Single user account to access Veeam B&R console

[gabbas]

Hi, we are a small cloud team and historically we have been using a single dedicated account to access and manage our different Veeam backup & replication server (we have 6 VBR in total). We also sometime login using our individual domain account to access these servers but don't have the visibility of what other team member might be doing at the same time unless we get a confirmation from them. As an example, a team member logs in using his domain account and started a restore that might take a very long time or maybe due to some issues the task is stuck and we need to either stop the backup service or reboot the server but we have no visibility of the progress of this restore window unless this team member returns to work and login to look into this. We generally receive restore requests and using a dedicated account has been working well for us as we can log in using this account, can see the progress and any warnings/ errors etc and take actions if needed. My question is that can we keep using this dedicated domain admin account to access and manage our Veeam servers or is it the best practice to login using our individual domain account to manage Veeam B&R. Thanks

[Mildur]

Hi Ghulam

Welcome to the forum.
I recommend to use different accounts. If you have to analyze the audit logs of your backup server and want to know, which person accessed the data in the backup, you require different accounts.

but we have no visibility of the progress of this restore window unless this team member returns to work and login to look into this.

You can see all running restore sessions in the Veeam console, that the FLR explorer is open and if restore of files is running or not. Also you will see the user, which started the restore. You can get in contact with the user and ask him, if he has finished the restore.

login using our individual domain account to access these servers

Is the VBR Server in the production domain? If yes, than you should remove the VBR components from the production domain and use local windows users to access the Veeam Console. If you have a AD forest just for the backup server, than it's ok to use the domain accounts.

Thanks
Fabian

[gabbas]

Thanks Mildur, the VBR servers are not in the prod domain and there is a dedicated domain just for Veeam environment.

[soncscy]

My input, I'd strongly recommend relegate as much as you can through Enterprise Manager as you can with the requests. It's another installation of course, but keep people off the VBR server is the strategy I've been using with my clients for awhile -- only 1-3 people should ever need to be on the VBR server in my opinion and it should only be for maintenance reasons once you're set up. Everything else can be relegated to the EM server and keep the VBR server safe.

The advantage of this is the accountability you desire without the complexity of more accounts; they can auth on the Enterprise Manager server however you want (SAML support was an amazing improvement here) and it sounds like you just have needs for people to be doing restore requests, so I think it can help a ton.

Treat your backup application with the importance it carries and set up heavy auditing for logins to the server. It doesn't _stop_ malicious activities, but it sure makes it easier to realize when someone is doing something naughty.

[gabbas]

Thanks soncscy, yes it makes sense.