
Permission/Security settings and user access in BESR

RBall
Level 5
I need help understanding the permission and security settings in BESR. It came to my attention when I recover a single file or a directory from a backup image that all the security settings are removed... is this the intended functionality?  Is there a way to change it?
 
i.e. I back up a volume that contains a folder called "Administrative" and inside that folder are various files, spreadsheets etc... As maintained, only 2 users have access to the files, no one else, not Administrator etc... Those two users can open, view, edit etc... anyone else that tries to even enter the directory is declined access.
 
When I recover that directory (not a system restore) I can bring the folder back out and place it in the original location or on my desktop etc... and anyone can access the files, the permissions have all been removed.
 
I would prefer the settings to be preserved. Once restored, only those two original users should have access. Every other backup software I've used does this, is BESR not able to preserve these settings?
 
/RB
 
 
3 REPLIES

AndrewPBG
Level 3
I think this is an artifact of how Windows handles copying files between volumes, and BESR being based on its v2i (Volume to Image) format. If you mount the image into an alternate drive letter, you can browse around and see that the permissions are being backed up and work correctly in the mounted image, but copying to the working volume strips the permissions just the same as restoring from the Recovery Point Browser would.
 
You could try running through KB310316 (re: ForceCopyAclwithFile) and seeing if that directly fixes the recovery browser. If it doesn't, at least you can mount the image and just copy the files from there using either Explorer with the ForceCopyAclwithFile tweak, or xcopy at any time.
 
I agree that it's goofy for the recovery browser to not restore permissions, but at least we aren't left without good ways around it. :)
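
To check whether a restore kept the permissions, the following added example (not part of the reply above, and not Symantec code) compares the owner and DACL of every item in a mounted recovery point against the restored copy. The drive letter `R:`, the restore path and the function names are assumptions; run it under an account that can read permissions on both trees.

```powershell
# Added example: compare owner and DACL between a mounted recovery point and a restored copy.
# Both default paths are assumptions; replace them with your own.
param(
    [string]$MountedRoot  = 'R:\Administrative',          # folder inside the mounted image
    [string]$RestoredRoot = 'D:\Restore\Administrative'   # where the copy was restored
)

function Get-AclFingerprint {
    param([string]$Path)
    # Owner plus DACL in SDDL form. The SACL is skipped because reading it
    # requires SeSecurityPrivilege.
    $sections = [System.Security.AccessControl.AccessControlSections]'Owner, Access'
    (Get-Acl -LiteralPath $Path).GetSecurityDescriptorSddlForm($sections)
}

function Compare-RestoredAcl {
    param([string]$Source, [string]$Restored)
    $srcRoot = (Resolve-Path -LiteralPath $Source).ProviderPath.TrimEnd('\')
    $items = @(Get-Item -LiteralPath $srcRoot -Force) +
             @(Get-ChildItem -LiteralPath $srcRoot -Recurse -Force)
    foreach ($item in $items) {
        # Map each source item to the same relative path under the restored root.
        $relative = $item.FullName.Substring($srcRoot.Length).TrimStart('\')
        $target = if ($relative) { Join-Path $Restored $relative } else { $Restored }
        if (-not (Test-Path -LiteralPath $target)) {
            [pscustomobject]@{ Status = 'Missing'; Path = $target; Expected = $null; Actual = $null }
            continue
        }
        $expected = Get-AclFingerprint $item.FullName
        $actual   = Get-AclFingerprint $target
        if ($expected -cne $actual) {
            [pscustomobject]@{ Status = 'AclMismatch'; Path = $target; Expected = $expected; Actual = $actual }
        }
    }
}

$findings = @(Compare-RestoredAcl -Source $MountedRoot -Restored $RestoredRoot)
if ($findings.Count -eq 0) {
    Write-Output 'Owner and DACL match on every restored item.'
} else {
    $findings | Format-List Status, Path, Expected, Actual
}
```

The SDDL string includes inherited entries, so a copy restored under a different parent folder can report a mismatch on inherited ACEs even when the explicit ACEs were preserved.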

RBall
Level 5
This is a problem...
 
Using BESR Retrieve (the web interface) that requires a user to log in and gives access to files they have permissions for... OK
 
Mounting the v2i file as a drive and browsing to it, only being able to access what your login allows access to... OK
 
Opening a v2i image in the Symantec Recovery Point Browser... SECURITY RISK.
 
The recovery point browser I understand is a different animal. I know the sys admin should be able to restore ANY file to the original network location, and I could even argue it's OK to restore them to any location. But then to have access to do anything with the files because the permissions have been removed is a serious problem.
 
As an example, our CEO has a private folder on our company drive. This folder belongs to him and his secretary and contains files that, while not mission critical, should not be available to anyone but them. Think drafting company memos or preparing pay tables etc... Encrypting and adding file by file passwords is not a practical solution, restricting ownership of the file is.
 
I don't believe this is a Microsoft problem. The recovery point browser should respect the ACL permissions while understanding it is OK to "Recover" the files but make sure the end product reflects the full ACL permissions as they appear in the original.
 
Simply password protecting the image file does not resolve the issue either. Sys Admins would still have the image password and thus full access to all files.
 
Does no one else see this as a problem? How are you coping with it?
 
/RB
 
 


Message Edited by RBall on 03-20-2008 08:27 AM

David_F
Level 6
Employee Accredited
That is actually a good suggestion, and I will pass it to our product architects for review. Right now, as you know, the only security option available is to password protect / encrypt entire images from inappropriate viewing or theft, which at least helps restrict the number of people who can view/restore files/system images.