DavidS
Veeam ProPartner
Posts: 11
Liked: 6 times
Joined: Aug 18, 2014 12:00 pm
Full Name: David
Location: Switzerland

Security Doubts - Microsoft Exchange Explorer

Post by DavidS »

Hello All

We've encountered some security questions about the Microsoft Exchange Explorer for Veeam B&R Restores.

After I demonstrated a file restore through the Microsoft Exchange Explorer in Veeam, my boss had some doubts about the security aspects of this explorer.
I am able to read and restore any mail in any inbox of any person on the backed-up Exchange server (not on the production server, but on the backup server), and that's considered a lack of security...

So, is there any possibility to restrict the availabilities of the Exchange Explorer?
Like, no opening of the mails, just read the subject.
Or password query before you can open a specific mailbox.
Or just give access to one ultimate-master-admin for restoring through the exchange explorer?

Maybe my question is a bit of an overkill, or this is a real need which more people had thoughts about.

Glad for any feedback :)

Greetings
David
srebuccicellularline
Novice
Posts: 6
Liked: 1 time
Joined: Nov 21, 2013 2:10 pm
Full Name: Simone Rebucci c/o Cellular Italia SpA

Re: Security Doubts - Microsoft Exchange Explorer

Post by srebuccicellularline »

Hi David, this is not a lack of security of the software: your boss should be aware that you, as the IT Manager, should be able to read every email and every file on your file server.
geksi
Novice
Posts: 5
Liked: 1 time
Joined: Jan 27, 2012 1:24 pm
Full Name: Alexander

Re: Security Doubts - Microsoft Exchange Explorer

Post by geksi »

srebuccicellularline wrote: Hi David, this is not a lack of security of the software: your boss should be aware that you, as the IT Manager, should be able to read every email and every file on your file server.
Absolutely, but not a BackupAdmin.
Our organization has two "SUPER" admins who can do everything.
All others are restricted.
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Security Doubts - Microsoft Exchange Explorer

Post by Gostev » 1 person likes this post

Backup Admins are gods, because they can physically access and obtain a copy of any data from any server. And anyone with physical access to data can do anything at all. Including things like retrieving any account's password from Domain Controller backup, reading every email in Exchange mailbox database backup, reading every credit card number from SQL Server backup, etc.

While in theory it would be possible for us to restrict access to Veeam Explorer for Exchange, in practice this makes no sense, as you cannot prevent Backup Admins from downloading any other similar tool (of some dozen that exist) which will do the same thing being pointed at a mailbox database file from backup.
DavidS
Veeam ProPartner
Posts: 11
Liked: 6 times
Joined: Aug 18, 2014 12:00 pm
Full Name: David
Location: Switzerland

Re: Security Doubts - Microsoft Exchange Explorer

Post by DavidS »

Thanks for the answers, that's more or less what I thought.

So I wonder what bigger companies, like banks, with more restrictive policies do about this problem?
Do they have special agreements with their backup admins or do they simply not use Veeam?

Or is my question really this odd :shock:
dellock6
VeeaMVP
Posts: 6166
Liked: 1971 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy

Re: Security Doubts - Microsoft Exchange Explorer

Post by dellock6 »

David,
having worked for some banks (even in the country listed in your profile.. ;)) I can tell you, it's a mix of technical multi-tenancy, and also deep auditing of operator activities and procedural agreements.
If you need to segregate restore operators, you should really look deeper at our Enterprise Manager; there you can create roles and scopes. My session about it at VeeamON is free to be viewed online here: http://go.veeam.com/veeamon-free-sessions. Look for VT-09. Hope it can help you get a better idea of how to limit restore options.
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Security Doubts - Microsoft Exchange Explorer

Post by Gostev »

Correct, it's all about the auditing of who is doing what. For example, this is why we do not allow deleting session history, and provide a designated Restore Operator Activity report in Veeam ONE.
DavidS wrote: Do they have special agreements with their backup admins or they simply don't use veeam?
You have to understand that the specific product does not matter. Give me access to an image-level Exchange VM backup produced by any backup tool out there, and I will first extract the EDB, and then all emails out of it with Veeam Backup Free Edition (or a similar tool) in no time.