Setting service credentials

[TomBlue]

We had an issue with Cryptolocker/ransomware a few weeks ago. Thanks's to Veeam B&R it was not difficult to restore from last backups. This issue encouraged me to check file system security of our online backups. Our backup server is integrated in our AD domain and because vSphere is also running on the same server, it would be a lot of work to exclude this server from domain at the moment.

So I decided to simply allow an local account to have write access to the backup folders only. I changed the accounts from Veeam services which obviously are responsible for write operations. But it's not that simple. Long story short: With help from Veeam support (case #01236305) we managed to get that running. But I had to change any Veeam B&R service to the local service account, including the Veeam InstallerService (!). Also the local account needs local administrative rights as far as I experienced. Maybe there is a way to achieve this goal, but as it seems, not the easy way.

It would more secure and easy to manage if there is only one "BackupWriter service" which is responsible for any write access to (local) repositories which also do not need local admin rights. This architecture is used from most database products also. Maybe this will be implemented in a future version?

Anyway, Veeam is a really brilliant software (overall, not even compared to backup products), so thanks to all for your work!

Cheers
Thomas

[Vitaliy S.]

Hi Thomas,

Thanks for the feedback, not sure about future versions, cause many services interact with the backup repository, but you've shared a good use case.

Thanks!