Comprehensive data protection for all workloads
rteglgaa
Influencer
Posts: 19
Liked: 7 times
Joined: Jan 23, 2017 10:51 am
Full Name: Rasmus Teglgaard
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by rteglgaa » 1 person likes this post

Gostev wrote: Dec 22, 2020 10:39 pm Please see my response above. If you want the real protection against malicious actors, you need to secure the entire backup server with something like Duo (which is super easy to implement, and is free for up to 10 users). More importantly, it will provide the real protection, and not just the feeling of it from seeing 2FA on the console: "I have 2FA on the console so my backups must be safe".
I agree - the server needs to be protected. But I believe both versions are required, and I can't believe this post was started in 2016, and the feature is still not implemented or even agreed upon. The first thing hackers will do, when they compromise our business, is to find an admin workstation and work his way forward from there. I have the Veeam console installed, so having MFA on the server itself is not secure enough, when everyone with access to my workstation can access Veeam through the console and encrypt all our backups with an unknown password with Veeams own encryption feature, or simply delete them entirely.

We need this feature ASAP. And as someone else suggested in the thread, RADIUS support would be great, because then we can utilize the Azure MFA plugin for NPS, and thereby use our existing MFA solution. But a simple SMS would also do the trick.

/Rasmus
Gostev
Chief Product Officer
Posts: 31459
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by Gostev » 2 people like this post

Unfortunately, where you only see one attack vector (through your backup console), hackers will see hundreds of other. Even if the incoming console connections will be protected with MFA, hackers won't just say "ah, too bad" and go away. Instead, they will go to your backup server through PowerShell, do a non-interactive logon, use Veeam internal APIs etc.

Further, if a hacker has admin access to your admin workstation, then you already lost in any case, because MFA will NOT protect your backup server in this case.

You can only achieve a meaningful protection today by changing the Windows firewall on the backup server to block all incoming connections, only leaving RDP protected by MFA application like Duo, and perform all management tasks through the RDP console.

And of course, you could always implement what has been the best practice for backup infrastructures for over 20 years now: keep your backup infrastructure on an isolated network with no access from the Internet physically possible. Otherwise, it's a losing game: you need to be sure you have closed every single one of hundreds attack vectors possible, which is literally impossible because some will be based on zero-day vulnerabilities. While hackers only needs a single hole to get in! It's a classic Whack-a-mole game you can never win.

The very reason why we implemented hardened repositories with immutable backups in v11 is because of the realization that unless the customer goes a "dark site" route, even the smartest security professionals are destined to loose their environment to a hacker sooner or later, even just because zero-day vulnerabilities will not magically cease to appear. So instead of wasting time preventing an inevitable, now you can at least ensure that hackers cannot do anything to your backups.
cloudy
Novice
Posts: 9
Liked: 13 times
Joined: Mar 16, 2016 8:42 pm
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by cloudy » 12 people like this post

@Gostev, your arguments are completely valid. There are innumerable attack vectors these days and no, 2FA on the console certainly doesn't thwart committed attackers. 2FA on the server/endpoint is not enough. Veeam's own security guide https://bp.veeam.com/vbr/VBP/Security/i ... components recommends uninstalling the console from the server. As a customer, my perspective is that Veeam should support 2FA although it is not a panacea. You may not see the value of 2FA on the console but rest assured, there is intrinsic and quantitative value in it.

1. My organization can't renew our cyber insurance without 2FA on all our switches, routers, firewalls, sans, servers, appliances, endpoints and any other administrative system, especially the backup infrastructure. This is no joke. This year we cannot renew our cyber insurance without meeting these requirements. Insurance companies are tired of paying out and now its requirement, full stop. The requirement of 2FA on everything is a quick way to lessen the risk pool. 2FA is low hanging fruit. We have 2FA enabled everywhere possible but there are a few stubborn products (in my env) that still don’t provide this capability...in 2021 :cry:

2. The community continually asks for it. I understand your position on the matter from a technical standpoint, completely sound, and I think a lot of people on the forum understand and agree. We can all agree that 2FA is not the answer to all the security issues that IT professionals face daily. That doesn't change the fact that we all still want it. The fact that this discussion, I’m sure there are other threads on the subject as well, continues year after year should say something.

3. As others have said, sales may start to be impacted as orgs add requirements that the product support 2FA. This might amount to a rounding error for Veeam so perhaps this does not matter.

Image
Gostev
Chief Product Officer
Posts: 31459
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by Gostev » 3 people like this post

This is very well put, Cloudy. Quite contrary to your nickname ;) easily one of the best posts on this topic thus far... and not because of the kitten!

I would agree that one of very few valid reasons to add 2FA to the backup console is the fact that it is becoming a "checkbox feature" even despite being largely useless in reality for our specific scenario. It's visibility raises specifically because most folks out there don't understand that it won't help against the committed attackers who are unlikely to use legitimate ways to take over the backup server in principle. All they know is that from common sense perspective, two factors on any console is better than one. But they don't realize that hackers will NEVER be taking over a backup server through the backup console in the first place.

But accordingly, for me this feature has always had a priority of a "checkbox feature" (read, not high). Which is why we still don't provide this capability in 2021.

The feedback like yours does help though, as we need arguments to prioritize between those pending "checkbox features" too!
rteglgaa
Influencer
Posts: 19
Liked: 7 times
Joined: Jan 23, 2017 10:51 am
Full Name: Rasmus Teglgaard
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by rteglgaa »

Now that MFA has come to vCenter server 7.0 as well, I personally would like a scenario where a firewall on the Veeam server would block everything but Veeam Console access. Then have MFA on the Windows server (for the rare cases where Windows access is needed through the vCenter remote console) and then the mentioned MFA feature on the Veeam console. And yes, there's probably something I missed, but when Microsoft can have MFA on their Powershell-access to Azure, I think we should be able to come a long way.
theta12
Influencer
Posts: 21
Liked: 1 time
Joined: May 24, 2017 1:37 pm
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by theta12 »

Gostev wrote: May 27, 2021 6:06 pm This is very well put, Cloudy. Quite contrary to your nickname ;) easily one of the best posts on this topic thus far... and not because of the kitten!

I would agree that one of very few valid reasons to add 2FA to the backup console is the fact that it is becoming a "checkbox feature" even despite being largely useless in reality for our specific scenario. It's visibility raises specifically because most folks out there don't understand that it won't help against the committed attackers who are unlikely to use legitimate ways to take over the backup server in principle. All they know is that from common sense perspective, two factors on any console is better than one. But they don't realize that hackers will NEVER be taking over a backup server through the backup console in the first place.

But accordingly, for me this feature has always had a priority of a "checkbox feature" (read, not high). Which is why we still don't provide this capability in 2021.

The feedback like yours does help though, as we need arguments to prioritize between those pending "checkbox features" too!
Gostev, I will add a +1 to Cloudy's response. We as IT people (or so I assume) understand that MFA is a minor inconvenience at best to an inside threat, but it's the Cyber Insurance companies that don't understand this. We too are being told to use MFA for all sensitive logins or else they won't insure you. It's becoming something we don't even have a choice in anymore regardless of the actual security benefits is may or may not provide. Our hands are tied...
bkain1
Expert
Posts: 137
Liked: 8 times
Joined: Dec 23, 2020 4:43 pm
Full Name: Becki Kain
Contact:

[MERGED]MFA for VBR

Post by bkain1 »

It does not seem to exist yet but are there plans for multi factor authentication for the VBR/V1/VEM products, in the future? thank you
Mildur
Product Manager
Posts: 8549
Liked: 2223 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

[MERGED]Re: MFA for VBR

Post by Mildur »

MFA for Veeam is discussed here already, have a look:

veeam-backup-replication-f2/feature-req ... 67-60.html
Product Management Analyst @ Veeam Software
Egor Yakovlev
Veeam Software
Posts: 2536
Liked: 680 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by Egor Yakovlev »

Hi Becki.

I have merged your post into existing thread. Please check conversation above.
Counted your +1 towards the idea too.

/Thanks!
bkain1
Expert
Posts: 137
Liked: 8 times
Joined: Dec 23, 2020 4:43 pm
Full Name: Becki Kain
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by bkain1 »

thank you.
ChuckS42
Expert
Posts: 189
Liked: 27 times
Joined: Apr 24, 2013 8:53 pm
Full Name: Chuck Stevens
Location: Seattle, WA
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by ChuckS42 »

+1 for console MFA. We're having the same issues with cyber insurance as well.
Veeaming since 2013
jazzoberoi
Enthusiast
Posts: 96
Liked: 23 times
Joined: Oct 08, 2014 9:07 am
Full Name: Jazz Oberoi
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by jazzoberoi »

+1 for console MFA. We're having the same issues with cyber insurance as well.
Watts
Lurker
Posts: 2
Liked: never
Joined: Aug 03, 2020 12:50 pm
Full Name: Michael Watts
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by Watts »

+1. This should be implemented.
Coldfirex
Enthusiast
Posts: 80
Liked: 15 times
Joined: May 22, 2015 1:41 pm
Full Name: Alan Shearer
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by Coldfirex »

+1 definitely.
BearHuntr
Enthusiast
Posts: 27
Liked: 3 times
Joined: Jan 01, 2006 1:01 am
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by BearHuntr »

+1 here too, same issue with insurance request.
ing:DT79
Novice
Posts: 5
Liked: never
Joined: Aug 09, 2016 7:24 am
Full Name: Ing. DAVIDE TONINI
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by ing:DT79 »

+1 here too, security auditors suggested to adopt MFA also for VBR Console and VEM, especially for VEM
Egor Yakovlev
Veeam Software
Posts: 2536
Liked: 680 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by Egor Yakovlev »

Counted all "+1's" above into the pool.
As for the MFA for EM, please check if SAML support we have added a few versions ago will suit your need?

/Cheers!
ChuckS42
Expert
Posts: 189
Liked: 27 times
Joined: Apr 24, 2013 8:53 pm
Full Name: Chuck Stevens
Location: Seattle, WA
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by ChuckS42 » 1 person likes this post

SAML support for Enterprise Manager definitely helped; if you could implement that for the Veeam Console as well, we'd be set.
Veeaming since 2013
CaliMSP
Enthusiast
Posts: 34
Liked: 7 times
Joined: Jan 06, 2022 9:20 pm
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by CaliMSP »

+1

specifically for Veeam B&R Console, not the enterprise manager. We do not resell veeam, but recommend to our clients (who buy directly) and deploy it. Have about 100 organizations of various sizes under our management who run their own Veeam B&R systems that we manage. WE REALLY NEED 2FA.

Due to compliance issues being pushed onto government contractors, we are facing questions from auditors about 2FA not being present in the system (Veeam) that touches and manages storage of CUI. The fact that the server where the console is installed uses 2FA is ignored since that server itself doesn't touch the CUI.

If we don't get 2FA soon (sometime this year,) we may be forced to replace all Veeam deployments with an alternative that has 2FA. That's many hundreds of servers.
Gostev
Chief Product Officer
Posts: 31459
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by Gostev » 9 people like this post

We have added MFA to the Veeam B&R Console in V12, which will be released sometime this year ;)
ChuckS42
Expert
Posts: 189
Liked: 27 times
Joined: Apr 24, 2013 8:53 pm
Full Name: Chuck Stevens
Location: Seattle, WA
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by ChuckS42 »

Excellent, thank you!
Veeaming since 2013
GreenAlpha55
Enthusiast
Posts: 32
Liked: 3 times
Joined: Oct 25, 2018 2:20 pm
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by GreenAlpha55 »

Not sure if this request is needed.

If you use DuoRDP I'm guessing you have Duo Authentication for Windows deployed.

Modify your config and limit it to an AD group that only administrators belong to. Duo will prompt after entering admin creds in to all UAC prompts, and admin logins. You're not using an admin account as your daily right?

https://duo.com/docs/rdp#advanced-deplo ... oup-policy
https://help.duo.com/s/article/5424?language=en_US
Gostev
Chief Product Officer
Posts: 31459
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by Gostev »

Well, apparently Cyber Security Insurance companies have a strong opinion and this is what matters in the end so... let it be.
larry_grant
Lurker
Posts: 2
Liked: never
Joined: Mar 03, 2021 2:58 pm
Full Name: Larry Grant
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by larry_grant »

+1 for this as well
mfahey
Novice
Posts: 8
Liked: 6 times
Joined: Jan 03, 2018 4:49 pm
Full Name: mike fahey
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by mfahey »

+1 on this as well. looking forward for the v12 release.
Backup.Operator
Enthusiast
Posts: 64
Liked: 1 time
Joined: Oct 31, 2022 11:39 pm
Full Name: Backup Administrator
Contact:

Re: Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by Backup.Operator »

Yes, this sounds great ! 👍
:arrow: :mrgreen:
Post Reply

Who is online

Users browsing this forum: Mildur and 145 guests