• EN
Solved

Restricting Permissions on Repository Folder for more security

M
Userlevel 5
Badge 
hi Veeam CommunityI have a backup server that uses the drives in the backup server as a repository, and the backup server works as a workgroup. I want the permissions on these drives to be only for the veeam service.I want to do this for more security.My question is whether such an idea is good?If it is good, what permissions should I give to these drives?
icon

Best answer by Link State 12 March 2024, 14:33

View original

9 comments

Link State
Userlevel 7
Badge +8

Hi @miriam1989  

 

yes it is a good idea follow these BPs
greetings

 

Windows Backup Repository - Veeam Backup & Replication Security Best Practice Guide

 

And

Hardening Veeam 12 Server: the definitive checklist | Veeam Community Resource Hub

 

Veeam: VMCA | VMCE | VMXP | Veeam Legend - Microsoft: MCITP | MCP | MCSA | 2008 R2 | 2012R2 | 2016 | MCSE Core Infrastructure | MCSE Cloud Platform - Azure: AZ900 | AZ104 - VMWare: VCP-DCV Vsphere 7.x - Cisco: CCNA (Expired)
coolsport00
Userlevel 7
Badge +17

As per the User Guide, you need to give Read/Write permissions (See SMB Share section). But, not sure doing so poses any benefit. Anyone who gains access to the VBR server could potentially wipe the files anyway, regardless if you give explicit permissions or not.

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
coolsport00
Userlevel 7
Badge +17

Nice info from the BP guide @Link State ! I wasn’t aware there was info for secured Repos there 🙂

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
Chris.Childerhose
Userlevel 7
Badge +20

Follow the advice above, however, be very careful when playing with permissions cause if not done correctly you can cause a world of pain trying to fix them.  I would look at the Best Practice stuff and implement roles and MFA on the server.

Chris Childerhose - VMCA2022 | VMCE2023 | Veeam Vanguard 7* | Veeam Legend 3* | vExpert 5* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
Link State
Userlevel 7
Badge +8

ye thx @coolsport00 

Veeam: VMCA | VMCE | VMXP | Veeam Legend - Microsoft: MCITP | MCP | MCSA | 2008 R2 | 2012R2 | 2016 | MCSE Core Infrastructure | MCSE Cloud Platform - Azure: AZ900 | AZ104 - VMWare: VCP-DCV Vsphere 7.x - Cisco: CCNA (Expired)
coolsport00
Userlevel 7
Badge +17

Follow the advice above, however, be very careful when playing with permissions cause if not done correctly you can cause a world of pain trying to fix them.  I would look at the Best Practice stuff and implement roles and MFA on the server.

My concern as well. Good advice!

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
M
Userlevel 5
Badge

Nice info from the BP guide @Link State ! I wasn’t aware there was info for secured Repos there 🙂

Me too

Thanks Link State

 

M
Userlevel 5
Badge

Veeam Security Best practices 2022

 

 

Iams3le
Userlevel 7
Badge +9

As per the User Guide, you need to give Read/Write permissions (See SMB Share section). But, not sure doing so poses any benefit. Anyone who gains access to the VBR server could potentially wipe the files anyway, regardless if you give explicit permissions or not.

Hi @miriam1989 ,

Just to add to this, It seems that your Repository is on the same VBR server, you will not be meeting the best practice and an error will be displayed on the “Security and Compliance” wizard.


Veeam recommends placing the repository server(s) in a restricted area, because they contain 100% copy of your prod env and MUST be physically secured and have appropriate access control systems in place which you desire! 

[Microsoft MVP | Veeam Legend 5* | VMware vExpert 4* | Cisco Champion 3*]

Comment


Terms & Conditions