Why does Veeam Agent require permanent local administrator permission to work?
While I do understand why it would be required for initial installation of the software, possibly also for updates.
I could live with it requiring administrator role for certain recovery operations..
But the rest of 99,9999...% of the time if just takes backup of files/blocks.
So why isn't it possible to rely on backup operator the rest of the time, instead of having a password with administrative permission on backup server.
-
- Enthusiast
- Posts: 37
- Liked: 1 time
- Joined: Apr 11, 2019 11:37 am
- Full Name: Dejan Ilic
- Contact:
-
- Enthusiast
- Posts: 48
- Liked: 7 times
- Joined: Jun 18, 2013 8:12 am
- Full Name: Nils Petersen
- Contact:
Re: Why isn't "Backup Operator" role used ("day 2" question)
Veeam Agent uses volume shadow copies and requires full access to the disk(s). After all, even files with priviledged access are backed up.
-
- Enthusiast
- Posts: 37
- Liked: 1 time
- Joined: Apr 11, 2019 11:37 am
- Full Name: Dejan Ilic
- Contact:
Re: Why isn't "Backup Operator" role used ("day 2" question)
Yes, but the backup operator is able to access these files as a part of the role features:
"Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files."
https://docs.microsoft.com/en-us/window ... poperators
The VSS handling could be done thru a minimal Veeam VSS handling service and nothing else (for security reasons), or possible if the the software (MSSQL) does that when asked to go into backup mode.
I think that Veeam Agent for Linux does that separation into two parts, one daemon with priviledges and other part with less permissions.
If restore requires administrative rights it could ask for the user/password without saving credentials with the higher permissions thus not leaving a possible stash usefull for malware.
"Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files."
https://docs.microsoft.com/en-us/window ... poperators
The VSS handling could be done thru a minimal Veeam VSS handling service and nothing else (for security reasons), or possible if the the software (MSSQL) does that when asked to go into backup mode.
I think that Veeam Agent for Linux does that separation into two parts, one daemon with priviledges and other part with less permissions.
If restore requires administrative rights it could ask for the user/password without saving credentials with the higher permissions thus not leaving a possible stash usefull for malware.
-
- Product Manager
- Posts: 14726
- Liked: 1707 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Why isn't "Backup Operator" role used ("day 2" question)
Hello Dejan,
When you install Veeam Agent for Windows as a standalone produce (i.e. not managed by Veeam B&R console) it runs under local system account. For Veeam B&R perspective admin access is required to access the machine, install the agent, upgrade all the needed components it, run required services. Thanks!
When you install Veeam Agent for Windows as a standalone produce (i.e. not managed by Veeam B&R console) it runs under local system account. For Veeam B&R perspective admin access is required to access the machine, install the agent, upgrade all the needed components it, run required services. Thanks!
Who is online
Users browsing this forum: No registered users and 11 guests