PeterC
Full Name: Peter Camps

A few questions about security of Backup & Replication

Post by PeterC »

We have had some questions from a customer about monitoring of our Veeam B&R environment.
They are asking if we can see alerts being raised when something/someone is tampering with the backup environment.
They have some use cases:

- Unauthorised Access to Backup Application
This use case is designed to detect unauthorised access to (Veeam’s) backup and replication console. An alarm will be generated when a logon was observed by an unauthorised user.

- Backup Configuration Tampering
This use case is designed to detect unauthorised changes within (Veeam’s) backup and replication console. An alarm will be generated when a change was performed by an unauthorised user.

- Suspicious Deletion of Backup Resource
This use case is designed to detect unauthorised deletion of backup resources within (Veeam’s) backup and replication console. An alarm will be generated when such a deletion was performed by an unauthorised user.

To see alerts from these use cases do we need something like Veeam One, or is this something that we can implement using other tooling?

Hope that someone has some experience with this.

Grtx

Peter
david.domask
Veeam Software

Re: A few questions about security of Backup & Replication

Post by david.domask » 1 person likes this post

Hi Peter,

1. Logins

This can be monitored within the normal Windows event log for logons to the VBR server. Console login currently does not have a report; however, can you clarify the situation you're imagining where an unauthorized user gets access to the Veeam Backup and Replication Console? Only users configured in User Roles can access the console, and it is strongly advised to utilize the Roles to control what each user has access to, i.e., don't give Backup Administrator access to users who do not really need it. Review our Best Practices Guide on Roles and Users for further suggestions for hardening here. Similarly, consider Enterprise Manager for limiting access as opposed to giving people access on the Veeam server itself -- Enterprise Manager is intended to provide limited and controlled access for users who may need to perform backups/restores on their own for a limited scope of resources.

2. Change Audit Reports

Please see the following Veeam One reports:
Infrastructure Changes Audit - Veeam ONE Reporting Guide
https://helpcenter.veeam.com/docs/one/r ... it&ver=120
Backup Infrastructure Audit - Veeam ONE Reporting Guide
https://helpcenter.veeam.com/docs/one/r ... ml?ver=120
Backup Objects Change Tracking - Veeam ONE Reporting Guide
https://helpcenter.veeam.com/docs/one/r ... ml?ver=120

This, combined with proper securing of the Roles and Users, will help to ensure you have monitoring on changes in your environment. Such changes are also reported with our Syslog Event Forwarding, which can send events to a syslog server or Veeam App for Splunk or Veeam App for Palo Alto XSOAR for monitoring.

3. Reporting on Backup Deletion

I suggest enabling Four-eyes Authorization -- this will prevent all manual deletion of backup files from the Veeam Console without approval from multiple Backup Administrators. Remember, it's still important to limit access for the Veeam server to only those who truly need it, and be judicious about who you grant the Backup Administrator role to.
David Domask | Product Management: Principal Analyst
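
One way to run the Windows event log check from point 1 above, added here as an example and not code from Veeam or from either poster: it flags desktop-session logons (Security event 4624) on the VBR server by accounts outside an allow-list. The account names, function names and sample records are assumptions made for illustration.

```powershell
# Placeholder names: replace with the named accounts permitted on the VBR server.
$AllowedAccounts   = @('BACKUPDOM\vbr-admin1', 'BACKUPDOM\vbr-admin2')
# 4624 logon types that open a desktop session: 2 = interactive, 10 = RemoteInteractive (RDP).
$WatchedLogonTypes = @('2', '10')
# Built-in session accounts (DWM-n, UMFD-n) log on with type 2 for every desktop session.
$IgnoredDomains    = @('Window Manager', 'Font Driver Host')

function ConvertFrom-LogonEvent {
    # Flatten a Security 4624 event returned by Get-WinEvent into a simple record.
    param([Parameter(Mandatory)] $WinEvent)
    $fields = @{}
    foreach ($d in ([xml]$WinEvent.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $WinEvent.TimeCreated
        Domain    = $fields['TargetDomainName']
        User      = $fields['TargetUserName']
        LogonType = $fields['LogonType']
        Source    = $fields['IpAddress']
    }
}

function Get-UnexpectedLogon {
    # Return session logons made by any account that is not on the allow-list.
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Record)
    foreach ($r in $Record) {
        if ($WatchedLogonTypes -notcontains [string]$r.LogonType) { continue }
        if ($IgnoredDomains -contains $r.Domain) { continue }
        $account = '{0}\{1}' -f $r.Domain, $r.User
        if ($AllowedAccounts -notcontains $account) {   # comparison is case-insensitive
            [pscustomobject]@{ Time = $r.Time; Account = $account; LogonType = $r.LogonType; Source = $r.Source }
        }
    }
}

# Constructed sample records (not real log data): an allowed admin over RDP, a DWM
# session account, a network logon (type 3), and an account that is not on the allow-list.
$sample = @(
    [pscustomobject]@{ Time = '2024-01-01 08:00'; Domain = 'BACKUPDOM'; User = 'vbr-admin1'; LogonType = '10'; Source = '192.0.2.10' }
    [pscustomobject]@{ Time = '2024-01-01 08:00'; Domain = 'Window Manager'; User = 'DWM-2'; LogonType = '2'; Source = '-' }
    [pscustomobject]@{ Time = '2024-01-01 09:15'; Domain = 'BACKUPDOM'; User = 'vbr-admin2'; LogonType = '3'; Source = '192.0.2.11' }
    [pscustomobject]@{ Time = '2024-01-01 23:40'; Domain = 'BACKUPDOM'; User = 'svc-deploy'; LogonType = '10'; Source = '192.0.2.50' }
)
Get-UnexpectedLogon -Record $sample

# Live use on the VBR server (elevated prompt), last 24 hours:
# $live = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } `
#           -ErrorAction SilentlyContinue | ForEach-Object { ConvertFrom-LogonEvent $_ })
# Get-UnexpectedLogon -Record $live
```

This covers operating-system logons to the VBR server only; as the post says, logins to the console itself do not currently have a report.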

Re: A few questions about security of Backup & Replication

Post by PeterC »

Hi David,

Thank you very much for your answer.
We have our backup environment in an isolated backup domain with only 2 named accounts who have access to the VBR server and console. So unauthorized users won't be able to access the console. (Or the named accounts have to be compromised).

All file restores are performed using Enterprise Manager with accounts that are restore operators, no admin accounts or rights here.

We have all backups stored on immutable backup storage; there is no access to this storage through ssh, rdp, etc.
So deleting backup files should (almost) be impossible. I don't know if it would still be necessary to implement Four-eyes Authorization.
But maybe this could be a good thing to take a look at.

Re: A few questions about security of Backup & Replication

Post by david.domask » 1 person likes this post

Hi Peter,

Glad I could help share some information here.

Sounds like you've already got a lot of the best practices in place; this is very pleasant to read :) Seems you're on the right track then, and the reporting options I mentioned will help you further ensure the environment is secured.

As for Four-Eyes, it's largely a matter of preference. Given your setup with only two accounts accessing the Veeam server, if you're comfortable without Four Eyes then I think it's fine. Four-Eyes is useful in all situations if you have a need to ensure backups cannot be deleted from the console without authorization, but if your current scheme works for you and the other administrators, then no need for Four-Eyes, but it's there if you want it and it always is a good layer of protection for the backups.
David Domask | Product Management: Principal Analyst