I hope it is not a stupid question. It is written about somewhere, but with all the info overload I can't find the proper answer.
It is best practice to keep the B&R Server out of the domain, secured by a firewall, have immutable storage... so attackers from the internal network have a harder time getting TO the Backup area.
But the other way around? For example, to back up an AD Domain Server VM, you need to provide "Domain Admin" credentials to the B&R server so it can fully process it, as written for example here: https://helpcenter.veeam.com/docs/backu ... =120#rptcb
especially:
"To process a Domain Controller server, make sure that you are using an account that is a member of the DOMAIN\Administrators group."
Meaning, there is no better practice (BP) to resolve it by lesser permissions? What if attackers infiltrate the Veeam B&R server (beats me - in any unimaginable way... doesn't matter..), then they get hold of full Domain Admin privileges.
Is this still how it is supposed to be?
With a dedicated user with "Domain Admin" rights, which only serves as a "service account", has a complex password and is never used to log on, of course.
Or would it be better to create (if not existing) an RODC for this purpose and have Veeam only access this one with RODC account permissions?
Sorry for the stupid questions, but I am trying to think about holes in the system right now / kind of an audit.
Thanks!
David