It is estimated that 25% of SMBs use virtualized environments and the forecast for the coming years looks very promising. There are various benefits gained with virtualization, such as, lower operational costs, resources scalability, IT automation, faster deployments of application servers and many more features. On the other hand, we tend to ignore or give low importance to challenges or risks that are introduced with virtualized environments. As the overall benefits outweigh the challenges, the perceived risks are low! Is this the approach we need to take to move forward towards secure and stable virtualized environments?

What are the new challenges introduced with virtualization? As opposed to the traditional environment, we can hardly define a control structure for a virtualized environment. With the greater flexibility and rapid provisioning there is a risk of sprawl management and with the decentralized unrestricted access management, there is a risk of non-compliance or security breaches – virtualized control management needs to take a new form! The challenge is to create a structure that is dynamic, portable and accurate.

Implementing a control structure to an existent uncontrolled environment may be painful as it may requires configuration changes! As regards to implementing best practices and procedural controls the tasks is somewhat less painful. Therefore, securing and controlling the virtualized environment should take into consideration both the technical aspects and human factors. The best approach would be to plan ahead all controls before implementing the virtualized environment.

There are various areas to consider when designing a virtualized environment. One concept often ignored by IT stuff is to separate the management network traffic from the data services network through separate subnets. Another common trend is to group Virtual Machines by performance levels instead of trust/criticality level first. Is the IT including the hypervisor (virtualized platform) in its patch management exercise? There may be even tougher design decisions at the network level.  As the network components in virtualized environments are all virtual, such as, vnics, virtual switches, etc. special attention is required to design the network layout. The environment may require a firewall or DMZ within the hypervisor or enabling virtual MAC protection. Remember, that certain vendor specific products enable nics in promiscuous mode and disable MAC protection!

If the company backup strategy is based on images and snapshots, then apart from the well defined procedures and policies one needs to test recovery procedures. In a Windows Active Directory environment, restoring an outdated or out of sync AD server will cause problems! Images of Virtual Machines are easily copied to external devices and taken off the premises. Are there any controls in place or detection mechanisms to monitor such movements?

Once, the virtualized environment is up and running, guidelines, procedures and policies need to be put in place. These should include segregation of duties, identity and access management, asset and log management. As it is very difficult to track incidents, access restrictions to logs need to be established. While restricting access to virtualized resources is important, make sure that logs are enabled and collected from all components, including the hypervisor logs. Educating stuff about policies and procedures is essential, however, auditing such procedures on regular basis is vital!

Last 3 posts by George

• Organizational IT Risks - August 24th, 2010
• How can online criminals steal our credit card information? - August 16th, 2010
• Credit Card Processing & PCI - August 10th, 2010

Every organization, risk auditor or analyst, security pro or individual may come up with a different definition of IT risks. While all definitions would most probably fit in the IT risks universe, it is very important that there is a common understanding and terminology within an organization. In fact, we find structures or better frameworks that help organizations manage IT risks.

Frameworks help organizations build an underlying structure that deals with the strategy, the tactical and the operational aspects of security and risks. No single framework is a perfect match and hence, a better approach would be to review a couple of frameworks such as, Cobit, ISO or ITIL and use parts where appropriate.  It is recommended to mix, match and personalize frameworks as to create your own structure. Common sense within a framework is necessary and will drive consistency.

 
IT risks must be put in the context of the big picture and not isolated from the rest of the organization. They may fall in different categories or levels but their impact is always linked directly or indirectly to the business. An organization must integrate risk management with IT Governance and compliance, whether they are external laws and regulations and/or internal corporate policies and procedures.

Custom Search

What kind of Risk levels we find in an organization?

Lowest level isolated type of risks may happen on a day-to-day basis.  User errors are the most common, however, IT related risks may be present in badly configured servers or setups, insecure project tasks, etc. The lack of security awareness and education among the employees will increase the probability of risks. Various tools and controls can be used to minimize these risks.

A combination of low level risks would comprise the organization’s infrastructure security. The impact is higher as it starts disrupting business units. At this level of risks we find project failures, vulnerable infrastructure, violation of SLAs by vendors, etc. The implementation of adequate controls and standards is a must at this level.

A combination of failed projects, violated SLAs and infrastructure vulnerabilities will lead to enterprise level disruption. At this level, apart from the business disruption which means financial losses, the organization may suffer bad reputation as well!

At the highest level of risks we find elements tied to the business such as, market perception, strategic failures and regulatory compliance.  The impact at this level is critical as an organization may lose its market share and ruin the business, can be fined and make it to the news headlines!

Last 3 posts by George

• Virtualized Environments' Challenges - September 7th, 2010
• How can online criminals steal our credit card information? - August 16th, 2010
• Credit Card Processing & PCI - August 10th, 2010

A customer (Cardholder) is purchasing a product form a merchant who accepts credit card on-line payments. The merchant uses a third-party organization (called the acquirer) that provides card processing services. Customers obtain their credit cards from an organization (called issuer) such as, banks or financial institutions. There are various brands (card associations) of credit card networks such as, VISA, MasterCard, etc. These networks act as a gateway between the third-party company (acquirer) servicing the merchants on-line payment and the bank or financial institution (issuer) for authorizing and funding transactions.

The payment process goes through the following steps:

1. The customer pays for a purchase from the merchant on-line store
2. The acquirer verifies with the bank that the card number & transaction amount are both valid and then processes the transaction – transaction authorized
3. Transaction is stored in a batch for later processing by the acquirer
4. Transactions batch is sent to the bank by the acquirer using the respective card association network, which debits the customer accounts and credits the acquirer – acquirer has been paid for all transactions
5. The acquirer pays the merchant, less the processing fee

Credit card companies and banks can be trusted, hopefully! But what security controls are in place for the merchants and acquirers setups? We need a secure process, in other words, a mechanism that oversees that the cardholder’s data is stored, processed and transmitted securely from the Merchant’s website to the Bank.

Payment Card Industry (PCI) Data Security Standard (DSS) governs all the security procedures that all entities involved should adhere to. It started with the major card associations having their own security programs and progressed to a combined effort to develop the PCI standard and council. Apart from acquirers and issuers as PCIs’ member organizations we find service providers. Service providers are companies that provide card related services to acquirers and issuers.

PCI compliance requirements are based on different levels where such levels relate to the volume of credit card transactions performed annually. For example, merchants with more than 6 million annual transactions fall under level 1 while major payment gateways are at level 1 in the service provider’s category. However, a small merchant with a small amount of transactions annually but with a history of data breaches can be moved to level 1. All levels carry the same security requirements, with top levels having more stringent validation requirements. For example, Level 1 requires that merchants or service providers meet the DSS standard, conduct and pass yearly penetration tests, quarterly scans and pass a yearly audit by external auditors. Lower levels have less firm validation requirements.

When we say security requirements we mean that entities should install and maintain a firewall configuration to protect cardholder data, use strong passwords, restrict logical and physical access to data, use updated anti-virus software on their systems, develop and maintain secure systems, protect cardholder data, etc. The list goes on not only to the internal environment but to the cardholder data overall environment which can be a networked system connected to a public network or an off-site data storage service. Most audits fail because merchants or service providers fail to protect stored data according to these requirements!

Last 3 posts by George

• Virtualized Environments' Challenges - September 7th, 2010
• Organizational IT Risks - August 24th, 2010
• How can online criminals steal our credit card information? - August 16th, 2010

Oldest written document ever found

Contingency backups are short term backups people take to protect against computer failure. These backups represent a snapshot of computer documents at a particular instance in time and should be updated as frequently as the implemented backup technology allows. These backups protect users against deleting a file by mistake or taking a working document one notch back rather than one forward. These backups protect against external mishaps such as hardware failure, malware attacks and such like events. Online backups are best suited for this type of backup. 

What I am calling an archive backup can also be termed a prosperity, point-in-time or indefinite backup. An archiving backup is the act of copying documents on a computer for the purpose of referring to them at some point in the future. Compared to contingency backups, when one takes this type of backup there is never the intent to overwrite the backup with a later copy. Certain online backup companies may offer archiving services as part of a standard package or provide the same for a fee. I have encountered situations in which forgotten contingency backups become potential archiving backups when these are discovered stashed in some remote corner of an organisation. 

You can think about archive backups as equivalent to the manuscripts created hundreds and thousands of years ago. From these texts we get a glimpse of the affairs of the era, the people who ruled and the news of the day. Those who take archive backups are not thinking of such a distant future but create these snapshots for one of two reasons: legal obligations or to retain a snapshot of the organisation just in case one needs to go back at that exact point in time. For example, archive backups may be taken prior to a major system upgrade. 

The frequency at which an organisation takes an archive backup can range from daily to once every blue moon depending on legal, computation, physical and financial considerations. A small SME may not afford the time, money and space necessary to make a daily archive backup and a simple “end of year” snapshot would do. 

Progress and change are archived data’s main nemeses. Yet the same progress and change are technology’s main driving forces. This contradiction makes it more difficult to successfully read archived data the longer the time period between when the archive was made and when it is accessed. 

Many organisations try to avoid having to delete files as much as possible. The let’s-keep-it-just-in-case syndrome is nowadays much easier to justify thanks to the dirt cheap price of hard disks. In many organisations all documents are stored on a central file server and with certain companies it is becoming standard practice to have the folder of a former employee moved as a subfolder under his boss’s directory when the person leaves the company. 

There are a few tips that, if followed, increase the chances of successfully accessing archived data at some point in the future: 

1. Export a copy of the files you want to archive to a format that is open. Companies come and go and with them they take their proprietary formats. Just because a company no longer exists does not mean that its file format algorithm is known. Even if the file format may have been deciphered partially or fully, it doesn’t mean that the licence holder of the file format would have granted others the right to reproduce it.
2. Export a copy of documents to a format that can be faithfully read by many programs. This compliments the point above since if a format can be faithfully reproduced by many programs it implies that the format is well documented. It does not mean that the format you are saving to today will be in common use in 25 years’ time but it does mean that the likely hood of finding a tool that deciphers it increases in relation to how popular the format was in the past.
3. No company will last forever / no software will last forever. Do not be misled by the fact that just because the manufacturer of your software is the biggest on the planet it will remain so many years into the future. The absolute majority of tech companies will eventually go bankrupt, be bought out, dwindle into obscurity or move out of certain areas of technology. And while they are on top these companies take decisions that effects the software they produce. For example, in Microsoft’s 25 years of selling Word, there have been 12 versions of the product with 5 distinct file formats. The latest version of the program does not natively read files produced by the first version and the currently available filters do not retain formatting well when importing very old formats.
4. Export to a format that is not compressed or encrypted. This allows you to extract the data if everything else fails.
5. Save documentation about the programs you use to edit the stuff you want to archive. Remember that after 25 years you will not have the vaguest recollection of what program you used to create the stuff with. Having the name of the program makes it easier to target your future searches more accurately. This should be in a plain text file format to ensure readability.
6. Save as much documentation as possible about the format itself. Just because today the internet is packed with information about the format does not mean that when your successors are researching archived data for the 100^th anniversary of the company, any information about the format the documents are written in would be easy to find.
7. Upgrade your documents to the latest version of a program. A newer version of a program normally works flawlessly with the version of the program it replaces. If the file format between program versions has changed, you should upgrade all your documents to use the file. With office productivity tools this normally necessitates that you open the document and “Save As” it to the new format. After having confirmed that everything is OK, you should delete the files having the old extension if the extension would have changed. If you have a large number of documents you may want to automate the process.
8. Store the archives in a secure place. Not only does this help preserve the media on which the archives are backed up, but it also safeguards against anyone reading them—recall the point above that suggested that such archives should not be encrypted.

This doesn’t mean that you should no longer delete files. Business operations take precedence and filling the working folders with useless documents is counterproductive.  Besides, an archive backup is intended to be a snapshot of an organisation and not an organisation modelled to accommodate the snapshot. In order to implement an archive backup system in your organisation does not necessarily mean that you will have to spend an enormous amount of money. 

Only time will tell whether in 500 years researches will be trying to decipher optical disks and backup tapes to understand how organisations in the Cambrian period of computing used their rudimentary machines to communicate, socialise and conduct business. Scholars would be debating how society of the time allowed so much of them to be published on social networks that even allowed indiscriminate photos of third parties to be uploaded without the necessary consent.

Last 3 posts by chribonn

• Choosing Backup Media - August 31st, 2010
• When Green Is Bad - July 5th, 2010
• What your backup solution should be and do - June 27th, 2010

SharePoint requires that the backend database is Microsoft’s SQL Server. Worth noting, a couple of database limitations which are; SharePoint does not support a generic database interface, such as, Open Database Connectivity (ODBC) and you can encounter database size restrictions with previous versions of SQL server editions. Remember that the configuration and user data is all stored in the backend database. Considerations should be made whether to separate the backend database from the application platform as SharePoint is quite heavy on resources.

As the system grows its gets further customized and the need for an effective backup strategy becomes indispensible. I hope it is clear enough as to understand the importance of backing up your SharePoint environment. The Native backup solution is out of question! The major setbacks of this utility are its inexistent functionality of selecting different levels of items or folders for backup or restore operations. Without granularity of backup, an administrator needs to restore the whole database to be able to recover a deleted file. However, in the latest edition of SharePoint there is a Recycle bin where one can retrieve a deleted document.

To overcome such limitations, I suggest you invest in a third-party backup solution that at least provides the following functionality:

1. Tight integrated with Active Directory
2. Data integrity – that is, no data is ignored during backups/restores such as, meta data
3. Backup granularity and classification capabilities
4. Has adequate scheduling capabilities

Last 3 posts by George

• Virtualized Environments' Challenges - September 7th, 2010
• Organizational IT Risks - August 24th, 2010
• How can online criminals steal our credit card information? - August 16th, 2010

Private cloud is an in-house cloud computing solution that is limited to the internal users of an organization. It is more secure and can be later connected with external providers. Public cloud is any commercial cloud computing service provider that offers storage and computing power over the Internet. Hybrid cloud is a cloud model that combines the advantages of public and private cloud computing environments.
Many remote online data backup service providers use public cloud providers as their backend infrastructure. Hence, backed up data is stored at the backend and that is why the backup service provider setup needs to be secure and reliable!

Amazon as one of the first organizations to provide cloud-computing services has become one of the major players. Their setup known as Elastic Compute Cloud (EC2) allows customers to install and run applications on virtual machines (VMs). New VMs are instantiated from a library of images developed by various customers and Amazon themselves. Users can build and customize their own Amazon Machine Images. Running VMs are called running instances and you pay for the amount of computing power per hour and the in/out traffic generated (bandwidth used) while you are billed on monthly basis. Amazon EC2 provides a secure connection with public/private keys and firewall capabilities. Other database and performance/scalability services are provided such as, Simple DB and load balancing functions. Apart from EC2, Amazon has been providing a cloud storage service that provides scalable, unlimited online storage known as S3 that can provide caching functionality across the globe.

Windows Azure is Microsoft’s cloud computing platform. The main services consists of the Azure operating system, the SQL Azure database the AppFabric application connectivity service. Although, Microsoft are relatively new to cloud computing, their marketing strength is showing its force even in this area. They have a strong partnership program with its customers and resellers and this will help them become of the main players soon. Their main advantage is that they are offering their vast suite of products as cloud services plus while, on the other hand, they are offering users to run Azure in their own data centers with the Windows Azure platform appliance. Today, Microsoft cloud computing charges are very competitive with respect to other providers.

The long time hosting provider RackSpace are also in the arena! RackSpace Cloud known as Mosso includes a storage and a server infrastructure service while they still offer the traditional hosting services. RackSpace advantage may be their excellent support services when compared to other providers. RackSpace fellow competitors The Planet (Orbit) have a similar cloud setup whereas they claim that their prices are below that of a fully allocated dedicated server. While, this may be true for virtual servers, one has to work out bandwidth costs as in certain situations where a web server consumes a constant amount of bandwidth it might be cheaper to run your web applications on a dedicated server with an agreed dedicated bandwidth! The list of providers is getting bigger and bigger with names like GoGrid, HP Private Cloud, etc…

Google’s App Engine is a platform for web developers and Web hosting applications and you are charged for storage, bandwidth and CPU power. It is limited to a couple of programming languages.

The Cloud Security Alliance is making a great effort towards cloud computing security. To promote the use of best practices for providing security assurance within Cloud computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.

Last 3 posts by George

• Virtualized Environments' Challenges - September 7th, 2010
• Organizational IT Risks - August 24th, 2010
• How can online criminals steal our credit card information? - August 16th, 2010

 
So what is SAS 70 (Statement on Auditing Standard 70) Audit? – The AICPA (American Institute of Certified Public Accountants) responsible body defines it as “Report on the Processing of Transactions by Service Organizations” where professional standards are set up for a service auditor that audits and assesses internal controls of a service organization. At the end of the audit, the service auditor issues an important report called the “Service Auditor’s Report”

Now there two types of SAS 70 audits, Type I and Type II. Type I focuses on the validity of the controls in operation and that they according the specified control objectives objectives while Type II enhances Type I by checking that these controls are actually in place and being executed by the service provider.

In other words, a SAS 70 Audit is an in-depth examination of a service provider control objectives and control activities, including IT controls! Briefly, a service provider must have adequate controls and safeguards over their customers’ data in order to be able to achieve this certificate. However, SAS 70 Audit is slightly flexible and service provider/auditor dependant. That is, you may have customers that may agree or disagree with Amazon’s control objectives or operational standards!

 SAS 70 Type II may be seen as the basis for future more rigid certifications. It may lack some important aspects of security but surely it examines operational performance and the service’s ability to safeguard customer data and many hosting organizations are achieving it.

I have read many expert articles stating that SAS 70 is limited to policies and procedures inside data centers and it does not cover major security weaknesses, such as, personnel unintentional errors. This is quite a pro cloud computing statement. Why? Would an organization (with in-house solutions) take their IT staff (individual) to court in the event of data mishandling? They might and if they do, do they will be able to be paid for the lost revenue/damages from an individual? However, an organization being a customer of a service provider would take that service provider to court in case their data is mishandled. With cloud computing providers, you have higher assurance of getting something back when terrible incidents happen.

Last 3 posts by George

• Virtualized Environments' Challenges - September 7th, 2010
• Organizational IT Risks - August 24th, 2010
• How can online criminals steal our credit card information? - August 16th, 2010

From online backups to tape-drive articles!

The consortium’s roadmap for scalability and growth is already defined for the next three generations, and they state that the LTO Technology is a powerful and adaptable open tape format created to address the growing demands of data protection in the midrange to enterprise-class server environments. It is evident and understandable that such technology does not appeal to the SME (Small to Medium enterprises) market. I am not surprised at all, since the recent trend of remote online backups is very feasible to SMEs and home users, mainly because of its cheaper running costs.

We all agree that the LTO-5 is a big improvement …but over what…over its own technology!… I do not think that customers that went away from tape storage will return because of this new release! I reckon that the consortium needs to revise some concepts in order to be able to attract all kind of users.

The transfer speed improvement of 280 MB /s is quite good but not enough! Without compression it can go down to 140 MB /s and rest assured that you will never achieve a consistent compression rate of 2:1 while bear in mind the good transfer speeds of SATA 3.0 and SSD drives. Without optimal compression rates the storage capacity can go down to 1.5 TB. If I had to compare device with device then hard drives are much faster and can store same amounts data (while SSD capacity is increasing, SATA drives of 1 & 2 TB are quite common nowadays).

I would like to expand the argument about data partitions on tapes. It is a cool concept but is it that practical? Archiving to tape is not so much bound to the underlying operating system but more to the application performing the operation. Most large enterprises use a backup application that handles all backup and archiving operations and hence, I remain dependent on such backup application. So, if I had to take that partitioned tape to another system would I be able to read it without using the same application? Therefore, I would be loosing the interoperability functionality. This may bring up the idea of removing the application in between and write/read directly to the tape partition as to achieve 100% interoperability. But, if I want to use the tape as a data archiving partition, is it feasible to copy large amounts of data to a slow speed medium when I can achieve faster speeds with other media?  For example, disk drives are faster while support for the NTFS format with Linux systems and vice-versa (Ext3 for Windows) has been around for some time now! Therefore, we are platform independent with disk drives as well!

My point is why I should archive to tape when I can do it faster, cheaper and safely too – nonetheless, archiving to disk needs some taught like: having reliable RAID systems, verify features and a good reporting mechanism. However, the physical tapes remain more portable than a set of hard drives but note that their lifespan depend on the storage location, the tape drive head condition and the backup strategy used. A daily full backup reduces the lifespan of both the tape and the drive. From personal experience, some tapes lasted years while others few months!

Last 3 posts by George

• Virtualized Environments' Challenges - September 7th, 2010
• Organizational IT Risks - August 24th, 2010
• How can online criminals steal our credit card information? - August 16th, 2010

The cloud is not just a cool technology model but it is also a business model. It is a well-known fact that Amazon at the outset, designed the infrastructure for their own use but it evolved into a product or better a service offered as – Amazon’s Web, EC2, S3, or Amazon’s cloud. It is quite evident that now they are trying to increase their revenue by pushing their infrastructure to the limits through new offers such as, – Spot Instances enable you to bid for unused Amazon EC2 capacity. We all heard of power outages, resources that disappear and slower response times that may be a consequence of an overloaded setup. However, through personal experience I can say that these incidents are very rare with big providers such as, Amazon. Remember, that downtime is also possible with in-house solutions!

One common SaaS is email – if the main criteria are costs, then outsourcing email is your best option. Although, big corporations can negotiate favorable agreements with email providers such as, Google – remember that small to medium businesses may not get the same favor! A word about Google email and applications services – it is very hard to get reasonable support and you may need to rely on third-party tools for basic stuff such as, backing up email boxes. In addition, there is no guarantee that user data would be secure and backed up.

All cloud services share the available resources and therefore, you are competing for computer resources with other customers. A good alternative would be to place your assets with two different providers or use the cloud just to scale-up your systems when the demand rises. Although, you may implement all of the security measures provided by the cloud provider and by the systems themselves, there is still the risk of possible intrusion/destruction from neighboring hosts. Neighboring hosts are virtual machines that are running on the same server or in the same data center. One university claims to have a prototype/model that can identify the exact location of a virtual machine and eventually can start a neighboring VM (Virtual Machine) with high utilization that can hook the underlying platform! In the event of using the cloud as a storage provider, implementing data encryption would adequately harden security – read Securing your online backup archives

No cloud standards yet exist! If you are using the cloud as an infrastructure service, it is impossible to move your assets elsewhere say, to another cloud provider without rebuilding your systems from scratch and moving all your data, as virtual machines setups are not compatible from one provider to another. If you are using software as a service then you need to find another provider that provides the same service and data migration capabilities. Apart from all this, one of the major setbacks remains your Internet connection – so before contemplating to use cloud services make sure to invest in a good and reliable Internet connection, otherwise, you will be disappointed!

Last 3 posts by George

• Virtualized Environments' Challenges - September 7th, 2010
• Organizational IT Risks - August 24th, 2010
• How can online criminals steal our credit card information? - August 16th, 2010

One solution is to protect each and every document using a password. Many programs have such a capability built in.  For many one, two or three person organisations this solution could work; the people would password protect every file using a phrase that is shared amongst colleagues. As the number of employees increase, guaranteeing that everyone is obeying the rules makes this solution one that is too problematic. Besides certain file types cannot be password protected.

The script I am sharing is one that addresses this problem. It makes use of the commercial product WinRar to archive an entire directory (including subdirectories) into a RAR file. The RAR file name is user definable and is placed in a folder under C:\RSB. The RAR archive is password protected using a password passed to the script. The script is called rsb.cmd.

The example below would archive everything starting from D:\Personal Docs\Articles to an archive called C:\RSB\Documents. The password used to encrypt the archive is 123456.

rsb Documents “D:\Personal Docs\Articles” 123456

If you have another folder you would like to archive, simply call the command above with a different archive name and a different directory. Using a different password is up to you.

Below is the script to perform this task:

@echo off
:: This script archives a directory and all its contents with a
:: password for storage in online backup service. It adds
:: recovery information to the archive thereby increasing the
:: chance of it being opened up if the archive is damaged.
:: This script compresses files thereby reducing the storage
:: requirements as well as upload times.
:: Written by Alan C. Bonnici (email chribonn@gmail.com) 2010/05

set r_Version=1.0

rem This script takes three parameters:
rem  1. The name of the archive
rem  2. The directory (and its sub-directories) that are to be archived
rem  3. The archive password
rem The archive will be placed into a directory called RSB. Your
rem online backup program should backup all files in this
rem directory

rem All 3 parameters are mandatory
if [%1]==[] GOTO :Error
if [%2]==[] GOTO :Error
if [%3]==[] GOTO :Error

set r_Archive=%1
call :DeQuote r_Archive

set r_Dir=%2
call :DeQuote r_Dir

if EXIST C:\RSB\NUL GOTO :DirExists
md C:\RSB

:DirExists

echo The contents of this archive are intended only for the person or entity to whom they belong and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. > "%TEMP%\comment.rsb"

if EXIST "%TEMP%\output.rsb" del /q "%TEMP%\output.rsb" > NUL

"%PROGRAMFILES%\winrar\winrar.exe" u -as -av -cfg- -ow -r -rr10p -inul -ilog"%TEMP%\output.rsb" -t -hp%3 -z"%TEMP%\comment.rsb" -- "C:\RSB\%r_Archive%" "%r_Dir%"
set r_Err=%ERRORLEVEL%
if %r_Err%==0 GOTO :EndCmd

rem An error occurred. Dump the file if it exists
if EXIST "%TEMP%\output.rsb" type "%TEMP%\output.rsb"

echo.

if %r_Err%==1 echo Warning. Non fatal error(s) occurred.
if %r_Err%==1 GOTO :EndCmd

if %r_Err%==2 echo Error. A fatal error occurred.
if %r_Err%==2 GOTO :EndCmd

if %r_Err%==3 echo Error. CRC error occurred when unpacking.
if %r_Err%==3 GOTO :EndCmd

if %r_Err%==4 echo Error. Attempt to modify a locked archive.
if %r_Err%==4 GOTO :EndCmd

if %r_Err%==5 echo Error. Write error.
if %r_Err%==5 GOTO :EndCmd

if %r_Err%==6 echo Error. File open error.
if %r_Err%==6 GOTO :EndCmd

if %r_Err%==7 echo Error. Wrong command line option.
if %r_Err%==7 GOTO :EndCmd

if %r_Err%==8 echo Error. Not enough memory.
if %r_Err%==8 GOTO :EndCmd

if %r_Err%==9 echo Error. File create error.
if %r_Err%==9 GOTO :EndCmd

if %r_Err%==255 echo Error. You aborted the process
if %r_Err%==255 GOTO :EndCmd

rem Undefined error.
echo Error. Undefined error %r_Err%

goto :EndCmd

:EndCmd
rem Clean up
if EXIST "%TEMP%\comment.rsb" del /q "%TEMP%\comment.rsb" > NUL
if EXIST "%TEMP%\output.rsb" del /q "%TEMP%\output.rsb" > NUL
set r_Archive=
set r_Dir=
set r_Err=
set r_Version=

goto :EOF

:Error
echo This script takes three values:
echo    1. The name of the archive
echo    2. The directory (and its sub directories) that are to be archived
echo    3. The archive password
echo The archive will be placed into a directory called RSB (it will be created if it does not exist).
echo Your online backup program should backup all files in this directory.
echo RSB Documents "C:\Users\ACBonnici\Documents" Pa$$w0rd
goto :EOF

   :: Removes the outer set of double quotes from a variable.
   :: Written by Frank P. Westlake, 2001.09.22, 2001.09.24
   :: Modified by Simon Sheppard 2002.06.09

   :: Usage as a function within a script:
   ::   CALL :DeQuote VariableName
   ::
   :: Calling as a function from another batch file:
   ::   CALL DeQuote.cmd VariableName
   ::
   :: If the first and last characters of the variable contents are double
   :: quotes then they will be removed. This function preserves cases such as
   ::   Set Height=5'6" and Set Symbols="!@#
   ::
   :: If a variable is quoted twice and has delimiters then you will
   :: need to run the function twice to remove both sets.
   ::   Set var=""Two Quotes;And,Delimiters=Fails""
   ::
   :: If the variable name itself contains spaces the routine will fail
   :: e.g. %v_my_variable% rather than %my variable%

   :DeQuote
   SET DeQuote.Variable=%1
   CALL Set DeQuote.Contents=%%%DeQuote.Variable%%%
   Echo.%DeQuote.Contents%|FindStr/brv ""^">NUL:&&Goto :EOF
   Echo.%DeQuote.Contents%|FindStr/erv ""^">NUL:&&Goto :EOF

   Set DeQuote.Contents=####%DeQuote.Contents%####
   Set DeQuote.Contents=%DeQuote.Contents:####"=%
   Set DeQuote.Contents=%DeQuote.Contents:"####=%
   Set %DeQuote.Variable%=%DeQuote.Contents%

   Set DeQuote.Variable=
   Set DeQuote.Contents=
   Goto :EOF

If you would like to download this script rather than copy and paste it from this article point your browser to http://www.RemoteStorageBackup.com/downloads/RSBArticleCode.rar. What remains is to set your online backup program to backup everything in the c:\RSB directory. Don’t forget to periodically test that everything is working well.

Next time I’ll delve into the code and explain what it does and how it works. This will allow you to customise it to your needs.

If you have any observations or questions send an email to chribonn@gmail.com.

Last 3 posts by chribonn

• Choosing Backup Media - August 31st, 2010
• Prosperity backups - August 2nd, 2010
• When Green Is Bad - July 5th, 2010