Application aware processing questions

[cosmik]

First, let me lay out the backup job details I'm using: all my VMs (both Windows and Linux) are on an ESXi cluster. I created the backup job stating that I want the entire cluster backed-up, with the exception of certain machines. "Enable VMWare Tools quiescence" is enabled and "Enable application-aware processing" is disabled (meaning that Windows based backups are basically crash level backups).

Now, I've been trying hard to decide whether I should use application aware processing on my Windows AD servers or not. The reason is that I do not feel very comfortable providing a domain account to the veeam BR server: if the server is compromised, the attacker could connect to my domain as admin...

So, one question is whether I could specify a non-domain-admin account for this purpose. For example "backup operators"? Something else? What we are basically looking is an account have the privilege of creating and deleting VSS snapshots?

My second question comes with how one should setup AAP, when the entire job lists the cluster itself? Specifically, how should I specify that, say, a MachineA and MachineA alone should have AAP enabled? I'm thinking that perhaps one could click on "Applications..." whereas the cluster is already listed and then edit it, disable all AAP for it, save the change and then add a new item, only MachineA and enable AAP for it alone. Would that work?

Thanks in advance for any info provided.

[LickABrick]

Commenting on your comment about providing credentials for your AD. You have already provided credentials for your VMWare environment, once someone is in there they could get local administrator permissions on your VM's and pretty much get Domain Admin credentials if they wanted to (i.e. with a pass-the-hash attack). Secondly once they are in your VMWare environment they can just encrypt the datastore or delete the VM's, and since they are in your Veeam server already they can just delete the backups (except for immutable backups if you have those).

I think securing your Veeam environment and having immutable backups is something you should care more about.

Also, see here for required permission for AAP: https://helpcenter.veeam.com/docs/backu ... processing

[cosmik]

That was fast!

I've got immutable backups on a Linux hardened repo, so that's a plus. Your link about required permissions points out that for AD data backup the user should be a member of the administrators group. Therefore I definitely have to use one admin account from there.

Things look bleak the way you've described them, but do make sense. I'm especially curious on how they can get local admin permissions if they get access to my vmware environment.

The Veeam BR server itself is fully patched, but I have not succeeded in making console listen to localhost only (access to the system is via RDP). The built-in administrator account is configure to lock after X tries and I'm using another for all work. I guess there's somewhere a howto to harden the BR server itself.

Thanks for your info mate!

[LickABrick]

If someone get's in your VMWare environment they can upload a bootable ISO image which includes tools to reset Local Administrator passwords. These are usually used for recovery/troubleshooting purposes but can certainly used by an attacker.

[cosmik]

I see, perhaps mitigate with bitlocker encrypting the boot disk...