[What (else) is new in v12 - VI] Two-factor authentication for VBR console


Userlevel 7
Badge +13

Quite a cool new feature is the ability to enable Multi-factor authentication (MFA) for the VBR console login.

 

With this, a user has to enter username, password and an additional confirmation code that comes from an Authenticator app like Google Authenticator.

At first login, the user can add VBR to his Authenticator app.

It is really simple to use.

BUT: 2FA works only for VBR console, NOT for PowerShell!

Another security improvement is the option for Automatic Session logoff:

 


19 comments

Userlevel 7
Badge +12

Yes, that's a must-have feature in case you use the console on a management host to access the VBR server on another machine. :)

Userlevel 7
Badge +20

Really liking this feature to come in v12 as it will help us with further security enhancement for access. 😎

Userlevel 7
Badge +12

Yes, that's a must-have feature in case you use the console on a management host to access the VBR server on another machine. :)

Exactly, for those cases MFA was the last missing piece. Can't wait for v12 to implement it.

Userlevel 7
Badge +17

Super feature.

This is one of the first changes we will make after installing V12...

Userlevel 7
Badge +7

Nice feature, but the MFA will be usable only for the remote console, not directly on the VBR server.

Userlevel 7
Badge +17

Nice feature, but the MFA will be usable only for the remote console, not directly on the VBR server.

I have activated the 2FA directly on my V12 test server… Works without problems...

Userlevel 7
Badge +20

Nice feature, but the MFA will be usable only for the remote console, not directly on the VBR server.

You can use it on the VBR server with a user account, just not Administrator or anyone in the Admin group. I did test this and it worked.

Userlevel 7
Badge +7

Nice feature, but the MFA will be usable only for the remote console, not directly on the VBR server.

You can use it on the VBR server with a user account, just not Administrator or anyone in the Admin group. I did test this and it worked.

Ok, good to know. During a presentation I understood that. Also, on the VBR server the usage is less because PowerShell is still accessible...

Userlevel 7
Badge +11

Nice feature! I notice that admin users are not asked for MFA.

It makes sense, but I don't know…

There are some cases where admin users access the VBR server/console.

Userlevel 7
Badge +12

Change after Beta2, MFA can also be enabled for an admin account.

Thanks
Fabian

Userlevel 7
Badge +20

Change after Beta2, MFA can also be enabled for an admin account.

Thanks
Fabian

Ooh nice!  That will be another great add for this. 👍🏼

Userlevel 7
Badge +7

Yay, this is going to be a great feature! 

Is there a way to reset access in case someone loses their phone for example?

Userlevel 7
Badge +17

Yay, this is going to be a great feature! 

Is there a way to reset access in case someone loses their phone for example?

You can reset the MFA for any user

 

Userlevel 7
Badge +7

Yay, this is going to be a great feature! 

Is there a way to reset access in case someone loses their phone for example?

You can reset the MFA for any user

 

Ah thank you! I hope to give it a spin soon but really looking forward to this. 

Userlevel 7
Badge +9

Great feature! Recently, a lot of attacks have been perpetrated on 2FA. Here is a link for this. 

Note: Despite the hacks etc, I still highly recommend it (far better than the alternative of simply relying on a username and strong password), and also recommend user awareness training whenever possible… 

I like MFA for security but I have some issues with the way this is implemented. 

It forces on individual accounts and cannot be enabled if a group has been provided for Administrator Access, so if there is only one administrator and the MFA isn't working you are locked out. If the device that MFA is used on is not available, you cannot get logged in.

If you have multiple admin accounts.... one user could delete the other and then you are at the mercy of the single account again.

From what I can see you can only turn off MFA from inside VEEAM so if you are locked out you are screwed.

Userlevel 7
Badge +12

From what I can see you can only turn off MFA from inside VEEAM so if you are locked out you are screwed.

There are ways outside of Veeam. But you need to have local admin permission and you must be logged in on the backup server to use these methods :) Therefore it’s important to protect your backup server from any unauthorized access.

 

Best,

Fabian

From what I can see you can only turn off MFA from inside VEEAM so if you are locked out you are screwed.

There are ways outside of Veeam. But you need to have local admin permission and you must be logged in on the backup server to use these methods :) Therefore it’s important to protect your backup server from any unauthorized access.

 

Best,

Fabian

Please provide the documentation - I would not want to implement MFA if I do not know how to get around this limitation.

If a support ticket is required to do this then it’s still something I would not recommend. I would rather put an MFA solution on the server that is more manageable and has better options for adding and removing user access.

Regards,

Reid

Userlevel 7
Badge +12

Here is one of those methods: https://forums.veeam.com/post480878.html#p480878

Please remember, a local administrator can always do anything with the server. You cannot protect the server and its applications from a logged in account with local administrative permissions. There is always a way. Some are easy, some require additional tools.

It’s important to protect access to those servers. Outside of Veeam. Disable RDP and other remote management tools. Or leave them enabled, but implement MFA for those remote management protocols.
Use a jump server to open the console and manage your backup server. Monitor who has accessed your systems. 

 

Best,

Fabian
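
Added example, not part of the thread and not Veeam code: one way to act on the advice above to monitor who has accessed the backup server when all remote administration is supposed to go through a jump server. The function names, the jump-server address `10.0.50.10`, the account names and the sample records are assumptions constructed for illustration; event ID 4624 and logon type 10 (RemoteInteractive) are the standard Windows values.

```powershell
# Added example: hypothetical names, constructed data; not Veeam code.
$JumpHosts = @('10.0.50.10')   # assumption: the only host allowed to RDP in

function ConvertFrom-LogonRecord {
    # Flattens a Security-log 4624 record, reading its fields by name.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time      = $Record.TimeCreated
            User      = $data['TargetUserName']
            LogonType = [int]$data['LogonType']
            SourceIp  = $data['IpAddress']
        }
    }
}

function Get-RecentLogon {
    # Run elevated on the backup server: successful logons of the last N days.
    param([int] $Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days)
    } | ConvertFrom-LogonRecord
}

function Find-UnexpectedRemoteLogon {
    # Logon type 10 is RemoteInteractive (RDP); flag any not from a jump host.
    param([object[]] $Logon, [string[]] $AllowedSource)
    $Logon | Where-Object {
        $_.LogonType -eq 10 -and $_.SourceIp -notin $AllowedSource
    }
}

# Constructed sample records so the filter can be tried without a live log.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2023-03-01T08:02:00'; User = 'backupadmin'; LogonType = 10; SourceIp = '10.0.50.10' }
    [pscustomobject]@{ Time = [datetime]'2023-03-01T23:41:00'; User = 'backupadmin'; LogonType = 10; SourceIp = '10.0.20.77' }
    [pscustomobject]@{ Time = [datetime]'2023-03-02T02:00:00'; User = 'svc_veeam';   LogonType = 5;  SourceIp = '-' }
)
Find-UnexpectedRemoteLogon -Logon $sample -AllowedSource $JumpHosts
```

On the backup server, pass the output of `Get-RecentLogon` instead of `$sample` to check the live Security log.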
