[security weakness] DPM protection agent requires 135 and 445 ports to be opened on DPM server
Recently, I've evaluated DPM 2019 server as backup solution for internal infrastructure and found that DPM agent requires 135,445 ports to be opened on DPM server. Without it, DPM agent cannot send it's status and initiate backup job.
This is big security hole. As you know, a lot of ransomware and cryptolockers use these ports to spread across local network. If any of servers with DPM agent will be infected, then they will be able to connect to DPM server (RPC) and encrypt it's datastore.
As you can see, DPM server backups cannot be 'last hope' to recover infrastructure if all others servers were encrypted because DPM server will aslo be encrypted and there is no chance to avoid it.
Please, correct me if I was wrong.