[ID# 01232862] User can change his access without permission


by VeaamGuy » Wed Dec 16, 2015 4:54 am

Hi guys,
For Veeam Enterprise Manager installed on the same server as Veeam Backup and Replication, a local admin on the Veeam server shouldn't necessarily have access to change his portal permissions from operator to administrator.
This is a security risk, as a system admin may not necessarily be the backup admin.

Any quick fix for the above?

Cheers.
VeaamGuy
Influencer
 
Posts: 21
Liked: never
Joined: Mon Oct 19, 2015 4:11 am
Full Name: Rushad Irani

Re: [ID# 01232862] User can change his access without permis

by v.Eremin » Wed Dec 16, 2015 9:55 am

But isn't local admin capable of basically everything on that system that has both VB&R and EM installed? Logging to backup console, deleting backup files, restoring necessary data, etc. (way more than a backup admin can do). Thanks.
v.Eremin
Veeam Software
 
Posts: 13296
Liked: 973 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: [ID# 01232862] User can change his access without permis

by VeaamGuy » Tue Dec 22, 2015 3:15 am

Bringing OS-level access into the backup application is a bit risky.

Let's look at the bigger picture: in a 5000+ organisation, a person with an admin role on the OS side of Veeam might not be privileged to private information stored on some VMs, so even though he might have access to delete the backup, that is still better than giving him the loophole to restore the encrypted backup files somewhere to get access to that privileged information.

Kind Regards,
Rushad.

Re: [ID# 01232862] User can change his access without permis

by VeaamGuy » Fri Feb 19, 2016 12:13 am

v.Eremin wrote: But isn't local admin capable of basically everything on that system that has both VB&R and EM installed? Logging to backup console, deleting backup files, restoring necessary data, etc. (way more than a backup admin can do). Thanks.


Hi guys,
As mentioned above as well, the administrator might not be privileged to some specific VMs, for example an HR system which only HR staff should have access to. I have also raised this in another post: restores should ask for password confirmations, which the system doesn't do as of now: vmware-vsphere-f24/improving-security-of-backups-case-id-01236063-t31847.html

I hope this is taken into consideration, as this can have a serious impact on the security of the backups.