Endpoint Backup User repositoreis best practice

[alu]

Hello

My task is to back up notebooks from users with endpoint backup to a Veeam Server. Important is that the users can only see their own backup. My idea is to create for each user (~30) a repository and add the specific AD user. Is that the best way? Can the user do a recovery on their own?
Or is it better with encryption (not on users harddrive)?

Thanks

[Dima P.]

Hello alu,

That is a perfect idea, the best is, however, to set up a dedicated ‘backup’ account for every user and let only VEB job know the creds (BTW AD computer accounts can be used for setting the access to the repository). With last approach you will protect your backups in the repository from unauthorized access of malware that can be executed by regular end user account. Encryption on backup repository can help as well.

[poussah]

Follow up question: if the repository is authorized for all relevant AD users but the storage target (NAS) is on a separate network and thus not directly accessible to the users, could a malware damage the backup files?

[Dima P.]

Renaud,

Most likely NAS remains hidden.

[JChris]

Hello alu,

That is a perfect idea, the best is, however, to set up a dedicated ‘backup’ account for every user and let only VEB job know the creds (BTW AD computer accounts can be used for setting the access to the repository). With last approach you will protect your backups in the repository from unauthorized access of malware that can be executed by regular end user account. Encryption on backup repository can help as well.

Sorry for reviving this topic after a long time, but my question is so similar that I believe it would be best to quote here. So, I have a SOHO Synology NAS running inside my home network that I'll use for backup target. I really thought about creating a separate user that will only interact with my /backup share. For example: Mike will have two users in the NAS: Mike and Mike_BK. Mike is the default user, the one that is configured inside Windows File Explorer and he uses on a daily basis to access his files inside the NAS and the public share. On the other hand, Mike_BK is only configured inside Veeam Endpoint Backup and will only have R/W inside /backup. My question is, how secure will be Mike_BK credential stored inside Veeam software? Do you guys encrypt the credentials or something like that?

I'm thinking about only having a single shared folder called /backup and I'd configure it in a way that each "user_BK" would only have R/W inside the folder he's the owner and he wouldn't even be able to see other users folders. In short, anyone would be able to create his "Backup Job for XYZ" inside /backup and put their files in there, but wouldn't be able to affect other user folders. Is that a good approach?

[Vitaliy S.]

My question is, how secure will be Mike_BK credential stored inside Veeam software? Do you guys encrypt the credentials or something like that?

Yes, all user sensitive data is encrypted with machine specific key using WinAPI.

In short, anyone would be able to create his "Backup Job for XYZ" inside /backup and put their files in there, but wouldn't be able to affect other user folders. Is that a good approach?

Yes, seems good to me.

[folerx]

ok, but what is best practices if b&r server is not domain member? one repository, multiple?
today i receive 6x8tb hdds and need to configure test repository. 50 clients in domain.
also how to schedule backup across day? wont overload repository. 3gb incremental per day/client changes.

[Vitaliy S.]

If Veeam B&R is not a member of a domain, you can still use 1 or multiple repositories, all VEB users will see only their backup files. Scheduling is a bit tricky, you need to do that for all clients individually. There is no central management for Veeam Endpoint Backup / Veeam Agent for Windows yet, however you can set a limit of concurrent tasks on the repository that would fit best to your deployment.