Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Post Reply
Nick-SAC
Enthusiast
Posts: 74
Liked: 15 times
Joined: Oct 27, 2017 5:42 pm
Full Name: Nick
Contact:

VAW VB&R Repository Security

Post by Nick-SAC »

Using VAW Free backing up to the VB&R Backup Server Repository(s) :

As VAW Free evidently can’t access the 'Primary' Repository on the VB&R Backup Server (with the Repo Access Permissions set to the seemingly Desired/Default of Deny to Everyone) ...

I created a separate Repo on the VB&R Backup Server with Access Permissions assigned to a single User Account (a Pseudo User with a non-expiring password) and this seemed to work well, except...

I then discovered that the credentials are saved for that User Account in such a way that ANYONE who logs onto ANY computer (that uses VAW with that User Account) can Restore Files from ANY backup of ANY computer that uses that same User Account. Yikes! :shock:

I then did a fair bit of digging around in the Forum and found some related threads but no really viable solution to this conundrum.

So, am I missing something and/or does anyone have a suggestion on how to handle this gaping security issue?

Thanks,

Nick
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: VAW VB&R Repository Security

Post by Dima P. »

Hello Nick.
As VAW Free evidently can’t access the 'Primary' Repository on the VB&R Backup Server (with the Repo Access Permissions set to the seemingly Desired/Default of Deny to Everyone) ...
If account use in VAW setup has access to the repository, then it should be visible - works the same way for custom or default repository. Can you please double check that you used correct account which is listed under repository permissions.
I then discovered that the credentials are saved for that User Account in such a way that ANYONE who logs onto ANY computer (that uses VAW with that User Account) can Restore Files from ANY backup of ANY computer that uses that same User Account. Yikes! :shock:
Only if you used backup administrator account as access credentials to the repository. In case of a regular user account (without administrative access to Veeam B&R console), user will see only his backup files.
Nick-SAC
Enthusiast
Posts: 74
Liked: 15 times
Joined: Oct 27, 2017 5:42 pm
Full Name: Nick
Contact:

Re: VAW VB&R Repository Security

Post by Nick-SAC »

Hey Dima,

Thanks for the quick reply... I’ve now spent some time testing & here’s where I’m at...

For the sake of brevity I’ll refer to these items as:
VBR-Repo = Repository used by VB&R Managed Backups (in my initial post I referred to this as the ‘Primary’ Repository)
VAW-Repo = Repository used by VAW Free (Unmanaged by VB&R)
VBR VM = VM’s Managed & Backed up by VB&R
VAW Computer = Physical Computer using VAW Free (Unmanaged by VB&R)


Just to clarify what I meant in my initial post about the VAW Computers not being able to access the VBR-Repo; I didn’t see this as a problem, in fact I purposefully left the VBR-Repo set to the Default Permission of Deny to Everyone and I wasn’t surprised or concerned that the VAW Computers weren’t able to be able to access it that way.

On the VAW Computers & VAW-Repo: I had used a User Account which had Admin rights on the Backup Server (I was under the mistaken impression that Admin rights were necessary) however, even after removing that User Account’s Admin rights, I found that (probably because I used the same User Account on all the VAW Computers) that any user on any VAW Computer could still access & Restore from any other VAW Computer’s backup in the VAW-Repo.

FWIW, the reason that I used the same User Account..., was that I didn’t want to use the actual User’s accounts and then have to deal with periodic password changes) so I created & used a single Faux User Account with a non-expiring password (which it seemed like a good idea at the time) :roll:

However, I’ve now found that setting the VAW-Repo access permissions to the respective Computer Accounts works great! No passwords and each VAW Computer can only see its own backups... which now has me rethinking my original plan...

Given that both of these Repos are on the same physical storage and that the VAW Computers wouldn’t be able to access the other machine’s backups..., I now think it’d be preferable to just use the VBR-Repo for all the backups (and thus be able to leverage the Repo’s Concurrent Tasks setting to simplify scheduling & load conflicts, etc.).

However, this raises another question of greater concern. Would granting Access Permissions on the VBR-Repo to the VAW Computer Accounts open a potential attack vector, e.g., if one of those VAW Computers got infected with Crypto/Malware? Or would the security mechanisms in VB&R be considered as adequate protection against that?

Obviously it would be bad if an infected VAW Computer was able to attack the other VAW Computer backups... but it’d be really, REALLY bad if it was able to get to the VBR VM Server backups!

Thanks again,
Nick
Post Reply

Who is online

Users browsing this forum: No registered users and 36 guests