HansMeiser
Enthusiast
Posts: 54
Liked: 4 times
Joined: Jul 11, 2022 6:59 am

Veeam and zero trust security

Post by HansMeiser »

Hello,

Currently we are in the process of hardening our AD infrastructure following the zero trust infrastructure model.
https://en.wikipedia.org/wiki/Zero_trust_architecture

I am trying to figure out how Veeam is involved in this topic, because Veeam obviously uses login credentials with the highest security privileges. Part of our process is to disable domain admin login by username + password and replace it with login by smartcard and certificate.
We already moved our domain controllers into separate backup jobs (with application awareness), so only in that position are the highest privileges needed. I also read that Veeam supports Managed Service Accounts, which I think would be great for backing up domain controllers, but there is still a security gap while restoring AD objects. This process requires the username + password of a domain administrator. So I think this is needed in case your AD is recreated from backup after a disaster. But in most cases, in my experience, the restore function is just used to restore some specific AD objects which were deleted by mistake. Would it be possible or practicable to support login by smartcard + certificate + PIN in this scenario? Of course the backup server has to be part of the domain in this case.
What are your general experiences in a zero trust environment?

Thank you,
Hans
M.Escobar
Veeam Software
Posts: 32
Liked: 9 times
Joined: Apr 04, 2015 12:58 am
Full Name: Marco Escobar
Location: Santiago, Chile

Re: Veeam and zero trust security

Post by M.Escobar » 2 people like this post

Hi Hans,
Thanks for asking about setting up Veeam in a zero trust environment. About your specific questions:

Managed Service Accounts (gMSA): Yes, Veeam works with gMSAs for backups, which is much safer since you don't need to use static passwords for these processes.
AD Object Restoration: When you need to restore specific AD objects (not doing a full disaster recovery), you might want to:
  • Use a special account with just enough permissions for AD restorations
  • Set up Just-In-Time (JIT) access for this account
  • Make sure you have good monitoring and alerts whenever these credentials are used
Zero Trust Environment Experience: From what I have seen, it really helps to use multiple layers of protection:
  • Separate your backup servers from other networks
  • Require multi-factor authentication for all admin consoles
  • Encrypt your data both when it's moving and when it's stored
  • Give all service accounts only the minimum permissions they need
  • Enable 4-eyes authorization for critical system changes
  • Customers are using Just-In-Time (JIT) access for restoring AD objects
As for smartcard, certificate, and PIN support for restores using Veeam Explorer for AD, we'll consider it a feature request and investigate whether it would be feasible to add this capability.

Thanks!
Marco
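The answer above recommends a dedicated least-privilege restore account, Just-In-Time (JIT) access for it, and monitoring whenever its credentials are used. The script below is an added example of what that monitoring can look like; it is not Veeam code and uses no Veeam API. It checks Windows Security events for the restore account against a list of approved JIT windows and raises an alert for any credential use that falls outside a window or comes from a host other than the one the grant names. The account name `svc-ad-restore`, the IP addresses, the ticket id and the event records are all constructed sample data; only the event IDs (4624 logon, 4768 Kerberos TGT request, 4634 logoff) are real Windows values.

```python
"""Alert on AD-restore account credential use outside an approved JIT window.

Added example (not Veeam's code). Events, account name, hosts and grants are
constructed sample data; the event IDs are real Windows Security event IDs.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Hypothetical dedicated least-privilege account used only for AD object restores.
RESTORE_ACCOUNT = "svc-ad-restore"

# Events that show the account's credentials were actually used:
# 4624 = successful logon, 4768 = Kerberos TGT requested.
CREDENTIAL_USE_EVENTS = {4624, 4768}


@dataclass(frozen=True)
class JitGrant:
    """One approved JIT window: account, approved source host, time range, ticket."""
    account: str
    source_ip: str
    start: datetime
    end: datetime
    ticket: str


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_event(event: dict, grants: list[JitGrant]) -> str | None:
    """Return None when the event is irrelevant or approved, else the alert reason."""
    if event["EventID"] not in CREDENTIAL_USE_EVENTS:
        return None                      # logoffs etc. are not credential use
    if event["TargetUserName"].lower() != RESTORE_ACCOUNT:
        return None                      # only watch the restore account
    when = parse_time(event["TimeCreated"])
    src = event["IpAddress"]
    # Grants whose time window covers this event.
    active = [g for g in grants if g.account == RESTORE_ACCOUNT and g.start <= when <= g.end]
    if not active:
        return "credential use outside any approved JIT window"
    if not any(g.source_ip == src for g in active):
        return f"credential use from {src}, which is not the host named in the JIT grant"
    return None


def find_unapproved_uses(events: list[dict], grants: list[JitGrant]) -> list[dict]:
    """Run every event through classify_event and collect the alerts."""
    alerts = []
    for ev in events:
        reason = classify_event(ev, grants)
        if reason:
            alerts.append({"time": ev["TimeCreated"], "event_id": ev["EventID"],
                           "source": ev["IpAddress"], "reason": reason})
    return alerts


# Constructed JIT grant: one hour on 2 May 2024 from the backup console host.
JIT_GRANTS = [
    JitGrant(RESTORE_ACCOUNT, "10.0.5.20",
             parse_time("2024-05-02T09:00:00Z"), parse_time("2024-05-02T10:00:00Z"),
             "TICKET-PLACEHOLDER-1"),
]

# Constructed Security events, reduced to the fields the check needs.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-05-02T09:05:12Z",
     "TargetUserName": "svc-ad-restore", "IpAddress": "10.0.5.20"},   # approved
    {"EventID": 4768, "TimeCreated": "2024-05-02T09:05:13Z",
     "TargetUserName": "svc-ad-restore", "IpAddress": "10.0.5.20"},   # approved
    {"EventID": 4634, "TimeCreated": "2024-05-02T09:40:00Z",
     "TargetUserName": "svc-ad-restore"},                             # logoff, ignored
    {"EventID": 4624, "TimeCreated": "2024-05-02T09:30:00Z",
     "TargetUserName": "svc-ad-restore", "IpAddress": "10.0.7.9"},    # wrong host -> alert
    {"EventID": 4624, "TimeCreated": "2024-05-02T09:31:00Z",
     "TargetUserName": "jdoe", "IpAddress": "10.0.7.9"},              # other account, ignored
    {"EventID": 4624, "TimeCreated": "2024-05-02T22:41:05Z",
     "TargetUserName": "svc-ad-restore", "IpAddress": "10.0.5.20"},   # outside window -> alert
]

if __name__ == "__main__":
    for alert in find_unapproved_uses(SAMPLE_EVENTS, JIT_GRANTS):
        print(f"ALERT {alert['time']} event {alert['event_id']} "
              f"from {alert['source']}: {alert['reason']}")
```

In practice the event list would come from the domain controllers' Security logs (or a SIEM export) and the grants from whatever PAM or ticketing system issues the JIT approvals; the check itself stays the same, and a 4624/4768 for the restore account with no matching grant is the signal that the "just enough permissions" account is being used outside the restore process it was created for.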