If this were to happen, it would be a little late for Ghost. Not to mention, you still have to make regular backups, or everything you've done since you made your disk image is lost.

depending on what I plan to do with the system, I typically will just ghost a good bare minimum install and back that up to a file server. I don't mind re-installing software, but m$ installs are not on my list of fun things to do.

I have used this setup in the past...

3 drives... 1 system, 2 to create a mirrored volume.

Drive 1 serves for all system/program related things. Backup images of this are made after I update the system configuration / program installs. It doesn't have to be after everyone one, but after so long, it's not a bad idea to update the system image, eh?

Drive 2 and 3 are mirrored, so hereby reffered as Volume 2. Volume 2 is only and _always_ only data. This data is archived on a regular basis zip/rar for win32, tar.gz for the nix; then offloaded to two seperate places.

The first of these places being another system on the network where access to the data is relatively easy, but sheltered from any outside systems. The second, of course, being some form of media like cdr, dvdr, zipdisk, cf.. all depends on the type of system and size of data.

This has proven to be a relatively simple, painless way to quickly restore different types of losses/corruption without doing a full overhaul. With one exception.. my full 160GB storage device that shit out... and that was my fault for not having 2 available.

But there's more to it than just Ghost.

What I find works pretty well is to do a reference install on a given machine, then dd or ghost that out to backup media. By 'reference', I mean that you install the OS from trusted media, *fully* patch it from trusted sources (service packs, daemon/kernel/application revisions, whatever), and have a final installed version that you can call production-ready up and running.

*BEFORE* any other users touch the box, ghost or dd it to removable backup media. 'Removable' is a flexible term in this case: it may be a mirrored drive, or it may be a compressed version of the reference install on a burned CD. Either way, the end result is the same.

Every month or so, pull out that backup and apply updates as necessary on a second machine that your users can't touch. Re-ghost/dd that box. You now have an up-to-date OS install for quick disaster recovery.

Step 2: if you'd read ahead, you'd know that I was going to recommend backing up *only* user data after the box went live to a secondary source ;) . Here's why:

Let's say the box gets royally 0wn3d. It's rootkitted/spl01t3d to hell & beyond, and your users' directories have active trojans sitting in them with all sorts of funky execute permissions applied all over the place.

- Do whatever forensics you need to do to determine the cause of the attack. Note those causes down for future reference.

- Reformat. Entirely. Blow the box away. It's good for the computer, it's good for the admin.

- Restore the OS from the recently-patched ghost/dd backup you've kept. Apply any interim patches you may have missed and re-dd/ghost. At least they shouldn't be much.

- Reinstall the software used to back up your users' data. Also reinstall any antivirus software you may be using, and update it (particularly in the Windows world).

- Restore your users' data, and check it for virii/trojans. Further, if you found the rootkit / exploit used to gain access, GET RID OF IT and deny logon and execute privileges to the user that spawned it as per your notes (you did take notes during the forensics period, right?).

- PATCH THE FUCKING HOLE. If one person got in, others will. Don't assume that only one person will find the weakness in the machine.

The basic idea here is to minimise the potential for a) an attacker to successfully exploit a box, b) wasting time on recovering from being owned, and c) it happening again.

For backup I dont put the ghost coppies on a harddrive that takes up space i just write ghost coppies to a dvd+rw. I think I might try what c0nv3r9 says

PERC 3
4 36 Gig Barracudas in a RAID-5.


I can lose two drives, as long as one has time to rebuld onto a spare..

No images required, and no downtime while you reimage your machine.

--Medic

And assuming you can afford it... and assuming that your controller card doesn't shit out on you.

But definately a nice hardware-based route to take :)

10 drives. 10 controller cards. Problem solved.

Add clutser server services if you hve extra servers laying around.

How I wish M$ supported RAID50.