cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Veritas.com
Support

BESA Non Domain Admin

MIS_NINJA
Level 2

‎06-02-2015 11:52 AM

Before getting into my question, please understand that I have read the Symantec documentation and also spoken with technical support regarding this topic.

 

My question is WHY does the BESA need to be a domain admin in order to run?  Our organization is very security oriented and a major security hole (in my opinion) is having my Backup Exec server running services as a domain administrator.

I have seperate accounts to back up servers/resources that can ONLY act as a backup operator, not administer the resources themselves.  If I'm not using the BESA to back up the resource why does it need to be a domain admin?

The only answer I get from Symantec is "That's the way it was designed".  Understood, but what is it doing that it HAS to run at this level?  When I use a non-admin account for the BESA the services won't even start, is there a way around this?

One further issue I have with this is that when backing up SQL the credentials are set to "use server's logon account" which I cannot change because it is greyed out.  So now Backup Exec is communicating with my SQL servers with a domain admin level account.  In the scenario that the SQL or backup server gets compromised, they can now get domain admin level access to my infrastructure.

Any explanation or assistance getting around this issue would be appreciated.

0 Kudos
3 REPLIES 3

CraigV
Moderator
Moderator
Partner    VIP    Accredited

‎06-02-2015 01:04 PM

...almost every backup application I've worked with has required a domain account, and in every case, with Domain Admin rights as a minimum.

This would be down too:

1. Simplicity - 1 account to reset a password on, add or remove permissions on, and this carries across all the servers on your domain;

2. Required when ading permissions to Exchange, SQL etc.

3. Ease of admin - as in 1, you don't have multiple accounts to administer;

4. Security - if they compromise your media server I think you've got bigger issues at hand security-wise. This doesnt stop anyone else hacking your primary domain admin account.

Thanks!

0 Kudos

MIS_NINJA
Level 2

‎06-02-2015 01:20 PM

Thanks for the Reply CraigV!

In regards to the first three points, irrelevent.  As stated I'm already using seperate accounts to actually back up the resources so ease of management and simplicity isn't a concern for me.  And frankly that should be my decision on how many accounts I deem acceptable to manage.

I agree with point four, if the server is compromised we have a big issue.  But in the event that this would happen, at least the damage would be contained to that specific server since the credentials used would not have permission anywhere else on the network.  that's kind of my point, if they get in there they can get those domain admin creds and now access my domain controllers.  Since they compromised it in the first place let's assume they know what they're doing and can now do as they please with domain controller access.

I'm trying to find out, aside from simplicity, what the BESA is doing that requires domain admin.  There is no reason why the services shouldn't be able to run as a non domain admin on the Backup Exec server.  Agents are communicating with whatever account I specify when deploying the agent, and the resources are being backed up with whatever account I specify in the job.  What else is there that doesn't pertain to the Backup Exec server itself, which should be fine running with local admin credentials rather than domain admin credentials.

0 Kudos

CraigV
Moderator
Moderator
Partner    VIP    Accredited

‎06-08-2015 11:38 PM

...probably better to ask a technical person by logging a support case with Symantec.

Thanks!

0 Kudos