Currently it is possible to browse files on Windows and Linux servers that are added to the Veeam Console. This is also possible for Linux servers hosting hardened repositories. The connection seems to be made via the transport service with the user that was used to add the repository. When implemented correctly, one-time credentials were used and the user is not privileged, so it is not possible to delete or change any immutable files. Nevertheless, all files this user has access to can be seen. Even the content is shown. Because of this, a hacker can possibly draw conclusions about the software used on the basis of the existing files and directories.
Is there a plan to change this in a future release?
-
- Veeam Software
- Posts: 79
- Liked: 22 times
- Joined: Oct 15, 2015 2:57 pm
- Full Name: Wolfgang Scheer
Browse Files on Hardened Repository Linux
Wolfgang | CEMEA Solutions Architect | vnote42.net
-
- Product Manager
- Posts: 14839
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: Browse Files on Hardened Repository Linux
Hello,
I see the point, but what makes this more risky on a Hardened Repository than on any other Windows or Linux machine? It's a feature of the software to be able to back up / restore / copy / modify things on managed Veeam servers. If someone already has access to all backups, I'm not sure how much he can really learn from browsing managed server data... he already has access to all backups.
Best regards,
Hannes
-
- Veeam Software
- Posts: 79
- Liked: 22 times
- Joined: Oct 15, 2015 2:57 pm
- Full Name: Wolfgang Scheer
Re: Browse Files on Hardened Repository Linux
When you disable this browsing-functionality for hardened repository servers, the server becomes more of a black box. And for these servers it makes no sense to browse files at this level. From my perspective this would be beneficial to the concept of a hardened repository server.
Wolfgang | CEMEA Solutions Architect | vnote42.net
-
- Product Manager
- Posts: 14839
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: Browse Files on Hardened Repository Linux
I'm not convinced yet, because an attacker already has full access to the backups.
On the other hand, I will check whether that might be an "easy improvement" in a future version. Today, Hardened Repository is a repository feature and the files section is a "managed server" thing. They don't know about each other, and a user could just remove the checkbox and then it's a normal Linux repository. Or he could mix hardened and non-hardened repositories on one server. That is something that needs to be addressed before there is a chance to realize what you ask for.