How to build a Windows disaster recovery toolkit

Sooner or later, a security incident will shut down or disrupt your network. You'll be better prepared with these items in your disaster recovery toolkit.


Over the weekend I dealt with a misbehaving server. That experience reminded me that no matter how large or small your business is, you need a security disaster toolkit at the ready should any event occur. You’ll also need a disaster checklist that maps out processes and resources to speed recovery.

Microsoft-specific tools

You have good Microsoft-specific tools to consider for your toolkit, starting with Sysmon. Microsoft’s tool logs detailed information about process creations, network connections, and changes to file creation time, and it stays resident across reboots. To start, review a sample Sysmon configuration on GitHub.
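A minimal Sysmon configuration, added here as an illustration (it is not the GitHub sample the article refers to), that covers the three event types just named; the process names in the network rule are my own choices, not a recommended list:

```xml
<!-- Illustrative Sysmon configuration covering the three event types
     discussed above: process creation, file creation time changes and
     network connections. Not the GitHub sample referenced in the article. -->
<Sysmon schemaversion="4.22">
  <!-- Record a SHA256 for every logged image so a suspicious binary can be
       matched against a sample later in the investigation -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1, process creation: an empty exclude list logs every
         launch (parent, command line, hash), the baseline investigators need -->
    <RuleGroup name="ProcessCreate" groupRelation="or">
      <ProcessCreate onmatch="exclude"/>
    </RuleGroup>
    <!-- Event ID 2, file creation time changed: dropped files are often
         backdated to blend in ("timestomping"). Log every change except those
         from a sync client that legitimately rewrites timestamps (assumption:
         OneDrive is the noisy process in this environment) -->
    <RuleGroup name="FileCreateTime" groupRelation="or">
      <FileCreateTime onmatch="exclude">
        <Image condition="image">OneDrive.exe</Image>
      </FileCreateTime>
    </RuleGroup>
    <!-- Event ID 3, network connections: logging every connection is too
         noisy, so include only connections made by scripting hosts and Office
         applications, which rarely need the network and are worth reviewing -->
    <RuleGroup name="NetworkConnect" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="image">powershell.exe</Image>
        <Image condition="image">wscript.exe</Image>
        <Image condition="image">cscript.exe</Image>
        <Image condition="image">mshta.exe</Image>
        <Image condition="image">winword.exe</Image>
        <Image condition="image">excel.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Install it with `sysmon64.exe -accepteula -i sysmon-config.xml` (or `-c` to update a running instance); the events land in the Microsoft-Windows-Sysmon/Operational log, which you should forward to a collector so they survive a compromised host.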

Then, if you haven’t already, install the Local Administrator Password toolkit. Attackers typically gain a foothold on a network through targeted phishing. From there they use tools such as Mimikatz or WDigest credential harvesting to obtain the hash of a single local administrator password. In the past, admins often took the easy road and used the same local administrator password throughout the network. Attackers know our habits and use the harvested password to move laterally until they have full access to the network. Install this now, before an incident. If you are rebuilding your network after an incident, use this toolkit to rebuild more securely and take away attackers’ ability to move laterally on compromised passwords.

Another tool you might want to bookmark, but not necessarily download in advance, is the Microsoft Safety Scanner, which finds and removes malicious files from systems. Because it ships with the definitions current at download time, download a fresh copy for each incident. The Safety Scanner only scans when manually triggered and is usable for 10 days after being downloaded.

Make a disaster-recovery jump bag

Often disaster teams have a “jump bag” of key personal and professional items ready at a moment’s notice. You may be up late or need to travel to various locations to deal with a disaster. Include mundane items such as a toothbrush, toothpaste and snacks with your computing tool bag, as you might be pulling an all-nighter to get your network functional again.

With the advent of cloud computing, you’ll want access to the Azure portal and, of course, licenses and ISO images of the relevant operating systems. Having operating system access so you can boot into and restore from a backup is key to recovering quickly. Document the means to access such items as your firm’s Azure portal, volume licensing center or other access to ISOs and product keys and store them both online and offline in a secured paper format (seriously). You may need to have access to a credit card or other purchasing authorization to acquire resources and access to services to rebuild.

Think in terms of alternatives to your normal channels of communication and ensure that there are authorized processes. In a disaster, your firm’s email might be down, so what alternative ways do you have to communicate with key team members or management? Have in that bag a list of contact information; review that list on a regular basis.

Things to consider for your on-premises jump bag include:

  • Several network cables including straight-through and loopback
  • USB or serial cables as needed for your environment
  • Juniper and Cisco serial adapters
  • Hard drives, SSDs and external USB drives of various sizes
  • Flash drive
  • Various drive interface adapters
  • Handheld label printer
  • Four-port hub
  • Digital camera or phone that can take photographs
  • Cable ties and cable snips
  • Assorted screw and hex drivers
  • Notebooks and pens
  • Chain of custody forms
  • Incident handling procedure
  • Business cards for all members of the team

If you are part of a forensic team, you also need items such as imaging software and portable drive duplicators with write-blockers.

As we move our data to the cloud and data centers, you’ll need fewer physical items in your jump bag and more things such as logins to the Azure portal and Office 365, or contacts on the incident response teams at the data center where your data is located.

Have disaster-recovery checklists ready

You’ll also want a checklist of actions to take. For example, on compromised inboxes in Office 365 you’ll want to follow the Microsoft guidance on actions to take. Take the time to go through the Microsoft guidance to secure Office 365, including reviewing the actions you can take on the Office Secure Score.

If you have a checklist and are in the process of moving to the cloud, it’s wise to review it to ensure that its steps were written with security in mind. You might also need to expand your plan to include steps for notifying your cyber insurer or handling media impact. Security plans and documentation need to be reviewed periodically to ensure that the right steps are in place. You may also need to revisit them to ensure you remain in regulatory compliance.

Many people start with the NIST documentation as a foundation. The National Institute of Standards and Technology has several documents that can help you review your own disaster plans and checklists. The SANS organization has resources to help you as well.

You’ll want to ensure that your disaster kit has links and resources as well as mundane items such as information on how to access the internet using alternative means should such things as domain controllers and internet-connected devices be impacted.

List processes to take on suspect devices. For example, for many years the standard process to deal with hacked machines was to turn them off and isolate them to ensure you maintained the log files and evidence. Now the standard process might depend on where the device is located and what it is. Instead of taking the device offline, you might flip it to an isolated network for further investigation.

When you are investigating workstations and servers, ensure your processes include taking backups of the impacted devices in their impacted state. Once the network and devices are operational again, you’ll need to investigate the breach and its potential impact. In fact, you might want two teams: the first dedicated to investigating the incident and preserving evidence for future analysis, and the second to recovering network operations. The need to preserve evidence is often forgotten in the zeal to restore operations as soon as possible.

Take the time now to plan for a disaster before you have one. Make sure you are ready for when, not if.


Copyright © 2019 IDG Communications, Inc.
