Comprehensive data protection for all workloads
Post Reply
real_tarantoga
Expert
Posts: 108
Liked: 23 times
Joined: Aug 20, 2009 12:32 pm
Location: Germany
Contact:

veeam design question - what's more secure: usage of gMSA or Non-AD backup infrastructure?

Post by real_tarantoga »

Until now, I've preffered a veeam infrastructure design following the security best practices under https://bp.veeam.com/vbr.
Only exception: the unistall of explorers on the core backup server is no longer faisable since the penultimate update (to 12.1.x).
(The Oracle KVM plug-in needs to be installed on the core backup server.)

The IT-Security team is concerned of the widely used "functional or service accounts" with strong but never changing passwords.
Putting these accounts into the "protected users group" isn't possible for a considerable number of accounts.
That's why I've tried out "group managed service accounts" for e.g. Exchange backups. But for this I had to use ad-integrated proxy servers ...

Now, I'm wondering if it would be better to completely re-join all the infrastructure into the active directory. Why I am asking for this?

Without AD-join I'm "mostly safe" against a complete takeover scenario and ransomware issues on the repository servers.
With AD-join I could get rid of these never changing accounts with very extensive system permissions.

What are You thinking about these two ways to design the backup infrastructure?
Would it be better in Your opinion to stay "stand-alone" for the backup servers, proxies, repositories and to endure the static accounts?
Or do You see a lower security risk using gMSA with ad-integrated veeam components?

What I did never understand is - why some people feel safe with ad-integrated proxies, but non-AD repositories ... imho the proxies have to hold the repo credentials somewhere locally.
So it can't be more safe than a complete AD-Join, isn't it?

Thank You for Your statements!
Stefan
haslund
Veeam Software
Posts: 903
Liked: 163 times
Joined: Feb 16, 2012 7:35 am
Full Name: Rasmus Haslund
Location: Denmark
Contact:

Re: veeam design question - what's more secure: usage of gMSA or Non-AD backup infrastructure?

Post by haslund » 1 person likes this post

Create a management/backup domain, create a gMSA service account there. Then set up a one-way trust to your production domain. In the production domain, you can assign local administrator rights to the gMSA account from the backup domain.

This way, if someone owns your production domain, they still can't get to your backup domain (which should obviously be locked down hard), while you enjoy the gMSA benefits of managed password changes.
Rasmus Haslund | Twitter: @haslund | Blog: https://rasmushaslund.com
real_tarantoga
Expert
Posts: 108
Liked: 23 times
Joined: Aug 20, 2009 12:32 pm
Location: Germany
Contact:

Re: veeam design question - what's more secure: usage of gMSA or Non-AD backup infrastructure?

Post by real_tarantoga »

That sounds very good - allowing for both: the intended security aspects and gMSA.
Thank You very much!

But will the VMs in the prod domain be able to catch the gMSA password?! I'm afraid, that I'm missing some knowledge here.
Post Reply

Who is online

Users browsing this forum: Semrush [Bot] and 27 guests