-
- Enthusiast
- Posts: 26
- Liked: 3 times
- Joined: Apr 15, 2011 2:15 pm
- Full Name: Mark Smith
- Location: Devon, UK
- Contact:
Veeam Backup and Recovery Lock Down Permissions
Hi
I am fairly new to Veeam Backup and Recovery but I have it installed to replicate data from one ESXi cluster with an iSCSI datastore to another. I have set the iSCSI initiator to view the two different SANs but I am worried about the possibility of another user formatting these drives as they appear in drive management.
I have locked down the OS permissions to the server so that only the main system account for backups has access to the server but I am now unable to restore from a normal user account. I get the error "Mount Failed. Client error:Access is denied. OpenSCManger failed. VeeamFSR driver cannot be mounted"
Has anyone tried to lock down the server before and has anyone got any suggestions?
Cheers
Mark
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam Backup and Recovery Lock Down Permissions
Hi Mark, the user performing restores must have local administrator privileges, this is by design. Thanks.
-
- Veteran
- Posts: 387
- Liked: 97 times
- Joined: Mar 24, 2010 5:47 pm
- Full Name: Larry Walker
- Contact:
Re: Veeam Backup and Recovery Lock Down Permissions
I replicate between SANs with RO rights for the Veeam LUN. The ESX server has RW and will then take care of the writing. This keeps the Veeam server or its users from any chance of changing the SAN data. If you set up an ESX server with no VC and assign iSCSI LUNs to this box only, you can still replicate from one ESX cloud to this disconnected one (no VC, which is a Windows box). They cannot do a full VM restore without a change, but we don't want a whole VM restored without extra steps. You can do file restores with cut and paste to the running VM itself. One reason we do this is in case a zero-day Windows virus were to erase everything every Windows box had access to; then this LUN is protected. I can't count my Veeam backups as offline but I can count these replicas, and use Veeam to tape for other VMs to get them to "offline storage". I am required to have all backups also on offline media.
-
- Enthusiast
- Posts: 26
- Liked: 3 times
- Joined: Apr 15, 2011 2:15 pm
- Full Name: Mark Smith
- Location: Devon, UK
- Contact:
Re: Veeam Backup and Recovery Lock Down Permissions
Hi Larry, where do you set the RO access, on the SAN itself?
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam Backup and Recovery Lock Down Permissions
Correct, but keep in mind that not every SAN features this kind of functionality (providing LUN as read-only).
-
- Veteran
- Posts: 387
- Liked: 97 times
- Joined: Mar 24, 2010 5:47 pm
- Full Name: Larry Walker
- Contact:
Re: Veeam Backup and Recovery Lock Down Permissions
Yes, on the SAN itself.
-
- Enthusiast
- Posts: 26
- Liked: 3 times
- Joined: Apr 15, 2011 2:15 pm
- Full Name: Mark Smith
- Location: Devon, UK
- Contact:
Re: Veeam Backup and Recovery Lock Down Permissions
Thanks for your help on this. I ended up working out how to apply this how I wanted. What I did was:
Created new backup accounts for the backup operators (bkMARK for example)
Removed admin rights from everyone other than the backup operators and local admin
Removed logon remotely rights from the local admins
Added logon remotely rights to users' normal admin accounts but made sure these were only users on the server itself
The theory of this is that a user cannot log on through RDP as a local admin, as the rights have been removed, so they need to log on as their normal admin account, which isn't an admin of the server. Then when they launch the software they are prompted for admin credentials, so they then need to enter their backup operator account and they can manage Veeam. This means they are unable to see the LUNs presented to them when they log in. They can obviously log onto the console and view it if they need to, but this is never done for general maintenance so I think it does the job for me.
Let me know if anyone has any thoughts on this but it seems to work for me.
Thanks again for your help.
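An audit of the separation described in the post above, as an added example that is not part of the original thread or Veeam's own tooling. It assumes the "logon remotely" right maps to the `SeRemoteInteractiveLogonRight` / `SeDenyRemoteInteractiveLogonRight` user rights and that the server uses the English built-in group names.

```powershell
# Added example: check that no local administrator can log on through RDP.
# Assumptions: Windows PowerShell 5.1+, run elevated on the backup server,
# English built-in group names ('Administrators', 'Remote Desktop Users').
$ErrorActionPreference = 'Stop'

# 1. Export the user-rights assignments from the local security policy.
$cfg = Join-Path $env:TEMP 'user_rights_audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-RightHolders([string]$Right) {
    # Lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

$allowRdp = @(Get-RightHolders 'SeRemoteInteractiveLogonRight')
$denyRdp  = @(Get-RightHolders 'SeDenyRemoteInteractiveLogonRight')
Remove-Item $cfg

# 2. The built-in Administrators group (well-known SID S-1-5-32-544) should
#    either lack the RDP logon right or be explicitly denied it.
$adminsSid = 'S-1-5-32-544'
if (($allowRdp -contains $adminsSid) -and ($denyRdp -notcontains $adminsSid)) {
    Write-Warning 'Local Administrators can still log on through RDP.'
}

# 3. No single account should be both a local administrator and an RDP user.
#    Limitation: nested domain groups are compared as groups, not expanded.
$admins  = @(Get-LocalGroupMember -Group 'Administrators')
$rdpSids = @(Get-LocalGroupMember -Group 'Remote Desktop Users' |
             ForEach-Object { $_.SID.Value })

$overlap = @($admins | Where-Object { $rdpSids -contains $_.SID.Value })
if ($overlap.Count -gt 0) {
    Write-Warning 'Accounts that are both local admin and RDP-capable:'
    $overlap | Select-Object Name, ObjectClass, PrincipalSource | Format-Table
} else {
    Write-Output 'No account is both a local administrator and an RDP user.'
}

# 4. List who holds admin rights so the set can be compared with the intended
#    one (backup operator accounts plus the local admin).
$admins | Select-Object Name, ObjectClass | Format-Table
```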