ferrus
Veeam ProPartner
Posts: 299
Liked: 43 times
Joined: Dec 03, 2015 3:41 pm
Location: UK
Contact:

Veeam on Workgroup, or separate AD Domain

Post by ferrus »

I'm planning the rebuild of our Veeam infrastructure, and one of the issues that was raised was our lack of an air gap to protect against ransomware attacks - between the production VMs and backup infrastructure.

We don't use Tapes and have no plans to return to using them - so I was planning on widening the gap by isolating the network as much as possible, and putting the Veeam servers on their own AD domain, connecting back to the corporate domain with a one way AD trust.

Recently, we've been using a placeholder Veeam server for the migration, which just exists on a standard Workgroup.
So far, everything has worked well on this server, which has made me reconsider if a separate domain is required.

Are there any benefits or drawbacks from using Veeam on a Workgroup vs Domain? Particularly with regard to security.
lando_uk
Veteran
Posts: 371
Liked: 32 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by lando_uk »

The simpler the better, imo. If I was rebuilding, I'd use workgroup - then it would all still work and you'd be able to login/restore etc. should your whole domain be unavailable. Consider firewall/access lists too.
rsomby
Lurker
Posts: 2
Liked: never
Joined: Feb 26, 2018 12:56 pm
Full Name: Ronny Somby
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by rsomby »

Going non-integrated could actually save it from being attacked in a BitLocker attack.
ferrus
Veeam ProPartner
Posts: 299
Liked: 43 times
Joined: Dec 03, 2015 3:41 pm
Location: UK
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by ferrus »

Seems that Workgroup isn't that bad an option.
I still have to work out some details regarding access to the SQL server for staging etc.

Most of the posts I've found regarding Workgroup vs Domain are years old, but mention issues using Sharepoint/SQL Explorers etc.
The recommendations seemed to go in favour of staying on the production domain (in happier times before ransomware attacks).
frankive
Service Provider
Posts: 1092
Liked: 134 times
Joined: May 14, 2013 8:35 pm
Full Name: Frank Iversen
Location: Norway
Contact:

[MERGED] Move server from domain to workgroup

Post by frankive »

Hi.
We want to move our Veeam server out of our domain and into workgroup mode.
Will this affect anything on the Veeam server when we log in with the new workgroup user?
DGrinev
Veteran
Posts: 1943
Liked: 247 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg
Contact:

Re: Move server from domain to workgroup

Post by DGrinev »

Hi Frank,

It shouldn't affect anything, and it also gives you certain opportunities, like the possibility to use the server even if the DC is down.
Please review the existing discussion as it contains useful considerations. Thanks!
unsichtbarre
Service Provider
Posts: 226
Liked: 39 times
Joined: Mar 08, 2010 4:05 pm
Full Name: John Borhek
Contact:

[MERGED] Veeam B&R Server joined to domain?

Post by unsichtbarre » 1 person likes this post

Should Veeam be joined to a production/user domain?

I advocate for a Veeam B&R installation where the Veeam server is either:

A) Not joined to the domain (Workgroup)
B) Joined to a dedicated Veeam/vSphere (non-user) AD deployment (if this environment will require directory authentication for Compliance)

My logic is based primarily on ransomware, but also on availability as the Veeam Server (and dedicated Veeam/vSphere AD, if created) will be located at the DR site.

Thoughts?
THX
John Borhek, Solutions Architect
https://vmsources.com
DGrinev
Veteran
Posts: 1943
Liked: 247 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg
Contact:

Re: Veeam B&R Server joined to domain?

Post by DGrinev »

Hi John,

You can choose whichever option best fits your needs, since both variants will work properly and have pros and cons.
Please review the existing discussion, it might help you to make a choice. Thanks!
frankive
Service Provider
Posts: 1092
Liked: 134 times
Joined: May 14, 2013 8:35 pm
Full Name: Frank Iversen
Location: Norway
Contact:

[MERGED] change from domain to workgroup veeam server

Post by frankive »

Hi.
Due to new policy settings we need to move a Veeam server from domain-joined to workgroup.
My approach is to just take the server out of the domain into the workgroup directly.
What issues should I expect to see?
The Veeam server hosts all the roles, e.g. the SQL Express database for itself etc.
andreas2012
Veeam ProPartner
Posts: 114
Liked: 5 times
Joined: Jun 11, 2013 11:27 am
Full Name: Andreas
Contact:

[MERGED] Hardening infrastructure

Post by andreas2012 »

Hi,

We are looking into hardening our backup infrastructure and have bought a new windows server with a lot of disks that we are going to use as a staging server. This server is a repository server, so we have left it in a workgroup.
Then we have the main backup and replication server that has the console; could we also move this server out to a workgroup?
And we also have 4 Veeam proxy servers; could we also move these out to a workgroup?

Thanks for reply.
Andreas
DGrinev
Veteran
Posts: 1943
Liked: 247 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg
Contact:

Re: change from domain to workgroup veeam server

Post by DGrinev »

frankive wrote: What issues should I expect to see?
Hi Frank,

You shouldn't face any issues switching from domain to workgroup.
Please review the existing discussion. Thanks!
ejenner
Veteran
Posts: 636
Liked: 100 times
Joined: Mar 23, 2018 4:43 pm
Full Name: EJ
Location: London
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by ejenner »

There are some things to think about if you're putting in a maximum resistance to nasty malware.

You could use 'rotating disks' on your repository. So you take disks out and put other disks in. A bit like tape, but using disks instead.

Another option is to use a mixture of Windows and Linux repositories. Where you have different flavors of OS it's less likely your whole organization could be taken out with one version of a malware infection.

You can do cloud connect as well. So put your Veeam system on an entirely different network and use the cloud connect functionality. But you must have 'Enterprise Plus' license for that.

Lastly, I'd say if you were unlucky enough to have something that nasty on your internal network that I doubt it would be playing fair and only using Microsoft Windows domain or non-domain access methods for getting to your data. If I were writing some nasty code I think I'd probably have it as a design parameter to treat all computers the same rather than trying to distinguish between domained and non-domained machines.
andreas2012
Veeam ProPartner
Posts: 114
Liked: 5 times
Joined: Jun 11, 2013 11:27 am
Full Name: Andreas
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by andreas2012 »

Hi,

Thanks for the reply. Everything has gone almost OK. The last thing was to move out the main B&R server, but the SQL server that contains the B&R database is still in the domain, so it will fail. How do I change the configuration of Veeam to use the SA account on the SQL server? I used a domain account during the installation, and I can't figure out how to change it :o

Regards
Andreas
ASG
Enthusiast
Posts: 75
Liked: 5 times
Joined: Aug 08, 2018 10:19 am
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by ASG »

ejenner wrote: Lastly, I'd say if you were unlucky enough to have something that nasty on your internal network that I doubt it would be playing fair and only using Microsoft Windows domain or non-domain access methods for getting to your data. If I were writing some nasty code I think I'd probably have it as a design parameter to treat all computers the same rather than trying to distinguish between domained and non-domained machines.
The point in non-domain is: you'll have to get credentials to access the server. No SSO, and if you do non-domain servers for backup these (usually) have another admin password (and some even don't use the "administrator" account, which is deactivated, but use a rather generic username; a former employee for example set r3h24bs as the admin-account username for one of the non-domain servers...).
ejenner
Veteran
Posts: 636
Liked: 100 times
Joined: Mar 23, 2018 4:43 pm
Full Name: EJ
Location: London
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by ejenner »

ASG wrote: The point in non-domain is: you'll have to get credentials to access the server. No SSO, and if you do non-domain servers for backup these (usually) have another admin password (and some even don't use the "administrator" account, which is deactivated, but use a rather generic username; a former employee for example set r3h24bs as the admin-account username for one of the non-domain servers...).
That protects against one kind of attack where the malware has obtained domain credentials. If a different attack vector were in play having those servers non-dom'ed would provide no protection at all. 'Air-gap' is the wrong way to describe what you've configured.

I see what you're saying though. It depends on how much you want to protect your data. These days I'd say the 3-2-1 rule is more important than ever given the frequency of disclosure of sub-OS level vulnerabilities.
ASG
Enthusiast
Posts: 75
Liked: 5 times
Joined: Aug 08, 2018 10:19 am
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by ASG »

ejenner wrote: That protects against one kind of attack where the malware has obtained domain credentials. If a different attack vector were in play having those servers non-dom'ed would provide no protection at all. 'Air-gap' is the wrong way to describe what you've configured.

I see what you're saying though. It depends on how much you want to protect your data. These days I'd say the 3-2-1 rule is more important than ever given the frequency of disclosure of sub-OS level vulnerabilities.
That's not at all 'Air-gap' (I'm pretty sure I didn't imply that, because our Air-gap Backup is Offline Tape) - it's an added layer that has to be breached to gain control of the backups (to delete or encrypt them). It targeted the fact that it's not about malware acting differently for domain vs. non-domain. And I didn't mean the malware "obtained domain credentials" - I mean SSO (as in Single Sign On). As in "Oh, someone with domain admin rights is running my malware, I don't have to re-authenticate on any other workstation or server since I'm domain admin" - that is the type this should protect against.
ejenner
Veteran
Posts: 636
Liked: 100 times
Joined: Mar 23, 2018 4:43 pm
Full Name: EJ
Location: London
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by ejenner »

ASG wrote: That's not at all 'Air-gap' (I'm pretty sure I didn't imply that, because our Air-gap Backup is Offline Tape) - it's an added layer that has to be breached to gain control of the backups (to delete or encrypt them). It targeted the fact that it's not about malware acting differently for domain vs. non-domain. And I didn't mean the malware "obtained domain credentials" - I mean SSO (as in Single Sign On). As in "Oh, someone with domain admin rights is running my malware, I don't have to re-authenticate on any other workstation or server since I'm domain admin" - that is the type this should protect against.
The issue is that the original post said 'lack of an air-gap' was a problem. You've answered several months later explaining how you resolved the problem of a lack of an air gap with a strategy of non-domaining... which is not an air-gap. :D
ASG
Enthusiast
Posts: 75
Liked: 5 times
Joined: Aug 08, 2018 10:19 am
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by ASG »

ejenner wrote: The issue is that the original post said 'lack of an air-gap' was a problem. You've answered several months later explaining how you resolved the problem of a lack of an air gap with a strategy of non-domaining... which is not an air-gap. :D
So your posting on 10 Sep 2018 17:38 was not several months before my posting; please stop posting such nonsense. And if you care to read the OP, which states as the last question "Are there any benefits or drawbacks from using Veeam on a Workgroup vs Domain? Particularly with regard to security." - my answer was perfectly fine with that.

The word air-gap is first mentioned in your reply to MY answer... In the OP there is talk about widening the gap, not air-gap'ing (since he stated that he DOESN'T want to use tapes). And I didn't even want to say this is air-gap - AND I DIDN'T DO IT. I just can't find anything in my post that lets you consider I said this is air-gap.

ffs

Edit:
And just to repeat it so you MIGHT understand it: IT'S NOT AIR-GAP and it's not my way of air-gap. You didn't seem to read my posts clearly. My air-gap is offline-tape (LTO-8) so "explaining how you resolved the problem of a lack of an air gap with a strategy of non-domaining" is just wrong.
ejenner
Veteran
Posts: 636
Liked: 100 times
Joined: Mar 23, 2018 4:43 pm
Full Name: EJ
Location: London
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by ejenner »

ferrus wrote: I'm planning the rebuild of our Veeam infrastructure, and one of the issues that was raised was our lack of an air gap to protect against ransomware attacks
I can see why you're getting frustrated. Go back to the first line of the first post. The whole topic is about air gap.

So my first posting is in response to that. You've then followed up with a strategy, which by being documented here on a topic about air gap... is by implication an air gap strategy. Except what you wrote on a topic about air gap does not describe an air gap. Which is what I said. :lol:
ASG
Enthusiast
Posts: 75
Liked: 5 times
Joined: Aug 08, 2018 10:19 am
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by ASG »

Somewhat picky about replying, eh? No word on the 'several months later' part :D :D :D

And you're still wrong - I'm answering on the last question in OP, and now go play somewhere else :mrgreen:
RockemSockem
Novice
Posts: 9
Liked: 1 time
Joined: Aug 28, 2018 4:39 pm
Full Name: Phil Jochum
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by RockemSockem » 1 person likes this post

andreas2012 wrote: Sep 11, 2018 10:17 pm How do I change the configuration of Veeam to use the SA account on the SQL server? I used a domain account during the installation, and I can't figure out how to change it :o
Andreas, I highly recommend that you create a separate SQL login mapped with dbo access to the VeeamBackup database rather than just using the sa login - even if it's a standalone SQL instance with no other databases. There's simply no reason for any application to be using the sa login. Period. If I had $100 for every time I've had that conversation with an ISV, I wouldn't have to work again! :D

To change the connection string, Veeam has a UI utility for that - Veeam.Backup.DBconfig.exe (Start > Veeam > Configuration Database Connection Settings).

Cheers!
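The least-privilege login RockemSockem describes, as an added T-SQL example that is not from the thread or from Veeam: a dedicated SQL login with db_owner on the existing VeeamBackup database instead of sa, followed by a check that it holds no server-level roles. The login name, password placeholder, and the assumption that the database was already created by the installer are mine; the server must allow SQL Server (mixed-mode) authentication for a SQL login to work at all.

```sql
-- Added example (not from the thread or from Veeam). Assumes SQL Server 2012+,
-- mixed-mode authentication enabled, and an existing [VeeamBackup] database.
USE [master];
GO

-- A plain SQL login for the backup server: no sysadmin, password policy enforced.
-- 'veeam_svc' and the password are placeholders; choose your own.
CREATE LOGIN [veeam_svc]
    WITH PASSWORD = N'<replace-with-a-long-random-password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF,
         DEFAULT_DATABASE = [VeeamBackup];
GO

-- Map the login into the configuration database and grant dbo rights there only.
USE [VeeamBackup];
GO
CREATE USER [veeam_svc] FOR LOGIN [veeam_svc];
ALTER ROLE [db_owner] ADD MEMBER [veeam_svc];
GO

-- Check: the login should be a member of no fixed server role (public is implicit
-- and is not listed in sys.server_role_members), so this query returns no rows.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = N'veeam_svc';
GO

-- Check: inside the database the login maps to a user that holds db_owner.
SELECT dp.name AS database_role
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS dp ON dp.principal_id = drm.role_principal_id
JOIN sys.database_principals AS u  ON u.principal_id  = drm.member_principal_id
WHERE u.name = N'veeam_svc';   -- expect exactly one row: db_owner
GO
```

After the login exists, point the server at it with Veeam.Backup.DBconfig.exe as described above, and remove the domain account's mapping from the database once the console connects successfully.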
StevenMeier
Enthusiast
Posts: 72
Liked: 30 times
Joined: Apr 22, 2016 1:06 am
Full Name: Steven Meier
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by StevenMeier »

I used the workgroup model at a cloud Service provider I worked for and it worked great.

I am at a new company now and just starting to install Veeam in a greenfield setup, and I am having discussions at the moment about using a workgroup model to provide an extra level of security.
ferrus
Veeam ProPartner
Posts: 299
Liked: 43 times
Joined: Dec 03, 2015 3:41 pm
Location: UK
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by ferrus »

In the end, we did stay with the Workgroup-design, for the backup infrastructure.
So far everything seems to be fine.

Stories like the one in this week's digest e-mail from Gostev still fill me with fear about our setup.

I don't hold out much hope that our first tier of backups (on Windows repositories) would survive a complex ransomware attack, even without being domain-joined.
I just hope there's enough of a gap (not air-gap admittedly) on our Data Domains.

I've disabled CIFS entirely, restricted NFS to a single Mtree - from a single Linux VM, and DDBoost to the main VM backup Mtrees.
It's a gamble trying to second guess the reach of malware that still hasn't been created.
lando_uk
Veteran
Posts: 371
Liked: 32 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by lando_uk »

For a pseudo-air gap, having hardware-based snapshots of the underlying storage that trigger on completion of the copy job is a good solution.
I realise this needs a SAN/NAS and not cheapo x86 server repositories, but it seems like a pretty good option.

Just don't have your SANs AD authenticated, limit their network access and use local accounts with MFA if possible.
jwillis1204
Lurker
Posts: 1
Liked: 1 time
Joined: Dec 26, 2018 5:23 pm
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by jwillis1204 » 1 person likes this post

ferrus wrote: Dec 10, 2018 9:49 am In the end, we did stay with the Workgroup-design, for the backup infrastructure.
So far everything seems to be fine.

Stories like the one in this week's digest e-mail from Gostev still fill me with fear about our setup.

I don't hold out much hope that our first tier of backups (on Windows repositories) would survive a complex ransomware attack, even without being domain-joined.
I just hope there's enough of a gap (not air-gap admittedly) on our Data Domains.

I've disabled CIFS entirely, restricted NFS to a single Mtree - from a single Linux VM, and DDBoost to the main VM backup Mtrees.
It's a gamble trying to second guess the reach of malware that still hasn't been created.
Could you forward me that digest? We're in the middle of a big worm resiliency push--definitely want to make sure I'm factoring in everything I can.

Sidebar, I had no idea the digests were a thing. Definitely an awesome perk.
ferrus
Veeam ProPartner
Posts: 299
Liked: 43 times
Joined: Dec 03, 2015 3:41 pm
Location: UK
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by ferrus »

jwillis1204 - check your PM for the digest.
stryker54141
Influencer
Posts: 21
Liked: 1 time
Joined: Aug 08, 2016 4:13 pm
Contact:

[MERGED] VBR on domain or workgroup?

Post by stryker54141 »

Everyone:

The subject line says it all. Do you install your VBR on your domain or by itself in a workgroup?

David
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by foggy » 1 person likes this post

Hi David, you can review some considerations above. Thanks!
bdufour
Expert
Posts: 206
Liked: 41 times
Joined: Nov 01, 2017 8:52 pm
Full Name: blake dufour
Contact:

Re: Veeam on Workgroup, or separate AD Domain

Post by bdufour »

AD/domain authentication everywhere possible, with MFA set up at the AD level - at least, on highly privileged accounts. Azure seems good.
I don't like the workgroup idea that much after thinking about it. I think AD MFA, if everything is authenticating through AD, solves the backup appliance and Veeam B&R console potential deletion/encryption issue if a privileged account is compromised and gains access to an administrative console. We've enabled MFA everywhere possible, but still we see many vendors don't support it, not just Veeam - the simple solution is to enable it at the AD level. If you were so unlucky as to have a compromised privileged AD account on your network, having MFA set up on that account would drastically limit the attack vector or thwart it completely. MFA also solves key loggers too.

Then you have disgruntled employees! It's actually a real threat; being able to disable a single AD account to restrict access to critical infrastructure is a great benefit to an institution. Having several separate local accounts would benefit a disgruntled employee. That's why it's so important for compliance!