Solved

Commvault service account

  • 29 January 2021
  • 8 replies
  • 3316 views


https://documentation.commvault.com/commvault/v11/article?p=111970.htm

How do I identify or assign an account as a service account in this context? “To prevent ransomware from encrypting the Commvault install folders, lock down those folders to only the Commvault service account and prohibit System Administrators from using that account unless absolutely necessary. You create the Commvault service account in the CommCell environment during the installation of the CommServe software. Only the Windows administrator account that is also the Commvault service account user should have access rights on the Commvault software installation folders.” Under users I only see the Commvault internal accounts and under the domain


Best answer by Damian Andre 8 February 2021, 21:44



Hey @neuwiesener 


We’re discussing this one internally. I think we can agree it is not worded very well. What it’s trying to say is: create a dedicated Windows local user to run the software under, and strip the Commvault install folder of all other security except for that user. The goal is to try to limit exposure should another account be compromised on the system. It does not have anything to do with an actual Commvault CommCell/Command Center account, although that’s implied.

That being said, hold off on this recommendation, for now. We are evaluating it and will likely update the recommendation. Appreciate you pointing this out!


Thanks @Damian Andre . Much appreciated. Awaiting updates on this one! 


@neuwiesener - Sorry to take so long to update you on this. We do not recommend this recommendation at the moment (that sounds funny). It’s going to be re-worked as a broader update to all the security content in the documentation - there is a post here that describes it a little more:


Thanks Damian. @Damian Andre any ETA on this?


Hey @neuwiesener, unfortunately, no ETA I am aware of, only that @DMCVault and team are actively working on it!


I tried to do this. I noticed on my CS that the drive/folders where CS is installed gave access to my AD/Domain Users group as well as my AD/Privileged Admins group (my sysadmin team). I did not think that all the users in my domain should have access to this data, so I took that off. Then, I was unable to run the CommCell console or drill into the Base directory. I had to log back in to the CS machine with my domain admin account to add the AD/Domain Users back. I do not know Windows security/permissions well enough to know why the Windows drive/folder needs AD/Domain Users in addition to AD/Privileged Admins. I have an admin user in the Privileged Admins, and my non-admin user would be in Domain Users (however, perhaps ALL my users are in Domain Users).


I also have a Commvault admin account in my AD, which was also in the CS server’s Administrators group, which is probably also in the Domain Users.

So, whatever you do to ‘fix’ or reword this probably needs to consider AD/Domain Users role in allowing access to the installation directories.
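Both the accepted answer (a dedicated local account owning the install folder) and the post above (removing Domain Users broke the console, with no record of the original permissions) come down to knowing exactly who holds rights on that folder before changing anything. The following PowerShell script is an added example and is not from the thread or from Commvault: it backs up the folder’s current ACL in SDDL form so it can be restored, then lists every access entry, marking which ones are inherited from the drive root and which grant access to broad groups such as Domain Users. The install path is an assumption; substitute your own.

```powershell
# Added example (not from the thread or Commvault): audit the ACL of the
# Commvault install folder before deciding what to remove.
param(
    # Assumed default install path; check your own CommServe.
    [string]$InstallPath = 'C:\Program Files\Commvault\ContentStore',
    # Where the current ACL is saved so it can be restored if something breaks.
    [string]$BackupFile  = "$env:TEMP\commvault-acl-backup.sddl"
)

# Groups that effectively mean "everybody"; any ACE for them deserves review.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'BUILTIN\Users', 'Domain Users')

# 1. Save the current security descriptor. The post above shows why: once
#    Domain Users was removed the console stopped working and the original
#    permissions had to be rebuilt by hand.
$acl = Get-Acl -Path $InstallPath
$acl.Sddl | Out-File -FilePath $BackupFile -Encoding ascii
Write-Host "Current ACL saved to $BackupFile"

# 2. List every ACE. 'Inherited' ACEs come from the parent folder or drive
#    root, which is usually how Domain Users ends up with rights here;
#    removing them at the folder requires breaking inheritance, not just
#    deleting the entry.
$acl.Access |
    ForEach-Object {
        $id = $_.IdentityReference.Value
        $isBroad = $BroadPrincipals | Where-Object { $id -like "*$_" }
        [pscustomobject]@{
            Identity  = $id
            Rights    = $_.FileSystemRights
            Type      = $_.AccessControlType
            Inherited = $_.IsInherited
            Broad     = [bool]$isBroad
        }
    } |
    Sort-Object -Property Broad -Descending |
    Format-Table -AutoSize

# To roll back to the saved descriptor later:
#   $restore = Get-Acl -Path $InstallPath
#   $restore.SetSecurityDescriptorSddlForm((Get-Content $BackupFile -Raw).Trim())
#   Set-Acl -Path $InstallPath -AclObject $restore
```

Run it from an elevated prompt on the CommServe; it only reads the ACL and writes the backup file. The point of the Inherited column is the one the post above ran into: an entry that arrives by inheritance from the drive root cannot simply be deleted on the folder, and the roll-back lines give you a way to get the original permissions back if a change stops the console from starting.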


So, if I may ask a question: after the software installation, let’s say at the OS level, are there no other activities the account will be used for, for example during backup or refreshing the selection from the server?

Documentation says a service account is recommended for the Commvault folder and software installation. It didn’t cover where the service account is used within a backup infrastructure and what role it plays.


Please share some thoughts.


@Commvualt Team ABB, there are accounts used to perform the backups; i.e., if the local service account lacks permission to a set of folders, you can provide an alternate account to use instead.

To answer your question directly, this account is used to access the protected content, which may be fine for the local service account, or might require another account to access.
