Monitoring and reporting for Veeam Data Platform
Rumple
Service Provider
Posts: 94
Liked: 18 times
Joined: Mar 10, 2010 7:50 pm
Full Name: Mark Hodges
Contact:

Re: VeeamOne on Domain, VBR in Workgroup, access denied

Post by Rumple »

I did have to switch over the account used within the configuration to be the Windows standard user/Veeam user account to get the data as people expected, so no big deal.
Now one challenge with the offline bundle is it reports back the actual system name of the Veeam backup server, and ours are literally the serial number, which makes it tough.
I wish there was a way to change the server name or add a friendly name tag to these.
jorgedlcruz
Veeam Software
Posts: 1737
Liked: 760 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Re: VeeamOne on Domain, VBR in Workgroup, access denied

Post by jorgedlcruz »

Hello Mark,
We usually use the hostname of the Veeam Backup & Replication server; do you mind sharing some redacted images of the hostname vs how VONE sees it?

I was looking at the .yaml files we deploy with the agent, but the closest I see is appsettings.yaml

```yaml
Connection:
  Enable: true
  HostName: localhost
```
Perhaps changing that to something VONE and VBR knows might work. I would prefer if you open a support case just to be sure if there is a better way to change this.

Thank you
Jorge de la Cruz
Director Observability & AI Product Management | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2025 / InfluxAce / Grafana Champion
Post by Rumple »

It's not that important really... just one of those nice feature requests... I COULD have just renamed the Veeam servers to match the site, if I had thought of it beforehand... lol

When looking at 9 sites, you have no idea which is which, but you can click on them and load the job names, which thankfully I do have named with the site name.

MXL336342N Veeam Backup & Replication (Windows)
MXL336343R Veeam Backup & Replication (Windows)
MXL420356V Veeam Backup & Replication (Windows)

Just one of those, nice to have options to just name them in the console whatever I wanted.

Post by Rumple »

I have an open ticket on VONE permissions in a workgroup (Veeam Support - Case # 07871490) and I'm a little flabbergasted and confused, to be honest. For #1, the response is contradictory: that only works in a domain (aka they expect you to use a domain account with customized permissions to connect remotely and run the service, but it will NOT work in a workgroup, which is literally Veeam's best practice).
Worse, the account CANNOT have MFA and needs to be a full administrator... so effectively I lock the doors with my account having MFA, but I leave the window open with curtains blowing in the breeze.
I totally could understand using a "service" account that was a read-only backup operator, which would minimize the risk substantially, but no, our monitoring account needs to have full access permissions without MFA.

Here is the ticket response


My name is Ian, and I am here to assist you with your security and permissions concerns regarding Veeam ONE integration with your Veeam Backup & Replication (VBR) servers. Thank you for reaching out.
To address your questions:
1. Service Account Requirements:
For Veeam ONE analytics integration with VBR, a dedicated service account is required. This account should not be a local administrator or domain administrator, and it should not be the local administrator account. Instead, create a dedicated service account that does not exist on any VBR server. This approach helps prevent account lockouts and reduces security risks. The account connecting to Veeam Backup & Replication can be assigned manual WMI permissions, which will give the account only the specific permissions it needs. For details on these permissions, see Configuring Permissions to Remotely Access WMI - Veeam ONE Deployment Guide.
2. Permissions:
The service account must additionally be assigned the Veeam Backup Administrator role within VBR. This is required to collect backup data from the server. The absence of the role will cause backup data collections to fail. This is the minimum required permission for Veeam ONE to collect data and perform analytics. Please note that a read-only account cannot be used for this integration; the Backup Administrator role is necessary.
Reference: Connection to Backup Servers
3. Multi-Factor Authentication (MFA):
MFA must be disabled for the service account used by Veeam ONE, as MFA is not supported for this integration and non-interactive sessions used by the Veeam ONE Agent.
Reference: Multi-Factor Authentication - Veeam Backup for Microsoft 365 Guide
4. Manual Agent Installation:
If your VBR servers are in workgroup or non-trusted domains and automatic agent deployment fails, you can manually install the Veeam ONE Agent.
• Copy the agent folder from the Veeam ONE ISO to the VBR server.
• Open Command Prompt as administrator and run:
  msiexec.exe /i VeeamONE.Agent.x64.msi
• After installation, register the agent from the Veeam ONE client.
Summary:
• Use a dedicated, non-administrator service account with the Veeam Backup Administrator role (without MFA) for Veeam ONE integration.
• Do not use local administrator accounts.
• Read-only accounts are not supported for analytics integration.
Let us know if you need further clarification or assistance.
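As an added illustration of point 1 of the support reply above (this is not code from the thread, from Veeam, or from the Veeam ONE Deployment Guide), the PowerShell below creates a dedicated non-administrator local account on a workgroup VBR host, grants it only remote-read rights on the root\cimv2 WMI namespace, and then shows how to verify from the collecting side that a query succeeds while a method call is refused. The account name svc-vone-collect, the right set (Enable Account + Remote Enable, no Execute Methods, no write flags) and the host name VBR-HOST are assumptions; the authoritative permission list for Veeam ONE is the deployment guide page the reply cites, and the Backup Administrator role and MFA settings it mentions are configured in VBR itself and are not covered here.

```powershell
# Added example: least-privilege local account for remote WMI reads on a workgroup VBR host.
# Not from the thread or Veeam's documentation. Assumed names: 'svc-vone-collect', 'VBR-HOST'.
# Run in an elevated Windows PowerShell 5.1 session on the VBR server.

$User      = 'svc-vone-collect'
$Namespace = 'root\cimv2'

# 1. Dedicated local account, deliberately NOT a member of Administrators.
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    $Password = Read-Host -AsSecureString -Prompt "Password for $User"
    New-LocalUser -Name $User -Password $Password `
        -Description 'Veeam ONE collection account (remote WMI read only)' | Out-Null
}

# 2. Remote WMI is carried over DCOM; the built-in 'Distributed COM Users' group holds the
#    DCOM launch/access rights a non-admin needs to reach the WMI service remotely.
if (-not (Get-LocalGroupMember -Group 'Distributed COM Users' -Member $User -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Distributed COM Users' -Member $User
}

# 3. Allow the inbound WMI rules (RPC endpoint mapper on 135 plus the dynamic RPC range).
Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'

# 4. Namespace ACL: one ACE granting Enable Account + Remote Enable, inherited by sub-namespaces.
#    Execute Methods (0x2) and every write flag are left out, so the account can query but not act.
$WBEM_ENABLE           = 0x01
$WBEM_REMOTE_ACCESS    = 0x20
$CONTAINER_INHERIT_ACE = 0x02
$ACCESS_ALLOWED_ACE    = 0x00

$sid  = ([System.Security.Principal.NTAccount]"$env:COMPUTERNAME\$User").Translate([System.Security.Principal.SecurityIdentifier]).Value
$path = "\\.\$Namespace`:__SystemSecurity=@"
$acl  = (Invoke-WmiMethod -Path $path -Name GetSecurityDescriptor).Descriptor

if ($acl.DACL | Where-Object { $_.Trustee.SIDString -eq $sid }) {
    Write-Host "$User already has an ACE on $Namespace; leaving the DACL unchanged."
} else {
    $trustee = (New-Object System.Management.ManagementClass('Win32_Trustee')).CreateInstance()
    $trustee.SIDString = $sid

    $ace = (New-Object System.Management.ManagementClass('Win32_ACE')).CreateInstance()
    $ace.AccessMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
    $ace.AceFlags   = $CONTAINER_INHERIT_ACE
    $ace.AceType    = $ACCESS_ALLOWED_ACE
    $ace.Trustee    = $trustee

    $acl.DACL += $ace.PSObject.ImmediateBaseObject
    $result = Invoke-WmiMethod -Path $path -Name SetSecurityDescriptor `
                  -ArgumentList $acl.PSObject.ImmediateBaseObject
    if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with $($result.ReturnValue)" }
    Write-Host "Granted Enable Account + Remote Enable on $Namespace to $User."
}

# 5. Verification, run from the collecting host (the Veeam ONE server), not on the VBR host.
#    A read must succeed; a method call must be refused because Execute Methods was never granted.
#
#   $cred = Get-Credential "VBR-HOST\svc-vone-collect"
#   Get-WmiObject -ComputerName VBR-HOST -Credential $cred -Class Win32_OperatingSystem |
#       Select-Object Caption, LastBootUpTime                          # expected: one row
#   Invoke-WmiMethod -ComputerName VBR-HOST -Credential $cred -Class Win32_Process `
#       -Name Create -ArgumentList 'cmd.exe'                             # expected: access denied
```

The point of step 5 is that least privilege is only real if the negative test fails: an account that can read Win32_OperatingSystem but cannot spawn a process through Win32_Process.Create is what a monitoring identity should look like. If the collector later turns out to need a right this script does not grant, add that single right rather than falling back to local Administrators.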

Post by jorgedlcruz »

Hello Mark,
Thank you so much for your feedback and concerns. I do not see any reason to be surprised, as this has been mentioned multiple times on this forum, plus it is documented in our official documentation. The support team will try to offer you a supported approach to make the integration work. Current data collection should work across different domains, or workgroups, as per the documentation mentioned, as long as everything else in the article is in order.

Moreover, as Veeam ONE has been using WMI, WinRM, and other native windows methods to do data collection, it comes with many, many challenges, including this workgroup vs domain, etc.

I understand that this is far from ideal, and have been working on changing it for years, so I have good and less good news:
  • Good news first: In Veeam Backup & Replication v13 Linux (Veeam Software Appliance), we do not require any service account to operate once our agent is installed (to do this we need to either use the offline bundle, the best option in my eyes, with 0 additional users, or the usual Veeam Backup Administrator role via Veeam ONE remote deployment, but you can delete this account later). We do have a secure mechanism for the agent to extract data out of Veeam Backup & Replication and send it to Veeam ONE.
  • Less good news: In Veeam Backup & Replication v13 Windows, we did move our data collection to gRPC, a much more modern protocol, so we are finalizing the documentation as we might need fewer permissions than before (but always more than in a hardened Linux appliance like VSA).
So, my advice would be to start exploring Veeam Software Appliance if you want a 100% hardened environment, that includes the monitoring agent. Also, as soon as we confirm the permissions for VBR v13 windows, we will share it here as well.

Thank you so much
Jorge de la Cruz

Post by Rumple »

I get the idea of the windows service account needing to run as an account vs system. That can be managed by making sure it's not a local administrator and has a few elevated permissions as needed.
I get the idea that the account used for Veeam ONE needs to be able to connect to the VBR system/database to read out the information and can't have MFA... understandable because, as a Windows app, VBR is not going to have an API interface.
I don't understand WHY the account MUST BE BACKUP ADMINISTRATOR to READ data from the system.
The least privilege principle (PoLP) is a fundamental security concept in information technology that dictates that any user, process, or program should only have the minimum level of access or permissions necessary to perform its intended function.

There is literally no justification in the world that can be made for a monitoring solution using an account that has write access to the VBR environment. We all know that VBR servers are a juicy target and everyone WILL have an attack at some point (not IF), so leaving such an obvious hole these last few releases seems sloppy. You cannot tell me that it's impossible for someone to have figured out how to make monitoring use a read-only account in 2+ years (especially if they are also developing v13 at the same time).

We will eventually move to the appliances once it hits .1 and we slowly replace environments at the 9 sites, but short term, my whole point of VeeamOne was to try and improve on monitoring, because the enterprise summary reports suck when you get an email with this subject - Last 24 hours: 1 Errors, 0 Warnings, 1733 Successes - and then you have to literally scroll forever through the email to find the errors (or, as we found out, realize an entire environment hasn't been checking in and the only way to tell is if you know that 1733 successes seems too low of a number...).

Having VeeamOne able to do alerting seemed like the obvious solution, since it will alert if a VBR server is not responding (among other nice alerts), but now I have to try to get security exceptions in place (if I can) because I have to allow a console MFA bypass to occur with a privileged account (which was the surprising part).

Fun fact, the oldest email I can find for Veeam is from Jan 2010 (FastSCP 3.1) and in March 2010 I received my first license file for VBR 4.1 NFR and my Forum profile was created March 10, 2010....so I've seen, sold, and implemented it all with VBR, and yet you still apparently can surprise me.
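As an added example (not code from the thread or from Veeam), here is a PowerShell check for the kind of summary subject line quoted in the post above: it parses the three counts and compares the total number of reported sessions against a per-site baseline, so a whole site going dark shows up as a drop in volume even when the mail reports zero errors. The nine site job counts and the sample subjects are constructed data; the real baseline would come from your own job inventory.

```powershell
# Added example, not from the thread: parse "Last 24 hours: E Errors, W Warnings, S Successes"
# and flag a silent drop in total session volume. Baseline figures below are constructed.

function Test-VeeamSummarySubject {
    param(
        [Parameter(Mandatory)][string]$Subject,
        # Constructed baseline: expected daily session count per site.
        [Parameter(Mandatory)][hashtable]$SiteJobCounts
    )
    $pattern = 'Last 24 hours:\s*(\d+)\s+Errors?,\s*(\d+)\s+Warnings?,\s*(\d+)\s+Success(?:es)?'
    if ($Subject -notmatch $pattern) {
        return [pscustomobject]@{ Subject = $Subject; Status = 'UNPARSEABLE' }
    }
    $errors    = [int]$Matches[1]
    $warnings  = [int]$Matches[2]
    $successes = [int]$Matches[3]

    $expected  = ($SiteJobCounts.Values | Measure-Object -Sum).Sum
    $reported  = $errors + $warnings + $successes
    $shortfall = $expected - $reported
    # A missing site removes at least its own job count from the total; anything smaller than the
    # smallest site is treated as normal day-to-day variance rather than a dark site.
    $smallest  = ($SiteJobCounts.Values | Measure-Object -Minimum).Minimum
    # Sites whose job count alone would explain the shortfall, as a hint for triage.
    $suspects  = $SiteJobCounts.GetEnumerator() |
                 Where-Object { $_.Value -le $shortfall } | ForEach-Object { $_.Key } | Sort-Object

    $status = if ($shortfall -ge $smallest) { 'SITE-DARK?' }
              elseif ($errors -gt 0)        { 'ERRORS' }
              elseif ($warnings -gt 0)      { 'WARNINGS' }
              else                          { 'OK' }

    [pscustomobject]@{
        Subject   = $Subject
        Status    = $status
        Errors    = $errors
        Warnings  = $warnings
        Successes = $successes
        Expected  = $expected
        Shortfall = $shortfall
        Suspects  = ($suspects -join ',')
    }
}

# Constructed baseline for nine sites; the counts are made up and sum to 1800.
$sites = @{ SITE01=210; SITE02=190; SITE03=205; SITE04=180; SITE05=220; SITE06=195; SITE07=200; SITE08=215; SITE09=185 }

@(
    'Last 24 hours: 1 Errors, 0 Warnings, 1733 Successes',   # constructed: 66 short, within variance -> ERRORS
    'Last 24 hours: 0 Errors, 0 Warnings, 1620 Successes',   # constructed: 180 short, no errors  -> SITE-DARK? (SITE04)
    'Last 24 hours: 0 Errors, 2 Warnings, 1798 Successes'    # constructed: full volume            -> WARNINGS
) | ForEach-Object { Test-VeeamSummarySubject -Subject $_ -SiteJobCounts $sites } |
    Format-Table Status, Errors, Warnings, Successes, Expected, Shortfall, Suspects -AutoSize
```

The volume check is ranked above the error check on purpose: a job that failed is visible in the mail body if you scroll, but a site that never reported is visible only as an absence, which is the failure mode the post describes. Feed the function from whatever delivers the mail subject (a scheduled task reading a mailbox, a ticketing webhook) and page on SITE-DARK? regardless of the error count.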

Post by jorgedlcruz »

Thank you Mark,
I agree with all the points. In 2+ years of development what we have achieved is to implement PoLP for Veeam Software Appliance, as said, it doesn't even need a Veeam account in the VBR, we communicate locally with the agent.

For Windows, we will revisit after v13.0.1 is released and improve it with even less privileges. I do not think we can modify any of the logic of VBR v12.

Veeam ONE has indeed great alarms about the status of the VBRs, or any components, or my favorites based on RPO (it is called VM with no backup). Those are the crown jewels once configured properly, so you stop monitoring jobs, or pay less attention because 1800 jobs are a lot, and instead you receive granular information about those VMs missing RPO, like missing 1 day Warning, missing 2 Error, etc. Much more efficient and reliable.

I was 25 in 2010 and I was as well implementing Veeam on a few Customers, among other technologies. I was using Nagios for monitoring most of the stuff, and even back then it was challenging.

We hear you; we will discuss VBR v13.x monitoring to see if, of course, the service should run with some permissions but have other, less restricted permissions to connect to VBR, or, as we do for Linux, our own communication.

Thank you for the patience; if you want, we can arrange a call once you have figured out if you can run VONE due to security, and walk through everything to make the most out of the tool.
Jorge de la Cruz

Post by Rumple »

For now the most important part of VeeamOne is the offline server alerting... the enterprise summary works for knowing if a job has gone to hell (infrequently at these sites we get jobs stuck, not being able to read the disk layout until we restart the ESX management agents, so the failures in the summary of the email tell us when something has gone horribly wrong), and now Veeam (even without analytics) tells us when a Veeam server has just gone completely dark (which is almost impossible to tell with the enterprise summary report).
Once we are ready for the software appliance then I can get fancy with other reporting with Vone...but for now I can use it as my canary in the coal mine without needing any special permissions on the VBR side...