Roles and Users
Deploy an access control policy: managing access to the management components is crucial for good protection. Use the principle of least privilege and grant only the minimal privilege needed for an operation to occur. An attacker who gains high-privilege access to backup infrastructure servers can obtain the credentials of user accounts and compromise other systems in your environment (refer to Veeam KB 4349 for more information). Make sure that every account has a specific role and is added to the group for that role.
Enforce containment to keep attackers from moving around too easily. Some standard measures and policies are:
- Do not use regular user accounts for admin access; this reduces incidents and accidents
- Give every Veeam admin their own admin account, or add their admin account to the appropriate security group within Veeam, for traceability and easy addition and removal
- Remove the default “Veeam Backup Administrator” role from the local Administrators group
- Only give out the access needed for the job
- Strictly limit the users who can log in using the Veeam console
- Add 2-factor authentication to highly valuable assets
- Monitor your accounts for suspicious activity
The role assigned to a user defines the user's activity scope: which operations in Veeam Backup & Replication the user can perform.
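The following script is an added example (not Veeam's own code) that audits the measures listed above on a backup server: it lists who holds which Veeam role, flags the default grant to the local Administrators group, flags role holders that are not one of your dedicated security groups, and lists local (non-domain) accounts in the server's Administrators group. It assumes the Veeam Backup & Replication PowerShell module is installed; the cmdlet names follow the Veeam PowerShell reference, the Name/Role property names are taken from the cmdlet's default table output (confirm with Get-Member on your version), and the CORP\Veeam* group names are placeholders for your own.

```powershell
# Added example: audit Veeam role assignments against the least-privilege measures.
# Assumptions: Veeam.Backup.PowerShell module present; property names Name/Role as
# shown by Get-VBRUserRoleAssignment; group names below are placeholders.
Import-Module Veeam.Backup.PowerShell -ErrorAction Stop

# One dedicated security group per role (placeholder names).
$ExpectedGroups = @{
    'Veeam Backup Administrator' = 'CORP\VeeamBackupAdmins'
    'Veeam Backup Operator'      = 'CORP\VeeamBackupOperators'
    'Veeam Restore Operator'     = 'CORP\VeeamRestoreOperators'
    'Veeam Backup Viewer'        = 'CORP\VeeamBackupViewers'
}

$findings = @()

foreach ($a in Get-VBRUserRoleAssignment) {
    $principal = $a.Name
    # Role may be an object or a string depending on the module version; normalise to its name.
    $role = if ($a.Role.Name) { $a.Role.Name } else { "$($a.Role)" }

    # Measure: the default "Veeam Backup Administrator" grant to the local
    # Administrators group should be removed.
    if ($principal -ieq 'BUILTIN\Administrators') {
        $findings += "REMOVE: '$principal' still holds '$role' (default grant)"
        continue
    }

    # Measure: roles go to dedicated groups, not to individual accounts, so that
    # adding or removing an admin is a group-membership change that leaves a trail.
    if ($ExpectedGroups.Values -inotcontains $principal) {
        $findings += "REVIEW: '$principal' holds '$role' but is not one of the expected security groups"
        continue
    }

    # Measure: least privilege - a group meant for operators or viewers must not
    # also hold the administrator role.
    $expectedRole = ($ExpectedGroups.GetEnumerator() | Where-Object { $_.Value -ieq $principal }).Key
    if ($expectedRole -and $expectedRole -ne $role) {
        $findings += "MISMATCH: '$principal' holds '$role', expected '$expectedRole'"
    }
}

# Measure: every member of the server's local Administrators group can reach the
# backup configuration anyway, so local accounts there deserve a second look.
foreach ($m in Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue) {
    if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
        $findings += "LOCAL ADMIN: '$($m.Name)' is a local account in Administrators (prefer named domain admin accounts)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No deviations from the expected role model found.' }
```

Run it under an account that holds the Veeam Backup Administrator role; it only reads assignments, so it is safe to schedule as a recurring check whose warnings feed your monitoring.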
Anonymization
Many companies follow best practices and use dedicated accounts for administrators to execute privileged tasks, alongside their regular user account for basic office duties. These accounts are often prefixed with “adm_”, which is convenient but helps attackers identify privileged accounts. Use “adm_” accounts for honeypot users only and choose another naming strategy for real admin accounts. Social networks may also help attackers identify a potential privileged account owner inside a company, so using anything that is not a user's name adds complexity to the identification of privileged accounts and slows attackers down.
Password management policy
Use a password management policy that works for your organization. Enforcing the use of strong passwords across your infrastructure is a valuable control: it makes it more challenging for attackers to guess passwords or crack hashes to gain unauthorized access to critical systems.
Selecting passwords of 10 characters with a mixture of upper and lowercase letters, numbers and special characters is a good start for user accounts.
Make sure default accounts and passwords have been modified on all your assets.
For admin accounts, adding 2-factor authentication is also a must to secure the infrastructure.
For service accounts, use 25+ characters combined with a password tool for easier management. An admin can copy and paste the password when needed, which increases the security of the service accounts.
Make sure the password tool and its database are available from a recovery site so that they remain accessible if a disaster occurs. Keep in mind that a recent backup of your password tool and database must reside on air-gapped media, such as DVD, CD-ROM or tape. The most crucial item is the Veeam repository password, which will allow you to restore from the backup files.
Access to production systems from the backup infrastructure can rely on Group Managed Service Accounts (gMSA), which make it easier to achieve a good security level because complex passwords are set and rotated automatically. Group Managed Service Accounts can be used with Veeam Backup & Replication since version 12.
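As an added example (not Veeam's own code), the script below encodes the two password rules above (10 characters mixing upper, lower, digits and specials for user accounts; 25 or more for service accounts) and generates service account passwords from the OS CSPRNG with rejection sampling, so every character is drawn uniformly rather than with modulo bias. The Test-PasswordPolicy and New-RandomPassword function names are my own, not a Veeam API.

```powershell
# Added example: policy check plus CSPRNG-based generation for service account passwords.
$Upper    = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
$Lower    = [char[]]'abcdefghijklmnopqrstuvwxyz'
$Digits   = [char[]]'0123456789'
$Special  = [char[]]'!#$%&()*+,-./:;<=>?@[]^_{|}~'
$Alphabet = $Upper + $Lower + $Digits + $Special   # 90 symbols

function Get-MinimumLength {
    param([ValidateSet('User', 'Service')][string] $Kind)
    if ($Kind -eq 'Service') { 25 } else { 10 }
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string] $Password,
        [ValidateSet('User', 'Service')][string] $Kind = 'User'
    )
    # -cmatch is case-sensitive; plain -match would let [A-Z] match lowercase too.
    return ($Password.Length -ge (Get-MinimumLength $Kind)) -and
           ($Password -cmatch '[A-Z]') -and
           ($Password -cmatch '[a-z]') -and
           ($Password -match  '[0-9]') -and
           ($Password -match  '[^A-Za-z0-9]')
}

function New-RandomPassword {
    param(
        [int] $Length = 28,
        [ValidateSet('User', 'Service')][string] $Kind = 'Service'
    )
    $min = Get-MinimumLength $Kind
    if ($Length -lt $min) { throw "Length $Length is below the $min-character minimum for $Kind accounts." }

    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $n     = $Alphabet.Count
    $limit = 256 - (256 % $n)   # bytes >= limit are rejected so that (byte % n) is uniform
    $byte  = New-Object byte[] 1
    try {
        do {
            $sb = [System.Text.StringBuilder]::new()
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($byte)
                if ($byte[0] -lt $limit) { [void]$sb.Append($Alphabet[$byte[0] % $n]) }
            }
            $pw = $sb.ToString()
        } until (Test-PasswordPolicy -Password $pw -Kind $Kind)   # redraw if a class happens to be missing
    } finally {
        $rng.Dispose()
    }
    return $pw
}

# Usage: generate a service account password to paste into the password tool,
# and check two candidate user passwords against the policy.
$servicePassword = New-RandomPassword -Length 28 -Kind Service
Test-PasswordPolicy -Password 'Rp7#veeamQ' -Kind User      # 10 characters, all four classes
Test-PasswordPolicy -Password 'Rp7#veeamQ' -Kind Service   # same string judged by the service account rule
```

The generated string is returned in clear text on purpose: the workflow above is to store it in the password tool, from which an admin pastes it when needed, so converting it to a SecureString in the shell would only hide it from the person who has to file it.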
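The following is an added example (not Veeam's own code) of provisioning a gMSA with the Active Directory PowerShell module so that only the backup servers can retrieve its password, which AD then rotates on its own. The domain name corp.example, the group VeeamBackupServers, the computer names VBR01 and VBR-PROXY01 and the account name gmsa-veeam are assumptions; replace them with your own.

```powershell
# Added example: create a gMSA that only the backup servers can use.
# Run on a domain-joined admin workstation with the RSAT AD module; the last
# two commands run on the backup server itself. Names are placeholders.
Import-Module ActiveDirectory -ErrorAction Stop

$GroupName = 'VeeamBackupServers'
$Servers   = @('VBR01', 'VBR-PROXY01')     # computer accounts of the backup infrastructure
$Gmsa      = 'gmsa-veeam'
$Domain    = 'corp.example'

# One-time per forest: the KDS root key from which gMSA passwords are derived.
# With -EffectiveImmediately the key still needs about 10 hours to replicate
# before a gMSA can be created; do not shortcut this in production.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# A security group holding the computer accounts that may retrieve the password.
# Scoping to a group (rather than individual computers) keeps later changes auditable.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Computers allowed to retrieve the Veeam gMSA password'
}
Add-ADGroupMember -Identity $GroupName -Members ($Servers | ForEach-Object { Get-ADComputer $_ })
# Note: a computer account picks up new group membership only after a reboot
# (it needs a fresh Kerberos ticket), so reboot the backup servers once here.

# The gMSA itself: password rotated every 30 days, AES-only Kerberos, and
# retrievable solely by members of $GroupName.
New-ADServiceAccount -Name $Gmsa -DNSHostName "$Gmsa.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES256 `
    -Enabled $true

# --- On each backup server (RSAT AD module installed), after the reboot ---
# Installs the account locally and confirms the server can retrieve its password.
Install-ADServiceAccount -Identity $Gmsa
Test-ADServiceAccount -Identity $Gmsa     # expected to return True once membership and replication are in place
```

In Veeam Backup & Replication the account is then registered as a gMSA credential record rather than a username/password pair, so no password is ever typed into or stored by the console; if Test-ADServiceAccount returns False, the usual causes are the missing reboot or the KDS root key not yet being effective.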
Lockout policy
Use a lockout policy that complements a sensible password management policy: accounts are locked after a small number of incorrect attempts. This can stop password guessing attacks dead in the water, but be careful, because it can also lock everyone out of the backup & replication system for a period! For service accounts it is sometimes better to raise alarms fast instead of locking the accounts; this way you gain visibility into suspicious behavior towards your data and infrastructure.
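To make the "alarm instead of lockout" idea above concrete, and to cover the honeypot "adm_" accounts from the Anonymization section, here is an added example (not Veeam's own code) that evaluates failed-logon events per account: any attempt against a honeypot account is an alert, and a burst of failures within a sliding window is an alert whose severity is raised for service accounts that are exempt from lockout. The event records are constructed samples in the shape of Windows Security event 4625; the account names, IP addresses, threshold and window are assumptions.

```powershell
# Added example: alert on failed-logon bursts and honeypot-account activity.
# In production, build $events from the backup server's Security log, e.g.
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 5000
# and map TimeCreated / TargetDomainName\TargetUserName / IpAddress to the fields below.

$ServiceAccounts  = @('CORP\svc-veeam-sql', 'CORP\svc-veeam-repo')  # alert rather than lock
$HoneypotAccounts = @('CORP\adm_backup')                             # decoys: no legitimate use at all

# Constructed sample events (not real log data).
$events = @(
    [pscustomobject]@{ Time = '2024-05-01T02:00:01'; Account = 'CORP\svc-veeam-sql'; Source = '10.0.5.23' },
    [pscustomobject]@{ Time = '2024-05-01T02:00:07'; Account = 'CORP\svc-veeam-sql'; Source = '10.0.5.23' },
    [pscustomobject]@{ Time = '2024-05-01T02:00:15'; Account = 'CORP\svc-veeam-sql'; Source = '10.0.5.23' },
    [pscustomobject]@{ Time = '2024-05-01T02:01:02'; Account = 'CORP\svc-veeam-sql'; Source = '10.0.5.23' },
    [pscustomobject]@{ Time = '2024-05-01T02:01:40'; Account = 'CORP\svc-veeam-sql'; Source = '10.0.5.23' },
    [pscustomobject]@{ Time = '2024-05-01T02:02:11'; Account = 'CORP\svc-veeam-sql'; Source = '10.0.5.23' },
    [pscustomobject]@{ Time = '2024-05-01T02:03:30'; Account = 'CORP\adm_backup';    Source = '10.0.5.23' },
    [pscustomobject]@{ Time = '2024-05-01T08:15:00'; Account = 'CORP\jdoe';          Source = '10.0.1.50' },
    [pscustomobject]@{ Time = '2024-05-01T08:15:20'; Account = 'CORP\jdoe';          Source = '10.0.1.50' }
)

function Get-FailedLogonAlerts {
    param(
        [Parameter(Mandatory)][object[]] $Events,
        [string[]] $ServiceAccounts  = @(),
        [string[]] $HoneypotAccounts = @(),
        [int]      $Threshold = 5,
        [timespan] $Window    = [timespan]::FromMinutes(10)
    )
    $alerts = @()
    foreach ($group in ($Events | Group-Object -Property Account)) {
        $account = $group.Name
        $times   = @($group.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object)
        $sources = (@($group.Group | ForEach-Object { $_.Source }) | Sort-Object -Unique) -join ', '

        if ($HoneypotAccounts -icontains $account) {
            # A decoy account has no legitimate user, so a single attempt is significant.
            $alerts += [pscustomobject]@{
                Severity = 'CRITICAL'; Account = $account; Attempts = $times.Count; Sources = $sources
                Reason   = 'logon attempt against honeypot account'
            }
            continue
        }

        # Sliding window: the largest number of failures that fall within $Window of each other.
        $maxBurst = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end   = $times[$i] + $Window
            $burst = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $end }).Count
            if ($burst -gt $maxBurst) { $maxBurst = $burst }
        }
        if ($maxBurst -ge $Threshold) {
            $isService = $ServiceAccounts -icontains $account
            $alerts += [pscustomobject]@{
                Severity = if ($isService) { 'HIGH' } else { 'MEDIUM' }
                Account  = $account; Attempts = $maxBurst; Sources = $sources
                Reason   = if ($isService) { "$maxBurst failures within $($Window.TotalMinutes) min; service account is exempt from lockout, investigate the source" }
                           else            { "$maxBurst failures within $($Window.TotalMinutes) min; account will be locked by policy" }
            }
        }
    }
    return $alerts
}

Get-FailedLogonAlerts -Events $events -ServiceAccounts $ServiceAccounts -HoneypotAccounts $HoneypotAccounts |
    Format-Table -AutoSize
```

With the sample data the service account produces a HIGH alert (six failures in about two minutes from one source), the honeypot account a CRITICAL one, and the two failures of the ordinary user stay below the threshold; wire the returned objects into whatever raises tickets or pages in your environment.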
Required Permissions
Use the principle of least privilege: grant the accounts only the minimal permissions they require to run.
Notes:
- The accounts used for installing and using Veeam Backup & Replication must have the permissions detailed in the user's guide.
- If a VMware vCenter Server is added to the backup infrastructure, an account with reduced permissions can be used. Use the minimum permissions for your use case; for example, Hot-Add backup requires the “delete disk” permission. You can also consider elevating permissions for restores. See details here.