audax
Novice
Posts: 7
Liked: never
Joined: Jan 25, 2017 9:07 am

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by audax » Dec 29, 2017 8:58 am

+1

ggrice
Influencer
Posts: 10
Liked: 3 times
Joined: Aug 16, 2013 8:19 am
Full Name: Geoff Grice

Post by ggrice » Dec 29, 2017 11:46 am

RADIUS 2fa would be a nice addition!

ChrisGundryCEGA
Enthusiast
Posts: 82
Liked: 5 times
Joined: Aug 26, 2015 2:56 pm
Full Name: Chris Gundry

Post by ChrisGundryCEGA » Jan 02, 2018 9:18 am

+1

Strack
Lurker
Posts: 1
Liked: never
Joined: Dec 18, 2017 10:56 am

Post by Strack » Jan 02, 2018 12:48 pm

That's exactly what you can hope for in that situation. I'm fully in favor of this suggestion too. We could also use this in our firm.

YouGotServered
Service Provider
Posts: 36
Liked: 6 times
Joined: Mar 11, 2016 7:41 pm
Full Name: Cory Wallace

Post by YouGotServered » Feb 05, 2018 4:34 pm

+1

jayscarff
Service Provider
Posts: 80
Liked: 3 times
Joined: Nov 15, 2016 6:56 pm
Location: Cayman Islands

Post by jayscarff » Feb 06, 2018 1:09 am

+1 for sure, though will probably try DUO on the VAC!
Jason
VMCE v9

paul777
Novice
Posts: 6
Liked: never
Joined: Feb 21, 2016 9:07 pm
Full Name: Paul

Post by paul777 » Mar 23, 2018 2:06 pm

A bit of time has passed since the last post on this thread. I was wondering, I saw one of Gostev's weekend blog emails about maybe 6 months ago that had a good story/review of a Ransomware attack. Then Gostev goes on to talk about two factor authentication for the Veeam BU server itself. I can't find that blog! If anyone remembers this and/or can point me toward it I'd appreciate it. I've got a lot of other material about this but I want to find that one excellent post if possible. Thanks in advance.

nitramd
Expert
Posts: 136
Liked: 21 times
Joined: Feb 16, 2017 8:05 pm

Post by nitramd » Mar 23, 2018 2:42 pm 1 person likes this post

Perhaps this is it:

Another attack story from one of our customers, who hired a security firm post-attack to investigate this attack thoroughly – thus all the scary details. Cryptomix Arena made its way into the network and started encrypting Windows file servers and Hyper-V VMs. Once VHDs were encrypted, the ransomware deleted the original VHDs and ran a disk scrubber. Next, actual hackers appeared (feels just like sharks sensing blood in the water, doesn't it – but what really happens is ransomware "phones home"). After failing to connect to the Veeam backup server through PowerShell, hackers managed to instead log on to one locally by brute forcing RDP, and proceeded to delete all backups manually – both those sitting on the local NAS, and their copies in Cloud Connect. They also manually ran a disk scrubber to ensure those local backups could not be recovered. Finally, they accessed Hyper-V management console and deleted the backup server VM entirely. The only way customer managed to recover some of their data was from storage snapshots.

So if this does not teach you to implement two-factor authentication for RDP access to your critical systems, then I don't know what else will. And naturally, the Insider Protection functionality for Veeam Cloud Connect cannot come fast enough – luckily, Update 3 is just around the corner now. Also, this story confirms the importance of having some sort of air gap – even if it was not true air gap in this case, still the hacker either was completely unaware of the presence of storage snapshots, or simply was not able to break into the storage array management console to delete those. Although I'm guessing the disk scrubbing probably overfilled snapshot storage location, so most snapshots were lost anyway.

By the way, another reason to use two-factor authentication and not just use strong password alone is repeating reports on the presence of keyloggers in OEM drivers like Synaptic and Conexant. Which means it's hard to find a modern PC that would not be at risk... the article's name is actually very misleading – not sure why would they pick on HP specifically, when other PC vendors are equally affected. For example, my Lenovo X1 had both Synaptic Touchpad and Conexant Audio drivers preinstalled too.

Blog post from December 11 - December 17, 2017

Please note that this is not the entire content of the post.
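
Added example, not part of the forum thread or the quoted digest: one way a defender could flag the pattern the story describes, a burst of failed RDP logons followed by a successful logon from the same source, using Windows Security events 4625 and 4624. The event lines, addresses, account names, time window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not from the incident): time, event ID, logon type, source IP, account.
# 4625 = failed logon, 4624 = successful logon. An interactive RDP session logs
# 4624 with logon type 10; with Network Level Authentication enabled, failed RDP
# attempts are usually logged as type 3, so both types count as failures here.
SAMPLE = """\
2018-01-10T02:00:01 4625 3 203.0.113.7 administrator
2018-01-10T02:00:09 4625 3 203.0.113.7 administrator
2018-01-10T02:00:17 4625 3 203.0.113.7 admin
2018-01-10T02:00:26 4625 3 203.0.113.7 backup
2018-01-10T02:00:34 4625 3 203.0.113.7 veeamsvc
2018-01-10T02:00:41 4625 3 203.0.113.7 veeamsvc
2018-01-10T02:01:30 4624 10 203.0.113.7 veeamsvc
2018-01-10T08:15:02 4625 3 198.51.100.20 jsmith
2018-01-10T08:15:20 4624 10 198.51.100.20 jsmith
"""

RDP_FAIL_TYPES = {3, 10}
WINDOW = timedelta(minutes=5)   # assumed look-back window
THRESHOLD = 5                   # assumed failures per source within the window

def parse(text):
    """Yield (time, event_id, logon_type, source_ip, account) tuples."""
    for line in text.splitlines():
        ts, eid, ltype, ip, user = line.split()
        yield datetime.fromisoformat(ts), int(eid), int(ltype), ip, user

def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (kind, time, source_ip, account) in time order."""
    fails = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for ts, eid, ltype, ip, user in sorted(events):
        recent = fails[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()    # drop failures older than the window
        if eid == 4625 and ltype in RDP_FAIL_TYPES:
            recent.append(ts)
            if len(recent) == threshold:   # alert once when the threshold is crossed
                alerts.append(("brute_force", ts, ip, user))
        elif eid == 4624 and ltype == 10 and len(recent) >= threshold:
            # A success right after a failure burst is the event to page on.
            alerts.append(("success_after_brute_force", ts, ip, user))
            recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE)):
        print(alert)
```

The single mistyped password from 198.51.100.20 stays below the threshold and raises nothing; only the burst from 203.0.113.7 and the logon that follows it are reported.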

paul777
Novice
Posts: 6
Liked: never
Joined: Feb 21, 2016 9:07 pm
Full Name: Paul

Post by paul777 » Mar 23, 2018 2:51 pm

Big Thank You nitramd! This is definitely the one. I'm trying to find the entire post in the Blog Digest. If you have the url could you post it up or pm it to me? Thanks very much, we're in Florida.

nitramd
Expert
Posts: 136
Liked: 21 times
Joined: Feb 16, 2017 8:05 pm

Post by nitramd » Mar 23, 2018 3:12 pm

Entire post:
Veeam Community Forums Digest, December 11 - December 17, 2017

THE WORD FROM GOSTEV
vSphere users, note that VMware Tools 10.2.0 is now generally available, and there are two major new features that make it quite a significant release – so much I decided to highlight one here. First, this release finally adds offline bundles VIB which can be deployed using vSphere Update Manager to vSphere 5.5 and later ESXi hosts. Woohoo! Second, it brings support for Microsoft System Center Configuration Manager (SCCM) for distributing and updating VMware Tools on your VMs. Which will also be appreciated by many! Here are the direct links to Release Notes and the actual bits for your convenience.
Release notes link: https://docs.vmware.com/en/VMware-Tools ... notes.html
Actual tidbits link: https://my.vmware.com/group/vmware/deta ... ductId=614

Another attack story from one of our customers, who hired a security firm post-attack to investigate this attack thoroughly – thus all the scary details. Cryptomix Arena made its way into the network and started encrypting Windows file servers and Hyper-V VMs. Once VHDs were encrypted, the ransomware deleted the original VHDs and ran a disk scrubber. Next, actual hackers appeared (feels just like sharks sensing blood in the water, doesn't it – but what really happens is ransomware "phones home"). After failing to connect to the Veeam backup server through PowerShell, hackers managed to instead log on to one locally by brute forcing RDP, and proceeded to delete all backups manually – both those sitting on the local NAS, and their copies in Cloud Connect. They also manually ran a disk scrubber to ensure those local backups could not be recovered. Finally, they accessed Hyper-V management console and deleted the backup server VM entirely. The only way customer managed to recover some of their data was from storage snapshots.

So if this does not teach you to implement two-factor authentication for RDP access to your critical systems, then I don't know what else will. And naturally, the Insider Protection functionality for Veeam Cloud Connect cannot come fast enough – luckily, Update 3 is just around the corner now. Also, this story confirms the importance of having some sort of air gap – even if it was not true air gap in this case, still the hacker either was completely unaware of the presence of storage snapshots, or simply was not able to break into the storage array management console to delete those. Although I'm guessing the disk scrubbing probably overfilled snapshot storage location, so most snapshots were lost anyway.

By the way, another reason to use two-factor authentication and not just use strong password alone is repeating reports on the presence of keyloggers in OEM drivers like Synaptic and Conexant. Which means it's hard to find a modern PC that would not be at risk... the article's name is actually very misleading – not sure why would they pick on HP specifically, when other PC vendors are equally affected. For example, my Lenovo X1 had both Synaptic Touchpad and Conexant Audio drivers preinstalled too.
Keyloggers in OEM drivers link: http://www.zdnet.com/article/keylogger- ... of-hp-pcs/

To those using Data Domain as a target for Veeam: according to DELL EMC, close to a thousand of your systems are still running DD OS 5.4 and 5.5. Please, schedule the upgrade in the next few months, as we're planning to end support for these DD OS versions in the next update. With the real reason being the DDBoost SDK required by the upcoming DD OS version supporting 5.6 and later only.

Did you know the biggest bubble in the human history was with tulips? I was fascinated reading the article, especially that snippet on how much goods you could get for a single bulb. Luckily, the humanity advanced so far in 500 years, and this sort of explainable craziness can never repeat... just kidding, actually I learnt about tulip mania while watching the video on the mother of all bubbles.

gingerdazza
Expert
Posts: 127
Liked: 12 times
Joined: Jul 23, 2013 9:14 am
Full Name: Dazza

Post by gingerdazza » Apr 09, 2018 9:45 am

As a Veeam customer, I like the product, but I do feel increasingly disappointed with the lack of built-in security features. It seems to me that Veeam are incredibly keen to keep pushing this 3-2-1 responsibility down to the customer, and whilst that is a perfectly valid principle of backup protection, I think it's pushed hard by Veeam because there's an internal acceptance that the built-in product defence measures are very limited. Please Veeam, start listening to customers and provide this security within the product stack itself... find ways to deliver multi-factor authentication, backup file immutability, etc. Set CloudConnect perhaps to be a pull-only architecture, instead of a push copy job that requires that authentication to be on the Veeam server. Make security your primary focus, built into every piece of functionality within the product. This is where other new-world backup providers have an edge I think (i.e. Rubrik) - they provide a box-solution and own the entire stack, including the file system and the storage - therefore they have greater capacity to affect security end to end within their platform. Veeam's "strength" in its flexibility to be built into any storage you want, is also its weakness when on the discussion point of storage.

I'm not Veeam-bashing.... just keen to see a product I like deliver more security to its customers.

adapterer
Expert
Posts: 224
Liked: 42 times
Joined: Oct 12, 2015 11:24 pm

Post by adapterer » Apr 10, 2018 6:27 am

I still think this is a silly request (IMHO)

You can still delete backups without the console with PowerShell.

If the bad actor is at the point where they can access your Veeam console, they have likely already breached your network elsewhere which means they can also likely access any SMB or DAS storage available, and happily deploy any malware or backdoor they like.

Wouldn't it make more sense to implement 2FA to stop bad actors getting into your systems in the first place?

Again, just my $0.02 ;)

billcouper
Service Provider
Posts: 59
Liked: 13 times
Joined: Dec 18, 2017 8:58 am
Full Name: Bill Couper

Post by billcouper » May 08, 2018 6:39 am

+1

BNJI
Service Provider
Posts: 23
Liked: 4 times
Joined: Jun 20, 2012 11:12 am
Full Name: Benjamin Elveng

Post by BNJI » May 08, 2018 7:26 am

+10000
CTO @ revirt.global
@bnjidk

billcouper
Service Provider
Posts: 59
Liked: 13 times
Joined: Dec 18, 2017 8:58 am
Full Name: Bill Couper

Post by billcouper » May 30, 2018 8:01 am 1 person likes this post

adapterer wrote:

I still think this is a silly request (IMHO)

You can still delete backups without the console with PowerShell.

If the bad actor is at the point where they can access your Veeam console, they have likely already breached your network elsewhere which means they can also likely access any SMB or DAS storage available, and happily deploy any malware or backdoor they like.

Wouldn't it make more sense to implement 2FA to stop bad actors getting into your systems in the first place?

Again, just my $0.02 ;)

No. You are wrong. There are times when security is a priority. Customer data is #1 on that list.
If a "bad actor" can infiltrate any of your systems and from there delete your Veeam backups, then you sir have designed a terrible system. Even worse if they can delete your customer backups!

On top of that certain security certifications require that ALL access to customer data is protected by 2FA. Since you can restore customer data from the Veeam Console it requires 2FA. In my company I am not allowed to give anybody access to it - the Veeam console is locked up in a secure server that can only be accessed after multiple two-factor logins. It's a right PITA being the only person who can work on it, let me tell you!

I round your 2 cents down to 0.


EDIT: -9999 (adjustment)
