Skip to main content

So i am checking over our security protocols for all out clients,. we are currently using the domain admin for alot of things to which means when i want to reset the domain admin password we have to update everythign (Veeam, SQL databases etc) 

 

I just wanted to confirm a few things before i start change things,

 

I am using the latest version of B&R,. these connect to a host machine,. to which backs up VMS with guest application enabled.

so for B&R to connect to the host,. this can domain user account that has local admin privileges to the host machine to be able to read the VM files? 

additionally,. the guest application processing,. this again can be a domain user account that has local admin priviliages on the local machine,. 

 

and that both do not require domain admin priviliges? 

We use service accounts to facilitate the majority of this.

The Help Center guides provides some great information if you want to go granular with the permissions.

Permissions - User Guide for VMware vSphere (veeam.com)

 

Is it just a single domain/environment you’re backing up or multi-tenanted?

 


The most secure way Is to use a local administrator account on each machine, This would stop any lateral movement If a hacker was able to obtain access to that account.

 

You can use a domain user account for application aware backups, This will need to be a local administrator on the machines It’s backing up, or Use a gMSA account for the securest option.


We use service accounts to facilitate the majority of this.

The Help Center guides provides some great information if you want to go granular with the permissions.

Permissions - User Guide for VMware vSphere (veeam.com)

 

Is it just a single domain/environment you’re backing up or multi-tenanted?

 

I would start here to check permissions.  Connecting to the host assuming you mean the ESXi server you need to use an account with the correct permissions - you can create an account in the vSphere.local domain to use or if you are not using vCenter then an account local to the host.

The application aware account can be a domain account or local machine account, but I would ensure it is the same credentials for each server if you can so that you are not setting an account per server (which is possible).

gMSA accounts are also great to use and secure as well.


Comment