ratkinsonuk
Full Name: Robert Atkinson

Veeam Console Access Groups

Post by ratkinsonuk »

A strange thing just happened! I logged onto our Veeam application server using an account that isn't explicitly defined in the Veeam console roles, but the account was able to connect and manage the B&R environment.

Is there an explicit rule in Veeam that allows Admin level access using the GUI from the B&R application server? I can't think of any other way this account would gain access.

Thanks, Rob.
MarkBoothmaa
Full Name: Mark Boothman

Re: Veeam Console Access Groups

Post by MarkBoothmaa »

https://helpcenter.veeam.com/docs/backu ... ml?ver=110
Built-in administrator accounts (Domain\Administrator and Machine\Administrator) always have full access to Veeam Backup & Replication, even if you exclude them from all Veeam Backup & Replication roles. If you delete the Administrators group from the Veeam Backup & Replication roles, the users who are added to this group will still have access to Veeam Backup & Replication.
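
The behaviour quoted above means membership of the server's local Administrators group is an implicit console role. The following audit sketch is an added example, not part of the original posts or Veeam's own tooling: it lists who holds that implicit access on the B&R server and flags entries missing from an allow-list. `$ApprovedAdmins`, its `CONTOSO\...` values and the function name `Get-ImplicitConsoleAdmin` are assumptions made for illustration.

```powershell
# Added example: run in an elevated session on the Veeam B&R server.
# $ApprovedAdmins is a hypothetical allow-list; the values are constructed samples.
$ApprovedAdmins = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\svc-veeam'
)

function Get-ImplicitConsoleAdmin {
    param([string[]]$Approved = @())

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup does not depend on the OS display language.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop

    foreach ($m in $members) {
        [pscustomobject]@{
            Name          = $m.Name
            ObjectClass   = $m.ObjectClass       # User or Group
            Source        = $m.PrincipalSource   # Local, ActiveDirectory, ...
            # RID 500 marks the built-in Administrator account (machine or domain).
            BuiltInRid500 = $m.SID.Value -match '^S-1-5-21-.*-500$'
            Approved      = $Approved -contains $m.Name
        }
    }
}

# Nested groups are listed as a single entry and are not expanded here;
# review the membership of any Group row separately.
Get-ImplicitConsoleAdmin -Approved $ApprovedAdmins |
    Sort-Object Approved, Name |
    Format-Table -AutoSize
```

Rows with `Approved` set to `False` are accounts that can manage the console regardless of what the Veeam roles list shows.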

Re: Veeam Console Access Groups

Post by ratkinsonuk »

Thanks for the help Mark - something I'd never come across before.

I really do wish Veeam would change their stance on console security. I agree if a hacker has managed to log onto the application server, then he/she is probably far enough in to get around console security. But there are many other scenarios where administrators need to lock down Veeam B&R without denying admin access to the server. It's exactly the same problem with Veeam AWS and Veeam 365.

Cheers, Rob.