General Security Considerations
General security considerations include best practices which help you to harden backup infrastructure, build a more secure environment, and mitigate risks of being compromised. Ensure that your backup infrastructure meet the common recommendations described in this section. For more information about hardening specific backup infrastructure components, see Securing Backup Infrastructure.
To secure the communication channel for backup traffic, consider the following recommendations:
- Use network segmentation. Create network segmentation policies to define network boundaries, control traffic between subnets and limit access to security-sensitive backup infrastructure components. Also, ensure that only ports used by backup infrastructure components are opened.
- Isolate backup traffic. Use an isolated network to transport data between backup infrastructure components — backup server, backup proxies, repositories and so on.
- Disable outdated network protocols. Check that the following protocols are disabled:
- SSL 2.0 and 3.0 as they have well-known security vulnerabilities and are not NIST-approved. For more information, see NIST guidelines.
- TLS 1.0 and 1.1 if they are not needed. For more information, see NIST guidelines.
- LLMNR and NetBIOS broadcast protocols to prevent spoofing and man-in-the-middle (MITM) attacks.
- SMB 1.0 protocol as it has a number of serious security vulnerabilities including remote code execution. For more information, see this Microsoft article.
User Roles and Permissions
Administrator privileges on a backup server or a backup proxy allow the user to access other backup infrastructure components. If an attacker gains such permissions, they can destroy most of the production data, backups, and replicas, as well as compromise other systems in your environment. To mitigate risks, use the principle of the least privilege. Provide the minimal required permissions needed for the accounts to run. For more information, see Permissions.
Perform regular security audits to estimate your backup infrastructure by security criteria and understand if it is compliant with best practices, industry standards, or federal regulations.
The most possible causes of a credential theft are missing operating system updates and use of outdated authentication protocols. To mitigate risks, ensure that all software and hardware running backup infrastructure components are updated regularly. If the latest security updates and patches are installed on backup infrastructure servers, this will reduce the risk of exploiting vulnerabilities by attackers. Note that you should work out an update management strategy without a negative impact on production environment.
You can subscribe to Veeam security advisories published in the Veeam Knowledge Base to stay up to date with the latest security updates.
To secure Microsoft Windows-based backup infrastructure components, consider the following recommendations:
- Use operating system versions with Long Term Servicing Channel (LTSC). For these versions Microsoft provides extended support including regular security updates. For more information, see this Microsoft article.
- Turn on Microsoft Defender Firewall with Advanced Security. Set up rules for inbound and outbound connections according to your infrastructure and Microsoft best practices. For more information, see this Microsoft article.
- Disable remote services if they are not needed:
- Remote Desktop Service
- Remote Registry service
- Remote PowerShell
- Windows Remote Management service
A backup server also requires additional configuration described in section Securing Backup Infrastructure.
To secure Linux-based backup infrastructure components, consider the following recommendations:
- Use operating system versions with long-term support (LTS). LTS versions of popular community-based and commercial Linux distributions have extended support including regular security updates.
- Choose strong encryption algorithms for SSH. To communicate with Linux servers deployed as a part of the backup infrastructure, Veeam Backup & Replication uses SSH. Make sure that for the SSH tunnel you use a strong and proven encryption algorithm, with sufficient key length. For more information, see this section. Also, ensure that private keys are kept in a highly secure place and cannot be uncovered by a third-party.
For the Linux hardened repository, instead of SSH Veeam Backup & Replication uses SHA256RSA self-signed certificates with 2048-bit RSA key.
- Avoid using password authentication to connect to remote servers over SSH. Using key-based SSH authentication is generally considered more secure than using password authentication and helps averting man-in-the-middle (MITM) attacks. The private key is not passed to the server and cannot be captured even if a user connects to a fake server and accepts a bad fingerprint.
A Linux hardened repository requires a specific security configuration described section Hardened Repository.