Users have access to all backups in repository

by steffescorp » Mon May 11, 2015 10:38 pm

Good Day,

I am rather new to the Veeam realm, and I have been doing some testing with the new Free Endpoint Client. Within my testing, I noticed that users who have permission to a backup repository also have access to any backup in that repository... which in my mind makes sense, but I am trying to roll out a backup solution for many users/computers. It appears I would have to create individual repositories for each user if I don't want them to have the ability to see other users' backups? I tested this with multiple users, and they have the ability to go into other backup files, and do restores from other devices. Has anyone else come across this same issue, or am I the only one? Any information on this would be helpful.

Thank You!
steffescorp
Novice
 
Posts: 5
Liked: never
Joined: Mon May 11, 2015 10:32 pm
Full Name: Perry Schiele

Re: Users have access to all backups in repository

by Mike Resseler » Tue May 12, 2015 7:09 am (1 person likes this post)

Hi Perry,

You can put restrictions on it. Have a look at this article to get everything setup: http://helpcenter.veeam.com/endpoint/10/integrate_permissions.html

Let us know

Cheers

Mike
Mike Resseler
Veeam Software
 
Posts: 3151
Liked: 362 times
Joined: Fri Feb 08, 2013 3:08 pm
Location: Belgium, the land of the fries, the beer, the chocolate and the diamonds...
Full Name: Mike Resseler

Re: Users have access to all backups in repository

by steffescorp » Tue May 12, 2015 5:07 pm

I followed that document, and that is how I have my environment set up (security group instead). The problem I see is that if a user is a local administrator (which we strive to not do in our environment), they can essentially roam around and see all of the backups in the repository and restore files that they technically shouldn't see. Is this by design? I understand that if a normal user tries to restore a file, it will throw out an error and say they are not part of the "Backup Operators" security group on the local machine. It's kind of a security risk from my POV if someone has Local Administrator access to a machine, they can go roam around the "Backup Repository" at will, and have access to backups they should not have access to. I even tried splitting the repositories in Veeam (created 2 different repos), but it seems that the End Point Client sees all of the backups in all of the repositories when doing a simple restore (as either backup operator, or the local administrator of the computer).
steffescorp
Novice
 
Posts: 5
Liked: never
Joined: Mon May 11, 2015 10:32 pm
Full Name: Perry Schiele

Re: Users have access to all backups in repository

by steffescorp » Tue May 12, 2015 6:58 pm

http://helpcenter.veeam.com/endpoint/10 ... itory.html

This might answer my question. Apparently, since I am using a QNAP as a storage device, there are no permissions being applied (other than the default Linux permission for the local user connected to the Veeam Backup Repo). Since that might be the case, it might be the reason why all users can see each other's backups?
steffescorp
Novice
 
Posts: 5
Liked: never
Joined: Mon May 11, 2015 10:32 pm
Full Name: Perry Schiele

Re: Users have access to all backups in repository

by steffescorp » Tue May 12, 2015 8:49 pm

http://helpcenter.veeam.com/endpoint/10 ... itory.html

I've tested this (by creating a LUN on our QNAP). I connected it to our Veeam Server as the E:\ and formatted it as NTFS. I then added it as a backup repository, and I still get the same thing. All users are able to see all of the backups in the backup repository.
steffescorp
Novice
 
Posts: 5
Liked: never
Joined: Mon May 11, 2015 10:32 pm
Full Name: Perry Schiele

Re: Users have access to all backups in repository

by Mike Resseler » Wed May 13, 2015 4:29 am (1 person likes this post)

Perry,

Please make a support case through the built-in system. It shouldn't do that and every user should only see its own backups. I assume you do connect to the target by using the specific user credentials and not with a special user or the full security group?

Thanks

Mike
Mike Resseler
Veeam Software
 
Posts: 3151
Liked: 362 times
Joined: Fri Feb 08, 2013 3:08 pm
Location: Belgium, the land of the fries, the beer, the chocolate and the diamonds...
Full Name: Mike Resseler

Re: Users have access to all backups in repository

by steffescorp » Wed May 13, 2015 5:00 am

Are you sure it isn't by design... I am starting to think it is. I don't know how I missed this, but on this page --> http://helpcenter.veeam.com/endpoint/10 ... itory.html

It says on that page in a special note "If the user is granted restore permissions on the Veeam backup server, s/he will be able to see all backups on the backup repository."...

Did this note pop up overnight? I swear I did not see this yesterday when I first created this post, but apparently this is by design. If so, I can live with it. We just need to ensure none of the users have the ability to be "Local Admin / Backup Operator" on the computers that have the Endpoint Client installed.


Added note:

I find it rather difficult to manage Endpoint Backups when passwords are changed from the user's account (since it is used to connect to the Veeam B&R Repo if you choose this option). The users are not going to change their password on the Veeam Endpoint software (which means their backups will fail), so I had no choice but to create a service account. For my environment this should work, and since this product is Free, I cannot complain. It is going to save me a lot of headaches in the end.
steffescorp
Novice
 
Posts: 5
Liked: never
Joined: Mon May 11, 2015 10:32 pm
Full Name: Perry Schiele

Re: Users have access to all backups in repository

by Mike Resseler » Wed May 13, 2015 5:14 am

Perry,

I owe you an apology, just reread the entire thread and didn't realize that you were talking about permissions on the backup server and not on the local computer. Yes, that is indeed by design. Not sure how I got confused (I blame jetlag ;-))

I like your added note. And if we would go further and develop this more as an enterprise tool (IF!!!!) then this is certainly something we need to keep in mind. I'm thinking now that I will talk to the DEVs and see if there is a possibility to add a checkbox (or something) that says "Use current user" so it becomes single sign-on or something so that when the user changes his or her password on the computer, it automatically gets changed for the backups also.

Thanks

Mike
Mike Resseler
Veeam Software
 
Posts: 3151
Liked: 362 times
Joined: Fri Feb 08, 2013 3:08 pm
Location: Belgium, the land of the fries, the beer, the chocolate and the diamonds...
Full Name: Mike Resseler

Re: Users have access to all backups in repository

by indigomike » Wed Aug 12, 2015 3:28 pm

Perry,

Can I ask how creating a service account fixed this issue for you? I have my environment set up the same way (all Windows though) and have also noticed (luckily before I rolled it out) that all users will be able to browse backups of other users. I have created a service account as well but users will still be able to see all endpoint backups as the agent runs under that service account. Still the only way I see around this is one of the following options:
- Create a repository and service account for each user
- Create a service account for each user and play with NTFS permissions within a single repository to restrict each user's service account to a single folder within that repository (which I am about to test now). All of my users are unfortunately admins on their own PCs.

Any thoughts?
indigomike
Influencer
 
Posts: 15
Liked: 1 time
Joined: Mon Mar 23, 2015 3:16 pm
Full Name: Mike Tisdale

Re: Users have access to all backups in repository

by Dima P. » Wed Aug 12, 2015 3:57 pm

indigomike,

To clarify, is the backup destination a Veeam backup repository or a shared folder?
Dima P.
Veeam Software
 
Posts: 6242
Liked: 440 times
Joined: Mon Feb 04, 2013 2:07 pm
Location: SPb
Full Name: Dmitry Popov

Re: Users have access to all backups in repository

by indigomike » Wed Aug 12, 2015 7:08 pm

It is a Veeam backup repository.

Based on testing I have done today, it appears that I will just have to have a service account per user for now unless I am missing something. The three PCs I am testing with were all backed up using the same service account (for the reason Perry pointed out about when users change their password). All three of these PCs had the ability to see and restore files from each other's backups, which is a huge security concern and a nightmare for me if an exec found out someone other than IT had access to see the confidential files on his/her PC. I then installed VEB on a 4th PC using a different service account this time and that PC is unable to see the other 3 PCs' backups. In the reverse, I cannot see the backup of the 4th PC from any of the other 3 PCs. This leads me to believe in the current design that while each user account (the one running the VEB backup job) must be added to the permissions of the repository in order to read from and write to it, the permissions to view backups start at the folder that is created within the repository for each account that configures a backup job (i.e. 'DOMAIN_PC1ServiceAccount). In this way a folder will be created each time I configure VEB on a new PC (as long as I create a new service account) and then because it is running under an account no other PC is using, it can only see its own backups. This will keep me from having to also have a repository per user which is good. Just let me know if there is an easier way given the current design or if I am missing something else.
indigomike
Influencer
 
Posts: 15
Liked: 1 time
Joined: Mon Mar 23, 2015 3:16 pm
Full Name: Mike Tisdale

Re: Users have access to all backups in repository

by Dima P. » Thu Aug 13, 2015 1:40 pm

indigomike,
Thanks! If it’s a backup repository you can use a regular user’s account – users should be able to see only their own backup file once they enter their credentials in the wizards. Additionally, it’s possible to use a computer account to authenticate (and you can add it to the repository permission list).
Dima P.
Veeam Software
 
Posts: 6242
Liked: 440 times
Joined: Mon Feb 04, 2013 2:07 pm
Location: SPb
Full Name: Dmitry Popov

Re: Users have access to all backups in repository

by indigomike » Thu Aug 13, 2015 1:48 pm

Dima P.

Yes, users can only see their own backups but the fact that users change their passwords (as Perry first pointed out) does not make that an acceptable solution as they would also have to reconfigure their own backups. This is why a service account must be used. However, the service account for each user must be unique or it allows all users using the same service account to see each other's backups.

As for the 'computer account' option, where is that? When you add permissions to a repository, the only domain objects you are allowed to select are "User or Group". A computer object would be the best solution by far I think as I would not need a new service account per user.

---UPDATE---
And sorry for missing that under the repository permissions when you switch to Entire Directory in the 'From this location' field you do have the option to select a Computer object.
indigomike
Influencer
 
Posts: 15
Liked: 1 time
Joined: Mon Mar 23, 2015 3:16 pm
Full Name: Mike Tisdale

Re: Users have access to all backups in repository

by Dima P. » Thu Aug 13, 2015 1:52 pm

If you do not select the Specify your personal credentials check box, Veeam Endpoint Backup will connect to the backup repository using the NT AUTHORITY\SYSTEM
Dima P.
Veeam Software
 
Posts: 6242
Liked: 440 times
Joined: Mon Feb 04, 2013 2:07 pm
Location: SPb
Full Name: Dmitry Popov
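
An added example, not part of any post in this thread and not Veeam's code: a Python check over a constructed endpoint inventory that flags endpoints connecting to the repository under the same identity, which per the testing described above lets them see each other's backups. The inventory, the account names and the `effective_identity` helper are hypothetical; it assumes domain-joined machines, where NT AUTHORITY\SYSTEM authenticates over the network as the computer account.

```python
from collections import defaultdict

# Constructed inventory (not from the thread): endpoint name, AD domain, and the
# account entered for the repository connection. None means the
# "Specify your personal credentials" box was left unchecked.
INVENTORY = [
    ("PC1", "CORP", "CORP\\svc-veb"),
    ("PC2", "CORP", "corp\\SVC-VEB"),      # same account, different case
    ("PC3", "CORP", "svc-veb@corp"),       # same account, UPN form
    ("PC4", "CORP", "CORP\\svc-veb-pc4"),  # dedicated service account
    ("PC5", "CORP", None),                 # connects as SYSTEM
    ("PC6", "CORP", None),
]

def effective_identity(endpoint, domain, account):
    """Return the identity the repository sees, normalised to DOMAIN\\NAME."""
    if account is None:
        # Assumption: domain-joined machine, so SYSTEM appears on the
        # network as the computer account DOMAIN\HOSTNAME$.
        return f"{domain}\\{endpoint}$".upper()
    if "\\" in account:
        dom, name = account.split("\\", 1)
    elif "@" in account:
        name, dom = account.split("@", 1)
        # Assumption: the UPN suffix starts with the NetBIOS domain name.
        dom = dom.split(".", 1)[0]
    else:
        dom, name = domain, account
    return f"{dom}\\{name}".upper()

def shared_visibility_groups(inventory):
    """Map each identity used by two or more endpoints to those endpoints."""
    by_identity = defaultdict(list)
    for endpoint, domain, account in inventory:
        by_identity[effective_identity(endpoint, domain, account)].append(endpoint)
    return {i: sorted(eps) for i, eps in by_identity.items() if len(eps) > 1}

def report(inventory):
    """One line per shared identity, listing the endpoints exposed to each other."""
    groups = shared_visibility_groups(inventory)
    return [f"SHARED {i}: {', '.join(eps)}" for i, eps in sorted(groups.items())]

if __name__ == "__main__":
    print("\n".join(report(INVENTORY)) or "no shared identities")
```
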

Re: Users have access to all backups in repository

by indigomike » Thu Aug 13, 2015 1:54 pm

Ok, I will give this a try and post back later. If this works as I hope it does, then this will be a much better solution. Thanks for pointing that out!
indigomike
Influencer
 
Posts: 15
Liked: 1 time
Joined: Mon Mar 23, 2015 3:16 pm
Full Name: Mike Tisdale
