I had a request recently from a client to increase the security on the Backup Repositories within Veeam. Hear are simple steps to lock down the Backup Repositories to a Veeam Service account, stopping all other accounts from accessing the data. This is useful is the environment was compromised or a ransomware got loose.

Step 1

Create a new local Administrative Service Account.

The reason for this is to increase the hardening on the repositories by removing the reliance on Active Directory. This is both for Authentication and Security as it also means if Active Directory was compromised, it removes the need for Veeam to Authenticate with an AD account and means the account information isn’t store within or accessible from AD.

If using a local Administrative Service Account isn’t acceptable in your environment, then we can use the existing AD Veeam Service Account.

 Step 2

Amend the NTFS Permissions on the below Backup repositories to change the ownership to the newly created local Veeam Service Accounts and to remove access to all other accounts.

Backup Repositories:

H:\Backups
H:\BackupCopies
H:\Replication MetaData
H:\VeeamConfigBackup

 Step 3

As a result of these permission changes we would need to change the “Log on as” account for all the Veeam backup service to use the Local Veeam Service Account, otherwise the backup jobs will fail as Veeam would use the Local System Account to access the repositories.

 Step 4

Restart all the Veeam Services

You can run the below in Powershell to do this.

Get-process | where {($_.Name -like “Veeam*”)} | stop-process -Force
Get-Service | where {($_.Name -like “Veeam*”)-and ($_.Status -eq “Running”)} | Stop-service -Force
Get-Service | where {($_.Name -like “Veeam*”)-and ($_.Status -eq “Stopped”)} | Start-service

Once these steps are complete, the Veeam Repositories will be locked down to local Veeam Service Account, and inaccessible by other account, including accounts from Active Directory.

Categories: Blog Posts

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *