Something I’ve seen a few people complain about, and indeed that I’ve also complained about in the past, is that in high-security environments, NetWorker allows end users on one host to see the backups done for other hosts. This is obviously a security concern.
After a brief discussion with EMC, it was also obviously something that is readily changeable with only a couple of clicks of the mouse button – so I feel somewhat sheepish that I hadn’t picked up on it before. All you have to do is take away the “Monitor NetWorker” privilege from the Users usergroup.
Here’s the (to some environments) offending setting:
Once that setting is unchecked, end users won’t be able to view the backups for other hosts – just their own.
Hi Preston.
This is a very interesting topic. But have you configured this already and done any testing from the client’s perspective?
Did you get any answers why EMC has the monitor NetWorker privilege enabled as default?
Johannes
Hi Johannes,
Yes, I tested it and confirmed that it worked. Stripping away the ‘Monitor NetWorker’ privilege results in users on clients only being able to see the backups for those clients themselves (so long as they were not also NetWorker administrators).
I didn’t ask EMC why this is left enabled by default, but my surmise, based on previous NetWorker design considerations, is that it would have been to preserve existing behaviour. For the most part, whenever there’s been a change to NetWorker that can alter standard behaviour, the change is typically left disabled and can be turned on by the backup administrator. That’s been a driving force behind upgrades not causing sudden changes of behaviour for some time in NetWorker.
Cheers.
Hi Preston.
I tried this in our environment and did some testing from clients. Client and server version 7.5.1.
Now, instead of being able to get all media db info with mminfo, I’m unable to get any media db information with mminfo from the client.
When I do a saveset recovery on a client it’s not possible to check “Required Volumes”; it just says: “17499: winworkr: no Volume information”. The save set restore works, but gives a message about resource not being found. But seems to be OK.
We’re able to mitigate the fact that the client won’t be able to query the media db with mminfo. Did EMC say anything about if they support doing this change?
Johannes
Interestingly now running mminfo on the client with the “Monitor NetWorker” removed I can’t retrieve mminfo detail for that individual client. That seems at odds with what I got yesterday – maybe I mixed terminals and ran mminfo as root (which was a valid admin).
Can certainly do recoveries using ‘recover’ though and view volumes – I’ve not tested under Windows.
Didn’t ask EMC about support, but this is a documented privilege that can be removed, so it must be supported.
I didn’t log a case as such with EMC – I bounced a few questions through less official channels. I’ll aim to do some tests, document issues relating to volume detail display, and open an RFE.