Host-based backup of Microsoft Hyper-V VMs.
ksims
Service Provider
Joined: Sep 16, 2020 2:34 pm
Full Name: Kyle Sims

Service accounts?

Post by ksims »

I'm spitballing around with some different ideas for implementing 'service accounts'.

We're looking at rolling out a process for rotating our local admin account passwords across all endpoints. One of the hiccups preventing this is that Veeam utilizes local admin accounts to do its thing, and having to log into ~30ish endpoints to update credentials so Veeam can continue to access VMs isn't super feasible, especially if we want to do the rotations fairly frequently. I've heard rumors that they'll be rotating biweekly if not more frequently, but that's neither here nor there.

We run Hyper-V and don't domain-join our hosts as a matter of practice, so I don't think using gMSAs will work? Generally speaking, Veeam runs in the Hyper-V host OS and backs up the VMs on that host. In a few environments, Veeam runs on a 'network appliance', reaching out to the Hyper-V host and backing up the VMs from there.

I've been tossing around the idea of creating a local admin account, naming it 'Backups' or something similar, giving it local admin rights and using the local security policy to disable login. But that still doesn't seem as secure as it could be.

Thoughts? Suggestions?
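The 'Backups' local admin account with interactive logon disabled, as an added example that is not part of the original post or Veeam's own tooling. It creates the account, adds it to the local Administrators group, and merges the account's SID into the two "Deny log on" user rights via secedit without clobbering whatever is already assigned there. Assumptions, labelled in the code: it runs elevated on each guest that Veeam backs up, the account is only ever used for network logons by the backup server (so denying interactive and Remote Desktop logon does not break guest processing; confirm the logon type Veeam's guest interaction uses for your version), the account name 'Backups' is taken from the post, and the temp file names are arbitrary.

```powershell
# Added example, not from the thread. Run elevated on each guest Veeam backs up.
# Assumptions: the account is only used for network logons from the backup server,
# so interactive and Remote Desktop logons can be denied; 'Backups' is the name
# used in the post; file names under $env:TEMP are arbitrary.
param(
    [string]$AccountName = 'Backups',
    [securestring]$InitialPassword = (Read-Host -AsSecureString 'Initial password')
)

# 1. Create the account and make it a local administrator. Expiry is left to the
#    external rotation process rather than to the OS.
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $InitialPassword `
        -Description 'Veeam guest processing (network logon only)' `
        -UserMayNotChangePassword -PasswordNeverExpires | Out-Null
}
Add-LocalGroupMember -Group 'Administrators' -Member $AccountName -ErrorAction SilentlyContinue
$sid = (Get-LocalUser -Name $AccountName).SID.Value

# 2. Read the current assignment of a user right from a secedit export so the
#    new SID is merged in, not substituted for whatever is already there.
function Get-CurrentRightAssignment {
    param([string[]]$PolicyLines, [string]$Right)
    $line = $PolicyLines | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    @(($line -replace "^$Right\s*=\s*", '') -split ',' | Where-Object { $_ -ne '' })
}

$export = Join-Path $env:TEMP 'rights-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $export

$rights = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
$assignments = foreach ($r in $rights) {
    $members = @(Get-CurrentRightAssignment -PolicyLines $policy -Right $r)
    if ($members -notcontains "*$sid") { $members += "*$sid" }
    "$r = $($members -join ',')"
}

# 3. Apply only the two deny rights; other rights are untouched because they are
#    not listed in the template. The INF header is the format secedit expects.
$template = @(
    '[Unicode]', 'Unicode=yes',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
    '[Privilege Rights]'
) + $assignments
$inf = Join-Path $env:TEMP 'deny-logon.inf'
$db  = Join-Path $env:TEMP 'deny-logon.sdb'
Set-Content -Path $inf -Value $template -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
Remove-Item $export, $inf, $db -ErrorAction SilentlyContinue

# 4. Verify: the SID should now appear in both deny rights, while the account keeps
#    SeNetworkLogonRight through the Administrators group.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
Get-Content $export | Where-Object {
    $_ -match 'SeDenyInteractiveLogonRight|SeDenyRemoteInteractiveLogonRight|SeNetworkLogonRight'
}
Remove-Item $export -ErrorAction SilentlyContinue
```

Denying interactive and RDP logon is the part that "disable login" buys you; it does not stop someone who obtains the password from using it over the network, which is why rotating it frequently still matters.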
PetrM
Veeam Software
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic

Re: Service accounts?

Post by PetrM »

Hi Kyle,

I'm not sure I understand which hosts are not joined to the domain. Are you referring to Hyper-V hosts? For gMSA usage, the requirement is that the guest interaction proxy and the target machine have network access to the domain controllers and are in the same domain to obtain the gMSA password.

Regarding frequent credential updates, the only idea that comes to mind is to schedule a script to update the credentials. One part of such a script can update the credentials using this cmdlet on the Veeam B&R side, while another part must retrieve the actual updated information from a trusted source.

The idea of using a single 'Backups' account seems to be a compromise between security and usability, but I cannot say how it will work with the disabled login. Could you please elaborate a bit more on how you are going to configure such an account?

Thanks!
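A scheduled rotation script of the shape described in the reply above, as an added example that is not Veeam's code and not part of the thread. It keeps the current password in a DPAPI-protected file on the backup server (the "trusted source"), changes the local account on every guest, and only then updates the Veeam credential record. Assumptions, labelled in the code: it runs on the Veeam B&R server under the account that wrote the vault file; WinRM reaches each guest and, since the guests are not domain-joined, they are in TrustedHosts or use an HTTPS listener; the Veeam PowerShell module is installed; the local account and the Veeam credential record are both named 'Backups'; the target names are constructed samples; the Set-VBRCredentials parameters used are the ones in the Veeam PowerShell reference and should be checked against your version.

```powershell
# Added example, not Veeam's code. Assumptions (hypothetical, adjust to your setup):
#  - runs on the Veeam B&R server as the account that owns the DPAPI-protected vault file
#  - Veeam.Backup.PowerShell is installed (v11+; older versions use a PSSnapin)
#  - WinRM reaches each guest; guests are in TrustedHosts or use HTTPS (not domain-joined)
#  - the local account and the Veeam credential record are both named 'Backups'
#  - Set-VBRCredentials parameter names taken from the Veeam PowerShell reference; verify
param(
    [string[]]$ComputerName = @('vm-app01', 'vm-db01'),   # constructed sample targets
    [string]$AccountName = 'Backups',
    [string]$VeeamCredentialName = 'Backups',
    [string]$VaultPath = "$env:ProgramData\BackupRotation\current.xml"
)
Import-Module Veeam.Backup.PowerShell

function New-RandomPassword {
    param([int]$Length = 24)
    # Unbiased draw from a fixed alphabet: rejection sampling over CSPRNG bytes.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#%^*-_=+'
    $limit = 256 - (256 % $alphabet.Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

function Set-RemoteLocalPassword {
    param([string]$Computer, [pscredential]$Auth, [pscredential]$New)
    # Authenticate with the credential that currently works, then set the new one.
    # PSCredential/SecureString are transported encrypted inside the remoting session.
    Invoke-Command -ComputerName $Computer -Credential $Auth -ErrorAction Stop -ScriptBlock {
        param($Name, $Password)
        Set-LocalUser -Name $Name -Password $Password
    } -ArgumentList $New.UserName, $New.Password
}

# 1. Trusted source: the password currently in use, written by the previous run.
#    Seed it once with: Get-Credential Backups | Export-Clixml $VaultPath
$current = Import-Clixml -Path $VaultPath
$new = [pscredential]::new($AccountName,
    (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force))

# 2. Rotate on every guest, remembering successes so a partial failure can be undone.
#    A half-rotated fleet with one shared Veeam record is worse than no rotation.
$done = @()
try {
    foreach ($c in $ComputerName) {
        Set-RemoteLocalPassword -Computer $c -Auth $current -New $new
        $done += $c
    }
} catch {
    Write-Warning "Rotation failed: $_ ; rolling back $($done.Count) host(s)"
    foreach ($c in $done) { Set-RemoteLocalPassword -Computer $c -Auth $new -New $current }
    throw
}

# 3. Only now update Veeam and the vault, so the record never points at a password
#    that is not yet live on every guest.
Connect-VBRServer -Server localhost
$record = Get-VBRCredentials -Name $VeeamCredentialName
Set-VBRCredentials -Credential $record -User $AccountName `
    -Password $new.GetNetworkCredential().Password
Disconnect-VBRServer
$new | Export-Clixml -Path $VaultPath
```

Schedule it under a dedicated account on the backup server; Export-Clixml protects the SecureString with DPAPI for that user on that machine, so the vault file is useless if copied elsewhere, and the same account must run both the seed step and the scheduled task.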