I am looking for some guidance/advice on protecting the Veeam B&R v12 console by enabling MFA for the interactive logon account. I have installed both Veeam B&R and Veeam ONE (on separate servers) using the default installation options for both. The end result is that both applications are running under the domain administrator account (Windows session authentication), which is granted the Veeam Backup Administrator role. Since MFA is not supported for connections between the Veeam ONE agent and the Veeam B&R server, it is therefore not currently possible to enable MFA for the interactive logon account I am using (I have tried and it breaks).
So the plan would then be to run the Veeam ONE agent under a standard domain account and configure permissions to connect to the Veeam B&R server, but since MFA cannot be enabled for service accounts (or for connections between the Veeam ONE agent and the Veeam B&R server) I am concerned that the account password could be reset, allowing interactive logon under this account, which would also have the Veeam Backup Administrator role assigned. This would then permit the compromised account to delete all backups from disk that are visible through the console.
Is this a valid concern or have I not thought it through correctly?
Hello,
I checked with QA last week; sorry for the late response. So, if I have understood everything correctly:
We can't change the Veeam ONE agent service's account, and it's the same as for VBR monitoring. The VBR monitoring account must have the Veeam Backup Administrator role, so if you want to use the Veeam ONE agent you shouldn't enable MFA for this account and can't prevent interactive logins by this VBR admin account.
If you want to prevent interactive logons, you can enable MFA, but the VONE agent won't work correctly in this case; VBR data collection should still work.
So, if you are not using the Veeam ONE Agent to collect logs and do VID, you should be able to enable VBR MFA without problems.
I hope it helps. Let me know if I misunderstood the question.
Thank you!
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software
Many thanks for the reply. I would prefer not to miss out on Veeam Intelligent Diagnostics as I want to be notified of known issues raised by alarms in Veeam ONE that would otherwise not be brought to my attention.
My preference would therefore be to use a separate service account for the connection between Veeam ONE and VBR; however, since the service account requires the Backup Administrator role within the VBR console, surely this removes the benefit of using MFA, since it cannot be used to protect the account. Are there any deployment scenarios that get around this problem?
After talking with support about this, it seems that there is still no way to avoid having an administrator user without MFA activated if you want to use Veeam Intelligent Diagnostics. Please count this message as a feature request.