VMware Cloud Community
TheVMinator
Expert
Expert
Jump to solution

Security risks associated with backups

If an admin has full privileges to a backup infrastructure such as Veeam servers, then technically a VM could be backed up to a place it shouldn't be, or a restore job could be done to a place where it shouldn't be, so that virtual machines could be compromised.  As a reference point, for the Vmware infrstructure my target security level is risk profile 2.  What do I need to do and how far do I need to go to secure backup infrastructure?

Reply
0 Kudos
1 Solution

Accepted Solutions
Texiwill
Leadership
Leadership
Jump to solution

Hello,

THe only way to gain control is to limit what the admin account can do on restore. I.e. read from anywhere pretty much but write to specific datastores. That you can do and gain control. This way there is no way to restore without going to specific locations.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

View solution in original post

Reply
0 Kudos
6 Replies
Texiwill
Leadership
Leadership
Jump to solution

Hello,

Your backup service account used by things like Veeam need to be restricted. Please follow your backup tools, security considerations. If they say to grant Admin access, do not use that product, it is incorrect. :} Here is how I see these tools being used:

User logs into Backup server, backup server auth is in use. Backup server talks to vCenter (vCenter auth is in use, yes this is a service account). Restrict per backup documentation and then restrict further as necessary. Limit to where a restore could take place for example. I would limit to a staging area but that is just me using permission on datastores.

You need to secure your backup infrastructure as it if was your production environment as it contains your entire environment. Encryption, user auth, and service level auth. Use a separate user for each service account (including backup), and monitor what that user does, etc.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Netwrix
Enthusiast
Enthusiast
Jump to solution

Edward, here are needed permissions for Veeam B&R 8 http://helpcenter.veeam.com/backup/80/vsphere/required_permissions.html

Veeam requires Administrator permissions at VC (for connection, it's not the account used for running B&R services) in order to use full features of software. It's kinda normal.

TheVMinator
Expert
Expert
Jump to solution

Thanks for the input. What I am concerned about primarily is not so much the service account that is used to access vCenter.  I'm assuming all of my jobs are using that service account regardless of who configured them, the destination of the backup or the destination of the restore.  But different people with permissions inside Veeam can use their user account to make Veeam hit vCenter with that same service account to restore a VM to a non-approved location, or to backup a VM to a non approved location, just by the privileges they have inside of Veeam itself.  vCenter only sees the service account used, and only veeam sees the admin account used to modify the backup job details.

Reply
0 Kudos
Texiwill
Leadership
Leadership
Jump to solution

Hello,

THe only way to gain control is to limit what the admin account can do on restore. I.e. read from anywhere pretty much but write to specific datastores. That you can do and gain control. This way there is no way to restore without going to specific locations.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Reply
0 Kudos
TheVMinator
Expert
Expert
Jump to solution

thanks again

Reply
0 Kudos
Texiwill
Leadership
Leadership
Jump to solution

Hello,

One other thing, make sure your backup server and tools have some really good security in place. For example, if your vSphere backup tool runs on windows, harden that windows server and limit access to it. Ensure encryption is used as well.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill