Endpoint Backup User repositoreis best practice

Backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)

Endpoint Backup User repositoreis best practice

Veeam Logoby alu » Wed Mar 09, 2016 1:55 pm

Hello

My task is to back up notebooks from users with endpoint backup to a Veeam Server. Important is that the users can only see their own backup. My idea is to create for each user (~30) a repository and add the specific AD user. Is that the best way? Can the user do a recovery on their own?
Or is it better with encryption (not on users harddrive)?

Thanks
alu
Lurker
 
Posts: 2
Liked: never
Joined: Wed Mar 09, 2016 1:38 pm

Re: Endpoint Backup User repositoreis best practice

Veeam Logoby Dima P. » Thu Mar 10, 2016 12:16 am

Hello alu,

That is a perfect idea, the best is, however, to set up a dedicated ‘backup’ account for every user and let only VEB job know the creds (BTW AD computer accounts can be used for setting the access to the repository). With last approach you will protect your backups in the repository from unauthorized access of malware that can be executed by regular end user account. Encryption on backup repository can help as well.
Dima P.
Veeam Software
 
Posts: 6111
Liked: 434 times
Joined: Mon Feb 04, 2013 2:07 pm
Location: SPb
Full Name: Dmitry Popov

Re: Endpoint Backup User repositoreis best practice

Veeam Logoby poussah » Sat Mar 12, 2016 10:12 am

Follow up question: if the repository is authorized for all relevant AD users but the storage target (NAS) is on a separate network and thus not directly accessible to the users, could a malware damage the backup files?
poussah
Influencer
 
Posts: 11
Liked: never
Joined: Wed Mar 26, 2014 4:01 pm
Location: Paris, France
Full Name: Renaud Boitouzet

Re: Endpoint Backup User repositoreis best practice

Veeam Logoby Dima P. » Tue Mar 15, 2016 12:16 am

Renaud,

Most likely NAS remains hidden.
Dima P.
Veeam Software
 
Posts: 6111
Liked: 434 times
Joined: Mon Feb 04, 2013 2:07 pm
Location: SPb
Full Name: Dmitry Popov

Re: Endpoint Backup User repositoreis best practice

Veeam Logoby JChris » Fri Sep 16, 2016 4:04 am

Dima P. wrote:Hello alu,

That is a perfect idea, the best is, however, to set up a dedicated ‘backup’ account for every user and let only VEB job know the creds (BTW AD computer accounts can be used for setting the access to the repository). With last approach you will protect your backups in the repository from unauthorized access of malware that can be executed by regular end user account. Encryption on backup repository can help as well.


Sorry for reviving this topic after a long time, but my question is so similar that I believe it would be best to quote here. So, I have a SOHO Synology NAS running inside my home network that I'll use for backup target. I really thought about creating a separate user that will only interact with my /backup share. For example: Mike will have two users in the NAS: Mike and Mike_BK. Mike is the default user, the one that is configured inside Windows File Explorer and he uses on a daily basis to access his files inside the NAS and the public share. On the other hand, Mike_BK is only configured inside Veeam Endpoint Backup and will only have R/W inside /backup. My question is, how secure will be Mike_BK credential stored inside Veeam software? Do you guys encrypt the credentials or something like that?

I'm thinking about only having a single shared folder called /backup and I'd configure it in a way that each "user_BK" would only have R/W inside the folder he's the owner and he wouldn't even be able to see other users folders. In short, anyone would be able to create his "Backup Job for XYZ" inside /backup and put their files in there, but wouldn't be able to affect other user folders. Is that a good approach?
JChris
Enthusiast
 
Posts: 27
Liked: 1 time
Joined: Fri Sep 16, 2016 3:51 am
Full Name: Juan C.

Re: Endpoint Backup User repositoreis best practice

Veeam Logoby Vitaliy S. » Fri Sep 16, 2016 4:10 pm

JChris wrote:My question is, how secure will be Mike_BK credential stored inside Veeam software? Do you guys encrypt the credentials or something like that?

Yes, all user sensitive data is encrypted with machine specific key using WinAPI.

In short, anyone would be able to create his "Backup Job for XYZ" inside /backup and put their files in there, but wouldn't be able to affect other user folders. Is that a good approach?

Yes, seems good to me.
Vitaliy S.
Veeam Software
 
Posts: 19472
Liked: 1092 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Endpoint Backup User repositoreis best practice

Veeam Logoby folerx » Fri Oct 21, 2016 10:49 am

ok, but what is best practices if b&r server is not domain member? one repository, multiple?
today i receive 6x8tb hdds and need to configure test repository. 50 clients in domain.
also how to schedule backup across day? wont overload repository. 3gb incremental per day/client changes.
folerx
Expert
 
Posts: 105
Liked: 8 times
Joined: Wed Jun 22, 2016 9:47 pm
Full Name: Daniel Kaiser

Re: Endpoint Backup User repositoreis best practice

Veeam Logoby Vitaliy S. » Fri Oct 21, 2016 12:11 pm

If Veeam B&R is not a member of a domain, you can still use 1 or multiple repositories, all VEB users will see only their backup files. Scheduling is a bit tricky, you need to do that for all clients individually. There is no central management for Veeam Endpoint Backup / Veeam Agent for Windows yet, however you can set a limit of concurrent tasks on the repository that would fit best to your deployment.
Vitaliy S.
Veeam Software
 
Posts: 19472
Liked: 1092 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov


Return to Veeam Agent for Windows



Who is online

Users browsing this forum: No registered users and 9 guests