Backup without local admin permissions

kshmakov
Level 2
Partner Accredited

Good day.
Good afternoon.
We tested the backup of domain servers using an agent for Windows and encountered a problem. An account that belongs to the local administrators group on the corresponding servers is required for backup. Backup Exec checks not only the rights of the account, but also its membership in the group. That is, if we grant all the possible rights (using Group Policy) to the account we are using, but do not include it in the local administrators group, the tasks will not work.
The question is: is it possible to bypass the verification of the account belonging to the group of local administrators, and check only the presence of the required rights?

Backup Exec 20.2, Windows Server 2016

Error in log is:

Tuesday, September 18, 2018 7:48:30 PM - V-79-57344-39795 - The logon account that was provided is not a member of the Administrators group. Verify that the data that you selected was backed up. Additional privileges may be required to access the data on the Windows computer

pkh
Moderator
   VIP    Certified

You need a domain admin ID to do your backup. So why do you want to exclude the domain admin from the local admin group?

kshmakov
Level 2
Partner Accredited

We conducted tests for the customer with a very strict information security policy. Accordingly, it is not possible to use credentials from groups such as backup operators, local administrators, domain administrators and enterprise administrators for backup, and it is also impossible to store such credentials outside domain controllers.

pkh
Moderator
   VIP    Certified

So what credentials/rights can you assign to the BESA?

kshmakov
Level 2
Partner Accredited
Ideally, we should use an account with minimal rights, like a domain user or a local user. We can use rights such as Backup files and directories and Restore files and directories. But including this account in the local administrators group is not allowed. Because the Windows agent can work from the local system credentials, the need to use the administrative account looks unreasonable.
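
The two checks this thread contrasts, held user rights versus group membership, can be compared for a candidate service account with the PowerShell below. It is an added example, not part of any post here and not Veritas code; it only reports on the account that runs it and does not alter Backup Exec's own membership check. The group list mirrors the groups the customer policy above prohibits.

```powershell
# Added example: run in the logon context of the candidate backup account.
# Reports (1) prohibited group SIDs enabled in the token and
#         (2) whether the backup/restore user rights are present in the token.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groupSids = @($identity.Groups | ForEach-Object { $_.Value })

# Well-known local group SIDs.
$localGroups = [ordered]@{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
}
# Well-known domain-relative RIDs (the domain part of the SID varies).
$domainRids = @{ '512' = 'Domain Admins'; '519' = 'Enterprise Admins' }

$prohibited = @()
foreach ($sid in $groupSids) {
    if ($localGroups.Contains($sid)) {
        $prohibited += $localGroups[$sid]
    }
    elseif ($sid -match '^S-1-5-21-(\d+-){3}(512|519)$') {
        $prohibited += $domainRids[$Matches[2]]
    }
}

# /nh drops the header row, which is localized; columns are named explicitly.
$privs = whoami /priv /fo csv /nh |
    ConvertFrom-Csv -Header Name, Description, State

# "Backup files and directories" / "Restore files and directories".
$needed  = 'SeBackupPrivilege', 'SeRestorePrivilege'
$held    = @($privs | Where-Object { $needed -contains $_.Name } |
             ForEach-Object { $_.Name })
$missing = @($needed | Where-Object { $held -notcontains $_ })

[pscustomobject]@{
    Account          = $identity.Name
    ProhibitedGroups = $prohibited -join ', '
    RightsHeld       = $held -join ', '
    RightsMissing    = $missing -join ', '
}
```

With UAC, a non-elevated session runs with a filtered token, so rights and groups that apply only when elevated will not appear; run it the same way the backup logon would be used.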

Colin_Weaver
Moderator
Employee Accredited Certified

If you search our (English) admin guide for "Local Admin" you will find a few references that state that accounts should have local admin permissions, and, for things like domain controllers, this gets increased to domain admin rights.

The problem with groups like Backup Operators is that Microsoft created the concept of that security group well before lots of the newer technologies now present in the Windows Operating System existed in their current form (things such as VSS, DFSR, etc). Unfortunately, for whatever reason, development of how those security groups could be used did not keep up with the new technologies, hence they no longer provide suitable functionality for a number of backup scenarios. (Oddly enough, VMware have a similar issue where their sample backup role, 'VMware Consolidated Backup user (sample)', also does not have enough permissions for all backup and restore processes. Maybe that is why they called the role a Sample ;) )

Whilst theoretically possible to create a custom group with enough permissions and suitable group policies configured, the documentation and ongoing administration of such a group and policies (covering future OS + Application changes as well) would be costly in man-hours (for both server admins AND backup software developers) and would also introduce much bigger chances of human error causing problems, which then may only be identified when you are trying to restore after a disaster (not a good scenario at all). Which I suspect is part of the reason why we have a warning message stating you should be local admins.

Of course the message does not state the backup has not completed, it just puts the onus on you to check that it has worked, in effect defining what you are doing as an Alternative Configuration (see our compatibility documents for the definition of this term) meaning we would only be providing reasonable efforts support if you then have problems. As an aside we typically do not allow warning messages like this to be disabled even if you do your own backup and (more importantly) restore testing and decide that your backups are working with reduced security. We obviously only officially test with what we have documented as being required.

kshmakov
Level 2
Partner Accredited

Ok, the approach is clear, even if it looks strange. The principle of minimum privileges in information security appeared not yesterday. There are some other backup programs that can match it, but there are not many of them :) I hope Backup Exec will soon be included in their number, using the standard functions or some workarounds (at admin's own fear and risk).

ElGringo
Level 6
Partner Accredited