Comprehensive data protection for all workloads
GrzegorzK
Lurker
Posts: 2
Liked: never
Joined: Aug 09, 2023 7:11 am
Full Name: Grzegorz Kalinowski

Veeam Backup & Replication

Post by GrzegorzK »

Hello everyone,

I'm currently in the process of planning the implementation of Veeam Backup & Replication for our company's backup needs. We have around 150 PCs primarily running on Windows, and I'm seeking some guidance on how to integrate this solution safely with Active Directory (AD).

In my testing phase using the Community edition, I've utilized the main Administrator account with all privileges. However, I'm concerned about potential unauthorized access to our AD environment. Could anyone provide insights into how I can mitigate this risk and ensure a secure integration with AD?

Please send me some documentation or guidelines about it.

Your expertise and advice would be greatly appreciated. Thank you in advance for your assistance!

Best regards,
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Veeam Backup & Replication

Post by Mildur » 1 person likes this post

Hello Grzegorz

Welcome to the forum. First, I want to suggest using a trial license instead of the Community edition.
With the trial license, you get the complete feature set to test.
https://www.veeam.com/kb1191
> In my testing phase using the Community edition, I've utilized the main Administrator account with all privileges. However, I'm concerned about potential unauthorized access to our AD environment. Could anyone provide insights into how I can mitigate this risk and ensure a secure integration with AD?

Some backup operations, such as application-aware processing of your domain controller, will require a service account with full administrative permissions. Veeam Backup & Replication v12 allows you to use gMSA accounts for your VM backups. With gMSA, you don't have to store these service accounts on the backup server:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

The permissions required for service accounts are documented here:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
> We have around 150 PCs primarily running on Windows, and I'm seeking some guidance on how to integrate this solution safely with Active Directory (AD).

Protecting your 150 PCs can be done by our Veeam Agent. For the deployment, a service account with administrative permissions is required. Or you can use a protection group of type "Computers with pre-installed agents". With pre-installed agents, you must deploy the agent yourself. With such a protection group, credentials are not stored on the backup server and therefore cannot be exported by an attacker.
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

The most important thing is to protect your server from any unauthorized access. An attacker with administrative access to the backup server can export saved credentials, delete mutable backups, change all settings, ...
Use a workgroup or a dedicated Active Directory for the backup server components. Never install the backup server in your production domain. Don't let your helpdesk/backup operators connect directly to the backup server. Install the backup console on a jump server and use that one to manage the backup server remotely. Additionally, enable MFA for those logins.
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: Veeam Backup & Replication

Post by GrzegorzK »

Thanks for your awesome answer. I read some documentation and I will apply it.
GrzegorzK wrote: Aug 09, 2023 7:40 am
> Use a workgroup or dedicated active directory for the backup server components. Never install the backup server in your production domain.

What do you mean by that?

Re: Veeam Backup & Replication

Post by Mildur »

You're most welcome.

Best practice is to not add the Windows server where you install Veeam Backup & Replication to the same active domain you need to protect.
Deploy the Windows server in a Windows workgroup or Management Domain. You can read more about it in our best practice guide (not updated yet for V12):
https://bp.veeam.com/vbr/Security/Security_domains.html

Best,
Fabian
Product Management Analyst @ Veeam Software
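
The placement advice in the replies above can be checked on the backup server itself. The script below is an added example, not part of the thread and not Veeam code; it reports whether the server is joined to the production domain and whether domain principals or direct RDP users have access to it. The domain name `corp.example.com` is a placeholder assumption.

```powershell
# Added example, not Veeam code. Run in an elevated Windows PowerShell 5.1 session
# on the backup server. $ProductionDomain is a placeholder; set it to your own
# production AD DNS name.
param([string]$ProductionDomain = 'corp.example.com')

$findings = New-Object System.Collections.Generic.List[string]
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Check 1: the server should be in a workgroup or a separate management domain.
if (-not $cs.PartOfDomain) {
    Write-Output "OK: workgroup member ($($cs.Workgroup))"
} elseif ($cs.Domain -ieq $ProductionDomain) {
    $findings.Add("Server is joined to the production domain $($cs.Domain)")
} else {
    Write-Output "Review: joined to $($cs.Domain); confirm it is a dedicated management domain"
}

# Check 2: domain principals in local groups mean a domain compromise reaches this server.
# Check 3: any Remote Desktop Users member can log on directly instead of via a jump server.
$groups = [ordered]@{
    'S-1-5-32-544' = 'Administrators'        # well-known SID, language independent
    'S-1-5-32-555' = 'Remote Desktop Users'
}
foreach ($sid in $groups.Keys) {
    try {
        $members = Get-LocalGroupMember -SID $sid -ErrorAction Stop
    } catch {
        # Orphaned SIDs can make enumeration fail; report it instead of hiding it.
        $findings.Add("Could not enumerate $($groups[$sid]): $($_.Exception.Message)")
        continue
    }
    foreach ($m in $members) {
        if ($m.PrincipalSource -eq 'ActiveDirectory') {
            $findings.Add("$($groups[$sid]) contains domain principal $($m.Name)")
        } elseif ($sid -eq 'S-1-5-32-555') {
            $findings.Add("Direct RDP logon allowed for $($m.Name)")
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No findings.' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```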