Best approach veeam backup & account permission

Availability for the Always-On Enterprise

Best approach veeam backup & account permission

Veeam Logoby mcz » Wed May 10, 2017 11:49 am

Hello everybody,

in the section "guest OS credentials" (backup or replication job) I have selected the domain-admin-account which has per default access to any machine. Of course, this configuration works since a while.

I have now changed the admin-password, waited for the next pass of the backupjob, logged in (as a local admin) to a vm that has been backed up by veeam and dumped the lsass.exe process. After that I took a look at it using mimikatz (sekurlsa::minidump dump.dmp and sekurlsa::logonpasswords) and there I found the new password in plain text.

I know that there are solutions to prevent windows storing plain text pwd's in lsass.exe and prevent dumping the process but of course it would be better to not use the domain-admin-account for backup jobs. So the real question is: What is the best approach for using accounts for veeam purposes like stopping services via script, doing indexing, enable explorers for exchange, ad and so on? What is the minimum permission a account must have that the job will be successful? Is it better to use a local admin account or how should it be handled?

Thanks in advance!
mcz
Enthusiast
 
Posts: 48
Liked: 3 times
Joined: Tue Jul 19, 2016 8:39 am
Full Name: Michael

Re: Best approach veeam backup & account permission

Veeam Logoby DGrinev » Wed May 10, 2017 3:38 pm

Hi Michael,

mcz wrote:What is the best approach for using accounts for veeam purposes like stopping services via script

The recommended way for stopping services via script described in the article called "Pre-Freeze and Post-Thaw Scripts".
Detailed description of all required permissions for the different accounts described in the User Guide. Thanks!
DGrinev
Veeam Software
 
Posts: 317
Liked: 38 times
Joined: Thu Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev

Re: Best approach veeam backup & account permission

Veeam Logoby mcz » Wed May 17, 2017 8:44 am

Hi Dmitry,

thanks for the answer but I still couldn't get the information I needed. Basically I just wannted to know which local permissions the user needs to have for indexing and executing the scripts for starting and stopping services. So which usergroup do I have to choose for the user?
mcz
Enthusiast
 
Posts: 48
Liked: 3 times
Joined: Tue Jul 19, 2016 8:39 am
Full Name: Michael

Re: Best approach veeam backup & account permission

Veeam Logoby DGrinev » Wed May 17, 2017 12:08 pm

Hi Michael,

The user should have local administrator permissions for indexing, managing services by using scripts or any other interactions with guest OS.
For the explorers of exchange, AD and so on, you can find required permissions in the UG.

Thanks!
DGrinev
Veeam Software
 
Posts: 317
Liked: 38 times
Joined: Thu Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev


Return to Veeam Backup & Replication



Who is online

Users browsing this forum: No registered users and 14 guests