Security issues

1) MCUser is a super user and shouldn't be used to administer the system. 

The recommendation in the Avamar Operational Best Practices guide is

Assign each Avamar administrator, operator, or user a unique login credential. Ensure that all users log in to the Avamar system by using those unique login credentials rather than the default Avamar application root and MCUser users.

You can place 'VIP' data in a separate Avamar domain.  Any user(s) to which you grant access over that domain will have their actions audited.

The privileges of the MCUser should not be altered.  Change the password if necessary following the guidance in the Avamar Product Security guide.  Save use of the user for technical support related situations.

2) Edit these global variables on the Avamar utility node /usr/local/avamar/var/mc/server_data/prefs/mcserver.xml

           

             

Change 'true' to 'false'

Restart the MC service as described in the Admin guide.

You might want to test to confirm whether that also affects end user initiated restore operations

Hope that helps..

> Question 1 :

> How can I restrict permissions of MCUser? I have a VIP user  and I'm getting his backups with AVE 5.0.4.

> With MCUser, it is possible  to restore the VIP data to another location. How can I stop this, I  need to edit the rights of MCUser.

Why not to configure LDAP and configure access permissions to different domains ... for instance ...

> Question 2 :

> I have hundreds clients activated on my Avamar Server. They  can start backup and restore when they want via Avamar client software.

> How can I stop this? I do not want my users to start unauthorized  backup or restore.

> I do not want a posibilities of backup or restore via  client agent software. How can I manage this restriction on Avamar  Server.

There is possibilities " allow client initiated backups" in policies .... when you click on client >>> properties ...

Explicitly setting the Allow client initiated backups option overrides the group schedule duration setting. Go to Group Policy for additional information.
Select Navigation > Policy or click the Policy launcher button.
The Policy window appears.
Click the Policy Management tab.
Click the Clients tab.
Select the client for which you want to allow users to initiate backups.
Select Actions > Client > Edit Client…
The Edit Client window appears.
Click the Properties tab.
Set Allow client initiated backups.

Hello,

I want to give a password to my backups. When somebody (MCUser or another admin users) needs to restore, they must find me to enter password for restore operation.

Is it possible with Avamar?

Thanks

I do not understand why not to create aditional accounts for restore purpose only! ... but it is up2you, of course.

Just a work around for you for this "particular" restore operation, let's say so:

to run "change-passwords" script to change existing "MCUser" password to the >>> "whatever"  then after restore operaton you can bring back your old pwl....

WARNING: this program should be run as the "dpn" user in order to avoid file ownership and permissions complications that can be incurred by running as root.