-
- Enthusiast
- Posts: 41
- Liked: 2 times
- Joined: Oct 18, 2018 12:37 pm
- Full Name: Jeff Baumann
- Contact:
App Aware and local admin account?
Hello,
Currently we have a mix of App Aware jobs and non App Aware jobs in a mostly Windows servers environment along with a few Linux servers. After researching the forums it appears that the recommendation is to enable AA on all servers, not just highly transactional ones, which I would like to do.
The problem I am having is convincing our security team to allow our backupadmin user account to be a local admin on each of our 600+ servers. Currently our backupadmin user account is a member of domain admins, which in our AD setup sets the backupadmin account as a local user on the servers. They are requesting a removal of the backupadmin user account from domain admins, which kind of forces the backupadmin user account to be a local admin if we want to use AA on all servers. The security team is asking for "explicit privileges" to be assigned this backupadmin account... I'm not exactly sure what they are looking for.
Any help would be appreciated.
Thanks!
-
- Expert
- Posts: 206
- Liked: 41 times
- Joined: Nov 01, 2017 8:52 pm
- Full Name: blake dufour
- Contact:
Re: App Aware and local admin account?
I would agree with your security team in removing that account from the domain admin group. I would also restrict login hours to this account (if possible), and disable all internet access to this service account (if it's only for backup/replication that shouldn't be an issue). Set a 20+ complex password.
Here are the required permissions:
https://helpcenter.veeam.com/docs/backu ... tml?ver=95
-
- Enthusiast
- Posts: 41
- Liked: 2 times
- Joined: Oct 18, 2018 12:37 pm
- Full Name: Jeff Baumann
- Contact:
Re: App Aware and local admin account?
Thanks Blake,
Agreed, not sure why the user is in the domain admin group, I assume the AA jobs were failing? I don't know, I was assigned this role a short time ago.
The login hours may or may not work, and we do follow the last two recommendations you listed.
So according to the permissions link I'll need the backupadmin user account to be a local admin or run as a local system account on all of the backed up servers, correct? No other way around it?
"The account used to run the Veeam Backup Service must be a Local System account or must have the Local Administrator permissions on the backup server."
Jeff
-
- Expert
- Posts: 206
- Liked: 41 times
- Joined: Nov 01, 2017 8:52 pm
- Full Name: blake dufour
- Contact:
Re: App Aware and local admin account?
It was probably in the domain admin group because that's the easiest way to get everything to work, although not the best security design obviously.
And yes, you're correct, the backup account will need local admin rights to the servers being backed up for application aware image processing.
Also, to back up domain controllers, you will need to add this account to the builtin\administrators group. There isn't a local admin group on DCs, like member machines. The builtin admin group is basically the local admin account for DCs. builtin\administrators is less privileged than the domain admin group. DA is local admin on all member joined servers and workstations, builtin\administrators is only on the DC. But with local admin access to the DCs, you could elevate yourself to a more privileged group in theory. So it's important to have alerts set up on all accounts or at least the admin accounts when group membership is changed.
Sounds like you guys are doing your due diligence on the security side.
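
One way to build the group-membership alert mentioned in the post above, as an added example that is not part of the original thread or Veeam's documentation. The function name `Get-PrivilegedGroupAddition`, the watch list, and the sample event (host, SIDs, account names) are assumptions constructed for illustration.

```powershell
# "Member added to a security-enabled group" events:
# 4728 = global, 4732 = local/builtin (e.g. Builtin\Administrators), 4756 = universal.
$AddMemberIds  = 4728, 4732, 4756
# Assumed watch list; extend with your own admin groups.
$WatchedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins'

function Get-PrivilegedGroupAddition {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,   # one XML string per event
        [string[]]$Groups = $WatchedGroups
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ($AddMemberIds -notcontains [int]$evt.System.EventID) { continue }
        # EventData is a list of <Data Name="...">value</Data>; index it by name.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        if ($Groups -contains $data['TargetUserName']) {   # -contains is case-insensitive
            [pscustomobject]@{
                EventId   = [int]$evt.System.EventID
                Computer  = $evt.System.Computer
                Group     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                MemberSid = $data['MemberSid']
                ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            }
        }
    }
}

# Constructed sample event: an account added to Builtin\Administrators on a DC.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4732</EventID><Computer>dc01.example.test</Computer></System>
  <EventData>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="SubjectUserName">jdoe-adm</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
Get-PrivilegedGroupAddition -EventXml $sample

# Against a live Security log (run elevated on the DC or a log collector):
# Get-PrivilegedGroupAddition -EventXml (Get-WinEvent -FilterHashtable @{
#     LogName = 'Security'; Id = $AddMemberIds } | ForEach-Object { $_.ToXml() })
```

The output objects can be piped to whatever notification path is already in place; membership-change auditing must be enabled on the hosts for these events to be logged.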

-
- Enthusiast
- Posts: 41
- Liked: 2 times
- Joined: Oct 18, 2018 12:37 pm
- Full Name: Jeff Baumann
- Contact:
Re: App Aware and local admin account?
Yessir,
Thanks for the help Blake!