-
- Novice
- Posts: 3
- Liked: never
- Joined: Sep 23, 2018 12:41 pm
- Full Name: Brian Crasto
- Contact:
Feature request : Additional Security / Authentication to open Veeam Explorer.
Hello Veeam,
The Backup Operator role in Veeam offers backup admins access to read object data using Veeam Explorer, e.g. Exchange.
With our backup environment largely protected by Veeam, I have a specific requirement to restrict reading backups / Veeam Explorer to specified users (3 out of 10 Backup Operators) as part of a security requirement.
This requirement came up when we started Exchange 2016 application-aware backups from Veeam; with this, all backup admins can explore and read Exchange objects without anyone getting notified.
We have also explored auditing options using Veeam One, but it would be really helpful if Veeam could define the users who can access Veeam Explorer, restricting read access to specified users within the Backup Operator role.
Regards
Brian Crasto
-
- Veeam Software
- Posts: 712
- Liked: 168 times
- Joined: Nov 30, 2010 3:19 pm
- Full Name: Rick Vanover
- Location: Columbus, Ohio USA
- Contact:
Re: Feature request : Additional Security / Authentication to open Veeam Explorer.
That's an interesting idea - Brian. Maybe an optional configuration with roles to who can run different Explorers? Curious to what PM/R&D thinks.
-
- Novice
- Posts: 3
- Liked: never
- Joined: Sep 23, 2018 12:41 pm
- Full Name: Brian Crasto
- Contact:
Re: Feature request : Additional Security / Authentication to open Veeam Explorer.
Thanks Rick - expecting some positives from R&D - and hope the feature is introduced soon.
-
- Novice
- Posts: 3
- Liked: never
- Joined: Sep 23, 2018 12:41 pm
- Full Name: Brian Crasto
- Contact:
Re: Feature request : Additional Security / Authentication to open Veeam Explorer.
Hello Veeam PM/R&D Team,
Any comments on the feature request?
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Feature request : Additional Security / Authentication to open Veeam Explorer.
Hi Brian,
There is not much to comment on, I'm afraid. We are thinking about this (but more specifically for another solution at this moment) and we are thinking about restricting the possibility to read the body (in the case of the Veeam Explorer). Would something like that work for you? Or in other words, is it enough?
-
- Enthusiast
- Posts: 89
- Liked: 35 times
- Joined: May 09, 2016 2:34 pm
- Full Name: JM Severino
- Location: Switzerland
- Contact:
Re: Feature request : Additional Security / Authentication to open Veeam Explorer.
Hi,
I was surprised to be able to recover backups without any sort of ACLs to limit who can recover what, or at least, I've not found how to limit it. At this moment, it is full or nothing, and the problem is that there is no audit of what was recovered or seen by whom. Any Veeam operator with Veeam console access will be able to easily access my CEO's e-mail and contacts without leaving any trace from the Veeam Explorer for Microsoft Exchange if they do so while restoring somebody else's mailbox items.
I think the feature request could be split in two:
1 - Auditing. What was seen by who, when and from where, and if it was exported or not.
2 - Access control lists. What is accessible by who.
I think you may have already something ready for the ACL part because endpoints can see only their own backups.
In my use case (4 backup operators with full access and 2 helpdesk operators limited via Enterprise Manager website), what we find really important is the first one: to be able to know who got access to which data. As data, I understand not only element contents (e-mail body, file contents), but also listing things (contact list, e-mail subjects, file and folder names, etc.).
Best regards
-
- Chief Product Officer
- Posts: 31803
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Feature request : Additional Security / Authentication to open Veeam Explorer.
I am not sure about this statement: "without leaving any trace".
I am able to see all the activity in the actual restore session. My account name is shown under "Initiated by", and all the items I "touched" are shown on the Statistics tab. This even includes those items I merely viewed and did not actually restore anywhere ("Operation type" in this case is "View content").
-
- Enthusiast
- Posts: 89
- Liked: 35 times
- Joined: May 09, 2016 2:34 pm
- Full Name: JM Severino
- Location: Switzerland
- Contact:
Re: Feature request : Additional Security / Authentication to open Veeam Explorer.
Hi Gostev,
Maybe I'm looking in the wrong place, but if I do this:
Item level restore -> exchange -> restore point -> select DB -> look for a user -> click on inbox, I can read the from, to, CC and subject fields for all e-mails.
Then I can go to contacts and read any details of them. Then I go to Calendar and see the subject, attendees, location, etc. I can also go to inbox or sent items and see from who to who, dates and subjects.
In the "Restore session->Log" I see "Application item level restore started" and "Mounting restore point" and who launched the restore session. But no trace that I'm looking at somebody else's mailbox instead of the one who originated the ticket.
If I click on "Open" in any e-mail, then now I see the "Item: " entry in the statistics window, which I think is new from U3? (Nice!), but still no trace that I was overseeing all e-mails. Some subjects like "Layoff plan", "Merge with XXX", "Marketing plan for ZZZ" are interesting enough subjects without any need to open the item.
I feel it will be nice to have more logging and in a centralized place for auditing.
Regards
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Feature request : Additional Security / Authentication to open Veeam Explorer.
Hi Seve CH,
In Veeam Backup for Microsoft Office 365 you will be able to see what is touched already in the explorers. So what Anton states does exist. I asked the team if this will be going to Veeam B&R also. Stay tuned