b.vanhaastrecht
Service Provider
Posts: 880
Liked: 164 times
Joined: Aug 26, 2013 7:46 am
Full Name: Bastiaan van Haastrecht
Location: The Netherlands

Many to one proxy security

Post by b.vanhaastrecht »

Hi,

I'm in the process of building a many to one Veeam proxy with WAN acceleration enabled. The sources are going to be managed customers, but nevertheless security is a high priority. We are able to split the repository, but I have security concerns about the proxy.

1) We manually deployed the destination proxy software, and future updates are going to be done manually. So we think we eliminated the rights needed for installation of software, correct?
2) What are the minimum rights needed of the user used in the Windows Server object which is going to be used as the destination proxy? Can it be brought down to a (normal) user, perhaps with some file/registry rights set?
3) Focussed on the destination proxy, are there any other security issues we should know about?

Thanks again, regards,
Bastiaan
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Many to one proxy security

Post by foggy »

Bastiaan, basically, an administrative account is required for the initial proxy setup only, but we haven't tested the minimum required permissions set internally. You can go on and check this by yourself.

Re: Many to one proxy security

Post by b.vanhaastrecht »

Hi. I've finished my testing. There is no way around the administrative level access. The administrative share /ADMIN$ can only be accessed by an administrator level user. Veeam B&R uses this share to deploy/maintain its components. The wizard of a Windows Server object in Veeam B&R does an access level check, no read/write to /ADMIN$ results in an access error.

Too bad, as when the necessary Veeam components are already installed there should be no need for this access level. The services run as LocalSystem and they have all the rights they need to operate. This means we need to deploy a separate proxy per customer to maintain optimum security. Unless somebody has a genius solution for this...?
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
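
The ADMIN$ read/write check and the LocalSystem observation from this thread can be verified outside the B&R wizard. The PowerShell below is an added example, not part of the original posts and not Veeam code; the function name `Test-AdminShareAccess`, the host name in the usage comment, and the assumption that the Veeam services have display names starting with "Veeam" are illustrative.

```powershell
# Added example. Run part 1 from the B&R server, part 2 locally on the destination proxy.

# Part 1: does the account registered for the Windows Server object have
# read/write on \\proxy\ADMIN$ (the access the thread says the wizard checks)?
function Test-AdminShareAccess {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $result = [ordered]@{
        Computer = $ComputerName
        Account  = $Credential.UserName
        CanRead  = $false
        CanWrite = $false
        Error    = $null
    }
    $drive = 'AdmProbe'   # temporary PSDrive name (hypothetical)
    try {
        New-PSDrive -Name $drive -PSProvider FileSystem -Root "\\$ComputerName\ADMIN`$" `
                    -Credential $Credential -ErrorAction Stop | Out-Null
        Get-ChildItem -Path "${drive}:\" -ErrorAction Stop | Select-Object -First 1 | Out-Null
        $result.CanRead = $true

        # Write probe: create and immediately delete a uniquely named file.
        $probe = "${drive}:\probe-$([guid]::NewGuid()).tmp"
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        $result.CanWrite = $true
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        Remove-PSDrive -Name $drive -ErrorAction SilentlyContinue
    }
    [pscustomobject]$result
}
# Usage (constructed host name):
#   Test-AdminShareAccess -ComputerName 'proxy01.example.test' -Credential (Get-Credential)

# Part 2: on the proxy itself, list every principal holding local admin
# (each of them can reach ADMIN$) and the logon account of each Veeam service.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource
Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE 'Veeam%'" |
    Select-Object Name, DisplayName, StartName, State
```

On a shared many-to-one proxy, the Administrators listing shows which customer-facing credentials carry full control of the host, which is the exposure that led to the per-customer proxy conclusion above.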