were online in the tape drive, changer, or library. 

Backups are a critical part of a sound disaster recovery plan, so how do we keep them safe?  In order to remove them as an attack point, we need to make the backup server a standalone solution.  This helps separate it from any domain credential compromises. 


Even if a domain account is compromised, access to the backups and storage will not be available to the offenders. 

  • Accounts that are compromised in Active Directory will have no impact on backups 
  • The accounts used on the backup server will have a much smaller exposure to attack 


As a workgroup server, accounts used to access domain resources and services may take more configuration from both the domain and the backup server side.  You may want to continue using the account(s) you currently use for these purposes.  Ithere isn’t a separate dedicated account just for backups, we recommend that it be changed to one or more. 

  • Antivirus, windows updates, and policies need to be implemented and configured and then any issues should be resolved for the workgroup backup server.
  • Depending on the backup software it most likely will require a rebuild of the backup server to get full functionality and a clean backup environment. 

Need assistance planning or reconfiguring your backup serverEmail We are happy to help.