Hardening Backup

[Bulldogg]

We would like to harden our backup env.

Our current architecture implements several Veeam components like: backup proxies, gateway servers and is across 2 datacenters. The backup env is part of our production windows domain. Which is not best practice.

Problem:
So currently the production servers and the veeam servers are in the same windows domain.
If the production domain is compromised (Hacked)than the backup veeam servers can also be compromised by GPO for example.

The backup solution is already in a separate vlan (vlan05) with firewall rules
Production domain is in (vlan02) with firewall rules

Attempt to separate the backup env from the production env.

We started to make a new management domain in a sperate forest. That is placed in another spererate vlan (vlan06).
Then we made an onewaytrust between the management domain en production domein.
So you can use management credentials to login on production domain and not the other way around.

Then we made a new veeam backup proxy in the vlan05 which is member of the management domain.
When we tried to make an a backup an vm in the production domain but we needed to add management domain credentials to the local administrators of the vm we would like to backup.

To make that work we needed to edit firewall rules between the management domain controller and de production machine to validate the credentials.

We would like to make use off the existing production credentials to make the backup.
But the veeam backup proxy is not a member off the production domain so it can’t use those credentials.

Personal I think we over complicated the backup env with separate vlans, with firewall rules, 2 domains etc.

The goal is separate the backup from the production domain.
Another solution is that the backup env is in a separate workgroup.

What are the necessary steps to move the current backup env. to a workgroup?
Do we then also need to change the backup credentials to backup production vms to local credentials. Or can we use the existing production domain credentials?

[HannesK]

Hello,
and welcome to the forums.

But the veeam backup proxy is not a member off the production domain so it can’t use those credentials.

what is the source for this statement? If you see that in your environment, can you please post the support case number, because that sounds wrong to me.

Personal I think we over complicated the backup env with separate vlans, with firewall rules, 2 domains etc.

I think you did a good job

Another solution is that the backup env is in a separate workgroup.

also fine. depends on the size of the environment (management overhead can be annoying with many standalone hosts)

What are the necessary steps to move the current backup env. to a workgroup?

adjust in Windows & VBR and fix things if something broke Some customers manually change service accounts for no good reasons, so that's common thing to check. LOCAL SYSTEM should be used. DNS names probably need to be adjusted. There is KB1905 for that. After changing the domain, rescan everything and check whether it works.

Or can we use the existing production domain credentials?

yes

Best regards,
Hannes

[Bulldogg]

Thnx for comments. Much appreciated
We will discuss today the next steps. If we have more questions ill leave a reply.