Kerberos Authentication with Veeam v12

In v11, NTLM authentication is still mandatory for communication between all Veeam backup infrastructure servers (backup server, backup proxies, backup repositories, guest interaction proxies, log shipping servers, and mount servers). NTLM has been subject to several known security vulnerabilities related to password hashing and salting. Kerberos-only authentication will be supported starting with Veeam Backup & Replication version 12. Veeam B&R v12 will also allow using gMSA accounts for application-aware processing. Together, these two new features should give you better security for all service accounts.


Veeam is upping its security game by implementing Multi-Factor Authentication (MFA) and Group Managed Service Accounts (gMSA).

With v12 it will be supported to use a group Managed Service Account (gMSA) for user credentials. Only the guest interaction proxy has to be in the domain; the Veeam B&R server can be outside of the domain. It is going to solve many things. Due to security requirements, enterprises must transition from NTLM to Kerberos everywhere.

More Kerberos Support:

  • AAIP VMware VM (already supported),
  • AAIP Hyper-V VM,
  • All Veeam B&R components,
  • Windows Agents,
  • Linux Agents,
  • Storage Plug-ins: depending on storage vendor support,
  • NFS 4.1 (repository and source share),
  • SMB 3 (repository and source share).

Kerberos Requirements:

  • All machines must be in Active Directory,
  • All machines must be added to VBR via FQDN,
  • All services run as LOCAL SYSTEM (default).
  • How to test: put the accounts into the “Protected Users” Active Directory group (members of this group can no longer authenticate with NTLM, so anything that breaks is still relying on it).
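A pre-flight check for the three requirements above, written as an added example (not Veeam's own tooling). It assumes the Veeam service names start with "Veeam" and uses a constructed list of component names in place of the ones registered in your VBR console.

```powershell
# Added example: check the Kerberos requirements on a host that is part of the
# VBR infrastructure. $ComponentNames is a constructed sample; replace it with
# the names of the components registered in your VBR console.
$ComponentNames = @('vbr01.corp.example.com', 'proxy01.corp.example.com', 'repo01')

$results = @()

# 1. The machine must be joined to Active Directory
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results += [pscustomobject]@{ Check = 'Domain joined'; Ok = $cs.PartOfDomain; Detail = $cs.Domain }

# 2. Components must be registered by FQDN, and that FQDN must resolve in DNS
foreach ($name in $ComponentNames) {
    $isFqdn   = $name.Contains('.')
    $resolves = $false
    if ($isFqdn) {
        try   { $null = Resolve-DnsName -Name $name -Type A -ErrorAction Stop; $resolves = $true }
        catch { $resolves = $false }
    }
    if ($isFqdn) { $detail = "resolves=$resolves" } else { $detail = 'short name, re-add via FQDN' }
    $results += [pscustomobject]@{ Check = "FQDN: $name"; Ok = ($isFqdn -and $resolves); Detail = $detail }
}

# 3. Veeam services should run as LOCAL SYSTEM (assumption: service names start with "Veeam")
Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'Veeam%'" | ForEach-Object {
    $results += [pscustomobject]@{
        Check  = "Service: $($_.Name)"
        Ok     = ($_.StartName -eq 'LocalSystem')
        Detail = $_.StartName
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) { Write-Warning 'One or more Kerberos requirements are not met.' }
```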

NTLM Security Options (when required):

The setting marked with * needs more attention because it can break things, so it has to be tested very well before deploying it in production. Two NTLM audit settings need to be enabled to track down the use of NTLM.


  • Network security – Restrict NTLM: Audit Incoming NTLM Traffic: Enable auditing for domain accounts
  • Network security – Restrict NTLM: Audit NTLM authentication in this domain: Enable all

Filter event 4624 on the data fields “Authentication Package” and “Package Name (NTLM only)”. If you see something like NTLM V1 as the Package Name, an application is still using NTLMv1. Disabling NTLM immediately could break such an application, so make sure this is tested properly.

NTLM Recommendation (when required):

Configure all the recommended settings, but keep a sharp eye on the “LAN Manager Authentication Level”. The recommended value is “Send NTLMv2 response only. Refuse LM & NTLM”, but test this properly first.

Start the following test phase:

  • Enable the two NTLM auditing policies and start monitoring to see if there are applications using NTLMv1.
  • Once you are confident that there are no legacy apps anymore, change the policy to: “Send NTLMv2 response only. Refuse LM”.
  • Keep monitoring until you are confident enough to make the next step.
  • Change the policy to: “Send NTLMv2 response only. Refuse LM & NTLM”.
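The event 4624 filtering described earlier and the monitoring step of this test phase, as one added example (not from the original post): it summarises NTLM logons by package, lists the sources still using NTLMv1, and reads the current LAN Manager Authentication Level from the registry so you can see which step the host is on. $Days is an assumed reporting window; run it elevated on the machine whose incoming NTLM traffic you are auditing.

```powershell
# Added example: summarise NTLM use from Security event 4624 after the two
# audit policies are enabled. $Days is an assumed window.
$Days = 7

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

# Extract the EventData fields from each event's XML and keep NTLM logons only
$logons = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['AuthenticationPackageName'] -eq 'NTLM') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Workstation = $d['WorkstationName']
            IpAddress   = $d['IpAddress']
            LmPackage   = $d['LmPackageName']   # 'NTLM V1' or 'NTLM V2'
        }
    }
}

"NTLM logons in the last $Days day(s), by package:"
$logons | Group-Object LmPackage | Select-Object Name, Count | Format-Table -AutoSize

"Sources still using NTLMv1 (fix these before refusing NTLM):"
$logons | Where-Object LmPackage -eq 'NTLM V1' |
    Group-Object User, Workstation, IpAddress |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# LmCompatibilityLevel: 3 = Send NTLMv2 response only, 4 = ... Refuse LM,
# 5 = ... Refuse LM & NTLM. A missing value means the OS default applies.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
if ($null -ne $lsa) { $level = $lsa.LmCompatibilityLevel } else { $level = 'not set (OS default)' }
"Current LAN Manager Authentication Level: $level"
```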

For me, one important thing is that you do not log in to the Veeam B&R server via remote or physical console. No user should work directly on the Veeam B&R server. If you need to manage the Veeam B&R environment or perform a restore, use the Veeam B&R console on a dedicated jump host (bastion). That jump host should run a Windows version with the same or a higher patch level than your backed-up servers, or you could face issues restoring certain backups (VB365 Jet DB, ReFS filesystems, deduplication).
