I'm spitballing around with some different ideas for implementing 'service accounts'.
We're looking at rolling out a process for rotating our local admin account passwords across all endpoints - One of the hiccups preventing this, is that Veeam utilizes local admin accounts to do its thing, and having to log into ~30ish endpoints to update credentials so Veeam can continue to access VMs isn't super feasible, especially if we want to do the rotations fairly frequently - I've heard rumors that they'll be rotating biweekly if not more frequently, but that's neither here nor there
We run hyper-v, don't domain join our hosts as a matter of practice, so using gMSA's I don't think will work? Generally speaking, Veeam runs in the hyper-v host OS, and backs up the VMs on that host. In a few environments, Veeam runs on a 'network appliance', reaching out to the hyper-v host and backing up the VMs from there.
I've been tossing around the idea of creating a local admin account, naming it 'Backups' or something similar, give it local admin rights and use the local security policy to disable login - But that still doesn't seem as secure as it could be.
Thoughts? Suggestions?
-
ksims
- Service Provider
- Posts: 43
- Liked: 4 times
- Joined: Sep 16, 2020 2:34 pm
- Full Name: Kyle Sims
- Contact:
-
PetrM
- Veeam Software
- Posts: 3818
- Liked: 643 times
- Joined: Aug 28, 2013 8:23 am
- Full Name: Petr Makarov
- Location: Prague, Czech Republic
- Contact:
Re: Service accounts?
Hi Kyle,
I'm not sure I understand which hosts are not joined to the domain. Are you referring to Hyper-V hosts? For gMSA usage, the requirement is that the guest interaction proxy and the target machine have network access to the domain controllers and are in the same domain to obtain the gMSA password.
Regarding frequent credential updates, the only idea that comes to mind is to schedule a script to update the credentials. One part of such a script can update the credentials using this cmdlet on Veeam B&R side, while another part must retrieve the actual updated information from a trusted source.
The idea of using a single 'Backups' account seems to be a compromise between security and usability, but I cannot say how it will work with the disabled login. Could you please elaborate a bit more on how you are going to configure such an account?
Thanks!
I'm not sure I understand which hosts are not joined to the domain. Are you referring to Hyper-V hosts? For gMSA usage, the requirement is that the guest interaction proxy and the target machine have network access to the domain controllers and are in the same domain to obtain the gMSA password.
Regarding frequent credential updates, the only idea that comes to mind is to schedule a script to update the credentials. One part of such a script can update the credentials using this cmdlet on Veeam B&R side, while another part must retrieve the actual updated information from a trusted source.
The idea of using a single 'Backups' account seems to be a compromise between security and usability, but I cannot say how it will work with the disabled login. Could you please elaborate a bit more on how you are going to configure such an account?
Thanks!
Who is online
Users browsing this forum: No registered users and 20 guests