-
- Veteran
- Posts: 487
- Liked: 106 times
- Joined: Dec 08, 2014 2:58 pm
- Full Name: Steve Krause
- Contact:
Feature Request: Two-factor auth support for Veeam Console MFA 2FA
At my organization we are in the nascent stages of requiring 2-factor auth on all of our systems (we currently have DuoRDP on about 75% of our production servers) and it would be nice to have two factor be available in the Veeam Console at some point. Sure, we could RDP into our B&R server with 2FA and launch the console from there, but that is so version 8
Some form of integration with a widely available 2FA solution would be a useful addition for us.
Not a high priority or anything, just something that I was thinking of.
Some form of integration with a widely available 2FA solution would be a useful addition for us.
Not a high priority or anything, just something that I was thinking of.
Steve Krause
Veeam Certified Architect
Veeam Certified Architect
-
- Product Manager
- Posts: 14652
- Liked: 1678 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
Hi Steve,
Interesting request - thanks for sharing. We will discuss it with the team for sure.
Interesting request - thanks for sharing. We will discuss it with the team for sure.
-
- Veteran
- Posts: 377
- Liked: 32 times
- Joined: Oct 17, 2013 10:02 am
- Full Name: Mark
- Location: UK
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
+1 for this, our place is also looking at making all admin related activities require MFA.
-
- Enthusiast
- Posts: 62
- Liked: 20 times
- Joined: Jul 08, 2013 1:47 pm
- Full Name: Carl McDade
- Location: Leeds, UK
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
Quick thought on this
If you use Veeam Availability Console, technically you could install the 2FA agent for webserver on the IIS App. That would then give you 2FA whilst accessing VAC
I've only used RSA, and ive used their webserver agent for RDS/Sharepoint/internal sites.
Cheers
If you use Veeam Availability Console, technically you could install the 2FA agent for webserver on the IIS App. That would then give you 2FA whilst accessing VAC
I've only used RSA, and ive used their webserver agent for RDS/Sharepoint/internal sites.
Cheers
mail@carlmcdade.com
http://twitter.com/CarlMcDade
http://www.carlmcdade.com
http://twitter.com/CarlMcDade
http://www.carlmcdade.com
-
- Influencer
- Posts: 10
- Liked: 2 times
- Joined: Jul 07, 2016 8:26 pm
- Full Name: Nathan McClintock
- Contact:
-
- Influencer
- Posts: 15
- Liked: never
- Joined: Jul 20, 2012 2:05 pm
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
Would be interested in this as well
-
- Veteran
- Posts: 298
- Liked: 85 times
- Joined: Feb 16, 2017 8:05 pm
- Contact:
-
- Veteran
- Posts: 253
- Liked: 40 times
- Joined: May 21, 2013 9:08 pm
- Full Name: Alan Wells
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
+1 on the 2FA. Please give an ETA ASAP.
-
- Enthusiast
- Posts: 96
- Liked: 24 times
- Joined: Oct 08, 2014 9:07 am
- Full Name: Jazz Oberoi
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
+1
This could also mitigate the scenario where the attacker could log into VEEAM and delete all the backups from there.
This could also mitigate the scenario where the attacker could log into VEEAM and delete all the backups from there.
-
- Expert
- Posts: 227
- Liked: 46 times
- Joined: Oct 12, 2015 11:24 pm
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
Surely you have bigger security problems if someone has got to the point where they can login to the Veeam console?
-
- Influencer
- Posts: 19
- Liked: never
- Joined: Jan 24, 2011 5:22 pm
- Full Name: Dean Richman
- Contact:
-
- Service Provider
- Posts: 40
- Liked: 1 time
- Joined: May 13, 2013 2:32 am
- Location: Brisbane
- Contact:
-
- Enthusiast
- Posts: 64
- Liked: 10 times
- Joined: May 15, 2014 3:29 pm
- Full Name: Peter Yasuda
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
Sure, but anything you can put into place to slow an attacker post-breach gives you more time to (let's hope) detect the breach before irreparable harm is done.adapterer wrote:Surely you have bigger security problems if someone has got to the point where they can login to the Veeam console?
-
- Enthusiast
- Posts: 55
- Liked: 12 times
- Joined: Jan 20, 2015 2:07 pm
- Full Name: Brandon Payne
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
+1. In healthcare, we are also being pushed to implement MFA wherever possible.
-
- Enthusiast
- Posts: 57
- Liked: 8 times
- Joined: May 09, 2011 12:43 pm
- Full Name: Sebastian
- Location: Germany
- Contact:
-
- Novice
- Posts: 9
- Liked: never
- Joined: Jan 25, 2017 9:07 am
- Contact:
-
- Influencer
- Posts: 10
- Liked: 3 times
- Joined: Aug 16, 2013 8:19 am
- Full Name: Geoff Grice
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
RADIUS 2fa would be a nice addition!
-
- Veteran
- Posts: 259
- Liked: 40 times
- Joined: Aug 26, 2015 2:56 pm
- Full Name: Chris Gundry
- Contact:
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Dec 18, 2017 10:56 am
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
That's exactly what you can hope for in that situation. I'm fully in favor of this suggestion too. We could also use this in our firm.
-
- Service Provider
- Posts: 176
- Liked: 53 times
- Joined: Mar 11, 2016 7:41 pm
- Full Name: Cory Wallace
- Contact:
-
- Service Provider
- Posts: 114
- Liked: 12 times
- Joined: Nov 15, 2016 6:56 pm
- Location: Cayman Islands
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
+1 for sure, though will probably try DUO on the VAC!
Jason
VMCE
VMCE
-
- Novice
- Posts: 9
- Liked: never
- Joined: Feb 21, 2016 9:07 pm
- Full Name: Paul
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
A bit of time has passed since the last post on this thread. I was wondering, I saw one of Gostev's weekend blog emails about maybe 6 months ago that had a good story/review of a Ransomware attack. Then Gostev goes on to talk about two factor authentication for the Veeam BU server it self. I can't find that blog! If anyone remembers this and/or can point me toward it I'd appreciate it. I've got a lot of other material about this but I want to find that one excellent post if possible. Thanks in advance.
-
- Veteran
- Posts: 298
- Liked: 85 times
- Joined: Feb 16, 2017 8:05 pm
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
Perhaps this is it:
Another attack story from one of our customers, who hired a security firms post attack to investigate this attack thoroughly – thus all the scary details. Cryptomix Arena made it's way into the network and started encrypting Windows file servers and Hyper-V VMs. Once VHDs were encrypted, the ransomware deleted the original VHDs and ran a disk scrubber. Next, actual hackers appeared (feels like just like sharks sensing blood in the water, doesn't it – but what really happens is ransomware "phones home"). After failing to connect to the Veeam backup server through PowerShell, hackers managed to instead logon to one locally by brute forcing RDP, and proceeded to delete all backups manually – both those sitting on the local NAS, and their copies in Cloud Connect. They also manually ran a disk scrubber to ensure those local backups could not be recovered. Finally, they accessed Hyper-V management console and deleted the backup server VM entirely. The only way customer managed to recover some of their data was from storage snapshots.
So if this does not teach you to implement two-factor authentication for RDP access to your critical systems, then I don't know what else will. And naturally, the Insider Protection functionality for Veeam Cloud Connect cannot come fast enough – luckily, Update 3 is just around the corner now. Also, this story confirms the importance of having some sort of air gap – even if it was not true air gap in this case, still the hacker either was completely unaware of the presence of storage snapshots, or simply was not able to break into the storage array management console to delete those. Although I'm guessing the disk scrubbing probably overfilled snapshot storage location, so most snapshots were lost anyway.
By the way, another reason to use two-factor authentication and not just use strong password alone is repeating reports on the presence of keyloggers in OEM drivers like Synaptic and Conexant. Which means it's hard to find a modern PC that would not be at risk... the article's name is actually very misleading – not sure why would they pick on HP specifically, when other PC vendors are equally affected. For example, my Lenovo X1 had both Synaptic Touchpad and Conexant Audio drivers preinstalled too.
Blog post from December 11 - December 17, 2017
Please note that this is not the entire content of the post.
Another attack story from one of our customers, who hired a security firms post attack to investigate this attack thoroughly – thus all the scary details. Cryptomix Arena made it's way into the network and started encrypting Windows file servers and Hyper-V VMs. Once VHDs were encrypted, the ransomware deleted the original VHDs and ran a disk scrubber. Next, actual hackers appeared (feels like just like sharks sensing blood in the water, doesn't it – but what really happens is ransomware "phones home"). After failing to connect to the Veeam backup server through PowerShell, hackers managed to instead logon to one locally by brute forcing RDP, and proceeded to delete all backups manually – both those sitting on the local NAS, and their copies in Cloud Connect. They also manually ran a disk scrubber to ensure those local backups could not be recovered. Finally, they accessed Hyper-V management console and deleted the backup server VM entirely. The only way customer managed to recover some of their data was from storage snapshots.
So if this does not teach you to implement two-factor authentication for RDP access to your critical systems, then I don't know what else will. And naturally, the Insider Protection functionality for Veeam Cloud Connect cannot come fast enough – luckily, Update 3 is just around the corner now. Also, this story confirms the importance of having some sort of air gap – even if it was not true air gap in this case, still the hacker either was completely unaware of the presence of storage snapshots, or simply was not able to break into the storage array management console to delete those. Although I'm guessing the disk scrubbing probably overfilled snapshot storage location, so most snapshots were lost anyway.
By the way, another reason to use two-factor authentication and not just use strong password alone is repeating reports on the presence of keyloggers in OEM drivers like Synaptic and Conexant. Which means it's hard to find a modern PC that would not be at risk... the article's name is actually very misleading – not sure why would they pick on HP specifically, when other PC vendors are equally affected. For example, my Lenovo X1 had both Synaptic Touchpad and Conexant Audio drivers preinstalled too.
Blog post from December 11 - December 17, 2017
Please note that this is not the entire content of the post.
-
- Novice
- Posts: 9
- Liked: never
- Joined: Feb 21, 2016 9:07 pm
- Full Name: Paul
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
Big Thank You nitarmd! This is definitely the one. I'm trying to find the entire post in the Blog Digest. If you have the url could you post it up or pm it to me? Thanks very much, we're in Florida.
-
- Veteran
- Posts: 298
- Liked: 85 times
- Joined: Feb 16, 2017 8:05 pm
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
Entire post:
Veeam Community Forums DigestDecember 11 - December 17, 2017
THE WORD FROM GOSTEV
vSphere users, note that VMware Tools 10.2.0 is now generally available, and there are two major new features that make it quite a significantly release – so much I decided to highlight one here. First, this release finally adds offline bundles VIB which can be deploying using vSphere Update Manager to vSphere 5.5 and later ESXi hosts. Woohoo! Second, it brings support for Microsoft System Center Configuration Manager (SCCM) for distributing and updating VMware Tools on your VMs. Which will also be appreciated by many! Here are the direct links to Release Notes and the actual bits for your convenience.
Release notes link: https://docs.vmware.com/en/VMware-Tools ... notes.html
Actual tidbits link: https://my.vmware.com/group/vmware/deta ... ductId=614
Another attack story from one of our customers, who hired a security firms post attack to investigate this attack thoroughly – thus all the scary details. Cryptomix Arena made it's way into the network and started encrypting Windows file servers and Hyper-V VMs. Once VHDs were encrypted, the ransomware deleted the original VHDs and ran a disk scrubber. Next, actual hackers appeared (feels like just like sharks sensing blood in the water, doesn't it – but what really happens is ransomware "phones home"). After failing to connect to the Veeam backup server through PowerShell, hackers managed to instead logon to one locally by brute forcing RDP, and proceeded to delete all backups manually – both those sitting on the local NAS, and their copies in Cloud Connect. They also manually ran a disk scrubber to ensure those local backups could not be recovered. Finally, they accessed Hyper-V management console and deleted the backup server VM entirely. The only way customer managed to recover some of their data was from storage snapshots.
So if this does not teach you to implement two-factor authentication for RDP access to your critical systems, then I don't know what else will. And naturally, the Insider Protection functionality for Veeam Cloud Connect cannot come fast enough – luckily, Update 3 is just around the corner now. Also, this story confirms the importance of having some sort of air gap – even if it was not true air gap in this case, still the hacker either was completely unaware of the presence of storage snapshots, or simply was not able to break into the storage array management console to delete those. Although I'm guessing the disk scrubbing probably overfilled snapshot storage location, so most snapshots were lost anyway.
By the way, another reason to use two-factor authentication and not just use strong password alone is repeating reports on the presence of keyloggers in OEM drivers like Synaptic and Conexant. Which means it's hard to find a modern PC that would not be at risk... the article's name is actually very misleading – not sure why would they pick on HP specifically, when other PC vendors are equally affected. For example, my Lenovo X1 had both Synaptic Touchpad and Conexant Audio drivers preinstalled too.
Keyloggers in OEM drivers link: http://www.zdnet.com/article/keylogger- ... of-hp-pcs/
To those using Data Domain as a target for Veeam: according to DELL EMC, close to a thousand of your systems are still running DD OS 5.4 and 5.5. Please, schedule the upgrade in the next few months, as we're planning to end support for these DD OS versions in the next update. With the real reason being the DDBoost SDK required by the upcoming DD OS version supporting 5.6 and later only.
Did you know the biggest bubble in the human history was with tulips? I was fascinated reading the article, especially that snippet on how much goods you could get for a single bulb. Luckily, the humanity advanced so far in 500 years, and this sort of explainable craziness can never repeat... just kidding, actually I learnt about tulip mania while watching the video on the mother of all bubbles.
Veeam Community Forums DigestDecember 11 - December 17, 2017
THE WORD FROM GOSTEV
vSphere users, note that VMware Tools 10.2.0 is now generally available, and there are two major new features that make it quite a significantly release – so much I decided to highlight one here. First, this release finally adds offline bundles VIB which can be deploying using vSphere Update Manager to vSphere 5.5 and later ESXi hosts. Woohoo! Second, it brings support for Microsoft System Center Configuration Manager (SCCM) for distributing and updating VMware Tools on your VMs. Which will also be appreciated by many! Here are the direct links to Release Notes and the actual bits for your convenience.
Release notes link: https://docs.vmware.com/en/VMware-Tools ... notes.html
Actual tidbits link: https://my.vmware.com/group/vmware/deta ... ductId=614
Another attack story from one of our customers, who hired a security firms post attack to investigate this attack thoroughly – thus all the scary details. Cryptomix Arena made it's way into the network and started encrypting Windows file servers and Hyper-V VMs. Once VHDs were encrypted, the ransomware deleted the original VHDs and ran a disk scrubber. Next, actual hackers appeared (feels like just like sharks sensing blood in the water, doesn't it – but what really happens is ransomware "phones home"). After failing to connect to the Veeam backup server through PowerShell, hackers managed to instead logon to one locally by brute forcing RDP, and proceeded to delete all backups manually – both those sitting on the local NAS, and their copies in Cloud Connect. They also manually ran a disk scrubber to ensure those local backups could not be recovered. Finally, they accessed Hyper-V management console and deleted the backup server VM entirely. The only way customer managed to recover some of their data was from storage snapshots.
So if this does not teach you to implement two-factor authentication for RDP access to your critical systems, then I don't know what else will. And naturally, the Insider Protection functionality for Veeam Cloud Connect cannot come fast enough – luckily, Update 3 is just around the corner now. Also, this story confirms the importance of having some sort of air gap – even if it was not true air gap in this case, still the hacker either was completely unaware of the presence of storage snapshots, or simply was not able to break into the storage array management console to delete those. Although I'm guessing the disk scrubbing probably overfilled snapshot storage location, so most snapshots were lost anyway.
By the way, another reason to use two-factor authentication and not just use strong password alone is repeating reports on the presence of keyloggers in OEM drivers like Synaptic and Conexant. Which means it's hard to find a modern PC that would not be at risk... the article's name is actually very misleading – not sure why would they pick on HP specifically, when other PC vendors are equally affected. For example, my Lenovo X1 had both Synaptic Touchpad and Conexant Audio drivers preinstalled too.
Keyloggers in OEM drivers link: http://www.zdnet.com/article/keylogger- ... of-hp-pcs/
To those using Data Domain as a target for Veeam: according to DELL EMC, close to a thousand of your systems are still running DD OS 5.4 and 5.5. Please, schedule the upgrade in the next few months, as we're planning to end support for these DD OS versions in the next update. With the real reason being the DDBoost SDK required by the upcoming DD OS version supporting 5.6 and later only.
Did you know the biggest bubble in the human history was with tulips? I was fascinated reading the article, especially that snippet on how much goods you could get for a single bulb. Luckily, the humanity advanced so far in 500 years, and this sort of explainable craziness can never repeat... just kidding, actually I learnt about tulip mania while watching the video on the mother of all bubbles.
-
- Expert
- Posts: 206
- Liked: 14 times
- Joined: Jul 23, 2013 9:14 am
- Full Name: Dazza
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
As a Veeam customer, I like the product, but I do feel increasingly disappointed with the lack of built-in security features. It seems to me that Veeam are incredibly keen to keep pushing this 3-2-1 responsibility down to the customer, and whilst that is a perfectly valid principle of backup protection, I think it's pushed hard by Veeam because there's an internal acceptance that the built-in product defence measures are very limited. Please Veeam, start listening to customers and provide this security within the product stack itself... find ways to deliver multi-factor authentication, backup file immutability, etc. Set CloudConnect perhaps to be a pull-only architecture, instead of a push copy job that requires that authentication to be on the Veeam server. Make security your primary focus, built into every piece of functionality within the product. This is where other new-world backup providers have an edge I think (i.e. Rubrik) - they provide a box-solution and own the entire stack, including the file system and the storage - therefore that have greater capacity to affect security end to end within their platform. Veeam's "strength" in it's flexibility to be built into any storage you want, is also it's weakness when on the discussion point of storage.
I'm not Veeam-bashing.... just keen to see a product I like deliver more security to its customers.
I'm not Veeam-bashing.... just keen to see a product I like deliver more security to its customers.
-
- Expert
- Posts: 227
- Liked: 46 times
- Joined: Oct 12, 2015 11:24 pm
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
I still think this is a silly request (IMHO)
You can still delete backups without the console with PowerShell.
If the bad actor is at the point where they can access your Veeam console, they have likely already breached your network elsewhere which means they can also likely access any SMB or DAS storage available, and happily deploy any malware or backdoor they like.
Wouldn't it make more sense to implement 2FA to stop bad actors getting into your systems in the first place?
Again, just my $0.02
You can still delete backups without the console with PowerShell.
If the bad actor is at the point where they can access your Veeam console, they have likely already breached your network elsewhere which means they can also likely access any SMB or DAS storage available, and happily deploy any malware or backdoor they like.
Wouldn't it make more sense to implement 2FA to stop bad actors getting into your systems in the first place?
Again, just my $0.02
-
- Service Provider
- Posts: 153
- Liked: 34 times
- Joined: Dec 18, 2017 8:58 am
- Full Name: Bill Couper
- Contact:
-
- Service Provider
- Posts: 25
- Liked: 4 times
- Joined: Jun 20, 2012 11:12 am
- Full Name: Benjamin Elveng
- Contact:
-
- Service Provider
- Posts: 153
- Liked: 34 times
- Joined: Dec 18, 2017 8:58 am
- Full Name: Bill Couper
- Contact:
Re: Feature Request - Two-factor auth support for Veeam Cons
No. You are wrong. There are times when security is a priority. Customer data is #1 on that list.adapterer wrote:I still think this is a silly request (IMHO)
You can still delete backups without the console with PowerShell.
If the bad actor is at the point where they can access your Veeam console, they have likely already breached your network elsewhere which means they can also likely access any SMB or DAS storage available, and happily deploy any malware or backdoor they like.
Wouldn't it make more sense to implement 2FA to stop bad actors getting into your systems in the first place?
Again, just my $0.02
If a "bad actor" can infiltrate any of your systems and from there delete your Veeam backups, then you sir have designed a terrible system. Even worse if they can delete your customer backups!
On top of that certain security certifications require that ALL access to customer data is protected by 2FA. Since you can restore customer data from the Veeam Console it requires 2FA. In my company I am not allowed to give anybody access to it - the Veeam console is locked up in a secure server that can only be accessed after multiple two-factor logins. It's a right PITA being the only person who can work on it, let me tell you!
I round your 2 cents down to 0.
EDIT: -9999 (adjustment)
Who is online
Users browsing this forum: Bing [Bot], Google [Bot] and 29 guests