Comprehensive data protection for all workloads
MorNor
Novice
Posts: 5
Liked: 2 times
Joined: Nov 21, 2018 7:14 am
Full Name: Morgan Nording

Feature Request - Restrict permission for local admins

Post by MorNor »

Recently had a case where I had misunderstood the permission guide, https://helpcenter.veeam.com/docs/backu ... ml?ver=120 .
I thought that if we had enabled MFA in Veeam B&R Console the local administrators on the Veeam B&R server wouldn't have administrator access inside Veeam B&R anymore.
I am shocked now that I have learned that local administrators have full administrator access inside Veeam despite what you set in Users & Roles!

Imagine a malicious user getting a foothold in your domain: it only requires local admin access on the server to access the entire backup environment.
It doesn't matter if you have hardened immutable repositories with encrypted backups. All this malicious user has to do is set retention to minimum, turn off encryption and wait it out.

I can see that you may have use for this "all local admins are gods inside Veeam" if you lose the password, but why not have some kind of emergency code for that situation? And give the user the ability to disable the Administrator access for all local administrators if they want to?
I certainly do not want my backups to be trusted by the domain and can see a high security risk here.

The Veeam support engineer confirmed this and agreed that it should be addressed!
Mildur
Product Manager
Posts: 10277
Liked: 2746 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Feature Request - Restrict permission for local admins

Post by Mildur »

Hello Morgan

How would you restrict a local admin from doing something? Accounts with local admin permissions always have a technical way to get access to the entire backup server and configuration database.

Let's assume you disable local admin access to the backup console.
As a local administrator you can still decrypt the database connection credentials and then connect to the configuration database to reconfigure access for any user account you like. There are other "hacking" techniques, like monitoring the backup server's memory. I don't know the specifics about them (I'm not a security specialist), but they exist.

A local administrator can never be limited. As soon as the attacker is on the backup server with local administrative permissions, your backup server is lost.
There is only one effective solution. Make sure that the backup server is protected from unauthorized access.
A few examples:
- Use MFA for local Windows and RDP logins.
- Use MFA for the backup console. The backup console should be used from a jump server and not directly on the backup server.
- Use a firewall to close any unnecessary network ports.

Best,
Fabian
Product Management Analyst @ Veeam Software
MorNor
Novice
Posts: 5
Liked: 2 times
Joined: Nov 21, 2018 7:14 am
Full Name: Morgan Nording

Re: Feature Request - Restrict permission for local admins

Post by MorNor »

This malicious user is not necessarily a hacker; it could be a vengeful employee seeking to do damage who doesn't have much knowledge about decrypting database encryption strings and such.
Or let's say the IT infrastructure department consists of 15 system engineers, where about 10 administer Windows servers but only 2-3 should administer the Veeam application.
You only want the other 12 engineers to be able to create backup jobs, run backups, restore in any way but not be able to change administrative settings.

I don't understand why you would want all accounts with local admin permission to automatically be given administrative access inside the Veeam application?
Gostev
Chief Product Officer
Posts: 32217
Liked: 7585 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Feature Request - Restrict permission for local admins

Post by Gostev »

Because administrative access inside the Veeam application (or any other application running on the server) is trivial to obtain for any account with local admin permission, while as you correctly mentioned they might have a malicious or vengeful intent. So we don't want to create a false impression of security by not explicitly giving such accounts administrative access right away. This makes customers think about the whole problem - just like it forced you to think about this - and restrict the number of users with local admin permission for the backup server compared to their usual practices.
LickABrick
Enthusiast
Posts: 67
Liked: 31 times
Joined: Dec 23, 2019 7:26 pm
Full Name: Lick A Brick

Re: Feature Request - Restrict permission for local admins

Post by LickABrick »

Would it be an idea to show a little message with some explanation of this or make the local admins group non removable? I understand your point and agree but currently the users page is ‘lying’ by saying local admins are not allowed to login while they still are if you remove them.
Gostev
Chief Product Officer
Posts: 32217
Liked: 7585 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Feature Request - Restrict permission for local admins

Post by Gostev »

LickABrick wrote: Sep 03, 2024 9:11 pm
currently the users page is ‘lying’ by saying local admins are not allowed to login while they still are if you remove them
We can correct this; however, may I ask where you see this? As I see exactly the opposite in the User Guide:
Local and domain members of the Administrators group will still have full access to Veeam Backup & Replication even if you delete this group in the Users and Roles > Security window
LickABrick
Enthusiast
Posts: 67
Liked: 31 times
Joined: Dec 23, 2019 7:26 pm
Full Name: Lick A Brick

Re: Feature Request - Restrict permission for local admins

Post by LickABrick »

@Gostev, I do see it is mentioned in the User Guide. But not in the UI of Veeam itself:
[image: screenshot of the Users and Roles page]

The user added here is not a local admin, but local admins not in this list can still log in to Veeam.
jeremyrogers
Influencer
Posts: 11
Liked: 6 times
Joined: Jul 13, 2023 2:43 pm
Full Name: Jeremy Rogers

Re: Feature Request - Restrict permission for local admins

Post by jeremyrogers » 1 person likes this post

There seems to be some confusion between the Best Practices docs, the Help Center and common wisdom on this.

For grins I set up local admin accounts "localhost\10001" and "localhost\10002" on a lab instance of 12.1.0.172 and granted "10001" the Backup Administrator role in VBR. The second account "10002" has no rights assigned in VBR.
(Note: the default Builtin\Administrator role has been deleted for an internal compliance/audit requirement of only named users having access.)

Logging into the VBR console works fine for account 10001, but account 10002 gets a "failed to connect to Veeam Backup & Replication server: Access is denied" despite having admin rights on the local VBR server.

To the OP's original concern, enabling Four-eyes authentication can sorta mitigate this, and having Veeam ONE real-time alerts flag events like retention/immutability state changes can make other team members or compliance officers aware that something shady is going on.

NOW that said:
A local admin can do anything they want with the database (if using local SQL or PostgreSQL), retrieve valid credentials from remote SQL/PostgreSQL instances and/or reset other local account credentials after determining which have access. Someone having local admin rights on your backup infrastructure means all bets are off from a practical standpoint, even if the easy attempts to do wrong fail.
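Both Fabian's answer (keep the set of local administrators on the backup server as small as possible) and Jeremy's (alert other team members when something shady happens) come down to one control: knowing exactly who is in the local Administrators group of the backup server and being told the moment that changes. The script below is an added example for this thread; it is not Veeam code and not something any poster provided. It reads Windows Security events 4732 (member added to a security-enabled local group) and 4733 (member removed) as a log shipper would export them to JSON, raises a high-severity alert whenever someone outside an approved allow-list is added to Administrators, and also checks a plain membership snapshot (the output of `net localgroup Administrators` on the server) against the same allow-list. The field names follow the Windows event XML; the host name `VBR01`, the domain `CORP`, the account names and the allow-list are constructed placeholders.

```python
"""Detect drift in the local Administrators group of a backup server.

Added example, not Veeam's code. The sample events below are constructed:
they imitate Windows Security events 4732 / 4733 / 4624 exported as JSON
lines by a log shipper (field names as in the event XML, values made up).
"""
from dataclasses import dataclass
import json

# Approved members of the backup server's local Administrators group.
# Assumption: the organisation keeps a dedicated, small AD group for
# backup admins instead of granting Domain Admins. Names are placeholders.
APPROVED_ADMINS = {
    "VBR01\\Administrator",
    "CORP\\vbr-admins",
}
PROTECTED_GROUP = "Administrators"

# Constructed sample log (one JSON event per line). In the Python source a
# backslash is written as "\\\\" so that the JSON text contains "\\" and the
# parsed value contains a single backslash, matching APPROVED_ADMINS above.
SAMPLE_LOG = """\
{"EventID": 4732, "TimeCreated": "2024-09-03T20:58:11Z", "SubjectUserName": "CORP\\\\jsmith", "TargetUserName": "Administrators", "MemberName": "CORP\\\\vbr-admins"}
{"EventID": 4732, "TimeCreated": "2024-09-03T21:02:45Z", "SubjectUserName": "CORP\\\\jsmith", "TargetUserName": "Administrators", "MemberName": "CORP\\\\jsmith"}
{"EventID": 4732, "TimeCreated": "2024-09-03T21:03:10Z", "SubjectUserName": "CORP\\\\jsmith", "TargetUserName": "Remote Desktop Users", "MemberName": "CORP\\\\helpdesk"}
{"EventID": 4733, "TimeCreated": "2024-09-03T21:30:00Z", "SubjectUserName": "VBR01\\\\Administrator", "TargetUserName": "Administrators", "MemberName": "CORP\\\\jsmith"}
{"EventID": 4624, "TimeCreated": "2024-09-03T21:31:00Z", "SubjectUserName": "-", "TargetUserName": "CORP\\\\jsmith", "LogonType": 10}
"""


@dataclass(frozen=True)
class Alert:
    time: str
    severity: str   # "high" for unapproved additions, "info" otherwise
    message: str


def parse_events(text):
    """Parse JSON-lines event export into a list of dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def membership_drift(events, approved=APPROVED_ADMINS, group=PROTECTED_GROUP):
    """Walk group-change events for `group` and return (alerts, unapproved).

    `alerts` lists one Alert per add/remove on the protected group;
    `unapproved` is the set of members outside `approved` that were added
    and not removed again within the event window.
    """
    alerts = []
    unapproved = set()
    for ev in events:
        if ev.get("TargetUserName") != group:
            continue  # changes to other groups are out of scope here
        member = ev.get("MemberName", "")
        actor = ev.get("SubjectUserName", "?")
        when = ev.get("TimeCreated", "?")
        if ev.get("EventID") == 4732:
            if member in approved:
                alerts.append(Alert(when, "info",
                                    f"{actor} added approved member {member} to {group}"))
            else:
                unapproved.add(member)
                alerts.append(Alert(when, "high",
                                    f"{actor} added UNAPPROVED member {member} to {group}"))
        elif ev.get("EventID") == 4733:
            unapproved.discard(member)
            alerts.append(Alert(when, "info",
                                f"{actor} removed {member} from {group}"))
    return alerts, unapproved


def unapproved_members(current_members, approved=APPROVED_ADMINS):
    """Point-in-time check: members of the group that are not on the allow-list.

    `current_members` is an iterable of account names as listed by the OS
    (e.g. each line of `net localgroup Administrators`, domain-qualified).
    """
    return set(current_members) - set(approved)


if __name__ == "__main__":
    alerts, still_unapproved = membership_drift(parse_events(SAMPLE_LOG))
    for a in alerts:
        print(f"[{a.severity:4}] {a.time} {a.message}")
    print("unapproved members at end of window:", still_unapproved or "none")
    # Snapshot check against a constructed membership listing.
    snapshot = ["VBR01\\Administrator", "CORP\\vbr-admins", "CORP\\Domain Admins"]
    print("unapproved in snapshot:", unapproved_members(snapshot))
```

The event-driven check catches the window Jeremy describes, where an account is added, used, and removed again before anyone looks; the snapshot check is the periodic compliance view that would have shown that Domain Admins, not a named backup-admin group, holds the keys. Either finding should page a second person, which is the same idea as the Four-eyes feature mentioned above, applied one layer below Veeam at the operating system boundary that Fabian and Gostev both identify as the real one.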
