-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: May 11, 2015 10:32 pm
- Full Name: IT Department
- Contact:
Users have access to all backups in repository
Good Day,
I am rather new to the Veeam realm, and I have been doing some testing with the new Free Endpoint Client. Within my testing, I noticed that users who have permission to a backup repository also have access to any backup in that repository... which in my mind makes sense, but I am trying to roll out a backup solution for many users/computers. It appears I would have to create individual repositories for each user if I don't want them to have the ability to see other users' backups? I tested this with multiple users, and they have the ability to go into other backup files, and do restores from other devices. Has anyone else come across this same issue, or am I the only one? Any information on this would be helpful.
Thank You!
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Users have access to all backups in repository
Hi Perry,
You can put restrictions on it. Have a look at this article to get everything set up: http://helpcenter.veeam.com/endpoint/10 ... sions.html
Let us know
Cheers
Mike
-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: May 11, 2015 10:32 pm
- Full Name: IT Department
- Contact:
Re: Users have access to all backups in repository
I followed that document, and that is how I have my environment set up (security group instead). The problem I see is that if a user is a local administrator (which we strive to not do in our environment), they can essentially roam around and see all of the backups in the repository and restore files that they technically shouldn't see. Is this by design? I understand that if a normal user tries to restore a file, it will throw out an error and say they are not part of the "Backup Operators" security group on the local machine. It's kind of a security risk from my POV if someone has Local Administrator access to a machine, they can go roam around the "Backup Repository" at will, and have access to backups they should not have access to. I even tried splitting the repositories in Veeam (created 2 different repos), but it seems that the End Point Client sees all of the backups in all of the repositories when doing a simple restore (as either backup operator, or the local administrator of the computer).
-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: May 11, 2015 10:32 pm
- Full Name: IT Department
- Contact:
Re: Users have access to all backups in repository
http://helpcenter.veeam.com/endpoint/10 ... itory.html
This might answer my question. Apparently, since I am using a QNAP as a storage device, there are no permissions being applied (other than the default Linux permission for the local user connected to the Veeam Backup Repo). Since that might be the case, it might be the reason why all users can see each other's backups?
-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: May 11, 2015 10:32 pm
- Full Name: IT Department
- Contact:
Re: Users have access to all backups in repository
http://helpcenter.veeam.com/endpoint/10 ... itory.html
I've tested this (by creating a LUN on our QNAP). I connected it to our Veeam Server as the E:\ and formatted it as NTFS. I then added it as a backup repository, and I still get the same thing. All users are able to see all of the backups in the backup repository.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Users have access to all backups in repository
Perry,
Please make a support case through the built-in system. It shouldn't do that and every user should only see its own backups. I assume you do connect to the target by using the specific user credentials and not with a special user or the full security group?
Thanks
Mike
-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: May 11, 2015 10:32 pm
- Full Name: IT Department
- Contact:
Re: Users have access to all backups in repository
Are you sure it isn't by design... I am starting to think it is. I don't know how I missed this, but on this page --> http://helpcenter.veeam.com/endpoint/10 ... itory.html
It says on that page in a special note "If the user is granted restore permissions on the Veeam backup server, s/he will be able to see all backups on the backup repository."...
Did this note pop up overnight? I swear I did not see this yesterday when I first created this post, but apparently this is by design. If so, I can live with it. We just need to ensure none of the users have the ability to be "Local Admin / Backup Operator" on the computers that have the Endpoint Client installed.
Added note:
I find it rather difficult to manage Endpoint Backups when passwords are changed from the user's account (since it is used to connect to the Veeam B&R Repo if you choose this option). The users are not going to change their password on the Veeam Endpoint software (which means their backups will fail), so I had no choice but to create a service account. For my environment this should work, and since this product is Free, I cannot complain. It is going to save me a lot of headaches in the end.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Users have access to all backups in repository
Perry,
I owe you an apology, just reread the entire thread and didn't realize that you were talking about permissions on the backup server and not on the local computer. Yes, that is indeed by design. Not sure how I got confused (I blame jetlag).
I like your added note. And if we would go further and develop this more as an enterprise tool (IF!!!!) then this is certainly something we need to keep in mind. I'm thinking now that I will talk to the DEVs and see if there is a possibility to add a checkbox (or something) that says "Use current user" so it becomes single sign-on or something, so that when the user changes his or her password on the computer, it automatically gets changed for the backups also.
Thanks
Mike
-
- Influencer
- Posts: 15
- Liked: 1 time
- Joined: Mar 23, 2015 3:16 pm
- Full Name: Mike Tisdale
- Contact:
Re: Users have access to all backups in repository
Perry,
Can I ask how creating a service account fixed this issue for you? I have my environment set up the same way (all Windows though) and have also noticed (luckily before I rolled it out) that all users will be able to browse backups of other users. I have created a service account as well but users will still be able to see all endpoint backups as the agent runs under that service account. Still the only way I see around this is one of the following options:
- Create a repository and service account for each user
- Create a service account for each user and play with NTFS permissions within a single repository to restrict each user's service account to a single folder within that repository (which I am about to test now). All of my users are unfortunately admins on their own PCs.
Any thoughts?
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Users have access to all backups in repository
indigomike,
To clarify, is the backup destination a Veeam backup repository or a shared folder?
-
- Influencer
- Posts: 15
- Liked: 1 time
- Joined: Mar 23, 2015 3:16 pm
- Full Name: Mike Tisdale
- Contact:
Re: Users have access to all backups in repository
It is a Veeam backup repository.
Based on testing I have done today, it appears that I will just have to have a service account per user for now unless I am missing something. The three PCs I am testing with were all backed up using the same service account (for the reason Perry pointed out about when users change their password). All three of these PCs had the ability to see and restore files from each other's backups, which is a huge security concern and a nightmare for me if an exec found out someone other than IT had access to see the confidential files on his/her PC. I then installed VEB on a 4th PC using a different service account this time and that PC is unable to see the other 3 PCs' backups. In the reverse, I cannot see the backup of the 4th PC from any of the other 3 PCs. This leads me to believe in the current design that while each user account (the one running the VEB backup job) must be added to the permissions of the repository in order to read from and write to it, the permissions to view backups start at the folder that is created within the repository for each account that configures a backup job (i.e. 'DOMAIN_PC1ServiceAccount'). In this way a folder will be created each time I configure VEB on a new PC (as long as I create a new service account) and then because it is running under an account no other PC is using, it can only see its own backups. This will keep me from having to also have a repository per user which is good. Just let me know if there is an easier way given the current design or if I am missing something else.
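Added example (not part of any post in this thread, and not Veeam code): a small audit that models the visibility behaviour reported above, where endpoints sharing one repository account can browse each other's backups and, per the help-center note quoted earlier, an account with restore permissions on the backup server sees every backup. The endpoint names, account names and inventory are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: endpoint -> account its backup job uses to connect
# to the repository. All names here are hypothetical.
JOBS = {
    "PC1": r"DOMAIN\svc-backup",
    "PC2": r"DOMAIN\svc-backup",
    "PC3": r"DOMAIN\svc-backup",
    "PC4": r"DOMAIN\svc-pc4",
    "PC5": r"DOMAIN\alice",
}

# Constructed: accounts that hold restore permissions on the backup server.
RESTORE_OPERATORS = {r"DOMAIN\alice"}


def visible_backups(jobs, restore_operators):
    """Return {endpoint: set of endpoints whose backups it can browse}.

    Assumed model, taken from the thread: visibility follows the connecting
    account, and restore permissions on the server expose all backups.
    """
    by_account = defaultdict(set)
    for endpoint, account in jobs.items():
        # Windows account names are case-insensitive, so normalise them.
        by_account[account.lower()].add(endpoint)
    operators = {a.lower() for a in restore_operators}
    everything = set(jobs)
    view = {}
    for endpoint, account in jobs.items():
        key = account.lower()
        view[endpoint] = set(everything) if key in operators else set(by_account[key])
    return view


def exposure_findings(jobs, restore_operators):
    """List (endpoint, account, other endpoints exposed) for each endpoint
    that can browse backups other than its own."""
    findings = []
    for endpoint, seen in sorted(visible_backups(jobs, restore_operators).items()):
        others = sorted(seen - {endpoint})
        if others:
            findings.append((endpoint, jobs[endpoint], others))
    return findings


if __name__ == "__main__":
    for endpoint, account, others in exposure_findings(JOBS, RESTORE_OPERATORS):
        print(f"{endpoint} ({account}) can browse backups of: {', '.join(others)}")
```

Run against a real inventory export, an empty findings list means every endpoint is limited to its own backups under this model.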
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Users have access to all backups in repository
indigomike,
Thanks! If it’s a backup repository you can use a regular user’s account – users should be able to see only their own backup file once they enter their credentials in the wizards. Additionally, it’s possible to use a computer account to authenticate (and you can add it to the repository permission list).
-
- Influencer
- Posts: 15
- Liked: 1 time
- Joined: Mar 23, 2015 3:16 pm
- Full Name: Mike Tisdale
- Contact:
Re: Users have access to all backups in repository
Dima P.
Yes, users can only see their own backups but the fact that users change their passwords (as Perry first pointed out) does not make that an acceptable solution as they would also have to reconfigure their own backups. This is why a service account must be used. However, the service account for each user must be unique or it allows all users using the same service account to see each other's backups.
As for the 'computer account' option, where is that? When you add permissions to a repository, the only domain objects you are allowed to select are "User or Group". A computer object would be the best solution by far I think as I would not need a new service account per user.
---UPDATE---
And sorry for missing that under the repository permissions when you switch to Entire Directory in the 'From this location' field you do have the option to select a Computer object.
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Users have access to all backups in repository
If you do not select the Specify your personal credentials check box, Veeam Endpoint Backup will connect to the backup repository using the NT AUTHORITY\SYSTEM
-
- Influencer
- Posts: 15
- Liked: 1 time
- Joined: Mar 23, 2015 3:16 pm
- Full Name: Mike Tisdale
- Contact:
Re: Users have access to all backups in repository
Ok, I will give this a try and post back later. If this works as I hope it does, then this will be a much better solution. Thanks for pointing that out!
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Users have access to all backups in repository
You are welcome Mike! It should work as described: your case is one of the reasons why we got this implemented.
-
- Influencer
- Posts: 15
- Liked: 1 time
- Joined: Mar 23, 2015 3:16 pm
- Full Name: Mike Tisdale
- Contact:
Re: Users have access to all backups in repository
So while this did work as expected, the more I think on this I believe I am going to stick with having a service account per user. I think this will provide me some more flexibility in the future. For example, if you have users who do not have PCs that closely resemble their name (I certainly do), I would rather know by username which jobs succeed/fail/etc. Also, if a user's PC name has to be changed for whatever reason, one of two things will happen.
- either the agent will have to create a new full backup because it will be creating a new folder on the repository with the new PC name in it
- or I will then be left with backups from a new PC name writing to an old PC name folder.
Having a service account per user will also allow each user to keep all their backups visible to them for file restore purposes (assuming you have technical users) if they have multiple workstation/laptops, which we do. For instance, if a user left their work laptop at home but needed access to a file on it from their desktop, as long as that file has been backed up they will be able to restore a copy of it on their own.
Maybe it is not worth having the extra accounts but I think this will keep things cleaner and more straightforward for my environment. Thanks for your help!
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Users have access to all backups in repository
Thanks for the heads up Mike!
P.S. If you change the computer name the next job run is incremental. Just tested it myself.