Question

prevent admins from deleting backups


Userlevel 5
Badge

I know there's immutable backups but I don't have that repo right now. How can I prevent admins from inadvertently deleting, in 2 clicks, an entire decade's worth of backups?


11 comments

Userlevel 7
Badge +20

From Veeam: change their roles so they’re not backup administrators and also enable four eyes for good measure.

 

You should also not give them any access to the backup repos if they don’t need it, and limited permissions where they do that don’t include any full control type permissions on the disk used as a repository.

Userlevel 7
Badge +22

Side note: make sure you have added some other admins before turning on four eyes :). I have heard of a few Veeam cases already where admins turned this on but only had 2 eyes in their systems.

Userlevel 6
Badge +2

VBR 12.1 introduced Four Eyes Authentication which will help you with your concern of a rogue admin deleting backups.

 

Userlevel 7
Badge +6

As everyone else noted here, Four Eyes is the way to go.  That said, you’ll want to make sure that nobody has access to the back-end storage as well to where the actual backup files can be deleted behind the scenes.

Userlevel 6
Badge +2

As everyone else noted here, Four Eyes is the way to go.  That said, you’ll want to make sure that nobody has access to the back-end storage as well to where the actual backup files can be deleted behind the scenes.

You are correct that the data needs to be protected as well.  That is why you should use immutability via hardened Linux repositories and/or S3 object lock.  Immutability + four eyes authentication will help protect the data from the rogue administrator.

Userlevel 7
Badge +20

Side note: make sure you have added some other admins before turning on four eyes :). I have heard of a few Veeam cases already where admins turned this on but only had 2 eyes in their systems.

Yes, you MUST do this and have at least 2 admins before turning this on.  Otherwise, nothing you do will be applied with only one administrator.

Userlevel 5
Badge

I am not seeing the 4 eyes authorization tab in my user role options. Upon checking, the feature is only in the latest Veeam 12.1 release, which I do not have. Unfortunately, since the rest of the admins are all domain admins, they have full access and it's not possible to restrict them in Veeam.

Userlevel 7
Badge +8

I am not seeing the 4 eyes authorization tab in my user role options. Upon checking, the feature is only in the latest Veeam 12.1 release, which I do not have. Unfortunately, since the rest of the admins are all domain admins, they have full access and it's not possible to restrict them in Veeam.

You must remove the Veeam server from the domain.
Create a local administrator with a strong passphrase and create users with an RBAC role on the Windows OS side, and then assign Veeam roles.
In addition, if you have repository backups on Windows, you need (as per best practice) to limit permissions on the volume of repository backups to only one Veeam administrator user performing backups.


This way you can limit possible erroneous deletion.

Regards.
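
An audit of the repository permissions discussed in this thread, as an added example that is not part of any poster's reply or Veeam's own tooling: it lists every principal whose NTFS rights on a Windows repository folder allow deleting backup files or rewriting the ACL. The path `E:\Backups` and the account `svc-veeam` are assumed placeholders.

```powershell
# Added example: report who can delete files on a Windows backup repository folder.
# $RepoPath and $AllowedPrincipals are assumptions; replace them with your own values.
param(
    [string]   $RepoPath          = 'E:\Backups',
    [string[]] $AllowedPrincipals = @('NT AUTHORITY\SYSTEM', "$env:COMPUTERNAME\svc-veeam")
)

# Rights that allow removing backup files or rewriting the ACL itself.
# Modify and FullControl both include the Delete bit, so they match as well.
$Risky = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Some inherit-only entries (e.g. CREATOR OWNER) store the raw GENERIC_ALL bit instead.
$GenericAll = 0x10000000

function Get-RepoDeleteCapableAce {
    param([string] $Path, [string[]] $Allowed)

    $acl = Get-Acl -LiteralPath $Path

    foreach ($ace in $acl.Access) {
        # Deny entries only reduce access, so they are not reported.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $rights    = [int] $ace.FileSystemRights
        $canDelete = (($rights -band [int] $Risky) -ne 0) -or (($rights -band $GenericAll) -ne 0)
        if (-not $canDelete) { continue }

        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Expected  = $Allowed -contains $ace.IdentityReference.Value
        }
    }

    # The owner can always rewrite the ACL, whatever the entries above say.
    [pscustomobject]@{
        Principal = $acl.Owner
        Rights    = 'Owner (can rewrite the ACL)'
        Inherited = $false
        Expected  = $Allowed -contains $acl.Owner
    }
}

# Show only the principals that are not on the allow list.
Get-RepoDeleteCapableAce -Path $RepoPath -Allowed $AllowedPrincipals |
    Where-Object { -not $_.Expected } |
    Format-Table -AutoSize
```

An empty table means only the allowed principals can delete from the folder; entries such as `BUILTIN\Administrators` show that any local administrator of the repository server still can.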

Userlevel 7
Badge +8

I am not seeing the 4 eyes authorization tab in my user role options. Upon checking, the feature is only in the latest Veeam 12.1 release, which I do not have. Unfortunately, since the rest of the admins are all domain admins, they have full access and it's not possible to restrict them in Veeam.

You need to upgrade to the latest for 4 eyes. 

 

It’s not really common to have Veeam on the domain. I don’t have any of my Veeam infrastructure domain joined. Create a separate VLAN, non-domain-joined, with local accounts. Depending on people’s roles, having ALL admins as domain admins may not be ideal either, but that depends on your organization. Granular permissions can be created for doing things with AD, users, groups, computers that don’t require DA access.

 

 

Userlevel 7
Badge +6

4 eyes for sure, @Arin. There is a lot of content and demonstrations in this community!

Demonstration of Four-Eyes Authorization | Veeam Community Resource Hub

However, as colleagues warned, it is necessary to upgrade to v12.1. The functionality is very simple to implement and use - another layer of protection in the environment.

Userlevel 7
Badge +17

Hi @Arin -

I am just following up on your post to see if one of the comments made answered your question. If so, please select one as a ‘Best Answer’ so others may benefit from your post. Please let us know if you have further questions.

Thank you.
