Hey,
Before our update automation reboots a Veeam host, it currently checks whether a backup job is running by executing the following cmdlet: Get-VBRJob | Where-Object {$_.IsRunning -like "True" -AND $_.IsIdle -like "False"}
As part of our security improvements, we plan to enforce MFA for all accounts and want to avoid using service accounts without MFA. Since the PowerShell module does not support our MFA requirements, I need an alternative approach for checking whether backup jobs are currently active.
On Veeam proxy nodes, I’m able to determine activity by checking the status of the VeeamTransportSvc Windows service. Is there a similar or recommended method to reliably determine whether backup activity is currently running without relying on the PowerShell module or do you have any other alternatives in mind?
-
derSchweiger
- Novice
- Posts: 8
- Liked: 1 time
- Joined: Dec 21, 2021 7:08 am
- Full Name: Kevin Schweiger
- Contact:
-
Mildur
- Product Manager
- Posts: 11752
- Liked: 3315 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: View running Veeam Backup Jobs with MFA enabled
Hi Kevin,
We’ve received requests to allow PowerShell with MFA-enabled accounts, but for automated scripts this usually doesn’t help, as the script can’t complete MFA on its own. The same applies to REST API queries.
We may also consider a future “maintenance mode” to help ensure no backup jobs are running when you start your server updates (Windows patching?). Would that help in your case?
For now, the most practical approach is to use a service account with a strong password stored securely in encrypted form on the machine. I found this external blog (not from Veeam) with some ideas and pros/cons:
https://www.secureideas.com/blog/secure ... -practices
Best,
Fabian
We’ve received requests to allow PowerShell with MFA-enabled accounts, but for automated scripts this usually doesn’t help, as the script can’t complete MFA on its own. The same applies to REST API queries.
We may also consider a future “maintenance mode” to help ensure no backup jobs are running when you start your server updates (Windows patching?). Would that help in your case?
For now, the most practical approach is to use a service account with a strong password stored securely in encrypted form on the machine. I found this external blog (not from Veeam) with some ideas and pros/cons:
https://www.secureideas.com/blog/secure ... -practices
Best,
Fabian
Product Management Analyst @ Veeam Software
-
derSchweiger
- Novice
- Posts: 8
- Liked: 1 time
- Joined: Dec 21, 2021 7:08 am
- Full Name: Kevin Schweiger
- Contact:
Re: View running Veeam Backup Jobs with MFA enabled
Hi Fabian,
Yeah, I see the issue here. This is very likely a classic chicken-and-egg problem.
We need to trigger our automation through a task in the Windows Task Scheduler. However, storing service account credentials directly on the host would introduce another weakness into our security model, which is something we want to avoid.
For our use case, the most practical solution would be to allow certain read-only Veeam PowerShell commands for dedicated service accounts. For example, allowing Get-* cmdlets for users assigned to the Veeam Backup Viewer role would provide the required visibility while maintaining a secure and restricted permission model.
But for now: you do not see any chance to monitor running Veeam backups by, example given, monitoring a certain Windows service (like we do on Veeam Proxy nodes)?
Yeah, I see the issue here. This is very likely a classic chicken-and-egg problem.
We need to trigger our automation through a task in the Windows Task Scheduler. However, storing service account credentials directly on the host would introduce another weakness into our security model, which is something we want to avoid.
For our use case, the most practical solution would be to allow certain read-only Veeam PowerShell commands for dedicated service accounts. For example, allowing Get-* cmdlets for users assigned to the Veeam Backup Viewer role would provide the required visibility while maintaining a secure and restricted permission model.
But for now: you do not see any chance to monitor running Veeam backups by, example given, monitoring a certain Windows service (like we do on Veeam Proxy nodes)?
Who is online
Users browsing this forum: No registered users and 43 guests