This question has been asked here a few different ways, but I couldn't find one that specifically addresses this for Windows 10 ACL / permissions.
In our work environment we have individual machines make backup images onto a shared folder on a Windows 10 machine that acts as a file server and only that client machine/user has access to that folder.
The concern, of course, is that if the client is ransomware attacked it could access that shared folder and encrypt / overwrite the backup files.
It would seem that using the fine grained special permissions in Windows 10 would make it possible to create a new file and store the backup, but prevent that file from being encrypted and overwritten / deleted?
Best Answer
I've dealt with with this exact scenario, as have many others in this forum, I suspect.
If a person can login as a user and read/write to server files, the files are at risk. I.e., if a user can edit a word document, then can encrypt it.
Rather than change server access permissions (they should be set up as minimum privilege needed), most organizations are changing what users can access. Our organization blocked all of Google Drive, for example. This isn't a great solution, but it's worked so far (knock on wood).
If it's just local backups you're concerned about, creating a 'backup user' that solely holds write permissions to the backup volume technically works, although I haven't tried this.
Ultimate solution is segregated incremental cloud backups.