ksl28
Enthusiast
Posts: 64
Liked: 13 times
Joined: Sep 21, 2016 8:31 am

Service accounts hardening

Post by ksl28 » 1 person likes this post

Hi,

We are using a range of service accounts, based on what role they want to administer (repo, proxies, etc), for security reasons.
I'm planning on adding the accounts to Protected Users (https://docs.microsoft.com/en-us/previo ... dfrom=MSDN), and based on what I have read, it should be fine.

But I can't find any documentation from Veeam on whether this is supported or not.

Can anyone help clarify?
Mildur
Product Manager
Posts: 10984
Liked: 3016 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Service accounts hardening

Post by Mildur » 1 person likes this post

Hi Kristian

Looks like NTLM authentication will be disabled for the service accounts in the "Protected Users" group, which is currently not supported with Veeam V11.
https://docs.microsoft.com/en-us/previo ... dfrom=MSDN
The member of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP.

NTLM authentication is still mandatory for the communication between all veeam infrastructure servers.
https://helpcenter.veeam.com/docs/backu ... ml?ver=110
However NTLM authentication is still required for communication between Veeam backup infrastructure servers (backup server, backup proxies, backup repositories, guest interaction proxies, log shipping servers, mount servers).
Kerberos only will be supported with Veeam Backup & Replication V12. V12 will also allow using gMSA accounts for application-aware processing. These two new features should help you to get better security for all service accounts.

Thanks
Fabian
Product Management Analyst @ Veeam Software
ksl28
Enthusiast
Posts: 64
Liked: 13 times
Joined: Sep 21, 2016 8:31 am

Re: Service accounts hardening

Post by ksl28 »

Hi Fabian,

Thanks for the update - you are correct regarding the NTLM part.

If I read it correctly, then we need to keep NTLM open internally in our backup AD domain (it's separated from production).
But the service accounts we use for Guest indexing / Application-aware in the production AD domains, could be added to the protected users in the production AD domain.
Correct?

Do you have any other suggestions / guides how to harden the Windows infrastructure that hosts Veeam?
Mildur
Product Manager
Posts: 10984
Liked: 3016 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Service accounts hardening

Post by Mildur » 1 person likes this post

Hi Kristian

You are very welcome.

There is another limitation. Guest application-aware processing must temporarily run a small service to do its work:
Accounts for services and computers should never be members of the Protected Users group. This group provides incomplete protection anyway, because the password or certificate is always available on the host. Authentication will fail with the error "the user name or password is incorrect" for any service or computer that is added to the Protected Users group.
I suggest running a test with a single VM and a test service account.

We have some recommendations in our best practice guide:
https://bp.veeam.com/vbr/Security/

For me, one important thing is that you do not log in to the VBR server via remote or physical console.
No user should work directly on the VBR server. If you need to manage the VBR environment or perform a restore, use the VBR console on a dedicated jump host. It should have a Windows version with the same or higher patch level as your backed-up server, or you could face issues with restoring certain backups (VB365 Jet DB, ReFS filesystems, deduplication).
Product Management Analyst @ Veeam Software
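The two answers above make the same practical point: an account that still authenticates with NTLM (Veeam infrastructure accounts, and the account used by the temporary guest-processing service) will break once it is placed in "Protected Users". The following PowerShell script is an added example, not code from the thread or from Veeam: it lists which candidate accounts are already in Protected Users and scans successful logon events (4624) for NTLM authentication by those accounts, so you can see which ones are safe to move and which would break. The account names are hypothetical; it assumes the RSAT ActiveDirectory module, read access to the Security log on the queried host (for example the VBR server or a domain controller), and logon auditing enabled there.

```powershell
# Added example (not from the thread or from Veeam): before moving a service
# account into "Protected Users", check whether it still authenticates with NTLM.
# Assumptions: RSAT ActiveDirectory module is installed, the caller can read the
# Security log on $ComputerName, and successful logon auditing (4624) is enabled.
param(
    [string[]]$Accounts = @('svc-veeam-repo', 'svc-veeam-proxy'),  # hypothetical names
    [string]$ComputerName = $env:COMPUTERNAME,  # e.g. the VBR server or a DC
    [int]$Days = 7                               # audit window to inspect
)
Import-Module ActiveDirectory

# 1. Which candidate accounts are already members of Protected Users?
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# 2. Collect successful logons whose authentication package was NTLM.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
$ntlmLogons = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['AuthenticationPackageName'] -eq 'NTLM') {
            [pscustomobject]@{
                User      = $d['TargetUserName']
                Source    = $d['IpAddress']
                LogonType = $d['LogonType']   # 3 = network, typical for Veeam component traffic
                Time      = $_.TimeCreated
            }
        }
    }

# 3. Report per account: current membership and recent NTLM use.
foreach ($acct in $Accounts) {
    $hits = @($ntlmLogons | Where-Object { $_.User -eq $acct })
    [pscustomobject]@{
        Account          = $acct
        InProtectedUsers = ($protected -contains $acct)
        NtlmLogons       = $hits.Count
        NtlmSources      = (($hits.Source | Sort-Object -Unique) -join ',')
        Verdict          = if ($hits.Count -gt 0) { 'Still uses NTLM: adding to Protected Users would break it' }
                           else { 'No NTLM logons in window: candidate for Protected Users' }
    }
}
```

Run it against the VBR server and against a domain controller separately, since network logons from proxies and repositories are recorded on the host that accepted them.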