Securing Backup Infrastructure

This section includes recommendations for hardening specific backup infrastructure components in addition to general security considerations.

Infrastructure Planning

For large environments, adding the backup server and other backup infrastructure components to a management domain in a separate Active Directory forest is the best practice for building the most secure infrastructure.

For medium-sized and small environments, backup infrastructure components can be placed to a separate workgroup. If you want to use specific Veeam Backup Enterprise Manager features, for example, SAML authentication or restore of Microsoft Exchange items, you can add this component to the domain.

In both cases, backup infrastructure components should be placed to a separate network where applicable. Also, it is recommended to use the hardened backup repository.

Backup Server

To secure the backup server, consider the following recommendations:

Note

The account used for RDP access must not have local Administrator privileges on the jump server, and you must never use the saved credentials functionality for RDP access or any other remote console connections. To restrict users from saving RDP credentials, you can use Group Policies. For more information, see this article.

  • Encrypt backup traffic. By default, Veeam Backup & Replication encrypts network traffic transferred between public networks. To ensure secure communication of sensitive data within the boundaries of the same network, encrypt backup traffic also in private networks. For more information, see Enabling Traffic Encryption.
  • Use multi-factor authentication. Enable multi-factor authentication (MFA) in the Veeam Backup & Replication console to protect user accounts with additional user verification. For more information, see Multi-Factor Authentication.
  • Use self-signed TLS certificates generated by Veeam Backup & Replication. This type of certificates is recommended for establishing a secure connection from backup infrastructure components to the backup server. For more information, see Generating Self-Signed Certificates.
  • Reduce the number of user sessions opened for a long time. Set the idle timeout to automatically log off users. To do this, go to Users and Roles, select the Enable auto log off after <number> min of inactivity check box, and set the number of minutes.
  • Restrict untrusted Linux VMs and Linux servers to connect to the backup server. Enable a manual SSH fingerprint verification for machines that do not meet specific conditions. For more information, see Linux Host Authentication.
  • Use the recommended Access Control List (ACL) for the custom installation folder. If you specify a custom installation folder for Veeam Backup & Replication, use the recommended ACL configuration to prevent privilege escalation and arbitrary code execution (ACE) attacks. Remove all inherited permissions from this folder. Then, add the following permissions:
    • Administrators: Full control, applies to this folder, subfolders and files
    • SYSTEM: Full control, applies to this folder, subfolders and files
    • CREATOR OWNER: Full control, applies to subfolders and files only
    • Users: Read & Execute, applies to this folder, subfolders and files

Veeam Backup & Replication Database

The Veeam Backup & Replication configuration database stores credentials of user accounts required to connect to virtual servers and other systems in the backup infrastructure. All passwords stored in the database are encrypted. However, a user with administrator privileges on the backup server can decrypt passwords which is a potential threat.

To secure the Veeam Backup & Replication configuration database, consider the following recommendations:

Backup Repositories

To secure data stored in backups and replicas, consider the following recommendations:

Veeam Backup Enterprise Manager

To secure Veeam Backup Enterprise Manager server, consider the following recommendations:

  • Install Veeam Backup & Replication server and Veeam Backup Enterprise Manager on different machines. Deploy Veeam Backup Enterprise Manager on a server different from the Veeam Backup & Replication server to prevent a key change attack. Even if passwords are lost due to unauthorized access, you can restore lost data with the help of Enterprise Manager. For more information, see Decrypting Data Without Password.
  • Enable encryption password loss protection. To improve data loss protection, provide an alternative way to decrypt the data if a password for encrypted backup or tape is lost. For more information, see Managing Encryption Keys.
  • Use the recommended Access Control List (ACL) for the custom installation folder. If you specify a custom installation folder for Veeam Backup Enterprise Manager, use the recommended ACL configuration to prevent privilege escalation and arbitrary code execution (ACE) attacks. Remove all inherited permissions from this folder. Then, add the following permissions:
    • Administrators: Full control, applies to this folder, subfolders and files
    • SYSTEM: Full control, applies to this folder, subfolders and files
    • CREATOR OWNER: Full control, applies to subfolders and files only
    • Users: Read & Execute, applies to this folder, subfolders and files

Veeam Cloud Connect

Veeam Cloud Connect secures communication between the provider side and tenant side with TLS. If an attacker obtains a provider’s private key, backup traffic can be eavesdropped and decrypted. The attacker can also use the certificate to impersonate the provider (man-in-the-middle attack). To mitigate risks, Veeam Cloud Connect providers must ensure that the TLS certificate is kept in a highly secure place and cannot be uncovered by a third-party.

Related Topics

Page updated 10/30/2023

Page content applies to build 12.1.1.56