Isolated Backup Method for Ransomware Protection


I'll keep this as brief as possible, but as informative as possible.


I have a client that is a small family construction business. They are setting up a small dedicated office for about 5-6 people maximum, whereas they previously ran the family business from each other's homes. This client will have 1-3 people in the office at any given time, and the 3 masonry/construction guys will have desks/docking stations for themselves whenever they need to be there. They will have a standard small / home office setup with possibly a small Active Directory server, a UniFi switch and two UAPs, then of course the usual Dell desktops and laptops.


What I'm looking for is a backup solution that is resilient against ransomware/crypto-ware. Because this is a really small office and most of the staff have admitted their computer ignorance, I'm wondering what is the best way to have an automated, ransomware-proof backup that allows the backup to be offline in a more automated fashion?


My first thought was having a NAS connect to a small switch (which was then connected to the UniFi 24-port switch) where the switch port could be enabled/disabled on a daily schedule programmed into the switch. However, from what I'm researching, that may not be possible for a smaller desktop-type switch. The UniFi switch & controller I know doesn't support this, hence a secondary smaller switch connected. My second thought is to use a USB dock with on/off power buttons for each individual port and have backup software utilize two USB-based external drives for alternating backups, then have someone physically press the button on or off each day. A third solution is really crude, but could work for option 1, which is to get an electrical timer (like what you see used for Christmas lights, etc.), plug that into a small desktop switch that is powered on for a few hours to allow Veeam Community to back up, then the timer cuts the power to the switch until the following day, and so forth.


If my thinking is entirely off here, what is an adequate solution?  This construction company is small, family based, and they aren't looking to spend $10,000 or such on IT equipment, but simply to go from working at home, to now having a small office that does offer technology they need and backup protection as well.


Why not use a backup service like Backblaze? It is very affordable and easy to configure. Or use something like Dropbox or OneDrive, depending on how much space you need for backup; those would also be a very easy solution. Combine it with Macrium Reflect and schedule backups, and you should be fairly well connected. Also invest in a good A/V, not just Windows Defender, or take steps to isolate the workstations from the server, and pick a day like Friday to scan each computer, then do the backup.


  • 2 weeks later...

I'm sure it's possible, although I've not done it, just discussed it, that you can set Veeam to bring a resource online, back up, then drop offline till needed. Might be wrong on that, so don't quote me.


Second option, is the NAS used purely for backup?  Is it on a separate network or is it used?  Could you use a second NIC on the server and direct connect to the NAS, as part of the backup job can you script to enable/disable the network card that is then connected to the NAS?

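One way to script the second-NIC idea from the reply above, as an added example that is not part of the thread: the dedicated adapter is enabled only while the backup runs and is always disabled again afterwards, even when the job fails. The adapter name, NAS address, log path and backup script path are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. All parameter defaults are assumptions, not values from the thread.
param(
    [string]$AdapterName = 'BackupNIC',      # hypothetical name of the NIC wired directly to the NAS
    [string]$NasAddress  = '192.0.2.10',     # placeholder address (documentation range)
    [scriptblock]$BackupCommand = { & 'C:\Scripts\Run-BackupJob.ps1' },  # hypothetical job wrapper
    [int]$LinkTimeoutSec = 60
)
$ErrorActionPreference = 'Stop'
$log = Join-Path $env:ProgramData 'backup-nic.log'

function Write-Log([string]$Message) {
    '{0:u} {1}' -f (Get-Date), $Message | Add-Content -Path $log
}

try {
    Write-Log "Enabling adapter $AdapterName"
    Enable-NetAdapter -Name $AdapterName -Confirm:$false

    # Wait until the link is up and the NAS answers, or give up.
    $deadline = (Get-Date).AddSeconds($LinkTimeoutSec)
    while (-not (Test-Connection -ComputerName $NasAddress -Count 1 -Quiet)) {
        if ((Get-Date) -gt $deadline) {
            throw "NAS $NasAddress not reachable after $LinkTimeoutSec seconds"
        }
        Start-Sleep -Seconds 2
    }

    Write-Log 'Starting backup job'
    $global:LASTEXITCODE = 0
    & $BackupCommand
    if ($LASTEXITCODE -ne 0) { throw "Backup job exited with code $LASTEXITCODE" }
    Write-Log 'Backup job finished'
}
catch {
    Write-Log "ERROR: $_"
    throw
}
finally {
    # Runs on success and on failure, so the NAS link never stays up by accident.
    Disable-NetAdapter -Name $AdapterName -Confirm:$false
    $status = (Get-NetAdapter -Name $AdapterName).Status
    Write-Log "Adapter $AdapterName status after job: $status"
    if ($status -ne 'Disabled') { Write-Log 'WARNING: adapter is still enabled' }
}
```

Run it from an elevated scheduled task. The NAS is reachable for the duration of the job, and anything with administrator rights on the server can re-enable the adapter, so this narrows the exposure window rather than creating a true offline copy.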
