Secure Veeam Backup & Replication Login v13 – Complete Guide to VBR Authentication

Introduction

Among the new features in v13, the most important are the security enhancements. Starting with this installment, I will introduce the new security functions in v13 in detail, through practical application examples.

As cyberattacks and ransomware threats increase, securing the Veeam Backup & Replication (VBR) login is more important than ever. VBR is often the last line of defense for enterprise data, which makes it a prime target for attackers.

This guide provides a step-by-step approach to securing VBR authentication, including multi-factor authentication (MFA), account protection, and best practices to prevent unauthorized access.

Today, let's start with identity authentication. In an enterprise backup architecture, the security of management console accounts and access governance is crucial. Starting with v13, VBR supports SAML-based single sign-on (SSO), which means you can delegate authentication to your organization's existing identity provider (IdP), such as Microsoft Entra ID (formerly Azure AD). Through SAML integration, VBR logins follow your company's account lifecycle, group policies, MFA and auditing: operations become clearer, permission revocation is more timely, and compliance is easier to demonstrate. This article uses Entra ID as the example and shows the integration step by step. Other IdPs, such as Authing (common in China) or Okta and Auth0 internationally, can be configured by following the same pattern.


Configuration Prerequisites

The prerequisites for SAML integration are simple: install VBR from the latest Veeam Software Appliance. Because network services are involved, a few conditions must still be met before configuring SSO:


The VBR server, and the machine whose browser handles the login redirect, must be able to reach the Entra ID endpoints published in its federation metadata.

Time synchronization: NTP must be correctly configured on the VBR server and the clock must not drift. SAML assertions carry NotBefore/NotOnOrAfter timestamps, and authentication fails if the server's clock is outside the allowed skew.

An Entra ID administrator account with permission to create enterprise applications and assign users and groups.

VBR administrator permissions, which are the foundation for configuring VBR accounts and identity integration.

The Windows machine where the VBR Console is installed must resolve the VBR hostname or FQDN to the backup server; otherwise, the URLs in the SP and IdP metadata won't match.

Why VBR Login Security Matters

If attackers gain access to Veeam Backup & Replication, they can delete backups or alter the configuration, leaving the business without a recovery path.

📌 According to CISA cybersecurity guidance, securing backup solutions is critical to mitigating ransomware risk.

Configuration Method

The following configuration is divided into Azure and VBR parts and must be done in a specific order, so it is recommended to proceed sequentially.


Generate SP Information in VBR and Export Metadata

  1. First, log in to the VBR console using the veeamadmin account. In VBR, open the hamburger icon (three horizontal lines) in the upper left corner and select Users and Roles from the dropdown menu.
    screenshot of VBR Users and Roles

  2. Switch to the Identity Provider tab, which is new in v13. By default, the Enable SAML Authentication option is unchecked; check it to enable it, then look at the Service Provider (SP) Information section below. In the SAML flow VBR acts as the service provider (SP), so it first needs a certificate of its own. Click Install.
  3. Choose Select an existing certificate from the certificate store and click Next.
  4. In the certificate store, find the certificate with the Friendly Name Veeam Backup Server Certificate, then click Finish.
  5. The Certificate field in the SP Information section now shows CN=<Backup Server FQDN>. Next, click the Download button below Install to save VBR's SP metadata XML file. This file is needed during the Azure configuration.


Upload SP Metadata in Azure EntraID and Assign Users


  1. First, create a security group for VBR named VBR Users and add the users who should log in to VBR. For example, I added my own account.
  2. In Entra ID, open Enterprise applications. We need a new application for VBR's identity authentication, so click New application.
  3. Do not choose from the gallery. Click Create your own application, then in the pane on the right enter the application name and select Integrate any other application you don't find in the gallery (Non-gallery). Mine is called vbrsso.
    screenshot of Create your own application

  4. After the application is created, you are taken to its Overview page. The Getting Started section lists the next steps (1 to 5). For VBR, only two are needed: Assign users and groups, and Set up single sign on.
  5. Assign the VBR Users group created in step 1 to this application, then click Set up single sign on. On the single sign-on configuration page, select SAML to integrate with VBR.
  6. The SAML configuration page lists steps 1-2-3-4, but there is no need to edit each item by hand. Find Upload metadata file at the top, upload the XML file just exported from VBR, and save. The URLs in Basic SAML Configuration (Identifier and Reply URL) are now populated with my VBR FQDN.
  7. Next, in the SAML Certificates box under step 3, click Download next to Federation Metadata XML to download the XML file that Entra ID generates automatically.

At this point, the setup on Azure is complete. Note that the federation metadata embeds the IdP's SAML signing certificate: when Entra ID rotates that certificate or it expires, re-download the metadata and re-import it in VBR, or SSO logins will start failing signature validation.
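The two metadata files exchanged so far (VBR's SP metadata and Entra ID's federation metadata) are easy to sanity-check before importing, and the same checks explain two of the prerequisites: the URLs must carry the backup server's real FQDN, and the SP's clock must sit inside the assertion's validity window. The following Python script is an added example written for this article, not Veeam or Microsoft code. The XML in it is constructed to mirror the shape of the two files; the FQDN vbr.example.com, the metadata paths, the tenant ID and the certificate value are placeholders (assumptions), not values copied from a real export.

```python
"""Sanity checks for the two SAML metadata files exchanged in this guide.

Added example for this article, not Veeam or Microsoft code.  The XML below is
constructed to mirror the shape of SP metadata exported from VBR and federation
metadata downloaded from Entra ID; the FQDN, paths, tenant ID and certificate
value are placeholders (assumptions), not values taken from a real export.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

EXPECTED_FQDN = "vbr.example.com"                 # assumed backup server FQDN
TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID

# Constructed SP metadata (the shape of what VBR's Download button produces).
SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://{EXPECTED_FQDN}/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true">
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://{EXPECTED_FQDN}/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed federation metadata (shape of the Entra ID download: default
# namespace as Entra emits it, signing certificate replaced by a placeholder).
IDP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def check_sp_metadata(xml_text, expected_fqdn):
    """Return a list of problems with the SP metadata; empty means it is consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID", "")
    if urlparse(entity_id).hostname != expected_fqdn:
        problems.append(f"entityID host is not {expected_fqdn}: {entity_id}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor element"]
    # Generic SAML hardening check: the SP should demand signed assertions.
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        problems.append("WantAssertionsSigned is not true")
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        problems.append("no AssertionConsumerService endpoint")
    for acs in acs_list:
        location = acs.get("Location", "")
        parsed = urlparse(location)
        if parsed.scheme != "https":
            problems.append(f"ACS endpoint is not https: {location}")
        if parsed.hostname != expected_fqdn:
            problems.append(f"ACS host is not {expected_fqdn}: {location}")
    return problems


def summarize_idp_metadata(xml_text):
    """Pull out what VBR needs from the IdP: entityID, SSO endpoints, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in IdP metadata")
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text]
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect": sso.get(HTTP_REDIRECT),
        "sso_post": sso.get(HTTP_POST),
        "signing_certs": len(certs),
    }


def assertion_window_ok(not_before, not_on_or_after, sp_clock, max_skew_seconds=300):
    """Apply the assertion's <Conditions> the way an SP does, with a drift tolerance.

    All three arguments are ISO-8601 UTC strings ("2025-01-15T09:00:00Z").  If the
    VBR server's clock is off by more than max_skew_seconds the assertion is
    rejected, which is why the prerequisites insist on working NTP.
    """
    def parse(ts):
        return datetime.fromisoformat(ts.replace("Z", "+00:00"))
    nb, noa, now = parse(not_before), parse(not_on_or_after), parse(sp_clock)
    skew = timedelta(seconds=max_skew_seconds)
    if now + skew < nb:
        return False, f"not yet valid: SP clock is {nb - now} behind NotBefore"
    if now - skew >= noa:
        return False, f"expired: SP clock is {now - noa} past NotOnOrAfter"
    return True, "inside the validity window"


if __name__ == "__main__":
    print("SP problems:", check_sp_metadata(SP_METADATA, EXPECTED_FQDN) or "none")
    print("IdP summary:", summarize_idp_metadata(IDP_METADATA))
    for clock in ("2025-01-15T09:02:00Z", "2025-01-15T08:50:00Z"):
        print(clock, assertion_window_ok("2025-01-15T09:00:00Z",
                                         "2025-01-15T09:05:00Z", clock))
```

Run it against the two real files by replacing the constructed strings with `open(...).read()`. A non-empty problem list from `check_sp_metadata` usually means the console machine resolved a different name for the backup server than the one in the certificate; a `False` from `assertion_window_ok` with a real assertion's timestamps is the NTP problem from the prerequisites, and the tolerance of five minutes is an assumption, not a value VBR documents.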

Return to VBR and update the IdP configuration information.


  1. Go back to the Identity Provider tab under Users & Roles in VBR and find the Identity Provider (IdP) Information settings. This is the identity provider side of the single sign-on setup, which in this case is Entra ID. Click Browse next to it and upload the XML file just downloaded from Azure. After the upload completes, all the IdP fields below are populated with Microsoft's URLs.
  2. Click OK to save the settings, then reopen Users and Roles to add a user. Click Add..., and the new External user or group option appears; select it.
  3. In the Add User dialog, enter the user's full Entra ID email address (user principal name).
  4. With this, the configuration is complete. Let's test the login. Open the VBR console, and the Sign in with SSO option has appeared. Click it.
  5. The login window opens with the standard Microsoft sign-in page. After entering the password, the Microsoft MFA prompt appears; after approving it in the Authenticator app on the phone, the VBR Console redirects back and logs in successfully.
  6. Let's also try the web interface. In the WebUI, we can similarly see the new Sign in With SSO option.
    screenshot of VBR Sign in With SSO option

  7. Likewise, after approving the login, we can access the Web UI with Veeam permissions. In the upper right corner of the Web UI, we can see that the accessing user's account and email are correctly displayed.


Viewing login audit information in Azure

In the Entra ID sign-in logs, the logins to VBR are clearly visible; filtering on the application name (vbrsso in this example) shows who signed in to the backup console, from where, and whether MFA was satisfied.
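To make that audit trail actionable, the following Python function (an added example written for this article, not Veeam or Microsoft code) walks sign-in log records filtered to the VBR application and flags the events worth reviewing: failed logins, successful logins that did not use MFA, logins that no Conditional Access policy covered, and accounts with repeated failures. Field names follow the Microsoft Graph signIn resource that the sign-in log exports; the records themselves are constructed, the IP addresses and user names are placeholders, and the application name vbrsso is the one used in this guide.

```python
"""Review Entra ID sign-in log entries for the VBR enterprise application.

Added example for this article, not Veeam or Microsoft code.  Field names follow
the Microsoft Graph `signIn` resource (the shape of a sign-in log export); the
records below are constructed, and the user names and IPs are placeholders.
"""
from collections import Counter

VBR_APP_NAME = "vbrsso"     # application name chosen in this guide
FAILURE_THRESHOLD = 3       # repeated failures from one account deserve a look

# Constructed sample records (shape of Graph `signIn` objects, not real data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-01-15T09:01:12Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "vbrsso", "ipAddress": "10.0.5.21",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-15T09:03:40Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "vbrsso", "ipAddress": "10.0.5.22",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    # Three failed attempts from one account: 50126 is Entra's invalid-credentials code.
    *[{"createdDateTime": f"2025-01-15T22:1{i}:05Z", "userPrincipalName": "mallory@example.com",
       "appDisplayName": "vbrsso", "ipAddress": "203.0.113.9",
       "authenticationRequirement": "singleFactorAuthentication",
       "conditionalAccessStatus": "notApplied",
       "status": {"errorCode": 50126, "failureReason": "Invalid username or password"}}
      for i in range(3)],
    # A sign-in to another application; must be ignored.
    {"createdDateTime": "2025-01-15T09:10:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Office 365", "ipAddress": "10.0.5.21",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
]


def review_vbr_signins(records, app_name=VBR_APP_NAME, failure_threshold=FAILURE_THRESHOLD):
    """Return (kind, description) findings for sign-ins to the VBR application.

    Kinds: failed_signin, no_mfa, no_conditional_access, repeated_failures.
    Sign-ins to other applications are skipped.
    """
    findings = []
    failures = Counter()
    for rec in records:
        if rec.get("appDisplayName") != app_name:
            continue
        upn = rec.get("userPrincipalName", "?")
        where = f"{rec.get('createdDateTime', '?')} {upn} from {rec.get('ipAddress', '?')}"
        code = rec.get("status", {}).get("errorCode", 0)
        if code != 0:
            failures[upn] += 1
            findings.append(("failed_signin", f"{where}: error {code}"))
            continue
        # A successful console login without a second factor defeats the point of SSO.
        if rec.get("authenticationRequirement") != "multiFactorAuthentication":
            findings.append(("no_mfa", f"{where}: succeeded without MFA"))
        # No Conditional Access policy covered this login, so nothing enforced MFA
        # or device/location rules for the backup console.
        if rec.get("conditionalAccessStatus") != "success":
            findings.append(("no_conditional_access",
                             f"{where}: CA status {rec.get('conditionalAccessStatus')}"))
    for upn, count in failures.items():
        if count >= failure_threshold:
            findings.append(("repeated_failures",
                             f"{upn}: {count} failed sign-ins to {app_name}"))
    return findings


def count_by_kind(findings):
    """Tally findings per kind, handy for a quick daily summary."""
    return Counter(kind for kind, _ in findings)


if __name__ == "__main__":
    for kind, text in review_vbr_signins(SAMPLE_SIGNINS):
        print(f"[{kind}] {text}")
    print(dict(count_by_kind(review_vbr_signins(SAMPLE_SIGNINS))))
```

Feed it the JSON array from a sign-in log export (or the `value` list returned by the Graph sign-ins endpoint) in place of the constructed records. The no_mfa and no_conditional_access findings are the ones that matter most for this guide: SSO only raises the bar for the backup console if a Conditional Access policy actually requires MFA for the vbrsso application, and these checks show whether it did.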


Conclusion

By following the steps above, the integration between VBR and Entra ID can be configured easily. Note that users added this way are backup system users only: unlike veeamadmin and veeamso, they cannot log in to the appliance's Veeam Management Console, so an SSO account cannot manage the appliance itself.

From a security perspective, this separates backup system permissions from backup infrastructure administration: authentication for the backup system is fully decoupled from the accounts that manage the appliance, which matches how large enterprises and organizations expect privileged access to be split. One caveat: keep the local veeamadmin credentials as a break-glass account stored offline. If the IdP is unavailable or the SAML trust breaks (for example, after a signing certificate rotation), that local account is the only way back into the console.