Last week I visited a security convention in the Netherlands and attended a seminar about cybersecurity.
Veeam was also present at this convention.
One of the things that was really an eye opener was the way penetration testers try to gain access to your network (the ethical hacker you hire to secure your network).
One of the tools that was used was called Mimikatz (https://github.com/gentilkiwi/mimikatz/releases).
This tool tries to read user names and passwords from memory.
I have tried this tool myself on an isolated vanilla Windows 7 VM and indeed the "admin" password was displayed in cleartext.
The tool itself is intercepted by most antivirus scanners and also Windows Defender, but in theory this tool could be used to acquire privileged accounts.
So this started to make me think.
Veeam uses "guest OS credentials" to gain access to the machine when it tries to back up the machine.
This is often an account with many privileges. You also often use the same account for many machines.
What if one machine in your network would be compromised? What if a hacker would have gained access to this one machine and waits for a backup to occur?
Could it, in theory, be possible to read the account using this tool and gain access to more PCs or servers?
To be honest, I didn't have the time yet to test this out.
But.... It made me even wonder some more...
For all our machines we use Microsoft LAPS.
Microsoft LAPS gives every single PC or server its unique local admin account with random password.
We also use this really nice software deployment program called PDQ Deploy and PDQ Inventory.
Just recently they introduced new functionality to use the LAPS credentials to deploy or inventory the software on each PC.
So basically what it does is use a specific account to read the password for a specific PC from Active Directory and then use these credentials to contact the PC.
So each PC/server is contacted using its own unique local administrator account.
If the account would be compromised, then only the account for that specific PC is compromised.
With this in mind I was wondering if it would be beneficial for future releases of Veeam to integrate the use of LAPS to inject the Guest OS credentials.
Any thoughts people might have on this would be great.
Perhaps there is no need to worry. I do not have enough knowledge on the subject to verify this, but I have seen stuff happening at this security convention and it's making me nervous. These guys are really, really good and I think it will be hard to keep these guys out.
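The per-machine credential flow described in the post (read the LAPS password for one specific computer from Active Directory, then use that credential only against that computer) looks roughly like this in PowerShell. This is an added example, not code from the original post, from Veeam or from PDQ. It assumes legacy Microsoft LAPS, which stores the password in the `ms-Mcs-AdmPwd` attribute and the expiry in `ms-Mcs-AdmPwdExpirationTime`; the newer built-in Windows LAPS uses different attributes and the `Get-LapsADPassword` cmdlet instead. The host name `SRV01` is a placeholder, and the account running the script needs the delegated right to read the password attribute.

```powershell
# Added example (not from the original post, Veeam or PDQ): fetch the LAPS-managed
# local administrator password for ONE computer from AD and build a credential that
# is only valid on that computer. Assumes legacy LAPS (ms-Mcs-AdmPwd attribute) and
# the RSAT ActiveDirectory module; the caller needs delegated read rights on the attribute.
Import-Module ActiveDirectory

function Get-LapsCredential {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Name of the LAPS-managed local account; the LAPS default is Administrator
        [string] $LocalAccountName = 'Administrator'
    )

    $computer = Get-ADComputer -Identity $ComputerName `
        -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'

    if (-not $computer.'ms-Mcs-AdmPwd') {
        throw "No LAPS password readable for $ComputerName (not LAPS-managed, or no read permission)."
    }

    # Expiry is stored as a Windows FILETIME (100 ns ticks since 1601, UTC)
    $expires = [DateTime]::FromFileTimeUtc([int64]$computer.'ms-Mcs-AdmPwdExpirationTime')
    if ($expires -lt (Get-Date).ToUniversalTime()) {
        Write-Warning "LAPS password for $ComputerName expired at $expires UTC; the client may rotate it soon."
    }

    $secure = ConvertTo-SecureString -String $computer.'ms-Mcs-AdmPwd' -AsPlainText -Force
    # COMPUTER\account form: a local account, so the secret cannot be replayed as a domain identity
    return New-Object System.Management.Automation.PSCredential("$ComputerName\$LocalAccountName", $secure)
}

# Usage with a placeholder host name: one credential per machine, fetched right before the job.
$cred = Get-LapsCredential -ComputerName 'SRV01'
Invoke-Command -ComputerName 'SRV01' -Credential $cred -ScriptBlock { hostname; whoami }

# Optional: expire the password right after the job so the value that was just in use
# stops being valid once the LAPS client rotates it (cmdlet from the legacy AdmPwd.PS module).
# Import-Module AdmPwd.PS; Reset-AdmPwdPassword -ComputerName 'SRV01' -WhenEffective (Get-Date)
```

The point of the pattern is blast radius: even if the credential used for `SRV01` were recovered from that machine's memory, it opens no other host, and forcing expiry after each job shortens the window further.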