I work in a company with around 1000 computers, and our endpoint security software blocks the use of Windows System Restore points. I'm curious if there are significant risks with these restore points being exploited in the real world. Can anyone provide insights or resources that explain why it's advisable to disable such a useful feature?
5 Answers
Yes, attackers could potentially use restore points to access sensitive data. For example, they could access older copies of system files to retrieve password hashes, which is a significant security risk.
It's definitely a risk worth considering, especially in enterprise environments.
I wouldn't recommend using restore points on client machines either. If the system is important enough, make sure there’s a solid backup in place. Otherwise, a simple reinstall does the job just as well.
Honestly, I don’t see much value in system restore points for typical business PCs. If something goes seriously wrong, it’s usually quicker to reinstall or reimage the machine than to troubleshoot. I've found that if a system takes longer than 30 minutes to fix, it’s just better to start fresh.
Exactly, and restore points can really slow down installs and updates - just not worth the hassle!
Totally agree! A reimage can get users back to work in no time, especially with the way tech is set up these days.
Disabling system restore points makes it clear that critical systems should rely on proper external backups. These points can introduce vulnerabilities that attackers might exploit to persist or damage data. In case of a malware infection, best practice is to treat the machine as compromised and restore from a known good backup.
For domain-joined machines, system restore can cause issues. I’ve seen it revert machines back to states before they were added to the domain, which is problematic. We’ve decided to completely disable system restore to avoid complications, especially since the endpoint software seems to enforce that.
That's concerning! Have any countermeasures been put in place for this? Is it really common enough to justify completely disabling restore functions?
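As an added example (not code from any of the posters or from the endpoint product mentioned), here is a PowerShell audit that checks what the answers above argue for: whether System Restore is switched off by policy on a client, and whether any leftover restore points or shadow copies still hold old copies of system files. It assumes an elevated Windows PowerShell 5.1 session, since Get-ComputerRestorePoint and Disable-ComputerRestore are not available in PowerShell 7.

```powershell
# Added audit example (not from any poster). Run elevated in Windows PowerShell 5.1.
# 1. Is System Restore turned off by Group Policy? The policy "Turn off System Restore"
#    writes DisableSR=1 under this key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$disableSR = (Get-ItemProperty -Path $policyKey -Name DisableSR -ErrorAction SilentlyContinue).DisableSR

if ($disableSR -eq 1) {
    Write-Output "System Restore: disabled by policy (DisableSR=1)"
} else {
    Write-Output "System Restore: NOT disabled by policy (DisableSR missing or 0)"
}

# 2. Any restore points still present? On a locked-down client this list should be empty.
$points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
if ($points) {
    Write-Output "Restore points found:"
    $points | Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize
} else {
    Write-Output "Restore points: none found"
}

# 3. Restore points are backed by volume shadow copies, which persist until deleted,
#    so report those too (Win32_ShadowCopy is the documented CIM class).
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if ($shadows) {
    Write-Output "Shadow copies found:"
    $shadows | Select-Object ID, VolumeName, InstallDate | Format-Table -AutoSize
} else {
    Write-Output "Shadow copies: none found"
}

# 4. Optional enforcement on the system drive, if the endpoint agent is not already
#    doing it for you. Uncomment to apply.
# Disable-ComputerRestore -Drive "$env:SystemDrive\"
```

Run it across the fleet (for example through your RMM or a scheduled task) and anything reporting restore points or shadow copies on a machine that should have them disabled is worth a closer look.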