How to Backup AD without Domain Admin Credentials

[great_vc]

Hi,

We have removed our accounts due to security and on the Domain Admins group it has only the administrator.

So far i was getting the AD backup using 2 DC VM's with application awareness and login as my user which was domain admin.
Now that the user is removed of course i get a failed on backup as it cannot access adminshare $

'Cannot connect to the admin share. Host: []. Account: []. Win32 error:Access is denied.Code

How i make this happen ? Of course using Administrator is not an option.

Thanks

[spiritie]

Don't think it's possible without being part of the Domain Admins since it grants access to the "administrator' group which is local admins on the DC. We've removed Domain Admins permissions from all other servers in our Windows Domain.

Else you must run a Veeam Agent locally on it, but that will loose you the ease of backing it up as an "VM".

[great_vc]

damn! i was afraid of that !

I find this to be a big security issue, do you have any plans on how to solve it. I mean we have removed all VEEAM servers from the domain according to AUDITORS but now we face a very big problem.

Doesn;t anyone bother this ? as VEEAM is this acceptable by for your security standards ?

I find it very strange.

[tyler.jurgens]

I don't know of any way to do this without having a domain admin account solely for backup purposes. How would this work if you could do it? What account would be privileged enough to read every aspect of a Domain Controller to be able to back it up? Any account that had that level of privileges would essentially be a domain admin.

[MarkBoothmaa]

Can you not use Group Managed Service Accounts https://helpcenter.veeam.com/docs/backu ... ml?ver=120 or event just create a service account for backups?

[great_vc]

i do not know. It just seams way off ! I mean we go through all the hoops of using Cyberark of removing Backups and storages from domain so if an attacker gain access of your AD will not be able to encrypt your backups and everything. We got speeches and articles talking about even removing domain admins from client PCs, renaming the administrator account, again using Cyberark to login but in order to backup your AD i have to use a domain admin account ? what about a group backup operators or something if i remember correctly from old days ?

This becomes really interesting. Are you telilng me that enterprizes, F500 companies are using a domain admin to backup their AD ? i really cannot accept that.
What happens if someone gets the database from the SQL, the domain admin password will be there, or have access to the B&R what happens then ?

[great_vc]

Can you not use Group Managed Service Accounts https://helpcenter.veeam.com/docs/backu ... ml?ver=120 or event just create a service account for backups?

nice one didn't know about that, but it clearly states

NOTE

For domain controller VMs, add the gMSA to the domain Administrators group or BUILTIN\Administrators group on the domain controller.

What do you mean a service account for backups ? how do you create a service account in AD for the backup as it needs to have access to the adminshares$
is there a guide ?

[MarkBoothmaa]

You will still need to add the account to either of those groups but from a security perspective you can look to harden the account such as remove the ability for the account to login via RDP etc.

[great_vc]

Harden ? how harden ? RDP is useless no one cares about disabling rdp
if someone gains access to the database or to the account from a vulnerability then they have administrator rights on the domain and then they can do anything
Harding RDP, SMB, logno servers, login time is useless.

So again i want to raise this as a serious fault in terms of VEEAM which advertises security and ransomware ptotection so hard. If there is no other way to take the AD backup then this should be mentioned by VEEAM.

again my questions remains, you gave F500 customers that are using VEEAM and the backup of AD happens with a domain admin account ?? it totally counterparts every VEEAM strategy and talk points.

[DanielJ]

So essentially you want to make VBR read something without giving it access to read it. How would that ever work? Your rage is misdirected. But if you want a suggestion, you can backup your AD to a file using Windows own tools, local on the DC, and then backup the DC without application support. You can still extract and use the file if needed.

[great_vc]

So essentially you want to make VBR read something without giving it access to read it. How would that ever work?

That is a very false statement.
I gave access to read
it is just not Domain Admin.
In SQL backup i only need a read or backup role not sysadmin role

Saying to backup files in AD using the legacy Backup option of windows is completely undermine the B&R. One can also suggest not to backup application awareness the SQL just make a job in sql to backup the databases in files and then backup the folder that contain that files.
How i will restore a table, a row , or an entry.
How i will restore a single object in AD with that method ?
So it is a moo point.

Apparently i'm the only one in a company that find this worth mentioning.

[ksl28]

I agree its not ideal having to use Domain Admins, but that is the way all the major backup vendors are doing it - take Commvault for instance:
https://documentation.commvault.com/11. ... or%20Group

The main challenges you are facing, is that you need to be able to freeze the VSS writers for Active Directory, and also injest the Veeam agent over SMB (Admin share).
You COULD try to add the service account to "Backup Operators" (allows to manage the VSS writers), and manually granting the service account write access to the admin share.
Be aware that its based on theoretical knowledge, so use at your own caution.

Based on 10 years of working with Windows Servers, i cant really see how Veeam should solve this, without installing a agent permanently on the domain controller that runs as Local System.
The "alternative" is that Veeam should alter the permissions on the admin share & change in secpol what users can manage a backup - and as a Windows admin, that approach would infuriate me

Bottom line - nope its not ideal, but its not Veeams fault. Use the Veeam agents instead, or try with persistent agents in Veeam - it might work.

[mcz]

What happens if someone gets the database from the SQL, the domain admin password will be there, or have access to the B&R what happens then ?

If someone "finds" a copy of the database it will be useless, as it is encrypted with a key which only can be found on the veeam-server (Microsoft Crypto-API). AFAIK, veeam's position is that you have to protect the backup infrastructur (=veeam server) as good as possible as this is your last defense.

Now you might say "this is rubbish, if my backups are immutable and protected, why should I protect the veeam server"? Well, imagine and attacker gains access to the backup infrastructure and changes the encryption password, reduces the immutability and probably decreases the retention. After a while he comes back and removes the config or destroys the veeam server. What are going to do then? You have some older or newer backups, but they are encrypted with a key that you don't know. Now your backups are useless.

So it's important to protect the domain AND the backup infrastructure (separated AD is also adviced and bp)...

[matteu]

Hello,
You can use preinstalled agent for this.
It works great and no need admin credential.
It the way I do it for all my customer.
Most secure way and only one to use for me.

[dbewernick]

@matteu has a good hint here.
Use gMSA https://helpcenter.veeam.com/docs/backu ... _gmsa.html

and the

persistent agent https://helpcenter.veeam.com/docs/backu ... nents.html

@great_vc you are right, that a SQL Server offers more granular options for backup and restore. This is simply not available for the Active Directory Service.

If you want to avoid access completely, you can still back up the DC without application aware processing and cross fingers that vss is doing a good job during the snapshot. If you later want to restore single items with the Veeam Explorer for AD, you can still open it and perform this.
Attention: Be aware, that without an application aware backup, a full restore of a DC will not automatically boot into authoritative restore modes and to the magic. You would have to take care of this by yourself.

[matteu]

Carefull, I'm not talking about persistent agent but pre installed agent.
It's not the same .

https://helpcenter.veeam.com/docs/backu ... ml?ver=120

[great_vc]

Thank you @ksl28 for you insightful comments. I knew i wasn't the only one that find this weird

@mczm VEEAM and DB are not on domain and on a seperate VLAN, so even if an attacker gets access to the AD cannot make changes to the Backups. That was based on VEEAM guidelines on how to secure your environment from Ransomware.

@matteu and @dbewernick those are some very helpfull links. So there is a "solution" to this problem only not an easy one.

Thank you all.

[mcz]

VEEAM and DB are not on domain and on a seperate VLAN, so even if an attacker gets access to the AD cannot make changes to the Backups.

very good

[spiritie]

Harden ? how harden ? RDP is useless no one cares about disabling rdp
if someone gains access to the database or to the account from a vulnerability then they have administrator rights on the domain and then they can do anything
Harding RDP, SMB, logno servers, login time is useless.

So again i want to raise this as a serious fault in terms of VEEAM which advertises security and ransomware ptotection so hard. If there is no other way to take the AD backup then this should be mentioned by VEEAM.

again my questions remains, you gave F500 customers that are using VEEAM and the backup of AD happens with a domain admin account ?? it totally counterparts every VEEAM strategy and talk points.

Your ultimate "hardening" will be on your "Hardened Linux Repository" which you have locked away.

[newman]

Not sure how hardened repo would help in the case of the OP here. It has nothing to do with domain admin credentials. As long as Veeam requires a Windows server to run its backup software it not end to end secured. As long as DA credentials can be grabbed - simple google search shows how to do that - from Veeam, it is irrelevant to have an immutable backup or not, especially if the attack target is to fetch the DA credential and not to destroy backups.

[aschmieg]

Carefull, I'm not talking about persistent agent but pre installed agent.
It's not the same .

https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Pre-installed agent does not work when Core version of windows is installed on the domain controllers.
Must use VBR installed/controlled agent , per Veeam documentation. And this requires domain admin.
I take a non application aware backup of the DC's. A successful recovery of AD has been completed from this backup.

[matteu]

For core version (you didnt mentioned it) you should use wbadmin if you don t want veeam to store DA credentials.
I can t recommend you to backup AD without VSS. High risk you take for the highest critical server in an infrastructure.
Gmsa should work if you have veeam guest proxy inside domain. It can maybe be an Alternate method

[jassonmc]

First idea coming to my mind (untested):
Activate the option "Enable Hyper-V guest quiescence" in the backup job options.
Then enable for the application processing on the VM in question the option "Try application processing, but ignore failures"
Check out those two user guides, which provide a bit more background:
https://helpcenter.veeam.com/archive/ba ... hoice.html
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

This way the backup process would put the DCs in question into suspended mode for a short period of time, which could be acceptable, as long as you don't backup all DCs at the same time.
Downside of this method is, that no recovery preparation is being done inside the DCs and the suspension of the DC leads to short outages of logs and VM time, which, dependent on your internal processes, might be unacceptable. On the flip side you should have a consistent backup of your DCs.


Following idea might be better, but more effort (untested):
On the DC VM in Task Scheduler, setup a task which performs the necessary VSS engagement to prepare the AD (freeze).
The task would always need to start at a specific time and check in a loop the existence of a file "checkpoint1.txt" in a specific file share.
You have a backup job option "Pre-Freeze and Post-Thaw Scripts".
Setup a Pre-Freeze script to create that "checkpoint1.txt", which itself is waiting in a loop for the existence of "checkpoint2.txt".
While Pre-Freeze script is waiting, the other task in the DC is now performing the necessary VSS operations and upon completion, does create the file "checkpoint2.txt" and itself is waiting for a file "checkpoint3.txt".
The Pre-Freeze script now finishes, since "checkpoint2.txt" is now found.
From here on, Veeam Backup is configured to create a crash consistent backup, while in fact, the DCs have been VSS prepared just seconds before.
The Post-Thaw script would then create the file "checkpoint3.txt" and exit.
The still waiting task in the DC now sees "checkpoint3.txt" and releases the AD from the freeze and assumes normal operation again.
Check out the user guide here in regards to Pre-Freeze and Post-Thaw:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Actually, I don't know the necessary commands to engage VSS manually to prepare AD for backup and release it's freeze after checkpoint generation, which of course would be necessary to know, in order to get the probably more favorable solution really working. Anyone?

Cheers

[Seve CH]

Doesn;t anyone bother this ? as VEEAM is this acceptable by for your security standards ?

I find it very strange.

Hi
I think you are misunderstanding the problem. I have the feeling you think that the Veeam servers must be removed from the domain to protect the domain. That's incorrect.

The Veeam servers must be removed from the domain to protect the Veeam servers from the domain. Backup administrator on Veeam has higher privileges than Enterprise administrator:

If a hacker gets access to a backup of a domain controller, he can do whatever he wants with your domain, including impersonating the domain controller, you or any other user o service. He has a copy of the SAM database, private keys, etc. If he gets access to a copy of a SQL server or file server, he can read all your data unaudited. If it happens you logged into it, he can use the cached hash of your user account and impersonate you elsewhere (pass-the-hash)

Veeam servers are the ones which require the most protection and not your domain.

Best regards

[mkaec]

If you want to avoid access completely, you can still back up the DC without application aware processing and cross fingers that vss is doing a good job during the snapshot. If you later want to restore single items with the Veeam Explorer for AD, you can still open it and perform this.
Attention: Be aware, that without an application aware backup, a full restore of a DC will not automatically boot into authoritative restore modes and to the magic. You would have to take care of this by yourself.

This is the solution. Turn off Application Aware Processing and enable the two check boxes under Storage > Advanced \ Hyper-V (Enable Hyper-V guest quiescence and Take crash consistent backup instead of suspending VM). Then make sure the VM has the Backup integration service enabled. The host will tell the VM via the integration service to get things consistent (which the NTDS VSS writer will do for AD). Then just be aware that you'll need to do some extra steps if a full restore is needed.

Alternatives are to install Veeam Agent or Windows Server Backup in the guest.

[salih57]

Hı,
I tried it one year ago but it failed. Alter,I created User which is member of backup operator, it failed again when i backing AD appl.awar.backup.
At last, I add the user to the domain admin grup
necessarily.
But in exchange Server backup,
Adding User to organization management group is enough for appl.awa backup.

[cb4444]

Carefull, I'm not talking about persistent agent but pre installed agent.
It's not the same .

https://helpcenter.veeam.com/docs/backu ... ml?ver=120

I know this is an old discussion but i'm in the same boat. Are you saying here that a domain controller can be backed up without using domain admin credentials if a pre-installled agent is used?

[Mildur]

Hi cb4444

Yes, a protection group of pre-installed agents can be used.
Without giving the backup server credentials, you have to install the agents yourself or through another third party deployment tool.

https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Best,
Fabian

[sabicao]

Does that mean I have to consume an additional license to have a DC properly protected in such manner?

[sabicao]

Hi cb4444

Yes, a protection group of pre-installed agents can be used.
Without giving the backup server credentials, you have to install the agents yourself or through another third party deployment tool.

https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Best,
Fabian

Does that mean consuming an additional license to have a DC properly protected without a domain admin account? I sincerely hope not.