Regularly update Veeam components

Keeping Veeam backup servers, management consoles, and other components up to date with the latest patches and updates to address any security vulnerabilities is an absolute must when it comes to security hygiene.

Security Patches

Both operating systems and software applications are susceptible to vulnerabilities exploited by malicious actors. These bad actors can leverage weaknesses in the software's code, libraries, or other components to compromise the security of the operating system and/or software, granting them unauthorized access. CVE, which stands for Common Vulnerabilities and Exposures, serves as a standardized reference method for publicly disclosing and tracking known vulnerabilities and exposures in information security.

After a CVE is publicized, it is expected that software vendors will make available solutions to address the vulnerability. These solutions may involve providing instructions on how to fix the issue or releasing a new version of the software that includes a patch to fix the security flaw.

To ensure the security of your system, it is advisable to subscribe to the product bulletin or regularly monitor any CVE fix announcements by Veeam Software and constantly monitor security updates of the operating system.

Veeam Product Lifecycle

To ensure ongoing support, security updates, software enhancements, and the introduction of new features, it is highly recommended to utilize Veeam products that have not yet reached their end of fix and end of support lifecycles. Regularly checking the Veeam Product Lifecycle web page ensures you're aware of any changes or updates to the products.

Windows and Linux Backup Infrastructure Components

Windows and Linux proxies and repositories are essential components of the Veeam Backup Infrastructure, serving as crucial elements for efficient backup and recovery operations. If those components are compromised, the whole backup infrastructure can be compromised with them. To enhance infrastructure security, it is recommended to utilize operating system versions that offer long-term servicing channels (LTSC) for Windows or long-term support (LTS) for Linux. This is because these versions provide extended security updates, crucial for maintaining a secure environment.

Least Privilege Access

Auto Log Off

The auto log off configuration defines the duration of inactivity before the Veeam console automatically logs you out. This feature is recommended because it automatically closes the console after a specified amount of time, which is beneficial for users who access the Veeam console remotely from a server, personal computer, or even the Veeam server itself. In a scenario where the backup administrator leaves the console open, a malicious user who has already breached one of the previously mentioned servers could easily access the Veeam console without any additional steps, potentially compromising the entire backup infrastructure. This could lead to devastating consequences such as the deletion of backup files, the removal of essential components, and the manipulation of retention policies, to name a few.

Users & Groups

When Veeam Backup & Replication is installed, the Veeam Backup Administrator role is automatically given to all users who are members of the Administrators group on the machine where the software is being installed. Veeam Backup Administrators have full control over all administrative tasks in Veeam Backup & Replication and access to all files on servers and hosts within the backup infrastructure.

The Veeam server offers the flexibility to assign one or more roles to either individual users or groups. Enabling multifactor authentication is only possible by adding individual users; if a group is configured, multifactor authentication cannot be activated.

Adhering to the principle of least privilege, it's recommended to create individual user accounts with specific permissions, like a Security Administrator who can add, edit, and delete all types of credentials for managing servers, guest connections, and other related tasks. Another potential role could be a Backup Viewer, restricted to viewing existing job lists and session reviews, vital for the backup monitoring team's responsibilities.

Windows Veeam Services Account

To maintain security, the account designated for running Veeam services should be a LocalSystem account. If a Veeam service is configured to run under a user account other than the LocalSystem account, that user will automatically inherit full administrative privileges over Veeam Backup & Replication, even if they are not explicitly granted those permissions through the Users and Roles > Security settings.

Please review the list of security aspects provided below to ensure proper protection:

  • Ensuring the firewall is active and properly maintained on both operating systems is crucial for granting access to the required Veeam components while blocking access to non-required connections.
  • Disabling remote access to Windows proxy and repository components, such as Remote Desktop Service, Remote Registry Service, Remote PowerShell, and Windows Remote Management Service, is recommended to reduce the attack surface. If disabling remote access is not an option, it is recommended to manage access through the use of a firewall.
  • For enhanced security when configuring Linux proxies or repositories, it is advisable to employ key-based SSH authentication, which is widely considered a more secure alternative to password authentication and serves to prevent man-in-the-middle (MITM) attacks. Because the private key never leaves the client, it is not disclosed even to an impersonating server presenting a mismatched host key fingerprint.
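As an added example that is not part of the original lesson or of Veeam's own tooling, the following PowerShell script audits a Windows Veeam backup server, proxy or repository against the services-account guidance above and the firewall and remote-access items in this list. It assumes it runs elevated on the host being checked and that Veeam's services can be matched by the name prefix "Veeam".

```powershell
# Added example (not from the Veeam course page): audit a Windows Veeam
# backup server, proxy or repository against the hardening points above.
# Assumes an elevated session on the host being checked; Veeam services are
# matched by the "Veeam" name prefix (an assumption, adjust if needed).

$findings = @()

# 1. Veeam services should run as LocalSystem. A service running under any
#    other account makes that account a full Veeam Backup Administrator.
Get-CimInstance Win32_Service -Filter "Name LIKE 'Veeam%'" | ForEach-Object {
    if ($_.StartName -ne 'LocalSystem') {
        $findings += "Service $($_.Name) runs as '$($_.StartName)' instead of LocalSystem"
    }
}

# 2. Remote-access services that should be disabled on proxies and repositories.
$remoteServices = @{
    'TermService'    = 'Remote Desktop Services'
    'RemoteRegistry' = 'Remote Registry'
    'WinRM'          = 'Windows Remote Management (also carries remote PowerShell)'
}
foreach ($name in $remoteServices.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $svc -and $svc.StartType -ne 'Disabled') {
        $findings += "$($remoteServices[$name]) ($name) is $($svc.StartType)/$($svc.Status); expected Disabled"
    }
}

# 3. Windows Firewall must be enabled for every profile (Domain, Private, Public).
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings += "Firewall profile '$($_.Name)' is not enabled"
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: services, remote access and firewall match the guidance.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Where a remote service cannot be disabled, the script's finding is the item to cover with a firewall rule instead, as the second bullet recommends.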

Other Security Considerations

Enterprise Manager

With Veeam Backup Enterprise Manager, you can centrally manage and monitor numerous Veeam Backup & Replication installations from one web interface, simplifying your backup and recovery operations. Crucially, by enabling encryption password loss protection, users are given an alternate method to decrypt the data in the case that the password for an encrypted backup or tape is lost.

To enhance the security of your Veeam Backup Enterprise Manager server, it is highly advisable to deploy it on a server that is distinct from the Veeam Backup & Replication server. By doing so, you can significantly minimize the risk of a key change attack.

Veeam Database

During Veeam installation, you can choose to connect to a remote database server or install the database on the same machine as Veeam Server. The Veeam database acts like a secure vault, storing the sensitive credentials of user accounts needed to access virtual servers and other systems within the backup infrastructure. The passwords stored in the database are securely encrypted. However, an administrator on the backup server could potentially decrypt passwords, posing a significant security risk.

To ensure the security of your Veeam Backup & Replication configuration database, follow these guidelines:

  • To ensure security, verify that only authorized users can access the backup server and the server hosting the Veeam Backup & Replication configuration database, especially if the database is located on a separate server.
  • To protect sensitive information in the configuration database, enable data encryption for configuration backups. Additionally, avoid placing the repository for configuration backups in the same network as the backup server.

Network Time Server

The Network Time Protocol (NTP) is a networking protocol used to synchronize computer clocks to be within a few milliseconds of Coordinated Universal Time (UTC). This protocol can be manipulated by intruders to overwhelm the network with excessive responses, manipulate timestamps, and interfere with time-sensitive critical services, like the immutability settings of the Linux hardened repository.

To safeguard your NTP server, it is crucial to follow these security guidelines:

  • Implementing NTP authentication between the server and client ensures that clients accept time updates only from trusted sources.
  • Secure your NTP server by allowing time synchronization requests only from authorized IP addresses or networks.
  • Always keep your NTP software patched and updated to ensure you are protected from known vulnerabilities.
  • When configuring your NTP Server, it's crucial to select secure and reputable external NTP servers to ensure accurate time synchronization. Avoid using public NTP servers.
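The authentication and allow-list items above are settings on the time server itself; the client side of a Windows Veeam backup server is which sources it is configured to trust. As an added example that is not part of the original lesson, this PowerShell script reads the Windows Time service configuration and flags public or unapproved peers. The approved-server names are constructed placeholders.

```powershell
# Added example (not from the Veeam course page): audit the Windows Time
# client configuration on a Veeam backup server against the NTP guidance.
# $approved is a constructed placeholder list; replace it with the internal,
# authenticated time sources your organisation operates.

$approved = @('ntp1.corp.example', 'ntp2.corp.example')   # placeholder names
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$params   = Get-ItemProperty -Path $regPath
$findings = @()

# Type is NT5DS for domain-hierarchy sync, NTP for a manual peer list,
# NoSync when synchronisation is switched off.
switch ($params.Type) {
    'NoSync' { $findings += 'Time synchronisation is disabled (Type = NoSync)' }
    'NT5DS'  { Write-Output 'Syncing from the domain hierarchy; peer list not used.' }
}

# NtpServer is a space-separated list; each entry may carry a ",0x8"-style flag.
$peers = @($params.NtpServer -split '\s+' |
    Where-Object { $_ } |
    ForEach-Object { ($_ -split ',')[0].ToLower() })

foreach ($peer in $peers) {
    if ($peer -match 'pool\.ntp\.org$' -or $peer -eq 'time.windows.com') {
        $findings += "Public NTP server configured: $peer"
    } elseif ($approved -notcontains $peer) {
        $findings += "Peer $peer is not on the approved internal list"
    }
}
if ($params.Type -eq 'NTP' -and $peers.Count -eq 0) {
    $findings += 'Type is NTP but NtpServer is empty'
}

# Live view: which source the service actually uses and when it last synced.
$status = & w32tm.exe /query /status 2>&1
$status | Select-String -Pattern '^(Source|Last Successful Sync Time|Stratum):' |
    ForEach-Object { Write-Output $_.Line }

if ($findings.Count -eq 0) {
    Write-Output 'No findings: configured time sources match the approved list.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A stale "Last Successful Sync Time" on a server that feeds a hardened repository is worth treating as an incident indicator, since immutability windows depend on the clock.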
