User with Veeam Agent for Windows cannot restore files

[BackupUserInReno]

Veeam created an extremely useful tool that a user could use to retrieve her own archived files without assistance. Then they broke it. Solution below, if they want to use it...

I just found out why the user cannot restore her files using the Veeam Agent.

Code: Select all

• A user account under which you start the restore operation must have administrative privileges on the Veeam Agent computer. If the account under which you are currently logged on to Microsoft Windows does not have administrative privileges, you will be prompted to enter administrator credentials.

The backup process includes recoding file authentication information.

The restoration process includes reading all the file information.

Veeam should show only the files the user has read and read/write access to, and only restore them to areas she has write-access.

This way, the user in question could restore their own files, preserving security to other files in the backup file.

As a big bonus, the user is not waiting on being scheduled with help desk to restore a files the Veeam agent should have allowed her to restore on her own.

[Gostev]

I'm not sure I follow: who broke what and when? What worked before that does not work now? Please clarify.

As for the issue, I'm pretty sure it's technically impossible to mount a new volume without local administrative privileges. While this is an essential step to be able to restore individual files from an image-level backup.

Perhaps image-level backup is simply a wrong approach for your specific needs and requirements?

[BackupUserInReno]

I'm fairly certain the Veeam backup agent could be designed to run as SYSTEM level service. After all, there are many other services in the Windows environment that run without the user needing to elevate processes. That would allow the Veeam Agent to open the backup image. After that, it would merely be a case of checking user credentials against the files in the archive to (1) confirm access to the files selected, and (2) confirm the user has access to the requested destination.

[Gostev]

Well, there's actually a reason why mount operation requires admin-level access in both Windows and Linux: mounting filesystems has multiple very high security risks associated and allowing regular users do that (even if by asking a local service running as SYSTEM to do it for them) is a very bad idea indeed from security perspective... Veeam Agent would be the best tool in any hacker's arsenal with all sorts of privilege escalation vulnerabilities such functionality would enable.