Restricting Permissions on Repository Folder (Windows ACL's)

[Homes32]

After reading THE WORD FROM GOSTEV May 2 - May 8, 2016 I decided take his advice

2. Restricted remote access. Do your Windows/Linux/Share/Deduplication backup destinations have custom, strict ACL security that has ONLY the Veeam service account granted the access? Or are you still running with the defaults where, for example, all Domain Admins will have Full Control access to anything stored in your Windows-based backup repository?

as this is something that has bothered me for awhile.

My repository is a QNAP NAS attached to the veeam server as a mapped drive via iSCSI
the path is V:\Backups

I set the windows acl on the Backups folder(via the security tab in windows explorer) to only allow access to the DOMAIN\VeeamService (Domain Admin) account and made sure all objects under inherit permissions.
next I tried to run a backup from veeam endpoint on my computer that backs up to the veeam repository using the VeeamService account
and was rewarded with the following error message

5/20/2016 3:22:51 PM :: Error: Access is denied. --tr:Error code: 0x00000005 Cannot create folder. Folder path: [V:\Backups\DOMAIN_VEEAMService]. --tr:FC: Failed to create directory. Directory path: [V:\Backups\DOMAIN_VEEAMService]. --tr:Failed to call DoRpc. CmdName: [FcCreateDir]. Access is denied. Cannot create folder. Folder path: [V:\Backups\DOMAIN_VEEAMService].

checked all the effective permissions on the V:\Backups\DOMAIN_VEEAMService folder. DOMAIN\VeeamService has full access and ownership.

reverted permission on the Backups folder back to full permission for SERVERNAME\Administrators and backups started working again.

Am I crazy and missing something here or do I need to open a support case with veeam? Has anyone else tried to restrict permission on a repository/target to only the veeam service account and been successful?

[Gostev]

Please check what account you have added this share as a repository within B&R itself.

[Homes32]

Hi Gostev,

The repository is attached to the veeam server via iSCSI so it shows up as a physical drive (V:) and is mounted using the "Microsoft Windows Server" repository type so there is no place to specify credentials on the repository level.
When I login to the windows server using the VeeamService account I have full control of the repository and no issues accessing/creating files on the drive.

The Endpoint Backup Permissions for are set to only allow the DOMAIN\VeeamService account

regards,
Homes32

[Homes32]

On further investigation the issue also happens with Veeam B&R backup job.

After some playing around adding the SYSTEM user to the ACL on the repository folder fixed the issue for both endpoint & B&R

So the working ACL is

Users
--------------------
SYSTEM - FULL CONTROL
DOMAIN\VEEAMService - FULL CONTROL

Perhaps the documentation could be improved to include the need for SYSTEM to have permission to control a veeam repository attached to a windows server.

Homes32

[Dima P.]

Hi Jonathan,

Thanks for sharing. Can you clarify for me how permissions were set on a repository level (via B&R console)? Was that a Backup account or NT AUTHORITY\SYSTEM (computer account where the said VEB resides)?

[Homes32]

Hi Dima,

Thanks for sharing. Can you clarify for me how permissions were set on a repository level (via B&R console)?

There are no permissions to set via B&R console on the repository itself as iSCSI mapped drives show up on the host as an actual physical drive.
Endpoint Permissions are set to only allow the service account.

Was that a Backup account or NT AUTHORITY\SYSTEM (computer account where the said VEB resides)?

Both my service account and the NT AUTHORITY\SYSTEM account require full permissions on the filesystem ACL/Permissions. Removing the SYSTEM account from the folder permissions causes the backup to fail.

Steps to reproduce using either B&R Console or Endpoint Client:

1. Create a folder on a windows server. It doesn't have to be on a iSCSI drive, It can be a physical or virtual hard drive attached to the server including the C: drive.
2. Set permissions on the folder to ONLY allow the VEEAM service account full access.
3. add the folder as a repository in VEEAM B&R using the "Microsoft Windows Server" repository type
4. create a backup job that uses your service account credentials, run it and watch it fail with the "Access is denied. Cannot create folder." error
5. edit the permissions for the target folder to include FULL ACCESS for the SYSTEM account.
6. rerun the backup and watch it work.

[Dima P.]

actual physical drive

Now I am confused. How the backup destination in VEB is configured? Is that a local drive or VBR repository? Thanks.

[Homes32]

Now I am confused. How the backup destination in VEB is configured? Is that a local drive or VBR repository? Thanks.

Repository. Although if you follow my instructions for reproducing you will see that it wouldn't matter either way. The destination still needs the NT AUTHORITY\SYSTEM account permissions or it won't work.

[Dima P.]

Jonathan,

Thanks, now I get it. Setting Up User Permissions on Backup Repositories might help you - even though the disk attached locally, you still need to specify the permissions in the backup console.

[Homes32]

Jonathan,

Thanks, now I get it. Setting Up User Permissions on Backup Repositories might help you - even though the disk attached locally, you still need to specify the permissions in the backup console.

I'm not so sure you do get it.
I have those permissions set properly, as I said above. The solution has absolutely nothing to do with veeam at all. its Windows ACL permissions that were at fault here.

After reading THE WORD FROM GOSTEV May 2 - May 8, 2016 I decided take his advice

2. Restricted remote access. Do your Windows/Linux/Share/Deduplication backup destinations have custom, strict ACL security that has ONLY the Veeam service account granted the access? Or are you still running with the defaults where, for example, all Domain Admins will have Full Control access to anything stored in your Windows-based backup repository?

so i removed ALL permissions on the folder the repo points to and only left the active directory login for my Veeam service account with full permissions on the directory. this caused backups from B&R and VEB to fail with access denied errors. Only after I added the NT AUTHORITY\SYSTEM account back on to the folder's ACL did the backups start working correctly.

My suggestion to update documentation was simply an effort to keep other persons trying to restrict permissions and achieve the same level of defense against cryptolocker varieties of malware suggested in Gostev's article from making the same mistake I did by removing the SYSTEM account from the ACL so windows itself was unable to perform basic API operations required for veeam to function.

I apologize if I was unclear.

[Dima P.]

Jonathan,

I accidentally thought that lack of permissions in the VBR console could be replaced with the described approach, thanks for the clarifications. I’ll pass this information to technical writer’s team. Thanks again!