Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Post Reply
dejan.ilic
Enthusiast
Posts: 37
Liked: 1 time
Joined: Apr 11, 2019 11:37 am
Full Name: Dejan Ilic
Contact:

Why isn't "Backup Operator" role used ("day 2" question)

Post by dejan.ilic »

Why does Veeam Agent require permanent local administrator permission to work?
While I do understand why it would be required for initial installation of the software, possibly also for updates.
I could live with it requiring administrator role for certain recovery operations..

But the rest of 99,9999...% of the time if just takes backup of files/blocks.
So why isn't it possible to rely on backup operator the rest of the time, instead of having a password with administrative permission on backup server.
Nils
Enthusiast
Posts: 48
Liked: 7 times
Joined: Jun 18, 2013 8:12 am
Full Name: Nils Petersen
Contact:

Re: Why isn't "Backup Operator" role used ("day 2" question)

Post by Nils » 1 person likes this post

Veeam Agent uses volume shadow copies and requires full access to the disk(s). After all, even files with priviledged access are backed up.
dejan.ilic
Enthusiast
Posts: 37
Liked: 1 time
Joined: Apr 11, 2019 11:37 am
Full Name: Dejan Ilic
Contact:

Re: Why isn't "Backup Operator" role used ("day 2" question)

Post by dejan.ilic »

Yes, but the backup operator is able to access these files as a part of the role features:
"Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files."
https://docs.microsoft.com/en-us/window ... poperators

The VSS handling could be done thru a minimal Veeam VSS handling service and nothing else (for security reasons), or possible if the the software (MSSQL) does that when asked to go into backup mode.
I think that Veeam Agent for Linux does that separation into two parts, one daemon with priviledges and other part with less permissions.
If restore requires administrative rights it could ask for the user/password without saving credentials with the higher permissions thus not leaving a possible stash usefull for malware.
Dima P.
Product Manager
Posts: 14726
Liked: 1707 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Why isn't "Backup Operator" role used ("day 2" question)

Post by Dima P. »

Hello Dejan,

When you install Veeam Agent for Windows as a standalone produce (i.e. not managed by Veeam B&R console) it runs under local system account. For Veeam B&R perspective admin access is required to access the machine, install the agent, upgrade all the needed components it, run required services. Thanks!
Post Reply

Who is online

Users browsing this forum: No registered users and 11 guests