Monitoring and reporting for Veeam Data Platform
Post Reply
lando_uk
Veteran
Posts: 377
Liked: 32 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK
Contact:

Security Q: Connecting Veeam One to a hardened VBR install

Post by lando_uk »

I've setup a hardened VBR system, off the domain etc.

My Veeam One is on a domain server. I've added the local usernames/pw's of the VBR servers for the Data Protection view. Are these credentials safe and encrypted on the VONE or could a compromised admin account harvest them?

- I read somewhere that the credentials saved on the VBR server are easily hacked if you have local admin, is this true on vone?
HannesK
Product Manager
Posts: 14648
Liked: 2990 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Security Q: Connecting Veeam One to a hardened VBR install

Post by HannesK »

Hello,
It's the same with every software that stores credentials: an administrator can decrypt them. It's not "hacked" :-) It's just how storing, encrypting and using passwords works. It's the same with every software that stores credentials (e.g. your browser saved credentials)

We documented that in https://www.veeam.com/kb4349 (it's actually in the security section user guide since "always")

Best regards
Hannes
PS: in V12 we change authentication to certificate-based. So there are no passwords stored anymore
lando_uk
Veteran
Posts: 377
Liked: 32 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK
Contact:

Re: Security Q: Connecting Veeam One to a hardened VBR install

Post by lando_uk »

Just to confirm, I'm not talking about the VBR Database, I'm talking about the Veeam One config - The username/pw you use to connect to the VBR, is that stored in the vone DB using the same method?
HannesK
Product Manager
Posts: 14648
Liked: 2990 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Security Q: Connecting Veeam One to a hardened VBR install

Post by HannesK »

yes, the concept is everywhere the same... whether you take Google Chrome, VBR or ONE or any other software that is using Microsoft's data protection API (dpapi)
lando_uk
Veteran
Posts: 377
Liked: 32 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK
Contact:

Re: Security Q: Connecting Veeam One to a hardened VBR install

Post by lando_uk »

So to connect to the VBR for monitoring, rather than using the VBR admin user, can i setup a new non-admin user on VBR that only allows ONE read-only access to data too keep the backup files safe?
HannesK
Product Manager
Posts: 14648
Liked: 2990 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Security Q: Connecting Veeam One to a hardened VBR install

Post by HannesK » 1 person likes this post

you need the permissions described in the user guide https://helpcenter.veeam.com/docs/one/d ... ml?ver=110

In V12, you enter the credentials once for the initial connections. The password is not stored and certificate based authentication is used between ONE and VBR
Post Reply

Who is online

Users browsing this forum: No registered users and 8 guests