StoopidMonkey
Enthusiast
Posts: 36
Liked: 4 times
Joined: Nov 14, 2019 7:12 pm
Full Name: Chris Lukowski

V12 update to the Veeam Backup & Replication Best Practice Guide?

Post by StoopidMonkey » 1 person likes this post

Hi, I'm wondering if the new security features found in V12 will be included in an update to the Security section of the Veeam Backup & Replication Best Practice Guide at https://bp.veeam.com/vbr/Security/

I imagine that features such as MFA, gMSA, and Kerberos support will affect this guidance. Of particular interest is the recommendation to install certain VBR management components in a separate Active Directory security domain from the one the production servers are joined to. We are about to embark on a redesign of our infrastructure and would like to have this information sooner rather than later, especially since, in my experience, the Veeam support team seldom delves into the nitty-gritty of security best practices.
Gostev
Chief Product Officer
Posts: 31638
Liked: 6793 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: V12 update to the Veeam Backup & Replication Best Practice Guide?

Post by Gostev » 1 person likes this post

I'm sure they will. But just like with all previous versions, I expect it will take some time for the field folks who manage this document to actually establish best practices first, by observing the GA build in real-world environments. In other words, actual Practice by trial and error is required before the Best of those practices can be determined. Until every practice is proven in the field, it's not a best practice, but merely a theory.
gummett
Veteran
Posts: 404
Liked: 106 times
Joined: Jan 30, 2017 9:23 am
Full Name: Ed Gummett
Location: Manchester, United Kingdom

Re: V12 update to the Veeam Backup & Replication Best Practice Guide?

Post by gummett » 1 person likes this post

I expect it to always remain a best practice not to make your recovery tool dependent on something you would need that tool to recover, even if you're comfortable from a security perspective.
Ed Gummett (VMCA)
Senior Specialist Solutions Architect, Storage Technologies, AWS
(Senior Systems Engineer, Veeam Software, 2018-2021)
StoopidMonkey
Enthusiast
Posts: 36
Liked: 4 times
Joined: Nov 14, 2019 7:12 pm
Full Name: Chris Lukowski

Re: V12 update to the Veeam Backup & Replication Best Practice Guide?

Post by StoopidMonkey »

Would you say it's better to set up this separate server in a standalone workgroup or another AD domain?
Gostev
Chief Product Officer
Posts: 31638
Liked: 6793 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: V12 update to the Veeam Backup & Replication Best Practice Guide?

Post by Gostev » 1 person likes this post

Another AD forest for the infrastructure servers with a one-way incoming forest trust seems like a good idea if you can afford the management overhead of another AD forest. This way, Infrastructure forest accounts will be able to access resources in the Production forest, but not the other way around (no Production forest accounts will be able to access Infrastructure forest resources).
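
A check for the trust layout described in the post above, as an added example that is not part of the thread or of Veeam's guide: run from the Infrastructure forest, it flags any trust that is not one-way incoming. The function name `Test-InfraForestTrust` and the sample forest names are hypothetical; the sample objects are constructed and only mimic the `Name`, `Direction` and `IntraForest` properties returned by `Get-ADTrust` from the ActiveDirectory module.

```powershell
# Added example. Evaluate trusts as seen from the Infrastructure forest.
# Direction, as reported by Get-ADTrust in the forest where it is run:
#   Inbound       = the other forest trusts us; our accounts can be granted access there
#   Outbound      = we trust the other forest; its accounts can be granted access here
#   BiDirectional = both of the above
function Test-InfraForestTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Trust
    )
    process {
        # Trusts between domains of the same forest are out of scope for this check.
        if ($Trust.IntraForest) { return }

        $direction = [string]$Trust.Direction
        $finding = switch ($direction) {
            'Inbound'       { 'OK: one-way incoming, matches the design' }
            'Outbound'      { 'VIOLATION: this forest trusts the other forest' }
            'BiDirectional' { 'VIOLATION: two-way trust' }
            default         { "REVIEW: unexpected direction '$direction'" }
        }
        [pscustomobject]@{
            Name      = $Trust.Name
            Direction = $direction
            Compliant = ($direction -eq 'Inbound')
            Finding   = $finding
        }
    }
}

# Constructed sample data so the check runs without a domain controller.
# On a domain-joined host in the Infrastructure forest, use instead:
#   Get-ADTrust -Filter * | Test-InfraForestTrust
$sample = @(
    [pscustomobject]@{ Name = 'prod.example';    Direction = 'Inbound';       IntraForest = $false }
    [pscustomobject]@{ Name = 'legacy.example';  Direction = 'BiDirectional'; IntraForest = $false }
    [pscustomobject]@{ Name = 'partner.example'; Direction = 'Outbound';      IntraForest = $false }
)

$sample | Test-InfraForestTrust | Format-Table -AutoSize
```

Run the same query in the Production forest and the direction is mirrored: the trust toward the Infrastructure forest shows as `Outbound` there.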