Comprehensive data protection for all workloads
skrause
Veteran
Posts: 487
Liked: 106 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause
Contact:

Feature Request: Two-factor auth support for Veeam Console MFA 2FA

Post by skrause » 4 people like this post

At my organization we are in the nascent stages of requiring 2-factor auth on all of our systems (we currently have DuoRDP on about 75% of our production servers) and it would be nice to have two factor be available in the Veeam Console at some point. Sure, we could RDP into our B&R server with 2FA and launch the console from there, but that is so version 8 :P

Some form of integration with a widely available 2FA solution would be a useful addition for us.

Not a high priority or anything, just something that I was thinking of.
Steve Krause
Veeam Certified Architect
Dima P.
Product Manager
Posts: 14652
Liked: 1678 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by Dima P. » 1 person likes this post

Hi Steve,

Interesting request - thanks for sharing. We will discuss it with the team for sure.
lando_uk
Veteran
Posts: 377
Liked: 32 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by lando_uk »

+1 for this, our place is also looking at making all admin related activities require MFA.
CarlMcDade
Enthusiast
Posts: 62
Liked: 20 times
Joined: Jul 08, 2013 1:47 pm
Full Name: Carl McDade
Location: Leeds, UK
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by CarlMcDade » 1 person likes this post

Quick thought on this

If you use Veeam Availability Console, technically you could install the 2FA agent for webserver on the IIS App. That would then give you 2FA whilst accessing VAC

I've only used RSA, and ive used their webserver agent for RDS/Sharepoint/internal sites.

Cheers
mail@carlmcdade.com
http://twitter.com/CarlMcDade
http://www.carlmcdade.com
nathan.mcclintock
Influencer
Posts: 10
Liked: 2 times
Joined: Jul 07, 2016 8:26 pm
Full Name: Nathan McClintock
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by nathan.mcclintock »

+1
Tim783
Influencer
Posts: 15
Liked: never
Joined: Jul 20, 2012 2:05 pm
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by Tim783 »

Would be interested in this as well
nitramd
Veteran
Posts: 298
Liked: 85 times
Joined: Feb 16, 2017 8:05 pm
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by nitramd »

+1 for 2FA
nunciate
Veteran
Posts: 253
Liked: 40 times
Joined: May 21, 2013 9:08 pm
Full Name: Alan Wells
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by nunciate »

+1 on the 2FA. Please give an ETA ASAP. :-)
jazzoberoi
Enthusiast
Posts: 96
Liked: 24 times
Joined: Oct 08, 2014 9:07 am
Full Name: Jazz Oberoi
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by jazzoberoi »

+1

This could also mitigate the scenario where the attacker could log into VEEAM and delete all the backups from there.
adapterer
Expert
Posts: 227
Liked: 46 times
Joined: Oct 12, 2015 11:24 pm
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by adapterer » 1 person likes this post

Surely you have bigger security problems if someone has got to the point where they can login to the Veeam console?
drichman
Influencer
Posts: 19
Liked: never
Joined: Jan 24, 2011 5:22 pm
Full Name: Dean Richman
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by drichman »

+1
onthax
Service Provider
Posts: 40
Liked: 1 time
Joined: May 13, 2013 2:32 am
Location: Brisbane
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by onthax »

+1
yasuda
Enthusiast
Posts: 64
Liked: 10 times
Joined: May 15, 2014 3:29 pm
Full Name: Peter Yasuda
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by yasuda »

adapterer wrote:Surely you have bigger security problems if someone has got to the point where they can login to the Veeam console?
Sure, but anything you can put into place to slow an attacker post-breach gives you more time to (let's hope) detect the breach before irreparable harm is done.
bpayne
Enthusiast
Posts: 55
Liked: 12 times
Joined: Jan 20, 2015 2:07 pm
Full Name: Brandon Payne
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by bpayne »

+1. In healthcare, we are also being pushed to implement MFA wherever possible.
soehl
Enthusiast
Posts: 57
Liked: 8 times
Joined: May 09, 2011 12:43 pm
Full Name: Sebastian
Location: Germany
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by soehl »

+1
audax
Novice
Posts: 9
Liked: never
Joined: Jan 25, 2017 9:07 am
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by audax »

+1
ggrice
Influencer
Posts: 10
Liked: 3 times
Joined: Aug 16, 2013 8:19 am
Full Name: Geoff Grice
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by ggrice »

RADIUS 2fa would be a nice addition!
ChrisGundry
Veteran
Posts: 259
Liked: 40 times
Joined: Aug 26, 2015 2:56 pm
Full Name: Chris Gundry
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by ChrisGundry »

+1
Strack
Lurker
Posts: 1
Liked: never
Joined: Dec 18, 2017 10:56 am
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by Strack »

That's exactly what you can hope for in that situation. I'm fully in favor of this suggestion too. We could also use this in our firm.
YouGotServered
Service Provider
Posts: 176
Liked: 53 times
Joined: Mar 11, 2016 7:41 pm
Full Name: Cory Wallace
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by YouGotServered »

+1
jayscarff
Service Provider
Posts: 114
Liked: 12 times
Joined: Nov 15, 2016 6:56 pm
Location: Cayman Islands
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by jayscarff »

+1 for sure, though will probably try DUO on the VAC!
Jason
VMCE
paul777
Novice
Posts: 9
Liked: never
Joined: Feb 21, 2016 9:07 pm
Full Name: Paul
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by paul777 »

A bit of time has passed since the last post on this thread. I was wondering, I saw one of Gostev's weekend blog emails about maybe 6 months ago that had a good story/review of a Ransomware attack. Then Gostev goes on to talk about two factor authentication for the Veeam BU server it self. I can't find that blog! If anyone remembers this and/or can point me toward it I'd appreciate it. I've got a lot of other material about this but I want to find that one excellent post if possible. Thanks in advance.
nitramd
Veteran
Posts: 298
Liked: 85 times
Joined: Feb 16, 2017 8:05 pm
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by nitramd » 2 people like this post

Perhaps this is it:

Another attack story from one of our customers, who hired a security firms post attack to investigate this attack thoroughly – thus all the scary details. Cryptomix Arena made it's way into the network and started encrypting Windows file servers and Hyper-V VMs. Once VHDs were encrypted, the ransomware deleted the original VHDs and ran a disk scrubber. Next, actual hackers appeared (feels like just like sharks sensing blood in the water, doesn't it – but what really happens is ransomware "phones home"). After failing to connect to the Veeam backup server through PowerShell, hackers managed to instead logon to one locally by brute forcing RDP, and proceeded to delete all backups manually – both those sitting on the local NAS, and their copies in Cloud Connect. They also manually ran a disk scrubber to ensure those local backups could not be recovered. Finally, they accessed Hyper-V management console and deleted the backup server VM entirely. The only way customer managed to recover some of their data was from storage snapshots.

So if this does not teach you to implement two-factor authentication for RDP access to your critical systems, then I don't know what else will. And naturally, the Insider Protection functionality for Veeam Cloud Connect cannot come fast enough – luckily, Update 3 is just around the corner now. Also, this story confirms the importance of having some sort of air gap – even if it was not true air gap in this case, still the hacker either was completely unaware of the presence of storage snapshots, or simply was not able to break into the storage array management console to delete those. Although I'm guessing the disk scrubbing probably overfilled snapshot storage location, so most snapshots were lost anyway.

By the way, another reason to use two-factor authentication and not just use strong password alone is repeating reports on the presence of keyloggers in OEM drivers like Synaptic and Conexant. Which means it's hard to find a modern PC that would not be at risk... the article's name is actually very misleading – not sure why would they pick on HP specifically, when other PC vendors are equally affected. For example, my Lenovo X1 had both Synaptic Touchpad and Conexant Audio drivers preinstalled too.

Blog post from December 11 - December 17, 2017

Please note that this is not the entire content of the post.
paul777
Novice
Posts: 9
Liked: never
Joined: Feb 21, 2016 9:07 pm
Full Name: Paul
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by paul777 »

Big Thank You nitarmd! This is definitely the one. I'm trying to find the entire post in the Blog Digest. If you have the url could you post it up or pm it to me? Thanks very much, we're in Florida.
nitramd
Veteran
Posts: 298
Liked: 85 times
Joined: Feb 16, 2017 8:05 pm
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by nitramd »

Entire post:
Veeam Community Forums DigestDecember 11 - December 17, 2017

THE WORD FROM GOSTEV
vSphere users, note that VMware Tools 10.2.0 is now generally available, and there are two major new features that make it quite a significantly release – so much I decided to highlight one here. First, this release finally adds offline bundles VIB which can be deploying using vSphere Update Manager to vSphere 5.5 and later ESXi hosts. Woohoo! Second, it brings support for Microsoft System Center Configuration Manager (SCCM) for distributing and updating VMware Tools on your VMs. Which will also be appreciated by many! Here are the direct links to Release Notes and the actual bits for your convenience.
Release notes link: https://docs.vmware.com/en/VMware-Tools ... notes.html
Actual tidbits link: https://my.vmware.com/group/vmware/deta ... ductId=614

Another attack story from one of our customers, who hired a security firms post attack to investigate this attack thoroughly – thus all the scary details. Cryptomix Arena made it's way into the network and started encrypting Windows file servers and Hyper-V VMs. Once VHDs were encrypted, the ransomware deleted the original VHDs and ran a disk scrubber. Next, actual hackers appeared (feels like just like sharks sensing blood in the water, doesn't it – but what really happens is ransomware "phones home"). After failing to connect to the Veeam backup server through PowerShell, hackers managed to instead logon to one locally by brute forcing RDP, and proceeded to delete all backups manually – both those sitting on the local NAS, and their copies in Cloud Connect. They also manually ran a disk scrubber to ensure those local backups could not be recovered. Finally, they accessed Hyper-V management console and deleted the backup server VM entirely. The only way customer managed to recover some of their data was from storage snapshots.

So if this does not teach you to implement two-factor authentication for RDP access to your critical systems, then I don't know what else will. And naturally, the Insider Protection functionality for Veeam Cloud Connect cannot come fast enough – luckily, Update 3 is just around the corner now. Also, this story confirms the importance of having some sort of air gap – even if it was not true air gap in this case, still the hacker either was completely unaware of the presence of storage snapshots, or simply was not able to break into the storage array management console to delete those. Although I'm guessing the disk scrubbing probably overfilled snapshot storage location, so most snapshots were lost anyway.

By the way, another reason to use two-factor authentication and not just use strong password alone is repeating reports on the presence of keyloggers in OEM drivers like Synaptic and Conexant. Which means it's hard to find a modern PC that would not be at risk... the article's name is actually very misleading – not sure why would they pick on HP specifically, when other PC vendors are equally affected. For example, my Lenovo X1 had both Synaptic Touchpad and Conexant Audio drivers preinstalled too.
Keyloggers in OEM drivers link: http://www.zdnet.com/article/keylogger- ... of-hp-pcs/

To those using Data Domain as a target for Veeam: according to DELL EMC, close to a thousand of your systems are still running DD OS 5.4 and 5.5. Please, schedule the upgrade in the next few months, as we're planning to end support for these DD OS versions in the next update. With the real reason being the DDBoost SDK required by the upcoming DD OS version supporting 5.6 and later only.

Did you know the biggest bubble in the human history was with tulips? I was fascinated reading the article, especially that snippet on how much goods you could get for a single bulb. Luckily, the humanity advanced so far in 500 years, and this sort of explainable craziness can never repeat... just kidding, actually I learnt about tulip mania while watching the video on the mother of all bubbles.
gingerdazza
Expert
Posts: 206
Liked: 14 times
Joined: Jul 23, 2013 9:14 am
Full Name: Dazza
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by gingerdazza »

As a Veeam customer, I like the product, but I do feel increasingly disappointed with the lack of built-in security features. It seems to me that Veeam are incredibly keen to keep pushing this 3-2-1 responsibility down to the customer, and whilst that is a perfectly valid principle of backup protection, I think it's pushed hard by Veeam because there's an internal acceptance that the built-in product defence measures are very limited. Please Veeam, start listening to customers and provide this security within the product stack itself... find ways to deliver multi-factor authentication, backup file immutability, etc. Set CloudConnect perhaps to be a pull-only architecture, instead of a push copy job that requires that authentication to be on the Veeam server. Make security your primary focus, built into every piece of functionality within the product. This is where other new-world backup providers have an edge I think (i.e. Rubrik) - they provide a box-solution and own the entire stack, including the file system and the storage - therefore that have greater capacity to affect security end to end within their platform. Veeam's "strength" in it's flexibility to be built into any storage you want, is also it's weakness when on the discussion point of storage.

I'm not Veeam-bashing.... just keen to see a product I like deliver more security to its customers.
adapterer
Expert
Posts: 227
Liked: 46 times
Joined: Oct 12, 2015 11:24 pm
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by adapterer »

I still think this is a silly request (IMHO)

You can still delete backups without the console with PowerShell.

If the bad actor is at the point where they can access your Veeam console, they have likely already breached your network elsewhere which means they can also likely access any SMB or DAS storage available, and happily deploy any malware or backdoor they like.

Wouldn't it make more sense to implement 2FA to stop bad actors getting into your systems in the first place?

Again, just my $0.02 ;)
billcouper
Service Provider
Posts: 153
Liked: 34 times
Joined: Dec 18, 2017 8:58 am
Full Name: Bill Couper
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by billcouper »

+1
BNJI
Service Provider
Posts: 25
Liked: 4 times
Joined: Jun 20, 2012 11:12 am
Full Name: Benjamin Elveng
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by BNJI »

+10000
Anycloud.dk
billcouper
Service Provider
Posts: 153
Liked: 34 times
Joined: Dec 18, 2017 8:58 am
Full Name: Bill Couper
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by billcouper » 1 person likes this post

adapterer wrote:I still think this is a silly request (IMHO)

You can still delete backups without the console with PowerShell.

If the bad actor is at the point where they can access your Veeam console, they have likely already breached your network elsewhere which means they can also likely access any SMB or DAS storage available, and happily deploy any malware or backdoor they like.

Wouldn't it make more sense to implement 2FA to stop bad actors getting into your systems in the first place?

Again, just my $0.02 ;)
No. You are wrong. There are times when security is a priority. Customer data is #1 on that list.
If a "bad actor" can infiltrate any of your systems and from there delete your Veeam backups, then you sir have designed a terrible system. Even worse if they can delete your customer backups!

On top of that certain security certifications require that ALL access to customer data is protected by 2FA. Since you can restore customer data from the Veeam Console it requires 2FA. In my company I am not allowed to give anybody access to it - the Veeam console is locked up in a secure server that can only be accessed after multiple two-factor logins. It's a right PITA being the only person who can work on it, let me tell you!

I round your 2 cents down to 0.


EDIT: -9999 (adjustment)
Post Reply

Who is online

Users browsing this forum: Google [Bot] and 42 guests