Comprehensive data protection for all workloads
mog54
Influencer
Posts: 20
Liked: 1 time
Joined: May 28, 2018 10:30 pm
Location: France

Password recovery

Post by mog54 »

Hello,

I followed this magic trick post329685.html#p329685 to recover a password lost by a customer.

My question is, is there a way to block/secure that?

That saved my life, but in case of an attack it can be a nightmare :evil:

Thank you
Have a nice day
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Password recovery

Post by Mildur »

The Veeam server needs to decrypt the password from the database to use it in the jobs.
These credentials are encrypted with the machine private key of the Veeam backup server.
An administrator can use that key to decrypt the passwords. The same happens when the VBR server needs to use the credentials to do the backups.

I don't think that it is possible to hide this key from an administrator account on the VBR server. An admin always has access to everything on the host.

You need to secure/harden your VBR server.
Don't place it in your Active Directory, use MFA for accessing the server. Close RDP or other remote tools. Put the server behind a firewall.
There are many things you can do to harden the server.

Best practice Guide
https://bp.veeam.com/vbr/VBP/Security/
Product Management Analyst @ Veeam Software
mog54
Influencer
Posts: 20
Liked: 1 time
Joined: May 28, 2018 10:30 pm
Location: France

Re: Password recovery

Post by mog54 »

Hello,

Thank you for your answer.

I understand that, but are there no ways to limit this? Not just a Veeam way; I try to have a global reflection.

If AD is compromised and Veeam BR is in the domain, then this is a mess.
If AD is compromised and Veeam BR is not in the domain, then this is a little bit less of a mess.

I can block the ability of Veeam BR to go on the internet to download SQL Management Studio. A good start, but not really unbreakable.

In these two scenarios, if admin privileges are granted this is game over.
For a workgroup Veeam BR server, the local admin account password can be reset pretty easily too (Veeam media creation of Veeam Agent does it well).

Tomorrow if a customer challenges me on this topic I don't have a "good" answer to give.

EDIT: didn't see your edit, sorry
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Password recovery

Post by Mildur »

No problem, sorry for editing the post with the guide a little bit too late :)

I don't see any other possibility than hardening the backup server. You don't need to access the management server over RDP to do daily backup management.
You can install the VBR console on the client's computer and he can access the VBR server with the console.
If no one can access the VBR server directly, then the possibility of having a security incident will be much smaller.

I have disabled RDP and SSH on all of my backup components. iDRAC, iLO or other management GUIs are behind a hardware firewall. The ports are closed.
It's not 100% security, but with additional features like Linux hardened repo or object storage with immutability, we are feeling secure enough at the moment.
How much hardening you can do depends on the customer, of course.

Not every small customer can afford a high level of security. But it should be discussed with the customer. Veeam is really good software, but you have "to do some of the hardening" by yourself.
Product Management Analyst @ Veeam Software
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Password recovery

Post by Gostev » 1 person likes this post

1. There's no protection against an account with root privileges in principle, as any "limits" you put in place they can always revert. So focus on making sure those stolen root credentials cannot be easily used remotely. While perhaps it is not realistic for a management server, in theory the most secure server would be the one that can only be managed with the local (physical) console. For example, this is how we recommend setting up the V11 Hardened Repository, but there it's easy because you don't ever need to touch it after deploying.

2. Physical security is the king of course, as any and all security measures can be bypassed when you have physical hardware access. So if physical security can't be achieved, then there's little point in discussing anything else security-related. And if you are talking about a malicious insider scenario, then it is the very reason why people shipped tape backups to Iron Mountain even before ransomware and hackers were a thing.

EDIT: Mildur has beat me to it.
mog54
Influencer
Posts: 20
Liked: 1 time
Joined: May 28, 2018 10:30 pm
Location: France

Re: Password recovery

Post by mog54 »

Hello,

The BP says a good thing!

Uninstall the Veeam console on the VBR server, install it on a DMZ server and allow only the ports needed.

I think I will explore this way!

Thank you
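The hardening points raised in this thread (keep the backup server out of the domain, close RDP, put the server behind a firewall, and reach it only from a console host in the DMZ over the ports it needs) can be checked and applied from the backup server itself. The script below is an added example written for this thread; it is not code from the posters or from Veeam. The console port and the DMZ console subnet are assumptions passed as parameters: take the real port list from the vendor documentation for your version, and set the subnet to your own console host. Without -Enforce the script only reports findings.

```powershell
# Added example (not from the thread or from Veeam): audit a Windows backup server
# against the hardening points discussed above, and optionally enforce them.
[CmdletBinding()]
param(
    [switch]$Enforce,
    # Constructed example value: the DMZ host or subnet that runs the backup console.
    [string[]]$AllowedConsoleHosts = @('10.20.30.0/24'),
    # Assumption: the TCP port the console uses to reach the backup server.
    # Verify this against the vendor's port documentation before relying on it.
    [int]$ConsolePort = 9392
)

$findings = @()

# 1. Domain membership: a domain-joined backup server falls together with the domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $findings += "Server is joined to domain '$($cs.Domain)'; a workgroup server limits the blast radius of an AD compromise."
}

# 2. Remote Desktop: fDenyTSConnections = 1 means RDP is disabled.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($rdpDenied -ne 1) {
    $findings += 'Remote Desktop is enabled.'
    if ($Enforce) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }
}

# 3. Local Administrators: every member can read the machine key that protects stored credentials,
#    so this list is the real access list for the backup passwords. Report it for review.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$findings += "Local Administrators (can decrypt stored credentials): $($admins -join ', ')"

# 4. Host firewall: every profile enabled with default inbound action Block.
foreach ($profile in Get-NetFirewallProfile) {
    if ($profile.Enabled -ne 'True' -or $profile.DefaultInboundAction -ne 'Block') {
        $findings += "Firewall profile '$($profile.Name)' is not enabled with default inbound Block."
        if ($Enforce) {
            Set-NetFirewallProfile -Name $profile.Name -Enabled True -DefaultInboundAction Block
        }
    }
}

# 5. Console access: allow the console port inbound only from the DMZ console host(s).
$ruleName = 'Backup console (DMZ hosts only)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $findings += "No inbound rule restricting TCP $ConsolePort to $($AllowedConsoleHosts -join ', ')."
    if ($Enforce) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $ConsolePort -RemoteAddress $AllowedConsoleHosts -Action Allow
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it as a local administrator in an elevated PowerShell session (`.\Audit-BackupServer.ps1` to report, `.\Audit-BackupServer.ps1 -Enforce` to apply). The point of item 3 is the one Mildur makes above: nothing in the script hides the machine key from an administrator, so the membership of the local Administrators group is what you review and trim, and items 1, 2, 4 and 5 only make a stolen administrator credential harder to use remotely.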