[Box Backup] How to secure Box Backup on Windows clients?

Chris Wilson boxbackup@fluffy.co.uk
Wed, 20 Jun 2007 21:37:38 +0100 (BST)


Hi Pete,

On Tue, 19 Jun 2007, E.W. Peter Jalajas wrote:

> To summarize so far,
>    *key.pem
>    *cert.pem
>    *Keys.raw
>
> 1. must have Full Control (Modify, Read & Execute, Read, and Write) by
>    the Administrators and SYSTEM security groups (and maybe also the
>    Backup Operators group if you are using that), and
>
> 2. must have NO access by any other group.  (I'm guessing that the
>    SYSTEM group holds the "Local System account" Log On user under which
>    the Box Backup services runs.)

That seems reasonable, but I'd check that the System group actually 
contains the LocalSystem user, or whichever user the Box Backup service 
runs as.

> Now, let's move on to the executables (.exe), .dlls, bbackupd.conf, and 
> any home-grown batch files or scheduled tasks?  They:
>
>  1. must have Full Control (Modify, Read & Execute, Read, and Write) by
>     the above groups, and only the above groups, and

No need for LocalSystem or Backup Operators to have write access to those 
files. Only Administrators should.

>  2. may optionally be readable by anyone,
>
> --correct?

Yes, looks OK to me.

> (I'm guessing that a bad guy could stop [DoS] or crack the Box Backup 
> application/service, or do rogue restores, by modifying or running those 
> files.)

Yes.

Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |