Hello everybody!
I’d like to know if is possible to have a Multi-Factor Authentication to access Veeam Backup & Replication console?
Do we have something native on Veeam about it?
MFA with Veeam B&R
+11
+23Hey! Great question.
I’ve not seen anything that interfaces natively with the Veeam console for B&R, the AWS/Azure platforms support MFA (haven’t tested on GCP yet). You can however limit access to a Veeam console jumpbox that you RDP onto and use something such as Duo to secure that client.
Be interesting if anyone has done something clever to make it work and what Veeam’s stance would be on this!
Michael Paul - Opinions are my own and do not necessarily reflect the opinion of Veeam | https://micoolpaul.com | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.com
+20Hey there
Cheers!
Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
+23coolsport00 wrote:
Hey there
Cheers!
Great shout on the Veeam R&D Forum!
Michael Paul - Opinions are my own and do not necessarily reflect the opinion of Veeam | https://micoolpaul.com | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.com
+12You can find the feature request here in the forum:
Product Management Analyst @ Veeam Software
+21Mildur wrote:
You can find the feature request here in the forum:
Great request since now in v11 the Administrator rights are not needed anymore now.
Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | vExpert 6* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
+10I see a lot of people using Duo for the Windows authentication, I like that.
Though Gostev’s answer in the Forum is not “No” but “Not Now” so - my advice is use Duo (or similar) for now, maybe more options will be in place.
Twitter @RickVanover | Email: rick.vanover@veeam.com
+23Whilst we’re speaking about Duo I just want to highlight one setting that can dramatically impact the effectiveness of the solution. You can choose whether to bypass Duo when the device is offline.
I wouldn’t recommend this as then if the server can’t communicate with the cloud auth service there is no second factor challenge, achievable via breaking communication such as forcing NTP time drift, DNS poisoning etc. Offline auth via Duo app generated OTPs is supported and makes far more sense in this scenario. This feature became available in 2018 so depending on when people have used Duo they may not be aware!
Michael Paul - Opinions are my own and do not necessarily reflect the opinion of Veeam | https://micoolpaul.com | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.com
+12Update from Anton :-)
MFA for the VBR console is coming with V12 this year.
Product Management Analyst @ Veeam Software
+21Mildur wrote:
Update from Anton :-)
MFA for the VBR console is coming with V12 this year.
That is awesome. Cannot wait to test this.
Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | vExpert 6* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
+23Mildur wrote:
Update from Anton :-)
MFA for the VBR console is coming with V12 this year.
Thanks for sharing
Michael Paul - Opinions are my own and do not necessarily reflect the opinion of Veeam | https://micoolpaul.com | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.com
+12MicoolPaul wrote:
Mildur wrote:
Update from Anton :-)
MFA for the VBR console is coming with V12 this year.
Thanks for sharing
Your welcome,
Product Management Analyst @ Veeam Software
+14Great news
Max M. | Systems Engineer @Veeam | VMCE/VMCA | VeeaMVP 2023 | former Legend & Vanguard
+13Sincere question, is MFA really necessary for a VB&R server?
Couldn't it be more useful to have some sort of sandbox system (inside a Windows Server) that is untouchable from the outside?
No polemic, just to talk about :)
Backups are like pizza, I love them. | Linkedin: @marco-fabbri-it
+12marcofabbri wrote:
Sincere question, is MFA really necessary for a VB&R server?
There are companies with security regulations to have MFA on each critical system, or the software cannot be implemented.
Besides that, yes, MFA is better than no MFA.
Backups can be protected by immutability.
But how do you protect unauthorized access to the protected data in the backup?
Product Management Analyst @ Veeam Software
+13Mildur wrote:
marcofabbri wrote:
Sincere question, is MFA really necessary for a VB&R server?
There are companies with security regulations to have MFA on each critical system, or the software cannot be implemented.
Besides that, yes, MFA is better than no MFA.
Backups can be protected by immutability.
But how do you protect unauthorized access to the protected data in the backup?
Strong physical and virtual security permission policy and encryption policy.
But absolutely right, MFA is better than no MFA.
Backups are like pizza, I love them. | Linkedin: @marco-fabbri-it
+14MFA will very much increase the security of your backup environment. Even if you harden your environment, do 3-2-1, etc., an attacker could cause high damage when accessing your Veeam console; besides the obvious cases, where backups and tapes are deleted. Think about someone altering your jobs so that nothing gets backed up, changing Encryption keys or something more malicious like overwriting your production VMs.
Max M. | Systems Engineer @Veeam | VMCE/VMCA | VeeaMVP 2023 | former Legend & Vanguard
+13What you say is true
Backups are like pizza, I love them. | Linkedin: @marco-fabbri-it
+23Michael Paul - Opinions are my own and do not necessarily reflect the opinion of Veeam | https://micoolpaul.com | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.com
+17Depends on the implementation.
For MFA you need some connection to the Veeam server. Hopefully this is an internal secure connection only….
Jochen (Joe) Meixner | Veeam Vanguard 2024 | Veeam Legend 2021 - 2024 | Veeam Certified Architect (VMCA) | Twitter: @JoMeix | BlueSky: @jmeixner.bsky.social
+13Indeed, great news! But keep in mind, forum talks about MFA for console. No word about Rest and PowerShell. Without that, MFA for the management system/server should be implemented too!
Wolfgang | vnote42.net | @vNote42
+2Mildur wrote:
Update from Anton :-)
MFA for the VBR console is coming with V12 this year.
Is it this year or Q1 next year for the GA ?
vNote42 wrote:
Indeed, great news! But keep in mind, forum talks about MFA for console. No word about Rest and PowerShell. Without that, MFA for the management system/server should be implemented too!
Yes, more support for the PowerShell or REST APIwould be great.
Microsoft Azure Solutions Architect Expert, VMware Certified Professional - DCV 7, Citrix Certified Professional Virtualization (CCP-V), ITIL Practitioner
+14vAdmin wrote:
Mildur wrote:
Update from Anton :-)
MFA for the VBR console is coming with V12 this year.
Is it this year or Q1 next year for the GA ?
At the time of that post it was this year. But now the current schedule for v12 is January or Q1 2023.
Max M. | Systems Engineer @Veeam | VMCE/VMCA | VeeaMVP 2023 | former Legend & Vanguard
+2regnor wrote:
vAdmin wrote:
Mildur wrote:
Update from Anton :-)
MFA for the VBR console is coming with V12 this year.
Is it this year or Q1 next year for the GA ?
At the time of that post it was this year. But now the current schedule for v12 is January or Q1 2023.
Yes, that is true, better be late than never.
Microsoft Azure Solutions Architect Expert, VMware Certified Professional - DCV 7, Citrix Certified Professional Virtualization (CCP-V), ITIL Practitioner
+8I will prefer the use of a bastion with MFA everywhere than on a Veeam console, but it’s betther than nothing 🤓
1 person likes this
Comment
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.