Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Post Reply
minahanse
Lurker
Posts: 2
Liked: never
Joined: Jul 06, 2016 2:46 pm
Contact:

Run as different user?

Post by minahanse »

I'm wondering if by creating a designated user account in Windows and using that for backing up would prevent ransomware from encrypting the USB drive. The USB drive would of course only be accessible to that specific user account. I tried doing this but where I keep getting stuck is the fact that Veeam Endpoint Backup service runs as "Local Systems account" and thus SYSTEM account needs access to the USB in order for the backup to be successful. Is there a way to do something in these lines? I am trying to find a solution to elderly people who won't remember to replug the USB drive if using the unplug after backup done feature. Another thing I was wondering was that could the USB drive be shared to the network and then using the Veeam's backup to share feature?
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Run as different user?

Post by Dima P. »

Hi minahanse,
Is there a way to do something in these lines?
By setting another account you have to grant the same level of permissions localsystem account has, so I believe it does not make any difference.
Another thing I was wondering was that could the USB drive be shared to the network and then using the Veeam's backup to share feature?
Yes, it should work. If shared drive is visible thru the network surroundings you can use it as a shared folder destination.
minahanse
Lurker
Posts: 2
Liked: never
Joined: Jul 06, 2016 2:46 pm
Contact:

Re: Run as different user?

Post by minahanse »

Thank you Dima P for the quick reply.

I got the USB drive shared and Veeam is now backing up to it as it should, the key was to also make the service run as same username. I'm just curious if this is enough to prevent ransomware from infecting the backup files on the USB drive? Assuming of course that the username which has write access won't be used for anything else and thus never logged on as unless backup needed.
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Run as different user?

Post by Dima P. »

Thanks for the heads up. I guess, if the account is dedicated to backup job and not used by end users - you are good to go.
folerx
Expert
Posts: 113
Liked: 8 times
Joined: Jun 22, 2016 9:47 pm
Full Name: Daniel Kaiser
Contact:

Re: Run as different user?

Post by folerx »

is is this good procedure?
1. make new local account, example "backup"
2. add this account to local "backup operators" group
3. sign in as this new account
4. make new folder on external usb disk and set ntfs acl with write permission to this new account
5. configure veb and point it to this new folder
6. sign out and sign in to standar user
7. veb will backup in background as we configure it in step 5?
8. ransom cant access backup folder?

tnx
folerx
Expert
Posts: 113
Liked: 8 times
Joined: Jun 22, 2016 9:47 pm
Full Name: Daniel Kaiser
Contact:

Re: Run as different user?

Post by folerx »

update
my steps 1-8 wont work, access denied
veb wont eject hdd
how to run veb as different user against ransomware?
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Run as different user?

Post by Dima P. »

Daniel,

VEB is not running under your local user account - instead it operates under built in LocalSystem account
folerx
Expert
Posts: 113
Liked: 8 times
Joined: Jun 22, 2016 9:47 pm
Full Name: Daniel Kaiser
Contact:

Re: Run as different user?

Post by folerx »

Ok, how to set ntfs acl for different user so that only this user can access files? If standard user run ransomware he cant encrypt files.
chaycock
Enthusiast
Posts: 98
Liked: 17 times
Joined: Jul 15, 2016 4:51 pm
Full Name: Carlton Haycock
Contact:

Re: Run as different user?

Post by chaycock »

Since VEB runs as SYSTEM, could you just create a backup folder on the USB and remove all rights and just grant SYSTEM the rights needed to write to the drive/folder?
folerx
Expert
Posts: 113
Liked: 8 times
Joined: Jun 22, 2016 9:47 pm
Full Name: Daniel Kaiser
Contact:

Re: Run as different user?

Post by folerx »

chaycock wrote:Since VEB runs as SYSTEM, could you just create a backup folder on the USB and remove all rights and just grant SYSTEM the rights needed to write to the drive/folder?
ok, but when i need to restore job, how to access backup files?
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Run as different user?

Post by Vitaliy S. »

I guess you will need to revert all the changes back to access these files.
Post Reply

Who is online

Users browsing this forum: No registered users and 32 guests