-
- Novice
- Posts: 3
- Liked: 1 time
- Joined: Jul 07, 2015 5:44 am
- Full Name: Meelis Viht
- Contact:
Veeam servers NTLM disable
As describet here https://helpcenter.veeam.com/docs/backu ... ml?ver=100 NTLM is still needed between servers related with Veeam.
Does this requirement will be also in Veeam 11?
Does this requirement will be also in Veeam 11?
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam servers NTLM disable
Yes, no changes in v11.
-
- Novice
- Posts: 8
- Liked: 2 times
- Joined: Sep 06, 2018 4:15 am
- Full Name: Steve Harris
- Contact:
Re: Veeam servers NTLM disable
I can't believe it's 2022 and VEEAM still does not view this issue as a critical security vulnerability let alone fix for customers.
We will not move to VEEAM until its secure by design (e.g. kerberos default OOTB).
We will not move to VEEAM until its secure by design (e.g. kerberos default OOTB).
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam servers NTLM disable
Could you please clarify what specific "critical security vulnerability" you are talking about? Since all known vulnerabilities have CVE assigned to them, please just share the one you're referring to. Thanks!
-
- Novice
- Posts: 8
- Liked: 2 times
- Joined: Sep 06, 2018 4:15 am
- Full Name: Steve Harris
- Contact:
Re: Veeam servers NTLM disable
RE: Could you please clarify what specific critical vulnerability you are talking about? Since all known vulnerabilities have CVE assigned to them, please just share the one you're referring to. Thanks!
We have all OS fully patched on a per-CVE (too numerous to mention) basis. So no problem!?
Please remember NTLM is 20+ years old. Best practice is don't use it. Full Stop.
We only use Kerberos 88 or LDAPs 636 for applications.
We hope for VEEAM to move to Kerberos by end of 2022 at the latest so we can commence using VEEAM everywhere for our entire physical DC/File/Print/ADDS/ADCS Fleet.
There would be substantial sales uptick / incentive for VEEAM to do so ASAP.
It is still very hard to determine what VEEAM products support MSL Tape Libraries with multiple LTO8 drives. If VEEAM were to make this clearer for customers, it would also boost sales uptick.
As always, I look forward to updates in your Veeam R&D Forums Digest!
We have all OS fully patched on a per-CVE (too numerous to mention) basis. So no problem!?
Please remember NTLM is 20+ years old. Best practice is don't use it. Full Stop.
We only use Kerberos 88 or LDAPs 636 for applications.
We hope for VEEAM to move to Kerberos by end of 2022 at the latest so we can commence using VEEAM everywhere for our entire physical DC/File/Print/ADDS/ADCS Fleet.
There would be substantial sales uptick / incentive for VEEAM to do so ASAP.
It is still very hard to determine what VEEAM products support MSL Tape Libraries with multiple LTO8 drives. If VEEAM were to make this clearer for customers, it would also boost sales uptick.
As always, I look forward to updates in your Veeam R&D Forums Digest!
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Apr 08, 2010 1:40 pm
- Full Name: Adam Whiting
- Contact:
Re: Veeam servers NTLM disable
I agree that Veeam should look to phase out the use of NTLM asap. Here is a page from Microsft about NTLM. https://learn.microsoft.com/en-us/windo ... mendations. Under security Consideration it states: "NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards." I have seen Internal Security tests, on domains that use the default Windows security settings (which are no longer secure), that successfully use NTLM to obtain Domain admin access to a domain. It seems to me that with how bad actors are going after backups that Veeam would not rely on Microsoft default policies as protection. Since NTLM is vulnerable (From the link above - *Malicious attacks on NTLM authentication traffic resulting in a compromised server or domain controller can occur only if the server or domain controller handles NTLM requests. If those requests are denied, this attack vector is eliminated.") Veeam should work to protect their customers even if it is just protecting the backup environment for their customers. They should find ways to use secure authentication.
Who is online
Users browsing this forum: Google [Bot], Semrush [Bot] and 65 guests