If an admin has full privileges to a backup infrastructure such as Veeam servers, then technically a VM could be backed up to a place it shouldn't be, or a restore job could be done to a place where it shouldn't be, so that virtual machines could be compromised. As a reference point, for the VMware infrastructure my target security level is risk profile 2. What do I need to do and how far do I need to go to secure backup infrastructure?
Hello,
Your backup service account used by things like Veeam needs to be restricted. Please follow your backup tool's security considerations. If they say to grant Admin access, do not use that product, it is incorrect. :} Here is how I see these tools being used:
User logs into Backup server, backup server auth is in use. Backup server talks to vCenter (vCenter auth is in use, yes this is a service account). Restrict per backup documentation and then restrict further as necessary. Limit to where a restore could take place for example. I would limit to a staging area but that is just me using permission on datastores.
You need to secure your backup infrastructure as if it was your production environment, as it contains your entire environment. Encryption, user auth, and service level auth. Use a separate user for each service account (including backup), and monitor what that user does, etc.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014
Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast
Edward, here are needed permissions for Veeam B&R 8 http://helpcenter.veeam.com/backup/80/vsphere/required_permissions.html
Veeam requires Administrator permissions at VC (for connection, it's not the account used for running B&R services) in order to use full features of software. It's kinda normal.
Thanks for the input. What I am concerned about primarily is not so much the service account that is used to access vCenter. I'm assuming all of my jobs are using that service account regardless of who configured them, the destination of the backup or the destination of the restore. But different people with permissions inside Veeam can use their user account to make Veeam hit vCenter with that same service account to restore a VM to a non-approved location, or to back up a VM to a non-approved location, just by the privileges they have inside of Veeam itself. vCenter only sees the service account used, and only Veeam sees the admin account used to modify the backup job details.
Hello,
The only way to gain control is to limit what the admin account can do on restore. I.e. read from anywhere pretty much but write to specific datastores. That you can do and gain control. This way there is no way to restore without going to specific locations.
Best regards,
Edward L. Haletky
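An audit of the "read from anywhere, write to specific datastores" rule from the reply above, as an added example that is not part of the original thread and is not Veeam or VMware code. It resolves the role a service account effectively holds on each datastore (an assignment on the object itself overrides one inherited through propagation) and reports datastores outside the approved restore list where that role can write. The inventory, role names, the account `svc-backup` and both permission exports are constructed; group-based permissions are not modelled.

```python
# Constructed inventory tree: child -> parent.
PARENT = {"dc1": "root", "ds-folder": "dc1", "prod-ds01": "ds-folder",
          "prod-ds02": "ds-folder", "restore-staging": "ds-folder"}
DATASTORES = ["prod-ds01", "prod-ds02", "restore-staging"]

# Hypothetical role names mapped to vSphere privilege IDs.
ROLES = {
    "BackupRead": {"System.Read", "System.View", "Datastore.Browse"},
    "RestoreWrite": {"System.Read", "System.View", "Datastore.Browse",
                     "Datastore.AllocateSpace", "Datastore.FileManagement"},
}
WRITE_PRIVS = {"Datastore.AllocateSpace", "Datastore.FileManagement"}

# Constructed permission exports: (principal, entity, role, propagate).
GOOD = [("svc-backup", "root", "BackupRead", True),
        ("svc-backup", "restore-staging", "RestoreWrite", False)]
# Drift: write role granted on the folder, so it propagates to production.
DRIFTED = [("svc-backup", "root", "BackupRead", True),
           ("svc-backup", "ds-folder", "RestoreWrite", True),
           ("svc-backup", "prod-ds02", "BackupRead", False)]

def effective_role(principal, entity, permissions, parent):
    """Nearest assignment wins; ancestors count only if they propagate."""
    direct = {(p, e): (role, prop) for p, e, role, prop in permissions}
    node, is_self = entity, True
    while node is not None:
        hit = direct.get((principal, node))
        if hit and (is_self or hit[1]):
            return hit[0]
        node, is_self = parent.get(node), False
    return None  # no permission at all on this object

def unapproved_write_targets(principal, approved, permissions):
    """Datastores outside `approved` where the account can write."""
    findings = []
    for ds in DATASTORES:
        role = effective_role(principal, ds, permissions, PARENT)
        granted = ROLES.get(role, set()) & WRITE_PRIVS
        if granted and ds not in approved:
            findings.append((ds, role, sorted(granted)))
    return findings

if __name__ == "__main__":
    for name, perms in (("GOOD", GOOD), ("DRIFTED", DRIFTED)):
        print(name, unapproved_write_targets("svc-backup",
                                             {"restore-staging"}, perms))
```

In the drifted export only `prod-ds01` is reported: `prod-ds02` carries a direct read-only assignment that overrides the inherited write role.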
thanks again
Hello,
One other thing, make sure your backup server and tools have some really good security in place. For example, if your vSphere backup tool runs on Windows, harden that Windows server and limit access to it. Ensure encryption is used as well.
Best regards,
Edward L. Haletky