Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Post Reply
akrietsch
Influencer
Posts: 14
Liked: 1 time
Joined: Sep 09, 2016 9:12 pm
Full Name: Alex Krietsch
Contact:

Veeam Agent Restore Permissions

Post by akrietsch »

I have been testing with the new release of VAW. With the servers I am testing, they are all currently backing up to a VBR repository.

It appears that local administrators on the servers that are being backed up have the capability to start backups and restores. Is there a way to control who has the ability to kick off backups and restores? I care less about the ability they have to start a backup, but we tightly control who has the ability to restore something, and we don't want a user to be able to restore something (just because they are a local admin on that server) without going through the proper channels first.

More alarmingly, it looks those same users have the ability to choose to restore something from any other server being backed up by VAW and stored on our VBR repository. For example, a local admin on APPSERVER1 could choose to restore a file, and then in the File Restore Wizard they can click on the "Backup" tab and see and choose from the other VAW servers, including DC1, a domain controller we are backing up that the user otherwise has no access to. That user can then restore files from the DC1 backup using APPSERVER1.

Are there any controls that we have so that users are not able to do any of this unless they are a Veeam administrator?
DGrinev
Veteran
Posts: 1943
Liked: 247 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg
Contact:

Re: Veeam Agent Restore Permissions

Post by DGrinev »

Hi Alex,

You should set agents permissions for the backup repository through Veeam B&R Console by adding computer name. This way, the local admin of the server will see only the backup related to his machine.
Please review this article about Setting up User Permissions on Backup Repositories. Thanks!
skochetkov
Influencer
Posts: 24
Liked: 5 times
Joined: Feb 12, 2015 12:36 pm
Full Name: Sergey Kochetkov
Contact:

Re: Veeam Agent Restore Permissions

Post by skochetkov »

Hello Alex,

Backup configuration and restore processes require administrative privileges. Backup start doesn't. What about ability being able to restore anything from the said VB&R server: did you separate your backups by using agent permission option?
https://helpcenter.veeam.com/docs/agent ... tml?ver=20
akrietsch
Influencer
Posts: 14
Liked: 1 time
Joined: Sep 09, 2016 9:12 pm
Full Name: Alex Krietsch
Contact:

Re: Veeam Agent Restore Permissions

Post by akrietsch »

Ok, originally I had a Veeam service account as the only listed account under Agent permissions for my repository. This is an account that is a local admin on my Veeam servers and is also the account that I specified in the VAW job to connect to the repository.

Is there anything special I need to do when changing the agent permissions? I have tried everything from specifying the Computer account, to denying to everyone, and the restore capability from the servers that I described before is exactly the same. No changes.
DGrinev
Veteran
Posts: 1943
Liked: 247 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg
Contact:

Re: Veeam Agent Restore Permissions

Post by DGrinev »

Hi Alex,

Agents can see all backup files in the repository as they were created by using the same account.
Follow this step by step guideline to achieve what you are after (this can be done only in domain environment):
1. Add a particular server by domain\computer name to the repository permissions.
2. Open Veeam Agent on the server and clear checkbox with personal credentials in Configure backup menu.
3. Initiate new backup run.
4. When it will be completed check that the local admin of the server can see only latest backup.
5. Repeat for each server or user account.

Also, you can use domain user accounts for the repository permissions instead of computer accounts. Thanks!
akrietsch
Influencer
Posts: 14
Liked: 1 time
Joined: Sep 09, 2016 9:12 pm
Full Name: Alex Krietsch
Contact:

Re: Veeam Agent Restore Permissions

Post by akrietsch »

Thanks. That process of adding the computer accounts and removing the service account from the job gave me the desired result.
MichaelG7
Influencer
Posts: 16
Liked: 1 time
Joined: Jul 05, 2018 7:55 am
Full Name: Michael
Location: Germany
Contact:

Re: Veeam Agent Restore Permissions

Post by MichaelG7 »

During a file level restore only the files for the specific workstation are available.
But when performing a bare metal restore i had to use our privileged backup admin user to access the repository. This lead to the fact that all agent backups are available.
Is there any way to restrict the visibility of the other backups in case of bare metal recovery?
Post Reply

Who is online

Users browsing this forum: Amazon [Bot] and 27 guests