-
- Enthusiast
- Posts: 39
- Liked: 4 times
- Joined: Nov 14, 2019 7:12 pm
- Full Name: Chris Lukowski
- Contact:
V12 update to the Veeam Backup & Replication Best Practice Guide?
Hi, I'm wondering if the new security features found in V12 will be included in an update to the Security section of the Veeam Backup & Replication Best Practice Guide at https://bp.veeam.com/vbr/Security/
I imagine that features such as MFA, gMSA, and Kerberos support will affect this guidance. Of particular interest is the recommendation to install the certain VBR management components in a separate Active Directory security domain than the one the production servers are joined to. We are about to embark on a redesign of our infrastructure and would like to have this information sooner rather than later. Especially since, in my experience, the Veeam support team seldom delves into the nitty-gritty of security best practices.
I imagine that features such as MFA, gMSA, and Kerberos support will affect this guidance. Of particular interest is the recommendation to install the certain VBR management components in a separate Active Directory security domain than the one the production servers are joined to. We are about to embark on a redesign of our infrastructure and would like to have this information sooner rather than later. Especially since, in my experience, the Veeam support team seldom delves into the nitty-gritty of security best practices.
-
- Chief Product Officer
- Posts: 31780
- Liked: 7280 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: V12 update to the Veeam Backup & Replication Best Practice Guide?
I'm sure they will. But just like with all previous versions, I expect it will take some time for the field folks who manage this document to actually establish best practices first, by observing the GA build in real-world environments. In other words, actual Practice by trial and error is required before the Best of those practices can be determined. As until every practice is proven in the field, it's not a best practice - but merely a theory.
-
- Veteran
- Posts: 405
- Liked: 106 times
- Joined: Jan 30, 2017 9:23 am
- Full Name: Ed Gummett
- Location: Manchester, United Kingdom
- Contact:
Re: V12 update to the Veeam Backup & Replication Best Practice Guide?
I expect it to always remain a best practice not to make your recovery tool dependent on something you would need that tool to recover, even if you're comfortable from a security perspective.
Ed Gummett (VMCA)
Senior Specialist Solutions Architect, Storage Technologies, AWS
(Senior Systems Engineer, Veeam Software, 2018-2021)
Senior Specialist Solutions Architect, Storage Technologies, AWS
(Senior Systems Engineer, Veeam Software, 2018-2021)
-
- Enthusiast
- Posts: 39
- Liked: 4 times
- Joined: Nov 14, 2019 7:12 pm
- Full Name: Chris Lukowski
- Contact:
Re: V12 update to the Veeam Backup & Replication Best Practice Guide?
Would you say it's better to set up this separate server in a standalone workgroup or another AD domain?
-
- Chief Product Officer
- Posts: 31780
- Liked: 7280 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: V12 update to the Veeam Backup & Replication Best Practice Guide?
Another AD forest for the infrastructure servers with one way incoming forest trust seems like a good idea if you can afford the management overhead of another AD forest. This way Infrastructure forest accounts will be able to access resources in a Production forest, but not the other way around (no Production forest accounts will be able to access Infrastructure forest resources).
Who is online
Users browsing this forum: No registered users and 92 guests