Create a vcbuser – VCB Best Practice
When you use VCB you have to specify either ESX root or VC2 administrator credentials. These credentials are stored, and easily found, in the required vcb-pre-backup and vcb-post-backup .bat files, and in the config.js file when using a third-party backup integration module. Therefore, a best practice is to create a new user that has the required permissions for backing up VMs. The new user, vcbuser, will allow you to keep your administrator and root accounts secure.
In the latest version of VC, VC2.5, the vcbuser role and permissions are predefined and called “VMware Consolidated Backup User”. The steps in this post are intended only for VC2.02 and earlier.
To create the vcbuser do the following:
On the VC2 server create a local Windows account named vcbuser.
You do NOT need to add it to the local admins group.
Create a VCBUser role in VC2
- Log on to the VI Client as a user with Administrator privileges.
- From the VI Client, click Administration in the navigation bar.
- Click the Roles tab.
- Click Add Role.
- For the name of the new role, type VCBUser.
- Select the following privileges for the new role. Click the plus (+) signs to expand the lists, as needed.
  - VirtualMachine > Configuration > Disk Lease
  - VirtualMachine > State > Create Snapshot
  - VirtualMachine > State > Remove Snapshot
  - VirtualMachine > Provisioning > Allow Virtual Machine Download
  - Virtual Machine > Provisioning > Allow Read-only Disk Access
Click OK to complete the process.
Associate the Windows local vcbuser user with this role
- Using the VI Client, select the Datastore where you want to assign the vcbuser permissions.
- Click the Permissions tab.
- Add the local Windows vcbuser account and assign the new VCBUser role to it.
A potential issue can arise if permissions are not assigned at the datacenter level: http://communities.vmware.com/thread/104829
Straight from VMware’s VCB Best Practices .pdf, here are some additional VCB recommendations:
You should also lock down the backup proxy server itself, following these guidelines:
- Create a new VCB user with minimal privileges. Assign the VMware Consolidated Backup role in VirtualCenter to this user. Consider disabling such services as remote control and terminal services profile for this account for added security. Specify this user’s credentials in config.js to initiate backups from your backup software.
- Use local authentication — The backup proxy server should not use any form of network authentication when using credentials to initiate the backup. This guideline protects against the possibility that other users might log in to the machine, a possibility that is greater if any network authentication is used.
- Restrict access to the proxy server — You should not use the backup proxy server as a general purpose server. The person who uses the vcbuser role on the VirtualCenter Server host should be the same person as the administrator of the backup proxy server. If these are separate people, the administrator on the backup proxy server can easily get access to the password for the vcbuser role.
- If you have multiple backup proxy server hosts, use different vcbuser accounts with different passwords for each host.
- Rotate the vcbuser account’s password regularly.
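The guidelines above can be checked mechanically across several proxies. The following is an added example, not code from this post or from VMware: it audits config.js contents for a stored root or administrator account and for vcbuser accounts or passwords reused between proxy hosts. It assumes config.js holds USERNAME and PASSWORD as NAME="value"; lines; the proxy names and sample file contents are constructed.

```python
import hashlib
import re
from collections import defaultdict

# Account names the post says must not be stored on the proxy.
PRIVILEGED = {"root", "administrator"}
# Assumed config.js syntax: NAME="value"; one per line (commented-out lines are ignored).
ASSIGN = re.compile(r'^[ \t]*(HOST|USERNAME|PASSWORD)[ \t]*=[ \t]*"([^"]*)"[ \t]*;', re.M)

def parse_config(text):
    """Return the HOST/USERNAME/PASSWORD assignments; a later assignment wins."""
    return dict(ASSIGN.findall(text))

def audit(configs):
    """configs maps proxy name -> config.js text. Returns sorted (proxy, finding) pairs."""
    findings = []
    users, passwords = defaultdict(list), defaultdict(list)
    for proxy, text in configs.items():
        cfg = parse_config(text)
        user = cfg.get("USERNAME", "")
        # Strip a DOMAIN\ or HOST\ prefix (written as \\ inside a JScript string).
        account = user.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
        if account in PRIVILEGED:
            findings.append((proxy, "privileged-account"))
        if account:
            users[account].append(proxy)
        if cfg.get("PASSWORD"):
            # Compare digests so the audit never carries the password itself around.
            digest = hashlib.sha256(cfg["PASSWORD"].encode()).hexdigest()
            passwords[digest].append(proxy)
    for label, groups in (("shared-account", users), ("shared-password", passwords)):
        for proxies in groups.values():
            for proxy in proxies:
                others = [p for p in proxies if p != proxy]
                if others:
                    findings.append((proxy, f"{label}:{','.join(sorted(others))}"))
    return sorted(findings)

# Constructed sample files for three hypothetical proxies.
SAMPLE = {
    "proxy1": 'HOST="vc.example.test";\nUSERNAME="VCHOST\\\\Administrator";\nPASSWORD="constructed-1";\n',
    "proxy2": '// USERNAME="root";\nUSERNAME="vcbuser";\nPASSWORD="constructed-2";\n',
    "proxy3": 'USERNAME="vcbuser";\nPASSWORD="constructed-2";\n',
}

if __name__ == "__main__":
    for proxy, finding in audit(SAMPLE):
        print(proxy, finding)
```

An empty result means each proxy stores a distinct, non-administrative account with its own password; it says nothing about password age, so rotation still has to be tracked separately.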