Comprehensive data protection for all workloads
Post Reply
Escapo IT
Influencer
Posts: 11
Liked: 4 times
Joined: May 29, 2012 6:05 pm
Contact:

Console: Disable "Save shortcut" functionality

Post by Escapo IT »

I feel like I'm missing something here, ...

We are in the middle of a substantial backup upgrade and paying extra attention to security/ransomware vectors. The Veeam "control" & repo server will not be connected to the domain, opting to keep that one in a workgroup, obviously with it's own set of credentials and such.

1 precaution we are taking is not enabling RDP on that server but this makes day-to-day operations a bit more cumbersome and less fluid because of the KVM connection. To alleviate this we will be deploying a seperate VM just for running the Veeam Console software, this VM will be domain joined and easily reached via RDP with our administrative accounts.

The 'Save shortcut' function of the Console is compromising this added security I feel, again I might be missing something here. If one of our admin accounts were to be compromised a whole lot of bad stuff would ensue & on top of all of that an attacker could RDP into the Console VM and just use the created shortcut, bypassing the fact that we have seperate creds for the Veeam control server, to delete/manipulate the backups?

(I tried disabling the 'Credential Manager' but this does not seem to be so straightforward for 'Generic Crendentials', even when the service is disabled it still continues working ...)
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Console: Disable "Save shortcut" functionality

Post by Dima P. »

Hello Escapo IT,

If I am not mistaken Remote Console in latest Veeam B&R Update 4 should prompt you to either save shortcut with credentials saved or with credentials being removed whenever you hit Save shortcut. Does that help in your case? Thank you!
Escapo IT
Influencer
Posts: 11
Liked: 4 times
Joined: May 29, 2012 6:05 pm
Contact:

Re: Console: Disable "Save shortcut" functionality

Post by Escapo IT »

You are right, although the question is very vague imho 'Save these crendentials for quick access to the remote backup server via a shortcut?", took me a minute to realise clicking 'No' will also create a shortcut, but will not save the password in the Windows Credential Manager.

This is certainly a step in the right direction but does not really solve the issue. Even when you don't save a shortcut upon opening the Console software again the previously used host and username is shown, very convinient I agree, but also giving extra information to an attacker so he/she now knows precisely which server to target and a valid useraccount.

I very much understand this is not the end all be all with regards to securing our backups, even if there was an option to disable the creation of a shortcut and not remember previous host/user there is nothing to prevent one of our admins to create a textfile named 'Veeam_creds.txt' on the desktop .... but every little helps?
Post Reply

Who is online

Users browsing this forum: Bing [Bot], Google [Bot] and 235 guests