-
- Service Provider
- Posts: 175
- Liked: 17 times
- Joined: Sep 27, 2019 5:06 pm
- Contact:
[V13] Veeam Server Appliance host admin lockout, MFA reset, password reset
Hello,
How would one go about resetting the built-in "veeamadmin" MFA should the original info for it get lost? Let's assume there is not another user that is able to get onto the machine.
-
- Chief Product Officer
- Posts: 32714
- Liked: 7943 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam Server Appliance MFA reset
Hello, same as with any other OS: you'd have to boot the server from a live ISO, mount the file system to it and edit the OS configuration files manually. So not a quick fix and best avoided by making sure there are at least two admin accounts!
-
- Service Provider
- Posts: 175
- Liked: 17 times
- Joined: Sep 27, 2019 5:06 pm
- Contact:
Re: [V13] Veeam Server Appliance MFA reset
Gostev, is this a process that Veeam Support will be documenting and providing via support cases if needed? I opened case 07824123 to inquire about an official process and so far only a rebuild has been suggested as an option.
-
- Chief Product Officer
- Posts: 32714
- Liked: 7943 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: [V13] Veeam Server Appliance MFA reset
@Dima P. do we have any documentation for Live ISO yet and if not, when does the Technical Writing team plan to release it?
-
- Product Manager
- Posts: 14933
- Liked: 1825 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: [V13] Veeam Server Appliance MFA reset
Sure, here you go guys > How to use Veeam Live OS ISO.
-
- Chief Product Officer
- Posts: 32714
- Liked: 7943 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: [V13] Veeam Server Appliance MFA reset
@Dima P. what about the instructions for resetting host admin account access in case the password and/or MFA are lost?
-
- Product Manager
- Posts: 14933
- Liked: 1825 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: [V13] Veeam Server Appliance MFA reset
Asked team to update the KB with step by step instructions. Please stay tuned.
-
- Product Manager
- Posts: 14933
- Liked: 1825 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: [V13] Veeam Server Appliance MFA reset
The KB has been updated with information on unlocking users and resetting user passwords.
We are currently working with the Technical Writing team to prepare step-by-step MFA reset instructions for Host Admin and Security Officer accounts, which will be published in the Help Center soon — stay tuned!
For MFA resets via LiveOS image, we strongly recommend opening a support case first to avoid possible misconfigurations.
-
- Chief Product Officer
- Posts: 32714
- Liked: 7943 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: [V13] Veeam Server Appliance MFA reset
I really like the on-going updates to the Common Tasks section
thanks Dima!

-
- Veteran
- Posts: 649
- Liked: 98 times
- Joined: Dec 20, 2015 6:24 pm
- Contact:
[MERGED] how to unlock veeamadmin after 3 failed login attempts
After a new install and some configuration I managed to lock veeamadmin user by entering wrong password in VM console.
https://helpcenter.veeam.com/docs/vbr/e ... king-users
But how can I do this if there is no other user with host admin permissions than veeamadmin? Logged in as veeamso user I don't see any option to reset other users passwords or unlock accounts. Is there a timeout after a lock is released like in most Linux?
There is a KB for hardened repository pw reset, but it does not work for v13 appliance.
https://www.veeam.com/kb4663
-
- Product Manager
- Posts: 10958
- Liked: 3002 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: [v13] how to unlock veeamadmin after 3 failed login attempts
Hi Pirx,
You can use the Veeam Live OS ISO to unlock accounts in the Veeam Software Appliance if no other Admin account is available.
Please follow the steps outlined in KB4761.
Best regards,
Fabian
Product Management Analyst @ Veeam Software
-
- Veteran
- Posts: 649
- Liked: 98 times
- Joined: Dec 20, 2015 6:24 pm
- Contact:
Re: [V13] Veeam Server Appliance host admin lockout, MFA reset, password reset
Thx, I did search forum but did not find this thread. Maybe it would make sense to add the unlock feature to veeamso account
-
- Chief Product Officer
- Posts: 32714
- Liked: 7943 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: [V13] Veeam Server Appliance host admin lockout, MFA reset, password reset
Not your fault, we routinely merge topics discussing different variations of the same issue (in this case, host admin lockout when no other host admin present) and in the process we expand the original topic name with all key words to improve search hits.
You are right, simple unlock should be a safe operation in terms of Zero Trust.
-
- Veeam Legend
- Posts: 408
- Liked: 67 times
- Joined: Jun 30, 2015 9:13 am
- Full Name: Stephan Lang
- Location: Austria
- Contact:
Re: [V13] Veeam Server Appliance host admin lockout, MFA reset, password reset
for my and overall understanding:
for every account veeamadmin and veeamso (and all others created afterwards), as soon as there are 3 incorrect logins, the accounts get locked out!?
so either you can reset them, for veeamso apparently this works with the recovery code, resulting in resetting the password, creating a new MFA Token and getting a new recovery code?
or going down the live OS ISO route...
EDIT: clearly this is also a lack of experience (and/or ignorance) from my side... i just read and saw that you can also unlock, EVEN the veeamso user out of the veeam host management, as long as you can login there with a host admin user! so this also alleviates my concerns of the following sentences.
I'm not sure if this is really a good approach... on one side this will cause plenty of support-cases because it could be multiple reasons to have the passwords incorrect 3 times in a row... even more if you're working with different Veeam appliances (I just talk out of experience, right now!) it's very easy to get the incorrect password and keyboard layout is another big error here
either the lockout count should be upped to a higher number or there should be an automatic account unlock after 10 or 15 minutes... and once this has been hit 3 times, for example, the accounts should get locked longer or permanent...
and moreover as an attacker you could also trigger some issues with locking these accounts by simply giving some random logins..
the biggest issue though there is no single reporting this is happening, either "stupidity" or a bad actor... the admins never get this until they try to sign in and don't know what's going on, brings me to the next issue.. the failure message is exactly the same. "Authentication failed." i get it, might be hard to implement. but i would opt-in for another message as soon as the account is locked... overall this brings me back to this will raise cases on Veeam's-end immensely!
i fully understand the security concerns and why this all matters!
just said resetting these accounts, as explained above with the veeamso directly results in the next potential issue that the old account gets invalidated with new password/totp that directly can result in the next lock....
this is just my personal two cents but I'm sure I am not alone with these thoughts!
-
- Chief Product Officer
- Posts: 32714
- Liked: 7943 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: [V13] Veeam Server Appliance host admin lockout, MFA reset, password reset
I believe our security team has also recently approved that we can add auto unlock after a decent timeout, @Dima P. knows the details.
-
- Product Manager
- Posts: 14933
- Liked: 1825 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: [V13] Veeam Server Appliance host admin lockout, MFA reset, password reset
Hello DaStivi,
> so either you can reset them, for veeamso apparently this works with the recovery code, resulting in resetting the password, creating a new MFA Token and getting a new recovery code?
1. When VSA is deployed with the Security Officer (SO) role, any locked user can request a password reset via the login form. The SO resets the password to a temporary one and shares it with the admin. Once the admin logs in, they are prompted to set a new password.
2. Without the SO role, locked users are automatically re-enabled after 15 minutes.
3. With or without the SO role, a second admin can re-enable the user anytime via the Host Management Console.
4. For the SO account itself, the Recovery Code is the only way to restore access since admins are not allowed to interfere with SO access.
> the biggest issue though there is no single reporting this is happening, either "stupidity" or a bad actor... the admins never get this until they try to sign in and don't know what's going on, brings me to the next issue.. the failure message is exactly the same. " Authentication failed." i get it, might be hard to implement. but i would opt-in for another message as soon as the account is locked... overall this brings me back to this will raise cases on Veeam's-end immensely!
We are adding email reporting in the 1301 release to user lock events and all the SO approval actions. Thank you!
-
- Veeam Legend
- Posts: 408
- Liked: 67 times
- Joined: Jun 30, 2015 9:13 am
- Full Name: Stephan Lang
- Location: Austria
- Contact:
Re: [V13] Veeam Server Appliance host admin lockout, MFA reset, password reset
point 4. I cannot confirm! luckily... I was able to unlock the veeamso with my normal hostadmin user... ?!