Credentials - Best practice and security

[jrafter]

Current setup is B&R v9.5 that uses a service account(domain admin) to backup our VM environment. All repos have been added to the console using the same account. All the jobs run under this account as it was for a POC. Now that we have gotten the full install I was looking for a more secure way of managing the whole system with the credentials, I have read some posts using different credentials per repo, different credentials for different jobs etc...but there's nothing definitive besides the permissions KB by VEEAM. We also are attempting to add a DMZ ESXi host to the B&R console as well which also brings up the question about credentials and security. Are the credentials constantly polling the host or is it the initial add of a host/server that they are used?

What are current customers doing right now? Does any one have any recommendations or go to guides?

[s_t]

From a usability perspective: use accounts with as few dependencies as possible (do not use domain credentials to run the Veeam services or to connect to vCenter, so you are able to do restores also if your domain is not operable anymore)

You could find recommendations from a security perspective in the Best Practice guide:
https://bp.veeam.expert/infrastructure_ ... ening.html

[CloudMSP]

Don't you need a domain admin generally to get a proper application aware backup? What are people really doing ? Local accounts? Please give more info Veaam.

[tdewin]

You can use local administrator accounts but in general, this becomes a nightmare to manage if you have more than 20 VM's let's say. That's why I guess most customers are using domain accounts.

FYI, in the applications sections, you can do an overwrite per VM:
https://helpcenter.veeam.com/docs/backu ... tml?ver=95

[s_t]

You have to differentiate between
(1) the account that is used to run Veeam itself
(2) the account that is used for connection to VMware and/or Hyper-V
(3) the Account for application aware guest processing

My recommendation to use local accounts was for (1) and (2)

For application aware processing, local accounts "becomes a nightmare" as Timothy said - I would use domain accounts for this.
You do not need a real domain admin for this, but almost... e.g. application aware handling of domain controllers do not work without a domain admin, as there is no local admin on a domain controller.

https://helpcenter.veeam.com/docs/backu ... tml?ver=95

There is also a restriction if you have no network connection to the guest OS, and you do application aware processing with tunneling through the VMware Tools (UAC problems if you do not use a well-known account, see veeam-backup-replication-f2/backup-fail ... 18-15.html)

[jrafter]

Thanks for all the replies...
For the second part of my predicament I am about to add a standalone DMZ ESXi host which has 2 server 2012 boxes and 2 appliances running. Is one best to create new set of credentials on this host to add it first? Are these credentials being sent over 443 for the initial add of the host or are these credentials continuously polled?

Based on your response above Sebastian, is it safe to use one Veeam account to run Veeam itself for both inside and outside(DMZ)?