Looking for Windows Server Backup Advice

Last week I started a new job and as I was getting myself acquainted with the network I found that our backups haven’t been properly running for god knows how long. Apparently, the NAS that we’ve been backing our server up to has filled up with 9-year-old data most of which isn’t reflected on our current server. So I’m in the process of figuring out a new way of backing up our server and was looking for recommendations and advice.

Our current backups are being done through QNAP software running on the server and I don’t know why we aren’t just using a scheduled Windows Server Backup that points to the NAS as its location. In my mind having third-party software on the server is kind of a security issue regardless of its authenticity, am I wrong to think that I should change our process to use Window Server Backup instead? Also, I can’t think of how this backup is worthwhile. Like if we were subject to a network attack that wrecks the server surely it would wreck the NAS, sure in the case of a disaster having on-site backup might be fortuitous but I guess I’m wondering is a way to protect my NAS in the case of a malicious attack.

Also, anyone with data storage policy recommendations would be appreciated because apparently, we don’t have a policy for deleting old data from the NAS. Instead, I’m thinking of just pulling the old drives, shelving them, and starting fresh.

Thank you for your advice.

I would troubleshoot why the QNAP backups are failing because it might be an easy fix. I would start here because the previous person who set it up went through all the trouble of configuring the backups, so it would save you a lot of trouble.

I would also recommend sending backups to a remote destination. It could be Amazon S3, Wasabi, B2, whatever works. Be sure to configure it so your application sending the backups has write only permissions. If the device sending backups is compromised, you don’t want a bad actor to be able to read your off-site backup status or even delete your backups.

As for retention, that is up to your own personal needs. I keep on-site backup for two weeks, then remotely I keep six months worth of weekly backups and two years worth of monthly backups. This sort of thing can be easily configured with object storage lifecycle hooks.

They’re failing because the NAS is out of space. It’s an easy fix, but I’m thinking of reconfiguring if I’m starting with a fresh raid.

I would not really be as concerned with security in this case. It is more that you are presumably locked into this specific NAS box, and any old backups would be invalid if the box breaks? While with a more standard backup system, you could just copy the backups to a new box without issues.

Yes, say ransomware or whatever would probably get the NAS as well. But backups are useful for more than just malicious attacks.

Here are some what ifs that you should consider if you are protected from, or if they are something you would want to be protected from:

  • What if someone deletes a file off the server accidentally and notices right away?
  • What if someone deletes a file off the server accidentally and does not notice for a long time?
  • What if due to failing hardware or a random bitflip a file is corrupted? (i.e. data rot)
  • What if the raid controller or drives on the server fail catastrophically?
  • What if you get ransomware or a similar malware on your network?
  • What if you have a malicious employee go through and delete as many things as they can.
  • What if the entire building burns down or gets flooded and ruins both the server and the NAS?

So, just a single NAS on site is not really good enough.
Follow the 3-2-1 rule for backups.

Two options for the ransomware specifically are having an offline backup (something that gets physically unplugged), or having something that pulls backups and keeps a history.

I would suggest some sort of staggered backup. It depends on how important the data is and what the data is that you are storing as to how long the tiers are.