Comprehensive data protection for all workloads
brian.crasto
Novice
Posts: 3
Liked: never
Joined: Sep 23, 2018 12:41 pm
Full Name: Brian Crasto
Contact:

Feature request : Additional Security / Authentication to open Veeam Explorer.

Post by brian.crasto » Sep 24, 2018 7:20 am

Hello Veeam,

The Backup Operator role in Veeam offers backup admins access to read object data using Veeam Explorer - e.g. Exchange.
With our backup environment largely protected by Veeam, I have a specific requirement to restrict reading backups / Veeam Explorer to specified users (3 out of 10 Backup Operators) as part of a security requirement.

This requirement came up when we started Exchange 2016 application-aware backups from Veeam; with this, all backup admins can explore and read Exchange objects without anyone getting notified.
We have also explored auditing options using Veeam ONE, but it would be really helpful if Veeam could define users who can access Veeam Explorer, restricting read access to specified users within Backup Operators.

Regards
Brian Crasto

Rick.Vanover
Veeam Software
Posts: 553
Liked: 117 times
Joined: Nov 30, 2010 3:19 pm
Full Name: Rick Vanover
Location: Columbus, Ohio USA
Contact:

Re: Feature request : Additional Security / Authentication to open Veeam Explorer.

Post by Rick.Vanover » Sep 24, 2018 5:02 pm

That's an interesting idea, Brian. Maybe an optional configuration with roles for who can run different Explorers? Curious what PM/R&D thinks.

Re: Feature request : Additional Security / Authentication to open Veeam Explorer.

Post by brian.crasto » Sep 25, 2018 3:28 am

Thanks Rick - expecting some positives from R&D, and I hope the feature is introduced soon.

Re: Feature request : Additional Security / Authentication to open Veeam Explorer.

Post by brian.crasto » Oct 15, 2018 3:26 am

Hello Veeam PM/R&D Team,
Any comments on the feature request?

Mike Resseler
Product Manager
Posts: 5275
Liked: 556 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Feature request : Additional Security / Authentication to open Veeam Explorer.

Post by Mike Resseler » Oct 15, 2018 4:52 am

Hi Brian,

There is not much to comment on, I'm afraid. We are thinking about this (but more specifically for another solution at this moment) and we are thinking about restricting the possibility to read the body (in the case of the Veeam Explorer). Would something like that work for you? Or in other words, is it enough?

Seve CH
Influencer
Posts: 18
Liked: 9 times
Joined: May 09, 2016 2:34 pm
Full Name: JM Severino
Location: Switzerland
Contact:

Re: Feature request : Additional Security / Authentication to open Veeam Explorer.

Post by Seve CH » Oct 15, 2018 2:36 pm

Hi,

I was surprised to be able to recover backups without any sort of ACLs to limit who can recover what, or at least, I've not found how to limit it. At this moment, it is full or nothing, and the problem is that there is no audit about what was recovered or seen by whom. Any Veeam operator with Veeam console access will be able to easily access my CEO's e-mail and contacts without leaving any trace from the Veeam Explorer for Microsoft Exchange if they do so while restoring somebody else's mailbox items.

I think the feature request could be split in two:
1 - Auditing. What was seen by who, when and from where, and if it was exported or not.
2 - Access control lists. What is accessible by who.

I think you may have already something ready for the ACL part because endpoints can see only their own backups.

In my use case (4 backup operators with full access and 2 helpdesk operators limited via Enterprise Manager website), what we find really important is the first one: to be able to know who got access to which data. As data, I understand not only element contents (e-mail body, file contents), but also listing things (contact list, e-mail subjects, file and folder names, etc.).

Best regards

Gostev
SVP, Product Management
Posts: 23636
Liked: 3123 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request : Additional Security / Authentication to open Veeam Explorer.

Post by Gostev » Oct 15, 2018 8:37 pm

Seve CH wrote:
Oct 15, 2018 2:36 pm
Any Veeam operator with Veeam console access will be able to easily access my CEO e-mail and contacts without leaving any trace from the Veeam Explorer for Microsoft Exchange if they do so while restoring somebody else mailbox items
I am not sure about this statement: "without leaving any trace".

I am able to see all the activity in the actual restore session. My account name is shown under "Initiated by", and all the items I "touched" are shown on the Statistics tab. This even includes those items I merely viewed and did not actually restore anywhere ("Operation type" in this case is "View content").

Re: Feature request : Additional Security / Authentication to open Veeam Explorer.

Post by Seve CH » Nov 08, 2018 7:14 am

Hi Gostev,

Maybe I'm looking in the wrong place, but if I do this:
Item level restore -> Exchange -> restore point -> select DB -> look for a user -> click on inbox, I can read the From, To, CC and Subject fields for all e-mails.

Then I can go to contact and read any details of them. Then I go to Calendar and see the subject, attendees, location, etc. I can also go to inbox or sent items and see from who to who, dates and subjects.

In the "Restore session->Log" I see "Application item level restore started" and "Mounting restore point" and who launched the restore session. But there is no trace that I'm looking at somebody else's mailbox instead of that of the one who originated the ticket.

If I click on "Open" in any e-mail, then I now see the "Item: " entry in the statistics window, which I think is new from U3? (Nice :)!), but still no trace that I was overseeing all e-mails. Some subjects like "Layoff plan", "Merge with XXX", "Marketing plan for ZZZ" are interesting enough subjects without any need to open the item.

I feel it would be nice to have more logging, and in a centralized place for auditing.

Regards

Re: Feature request : Additional Security / Authentication to open Veeam Explorer.

Post by Mike Resseler » Nov 09, 2018 8:49 am

Hi Seve CH,

In Veeam Backup for Microsoft Office 365 you will be able to see what is touched already in the explorers. So what Anton states does exist. I asked the team if this will be going to Veeam B&R also. Stay tuned.
