Blogs and podcasts
Bring your knowledge and expertise while creating blogs and podcasts
- 642 Topics
- 5,014 Comments
Comparison of vSphere Transport Modes
Each time I talk to customers at installation dates or health-checks, I spend some time talking about vSphere transport modes. These are: Direct Storage Access, Storage Integration (I take this as a separate mode), Virtual Appliance and Network mode. This is a topic with a lot of facets still not widely known. Here I will try to compare these transport modes on the basis of some characteristics. Direct Storage Access. Security: Honestly rather bad. Since production volumes are presented to a Veeam proxy host, a local admin/root can easily delete all volumes within seconds. Much better if the storage system is able to present volumes in read-only mode. Network: As the name suggests, backup traffic is kept in storage network. Configuration Effort: It is more complex to configure than other modes. This is also because you need to configure different layers like storage switches and arrays. You may have to configure the array with each new volume for backup too. It could be more tricky to
Be aware: SteelSeries bug grants Windows 10 administrative rights plugging in a device
It has been found that the official app used in installing SteelSeries devices on Windows 10 can be exploited to grant Admin rights, as discovered by security researcher “Lawrence Amer”. As stated by BleepingComputer, the bug can be leveraged during the device startup process using a link in the License Agreement screen that is opened with SYSTEM privileges. A real SteelSeries device is not necessary to exploit the bug. Also, a bug was discovered in the Razer Synapse software that granted unauthorised admin access. Now, a similar bug was found in SteelSeries software that gives anyone who plugs in a device complete control over a Windows 10 PC with admin rights. Emulating a device also works. This discovery became known after news broke out about the Razer Synapse software as it was able to grant administrative privileges when connecting a Razer mouse or keyboard. This motivated the research from Jorhat, offensive security researcher Lawrence Amer (research team leader at 0xsp) foun
3 cloud monte
Another video from the quick and nerdy series. This video is half how-to half showcase of the true flexibility of Veeam and cloud data protection. It starts with taking a backup of an EC2 instance with VBAWS, using a VBR server to backup copy job to a SOBR with Wasabi and finally using that Wasabi bucket to Natively restore to Azure. This one had a lot of moving parts so it went a little over the 10-15 minute structure but it’s worth a watch!
Monitoring of Capacity Tier Jobs and Tasks
Greetings Community, I have been working for a few weeks on parsing all things Veeam Logs, deep stuff that is for sure. On this specific Post I want to cover the Monitoring of the Capacity Tier Jobs and Tasks. This is work in progress, so I am writing this post seeking help from you, to try it on your lab, or on your environments (always remembering it is Community Stuff and not supported). System Requirements: You should have Telegraf+InfluxDB+Grafana installed. Grafana should be the version 8.0.2 - In case you have an inferior version, or superior, please just run this: `sudo apt-get install grafana=8.0.2`. You should have telegraf installed on the VBR, I hope properly configured sending metrics to your InfluxDB. Ping me if need anything. But it is really simple. The telegraf.conf at the end should contain this at the end of the file (this is the fairy dust that makes us fly :)) # Offload Job - ID and final status [[inputs.tail]] files = ["C:\\ProgramData\\Veeam\\Backup\\*\\Offload*.log"] from_
Yet another Windows print spooler zero-day Vulnerability: Mitigate Windows Print Spooler Remote Code Execution – CVE-2021-36958
Microsoft has issued an advisory for another zero-day Windows print spooler vulnerability tracked as CVE-2021-36958 that allows local attackers to gain SYSTEM privileges on a computer. As stated by Microsoft, an attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges. If you wish to have more detailed information on the development of this vulnerability, when it was first discovered, its workaround and patches released so far, please visit the following links. Unlike the previous exploits, this vulnerability affects the Windows print spooler, Windows print drivers, and Windows Point and Print. For a detailed guide, please refer to this link. Here is a link to the video (Twitter trend) as discovered by Benjamin Delpy. How do you mitigate this issue? There isn’t a patch (update) as at the time of this writing. The good thing is, there is always a workaround. – You can disable the Print Spooler service or allow your device to install printers
NKGG decides to dump AUTH0 and leverage a home grown Keycloak deployment for Kasten Authentication
Big News compliance Junkies have taken over NKGG’s and JuniorJoe’s company!! NKGG’s and JuniorJoe’s company was grabbed in a hostile takeover. A group of venture compliance junkies are now at the helm. The firm is now called Drdisasters.com. They specialize in taking DR testing to the limit so that it conforms completely with a compliance junkie’s dream, that is, Drdisasters.com will test your DR Plan by creating real life DR situations for your company. The next time an auditor asks, “how sure are you that the DR plan will work?” you can answer well we burned down our server room and implemented our DR plan and it worked wonderfully!! Now more than ever NKGG had to finalize his Kasten authorization setup. Come audit time the compliance gang would surely drill him on every aspect and he needed full control. Time to ditch the external authentication service and create his own. After some research he decided on using keycloak and the bitnami helm chart: https://bitnami.com/stack/keycloak/helm
Automatically create vSphere roles to use with Veeam Backup & Replication V11
Good day everyone! In November 2020 I created a PowerCLI script which creates a vSphere role with cumulative permissions for Veeam Backup & Replication version 10. In the meantime VBR v11 was released and I needed to update that script and wanted to create “new awareness” of it. The fact that I see A LOT of Administrator@vsphere.local users being used with adding the vCenter to Veeam makes me nervous, that’s why I wanted to fight against this with a simple script so no one needs to manually go through the privileges. Now there is no excuse to use highly privileged user accounts! This PowerShell / PowerCLI script lets you create a new vCenter server role with all the cumulative privileges and permissions to use them with Veeam Backup & Replication V11. The privileges used are based on the recommendations out of the Veeam Help Center which you can find here: Cumulative Permission for VMware vSphere – Veeam Help Center. Simply execute the script and follow the steps to fill in the rel
Live-experience : restore guest files with Veeam vs competitor
This is a short story I recently experienced with a customer of mine… Some months ago we got a request from Veeam 😉 with an opportunity for a new customer. This customer was using a lot of standalone Hyper-V hosts in combination with Oracle databases and was using a competitor software as their backup solution. They were not happy about the stability of the product and neither about the delivered support of the backup-vendor. Therefore they were searching for other backup-vendors and of course they ended up at Veeam. They contacted Veeam because they wanted more information about the product and if Veeam could deliver a design that perfectly matches the requirements of the customer. Veeam transferred this opportunity to my company (being a gold MSP). The account manager of my company and myself had a meeting with this customer to know what their requirements were. Afterwards I created a design that perfectly matched all their requirements and even more 😉. The customer was very happy with
Veeam - Hitachi Storage Plugin Installation How-To
Recently on July 21st, there was a new storage plugin release by @Veeam for the Hitachi storage arrays. It can be found here - Veeam - Hitachi Plugin. This plugin allows you to connect Veeam to your Hitachi storage arrays to leverage the SAN-based snapshots for your backups. Hitachi has also released documentation which can be found here - Hitachi - Veeam Plugin. Hitachi Plug-In for Veeam Backup & Replication supports integration with the following storage systems: VSP E590, E790, E990 (93-03-01-60/00 or later), VSP F350, F370, F700, F900 (88-07-01-x0/00 or later), VSP G350, G370, G700, G900 (88-07-01-x0/00 or later), VSP 5000 series (90-05-01-00/00 or later). Today I am going to walk through the installation and configuration of the plugin within the Veeam software. This will show how easy the plugin is to install and configure within the Veeam environment. One thing to note is that you need to take a look at the Hitachi documentation so that you can configure the access for the
Migrate VMs using Advanced Cross vCenter Server vMotion
A few days ago @Link State posted how to migrate MS AD-controllers using Veeam Replication. Therefore I thought it would be interesting to get to know the new vSphere Advanced Cross vCenter Server vMotion (XVM). What is Cross vMotion about? First, there is a difference between Cross vCenter Server vMotion (xvMotion) and Advanced xvMotion. xvMotion was already introduced (and supported) for migration of VMs between vCenters within the same Single-SignOn (SSO) Domain in vSphere 6.0. With Advanced xvMotion it is possible to migrate VMs between vCenters in different SSO Domains! Advanced xvMotion is not completely new. Actually it exists for about 5 years as a fling. Now it is introduced in the latest version of vSphere: 7.0 U1c (notice the "c"!) How does it work? For demo I use a vCenter 6.7 U3 as source and a 7.0 U1c vCenter as destination. To start the wizard, right click the resource, you want to move VM(s) to and select Import VMs. Provide data of source vCenter. And press Login. When cre
BitLocker Back Door: TPM Only
This is a recent research by security specialists of the Dolos Group to determine if an attacker can access the organisation network from a stolen device and also perform lateral network movement. They were handed a Lenovo Laptop preconfigured with the standard security stack for this organization. No prior information about the laptop, test credentials, configuration details, etc were given. They stated it was a 100% blackbox test. Once they got hold of the device, they headed straight to work and performed some reconnaissance of the laptop (BIOS settings, normal boot operation, hardware details, etc) and noted a lot of best practices were being followed, negating many common attacks. For example: Pcileech/DMA attacks were blocked because Intel’s VT-d BIOS setting was enabled. All BIOS settings were locked with a password. The BIOS boot order was locked to prevent booting from USB or CD. Secureboot was fully enabled and prevented any non-signed operating systems. Kon-boot auth bypass did
NKGG leverages AUTH0 external authentication to protect the Kasten setup from Junior Joe!
The Notorious Kube Genius Geoff had a problem. After saving the company's Kasten setup by doing a DR restore he was told that Junior Joe’s full access to the cluster would be removed but he still needed access to Kasten to perform his duties which involved only certain functions with policies. NKGG referenced the Kasten documentation concerning Authentication and decided it was time to leverage Open ID connect to do this and in that manner limit Junior Joe’s access. https://docs.kasten.io/latest/access/authentication.html#openid-connect-authentication This was going to be no walk in the park. NKGG had never ventured into this area of IT before so he decided to read up on the protocol itself and found a great free resource: https://auth0.com/resources/ebooks/the-openid-connect-handbook The handbook was offered by Auth0 and they had a free plan to start out with so NKGG decided to give their service a try. You can sign up for free here: http://Auth0: Secure access for everyone. But not just a
How to install Veeam Backup and Replication 11 Community Edition with a dedicated SQL Server
Veeam Backup and Replication is a comprehensive data protection and disaster recovery solution which is capable of creating image-level backups of virtual, physical servers, cloud machines, and restoration as well. The technology used in the product optimizes data transfer and resource consumption, which helps to minimize storage costs and the recovery time in case of a disaster. Veeam Backup and Replication provides a centralized console for administering backup, restore, and replication operations in all supported platforms (virtual, physical, and cloud environments). The prerequisite requires you to have a SQL Server already running in your environment. Please see "how to download and install Microsoft SQL Server 2019 Express Edition and Microsoft Management Studio on Windows Server", how to install Microsoft SQL Server 2019 and MsSQL Command line tools on Ubuntu Linux, and how to install MSSQL Server 2019 Developer Edition and SQL Server Management Studio on Windows. With Veeam Back
PetitPotam attack on Active Directory Certificate Services: How to mitigate NTLM Relay PetitPotam attacks on AD CS
Recently, Lionel Gilles, a French-based Offensive Computer Security researcher based in Paris, France published a PoC tool on NTLM Relay Attack known as PetitPotam that exploits the MS-EFSRPC (Encrypting File Services Remote Protocol). PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect users. Here is an example of such documents: NT LAN Manager: How to prevent NTLM credentials from being sent to remote servers. Below are some related guides: Active Directory Authentication methods: How do Kerberos and NTLM work? how does cached domain logon work?, and What is Pass the Hash Attack and how to mitigate the attack. PetitPotam takes advantage of servers where the Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks. The mitigations below outline to customers how to protect their AD CS servers from such attacks and help in mitigating the W
Why does Microsoft require additional system requirements? How to check if you have Secure Boot and TPM enabled
Windows 11 enables security by design from the chip to the cloud. Recently, Windows 11 was announced to raise security baselines with new built-in hardware security requirements that will give customers the confidence that they are even more protected from the chip to the cloud on certified devices. Windows 11 is redesigned for hybrid work and security with built-in hardware-based isolation, proven encryption, and our strongest protection against malware. Also, Windows 11 makes it easier for customers to get the most protection from these advanced attacks out of the box with the requirement of a TPM 2.0 chip to help ensure they benefit from security backed by a hardware root-of-trust. You may want to see Measured Boot, Secure Boot, Trusted Boot, and Early Launch Anti-Malware: How to secure the Windows 10 boot process, and Windows 11 Feature-specific, Hardware and Software Requirements: How to upgrade to Windows 11 from Windows 10 as a Windows Insider. Windows 11 focuses on increasing
Demystifying Veeam’s Backup Copy Feature – Part III, Long-Term (GFS) Retention
If you missed the first part of this 3-part series, you can read it here. For the 2nd part, go here. This 3rd and final part in the Blog series will be a bit lengthier than the previous 2, but the extra content is worth the read. In this 3rd post, I’ll be discussing the Backup Copy Job Long-Term (or GFS) Retention Policy. For the remainder of this post, I’ll just refer to this as ‘GFS Policy’. Over the years, I’ve generally felt Veeam’s User Guides have been fantastic. The best out there, in my opinion, are the VMware User Guides, with Veeam a close 2nd. Since about Veeam v9, when Veeam really started gaining steam implementing some of their best features to date – Storage Integration, expanding their Veeam Agent offering, etc, their User Guides have seemed to start lacking some needed information. I think part of the reason is they were jamming everything into one Guide and possibly cutting some corners. They really needed to start separating some features out of the main User Guide t
Backup Policy, what is it for?
Much has been said about backup and data protection. However, little is said about Backup Policy. In today's post I decided to address what are the aspects that surround a backup policy and why it is important to have one. What is Backup Policy? The backup policy is nothing more than a document that gathers all aspects related to the workload that the backup exerts on an IT environment. On this document we can gather all the information that is considered useful during the backup process or even during a moment of disaster that involves the failure of one or more IT services to operate. So I decided to talk about some topics that I consider important to include in any backup policy. Forget Templates: A backup policy is a document about your backup routine. So, forget about any kind of templates or pre-made documents about backup policy. You are responsible for the backup. So, no one better than you to understand the data protection environment and landscape. Write a document from scratch
CVE-2021-36934 "HiveNightmare" Serious SAM - Windows 10/11 Elevation of Privilege Vulnerability
Hi all, a new 0Day vulnerability for Windows 10 clients has been released, the article also recommends deleting all the VSS restore points and recreating them. Security Update Guide - Loading - Microsoft; Check Windows 10 for SeriousSAM and HiveNightmare Vulnerability Fix - Virtualization Howto; https://github.com/GossiTheDog/HiveNightmare. Command check: `icacls c:\windows\system32\config\sam`. Workarounds: Restrict access to the contents of %windir%\system32\config. Command Prompt (Run as administrator): `icacls %windir%\system32\config\*.* /inheritance:e`. Windows PowerShell (Run as administrator): `icacls $env:windir\system32\config\*.* /inheritance:e`. Delete Volume Shadow Copy Service (VSS) shadow copies: Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config. Create a new System Restore point (if desired). Impact of workaround: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backu
Does ESXi host survive persistent boot device loss?
Yes, it is no backup topic. But because we discussed a reason for my testing here already: I thought it could be interesting. In this post I investigate what happens when a VMware vSphere ESXi host loses its boot device. This device is meant to be a persistent device. For non-persistent devices like USB- and SD-card, behavior is quite clear: whole ESXi OS runs in memory, no mass-write operations should be directed to the device. When it breaks, ESXi isn’t missing it and keeps running. With a persistent device I was convinced that ESXi would die when it broke. BUT: ESXi survives. Not such a clean behavior like with non-persistent devices, but it survived. Reason for testing: There is a concrete reason for this testing. I want to answer the question, if it is safe to boot an ESXi host from a single disk. No Raid, just a single disk connected to a HBA. This would be an additional option for ESXi boot device. Why? Because VMware and other server vendors do not recommend to use non-persistent bo
V.E.E.A.M. : What does it mean - where it stands for ?
Hi all, We all love VEEAM. But why is it called like that? Originally Ratmir Timashev and Andrei Baronov founded Veeam in 2006. They called their company from the phonetic pronunciation of the letters VM (stands for Virtual Machine)! In the meanwhile everybody knows that the company is owned by US Insight Partners and has its headquarters in Baar (Switzerland) and in Columbus, Ohio (US). I think that this is too simple, the name V.E.E.A.M. stands for much more... V: Virtual Machines / Virtualization. Yes correct, it all started at the beginning with monitoring and reporting for a virtual infrastructure. Virtual machines and virtualization is probably still the most used asset with the veeam products. Versatile. It’s more than clear that Veeam tries to have a solution for every demand, so it has definitely versatile products. Vision. Veeam has a great vision : To be the most trusted provider of Backup solutions that deliver Cloud Data Management! E: Eliminate Data Loss. VBR brings balance to you
Build Your Own View With Veeam ONE Dashboards
Veeam ONE provides visibility into data protection and virtual environments. Alarms, reports, and dashboards provide real-time monitoring, documentation, and at-a-glance views of your environment. Veeam ONE is known for its proactive alarms and detailed reports, but there are also valuable dashboards that can be used by every business. Dashboards visualize various aspects of your environment, including resource utilization, performance issues and top trends. Dashboards can be viewed in a web browser, delivered to your email, or even integrated into web portals. There are pre-defined dashboards available immediately at your fingertips, but you can create your own dashboard views within Veeam ONE as well. The aim of this blog post is to walk-through the steps taken to create customized dashboard views. Getting started: The first step is to decide what you want to see in your environment. Do you want to get granular and only see updates on certain machines? Or maybe only certain backup serve
How to size for NAS/File share backups?
Sizing for NAS/file share backup can appear difficult initially, but with the help of the unofficial NAS Calculator by Hal Yaman it definitely will be a bit easier. As you can see from the screenshot below you need to know roughly how much source data in TB your file share(s) contain, how many files and directories. In case you are wondering what is primary vs secondary repository? Primary is for your short term retention (newest version) and secondary is for long term retention (older versions than newest). The user guide has some good info on the secondary copy settings. Once you have filled all out, just click the Calculate button to get full sizing for all components: Cache repository, File Proxy, Primary repository, Secondary Repository. Hope this was useful and please do post any questions or comments.
[Quicktip] Show jobs a login account is used in
In this quick quicktip I show how it is easily possible to show all jobs, a specific login account is used in. This can be very useful if you want to change the password or permissions of an account - to check involved jobs - or if you just want to clean up your configuration. To do so, open the Manage Credentials. To show all jobs, just mouseover the account name. You see all jobs in popup: If account is used for no job, you see similar popup: There is also a popup, when mouseover the selected credentials in job: