Comprehensive data protection for all workloads
randy.belbin
Lurker
Posts: 1
Liked: 1 time
Joined: Sep 05, 2018 6:01 am
Full Name: Randy Belbin
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by randy.belbin » Sep 05, 2018 6:20 am 1 person likes this post

Hey there Veeam team!

I'm currently playing around with Backup and Replication in my home lab and I have to say that so far, I'm pretty impressed. Truly great work!
On the 2FA front, I have to say that backups (should) contain every piece of critical and sensitive data that a company owns. It seems really silly to go through all the trouble of putting 2FA on servers only to have the backups accessible with just a password. File level browsing and restores are great until they make their way into the wrong hands.

I'll be the first one to admit that access to the Veeam Console should be very tightly controlled. As in the only access should be from an admin workstation which is protected with 2FA. However, I think it would be awesome to have native 2FA support in the console for that extra piece of mind or for those folks who can't properly segment their networks.

Now for the full disclosure part - I work for RSA and we have a phenomenal partner engineering team that would be more than happy to work with your devs to implement our REST APIs into your products. 2FA is quickly becoming ubiquitous or table stakes or whatever we want to call it and we'd love to help you make strong auth another awesome feature of the Veeam console.

crackocain
Service Provider
Posts: 145
Liked: 9 times
Joined: Dec 14, 2015 8:20 pm
Full Name: Mehmet Istanbullu
Location: Turkey
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by crackocain » Jan 11, 2019 2:50 pm

+1.

Actually great fit "Veeam Authenticator" app iOS and Android :)

Escapo IT
Influencer
Posts: 11
Liked: 4 times
Joined: May 29, 2012 6:05 pm
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by Escapo IT » Feb 27, 2019 8:15 am

+1

olavl
Influencer
Posts: 11
Liked: 1 time
Joined: Jan 23, 2018 8:21 am
Full Name: OL
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by olavl » Mar 19, 2019 8:54 pm

+1 for MFA - integrate with Azure MFA, Google Auth, MS Auth, Duo etc.
+1 for console authentication with Radius/LDAPS

Gostev
SVP, Product Management
Posts: 25576
Liked: 3891 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by Gostev » Mar 20, 2019 12:04 am

@Olav I am just curios, are you using all these MFA systems at once?

For example, why would you use both MS Auth and Duo at the same time? We were just evaluating both for the internal use, and it seems like a binary choice: you either go with one or the other - not both.

Also, from the same evaluation I believe Azure MFA and MS Auth is the same thing, no?

Also, I believe Google MFA is for Google Accounts only - so, how are you using it for Windows infrastructure (logging on to Active Directory etc.)?

olavl
Influencer
Posts: 11
Liked: 1 time
Joined: Jan 23, 2018 8:21 am
Full Name: OL
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by olavl » Jun 12, 2019 10:39 pm

@Gostev: missed this post, but I'll throw in some thoughts now.

A Veeam customer should protect the console and repository through firewall, zoning etc. But having multiple MFA for console access should be part of a enterprise backup system in 2019.

I listed a couple of alternatives for MFA as an example, if Veeam will implement MFA for console and powershell access you might consider having multiple alternatives to suit your customers needs.
A Microsoft/Azure shop might be on Microsoft Radius or Azure MFA, some on Google Auth and others on Duo or Authy.

Using Google Authenticator requires the app installed on android or IOS, but logging in can be any account since you only add the code-generating to the Auth app. See panda/commvault for examples.

Some examples:

amarshall
Service Provider
Posts: 3
Liked: never
Joined: Jun 02, 2016 12:28 am
Full Name: Adam Marshall
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by amarshall » Jun 21, 2019 10:50 am

We have a client requesting this for Cloud Connect - it's a deal breaker for them, part of the requirements from global HQ for any Cloud/SaaS service. Either using an authenticater fob/app or OTP.

What are Veeams thoughts here? I didn't hear anything about any sort of MFA at VeeamON?

ferrus
Veeam ProPartner
Posts: 250
Liked: 31 times
Joined: Dec 03, 2015 3:41 pm
Location: UK
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by ferrus » Jun 21, 2019 11:59 am

Adding my name to the request for 2FA access for Veeam.
This should become more standard across most applications TBH - and since Veeam potentially holds ALL data for all applications ...

We use Google authenticator across all our 2FA systems. I don't believe the MS/Google authenticator apps are vendor locked at all.


One question though. From a security perspective, have you improved much by introducing 2FA to the console - when most actions are available through powershell?

sswayd
Lurker
Posts: 1
Liked: never
Joined: Sep 04, 2019 1:00 pm
Full Name: SWAYD ALSWAYD
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by sswayd » Sep 04, 2019 1:02 pm

+1

tomnewman
Enthusiast
Posts: 50
Liked: 5 times
Joined: Oct 14, 2015 10:12 pm
Full Name: Tom Newman
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by tomnewman » Sep 14, 2019 10:02 pm

+1

ShawnKPERS
Enthusiast
Posts: 55
Liked: 4 times
Joined: Apr 29, 2011 3:55 pm
Full Name: Shawn Nix
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by ShawnKPERS » Sep 17, 2019 7:29 pm

+1

riahc3
Enthusiast
Posts: 85
Liked: 4 times
Joined: Oct 21, 2015 10:01 am
Full Name: John
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by riahc3 » Sep 18, 2019 1:12 am 1 person likes this post

skrause wrote:
Sep 28, 2016 2:22 pm
Sure, we could RDP into our B&R server with 2FA
There you go; You have 2FA to the console already.

I dont understand why people have a unhealthy obsession with 2FA. Not everything needs 2FA and things can be put before that SHOULD require 2FA.

Are you going to want that UAC uses 2FA as well? Or Powershell commands?

soncscy
Enthusiast
Posts: 61
Liked: 23 times
Joined: Aug 04, 2019 2:57 pm
Full Name: Harvey Carel
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by soncscy » Sep 18, 2019 4:26 pm

While I agree, keep in mind, often Security Requirements aren't a choice, they're a mandate. Think like PCI DSS which, thankfully, isn't too ridiculous in and of itself, but those tasked with enforcing it often haven't read the material, or lack the ability to understand what is being required.

Cargo Cult Security is an awful practice, but that doesn't mean that everyone doing it does so willingly; sometimes you just gotta check that box in order to get home by 6 pm that night. 2FA probably won't save most people if they're really hit by some new ransomware (hell, last time we had a site get hit, the local admin had 2FA enabled, and went ahead and authenticated something from an unknown process anyways figuring it was some cronjob he forgot about)

I always tell people, the biggest threats are craft hackers or cleverly disguised packages with malicious payloads; it's the emails that go "Hey Bob! Look at this!" and Bob blindly clicks through.

skrause
Expert
Posts: 450
Liked: 93 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by skrause » Sep 19, 2019 1:45 pm

riahc3 wrote:
Sep 18, 2019 1:12 am
There you go; You have 2FA to the console already.

I dont understand why people have a unhealthy obsession with 2FA. Not everything needs 2FA and things can be put before that SHOULD require 2FA.

Are you going to want that UAC uses 2FA as well? Or Powershell commands?
My Backup system which gives access to literally ALL of my sensitive data isn't something that should have 2FA?

Veeam created the remote console for a reason, having to stop using it because I need 2FA instead of it being integrated into the product is what the request is about.
Steve Krause
Veeam Certified Architect

JamesMcG
Influencer
Posts: 17
Liked: 2 times
Joined: Jul 11, 2012 3:39 pm
Full Name: James McGuinness
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by JamesMcG » Sep 20, 2019 5:57 pm

+1. Come on, all arguments aside there's no reason Veeam shouldn't have this as an option.

Gostev
SVP, Product Management
Posts: 25576
Liked: 3891 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by Gostev » Sep 21, 2019 9:47 pm

skrause wrote:
Sep 19, 2019 1:45 pm
My Backup system which gives access to literally ALL of my sensitive data isn't something that should have 2FA?
So are your domain controllers and Domain Admin accounts. Do they have 2FA enabled for every logon? And I'm not necessarily talking about modern factors everyone is so excited about lately. For example, smart cards have been around for as long as I remember myself, and are not uncommon among Veeam users.

And if you do use 2FA on accounts used for managing other equally sensitive parts of your infrastructure, then what exactly prevents you from enabling 2FA on Veeam administrator accounts too?

Gostev
SVP, Product Management
Posts: 25576
Liked: 3891 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by Gostev » Sep 21, 2019 10:26 pm

JamesMcG wrote:
Sep 20, 2019 5:57 pm
Come on, all arguments aside there's no reason Veeam shouldn't have this as an option.
The main question here is how useful this option will be in the real world. I would hate to postpone other, potentially more valuable features to build a lonely steel door in the park - if you know what I mean. Which is why it is so important for me to ensure we're not wasting time on building a "checkbox feature".

The main argument against is that implementing 2FA in the backup console alone is useless, because hackers can use the same compromised Veeam admin account to connect directly to the backup server instead (via KVM, RM, RDP, WMI, PowerShell, etc.)

So, until your implement global 2FA on all your sensitive infrastructure management accounts, there's no point to individually secure different consoles and remote access methods that these accounts can potentially be used through. Because a chain is only as strong as the weakest link.

However, as soon as you do implement global 2FA on those accounts, securing individual consoles is no longer required at all. Does it make sense?

In other words: what is the point of installing a bunker door in the fence, when a door made of fence's material will provide equal overall protection? However, in these circumstances, the whole area should definitely be surrounded by a proper stone wall with the manned checkpoint (global 2FA).

skrause
Expert
Posts: 450
Liked: 93 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by skrause » Sep 23, 2019 2:04 pm

The issue is that I can run the remote console on a system (like my workstation) where I use a different account to log into the backup console. I can easily set up 2FA on the server itself (and I do for the vast majority of our server infrastructure) that isn't the issue, really.

Right now, it is a situation where if someone wants 2FA on the application administration they need to have the users RDP into a system protected by 2FA rather than be able to have it integrated into the remote console which can be run from anywhere.

Of course, I may move that direction anyway simply due to wanting to limit network access (even more) to the backup infrastructure, but it would still be nice to see Veeam implement some form of 2FA on the application interfaces for B&R, Enterprise Manager, and maybe even VeeamONE.

There are other features that I would consider a much higher priority though :)
Steve Krause
Veeam Certified Architect

unsichtbarre
Expert
Posts: 132
Liked: 24 times
Joined: Mar 08, 2010 4:05 pm
Full Name: John Borhek
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by unsichtbarre » Sep 23, 2019 3:48 pm 1 person likes this post

I am also -1 on this.

Two-factor is an infrastructure/directory issue and should be implemented at that level! It's just like overly complex passwords and password aging (ideas disproved recently by NIST), implementing two-factor at the level of an application that should ideally run UNDER a two-factor authentication DIRECTORY will lead to all kinds of problems and unwanted loss of data. Even allowing it is a BAD IDEA!

Here's my vision/fear (from the service provider/support perspective): If customers are able to enable two-factor directly on Veeam they will. Inevitably situations will occur where the authorized user is unavailable - or worse yet (think hurricane Sandy), where the two-factor SYSTEM is unavailable. Sure, there are always around - but do you want to be able to rapidly recover/fail-over your data or many authentication-based steps away from even starting the recovery process?

Don't lock the lock!
-The Invisible Admin-
http://www.johnborhek.com

tstarken
Novice
Posts: 7
Liked: 1 time
Joined: Dec 27, 2017 10:47 pm
Full Name: Tim Starkenburg
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by tstarken » Nov 25, 2019 3:40 pm

We have non-domain joined repositories so that if we are compromised a hacker would not gain credentials to connect to the off-domain repository. However, all this is for not if a hacker could simply log into the Veeam Console and remove backup data through the console which has the stored credentials to the off-domain storage. Please - we need 2FA to secure the console to prevent this from happening. Only other option is tapes, but the amount of data that we have would take days to write vs. drive write speed on our NAS.

Gostev
SVP, Product Management
Posts: 25576
Liked: 3891 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by Gostev » Nov 25, 2019 3:56 pm

Hello, did you consider installing Veeam console on Windows 10, and using its built-in 2FA? Because even if the console is locked out with 2FA, there is still PowerShell and internal APIs that can be used to remove backup data. Which is exactly why it is important to lock down the machine as a whole (as opposed to individual apps). Thanks!

Post Reply

Who is online

Users browsing this forum: Google [Bot], IvanK, mkh, rold, Steve-nIP, tdewin and 47 guests