We've got our VBR servers off our primary domain and recently spun up an Enterprise Manager server; it's also currently off-domain. We're looking into the possibility of joining it to the domain for better management of user roles.
It looks like portal admins have full access to just about everything from the Enterprise Manager dash including the ability to delete backups under the Machines tab. We'd primarily be assigning AD groups & users to Recovery / Portal User roles. I don't want to add unnecessary risk, though, and I'm having some trouble finding clear info on this in the best practices docs & forums. With the service account that's connecting to VBR, would I be adding a substantial amount of unnecessary risk by joining the Enterprise Manager to our domain? Like, if our domain is hit with crypto or something, are our off-domain VBR servers & backups at increased risk with Enterprise Manager on-domain?
-
kestis
- Novice
- Posts: 6
- Liked: never
- Joined: Dec 02, 2020 4:16 pm
- Contact:
-
HannesK
- Product Manager
- Posts: 14370
- Liked: 2902 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Enterprise Manager & AD Domain
Hello,
and welcome to the forums.
The permissions of the roles are described in the user guide https://helpcenter.veeam.com/docs/backu ... ml?ver=100. Yes, admins can do everything the interface allows.
The best practice: work with the lowest permissions possible (just like with every other software product). Restore operator should be fine for most use-cases.
As an alternative, you could also use SAML with your existing Active Directory. But that sounds overkill to me.
Best regards,
Hannes
and welcome to the forums.
The permissions of the roles are described in the user guide https://helpcenter.veeam.com/docs/backu ... ml?ver=100. Yes, admins can do everything the interface allows.
The best practice: work with the lowest permissions possible (just like with every other software product). Restore operator should be fine for most use-cases.
it depends how secure your domain isWith the service account that's connecting to VBR, would I be adding a substantial amount of unnecessary risk by joining the Enterprise Manager to our domain?
As an alternative, you could also use SAML with your existing Active Directory. But that sounds overkill to me.Best regards,
Hannes
-
stewsie
- Veteran
- Posts: 253
- Liked: 21 times
- Joined: May 22, 2015 7:16 am
- Full Name: Paul
- Contact:
[MERGED] Veeam Backup Enterprise Manager
Veeam Backup Enterprise Manager. Domain attached or standalone server?
What is the best practice for this service and if domain attached are there any security issues or risks?
Thanks
What is the best practice for this service and if domain attached are there any security issues or risks?
Thanks
-
foggy
- Veeam Software
- Posts: 21076
- Liked: 2116 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Enterprise Manager & AD Domain
Hi Paul, as Hannes mentioned above - it depends. To my mind, having EM in the domain somewhat defeats the purpose of keeping the backup server itself off the domain as EM would anyway have access to it.
Who is online
Users browsing this forum: Google [Bot], Semrush [Bot] and 77 guests