Until now, I've preferred a Veeam infrastructure design following the security best practices under https://bp.veeam.com/vbr.
Only exception: the uninstall of the explorers on the core backup server is no longer feasible since the penultimate update (to 12.1.x).
(The Oracle KVM plug-in needs to be installed on the core backup server.)
The IT security team is concerned about the widely used "functional or service accounts" with strong but never-changing passwords.
Putting these accounts into the "Protected Users" group isn't possible for a considerable number of accounts.
That's why I've tried out "group managed service accounts" for e.g. Exchange backups. But for this I had to use AD-integrated proxy servers ...
Now I'm wondering if it would be better to completely re-join all the infrastructure into the Active Directory. Why am I asking this?
Without AD-join I'm "mostly safe" against a complete takeover scenario and ransomware issues on the repository servers.
With AD-join I could get rid of these never-changing accounts with very extensive system permissions.
What do you think about these two ways to design the backup infrastructure?
Would it be better in your opinion to stay "stand-alone" for the backup servers, proxies and repositories and to endure the static accounts?
Or do you see a lower security risk using gMSA with AD-integrated Veeam components?
What I never understood is why some people feel safe with AD-integrated proxies but non-AD repositories ... IMHO the proxies have to hold the repo credentials somewhere locally.
So it can't be more secure than a complete AD-join, can it?
Thank you for your statements!
Stefan
Re: veeam design question - what's more secure: usage of gMSA or Non-AD backup infrastructure?
Create a management/backup domain, create a gMSA service account there. Then set up a one-way trust to your production domain. In the production domain, you can assign local administrator rights to the gMSA account from the backup domain.
This way, if someone owns your production domain, they still can't get to your backup domain (which should obviously be locked down hard), while you enjoy the gMSA benefits of managed password changes.
Rasmus Haslund | Twitter: @haslund | Blog: https://rasmushaslund.com
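One way to build the setup Rasmus describes, as an added PowerShell example that is not part of the thread or of Veeam's own documentation. It assumes placeholder names: backup domain backup.example, production domain prod.example, gMSA gmsa-veeam, a backup-domain group Veeam-Hosts containing the Veeam servers, and RSAT/ActiveDirectory module access on the backup domain.

```powershell
# Added example, not from the thread. Placeholder names: backup.example (backup/management
# domain), prod.example (production domain), gmsa-veeam (the gMSA), Veeam-Hosts (AD group).
# Run steps 1-3 and 7 in the backup domain with the ActiveDirectory module loaded.
Import-Module ActiveDirectory

# 1. A KDS root key is required once per forest before any gMSA can exist.
#    -EffectiveImmediately still needs up to ~10 hours of replication on real DCs.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Group listing the ONLY computer accounts allowed to retrieve the managed password.
#    Production-domain hosts are deliberately NOT members, so even a compromised
#    production host cannot fetch the secret from the backup domain.
New-ADGroup -Name 'Veeam-Hosts' -GroupScope Global -Path 'OU=Veeam,DC=backup,DC=example'
Add-ADGroupMember -Identity 'Veeam-Hosts' -Members 'VBR01$', 'PROXY01$'   # backup-domain hosts

# 3. Create the gMSA: 30-day automatic password rotation, AES-only Kerberos (no RC4).
New-ADServiceAccount -Name 'gmsa-veeam' `
    -DNSHostName 'gmsa-veeam.backup.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'Veeam-Hosts' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# 4. On each backup-domain Veeam host (member of Veeam-Hosts; reboot after the group change):
#    Install-ADServiceAccount -Identity 'gmsa-veeam'
#    Test-ADServiceAccount -Identity 'gmsa-veeam'   # must return True before Veeam uses it

# 5. One-way trust: prod.example TRUSTS backup.example (prod = trusting, backup = trusted).
#    Backup-domain principals can then be authorised in production, but nothing in
#    production is trusted by the backup domain. Run on a prod.example DC:
#    netdom trust prod.example /Domain:backup.example /Add `
#        /UserD:BACKUP\admin /PasswordD:* /UserO:PROD\admin /PasswordO:*

# 6. On each production host Veeam must reach, grant the foreign gMSA local admin rights:
#    Add-LocalGroupMember -Group 'Administrators' -Member 'BACKUP\gmsa-veeam$'

# 7. Verification in the backup domain: which principals may read the gMSA password?
#    Anything outside Veeam-Hosts here is a misconfiguration worth an alert.
(Get-ADServiceAccount -Identity 'gmsa-veeam' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
```

Step 5 uses netdom's trusting-domain-first syntax; if the trust is created in the Active Directory Domains and Trusts GUI instead, choose an outgoing trust on prod.example pointing at backup.example.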
Re: veeam design question - what's more secure: usage of gMSA or Non-AD backup infrastructure?
That sounds very good, allowing for both: the intended security aspects and gMSA.
Thank you very much!
But will the VMs in the prod domain be able to catch the gMSA password?! I'm afraid that I'm missing some knowledge here.