Two-Factor Authentication on Veeam Components
Updated: Aug 23, 2021
There are a number of features Veeam offers to both detect and protect against ransomware, but hardening your Veeam infrastructure is the first and most important step to a proper ransomware strategy. Sophisticated attackers know to target the backup software before requesting a ransom and encrypting files on the network. There are a number of recommendations that you can read through in Veeam's Best Practice Guide to harden your infrastructure, but if there is one key takeaway it is to setup two-factor authentication (2FA) on your Veeam backup server and other Veeam components.
Setting up 2FA on your Veeam servers (backup server, proxy and repository) should help you sleep at night, assuming you have your phone nearby. Even if attackers access the proper credentials to your Veeam server, they will be prompted to approve or enter in a code that was sent to the Veeam admin's phone. Unless the hackers also social engineered their way into your life to the point where they know the passcode on your phone (which at that point kudos to them considering my fiance doesn't even know mine), they'll be stopped dead in their tracks.
Some of you might be rolling your eyes at me right about now because 2FA on your Veeam servers will be very annoying if your security team has a policy to lockout RDP sessions every 10-15 minutes. But you know what is more annoying? A ransomware attack that deletes all your backups and costs your company thousands if not millions of dollars. Plus, your job to boot most likely. We at Veeam talk about 2FA all the time, but in all my posts I try to walk the talk. Let's get into the how-to.
How-to Setup 2FA on Veeam Servers
In this example, we are going to use Duo as our MFA software, but there are many other vendors that offer the same service to enable your RDP sessions with 2FA. Why I chose Duo? The same reason people at home or small companies use Veeam. It's free for up to 10 users.
First, I create a Duo account by just going to Duo.com. Then you select an application to configure 2FA on. They have just about every application you can think of. AWS, Oracle, Palo Alto and of course RDP as well as hundreds of others. In the example below, I am setting up 2FA for my Veeam server logins. When you create 2FA for RDP sessions an integration key and secret key is provided which will be used during the installation of Duo.
During the application setup you can attach a policy to define the requirements for 2FA. There are a number options from blocking a specific OS, browser or network to defining the location logins are permitted. Most importantly though, you can enforce 2FA in all scenarios which I recommend.
You then download Duo software to your Veeam server and enter in the keys created in your Duo account for Veeam RDP sessions. I recommend doing this for your backup servers and repositories at minimum.
When you first attempt to login to your Veeam server the below message will appear. The next step is to create a user in the Duo admin console that is permitted to access this machine.
Enter in the username that will access the Veeam servers and their email (don't use the email in the image). The user(s) will receive a registration email from Duo to create an account. They can choose to download the app for push notifications or enter their phone number to be texted a code or called.
Now, when the Veeam admin RDP's to their servers the below image will popup.
And if they downloaded the Duo app and selected push notifications for 2FA, they will get the below notification that someone is attempting to login. They can approve or deny the request.
Lastly, as a security admin or diligent backup admin, you can monitor the login activity for this user and RDP sessions.
There are a number of Veeam hardening recommendations such as taking the backup server off domain, having an immutable backup copy, limiting who has access to the backup server and many others. In addition, Veeam offers a number of ransomware detection and protection options from immutability to scanning backup files for malware. None of this matters though if an attacker gains access to your backup server. 2FA is the single best way to stop an attack and make him/her realize they picked the wrong person and company to mess with.