An AD "Veeam" Service Account - What Privilege?


by nitramd » Mon Jun 12, 2017 7:04 pm

Suppose you create a Veeam service account in Active Directory and provide this account with sufficient admin credentials for application-aware processing and guest file system indexing.

Would it be better to add this service account to the Local Administrators group on all of your servers or would it be better to add the Domain Admin group only to this service account?

-MD


by haslund » Mon Jun 12, 2017 11:26 pm

I think that comes down to your local policies. Making an account a domain admin could cause issues with audits, so setting a GPO to assign local admin rights on VMs only where needed might be better, but it also means much more management overhead.
Rasmus Haslund
Principal Technologist, Global Education Services @ Veeam Software
Veeam Certified Architect #1 | Veeam Certified Trainer #4 [v7,v8,v9] | Veeam Certified Trainer Mentor #1
Twitter: @haslund
Blog: www.perfectcloud.org


by nitramd » Tue Jun 13, 2017 7:10 pm

Thank you for the reply.

So let me pose another scenario using the Veeam service account mentioned above.

Suppose that the Veeam service account has been breached.

Which admin group strategy, Local Admin or Domain Admin, would cause the least damage?


by coolsport00 » Tue Jun 13, 2017 7:50 pm

Anytime a domain account is breached, that is more critical than local.
Shane Williford
Sr. Systems Engineer

VMware vExpert 2011-17
Cisco CCENT, VCAP5-DCA, VCP-DCV/DT/Cloud
Twitter: @coolsport00


by nitramd » Wed Jun 14, 2017 1:45 pm

Thanks for the input - great information and a good sanity check.


by YoMarK » Thu Jun 15, 2017 3:24 pm

Something to keep in mind: a domain admin should never have been called "domain admin". The name *should* have been "domain controller admin".
So the best practice is to never use a domain admin account for anything other than logging on to domain controllers.


by skrause » Thu Jun 15, 2017 3:54 pm

One of the security best practices (at least around here, where the AD is used by multiple organizations and managed centrally) is to remove Domain Admins from your servers' local Administrators group and to have a different AD group, containing the accounts that need admin access (super-user accounts, service accounts that need admin access, etc.), added to the local Administrators group on your servers through a GPO.
Steve Krause
Veeam Certified Architect


by iftikarsaeedi » Mon Jun 19, 2017 6:00 am

From a security and auditing point of view, the recommendation for the Veeam admin account is to use local admin.
Scenarios for different organization needs:

Small organization: we can use a single domain user account and add it to local admin on the servers from which backups have to be taken.

Medium and big organization: in a medium or big organization, where there are more security concerns and many more administrators involved, you should have multiple accounts created and added to local admin depending on the application group, database group, and critical server group. Then if any one account is compromised, it won't affect all servers.


by iftikarsaeedi » Mon Jun 19, 2017 6:10 am

Please check this article from Microsoft about "Securing Critical and Service Accounts"; it explains the "Service Account Vulnerability Scenarios" in detail:
https://msdn.microsoft.com/en-us/library/cc875826.aspx


by Hoegimator » Mon Jun 19, 2017 8:17 am

Hi Community

I asked that question about 3 years ago in a support ticket, and the answer I got was this:

Unfortunately it is impossible - we need access to ADMIN$ of the guest VM in order to upload VSS agents, and for a generic VM you can use local admin, but it is disabled on DCs.
Another solution would be to back up this machine without VSS, but you would have to create the DC DB using some other tool, as it will be inconsistent without VSS.


I guess, if you want to have a consistent domain controller backup, you need full administrator rights on it.


by Kraken » Mon Jun 19, 2017 11:09 am

In an AD environment, you can also use the Restricted Groups feature in Group Policy to add/remove the Veeam account to/from the local Administrators group on the machines you want to back up. It makes the whole process much easier, and the "backup admin account" is locked to the specific group of machines.

It's a bit tricky though, because with Restricted Groups you need "Force this group to be part of that group", which means having a security group with only the "Veeam admin" in it, and the policy enforces membership of this group in local Administrators. I tried other approaches as well, but so far this one has proved to be the "not interfering, working and easy-to-maintain" one.
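Both the GPO approach in skrause's post (replace the contents of local Administrators so Domain Admins is gone) and the Restricted Groups approach in Kraken's post (force a dedicated Veeam group to be a member of local Administrators) end up in the same file: the [Group Membership] section of the policy's GptTmpl.inf under SYSVOL. The two settings behave differently, which is the "tricky" part Kraken mentions: a `<group>__Memberof` line is additive (the named group is put into Administrators and nothing else is touched), whereas a `*S-1-5-32-544__Members` line is authoritative (every refresh removes any member not on the list). The script below, added here as an example and not code from Veeam or from any poster, parses that section and reports which of the two a policy does to local Administrators and whether Domain Admins (RID 512) is kept in. The two inf texts, the domain SID and the CONTOSO group names are constructed for the example; a real GptTmpl.inf is UTF-16, which `analyze_gpttmpl()` accounts for.

```python
"""Report what a GPO's Restricted Groups settings do to local Administrators.

Added example, not Veeam's code. Parses the [Group Membership] section of a
GptTmpl.inf (Computer Configuration > Windows Settings > Security Settings >
Restricted Groups). SIDs and group names below are constructed.
"""
import re

BUILTIN_ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of local Administrators
DOMAIN_ADMINS_SID = re.compile(r"\*S-1-5-21(?:-\d+){3}-512")  # <domain SID>-512

# Constructed sample 1: the additive pattern ("This group is a member of").
# A dedicated Veeam admin group is forced into Administrators; existing members
# are left alone. The empty __Members line for the domain group is what the
# editor writes out; it has no effect on member servers.
SAMPLE_ADDITIVE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
"""

# Constructed sample 2: an authoritative list ("Members of this group") on
# Administrators. Anything not listed is removed at every policy refresh, and
# this particular list keeps Domain Admins in.
SAMPLE_AUTHORITATIVE = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,*S-1-5-21-1111111111-2222222222-3333333333-512,CONTOSO\\Veeam-LocalAdmins
"""


def parse_group_membership(inf_text):
    """Return {group: {"members": [...] | None, "memberof": [...] | None}}."""
    policy, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "group membership":
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if "__" not in key:
            continue
        group, kind = key.rsplit("__", 1)
        kind = kind.strip().lower()
        if kind not in ("members", "memberof"):
            continue
        if group.lower() == "administrators":  # name form of the builtin group
            group = BUILTIN_ADMINISTRATORS
        entries = [v.strip() for v in value.split(",") if v.strip()]
        policy.setdefault(group, {"members": None, "memberof": None})[kind] = entries
    return policy


def is_domain_admins(member):
    """True for Domain Admins given as '<domain SID>-512' or 'DOMAIN\\Domain Admins'."""
    return bool(DOMAIN_ADMINS_SID.fullmatch(member)) or member.lower().endswith("domain admins")


def local_admin_effect(policy):
    """Summarise the policy's effect on the local Administrators group."""
    authoritative = policy.get(BUILTIN_ADMINISTRATORS, {}).get("members")  # None if absent
    additive = sorted(g for g, p in policy.items()
                      if g != BUILTIN_ADMINISTRATORS
                      and BUILTIN_ADMINISTRATORS in (p["memberof"] or []))
    da_forced = any(is_domain_admins(m) for m in (authoritative or []))
    findings = []
    if authoritative is not None:
        findings.append("Administrators__Members is defined: membership is replaced "
                        "at every refresh; members not on the list are removed")
    if da_forced:
        findings.append("Domain Admins is explicitly kept in local Administrators")
    for g in additive:
        findings.append(f"{g} is added to local Administrators (additive, others untouched)")
    if authoritative is None and not additive:
        findings.append("policy does not touch local Administrators")
    return {"authoritative": authoritative, "additive": additive,
            "domain_admins_forced": da_forced, "findings": findings}


def analyze_gpttmpl(path):
    """Read a real GptTmpl.inf (UTF-16 with BOM) from SYSVOL and analyse it."""
    with open(path, encoding="utf-16") as fh:
        return local_admin_effect(parse_group_membership(fh.read()))


if __name__ == "__main__":
    for name, text in (("additive", SAMPLE_ADDITIVE), ("authoritative", SAMPLE_AUTHORITATIVE)):
        print(name, local_admin_effect(parse_group_membership(text))["findings"])
```

Run it against `\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` for each GPO linked to the server OUs: an additive `__Memberof` entry for the Veeam group is what Kraken describes, while an authoritative `*S-1-5-32-544__Members` entry is the only way to actually remove Domain Admins as skrause does, and that list then has to contain every account that should keep local admin.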


by nmdange » Mon Jun 19, 2017 1:51 pm

Hoegimator wrote:
Hi Community

I asked that question about 3 years ago in a support ticket, and the answer I got was this:

Unfortunately it is impossible - we need access to ADMIN$ of the guest VM in order to upload VSS agents, and for a generic VM you can use local admin, but it is disabled on DCs.
Another solution would be to back up this machine without VSS, but you would have to create the DC DB using some other tool, as it will be inconsistent without VSS.

I guess, if you want to have a consistent domain controller backup, you need full administrator rights on it.


This is incorrect. You can use VMware Tools (for VMware) or Hyper-V native quiescence, which means VMware or Hyper-V will inform the guest to take a VSS snapshot rather than Veeam. This removes the need for Veeam to have admin access to the VM. I use this method for all of my VMs except SQL Server VMs, where I want Veeam to truncate the SQL transaction logs. I also use an admin account to do guest file system indexing on our file server VMs, but most VMs don't need this. Using native quiescing does not prevent you from doing app-aware restores using the Veeam Explorer tool for AD/Exchange/SQL/Oracle either.
