Backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
hoFFy
Service Provider
Posts: 175
Liked: 27 times
Joined: Apr 27, 2012 1:10 pm
Full Name: Sebastian Hoffmann
Location: Germany / Lohne

Security best practices for company network

Post by hoFFy » Apr 23, 2015 8:57 am

Hi all,

I'm in the process of deploying Endpoint in our network and backing up to a dedicated B&R repository.
I'm not sure if the way of my deployment is secure enough: During Endpoint installation I'm putting the recovery ISO in the same folder of our backup server by using the domain admin account and the path bkp01\f$ because I would like to have these ISOs all in one place. Is there a way for the users to extract these credentials later, after Endpoint has been installed? Or is it better to save this ISO first to the local hard drive and copy it later to the desired place in network?

At the moment I'm telling every user to enter his own credentials during setup for the B&R repository, because I don't want them to see the backups of the other users.
I believe that our users will not try to restore lost files on their own... so... is it possible to enter at this point admin credentials, or is it possible that the user extracts these credentials later from the software or can he gain access to the other backups without entering these credentials again?
VMCE 7 / 8 / 9, VCP-DC 5 / 5.5 / 6, MCITP:SA
Blog: machinewithoutbrain.de

Mike Resseler
Veeam Software
Posts: 4825
Liked: 509 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium

Re: Security best practices for company network

Post by Mike Resseler » Apr 23, 2015 12:48 pm

Sebastian,

When you create that recovery media, the credentials you use to store the ISO to the share are not saved anywhere. In fact, after the creation of the ISO, they are lost (so to speak... :-)). You can test this easily... Simply reboot the computer afterwards and try to access the share with the end user credentials. Or try to run the Veeam recovery media creation wizard again (search for Veeam in the start menu and you will see "create recovery media"). You will notice that you will need to enter the credentials again.

For the B&R repository, I think it is the best method to create a security group with your users in it. Attach that group to the permissions on the B&R repository. Now every user has the possibility to recover IF he or she would want to do it, they can't see any other backup (of other users I mean) and you can easily "disable" users by removing them from that security group (or adding if new people start at the company).

Extracting the "admin" password as a User is not possible. They can go through the backup configuration wizard again (if they have the rights... UAC so local admin rights necessary) and they can see the username, but the password field will have the status "To change the saved password, click here", so there is nothing to worry about. But I still prefer the above method :D


Re: Security best practices for company network

Post by hoFFy » Apr 23, 2015 1:29 pm

Mike Resseler wrote:...For the B&R repository. I think it is the best method to create a security group with your users in it. Attach that group to the permissions on the B&R repository. Now every user has the possibility to recover IF he or she would want to do it, they can't see any other backup (of other users I mean) and you can easily "disable" users by removing them from that security group (or adding if new people start at the company)...

Hi Mike,

the other points are clear, but I have my problems with the credentials...
Okay, members of a special group are able to back up to the repository. They are only able to see their own backup until they are not a Restore Operator.
But am I right that there won't be a way to set up Endpoint on client side as the domain admin for example (and with his credentials for the repository) and later the normal user will only be able to see the backups of his client(s)? The longer I think about it... this design makes sense... the Repository Server CAN'T decide which backups will be accessible by the user, if all backups are created with the same account...
Therefore: During configuration of Endpoint it is necessary to have the credentials of the user working with that client, right?

A nice feature for a future release might be, especially together with a feature for remote installations via group policies, to specify an account with which all backups are written to the repo (to be able to set it up remotely, or to install software with a service account, not with the normal user credentials (as an admin I don't always want to know the login data of all users out there we are administrating, for reasons of data security, responsibility, legal rights and things like that)) and the ability to specify which backups are readable with additional credentials (in this case the credentials of the user normally working with that PC, to enable file-level restore for the end user without contacting the admin).
