I backup my Windows system partition using Macrium Reflect 6's backup schedule. The software adds an entry to Windows Task Scheduler and the backup usually runs without trouble. Since the backup location is a folder on an always mounted hard drive -- F:\Files --, I risk backup corruption if my computer gets infected (ie ransomware) before I can copy the files to an external drive. To deal with this, here is what I've done:

• I use the PC as a standard (non-administrator) account
• I've right-clicked the backup folder, gone to Properties >> Security >> Edit permissions, and clicked "Deny" under the "Write" permission for users belonging to the Users group.

My intent is to make it impossible for non-admin users -- and hence most malware -- to overwrite or corrupt the backup files. The restriction took effect as I expected: for instance I now need to enter an administrator password if I wish to write a file to F:\Files. The problem is that the backup job now fails. In Macrium UI, here is the error I see:

Backup aborted! - None of the specified locations could be written to

I'm surprised by this error because I think the task is set to run as the Admin account; when I setup the backup job in Macrium I was explicitly asked which user account should be used, and to enter that user's password so I chose Admin. As a result I expected the software to have no problem writing to the backup folder even after I revoked write permissions from non-admins. If I open up Task Scheduler and look at the task details, here is what is shown under Security options:

As you can see, the task is run as Admin. The author of the task (not shown in the screenshot) is also Admin. The action of the task is:

C:\...\Reflect.exe 
   -e -w "F:\Files\Schedule.xml" -inc -g {some long token here}

Am I overlooking something or is this a bug with my backup software? The last run result in Task Scheduler shows simply (0x1)

---

Upon further investigation, I discovered that if I log in as Admin and try to write a file to the restricted folder, I can't. Denying Write perm for the Users group also denied it for the Admin account. This is probably why my backup job is failing. The image below shows the Effective Permissions for Admin after I deny write permissions to the Users group.

I also discovered that although blocked accounts could not save a new file to the folder, they could still delete the files already present. So I was still vulnerable to malware deleting these files. I needed more restrictive permissions. I also need to find a way to deny perms for all non-admin users, but allow it for admins.

Here is what I did

Instead of denying permission for the entire Users group, I decided to try denying permission for only the account I use day-to-day.

From the folder Properties screen (right click the folder and select Properties):

1. click Advanced
2. click Change Permissions
3. click Add
4. type the account username I want to restrict
5. click Check Names: the fully qualified username (eg: MyPC\John) should auto-populate the textarea
6. click OK
7. A popup that allows to set permissions granularly for the selected users should open. Here is what I did with mine:

Most importantly, I denied all Write, Delete, Change permissions and Take ownership permissions. Now things seem to be working as intended. With my day-to-day account I can neither write, nor delete files in the backup folder. However as Admin I can do both. A manual backup just completed successfully as well so things seem to be OK. I'll know tomorrow whether the scheduled task runs without trouble.

This is still not the fix I'm looking for

What I'd like is for all non-admin users to be restricted. My solution blocks just one non-admin -- MyPC\John -- but if another non-admin profile were created (or maybe even if my username changed?) the restrictions would be bypassed. I'm looking for something closer to the protection on C:\Program Files directory: I'm always blocked from making changes there if I'm not an admin.

This is a bit confusing. Before I started denying folder permissions, all accounts could modify the backup directory or run backup task. I never needed to actually give permission to run the task. Thus if I remove my "deny" rule, there will be no restriction on who can corrupt the files.

Also please note: if I don't deny any permission, then regardless of who actually runs the backup job, the regular user account would have full access to the backup files. Any malware -- acting as the current user -- would be able to corrupt or delete my backups. This is what I was trying to avoid in the first place.

@Beetlejuice - Which is the reason you should allow access to specific users instead a user group. Of course you do understand, none of this, will prevent ransomware from still running. If you download and execute ransomware its already to late to prevent it.

I understand it won't prevent ransomware from running. But if the ransomware is acting as the logged in user, this would prevent it from encrypting my backups. So although I wouldn't have prevented the ransomware, I would be able to recover from it pretty easily by restoring from backup. As for "allow access to specific users instead of a user group", please explain with an answer if you care to. I never proactively allowed any user group; by default, users can modify the folder -- so this advice confuses me a bit.

Thanks for the write-up Scott. If I uncheck Allow at the drive root F:`, wouldn't it prevent non-admins from modifying files anywhere within that drive? I'm trying to restrict only the backup directory F:\Files`.

@BeetleJuice: I have edited my answer to clarify that. … … P.S. Use double backticks (e.g., ⁠`⁠`F:\`⁠`⁠) to get a code-formatted backslash (\) in a comment; e.g., F:\.  The facts that comments follow different formatting rules from posts, and that there is no preview for comments, are long-standing problems here.