Credentials - Best practice and security


by jrafter » Fri Dec 29, 2017 8:33 pm

Current setup is B&R v9.5 that uses a service account (domain admin) to back up our VM environment. All repos have been added to the console using the same account. All the jobs run under this account, as it was for a POC. Now that we have gotten the full install, I was looking for a more secure way of managing the whole system with the credentials. I have read some posts using different credentials per repo, different credentials for different jobs, etc., but there's nothing definitive besides the permissions KB by Veeam. We are also attempting to add a DMZ ESXi host to the B&R console, which also brings up the question about credentials and security. Are the credentials constantly polling the host, or is it the initial add of a host/server that they are used for?

What are current customers doing right now? Does anyone have any recommendations or go-to guides?
jrafter
Novice
 
Full Name: John R

Re: Credentials - Best practice and security

by s_t » Fri Dec 29, 2017 10:17 pm

From a usability perspective: use accounts with as few dependencies as possible (do not use domain credentials to run the Veeam services or to connect to vCenter, so you are able to do restores even if your domain is no longer operable).

You could find recommendations from a security perspective in the Best Practice guide:
https://bp.veeam.expert/infrastructure_ ... ening.html
--Sebastian
s_t
Service Provider
 
Location: Germany
Full Name: Sebastian Talmon

Re: Credentials - Best practice and security

by CloudMSP » Sat Dec 30, 2017 7:45 pm

Don't you need a domain admin generally to get a proper application-aware backup? What are people really doing? Local accounts? Please give more info, Veeam.
CloudMSP
Service Provider
 
Full Name: Veeam MSP

Re: Credentials - Best practice and security

by tdewin » Sun Dec 31, 2017 10:24 am

You can use local administrator accounts, but in general this becomes a nightmare to manage if you have more than 20 VMs, let's say. That's why I guess most customers are using domain accounts.

FYI, in the applications sections, you can do an overwrite per VM:
https://helpcenter.veeam.com/docs/backu ... tml?ver=95
tdewin
Veeam Software
 
Full Name: Timothy Dewin

Re: Credentials - Best practice and security

by s_t » Mon Jan 08, 2018 9:08 am

You have to differentiate between:
(1) the account that is used to run Veeam itself
(2) the account that is used for connection to VMware and/or Hyper-V
(3) the account for application-aware guest processing

My recommendation to use local accounts was for (1) and (2).

For application-aware processing, local accounts "becomes a nightmare" as Timothy said - I would use domain accounts for this.
You do not need a real domain admin for this, but almost... e.g. application-aware handling of domain controllers does not work without a domain admin, as there is no local admin on a domain controller.

https://helpcenter.veeam.com/docs/backu ... tml?ver=95

There is also a restriction if you have no network connection to the guest OS, and you do application aware processing with tunneling through the VMware Tools (UAC problems if you do not use a well-known account, see veeam-backup-replication-f2/backup-failing-due-to-uac-t13018-15.html)
--Sebastian

Re: Credentials - Best practice and security

by jrafter » Tue Jan 09, 2018 9:33 pm

Thanks for all the replies...
For the second part of my predicament, I am about to add a standalone DMZ ESXi host which has 2 Server 2012 boxes and 2 appliances running. Is it best to create a new set of credentials on this host to add it first? Are these credentials being sent over 443 for the initial add of the host, or are these credentials continuously polled?

Based on your response above, Sebastian, is it safe to use one Veeam account to run Veeam itself for both inside and outside (DMZ)?

