Hello
I am evaluating Veeam for Office 365 (v7.1.0.2031). I am trying the remote console from a different host, but I am surprised that I need local administrator on my "jump host" when I want to start a console to a remote server (https://xxxx), which also uses remote S3 storage (more https://).
I am doing something wrong?
The documentation (https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=70) states this: "Keep in mind that the account you are using must be a member of the local Administrators group on the specified Veeam Backup for Microsoft 365 server." and doesn't say anything about requiring local administrator rights on the system where the remote console is being run.
Is it expected or in the roadmap, removing that requirement, at least for running the console remotely? I am doing anything wrong?
Best regards
Seve
-
Seve CH
- Enthusiast
- Posts: 99
- Liked: 39 times
- Joined: May 09, 2016 2:34 pm
- Full Name: JM Severino
- Location: Switzerland
- Contact:
-
Mildur
- Product Manager
- Posts: 10316
- Liked: 2754 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Feature request: Run console without admin rights
Hello Seve
The user guide may be a little bit misleading. Those permissions are required wherever you start the backup console. I will ask our help center team to update the statement.
Local administrative permissions are required because we need to load DLL files which require local admin permissions.
When you start a restore, we will mount backups to the remote machine where you start the recovery. That's why a user with local administrative permissions must be used.
We know about the request to remove this requirement, but we don't have information or ETA to share.
For Data Recovery, we recommend to consider the Restore Portal when possible. Our Restore Portal doesn't require local admin permissions on any machine.
And our goal is to bring more recovery features to the portal in upcoming versions.
Best,
Fabian
The user guide may be a little bit misleading. Those permissions are required wherever you start the backup console. I will ask our help center team to update the statement.
Local administrative permissions are required because we need to load DLL files which require local admin permissions.
When you start a restore, we will mount backups to the remote machine where you start the recovery. That's why a user with local administrative permissions must be used.
We know about the request to remove this requirement, but we don't have information or ETA to share.
For Data Recovery, we recommend to consider the Restore Portal when possible. Our Restore Portal doesn't require local admin permissions on any machine.
And our goal is to bring more recovery features to the portal in upcoming versions.
Best,
Fabian
Product Management Analyst @ Veeam Software
-
Seve CH
- Enthusiast
- Posts: 99
- Liked: 39 times
- Joined: May 09, 2016 2:34 pm
- Full Name: JM Severino
- Location: Switzerland
- Contact:
Re: Feature request: Run console without admin rights
Hi Mildur
Thanks for the answer. Add then a +1 to that requirement (Remove local admin requirement for remote console).
Business case:
For security reasons, we don't want anybody logging into the backup server directly.
If the remote console requires local administrator permissions, our service desk operators will need local administrator on the jump host being used to, for instance, export PST files. This is unfortunate, because this allows the SD team do too much things on that machine and opens the attack surface, allowing an SD account to do things like replacing executables being used by other service desk operators with trojanized versions (may it be Veeam for O365, may it be other tools installed on that jump host) which won't be detected by the EDR/Antimalware solution.
Best regards
Seve
Thanks for the answer. Add then a +1 to that requirement (Remove local admin requirement for remote console).
Business case:
For security reasons, we don't want anybody logging into the backup server directly.
If the remote console requires local administrator permissions, our service desk operators will need local administrator on the jump host being used to, for instance, export PST files. This is unfortunate, because this allows the SD team do too much things on that machine and opens the attack surface, allowing an SD account to do things like replacing executables being used by other service desk operators with trojanized versions (may it be Veeam for O365, may it be other tools installed on that jump host) which won't be detected by the EDR/Antimalware solution.
Best regards
Seve
Who is online
Users browsing this forum: No registered users and 64 guests