Self Service restores in a corporate environment? Is it possible to do securely?

Thread needs solution
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Beginner
Messaggi: 1
Commenti: 1

I would like for users to be able to restore their own files without system administrator intervention. Seems like a reasonable and very common situation right? Also seems like it's functionality that is advertised as available with this Acronis Backup & Recovery. As far as I can tell this is NOT do-able *securely* using Acronis.

In theory, I just need to grant read-only access on each machine to that particular machine's backup archives. Acronis has this cool feature of being able to browse the .TIB archives and pull any files you'd like. Can't get more "self-service" than that, right? Unfortunately it really IS a "help yourself" situation. Help yourself to system files. Help yourself to files that ARE NOT OWNED BY and SHOULD NOT BE READABLE by you. Help yourself to your office mate's personal files. Yikes. In a corporate environment with multiple users of a single machine, this is simply not acceptable. Browsing a .TIB archive does not seem to follow any NTFS permissions.

Mounting an archive as a virtual drive DOES follow NTFS permissions and users can browse this mounted drive and pull any files that they could have accessed when the backup was made but NOT any files that they darn well please (e.g. system protected files, other user's files, etc.) Why is this not the behavior when browsing a .TIB archive?

The problem is, as far as I can tell, there is no mechanism for users to mount and unmount archives as drives without allowing them access to the .TIB files themselves (and thereby giving them the ability to just explore those without mounting them and helping themselves to someone else's files).

Am I missing something here? Is there a way to *securely* provide access for users of a particular machine to that machine's archives and *only* let them see/restore files that they are supposed to have access to (e.g. those that they had access to at the time of the backup)?

I do not want users to be able to make their own backups, manipulate vaults or archives, etc. I just want them to be able to browse the available archives as themselves and access files as themselves (not system or whatever). If the explorer plugin or whatever it is that allows simple browsing of archives followed NTFS file permissions this would be simple: Provide read-only access to the .TIB files for a machine and you are done. Unfortunately the way it is now, unless I'm missing something, we need to make the archives NOT readable by users and then have a system administrator mount up an archive (or multiple archives if they don't know which date the file was modified/deleted) and then unmount them so that proper NTFS file ACL's are honored. What a pain. Please tell me I'm wrong.

Ven, 09/30/2011 - 22:16
0 Users found this helpful
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Forum Star
Messaggi: 27
Commenti: 1940

If you could run some program as a service under admin credentials that invokes acrocmd /mount to mount some archive that is readable only by said admin, and then control this service with some kind of crutch... e.g. "How to Create a Windows Service Using PowerShell"

Ven, 09/30/2011 - 23:15