jguillot
Novice
Posts: 9
Liked: never
Joined: Dec 12, 2017 6:36 pm

Account to use for non domain joined server

Post by jguillot »

Hello,

I have a question about which user account to use as a service account for a repository in a non-domain joined server.

From a security point of view for the server, is it better to use the local built-in administrator or a local account in the administrator group by disabling the Remote UAC (LocalAccountFilterToken registry at 1)?

And depending on the answer, why?

Thank you for your answers.

Jeremy
Egor Yakovlev
Product Manager
Posts: 2578
Liked: 707 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic

Re: Account to use for non domain joined server

Post by Egor Yakovlev »

Hi J!

Check out the "Security" part of Veeam Best Practices.
That answers the questions above and has more insights to strengthen the infrastructure and choose the best approach to configure Veeam with.

/Thanks!

Re: Account to use for non domain joined server

Post by jguillot »

Thanks for the reply, but I have already looked at the best practices and it is not clear.

It says that the easiest way is to use the built-in local administrator account and that UAC should be disabled as a last resort.

And it also says that we can use another local user account by disabling Remote UAC.

But that doesn't say from an overall security point of view which solution is best.

Thank you.

Jeremy

Re: Account to use for non domain joined server

Post by Egor Yakovlev »

Well, the best from a security standpoint would be a separate forest with domain trust. It is also the hardest to implement.
If you are 100% sure you want a standalone Workstation, you will have to deal with NTLM (Kerberos won't be with you), a local account (which makes it more vulnerable) and disabled UAC (to bypass the way domain joined machines filter out non-domain requests) - these are the main downsides of it.
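
A read-only audit of the settings this thread weighs against each other, added here as an example; it is not from the thread or from Veeam documentation. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts module, and it uses `LocalAccountTokenFilterPolicy`, the Windows registry value that controls Remote UAC for local accounts.

```powershell
# Added example: reports the Remote UAC state and the local admin accounts
# on a standalone (non-domain-joined) server. Makes no changes to the system.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when the value is absent (Windows then applies its default).
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# 1 = Remote UAC disabled: every local administrator gets a full token remotely.
$remoteUac = Get-PolicyValue 'LocalAccountTokenFilterPolicy'
# 1 = Admin Approval Mode is also applied to the built-in Administrator.
$adminApproval = Get-PolicyValue 'FilterAdministratorToken'

# The built-in Administrator is identified by RID 500, not by its name,
# so a renamed account is still found.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# Local user accounts in BUILTIN\Administrators (well-known SID S-1-5-32-544).
$localAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' }

[pscustomobject]@{
    RemoteUacDisabled         = ($remoteUac -eq 1)
    AdminApprovalForBuiltin   = ($adminApproval -eq 1)
    BuiltinAdminName          = $builtin.Name
    BuiltinAdminEnabled       = $builtin.Enabled
    LocalAdminAccounts        = ($localAdmins.Name -join ', ')
    LocalAdminCount           = @($localAdmins).Count
} | Format-List

if ($remoteUac -eq 1 -and @($localAdmins).Count -gt 1) {
    Write-Warning ('Remote UAC is disabled: all {0} local administrator accounts ' +
        'receive a full administrative token over the network.' -f @($localAdmins).Count)
}
```

With Remote UAC disabled the setting applies to every local account in the Administrators group, not only the service account, so the count of local administrators is the number to keep as small as possible.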

Re: Account to use for non domain joined server

Post by jguillot »

In the case of a separate forest with domain trust, how does Veeam work if the AD servers are down/compromised, if a full infrastructure restore is required?

Re: Account to use for non domain joined server

Post by Egor Yakovlev »

You will have to restore domain controllers first in this case.
By default, a non-authoritative restore of DCs is performed, which can be followed by authoritative SYSVOL promotion, all according to the Microsoft guide on how to restore a domain in case of a complete loss.