Solved

Restricting Permissions on Repository Folder for more security


Userlevel 5
Badge
hi Veeam CommunityI have a backup server that uses the drives in the backup server as a repository, and the backup server works as a workgroup. I want the permissions on these drives to be only for the veeam service.I want to do this for more security.My question is whether such an idea is good?If it is good, what permissions should I give to these drives?
icon

Best answer by Link State 12 March 2024, 14:33

View original

9 comments

Userlevel 7
Badge +9

Hi @miriam1989  

 

yes it is a good idea follow these BPs
greetings

 

Windows Backup Repository - Veeam Backup & Replication Security Best Practice Guide

 

And

Hardening Veeam 12 Server: the definitive checklist | Veeam Community Resource Hub

 

Userlevel 7
Badge +19

Nice info from the BP guide @Link State ! I wasn’t aware there was info for secured Repos there 🙂

Userlevel 7
Badge +21

Follow the advice above, however, be very careful when playing with permissions cause if not done correctly you can cause a world of pain trying to fix them.  I would look at the Best Practice stuff and implement roles and MFA on the server.

Userlevel 7
Badge +9

ye thx @coolsport00 

Userlevel 7
Badge +19

Follow the advice above, however, be very careful when playing with permissions cause if not done correctly you can cause a world of pain trying to fix them.  I would look at the Best Practice stuff and implement roles and MFA on the server.

My concern as well. Good advice!

Userlevel 5
Badge

Nice info from the BP guide @Link State ! I wasn’t aware there was info for secured Repos there 🙂

Me too

Thanks Link State

 

Userlevel 5
Badge

Veeam Security Best practices 2022

 

 

Userlevel 7
Badge +9

As per the User Guide, you need to give Read/Write permissions (See SMB Share section). But, not sure doing so poses any benefit. Anyone who gains access to the VBR server could potentially wipe the files anyway, regardless if you give explicit permissions or not.

Hi @miriam1989 ,

Just to add to this, It seems that your Repository is on the same VBR server, you will not be meeting the best practice and an error will be displayed on the “Security and Compliance” wizard.


Veeam recommends placing the repository server(s) in a restricted area, because they contain 100% copy of your prod env and MUST be physically secured and have appropriate access control systems in place which you desire! 

Userlevel 7
Badge +19

As per the User Guide, you need to give Read/Write permissions (See SMB Share section). But, not sure doing so poses any benefit. Anyone who gains access to the VBR server could potentially wipe the files anyway, regardless if you give explicit permissions or not.

Comment