Best Practices

  • For accessing network mount paths, create and use a non-interactive user account to access the network mount paths. A non-interactive user is an account that has been denied local log on rights. To create a non-interactive account, use the following procedure:
    1. Open GPEDIT.MSC and go to Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment.
    2. Add the user to the Deny Log on Locally policy.
    3. Create the network using Full Control permission to the user and deny permissions for all other users.
    4. Configure an antivirus software for Ransomware protection.
  • Do not log on to the CommServe or MediaAgent computer directly. Instead, do the following:
    • Use a virtual machine proxy computer that has the JAVA GUI and SQL Management Studio installed.
    • Block all ports on the virtual machine, except for the ones required for JAVA GUI or SQL Management Studio.
    • Log on to the CommCell Console, and then access the MediaAgent computer.
  • Use Commvault Powershell script to harden Windows based on recommendations from Microsoft.
  • Use Install Windows Update Workflow to download and install Microsoft updates on client computers that operate on Windows operating system.
  • Protect your CommServe Disaster Recovery (DR) backup. In addition to DR Backup location and Export location, use the Edge Drive Uploader Tool to regularly upload a copy of the CommServe databases to a collaborative share on https://cloud.commvault.com.

    Note: Storage of CommServe DR backup data on https://cloud.commvault.com is a free service to all customers.

  • We recommend that you store a copy of data on tape or on cloud storage. Tape and cloud storage store offline data, and offline data is not easily accessible to ransomware software.

Last modified: 6/24/2019 9:32:34 PM