NetWorker Blog

Commentary from a long term NetWorker consultant and Backup Theorist

  • This blog has moved!

    This blog has now moved to nsrd.info/blog. Please jump across to the new site for the latest articles (and all old archived articles).
  • Enterprise Systems Backup and Recovery

    If you find this blog interesting, and either have an interest in or work in data protection/backup and recovery environments, you should check out my book, Enterprise Systems Backup and Recovery: A Corporate Insurance Policy. Designed for system administrators and managers alike, it focuses on features, policies, procedures and the human element to ensuring that your company has a suitable and working backup system rather than just a bunch of copies made by unrelated software, hardware and processes.

Preventing users seeing backups from other hosts

Posted by Preston on 2009-09-24

Something I’ve seen a few people complain about, and indeed that I’ve also complained about in the past, is that in high security environments NetWorker allows end users on one host to see the backups done for other hosts. This is obviously a security concern.

After a brief discussion with EMC, it was also obviously something that is readily changeable with only a couple of clicks of the mouse button – so I feel somewhat sheepish that I hadn’t picked up on it before. All you have to do is take away the “Monitor NetWorker” privilege from the Users usergroup.

Here’s the (to some environments) offending setting:

Monitor users privilege


Once that setting is unchecked, end users won’t be able to view the backups for other hosts – just their own.


4 Responses to “Preventing users seeing backups from other hosts”

  1. Johannes said

    Hi Preston.

    This is a very interesting topic. But have you configured this already and done any testing from the client’s perspective?

    Did you get any answers why EMC has the monitor NetWorker privilege enabled as default?

    Johannes

    • Preston said

      Hi Johannes,

      Yes, I tested it and confirmed that it worked. Stripping away the ‘Monitor NetWorker’ privilege results in users on clients only being able to see the backups for those clients themselves (so long as they were not also NetWorker administrators).

      I didn’t ask EMC why this is left enabled by default, but my surmise, based on previous NetWorker design considerations, is that it would have been to preserve existing behaviour. For the most part, whenever there’s been a change to NetWorker that can alter standard behaviour, the change is typically left disabled and can be turned on by the backup administrator. That’s been a driving force behind upgrades not causing sudden changes of behaviour for some time in NetWorker.

      Cheers.

  2. Johannes said

    Hi Preston.

    I tried this in our environment and did some testing from clients. Client and server version 7.5.1.

    Now, instead of being able to get all media db info with mminfo, I’m unable to get any media db information with mminfo from the client.

    When I do a saveset recovery on a client it’s not possible to check “Required Volumes” it just says: “17499: winworkr: no Volume information”. The save set restore works, but gives a message about resource not being found. But seems to be OK.

    We’re able to mitigate the fact that the client won’t be able to query the media db with mminfo. Did EMC say anything about if they support doing this change?

    Johannes

    • Preston said

      Interestingly now running mminfo on the client with the “Monitor NetWorker” removed I can’t retrieve mminfo detail for that individual client. That seems at odds with what I got yesterday – maybe I mixed terminals and ran mminfo as root (which was a valid admin).

      Can certainly do recoveries using ‘recover’ though and view volumes – I’ve not tested under Windows.

      Didn’t ask EMC about support, but this is a documented privilege that can be removed, so it must be supported.

      I didn’t log a case as such with EMC – I bounced a few questions through less official channels. I’ll aim to do some tests, document issues relating to volume detail display, and open an RFE.
