
With hyper-distributed workloads and machine-speed threats, the traditional strategy of "securing the perimeter" as a tactic for server and virtual machine (VM) protection has become obsolete. Today, security must be integrated directly into the workload itself. As organizations manage mixed environments of hardware servers and hypervisors such as VMware, Microsoft Hyper-V, Nutanix AHV, Proxmox VE and cloud-native instances, achieving true protection requires a shift toward unified platforms that consolidate security, backup and disaster recovery into a single, cohesive architecture.
Strengthening the foundation: Hypervisor and server hardening
The hypervisor is the most critical component of a virtualized environment. A single vulnerability can lead to a ‘VM escape attack,’ which allows malware to move from a compromised guest to the host, potentially endangering every other VM on that server.
4 technical hardening requirements
- Minimalist footprint: For Microsoft Hyper-V environments, deploying on Windows Server Core rather than a full GUI installation is the gold standard. By removing the graphical shell and nonessential components, administrators significantly reduce the attack surface and lower patch complexity compared to full installations.
- Hardware-rooted trust: Organizations should mandate UEFI Secure Boot and enable virtual trusted platform modules (vTPM) by default to protect the integrity of the boot chain and secure encryption keys within the guest OS. By integrating seamlessly with Secure Boot and BitLocker-protected workloads, Acronis ensures that recovery does not bypass platform trust controls, enabling organizations to restore critical servers and VMs with confidence that both data and system integrity are preserved.
- Agentless protection efficiency: To further reduce risk at the host layer, many organizations are moving toward agentless protection. Acronis supports agentless backup for platforms such as Nutanix AHV and Proxmox VE by communicating directly with hypervisor APIs rather than requiring software inside every guest VM. This approach reduces guest overhead, minimizes agent sprawl and lowers the risk of unpatched in-guest components becoming attack vectors.
- Network isolation: Network architecture also plays a critical role. Management traffic, live migration and storage traffic should never share paths with general user or application workloads. These sensitive control-plane and data-plane flows must be isolated on dedicated networks and protected with encryption to prevent interception, lateral movement, and unauthorized access during VM operations.
The snapshot reality check: Speed vs. sustainability
While snapshots are an essential tool for short-term operational rollbacks (such as before a patch or configuration change), they are frequently misused as a form of backup.
Snapshot best practices
- The 72-hour limit: Snapshots should never be retained for more than 72 hours. Keeping snapshots for longer periods leads to massive "delta" files that degrade disk performance and can unexpectedly fill up datastores, causing total system crashes.
- Chain management: Although hypervisors like vSphere support up to 32 snapshots in a chain, industry leaders recommend keeping no more than two–three active snapshots per VM to ensure stability and rapid consolidation.
- Continuous data protection (CDP): For mission-critical servers, snapshots aren't granular enough. Platforms like Acronis Cyber Protect utilize a resident agent to monitor changes in real-time for specific applications (like SQL or Office documents), capturing modifications as they happen to achieve near-zero recovery point objectives (RPOs).
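The first two bullets can be enforced with a scheduled audit. The following is an added example, not Acronis or hypervisor vendor code: it checks a constructed snapshot inventory against the 72-hour limit and a three-snapshot chain ceiling, and the record fields (vm, id, parent, created) are assumptions standing in for whatever a hypervisor API export provides.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=72)  # retention limit from the first bullet
MAX_CHAIN = 3                  # upper end of the two-three recommendation

# Constructed inventory, normalized from a hypervisor API export.
# Field names (vm, id, parent, created) are assumptions of this example.
SNAPSHOTS = [
    {"vm": "sql01", "id": "s1", "parent": None, "created": "2026-03-01T08:00:00+00:00"},
    {"vm": "sql01", "id": "s2", "parent": "s1", "created": "2026-03-03T09:00:00+00:00"},
    {"vm": "web02", "id": "a", "parent": None, "created": "2026-03-04T01:00:00+00:00"},
    {"vm": "web02", "id": "b", "parent": "a", "created": "2026-03-04T06:00:00+00:00"},
    {"vm": "web02", "id": "c", "parent": "b", "created": "2026-03-04T12:00:00+00:00"},
    {"vm": "web02", "id": "d", "parent": "c", "created": "2026-03-05T02:00:00+00:00"},
    {"vm": "app03", "id": "x", "parent": None, "created": "2026-03-05T06:00:00+00:00"},
]

def chain_depth(snap_id, by_id):
    """Count snapshots from snap_id back to the base disk via parent links."""
    depth, seen = 0, set()
    while snap_id in by_id and snap_id not in seen:  # stop on orphan or loop
        seen.add(snap_id)
        depth += 1
        snap_id = by_id[snap_id]["parent"]
    return depth

def audit(snapshots, now):
    """Return {vm: [(issue, detail), ...]} for VMs that break either limit."""
    by_vm = {}
    for s in snapshots:
        by_vm.setdefault(s["vm"], {})[s["id"]] = s
    findings = {}
    for vm, by_id in by_vm.items():
        issues = []
        stale = sorted(i for i, s in by_id.items()
                       if now - datetime.fromisoformat(s["created"]) > MAX_AGE)
        if stale:
            issues.append(("stale", stale))
        deepest = max(chain_depth(i, by_id) for i in by_id)
        if deepest > MAX_CHAIN:
            issues.append(("chain", deepest))
        if issues:
            findings[vm] = issues
    return findings

if __name__ == "__main__":
    now = datetime(2026, 3, 5, 12, 0, tzinfo=timezone.utc)  # fixed for the sample
    for vm, issues in audit(SNAPSHOTS, now).items():
        print(vm, issues)
```

A snapshot aged exactly 72 hours passes; only older ones are reported as stale.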
The 3-2-1-1-0 rule: Immutable and air-gapped protection
In 2026, the baseline "3-2-1" rule has evolved into the 3-2-1-1-0 rule to combat sophisticated extortion tactics:
- 3 copies of data on 2 different media types.
- 1 copy kept off-site.
- 1 copy that is immutable or air-gapped.
- 0 errors, verified through automated recovery testing.
Acronis supports this by offering immutable storage options for both cloud and local repositories, ensuring that even an administrator with compromised credentials cannot delete or encrypt backup archives during a ransomware event. For extreme security needs, specialized hardened editions provide protection for air-gapped environments completely disconnected from the public internet.
AI-powered ransomware defense: Protecting the recovery path
Modern ransomware campaigns increasingly attempt to disable recovery before encrypting production data. As a result, protection must be proactive rather than purely reactive. AI-driven behavioral analysis, such as Acronis Active Protection, detects ransomware based on behavior rather than signatures, identifying patterns such as mass file modification or rapid encryption as they begin. When detected early, malicious processes can be terminated automatically and affected files reverted to their last known good state, often before administrators are alerted.
The power of unified protection
The complexity of modern virtualization demands a consolidation of tools. By moving away from fragmented, multivendor solutions and adopting a unified agent for backup, security and management, organizations can reduce management overhead and eliminate the gaps where threats often hide.
Furthermore, modern protection must account for hardware evolution. Acronis supports WinRE-based remote recovery, enabling disk-level restoration on modern hardware such as proprietary NVMe RAID controllers that traditional Linux-based boot environments often fail to recognize. Combined with Acronis Safe Recovery features that scan for malware during the restore process to prevent reinfection, a resilience-first approach ensures that recovery is designed for when failures occur, not whether they occur.

About Acronis
A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.




