Hello,
Recently we noticed that the System Administrator of the Server has admin access to VBR. Anyone part of the Local System Administrator group will have access to VBR and it's a serious concern in terms of security as the local admin group will have members from various support teams. As per the response from the Veeam support case, it was confirmed that this is how it works.
Now we are looking for mitigating this issue, Do we have an option to restrict or limit that access to VBR?
Thanks,
Sankar
-
Sankar
- Lurker
- Posts: 2
- Liked: never
- Joined: Jul 02, 2021 3:17 pm
- Full Name: Sankar Pillai
- Contact:
-
Mildur
- Product Manager
- Posts: 9848
- Liked: 2607 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Restricting Access to VBR
Hi Sankar
Users with local admin permissions have always access to all data and processes on a server. Even if you remove vbr permissions for the local administrator, they have the power to get this permissions back.
When you are talking about „as the local admin group will have members from various support teams“, it looks like your server is in the production domain (Domain Admins have Local Admin permission) or you gave them an local admin user to use rdp for remote access to open the vbr console.
That would be my first thing todo, remove the backup server from the production domain. And if you gave them local admins for remote access todo restores, ask yourself, why various support teams needs remote access to the server.
If you want them to have the possibility todo restores, use Enterprise Manager or use vbr console remotely from a management server. The local user for the vbr console should only have Restore Operator permission. Don‘t give put the local windows user in the local administrators group.
You can find more about hardening your vbr server here.
Users with local admin permissions have always access to all data and processes on a server. Even if you remove vbr permissions for the local administrator, they have the power to get this permissions back.
When you are talking about „as the local admin group will have members from various support teams“, it looks like your server is in the production domain (Domain Admins have Local Admin permission) or you gave them an local admin user to use rdp for remote access to open the vbr console.
That would be my first thing todo, remove the backup server from the production domain. And if you gave them local admins for remote access todo restores, ask yourself, why various support teams needs remote access to the server.
If you want them to have the possibility todo restores, use Enterprise Manager or use vbr console remotely from a management server. The local user for the vbr console should only have Restore Operator permission. Don‘t give put the local windows user in the local administrators group.
You can find more about hardening your vbr server here.
Product Management Analyst @ Veeam Software
Who is online
Users browsing this forum: Semrush [Bot] and 34 guests