Hello everyone,
I'm currently in the process of planning the implementation of Veeam Backup & Replication for our company's backup needs. We have around 150 PCs primarily running on Windows, and I'm seeking some guidance on how to integrate this solution safely with Active Directory (AD).
In my testing phase using the Community edition, I've utilized the main Administrator account with all privileges. However, I'm concerned about potential unauthorized access to our AD environment. Could anyone provide insights into how I can mitigate this risk and ensure a secure integration with AD?
Please send me some documentation or guideline about it.
Your expertise and advice would be greatly appreciated. Thank you in advance for your assistance!
Best regards,
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Aug 09, 2023 7:11 am
- Full Name: Grzegorz Kalinowski
-
- Product Manager
- Posts: 10104
- Liked: 2696 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: Veeam Backup & Replication
Hello Grzegorz
Welcome to the forum. First, I want to suggest using a trial license instead of the Community edition.
With the trial license, you get the complete feature set to test.
https://www.veeam.com/kb1191
> In my testing phase using the Community edition, I've utilized the main Administrator account with all privileges. However, I'm concerned about potential unauthorized access to our AD environment. Could anyone provide insights into how I can mitigate this risk and ensure a secure integration with AD?
Some backup operations, such as application-aware processing of your domain controller, will require a service account with full administrative permissions. Veeam Backup & Replication v12 allows you to use gMSA accounts for your VM backups. With gMSA, you don't have to store this service account on the backup server.
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
The permissions required for service accounts are documented here:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
> We have around 150 PCs primarily running on Windows, and I'm seeking some guidance on how to integrate this solution safely with Active Directory (AD).
Protecting your 150 PCs can be done by our Veeam Agent. For the deployment, a service account with administrative permissions is required. Or you use a protection group of type "Computers with pre-installed agents". With pre-installed agents, you must deploy the agent by yourself. With such a protection group, credentials are not stored in the backup server and therefore cannot be exported by an attacker.
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
The most important thing is to protect your server from any unauthorized access. An attacker with administrative access to the backup server can export saved credentials, delete mutable backups, change all settings, ...
Use a workgroup or dedicated Active Directory for the backup server components. Never install the backup server in your production domain. Don't let your helpdesk/backup operators directly connect to the backup server. Install the backup console on a jump server and use that one to manage the backup server remotely. Additionally, enable MFA for those logins.
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
Best,
Fabian
Product Management Analyst @ Veeam Software
Re: Veeam Backup & Replication
You're most welcome.
Best practice is to not add the Windows server where you install Veeam Backup & Replication to the same active domain you need to protect.
Deploy the Windows server in a Windows workgroup or Management Domain. You can read more about it in our best practice guide (not updated yet for V12):
https://bp.veeam.com/vbr/Security/Security_domains.html
Best,
Fabian
Product Management Analyst @ Veeam Software
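A local check for the isolation advice given in the replies above (backup server not joined to the production domain, no production accounts with direct logon rights on it), added here as an example and not taken from the thread or from Veeam's documentation. The names `corp.example.com` and `CORP` are placeholders for the production domain being protected.

```powershell
# Added example: audit the host that will run Veeam Backup & Replication
# against the isolation advice in this thread. Run locally on that host.
param(
    # Placeholders (assumptions): the production domain being protected.
    [string]$ProductionDomain  = 'corp.example.com',
    [string]$ProductionNetBIOS = 'CORP'
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Membership: a workgroup or a separate management domain is expected.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain -and $cs.Domain -ieq $ProductionDomain) {
    $findings.Add("Host is joined to the production domain '$($cs.Domain)'.")
}

# 2. Logon rights: production-domain principals should not be local admins
#    or RDP users here. Well-known SIDs avoid localized group names.
$groups = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-555' = 'Remote Desktop Users'
}
foreach ($sid in $groups.Keys) {
    try {
        $members = Get-LocalGroupMember -SID $sid -ErrorAction Stop
    } catch {
        $findings.Add("Could not enumerate $($groups[$sid]): $($_.Exception.Message)")
        continue
    }
    foreach ($m in $members) {
        if ($m.Name -like "$ProductionNetBIOS\*") {
            $findings.Add("$($m.Name) ($($m.ObjectClass)) is a member of $($groups[$sid]).")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: no production-domain membership or logon rights found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

A non-zero exit code means at least one finding, so the script can run as a scheduled compliance check on the backup server and the jump server alike.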