Active Directory Security

Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…

Nov 04 2014

BackupExec Service Account Security FAIL

By Sean Metcalf in Microsoft Security, Technical Reference

Yes. It actually says that if the BackupExec account is a member of Schema Admins, do not remove!

To be fair, it starts off with this Solution which covers the rights required:
From Symantec (http://www.symantec.com/business/support/index?page=content&id=TECH88242)

Please note :The backup account used as the default account and the account used to start the Backup Exec Services must be a member on the following Group Policy objects :

Act as part of the operating system

Create a token object (which can be used to access any local resources)

Log on as a service

Log on as a batch job (allows a user to be logged on by means of a batch-queue facility)

Backup files and directories (provides rights to backup files and directories)

Restore files and directories (provides rights to restore files and directories)

Manage auditing and security log

Take ownership of files and other objects

For more information on any of the above User Rights Assignment, please refer to the link below:

technet.microsoft.com/en-us/library/cc780182(WS.10).aspx

b. If a new account is desired, select New | User, and enter all the appropriate settings such as the account name and password. Click Next twice, and then click Finish. To configure the existing account, locate that account and continue to step c.

c. Open the Users folder, right-click the user, and click Properties

d. Click on the Member Of tab, confirm/add the Administrators

e. If Domain Admins is not the primary group, select Domain Admins and click Set Primary Group

f. Ensure that all other groups besides Administrators, Domain Admins, such as Domain Users are removed. Do not remove Schema Admins or Enterprise Admins (if listed)

g. The account should also have the Log on as a service right. For detailed instructions on granting this user right, see the Related Documents section

2. Go to Control Panel | Administrative Tools | Services

3. Stop all Backup Exec services

4. Enter the correct forest level Backup Exec service account name and password for all Backup Exec services

5. Restart all Backup Exec services

6. After resetting services, open Backup Exec and run a test backup of a remote System State and monitor for success.

Note: If access is not needed at the forest level, the account should be created on the domain controller of the highest level domain requiring backups from the Backup Exec server in question.

Created: 2009-01-29 Updated: 2013-04-24

Article URL http://www.symantec.com/docs/TECH88242

(Visited 1,211 times, 1 visits today)

VendorSecurityFail

Sean Metcalf

I improve security for enterprises around the world working for TrimarcSecurity.com
Read the About page (top left) for information about me. :)
https://adsecurity.org/?page_id=8

Copyright

Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2020.

Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned.

Made with by Graphene Themes.