Comprehensive data protection for all workloads
StoopidMonkey (Chris Lukowski)

Are "management domain" console servers obsolete now that MFA can be enforced?

Post by StoopidMonkey »

Before the ability to enforce MFA for logins to the Veeam Console, the best-practice advice was to create a separate Active Directory management domain, where a server joined to that domain would host the Veeam Console program that would control the VBR server that remained in the production domain. The idea was that if a domain admin account was compromised, an attacker still wouldn't be able to log into Veeam because it would need credentials from the uncompromised management domain. Now that we can prevent logins unless MFA is presented, does that make this advice obsolete?
vcharlie (Charles Clarke, Veeam Software)

Re: Are "management domain" console servers obsolete now that MFA can be enforced?

Post by vcharlie »

Hi there. In short, no, the advice still stands. Having the VBR server in a separate domain (or workgroup) makes sense. Although a compromised domain admin may not be able to log in to the Veeam console, they can still do plenty of nefarious things, like stop Veeam services, break firewall rules, maybe even get access to the Veeam database. I've even seen folks attempt to DCpromo to get a copy of an AD database they can exfiltrate and crack at their leisure (not a Veeam-server-specific issue, mind you)! Keeping your get-out-of-jail card (or part of it; secure repos are really where the buck stops) in a separate authentication realm is still a good idea.
Hope that helps
C
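As an added example (not code from this thread, from Veeam, or from either poster), the following PowerShell audit checks the three exposures Charles describes on a backup server that is still tied to the production domain: domain membership of the host, production-domain principals in the local Administrators group (who can stop services and change firewall rules regardless of console MFA), and Veeam services running under production-domain accounts. It assumes it runs locally on the VBR server with administrative rights; the domain names are placeholders.

```powershell
# Added example, not part of the forum thread. Run on the VBR host as a local administrator.
param(
    [string]$ProductionDnsDomain = 'corp.example.com',  # placeholder: the production AD domain
    [string]$ProductionNetbios   = 'CORP'               # placeholder: its NetBIOS name (used in DOMAIN\user names)
)

$findings = @()

# 1. Host domain membership: joined to production, joined to a separate management domain, or workgroup.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    if ($cs.Domain -ieq $ProductionDnsDomain) {
        $findings += "Host is joined to production domain '$($cs.Domain)': a compromised production domain admin controls this machine."
    } else {
        $findings += "Host is joined to '$($cs.Domain)', not production: consistent with a dedicated management domain."
    }
} else {
    $findings += "Host is in workgroup '$($cs.Workgroup)': not reachable through production domain credentials."
}

# 2. Production-domain principals holding local Administrators rights on the backup server.
#    Console MFA does not stop a local admin from stopping services or editing firewall rules.
Get-LocalGroupMember -Group 'Administrators' | Where-Object {
    $_.PrincipalSource -eq 'ActiveDirectory' -and $_.Name -like "$ProductionNetbios\*"
} | ForEach-Object {
    $findings += "Production-domain principal '$($_.Name)' is a member of local Administrators."
}

# 3. Veeam services running as production-domain accounts: a standing dependency on that domain.
Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'Veeam%'" | ForEach-Object {
    if ($_.StartName -like "$ProductionNetbios\*") {
        $findings += "Service '$($_.Name)' runs as production-domain account '$($_.StartName)'."
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No production-domain dependencies found on this host.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Findings reported here are a starting point for deciding whether the host should move to a separate domain or workgroup; they say nothing about the repository side, which Charles notes is where the buck really stops.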