Veeam Protect Backups From Ransomware

Ransomware is every admin’s worst nightmare. When one strikes, everyone blames someone else. The network admin is blamed by the security admin for allowing the attack on the network. The storage admin is accused by the network administrator of not having secure write access to their storage. The business will want their data back, regardless of who is responsible. Guess who is in charge of backing up that data? The backup administrator. You may have several roles in your infrastructure but when ransomware hits, the backup admin is at the front of the line to get the data restored as quickly and with as little loss as possible. This series will provide insight into the new and existing features Veeam has to make this a heroic event.

Protect your Veeam Backup & Replication console

Protecting your Veeam Backup & Replication Console is something that you may not always consider. Even the server that backs up your environment must be protected against ransomware attacks and malicious intent. You could protect your Veeam server by encrypting backups and taking storage off your domain. But that is not enough. Domain administrators have access to the console, but you need to think about who is a domain administrator within your organization. Consider that not everyone who has access to the Veeam server needs to be able to modify jobs or retrieve sensitive information. When it comes to Veeam, and its components, we would like to encourage the concept of least privilege. This article will show you how to protect your Veeam server from external and internal forces.

Separate password policies and user accounts

Although Veeam requires that the user opening the console must be a local administrator it doesn’t have to be all local administrators. Veeam defaults to give anyone in the local administrator group full access to the Veeam console. Windows machines that are added to a domain automatically add domain administrators to their local administrator group. This is useful when Veeam is installed for the first time. Next, you will need to set up the console. Next, you need to decide who has access and why. Veeam allows users to be assigned different roles depending on the job they are performing. You should also ensure that you follow the proper password change policies when accessing Veeam accounts. This is especially true if someone leaves the company.

Users should be assigned the correct Veeam roles

Any user or group can assign five roles: backup viewer, restore operator, backup operator tape operator, backup administrator, and tape operator. A user can restore from existing backups and replicas by taking the restore operator role. The backup viewer can view existing jobs and see session details, but cannot restore. Backup operators can create VeeamZIP backups and can initiate or stop jobs. Tape operator roles allow the user to perform the following actions: tape inventory, tape export, and tape eject. The backup administrator can perform any action within the console without restrictions. This is why it is important to limit who has this role.

This can be a way to split the work of users who don’t need access to modify jobs. You don’t need to give access to sensitive company data to an employee who has to remove the tape to be exported off-site on weekends. External auditors will appreciate the backup viewer role. This allows them to not modify your jobs while verifying that the console configuration is compliant with regulatory requirements. You should not give generic administrator accounts to any role. If everyone logs in as the same user, it is impossible to retroactively determine who made changes to the console.

Click on the dropdown menu at the upper left-hand side and select Users or Roles to change the user’s roles. You can add, edit, and remove users from this page.

Local service accounts are a great benefit

IT administrators have been wrestling with the question of whether to place a machine on the domain. It doesn’t matter whether a Veeam Backup and Replication machine is on the domain or not. However, there are additional configuration steps to take if the Veeam backup or replication software is installed. The registry stores the configuration files of the software. When a machine is added to or removed from a domain, the machine name changes. These registry keys must be manually updated.

Veeam Backup and Replication machines can be added to a domain. It provides a central credential manager that integrates with Active Directory. Users can also group roles easily, have access to domain resources without additional steps, and are quick to decommission accounts for employees who leave. Administrators will find it easier to add the Veeam Backup &Replication server to their domain. It also makes it easier for them to decommission accounts. A domain account has the greatest disadvantage: it is used to sign in to more authentication forms. This increases the chance that it will be compromised, which can lead to ransomware spreading through the environment. You can mitigate this problem by using strong passwords and the concept of least privilege. Keep in mind that even though the Veeam Backup server may be located on a domain, it does not necessarily mean that domain credentials are required to gain access to the repository. Local service accounts can be used to authenticate backups and store them in a repository. Backups can be protected by importing any Veeam backup chains into another console to restore.

Granularly assign responsibility

Veeam Backup Enterprise Manager is a web-based management console for your Veeam Server. Users can assign the enterprise manager three roles: portal administrator, portal users, and restore operator. The portal administrator has full access to the Veeam server portal. Portal users can only access machines that are within their scope for backups or restores. Only machines that are within the restore scope can be restored by the restore operator. This portal has the advantage of assigning roles to users. They do not have full access to the infrastructure and can only manage or restore what they are assigned. Users can delegate tasks to others without having to compromise the backup and restore capabilities of other departments. This type of least privilege protects the Veeam server against the need for an additional login access point, which could compromise it.


By limiting the access of the Veeam Server to multiple credentials, you can limit the potential for ransomware and other malicious attacks to infect the Veeam servers. If a credential is compromised, diversifying the credentials that have access can help reduce the spread of the damage. Next in this series, we will discuss the 3-2-1 Rule and its importance.