-
- Influencer
- Posts: 10
- Liked: never
- Joined: Sep 02, 2021 8:29 am
- Full Name: Rezwan Mahbub
Restrict Administrator from accessing Endpoint Files
Hello,
I am a Veeam partner. One of my customers wants to take backups of their management laptops and desktops along with their Servers and VMs. I need to know whether there is any way to restrict the Administrator so that he/she can't see or access the files of those endpoints, since they might be strictly confidential. We need a way so that these backups can be encrypted and can't be read. Only restoration should be possible using the password defined by the owners of the endpoints.
Please advise.
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Restrict Administrator from accessing Endpoint Files
Hello!
No, it is impossible to restrict Administrator from anything. Any account with Local Administrator privileges on the given computer will always have access to all of its files.
To be clear, this is the case whether or not Veeam (or any other backup product) is installed. This is just how OS security works: root can do anything and bypass any software-based protection. This includes bypassing both OS-based and 3rd party software encryption. For example, if a backup software can encrypt data during backup and decrypt it for the purpose of restoration, then root can always obtain the encryption password stored in the backup software configuration.
The only way to truly secure management laptops in an environment with untrusted IT staff is to ensure the only account with Local Administrator privileges belongs to the laptop owner. Which in turn means, they will have to deploy and manage backup on their own (according to your instructions perhaps). These backups can then go into a backup repository located in an untrusted IT infrastructure, because all data will be encrypted "at source" (before it leaves the laptop).
Thanks!
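The precondition in the reply above, that the laptop owner holds the only account with Local Administrator privileges, can be checked on the laptop itself. This audit script is an added example, not part of the original thread or of any Veeam tooling; `$Owner` is a hypothetical placeholder for the owner's local account name.

```powershell
# Added example: audit who holds Local Administrator rights on this laptop.
# Run in an elevated PowerShell session on the endpoint being checked.
param(
    # Hypothetical placeholder: the laptop owner's local account.
    [string]$Owner = "$env:COMPUTERNAME\owner"
)

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
# Using the SID avoids depending on the localized group name.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

$report = foreach ($m in $members) {
    $finding = $null
    if ($m.ObjectClass -eq 'Group') {
        # A nested group (for example a domain group) makes every one of
        # its members an administrator of this machine.
        $finding = 'nested group: all of its members are local admins'
    }
    elseif ($m.PrincipalSource -ne 'Local') {
        # The account is controlled from outside the laptop.
        $finding = "account managed elsewhere ($($m.PrincipalSource))"
    }
    elseif ($m.Name -ne $Owner) {
        # Another local account; a disabled one (such as the built-in
        # Administrator) is reported but marked as disabled.
        $user = Get-LocalUser -SID $m.SID
        $finding = if ($user.Enabled) { 'enabled local account other than the owner' }
                   else { 'disabled local account (can be re-enabled by any admin)' }
    }
    [pscustomobject]@{
        Name    = $m.Name
        Class   = $m.ObjectClass
        Source  = $m.PrincipalSource
        Finding = $finding
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code means someone other than the owner has admin rights.
$violations = @($report | Where-Object { $_.Finding })
if ($violations.Count -gt 0) { exit 1 } else { exit 0 }
```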
-
- Influencer
- Posts: 10
- Liked: never
- Joined: Sep 02, 2021 8:29 am
- Full Name: Rezwan Mahbub
Re: Restrict Administrator from accessing Endpoint Files
Thanks for the great response, that solves my question.
But being Administrator, it should also have the right to restrict itself from decrypting only with the permission of the endpoint owner, as this is an exceptional issue to ensure privacy.
You may raise it to the developer to include this option in the next update.
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Restrict Administrator from accessing Endpoint Files
Perhaps you did not read my previous response carefully, but it is literally impossible to restrict Administrator from performing certain operations on a computer even in theory, because they can always bypass any and all software-based restrictions.
So not only are options attempting to restrict Administrator from doing whatever completely and utterly useless from a security and privacy perspective (because it is trivial to bypass them), if officially documented as a product feature they will result in a CVE vulnerability with CVSS score 10 logged immediately.
-
- Enthusiast
- Posts: 48
- Liked: 7 times
- Joined: Jun 18, 2013 8:12 am
- Full Name: Nils Petersen
Re: Restrict Administrator from accessing Endpoint Files
Another way would be an encrypted container/virtual disk sitting on the laptop's HDD/SSD, using perhaps BitLocker or VeraCrypt.
A backup would copy the container as is - encrypted. An admin could restore the encrypted container but he couldn't open it without the key. (With BitLocker, the admin could use domain policies to get his hands on the volume key but he couldn't do it without some elaboration. VeraCrypt would be entirely safe.)
Care should be taken and a bit of testing done to ensure that the container is indeed intact in backup.
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Restrict Administrator from accessing Endpoint Files
This won't help, as the end user would have to supply a password each time they need to open the encrypted container. And nothing prevents a bad admin from deploying a logger that continuously dumps all input into a file.
Don't waste your time coming up with more ideas, this is really the only way:
-
- Enthusiast
- Posts: 48
- Liked: 7 times
- Joined: Jun 18, 2013 8:12 am
- Full Name: Nils Petersen
Re: Restrict Administrator from accessing Endpoint Files
"Nothing prevents a bad admin from deploying a logger" - absolutely true. I was implying a 'normal' admin (is there such a thing?). Given sufficient criminal energy, a clear cut in administrative privileges is the only way.