Security best practises for company network

Backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)

Security best practises for company network

Veeam Logoby hoFFy » Thu Apr 23, 2015 8:57 am

Hi all,

I'm in the process of deploying ENdpoint in our network and backing up to a dedicated B&R repository.
I'm not sure if the way of my deployment is secure enough: During Endpoint installtion I'm putting the recovery iso in the same folder of our backup server by using the domain admin account and the path bkp01\f$ because I would like to have these ISOs all in one place. Is there a way for the users to extract these credentials later, after Endpoint has been installed? Or is it better to safe this iso first to the local hard drive and copy it later to the desired place in network?

At the moment I'm telling every user to enter his own credentials during setup for the B&R repository, because I don't want them to see the backups of the other users.
I believe that our users will not try to restore lost files on their own... so... is it possible to enter at this point admin credentials, or is it possible that the user extracts these credentials later from the software or can he gain access to the other backups without entering this credentials again?
VMCE 7 / 8 / 9, VCP-DC 5 / 5.5 / 6, MCITP:SA
Blog: machinewithoutbrain.de
hoFFy
Veeam ProPartner
 
Posts: 161
Liked: 25 times
Joined: Fri Apr 27, 2012 1:10 pm
Location: Germany / Lohne
Full Name: Sebastian Hoffmann

Re: Security best practises for company network

Veeam Logoby Mike Resseler » Thu Apr 23, 2015 12:48 pm

Sebastian,

When you create that recovery media, the credentials you use to store the ISO to the share are not saved anywhere. In fact, after the creation of the ISO, they are lost (sort of speak... :-)). You can test this easily... Simply reboot the computer afterwards, try to access the share with the end user credentials. Or try to run the Veeam recovery media creation wizard again (search for Veeam in the start menu and you will see create recovery media). You will notice that you will need to enter the credentials again.

For the B&R repository. I think it is the best method to create a security group with your users in it. Attach that group to the permissions on the B&R repository. Now every user has the possibility to recover IF he or she would want to do it, they can't see any other backup (of other users I mean) and you can easily "disable" users by removing them from that security group (or adding if new people start at the company)

Extracting the "admin" password as a User is not possible. They can go through the backup configuration wizard again (if they have the rights... UAC so local admin rights necessary) and they can see the username, but the password field will have the status To change the saved password, click here so there is nothing to worry about. But I still prefer the above method :D
Mike Resseler
Veeam Software
 
Posts: 3165
Liked: 362 times
Joined: Fri Feb 08, 2013 3:08 pm
Location: Belgium, the land of the fries, the beer, the chocolate and the diamonds...
Full Name: Mike Resseler

Re: Security best practises for company network

Veeam Logoby hoFFy » Thu Apr 23, 2015 1:29 pm

Mike Resseler wrote:...For the B&R repository. I think it is the best method to create a security group with your users in it. Attach that group to the permissions on the B&R repository. Now every user has the possibility to recover IF he or she would want to do it, they can't see any other backup (of other users I mean) and you can easily "disable" users by removing them from that security group (or adding if new people start at the company)...



Hi Mike,

the other points are clear, but I have my problems with the credentials...
Okay members of a special group are able to backup to the repository. They are only able to see their own backup until they are not a Restore Operator.
But am I right that there won't be a way to setup Endpoint on client side as the domain admin for example (and with his credentials for the repository) and later the normal user will only be able to see the backups of his client(s)? As longer as I'm thinking about it... this design makes sense... the Repository Server CAN'T decide which backups will be accessible by the user, if all backups are created with the same account...
Therefore: During configuration of Endpoint it is necessary to have the credentials of the user working with that client, right?

A nice feature for a future release might be, especially together with a feature for remote installations via group policies, to specify an account with which all backups are written to the repo (to be able to remote setup it, or to install software with a service-account, not with the normal user credentials (as an admin I don't always wan't to know the login data of all users out there we are administrating for reasons of data security, responsablility, legal rights and things like that)) and the ability to specify wich backups are readable with additional credentials (in this case the credentials of the user normaly working with that pc to enable file level restore to the enduser without contacting the admin.
VMCE 7 / 8 / 9, VCP-DC 5 / 5.5 / 6, MCITP:SA
Blog: machinewithoutbrain.de
hoFFy
Veeam ProPartner
 
Posts: 161
Liked: 25 times
Joined: Fri Apr 27, 2012 1:10 pm
Location: Germany / Lohne
Full Name: Sebastian Hoffmann


Return to Veeam Agent for Windows



Who is online

Users browsing this forum: No registered users and 9 guests