Posey's Tips & Tricks
Automating Air Gapped Backups in Windows
As long as you avoid a couple of possible pitfalls, the process should not take too much effort.
In my own organization, I take a multi-tier approach to data protection. Like so many other organizations, I use a continuous data protection solution as my primary backup. However, I like to hedge my bets by also creating air gapped backups and immutable air gapped backups.
For those who might not be familiar with the term, an air gapped backup is a backup that is physically disconnected when complete. For example, writing a backup to tape and then ejecting the tape when the backup is done is an example of creating an air gapped backup. Air gapped backups will never be as current as a backup that is created by a continuous data protection solution. However, air gapped backups provide enhanced protection against ransomware infections. If a ransomware attack were to occur, the ransomware cannot encrypt a backup that is physically disconnected from the network.
There are any number of different ways in which you can create an air gapped backup. In my case, I write air gapped backups to removable hard drives. I have several such drives and rotate them so that although one drive is usually connected to my network (to enable the creation of a backup), the others are unplugged and stored in a secure location.
Since nearly all of my data is file data, I use a custom PowerShell script to copy data from my file server to the backup drive. The script is written in such a way that the backup perfectly mimics the contents of my file server at that moment in time. In other words, if I move a file to a different folder, the script will detect that the file has moved and will move the file’s location within the backup. Similarly, if I delete a file from my server, the script will acknowledge the deletion by removing the file from the backup.
As you can imagine, a lot of work went into creating this script, but it was worth the effort because the script meets my needs perfectly. Well, almost.
The one issue that I have with my backup script is that I have to run it manually. After all, creating an air gapped backup is often a manual process, especially when you consider the need for inserting or removing physical media. I am usually pretty good about remembering to create at least one air gapped backup each day, but admittedly there are times when I get busy and forget to do it. Thankfully, there is a way to automate the process.
Before I show you how this works, keep in mind that my air gapped backups are based on a PowerShell script. The technique that I am about to show you can be used to automatically run nearly any PowerShell script, but I am focusing specifically on backup scripts.
The Windows operating system contains a built-in tool called the Task Scheduler that can be used to launch an application on a scheduled basis. In fact, Microsoft leverages the task scheduler as a means of performing various scheduled maintenance tasks for the Windows operating system. In the case of a backup script however, the Task Scheduler can be used to automatically launch the script as a schedules time.
You can launch the Task Scheduler by clicking the Start button and entering the words Task Scheduler in the search box.
Overall, creating a scheduled task is a super intuitive process. To do so, you must provide a name for the task, define a trigger (when do you want the task to be performed?), and then tell Task Scheduler what action to perform (what program do you want to run?). As simple as this might be however, there are two "gotchas" associated with using the Task Scheduler to run a PowerShell backup script.
The first of these gotchas is that you will have to come up with a way of ensuring that PowerShell receives the necessary permissions. My backup script for example, requires administrative credentials and must be run in an elevated PowerShell session. The trick to providing the necessary credentials is to create the scheduled task by using the Create Task option, not the Create Basic Task option. If you look at Figure 1, you can see that the Create Task dialog box includes an option for specifying the user account that will be used when running the script. There is also a checkbox that you can use to force the task to run with the highest privileges.
[Click on image for larger view.] Figure 1. You can use the Create Task dialog box to specify the account to be used.
The other gotcha is that the Task Scheduler cannot directly execute PowerShell scripts. Instead, you must instruct the Task Scheduler to launch PowerShell and then tell PowerShell that you want to run a script. The way that you do this is by creating a new action that will launch a program. Set the program name to Powershell.exe. Then, set the arguments to:
-NoProfile -ExecutionPolicy Bypass -File “<The script’s path and filename?”
You can see what this looks like in Figure 2.
This is how you launch a PowerShell script from the Task Scheduler.
[Click on image for larger view.] Figure 2. This is how you launch a PowerShell script from the Task Scheduler.
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.