Securing Backup Infrastructure

This section includes recommendations for hardening specific backup infrastructure components in addition to general security considerations.

Infrastructure Planning

For large environments, adding the backup server and other backup infrastructure components to a management domain in a separate Active Directory forest is the best practice for building the most secure infrastructure.

For medium-sized and small environments, backup infrastructure components can be placed to a separate workgroup. If you want to use specific Veeam Backup Enterprise Manager features, for example, SAML authentication or restore of Microsoft Exchange items, you can add this component to the domain.

In both cases, backup infrastructure components should be placed to a separate network where applicable. Also, it is recommended to use the hardened backup repository.

Backup Server

To secure the backup server, consider the following recommendations:

Restrict outbound connections. To enable product update check, automatic license update, and license usage reporting, the backup server must be connected to the internet and be able to send requests to servers on the internet. Allow only HTTPS connections to the Veeam Update Notification Server (dev.veeam.com), Veeam License Update Servers (vbr.butler.veeam.com, autolk.veeam.com), and Microsoft WSUS servers or Microsoft Update sites.
Restrict inbound connections. Inbound connectivity to backup servers from the internet must not be allowed. If you want to manage backup servers remotely over the Internet, you can deploy the Veeam Backup & Replication console on a jump server. Service providers who want to manage backup servers remotely can use the Veeam Backup Remote Access functionality. For more information, see the Using Remote Access Console section in the Veeam Cloud Connect Guide.

Note

The account used for RDP access must not have local Administrator privileges on the jump server, and you must never use the saved credentials functionality for RDP access or any other remote console connections. To restrict users from saving RDP credentials, you can use Group Policies. For more information, see this article.

Encrypt backup traffic. By default, Veeam Backup & Replication encrypts network traffic transferred between public networks. To ensure secure communication of sensitive data within the boundaries of the same network, encrypt backup traffic also in private networks. For more information, see Enabling Traffic Encryption.

Use multi-factor authentication. Enable multi-factor authentication (MFA) in the Veeam Backup & Replication console to protect user accounts with additional user verification. For more information, see Multi-Factor Authentication.

Use self-signed TLS certificates generated by Veeam Backup & Replication. This type of certificates is recommended for establishing a secure connection from backup infrastructure components to the backup server. For more information, see Generating Self-Signed Certificate.
Reduce the number of user sessions opened for a long time. Set the idle timeout to automatically log off users. To do this, go to Users and Roles, select the Enable auto log off after <number> min of inactivity check box, and set the number of minutes.
Restrict untrusted Linux VMs and Linux servers to connect to the backup server. Enable a manual SSH fingerprint verification for machines that do not meet specific conditions. For more information, see Linux Hosts Authentication.
Use the recommended Access Control List (ACL) for the custom installation folder. If you specify a custom installation folder for Veeam Backup & Replication, use the recommended ACL configuration to prevent privilege escalation and arbitrary code execution (ACE) attacks. Remove all inherited permissions from this folder. Then, add the following permissions:

Administrators: Full control, applies to this folder, subfolders and files
SYSTEM: Full control, applies to this folder, subfolders and files
CREATOR OWNER: Full control, applies to subfolders and files only
Users: Read & Execute, applies to this folder, subfolders and files

Veeam Backup & Replication Database

The Veeam Backup & Replication configuration database stores credentials of user accounts required to connect to virtual servers and other systems in the backup infrastructure. All passwords stored in the database are encrypted. However, a user with administrator privileges on the backup server can decrypt passwords which is a potential threat.

To secure the Veeam Backup & Replication configuration database, consider the following recommendations:

Restrict user access to the database. Check that only authorized users can access the backup server and the server that hosts the Veeam Backup & Replication configuration database (if the database runs on a remote server).
Encrypt data in configuration backups. Enable data encryption for configuration backup to secure sensitive data stored in the configuration database. For details, see Creating Encrypted Configuration Backups. Also, ensure that the repository for configuration backups is not located in the same network with the backup server.

Backup Repositories

To secure data stored in backups and replicas, consider the following recommendations:

Follow the 3-2-1 rule. To build a successful data protection, use the 3-2-1 rule when designing your backup infrastructure. For more information, see Plan How Many Copies of Data You Need (3-2-1 rule).
Ensure physical security of all data storage components. All devices including backup repositories, proxies, and gateway servers must be physically located in an access-controlled area.
Restrict user access to backups and replicas. Check that only authorized users have permissions to access backups and replicas on target servers.
Encrypt data in backups. Use Veeam Backup & Replication built-in encryption to protect data in backups. For more information, see Encryption Best Practices.
Encrypt SMB traffic. If you use SMB shares in your backup infrastructure, enable SMB signing to prevent NTLMv2 relay attacks. Also, enable SMB encryption.
Enable immutability for backups. To protect backup files from being modified or deleted, you can make them immutable. The feature is supported for any tier of scale-out backup repository.
Use offline media to keep backup files in addition to virtual storage. For more information, see Backup Repositories with Rotated Drives and Tape Devices Support.
Ensure security of mount servers. Machines performing roles of mount servers have access to the backup repositories and ESXi hosts which make them a potential source of vulnerability. Check that all required security recommendations are applied to these backup infrastructure components.

Veeam Backup Enterprise Manager

To secure Veeam Backup Enterprise Manager server, consider the following recommendations:

Install Veeam Backup & Replication server and Veeam Backup Enterprise Manager on different machines. Deploy Veeam Backup Enterprise Manager on a server different from the Veeam Backup & Replication server to reduce the risk of a key change attack.
Enable encryption password loss protection. This provides an alternative way to decrypt the data if a password for encrypted backup or tape is lost. Even if passwords are lost due to unauthorized access, you can restore lost data using Veeam Backup Enterprise Manager. For more information, see Decrypting Data Without Password and Managing Encryption Keys.
Use the recommended Access Control List (ACL) for the custom installation folder. If you specify a custom installation folder for Veeam Backup Enterprise Manager, use the recommended ACL configuration to prevent privilege escalation and arbitrary code execution (ACE) attacks. Remove all inherited permissions from this folder. Then, add the following permissions:

Administrators: Full control, applies to this folder, subfolders and files
SYSTEM: Full control, applies to this folder, subfolders and files
CREATOR OWNER: Full control, applies to subfolders and files only
Users: Read & Execute, applies to this folder, subfolders and files

Veeam Cloud Connect

Veeam Cloud Connect secures communication between the provider side and tenant side with TLS. If an attacker obtains a provider’s private key, backup traffic can be eavesdropped and decrypted. The attacker can also use the certificate to impersonate the provider (man-in-the-middle attack). To mitigate risks, Veeam Cloud Connect providers must ensure that the TLS certificate is kept in a highly secure place and cannot be uncovered by a third-party.