Comprehensive data protection for all workloads
meelvi
Novice
Posts: 3
Liked: 1 time
Joined: Jul 07, 2015 5:44 am
Full Name: Meelis Viht

Veeam servers NTLM disable

Post by meelvi » 1 person likes this post

As described here https://helpcenter.veeam.com/docs/backu ... ml?ver=100, NTLM is still needed between servers related to Veeam.
Will this requirement also apply in Veeam 11?
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Veeam servers NTLM disable

Post by Gostev »

Yes, no changes in v11.
dojit
Novice
Posts: 4
Liked: 2 times
Joined: Sep 06, 2018 4:15 am
Full Name: Steve Harris

Re: Veeam servers NTLM disable

Post by dojit » 1 person likes this post

I can't believe it's 2022 and VEEAM still does not view this issue as a critical security vulnerability, let alone fix it for customers.

We will not move to VEEAM until it's secure by design (e.g. Kerberos default OOTB).
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Veeam servers NTLM disable

Post by Gostev »

Could you please clarify what specific "critical security vulnerability" you are talking about? Since all known vulnerabilities have CVE assigned to them, please just share the one you're referring to. Thanks!
dojit
Novice
Posts: 4
Liked: 2 times
Joined: Sep 06, 2018 4:15 am
Full Name: Steve Harris

Re: Veeam servers NTLM disable

Post by dojit » 1 person likes this post

RE: Could you please clarify what specific critical vulnerability you are talking about? Since all known vulnerabilities have CVE assigned to them, please just share the one you're referring to. Thanks!

We have all OS fully patched on a per-CVE (too numerous to mention) basis. So no problem!?

Please remember NTLM is 20+ years old. Best practice is don't use it. Full Stop.

We only use Kerberos 88 or LDAPs 636 for applications.

We hope for VEEAM to move to Kerberos by end of 2022 at the latest so we can commence using VEEAM everywhere for our entire physical DC/File/Print/ADDS/ADCS Fleet.

There would be substantial sales uptick / incentive for VEEAM to do so ASAP.

It is still very hard to determine what VEEAM products support MSL Tape Libraries with multiple LTO8 drives. If VEEAM were to make this clearer for customers, it would also boost sales uptick.

As always, I look forward to updates in your Veeam R&D Forums Digest!
awhiting
Lurker
Posts: 2
Liked: never
Joined: Apr 08, 2010 1:40 pm
Full Name: Adam Whiting

Re: Veeam servers NTLM disable

Post by awhiting »

I agree that Veeam should look to phase out the use of NTLM ASAP. Here is a page from Microsoft about NTLM: https://learn.microsoft.com/en-us/windo ... mendations. Under Security Considerations it states: "NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards."

I have seen internal security tests, on domains that use the default Windows security settings (which are no longer secure), that successfully use NTLM to obtain Domain Admin access to a domain. It seems to me that, with how bad actors are going after backups, Veeam would not rely on Microsoft default policies as protection.

Since NTLM is vulnerable (from the link above: "Malicious attacks on NTLM authentication traffic resulting in a compromised server or domain controller can occur only if the server or domain controller handles NTLM requests. If those requests are denied, this attack vector is eliminated."), Veeam should work to protect their customers, even if it is just protecting the backup environment for their customers. They should find ways to use secure authentication.
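The Microsoft guidance quoted above says the attack surface disappears once a server stops handling NTLM requests, and the practical prerequisite for that is knowing which hosts and accounts still rely on NTLM. The following is an added example, not code from this thread, from Veeam or from Microsoft: it reads the Windows "Restrict NTLM" policy state from the registry and summarises recent NTLM audit events so an administrator can see what would break before moving a backup server from audit to deny. It assumes an elevated PowerShell session on a Windows server; the registry paths, value names and the Microsoft-Windows-NTLM/Operational event IDs are the standard Windows ones, and the value-to-meaning tables follow Microsoft's documentation of those policies.

```powershell
# Added example (not from the forum thread or from Veeam): inventory a Windows host's
# NTLM-restriction policy and its recent NTLM usage before denying NTLM.
# Run in an elevated PowerShell session on each backup-related server.

$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # an absent value means the policy is "Not configured"
}

# Value meanings follow Microsoft's "Network security: Restrict NTLM" policy documentation.
$outgoing = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
$incoming = @{ 0 = 'Allow all'; 1 = 'Deny for domain accounts'; 2 = 'Deny for all accounts' }
$auditIn  = @{ 0 = 'Disabled';  1 = 'Audit domain accounts'; 2 = 'Audit all accounts' }

function Describe {
    param([hashtable]$Table, $Value)
    if ($null -eq $Value)                { return 'Not configured' }
    if ($Table.ContainsKey([int]$Value)) { return $Table[[int]$Value] }
    return "Unknown ($Value)"
}

# 1. Current policy state. LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1.
$lm = Get-RegValue -Path $lsa -Name 'LmCompatibilityLevel'
[pscustomobject]@{
    Host                 = $env:COMPUTERNAME
    LmCompatibilityLevel = $(if ($null -eq $lm) { 'Not configured' } else { $lm })
    RestrictOutgoingNTLM = Describe $outgoing (Get-RegValue -Path $msv -Name 'RestrictSendingNTLMTraffic')
    RestrictIncomingNTLM = Describe $incoming (Get-RegValue -Path $msv -Name 'RestrictReceivingNTLMTraffic')
    AuditIncomingNTLM    = Describe $auditIn  (Get-RegValue -Path $msv -Name 'AuditReceivingNTLMTraffic')
} | Format-List

# 2. Who still uses NTLM. With auditing enabled, the NTLM operational log records
#    events 8001-8004 (outgoing client, incoming server and domain-controller audits).
$events = Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8001, 8002, 8003, 8004 }

if (-not $events) {
    Write-Output 'No NTLM audit events found (auditing may be off, or NTLM is not in use on this host).'
} else {
    $events | ForEach-Object {
        # Flatten each event's EventData into "Name=value" pairs; field names differ per event ID.
        $xml    = [xml]$_.ToXml()
        $detail = ($xml.Event.EventData.Data | ForEach-Object { "$($_.Name)=$($_.'#text')" }) -join '; '
        [pscustomobject]@{ Id = $_.Id; Detail = $detail }
    } |
    Group-Object Id, Detail |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Id';     e = { $_.Group[0].Id } },
                  @{ n = 'Detail'; e = { $_.Group[0].Detail } } |
    Format-Table -AutoSize -Wrap
}
```

Run it on the backup server, proxies and repositories first with the outgoing and incoming policies in their audit settings; the grouped event list shows exactly which peers and accounts still negotiate NTLM (in a Veeam deployment that will include the server-to-server traffic the first post refers to), and only when that list is empty or accounted for is it safe to move the same hosts to the deny settings.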