Configuring Security Settings
Configuring security settings in Veeam Backup & Replication is essential to protect your data and maintain a secure environment. You can set up role-based access control to define permissions for different users and restrict access to sensitive data. Additionally, you can enable encryption settings to safeguard data during transmission and storage, ensuring a secure backup environment.
During the Veeam Backup & Replication infrastructure configuration, you can designate the TLS certificate used for secure connections between backup infrastructure components and the backup server. Veeam Backup & Replication offers the following options for TLS certificates:
Backup Server Certificate
- Keep the default self-signed TLS certificate generated by Veeam Backup & Replication during the upgrade to a new version of Veeam Backup & Replication.
- Use Veeam Backup & Replication to generate a new self-signed TLS certificate. To learn more, see Generating Self-Signed Certificate.
- Select an existing TLS certificate from the certificates store. To learn more, see Importing Certificate from Certificate Store.
- Import a TLS certificate from a file in the PFX format. To learn more, see Importing Certificate from PFX Files.
Configure robust security settings to ensure data protection and prevent unauthorized access in Veeam Backup & Replication.
Linux Hosts Authentication
In the Linux hosts authentication section of the Veeam Backup & Replication settings, you can define SSH fingerprint verification settings for protected Linux machines. You can choose from the following options:
Add all discovered hosts to the list automatically — with this option enabled, Veeam Backup & Replication allows all Linux servers added to the protection group and all Linux VMs to be connected to the backup server.
Add unknown hosts to the list manually (more secure) — with this option enabled, only the following Linux machines can connect to the backup server:
- Protected machines with established connections to the backup server and stored fingerprints in the Veeam Backup & Replication database. These machines are displayed in the Trusted Hosts field. To export the list of trusted machines to the known_hosts file, click Export and specify the file path where it should be saved.
- Protected machines specified in the known_hosts file imported to Veeam Backup & Replication. To import the file, click Import and provide the file path. Untrusted machines will be displayed under the Untrusted node in the inventory, and their fingerprints must be manually validated in the console for management. Learn more about validating SSH fingerprints in the Veeam Backup & Replication documentation.
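The export described above can be checked against fingerprints read directly on each Linux machine (for example with `ssh-keygen -lf` on the host's public key file). The following is an added example, not Veeam code: it assumes the exported file follows the OpenSSH known_hosts line format, and the function names, host names and keys are constructed for illustration.

```python
import base64, hashlib, struct

def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 key blob, in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Yield (host_patterns, key_type, fingerprint) for every key line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue                       # blank line or comment
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue                       # malformed entry
        yield fields[0].split(","), fields[1], fingerprint(fields[2])

def audit(text, expected):
    """expected: {host: set of fingerprints read on the host itself}.
    Returns {(host, key_type): 'ok' | 'mismatch' | 'unverified'}."""
    result = {}
    for hosts, key_type, fp in parse_known_hosts(text):
        for host in hosts:
            if host.startswith("|1|") or host not in expected:
                status = "unverified"      # hashed name or no reference value
            else:
                status = "ok" if fp in expected[host] else "mismatch"
            result[(host, key_type)] = status
    return result

def sample_key(seed):
    """Constructed ed25519-shaped blob for the demo, not a real host key."""
    name, raw = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return base64.b64encode(blob).decode()

KEY_A, KEY_B = sample_key(b"a"), sample_key(b"b")
SAMPLE = (                                 # constructed export, placeholder hosts
    "# exported trusted hosts\n"
    f"repo01.example.test,192.0.2.10 ssh-ed25519 {KEY_A}\n"
    f"proxy02.example.test ssh-ed25519 {KEY_B} rotated?\n"
    f"|1|c2FsdA==|aGFzaA== ssh-ed25519 {KEY_B}\n")
EXPECTED = {h: {fingerprint(KEY_A)}
            for h in ("repo01.example.test", "192.0.2.10", "proxy02.example.test")}
if __name__ == "__main__":
    for (host, key_type), status in audit(SAMPLE, EXPECTED).items():
        print(f"{status:10} {key_type:12} {host}")
```

A `mismatch` entry means the fingerprint stored as trusted differs from the one read on the machine and should be investigated before the entry is imported or left in place; `unverified` entries have no reference value to compare against.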
Continue to discover further options for configuring your security settings:
| Setting | Description |
| --- | --- |
| FIPS Compliance | The Veeam backup infrastructure components are designed to adhere to the NIST CMVP cryptographic and security requirements by utilizing platform-provided cryptographic APIs and the FIPS-compliant Veeam Cryptographic Module. Moreover, users can enable the FIPS-compliant operation mode, which further strengthens security by restricting connections to non-FIPS-compliant platforms and performing self-tests to validate and ensure the proper functioning of encryption modules. |
| Audit Logs Location | Veeam Backup & Replication logs various activities, including data protection and disaster recovery tasks, such as File-Level Restore sessions with the list of restored files. These audit logs are saved as .csv files. Users can define the folder for storing these logs in the "Audit Logs Location" field; the default location is %ProgramData%\Veeam\Backup\Audit. To use an SMB (CIFS) folder, grant write access to the VBR Server Active Directory computer account, as the default service account (Local System) requires appropriate access to the specified SMB (CIFS) folder. |
| Multifactor Authentication | Multi-factor Authentication (MFA) is a security feature in Veeam Backup & Replication that provides enhanced protection by requiring users to provide multiple forms of verification when logging in. It adds layers of authentication beyond just a username and password. Only when both factors are successfully authenticated can users gain access to their Veeam accounts. MFA makes it much more challenging for unauthorized users to access your Veeam environment, even if they possess a user's login credentials. It is a vital security measure to safeguard sensitive data and maintain the integrity of your backup and replication operations. |
| Best Practice Analyzer | The Veeam Best Practice Analyzer (BPA) is a tool for maintaining the health and efficiency of your Veeam Backup & Replication environment. It scans your Veeam infrastructure to pinpoint configuration issues or deviations from best practices. Once identified, it provides actionable recommendations to optimize your setup, ensuring it operates efficiently and securely. By following the BPA's guidance, you can enhance the reliability of your backup and replication processes while reducing the risk of data loss. It is a valuable resource for aligning your Veeam environment with industry best practices, resulting in improved data protection and operational reliability. |
Other Courseware
If you want to dig deeper into Veeam security, look for our Veeam Technical Specialist - Cyber Security & Disaster Recovery course series in the course catalog.