Service accounts hardening

[ksl28]

Hi,

We are using a range of service accounts, based on what role they want to administer (repo, proxies, etc), for security reasons.
Im planning on adding the accounts to Protected Users (https://docs.microsoft.com/en-us/previo ... dfrom=MSDN), and based on what i have read, then it should be fine.

But i cant find any documention from Veeam, if this is supported or not.

Can anyone help clarify?

[Mildur]

Hi Kristian

Looks like NTLM authentication will be disabled for the service accounts in the "Protected Users" group, which is currently not supported with Veeam V11.
https://docs.microsoft.com/en-us/previo ... dfrom=MSDN

The member of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP.

NTLM authentication is still mandatory for the communication between all veeam infrastructure servers.
https://helpcenter.veeam.com/docs/backu ... ml?ver=110

However NTLM authentication is still required for communication between Veeam backup infrastructure servers (backup server, backup proxies, backup repositories, guest interaction proxies, log shipping servers, mount servers).

Kerberos only will be supported with Veeam Backup & Replication V12. V12 will also allow using gMSA Accounts for application aware processing. This two new features should help you to get better security for all service accounts.

Thanks
Fabian

[ksl28]

Hi Fabian,

Thanks for the update - you are correct regarding the NTLM part.

If i read it correctly then we need to keep NTLM open internally at our backup AD domain (its seperated from the production).
But the service accounts we use for Guest indexing / Application-aware in the production AD domains, could be added to the protected users in the production AD domain.
Correct?

Do you have any other suggestions / guides how to harden the Windows infrastructure that hosts Veeam?

[Mildur]

Hi Kristian

You are very welcome.

There is another limitation. Guest Application Aware Processing must run temporarily a small service todo it's work:

Accounts for services and computers should never be members of the Protected Users group. This group provides incomplete protection anyway, because the password or certificate is always available on the host. Authentication will fail with the error "the user name or password is incorrect" for any service or computer that is added to the Protected Users group.

I suggest to run a test with a single VM and a test service account.

We have some recommendations in our best practice guide:
https://bp.veeam.com/vbr/Security/

For me, one important thing is that you do not log in to the VBR server via remote or physical console.
No user should work directly on the VBR server. If you need to manage the VBR environment or perform a restore, use the VBR console on a dedicated jump host. Should have a windows version with the same or higher patch level as your backed up server, or you could face issues with restoring certain backups (VB365 Jet DB, reFS filesystems, deduplication).