Veeam VBR Four-Eyes Authorization: How to Enable Dual Control for Backup Security

Veeam VBR Four-Eyes Authorization: How to Enable Dual Control for Backup Security

What Is Four-Eyes Authorization in Veeam VBR?

Veeam VBR Four-Eyes Authorization is a security feature that requires a second administrator’s approval before performing sensitive operations, such as:

  • Deleting backups

  • Modifying backup repositories

  • Changing critical configuration settings

This dual-control mechanism significantly reduces insider threats and ransomware risks.

Why Four-Eyes Authorization Is Critical for Backup Security

Modern ransomware attacks specifically target backup infrastructure.
If attackers gain administrative access, they attempt to delete or encrypt backups first.

With Four-Eyes Authorization enabled:

  • A single compromised account cannot delete backups

  • Malicious configuration changes require approval

  • Audit trails improve compliance and governance

This aligns with Zero Trust and defense-in-depth principles.

Prerequisites and Limitations

1. This feature is only available for Veeam Universal License or Enterprise Plus editions.

2. After a subscription license expires, existing requests can still be processed, but no new requests can be submitted.

3. Sensitive operations cannot be performed on tasks that are currently occupied or running.

4. Files in hardened storage cannot be directly deleted even with Four-Eyes Authorization.

5. At least two users must have Veeam Backup Administrator or Veeam Security Administrator permissions.


Creating Administrator Accounts

1. Create a new local computer account on the backup console server.

2. Open the backup console and select Users & Roles.

3. Click "Add" to add the account.

4. Enter the user account you just created and assign it Veeam Backup Administrator or Veeam Security Administrator permissions.

screenshot of VBR Four-Eyes Authorization Configuration


Enabling Four-Eyes Authorization

1. In the same interface, select Authorization.

2. Check the option; the number 7 indicates that requests will be automatically rejected if not approved within 7 days. (Disabling the Four-Eyes Authorization feature also requires approval from another administrator.)


Verifying Four-Eyes Authorization

The following key operations require Four-Eyes Authorization:

1. Deleting backups.

2. Managing storage infrastructure.

3. User management and authentication.

In this demonstration, we are disabling the MFA (Multi-Factor Authentication) feature. The system will prompt that this change will only be applied after another administrator approves it.


1. After clicking YES, a pending approval will appear in the left taskbar.

2. Click to view details; the event is disabling MFA.

3. Log in with the other administrator account.

4. Once the console is open, the task will be under pending approvals.

5. You can click to Accept or Reject.

6. You can find the relevant record in the History tab.

7. The MFA feature has been successfully disabled.


Summary

Four-Eyes Authorization is a dual-authorization strategy that prevents errors or malicious actions caused by a single person. It effectively reduces the risks associated with the abuse of superuser privileges and human configuration errors. Configuring Four-Eyes Authorization is actually very simple. If you want to test it out, just make sure to check if your Veeam VBR version and license support it.


🔹 Security & Malware Defense

🔹 Installation & Upgrade Context

Posted by at
Tags , , , , , ,

No comments:

Post a Comment

Thank you for your comments.

Subscribe to: Post Comments (Atom)