Run as different user?

Backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)


by minahanse » Wed Jul 06, 2016 6:04 pm

I'm wondering if creating a designated user account in Windows and using that for backing up would prevent ransomware from encrypting the USB drive. The USB drive would of course only be accessible to that specific user account. I tried doing this, but where I keep getting stuck is the fact that the Veeam Endpoint Backup service runs as "Local Systems account" and thus the SYSTEM account needs access to the USB drive in order for the backup to be successful. Is there a way to do something along these lines? I am trying to find a solution for elderly people who won't remember to replug the USB drive if using the "unplug after backup done" feature. Another thing I was wondering was whether the USB drive could be shared to the network and then used with Veeam's backup to share feature?
minahanse
Lurker
 
Posts: 2
Liked: never
Joined: Wed Jul 06, 2016 2:46 pm

Re: Run as different user?

by Dima P. » Wed Jul 06, 2016 11:50 pm

Hi minahanse,

minahanse wrote: Is there a way to do something in these lines?

By setting another account you have to grant the same level of permissions the LocalSystem account has, so I believe it does not make any difference.

minahanse wrote: Another thing I was wondering was that could the USB drive be shared to the network and then using the Veeam's backup to share feature?

Yes, it should work. If the shared drive is visible through the network surroundings, you can use it as a shared folder destination.
Dima P.
Veeam Software
 
Posts: 6237
Liked: 439 times
Joined: Mon Feb 04, 2013 2:07 pm
Location: SPb
Full Name: Dmitry Popov

Re: Run as different user?

by minahanse » Thu Jul 07, 2016 7:14 am

Thank you Dima P for the quick reply.

I got the USB drive shared and Veeam is now backing up to it as it should; the key was to also make the service run as the same username. I'm just curious if this is enough to prevent ransomware from infecting the backup files on the USB drive? Assuming of course that the username which has write access won't be used for anything else and thus never logged on as unless a backup is needed.
minahanse
Lurker
 
Posts: 2
Liked: never
Joined: Wed Jul 06, 2016 2:46 pm

Re: Run as different user?

by Dima P. » Sat Jul 09, 2016 2:25 pm

Thanks for the heads up. I guess if the account is dedicated to the backup job and not used by end users, you are good to go.
Dima P.
Veeam Software
 
Posts: 6237
Liked: 439 times
Joined: Mon Feb 04, 2013 2:07 pm
Location: SPb
Full Name: Dmitry Popov

Re: Run as different user?

by folerx » Fri Aug 05, 2016 2:25 pm

Is this a good procedure?
1. Make a new local account, for example "backup"
2. Add this account to the local "Backup Operators" group
3. Sign in as this new account
4. Make a new folder on the external USB disk and set an NTFS ACL with write permission for this new account
5. Configure VEB and point it to this new folder
6. Sign out and sign in as the standard user
7. VEB will back up in the background as we configured it in step 5?
8. Ransomware can't access the backup folder?

Thanks
folerx
Expert
 
Posts: 105
Liked: 8 times
Joined: Wed Jun 22, 2016 9:47 pm
Full Name: Daniel Kaiser

Re: Run as different user?

by folerx » Fri Aug 05, 2016 3:32 pm

Update:
My steps 1-8 won't work, access denied.
VEB won't eject the HDD.
How to run VEB as a different user against ransomware?
folerx
Expert
 
Posts: 105
Liked: 8 times
Joined: Wed Jun 22, 2016 9:47 pm
Full Name: Daniel Kaiser

Re: Run as different user?

by Dima P. » Fri Aug 05, 2016 3:50 pm

Daniel,

VEB is not running under your local user account; instead it operates under the built-in LocalSystem account.
Dima P.
Veeam Software
 
Posts: 6237
Liked: 439 times
Joined: Mon Feb 04, 2013 2:07 pm
Location: SPb
Full Name: Dmitry Popov

Re: Run as different user?

by folerx » Fri Aug 05, 2016 3:52 pm

OK, how do I set an NTFS ACL for a different user so that only this user can access the files? If the standard user runs ransomware, it can't encrypt the files.
folerx
Expert
 
Posts: 105
Liked: 8 times
Joined: Wed Jun 22, 2016 9:47 pm
Full Name: Daniel Kaiser

Re: Run as different user?

by chaycock » Mon Aug 08, 2016 12:23 pm

Since VEB runs as SYSTEM, could you just create a backup folder on the USB and remove all rights and just grant SYSTEM the rights needed to write to the drive/folder?
chaycock
Enthusiast
 
Posts: 62
Liked: 12 times
Joined: Fri Jul 15, 2016 4:51 pm
Full Name: Carlton Haycock

Re: Run as different user?

by folerx » Tue Aug 23, 2016 7:56 am

chaycock wrote: Since VEB runs as SYSTEM, could you just create a backup folder on the USB and remove all rights and just grant SYSTEM the rights needed to write to the drive/folder?

OK, but when I need to restore, how do I access the backup files?
folerx
Expert
 
Posts: 105
Liked: 8 times
Joined: Wed Jun 22, 2016 9:47 pm
Full Name: Daniel Kaiser

Re: Run as different user?

by Vitaliy S. » Tue Aug 23, 2016 11:53 am

I guess you will need to revert all the changes back to access these files.
Vitaliy S.
Veeam Software
 
Posts: 19545
Liked: 1099 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
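
The SYSTEM-only folder chaycock suggests, and the "revert the changes" step needed before a restore, could look like this in PowerShell with icacls. This is an added example, not part of the original thread; the path E:\VeeamBackup and the function names are assumptions, and it has to be run elevated against an NTFS-formatted drive.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# E:\VeeamBackup is a hypothetical folder on an NTFS-formatted USB drive.
$BackupDir = 'E:\VeeamBackup'
$SystemSid = 'S-1-5-18'        # well-known SID: LocalSystem
$AdminsSid = 'S-1-5-32-544'    # well-known SID: BUILTIN\Administrators

function Lock-BackupFolder {
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Drop every inherited ACE, then leave SYSTEM as the only explicit grant.
    # (OI)(CI) makes files and subfolders created later inherit the same ACE.
    icacls $Path /inheritance:r /grant:r "*${SystemSid}:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

function Get-UnexpectedAce {
    # Returns every ACE whose trustee is not SYSTEM. /inheritance:r does not
    # touch explicit ACEs left on a pre-existing folder, so check for them.
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        $sid.Value -ne $SystemSid
    }
}

function Grant-RestoreAccess {
    # Before a restore: temporary read access for Administrators.
    # Works because the folder's owner can always edit its ACL.
    param([string]$Path)
    icacls $Path /grant "*${AdminsSid}:(OI)(CI)RX" | Out-Null
}

function Revoke-RestoreAccess {
    # After the restore: back to SYSTEM-only.
    param([string]$Path)
    icacls $Path /remove:g "*${AdminsSid}" | Out-Null
}

Lock-BackupFolder -Path $BackupDir
$extra = @(Get-UnexpectedAce -Path $BackupDir)
if ($extra.Count -gt 0) {
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited
    throw "Non-SYSTEM ACEs remain on $BackupDir"
}
# Limit of this control: it blocks processes running as a standard user.
# Anything running as SYSTEM or as an administrator (who can take
# ownership and rewrite the ACL) is not stopped by it.
```

For a restore, call `Grant-RestoreAccess -Path $BackupDir`, restore the files, then call `Revoke-RestoreAccess -Path $BackupDir`.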

