Backup & Disaster Recovery

ANF backup policy user for SMB

I’d like to give a quick overview and demo of the ANF backup policy user functionality, which is part of the ANF Active Directory connection settings. The following screenshot of the official learn page describes the functionality as follows:

What this means is that users that are added to this field, will be able to access files/folders on a SMB volume, even if they don’t have the required NTFS permissions to do so. Needless to say, this is ideal for backup scenarios, hence the name 😉

In order to properly setup the functionality, we need to do a couple of things.

Step 1 – create domain user
In this example, I’ve created a regular domain user named backup.

Step 2 – add backup user to local Backup Operators group
RDP into the Windows Server that has the ANF SMB volume mounted, utilizing a user that has administrator access. Open Computer Management and select Local Users and Groups –> Groups –> Backup Operators –> Add…

In the pop-up, enter the backup user and click OK. Verify the user has been added and click OK.

Step 3 – add backup user as ANF backup policy user
In the Azure Portal, navigate to the ANF Active Directory connection, select Edit, add the backup user (excluding domain name) and click OK.

Step 4 – prepare SMB share
We’ll now prepare the files/folders and NTFS permissions on the SMB share. From the administrator RDP session, open the ANF SMB volume, create a folder named admin and a folder named everyone. The everyone folder we leave as is, for the admin folder NTFS permissions, we add Domain Admins to have full control (current logged on user) and we remove the everyone rights. NTFS permissions on the folders now should look like this.

Create a test file in each of the folders.

Step 5 – test functionality with Robocopy
We’ll now check if the backup user will be able to access all files and folders on the share. In order to do so, the backup user needs to temporarily elevate access, utilizing SeBackupPrivilege/SeRestorePrivilege. Some applications will refer to this as backup mode. In this example, we’ll use Robocopy with the /b flag, indicating it should use backup mode.

We’ll now open a new RDP session to the Windows Server, logging in as the backup user. Open an elevated Command Prompt, by right-clicking on Command Prompt and selecting Run as administrator, enter the password for the backup user and click OK.

Examine the current user privileges by executing:
whoami
whoami /priv

Note that both SeBackupPrivilege and SeRestorePrivilege are visible, but currently Disabled. This is as expected, the status will only change to Enabled when a user/process is actively utilizing the privileges.

We’ll now mount the SMB volume in the backup user session, by executing:
net use Z: \ANFSMB-3208.anf.test\smb01

We’ll try to access both folders.

As you can see from the picture above, the backup user can successfully read the everyone folder. This is as expected, since the backup user is part of the everyone NTFS permissions, which has full control.

However, the backup user cannot read the admin folder, which is also as expected, since only the group Domain Administrators has NTFS permissions on the admin folder, of which the backup user is not a member. Keep in mind we’re still not utilizing SeBackupPrivilege/SeRestorePrivilege here!

We’ll now try to copy the everyone folder through Robocopy with the /b flag, by executing:
robocopy z:\everyone d:\target\everyone /b /e

Success. In theory, we would not have needed to include the /b flag to copy the everyone folder, since the backup user has proper NTFS permissions anyway. Let’s see this by running the command without the /b flag:
robocopy z:\everyone d:\target\everyone /e

Of course, always executing in backup mode would be a good practice, since it will mitigate the risk of someone accidentally or purposefully messing with the NTFS permissions.

On to the good part. We’ll try to copy the admin folder without the /b flag, by executing:
robocopy z:\admin d:\target\admin /e

As expected, we cannot read the file without being in backup mode. We’ll now run the command including the /b flag:
robocopy z:\admin d:\target\admin /b /e

We’ve now successfully copied the admin file utilizing the elevated privileges!

In summary the requirements are:

  • Create domain user for backup process
  • Domain user needs to be added to local Backup Operators group
  • Domain user needs to be added as ANF backup policy user
  • Backup software needs to utilize backup mode, triggering elevated privileges (SeBackupPrivilege/SeRestorePrivilege)

Leave a Reply

%d bloggers like this: