Comprehensive data protection for all workloads
Post Reply
DavidS
Veeam ProPartner
Posts: 11
Liked: 6 times
Joined: Aug 18, 2014 12:00 pm
Full Name: David
Location: Switzerland
Contact:

Security Doubts - Microsoft Exchange Explorer

Post by DavidS »

Hello All

We've ecoutered some security questions about the Microsoft Exchange Explorer for Veeam B&R Restores.

After I demonstrated a file restore through the Microsoft Exchange Explorer in Veeam, my boss had some doubts about the security-aspects of this explorer.
I am able to read and restore any mail in any inbox of any person on the backed-up exchangeserver (not on the production server, but on the backupserver), and thats considered as a lack of security...

So, is there any possibility to restrict the avaibilities of the Exchange Explorer?
Like, no opening of the mails, just read the subject.
Or password query before you can open a specific mailbox.
Or just give access to one ultimate-master-admin for restoring through the exchange explorer?

Maybe my question is a bit of an overkill, or this is a real need which more people had thoughts about.

Glad for any feedback :)

Greetings
David
srebuccicellularline
Novice
Posts: 6
Liked: 1 time
Joined: Nov 21, 2013 2:10 pm
Full Name: Simone Rebucci c/o Cellular Italia SpA
Contact:

Re: Security Doubts - Microsoft Exchange Explorer

Post by srebuccicellularline »

Hi David, this is not a lack of security of the software: your boss should be aware that you as the IT Manager, should be able to read every email and every file on your file server.
geksi
Novice
Posts: 5
Liked: 1 time
Joined: Jan 27, 2012 1:24 pm
Full Name: Alexander
Contact:

Re: Security Doubts - Microsoft Exchange Explorer

Post by geksi »

srebuccicellularline wrote:Hi David, this is not a lack of security of the software: your boss should be aware that you as the IT Manager, should be able to read every email and every file on your file server.
Absolutely, but not a BackupAdmin.
Our organization has two "SUPER" admins who can do everything
All others are restricted.
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Security Doubts - Microsoft Exchange Explorer

Post by Gostev » 1 person likes this post

Backup Admins are gods, because they can physically access and obtain a copy of any data from any server. And anyone with physical access to data can do anything at all. Including things like retrieving any account's password from Domain Controller backup, reading every email in Exchange mailbox database backup, reading every credit card number from SQL Server backup, etc.

While in theory it would be possible for us to restrict access to Veeam Explorer for Exchange, in practice this makes no sense, as you cannot prevent Backup Admins from downloading any other similar tool (of some dozen that exist) which will do the same thing being pointed at a mailbox database file from backup.
DavidS
Veeam ProPartner
Posts: 11
Liked: 6 times
Joined: Aug 18, 2014 12:00 pm
Full Name: David
Location: Switzerland
Contact:

Re: Security Doubts - Microsoft Exchange Explorer

Post by DavidS »

Thanks for the answers, that's more or less what I thought.

So I wonder what bigger companies, like banks, with more resctrictive policies do about this problem?
Do they have special agreements with their backup admins or they simply don't use veeam?

Or is my question really this odd :shock:
dellock6
Veeam Software
Posts: 6137
Liked: 1928 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: Security Doubts - Microsoft Exchange Explorer

Post by dellock6 »

David,
having worked for some banks (even in the country listed in your profile.. ;)) I can tell you, it's a mix of technical multi-tenancy, and also deep auditing of operator activities and procedural agreements.
If you need to segregate restore operator, you should rellay look deeper at our Enterprise Manager, there you can create roles and scopes. My session about it at VeeamON is free to be viewed online here: http://go.veeam.com/veeamon-free-sessions. Look for VT-09. Hope it can help you get a better idea on how to limit restore options.
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Security Doubts - Microsoft Exchange Explorer

Post by Gostev »

Correct, it's all about the auditing of who is doing what. For example, this is why we do not allow deleting session history, and provide designated Restore Operator Activity report in Veeam ONE.
DavidS wrote:Do they have special agreements with their backup admins or they simply don't use veeam?
You have to understand that specific product does not matter. Give me an access to image-level Exchange VM backup produced by any backup tool out there, and I will first extract EDB, and then all emails out of it with Veeam Backup Free Edition (or similar tool) in no time.
Post Reply

Who is online

Users browsing this forum: Bing [Bot] and 305 guests