Availability for the Always-On Enterprise
jrafter
Novice
Posts: 6
Liked: never
Joined: Dec 02, 2016 3:12 pm
Full Name: John R

Credentials - Best practice and security

Post by jrafter » Dec 29, 2017 8:33 pm

Current setup is B&R v9.5 that uses a service account (domain admin) to back up our VM environment. All repos have been added to the console using the same account. All the jobs run under this account as it was for a POC. Now that we have gotten the full install, I was looking for a more secure way of managing the whole system with the credentials. I have read some posts using different credentials per repo, different credentials for different jobs, etc., but there's nothing definitive besides the permissions KB by VEEAM. We also are attempting to add a DMZ ESXi host to the B&R console as well, which also brings up the question about credentials and security. Are the credentials constantly polling the host, or is it the initial add of a host/server that they are used for?

What are current customers doing right now? Does anyone have any recommendations or go-to guides?

s_t
Service Provider
Posts: 14
Liked: 7 times
Joined: Apr 06, 2015 8:14 pm
Full Name: Sebastian Talmon
Location: Germany

Re: Credentials - Best practice and security

Post by s_t » Dec 29, 2017 10:17 pm 1 person likes this post

From a usability perspective: use accounts with as few dependencies as possible (do not use domain credentials to run the Veeam services or to connect to vCenter, so you are able to do restores also if your domain is not operable anymore)

You could find recommendations from a security perspective in the Best Practice guide:
https://bp.veeam.expert/infrastructure_ ... ening.html
--Sebastian

CloudMSP
Service Provider
Posts: 30
Liked: 11 times
Joined: Jul 16, 2017 5:39 am
Full Name: Veeam MSP

Re: Credentials - Best practice and security

Post by CloudMSP » Dec 30, 2017 7:45 pm 1 person likes this post

Don't you need a domain admin generally to get a proper application-aware backup? What are people really doing? Local accounts? Please give more info, Veeam.

tdewin
Veeam Software
Posts: 1301
Liked: 426 times
Joined: Mar 02, 2012 1:40 pm
Full Name: Timothy Dewin

Re: Credentials - Best practice and security

Post by tdewin » Dec 31, 2017 10:24 am 1 person likes this post

You can use local administrator accounts, but in general this becomes a nightmare to manage if you have more than, let's say, 20 VMs. That's why I guess most customers are using domain accounts.

FYI, in the applications sections, you can do an overwrite per VM:
https://helpcenter.veeam.com/docs/backu ... tml?ver=95

s_t
Service Provider
Posts: 14
Liked: 7 times
Joined: Apr 06, 2015 8:14 pm
Full Name: Sebastian Talmon
Location: Germany

Re: Credentials - Best practice and security

Post by s_t » Jan 08, 2018 9:08 am 1 person likes this post

You have to differentiate between
(1) the account that is used to run Veeam itself
(2) the account that is used for connection to VMware and/or Hyper-V
(3) the Account for application aware guest processing

My recommendation to use local accounts was for (1) and (2)

For application-aware processing, local accounts "become a nightmare", as Timothy said - I would use domain accounts for this.
You do not need a real domain admin for this, but almost... e.g. application-aware handling of domain controllers does not work without a domain admin, as there is no local admin on a domain controller.

https://helpcenter.veeam.com/docs/backu ... tml?ver=95

There is also a restriction if you have no network connection to the guest OS and you do application-aware processing with tunneling through the VMware Tools (UAC problems if you do not use a well-known account, see veeam-backup-replication-f2/backup-fail ... 18-15.html)
--Sebastian

jrafter
Novice
Posts: 6
Liked: never
Joined: Dec 02, 2016 3:12 pm
Full Name: John R

Re: Credentials - Best practice and security

Post by jrafter » Jan 09, 2018 9:33 pm

Thanks for all the replies...
For the second part of my predicament, I am about to add a standalone DMZ ESXi host which has 2 Server 2012 boxes and 2 appliances running. Is it best to create a new set of credentials on this host to add it first? Are these credentials being sent over 443 for the initial add of the host, or are these credentials continuously polled?

Based on your response above, Sebastian, is it safe to use one Veeam account to run Veeam itself for both inside and outside (DMZ)?

