Comprehensive data protection for all workloads
Lukas-K
Influencer
Posts: 14
Liked: 3 times
Joined: Jun 03, 2024 3:53 pm
Full Name: Lukas Klostermann
Location: Germany

Security Guideline - Service Account usage

Post by Lukas-K »

Hi all,

We are currently discussing whether we should recommend using the Local System account for Veeam services or switch to dedicated and customized service accounts (local accounts, no domain access of course).

The reason is that both our CEH colleagues and our security team are strongly recommending the usage of a service account and NOT the Local System account. The reasons are as follows (as per input from our security team):

In a hardened environment, it is recommended to use a dedicated service account instead of the Local System Account for Veeam Backup & Replication on a Windows Server. Here are several reasons why this is preferable:

Security Principles:
The principle of least privilege states that user accounts should have only the minimum rights necessary to perform their tasks. A dedicated service account can be assigned exactly the permissions needed for Veeam Backup & Replication, whereas the Local System Account has very extensive rights.

Control and Monitoring:
Using a dedicated service account allows for better monitoring and tracking of the actions performed by the backup service. This is more challenging when using the Local System Account since it is also utilized by other system services.

Permissions Management:
The permissions of the service account can be specifically adjusted and restricted. For instance, you can configure the account to only access the directories and resources necessary for backup and restore operations.

Isolation:
A dedicated service account isolates the backup service from other services and system components. If a security issue arises in the Veeam service, the potential damage is limited because the account does not possess comprehensive system rights.

Compromise:
If the service account is compromised, the impact is more contained compared to a compromise of the Local System Account, which has full system rights.

Recommended Steps for Setting Up a Service Account:
  • Creating the Service Account: Create a new user account in your Active Directory domain or locally on the server, depending on your environment.
  • Assigning Necessary Permissions: Ensure that the service account has the necessary permissions for the Veeam components. This includes read permissions on the backup storage locations and write permissions when backups need to be created.
  • Configuration in Veeam: Go to the service settings in the Veeam Backup & Replication console and configure the services to run with the newly created service account.
  • Review and Monitoring: Regularly review the activities of the service account and adjust permissions as necessary.

By using a dedicated service account, you can significantly enhance the security and management of your backup environment.


How come Veeam recommends the usage of the Local System account in the AI assistant, the installation wizard and the security analyzer?
As far as I remember from my own CEH course, the Local System account is a pre-defined, highly privileged account without a password, from which a CMD prompt can be opened easily.

Thank you for some input; maybe there are some reasons we have not thought about. Of course we assume that in the case of a service account, the account is set up correctly and only with the necessary permissions.

Best regards
Lukas
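As an added example for the "Review and Monitoring" step above (this script is not from the thread, from Veeam, or from the security team quoted above), the following PowerShell audits which identity each Veeam service runs under on the backup server and flags the cases discussed here: a service still on LocalSystem, a service running as a domain account, or a dedicated local account that is not a member of the local Administrators group. It assumes it is run elevated on the Veeam Backup & Replication server and that the relevant services have names starting with "Veeam"; that wildcard is an assumption and may need adjusting.

```powershell
# Added audit example (not Veeam's own tooling): report the logon identity of each
# Veeam service and check it against the points raised in the thread.
# Assumptions: run in an elevated PowerShell on the backup server; service names
# beginning with "Veeam" are the ones of interest.

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like 'Veeam*' }

# Current members of the local Administrators group, lower-cased for comparison.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToLowerInvariant() }

# Built-in identities that are not dedicated service accounts.
$builtin = @('localsystem', 'nt authority\system',
             'nt authority\localservice', 'nt authority\networkservice')

$computer = $env:COMPUTERNAME.ToLowerInvariant()

$report = foreach ($svc in $services) {
    $account = if ($svc.StartName) { $svc.StartName } else { '(none)' }
    $lower   = $account.ToLowerInvariant()
    $isBuiltin = $builtin -contains $lower

    # Normalise ".\svc_veeam" to "computername\svc_veeam" so it matches the
    # "COMPUTERNAME\user" form returned by Get-LocalGroupMember.
    $normalised = $lower -replace '^\.\\', "$computer\"
    $isDomain   = (-not $isBuiltin) -and ($normalised -notlike "$computer\*")

    [pscustomobject]@{
        Service    = $svc.Name
        State      = $svc.State
        RunsAs     = $account
        BuiltIn    = $isBuiltin
        DomainAcct = $isDomain                                   # thread advice: local account, no domain access
        LocalAdmin = (-not $isBuiltin) -and ($admins -contains $normalised)
    }
}

$report | Format-Table -AutoSize

# Warn on exactly the situations the thread argues about.
$report |
    Where-Object { $_.BuiltIn -or $_.DomainAcct -or (-not $_.LocalAdmin) } |
    ForEach-Object {
        Write-Warning ("{0}: runs as '{1}' (BuiltIn={2}, DomainAcct={3}, LocalAdmin={4})" -f `
            $_.Service, $_.RunsAs, $_.BuiltIn, $_.DomainAcct, $_.LocalAdmin)
    }
```

Running this periodically (or from a scheduled task that writes the output to a log your SIEM collects) gives the "regularly review the activities of the service account" step a concrete, repeatable check rather than a manual look at services.msc.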
david.domask
Veeam Software
Posts: 2590
Liked: 606 times
Joined: Jun 28, 2016 12:12 pm

Re: Security Guideline - Service Account usage

Post by david.domask »

Hi Lukas,

I think nothing is missed, it's mostly about how you want to handle the security and monitoring within your environment. I don't mean to just throw a link at you but we have a fairly extensive Best Practices guide, which includes a section discussing security considerations for your Backup environment including account security but also many other security consideration outside of accounts: https://bp.veeam.com/security

I would give it a read through, but ultimately to your question/commentary, SYSTEM is not a requirement, but it does simplify management considerably, and usually, once an attacker has credentials and reaches the backup environment, typically they already have pretty full access. So worrying about the service accounts when an attacker already has full access via other means isn't irrelevant, but typically the situation is already pretty bad if they're in the backup environment. Naturally this is not the only scenario, but it's a common story we hear that attacks happened when attackers already had privileged credentials by the time they got to the backup environment.

You should pick what is most secure and sensible and maintainable for your team, following security best practices and reviewing the design of the environment for security. The link I provided before is a good resource from our field teams, and combined with your own security practices hopefully will assuage your concerns. But SYSTEM is not _required_ for the accounts, but again, consider the above link.
David Domask | Product Management: Principal Analyst
SnakeSK
Service Provider
Posts: 99
Liked: 28 times
Joined: Feb 09, 2019 5:06 pm

Re: Security Guideline - Service Account usage

Post by SnakeSK » 1 person likes this post

If you can open cmd or any interactive process under the system context (psexec etc.), you have a much bigger problem than worrying about service accounts.

In that case, a separate account or the system account won't really matter, because in case of a breach, the attacker is just changing to the account they are interested in.

Solve your attack surface reduction first, then this question will become irrelevant.

I don't know if Veeam currently supports gMSAs for running the services, but still, it's just an account with a different icon :)
Stabz
Expert
Posts: 148
Liked: 11 times
Joined: Apr 07, 2017 7:40 am
Full Name: Philippe DUPUIS

Re: Security Guideline - Service Account usage

Post by Stabz »

Hello,

Veeam doesn't support gMSA account for running the Veeam Backup Service.

It's a pretty good question because in terms of cybersecurity risk, you should assign only the roles needed to the account.
But if you look at the Veeam documentation, the account for the service must be a member of the Administrators group on the machine where Veeam Backup & Replication is installed.

So what is more secure: an account with privileged access and a big password, or the local system?
Maurice
Service Provider
Posts: 33
Liked: 10 times
Joined: May 26, 2014 7:59 am
Full Name: Maurice Galicic
Location: Münster, Germany

Re: Security Guideline - Service Account usage

Post by Maurice »

Hello,

Is there any new information about this? Especially with the "Security & Compliance Analyzer" stating "Backup services should be running under the LocalSystem account".


Regards
Maurice
Lukas-K
Influencer
Posts: 14
Liked: 3 times
Joined: Jun 03, 2024 3:53 pm
Full Name: Lukas Klostermann
Location: Germany

Re: Security Guideline - Service Account usage

Post by Lukas-K » 1 person likes this post

Hi Maurice,

To conclude the thread / the replies above, I think the situation is the following:
The usage of Local System is easier to set up and easier to troubleshoot, so Veeam declares this as the default.

Since we have been using service accounts in the context of Active Directory for years, I personally recommend using local service accounts for Veeam services (and other locally running services as well). This is supported but obviously a slightly higher workload to set up.

Both are supported, and the final decision should be made in cooperation / agreement with the customer.

Best
Lukas