[Box Backup] How to secure Box Backup on Windows clients?
E.W. Peter Jalajas
boxbackup@fluffy.co.uk
Tue, 19 Jun 2007 07:00:10 -0700 (PDT)
Thanks, Chris.
To summarize so far,
*key.pem
*cert.pem
*Keys.raw
1. must have Full Control (Modify, Read & Execute, Read, and Write) by the Administrators and SYSTEM security groups (and maybe also the Backup Operators group if you are using that), and
2. must have NO access by any other group. (I'm guessing that the SYSTEM group holds the "Local System account" Log On user under which the Box Backup service runs.)
Now, let's move on to the executables (.exe), .dlls, bbackupd.conf, and any home-grown batch files or scheduled tasks? They:
1. must have Full Control (Modify, Read & Execute, Read, and Write) by the above groups, and only the above groups, and
2. may optionally be readable by anyone,
--correct?
(I'm guessing that a bad guy could stop [DoS] or crack the Box Backup application/service, or do rogue restores, by modifying or running those files.)
(I found that the QBDataServiceUser, presumably from QuickBooks, had Full Control on everything--go figure.)
Thanks again,
Pete
----- Original Message ----
From: Chris Wilson <chris@qwirx.com>
To: Box Backup Mailing List <boxbackup@fluffy.co.uk>
Sent: Monday, June 18, 2007 6:20:44 PM
Subject: Re: [Box Backup] How to secure Box Backup on Windows clients?
Hi Pete,
On Mon, 11 Jun 2007, E.W. Peter Jalajas wrote:
> I'd like to make sure that I am securing sensitive Box Backup
> application files on my Windows clients.
>
> First, let me confirm that I only really need to secure the
> *FileEncKeys.raw file from prying eyes--true? If someone gets a hold of
> that file, they can obtain decrypted files from the server, right?
That is the most sensitive file, but as Martin rightly pointed out, it
makes sense to secure your certificate and private key as well.
> On client machines like Windows 2003 Server in a Windows domain
> (presuming NTFS), I can right-click the *FileEncKeys.raw file, click
> Properties, Security, and then remove all Users and Groups except that
> as which the Box Backup service runs, presumably the "Administrators"
> group. Most importantly, I think, I should remove the "Authenticated
> Users". What should I do with the "SYSTEM" user? Is there anything else
> I should know about this? I want to make sure that I don't break Box
> Backup in some way by over-tightening the permissions on the Keys file.
> Are there any other Box Backup Windows client files which we should
> handle specially?
Whatever user Box runs as should be able to access the files. If you run
bbackupd as a service, then the service user (which is probably Local
System) must have access. If you run bbackupquery from the command line as
a normal user, then that normal user must also have access.
In any case, you must check that Box Backup is still running and backing
up by doing regular compares and investigating any reported compare errors
or mismatches. That will catch permissions problems as long as any
services or daemons are restarted as well.
Cheers, Chris.
--
_____ __ _
\ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
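One way to audit the permissions discussed in this thread, as an added example that is not part of the original messages or of Box Backup itself: the script lists every Allow entry on the key, certificate and Keys.raw files that belongs to a principal other than SYSTEM or Administrators, which is how a stray entry such as the QBDataServiceUser one would show up. The install directory is a placeholder, and the function name and parameters are made up for this example.

```powershell
# Added example: report unexpected NTFS access on Box Backup key material.
param(
    [string]$BoxDir = 'C:\Program Files\Box Backup',   # placeholder path (assumption)
    [string[]]$Patterns = @('*key.pem', '*cert.pem', '*Keys.raw')
)

# Well-known SIDs rather than names, so the check also works on localized Windows.
$AllowedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM (Local System service account)
    'S-1-5-32-544'    # BUILTIN\Administrators
    # 'S-1-5-32-551'  # BUILTIN\Backup Operators: add only if you rely on that group
)

function Get-UnexpectedAce {
    param([string]$Path, [string[]]$Allowed)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited entries both grant access, so request both.
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($Allowed -contains $sid) { continue }
        # Orphaned SIDs (deleted accounts) cannot be translated; show the raw SID.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [pscustomobject]@{
            File      = $Path
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = Get-ChildItem -Path $BoxDir -Recurse -File -Include $Patterns |
    ForEach-Object { Get-UnexpectedAce -Path $_.FullName -Allowed $AllowedSids }

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1    # non-zero so a scheduled task or monitoring wrapper can alert
}
Write-Output "No unexpected Allow entries on files matching: $($Patterns -join ', ')"
```

Run it from an elevated prompt, since reading ACLs on already-restricted files needs Administrators rights. If bbackupquery is run by a normal user, add that account's SID to the allowed list.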