[Box Backup] How to secure Box Backup on Windows clients?

Chris Wilson boxbackup@fluffy.co.uk
Mon, 18 Jun 2007 23:20:44 +0100 (BST)


Hi Pete,

On Mon, 11 Jun 2007, E.W. Peter Jalajas wrote:

> I'd like to make sure that I am securing sensitive Box Backup 
> application files on my Windows clients.
>
> First, let me confirm that I only really need to secure the 
> *FileEncKeys.raw file from prying eyes--true? If someone gets a hold of 
> that file, they can obtain decrypted files from the server, right?

That is the most sensitive file, but as Martin rightly pointed out, it 
makes sense to secure your certificate and private key as well.

> On client machines like Windows 2003 Server in a Windows domain 
> (presuming NTFS), I can right-click the *FileEncKeys.raw file, click 
> Properties, Security, and then remove all Users and Groups except that 
> as which the Box Backup service runs, presumably the "Administrators" 
> group.  Most importantly, I think, I should remove the "Authenticated 
> Users". What should I do with the "SYSTEM" user?  Is there anything else 
> I should know about this? I want to make sure that I don't break Box 
> Backup in some way by over-tightening the permissions on the Keys file. 
> Are there any other Box Backup Windows client files which we should 
> handle specially?

Whatever user Box runs as should be able to access the files. If you run 
bbackupd as a service, then the service user (which is probably Local 
System) must have access. If you run bbackupquery from the command line as 
a normal user, then that normal user must also have access.

In any case, you must check that Box Backup is still running and backing 
up by doing regular compares and investigating any reported compare errors 
or mismatches. That will catch permissions problems as long as any 
services or daemons are restarted as well.

Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
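
The permission change discussed in this thread, as an added PowerShell example (not part of the original message and not Box Backup's own tooling). It assumes bbackupd runs as Local System and that Administrators should keep access; the file paths are placeholders you supply, and it must be run from an elevated prompt.

```powershell
# Added example: limit NTFS access on Box Backup key material to the
# accounts that actually run Box Backup, then verify the result.
param(
    # Placeholder: full paths to the *FileEncKeys.raw file and, as suggested
    # in the thread, the client certificate and private key.
    [Parameter(Mandatory = $true)][string[]]$Path,
    # Assumption: the service runs as Local System (S-1-5-18) and the
    # Administrators group (S-1-5-32-544) runs bbackupquery. Add the SID of
    # any normal user who must run bbackupquery.
    [string[]]$AllowedSid = @('S-1-5-18', 'S-1-5-32-544')
)
$ErrorActionPreference = 'Stop'
$sidType = [System.Security.Principal.SecurityIdentifier]

foreach ($file in $Path) {
    $acl = Get-Acl -LiteralPath $file

    # Stop inheriting from the parent folder and discard the inherited
    # entries (this is what removes "Authenticated Users" and "Users").
    $acl.SetAccessRuleProtection($true, $false)

    # Remove every explicit entry so only the rules added below remain.
    foreach ($rule in @($acl.GetAccessRules($true, $false, $sidType))) {
        $acl.PurgeAccessRules($rule.IdentityReference)
    }

    # Grant access to the allowed accounts only. FullControl is an
    # assumption chosen to avoid breaking the service; tighten if desired.
    foreach ($sid in $AllowedSid) {
        $identity = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $file -AclObject $acl

    # Re-read the ACL from disk and report any principal that should not be there.
    $after = (Get-Acl -LiteralPath $file).GetAccessRules($true, $true, $sidType)
    $extra = @($after | Where-Object { $AllowedSid -notcontains $_.IdentityReference.Value })
    if ($extra.Count -gt 0) {
        $names = ($extra | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        Write-Warning "${file} still grants access to: $names"
    } else {
        Write-Output "${file} is limited to: $($AllowedSid -join ', ')"
    }
}
```

After running it, restart the Box Backup service and run a compare, as described above, to confirm the tightened permissions have not broken backups.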