Skip to main content

I know theres immutable backups but i dont have that repo right now. How can i prevent admins from them inadvertently in 2 clicks delete an entire decade worth of backups ? 

From Veeam: change their roles so they’re not backup administrators and also enable four eyes for good measure.

 

You should also not give them any access to the backup repos if they don’t need it, and limited permissions where they do that don’t include any full control type permissions on the disk used as a repository.


side note make sure you have added some other admins before turning on four eyes 🙂. I have heard of a few Veeam cases already when Admins turned this on but only had 2 eyes in their systems. 


VBR 12.1 introduced Four Eyes Authentication which will help you with your concern of a rogue admin deleting backups.

 


As everyone else noted here, Four Eyes is the way to go.  That said, you’ll want to make sure that nobody has access to the back-end storage as well to where the actual backup files can be deleted behind the scenes.


As everyone else noted here, Four Eyes is the way to go.  That said, you’ll want to make sure that nobody has access to the back-end storage as well to where the actual backup files can be deleted behind the scenes.

You are correct that the data needs to be protected as well.  That is why you should use immutability via hardened Linux repositories and/or S3 object lock.  Immutability + four eyes authentication will help protect the data from the rogue administrator.


side note make sure you have added some other admins before turning on four eyes 🙂. I have heard of a few Veeam cases already when Admins turned this on but only had 2 eyes in their systems. 

Yes, you MUST do this and have at least 2 admins before turning this on.  Otherwise, nothing you do will be applied with only one administrator.


I am not seeing the 4 eyes authorization tab in my user role options. Upon checking the feature is only in the latest Veeam 12.1 release which I do not have. Unfortunately since the rest of admins are all domain admins, so they have full access and its not possible to restrict them in Veeam.


I am not seeing the 4 eyes authorization tab in my user role options. Upon checking the feature is only in the latest Veeam 12.1 release which I do not have. Unfortunately since the rest of admins are all domain admins, so they have full access and its not possible to restrict them in Veeam.

You must remove the veeam server from the domain.
create a Local Administrator with stron passphrase and create users with RBAC role on O.S. Windows side. and then assign Veeam roles.
In addition if you have repository backups on Windows you need (as per best practice) to limit permissions on the volume of repository backups to only one veeam administrator user performing backups.


This way you can limit possible erroneous deletion.

Regards.


I am not seeing the 4 eyes authorization tab in my user role options. Upon checking the feature is only in the latest Veeam 12.1 release which I do not have. Unfortunately since the rest of admins are all domain admins, so they have full access and its not possible to restrict them in Veeam.

You need to upgrade to the latest for 4 eyes. 

 

It’s not really common to have Veeam on the domain.  I don’t have any of my Veeam infrastructure domain joined. Create a separate VLAN, Non domain joined, and local accounts.  Depending on peoples roles having ALL admins as domain admins my not be ideal either, but that depends on your organization.  Granular permissions can be created for doing things with AD, users, groups, computers that don’t require DA access.

 

 


4 eyes for sure, @Arin . There are a lot of contend and demonstration in this community!

Demonstration of Four-Eyes Authorization | Veeam Community Resource Hub

However, as colleagues warned, it is necessary to upgrade to v12.1. The functionality is very simple to  implement and use - another layer of protection in the environment.


Hi @Arin -

I am just following up on your post to see if one of the comments made answered your question? If so, please select one as a ‘Best Answer’ so others may benefit from your post. Please let us know if you have further quesitons.

Thank you.


Comment