Skip to main content

MFA with Veeam B&R


wolff.mateus
Forum|alt.badge.img+11

Hello everybody!

 

I’d like to know if is possible to have a Multi-Factor Authentication to access Veeam Backup & Replication console?

Do we have something native on Veeam about it?

 

 

24 comments

MicoolPaul
Forum|alt.badge.img+23

Hey! Great question.

 

I’ve not seen anything that interfaces natively with the Veeam console for B&R, the AWS/Azure platforms support MFA (haven’t tested on GCP yet). You can however limit access to a Veeam console jumpbox that you RDP onto and use something such as Duo to secure that client.

 

Be interesting if anyone has done something clever to make it work and what Veeam’s stance would be on this!


coolsport00
Forum|alt.badge.img+20
  • Veeam Legend
  • 4145 comments
  • July 23, 2021

Hey there @wolff.mateus ...appears nothing native to the VBR server, but does look like for VCSP and Azure/AWS products, MFA is available. I would make a comment in the Veeam Forums so a Product Manager can give more details on if this will be a capability in future releases. If not, maybe they will add one.

Cheers!


MicoolPaul
Forum|alt.badge.img+23
coolsport00 wrote:

Hey there @wolff.mateus ...appears nothing native to the VBR server, but does look like for VCSP and Azure/AWS products, MFA is available. I would make a comment in the Veeam Forums so a Product Manager can give more details on if this will be a capability in future releases. If not, maybe they will add one.

Cheers!

Great shout on the Veeam R&D Forum!


Mildur
Forum|alt.badge.img+12
  • Influencer
  • 1035 comments
  • July 23, 2021

Chris.Childerhose
Forum|alt.badge.img+21
Mildur wrote:

Great request since now in v11 the Administrator rights are not needed anymore now.


Rick Vanover
Forum|alt.badge.img+10

I see a lot of people using Duo for the Windows authentication, I like that. 

Though Gostev’s answer in the Forum is not “No” but “Not Now” so - my advice is use Duo (or similar) for now, maybe more options will be in place.


MicoolPaul
Forum|alt.badge.img+23

Whilst we’re speaking about Duo I just want to highlight one setting that can dramatically impact the effectiveness of the solution. You can choose whether to bypass Duo when the device is offline.

 

I wouldn’t recommend this as then if the server can’t communicate with the cloud auth service there is no second factor challenge, achievable via breaking communication such as forcing NTP time drift, DNS poisoning etc. Offline auth via Duo app generated OTPs is supported and makes far more sense in this scenario. This feature became available in 2018 so depending on when people have used Duo they may not be aware!


Mildur
Forum|alt.badge.img+12
  • Influencer
  • 1035 comments
  • January 7, 2022

Update from Anton :-)

 

MFA for the VBR console is coming with V12 this year.

https://forums.veeam.com/post440238.html#p440238


Chris.Childerhose
Forum|alt.badge.img+21
  • Veeam Legend, Veeam Vanguard
  • 8502 comments
  • January 7, 2022
Mildur wrote:

Update from Anton :-)

 

MFA for the VBR console is coming with V12 this year.

https://forums.veeam.com/post440238.html#p440238

That is awesome.  Cannot wait to test this.


MicoolPaul
Forum|alt.badge.img+23
  • 2361 comments
  • January 7, 2022
Mildur wrote:

Update from Anton :-)

 

MFA for the VBR console is coming with V12 this year.

https://forums.veeam.com/post440238.html#p440238

Thanks for sharing @Mildur, that’s brilliant news!


Mildur
Forum|alt.badge.img+12
  • Influencer
  • 1035 comments
  • January 7, 2022
MicoolPaul wrote:
Mildur wrote:

Update from Anton :-)

 

MFA for the VBR console is coming with V12 this year.

https://forums.veeam.com/post440238.html#p440238

Thanks for sharing @Mildur, that’s brilliant news!

Your welcome, @MicoolPaul :)


regnor
Forum|alt.badge.img+14
  • Veeam MVP
  • 1352 comments
  • January 7, 2022

Great news @Mildur! This will certainly take the security  to the next level 🥳


marcofabbri
Forum|alt.badge.img+13
  • On the path to Greatness
  • 990 comments
  • January 8, 2022

Sincere question, is MFA really necessary for a VB&R server?

Couldn't it be more useful to have some sort of sandbox system (inside a Windows Server) that is untouchable from the outside?

No polemic, just to talk about :)


Mildur
Forum|alt.badge.img+12
  • Influencer
  • 1035 comments
  • January 8, 2022
marcofabbri wrote:

Sincere question, is MFA really necessary for a VB&R server?

There are companies with security regulations to have MFA on each critical system, or the software cannot be implemented.

Besides that, yes, MFA is better than no MFA.

Backups can be protected by immutability.

But how do you protect unauthorized access to the protected data in the backup? 


marcofabbri
Forum|alt.badge.img+13
  • On the path to Greatness
  • 990 comments
  • January 8, 2022
Mildur wrote:
marcofabbri wrote:

Sincere question, is MFA really necessary for a VB&R server?

There are companies with security regulations to have MFA on each critical system, or the software cannot be implemented.

Besides that, yes, MFA is better than no MFA.

Backups can be protected by immutability.

But how do you protect unauthorized access to the protected data in the backup? 

Strong physical and virtual security permission policy and encryption policy.

But absolutely right, MFA is better than no MFA.


regnor
Forum|alt.badge.img+14
  • Veeam MVP
  • 1352 comments
  • January 8, 2022

MFA will very much increase the security of your backup environment. Even if you harden your environment, do 3-2-1, etc., an attacker could cause high damage when accessing your Veeam console; besides the obvious cases, where backups and tapes are deleted. Think about someone altering your jobs so that nothing gets backed up, changing Encryption keys or something more malicious like overwriting your production VMs.


marcofabbri
Forum|alt.badge.img+13
  • On the path to Greatness
  • 990 comments
  • January 8, 2022

What you say is true @regnor , thanks for posting this examples. MFA will then increase security a lot, very very well.

 

 


MicoolPaul
Forum|alt.badge.img+23
  • 2361 comments
  • January 8, 2022

@marcofabbri another point highlighted is this is MFA within the application vs on the server itself, so wherever the console is installed and can access the B&R server, stealing credentials is no longer sufficient.


JMeixner
Forum|alt.badge.img+17
  • On the path to Greatness
  • 2650 comments
  • January 8, 2022

Depends on the implementation.

For MFA you need some connection to the Veeam server. Hopefully this is an internal secure connection only….


vNote42
Forum|alt.badge.img+13
  • On the path to Greatness
  • 1246 comments
  • January 10, 2022

Indeed, great news! But keep in mind, forum talks about MFA for console. No word about Rest and PowerShell. Without that, MFA for the management system/server should be implemented too!


vAdmin
Forum|alt.badge.img+2
  • Influencer
  • 168 comments
  • November 10, 2022
Mildur wrote:

Update from Anton :-)

 

MFA for the VBR console is coming with V12 this year.

https://forums.veeam.com/post440238.html#p440238

Is it this year or Q1 next year for the GA ?

 

vNote42 wrote:

Indeed, great news! But keep in mind, forum talks about MFA for console. No word about Rest and PowerShell. Without that, MFA for the management system/server should be implemented too!

Yes, more support for the PowerShell or REST APIwould be great. 


regnor
Forum|alt.badge.img+14
  • Veeam MVP
  • 1352 comments
  • November 10, 2022
vAdmin wrote:
Mildur wrote:

Update from Anton :-)

 

MFA for the VBR console is coming with V12 this year.

https://forums.veeam.com/post440238.html#p440238

Is it this year or Q1 next year for the GA ?

At the time of that post it was this year. But now the current schedule for v12 is January or Q1 2023.

 


vAdmin
Forum|alt.badge.img+2
  • Influencer
  • 168 comments
  • November 10, 2022
regnor wrote:
vAdmin wrote:
Mildur wrote:

Update from Anton :-)

 

MFA for the VBR console is coming with V12 this year.

https://forums.veeam.com/post440238.html#p440238

Is it this year or Q1 next year for the GA ?

At the time of that post it was this year. But now the current schedule for v12 is January or Q1 2023.

 

Yes, that is true, better be late than never.


BertrandFR
Forum|alt.badge.img+8
  • Influencer
  • 528 comments
  • November 13, 2022

I will prefer the use of a bastion with MFA everywhere than on a Veeam console, but it’s betther than nothing 🤓


Comment