On February 14th, 2023, Veeam launched its most comprehensive release, version 12.
This massive release brought 500+ new features and enhancements. Most of them are really powerful, long-awaited, and requested by the IT community worldwide.
I believe there are tons of articles talking about this major release; see What’s new and Release note. But in this article, I will talk about the security features I have been playing with for the last couple of months.
One of the most important new security features in Veeam v12 is immutable backups. Immutable backups are backups that cannot be modified or deleted after they are created. This makes them resistant to ransomware attacks, which often involve encrypting or deleting data. Veeam v12 supports immutable backups on a variety of storage media, including on-premises object storage, cloud object storage, and tape.
Another important new security feature in Veeam v12 is multi-factor authentication (MFA). MFA adds an additional layer of security to Veeam by requiring users to enter a code from their phone in addition to their password when logging in. This makes it much more difficult for attackers to gain unauthorized access to Veeam.
In addition to immutable backups and MFA, Veeam v12 also includes a number of other security features, such as:
- gMSA support
- Automatic console lockouts
- Kerberos-only support
- OAuth 2.0 support for email notifications
Group Managed Service Accounts (gMSAs) are a feature of Active Directory that allow you to create and manage service accounts centrally. gMSAs can be used to simplify the management of service accounts and improve security.
Veeam v12 supports the use of gMSAs for application-aware processing of Windows guest VMs. This means that you can use a gMSA to authenticate to a Windows guest VM and perform application-aware processing tasks such as backup and restore.
To use a gMSA for application-aware processing, you will need to:
- Create a gMSA in Active Directory.
- In the Veeam Backup & Replication console, right-click the Windows guest VM that you want to process and select “Configure Application-Aware Processing”.
- In the “Configure Application-Aware Processing” wizard, select the “Use a Group Managed Service Account” checkbox.
- Enter the name of the gMSA that you created in step 1.
- Click “Next” and complete the wizard.
Once you have configured application-aware processing to use a gMSA, Veeam will use the gMSA to authenticate to the Windows guest VM and perform application-aware processing tasks.
Using gMSAs for application-aware processing can help to simplify the management of service accounts and improve security. By using a gMSA, you can centralize the management of service accounts and avoid the need to store service account passwords in the Veeam console. This can help to improve the security of your Veeam environment.
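The "Create a gMSA in Active Directory" step above can be scripted with the ActiveDirectory PowerShell module. This is an added example, not taken from Veeam's documentation; the account name, group name and DNS name are hypothetical, and which computers belong in the group depends on your environment.

```powershell
# Added example. All names below are hypothetical placeholders.
# Run with rights to create AD objects, on a host with the ActiveDirectory module.
Import-Module ActiveDirectory

$GmsaName  = 'svc-veeam-aap'             # hypothetical gMSA name (15 characters max)
$HostGroup = 'Veeam-AAP-Hosts'           # hypothetical group of computers allowed to use it
$DnsName   = "$GmsaName.corp.example"    # hypothetical DNS host name for the account

# gMSA passwords are derived from a KDS root key, so one must exist in the forest.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    # Domain controllers wait up to 10 hours before using a new key so it can replicate.
    Write-Warning 'KDS root key created. Re-run this script after it has replicated.'
    return
}

# Scope password retrieval to a dedicated group rather than all domain computers.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security
}

if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName $DnsName `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -ManagedPasswordIntervalInDays 30 `
        -KerberosEncryptionType AES128, AES256
}

# Review the result: who may retrieve the password, and which encryption types are set.
Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType |
    Format-List Name, Enabled, KerberosEncryptionType, PrincipalsAllowedToRetrieveManagedPassword

# On a computer that is a member of $HostGroup (after it has rebooted so the new
# group membership is in its Kerberos ticket), this should return True:
#   Test-ADServiceAccount -Identity 'svc-veeam-aap'
```

Because the password is generated and rotated by Active Directory, nobody has to type or store it; the group membership is the control to review and keep small.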
Automatic console lockouts are a security feature in Veeam v12 that helps to protect your Veeam console from unauthorized access. When this feature is enabled, Veeam will automatically lock the console after a certain number of incorrect login attempts. This makes it much more difficult for an attacker to gain unauthorized access to your Veeam console.
Kerberos-only support in Veeam v12 is a feature that allows you to configure Veeam to only use Kerberos authentication for communication between Veeam components. This can help to improve the security of your Veeam environment by making it more difficult for attackers to gain unauthorized access to Veeam.
Kerberos is a network authentication protocol that uses tickets to authenticate users and services. Kerberos is considered to be a more secure authentication protocol than NTLM, which is the default authentication protocol used by Veeam.
To enable Kerberos-only support in Veeam v12, you will need to:
- In the Veeam Backup & Replication console, go to “Administration” > “Security”.
- In the “Security” tab, select the “Enable Kerberos-only authentication” checkbox.
- Click “OK” to save your changes.
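Before switching to Kerberos-only, it helps to know which accounts and hosts still authenticate to the backup server with NTLM, because those connections will stop working. The following is an added example, not a Veeam tool; it assumes it is run elevated on the backup server and that logon auditing (Security event 4624) is enabled there.

```powershell
# Added example: inventory successful NTLM logons on this server over the last 7 days.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624          # "An account was successfully logged on"
    StartTime = $since
} -ErrorAction SilentlyContinue

$ntlmLogons = foreach ($e in $events) {
    # Turn the event's named data fields into a lookup table.
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }

    if ($data['AuthenticationPackageName'] -eq 'NTLM') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            NtlmVersion = $data['LmPackageName']   # e.g. "NTLM V1" or "NTLM V2"
            LogonType   = $data['LogonType']       # 3 = network logon
        }
    }
}

# Summarize: each account/source pair that would be affected by a Kerberos-only policy.
$ntlmLogons |
    Group-Object Account, SourceIp, NtlmVersion |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

An empty result over a representative period (including a full backup cycle) suggests nothing on this server depends on NTLM; any rows that remain identify the hosts or accounts to fix first, typically ones addressed by IP address or missing a service principal name.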
OAuth 2.0 support for email notifications in Veeam v12 is a feature that allows you to configure Veeam to send email notifications using OAuth 2.0 instead of Basic Authentication. This can help to improve the security of your Veeam environment by making it more difficult for attackers to gain unauthorized access to your email notifications.
OAuth 2.0 is an open standard for authorization that allows users to grant third-party applications access to their data without sharing their passwords. When you use OAuth 2.0 to send email notifications, Veeam will obtain an access token from your email provider, which it will use to send email notifications. This means that Veeam will not need to store your email password, which can help to improve the security of your email notifications.
To enable OAuth 2.0 support for email notifications in Veeam v12, you will need to:
- In the Veeam Backup & Replication console, go to “Administration” > “Email Notifications”.
- In the “Email Notifications” tab, select the “Use OAuth 2.0” checkbox.
- Enter the client ID and client secret for your email provider.
- Click “Test” to verify that Veeam can connect to your email provider.
- Click “OK” to save your changes.
Over the years, Veeam has become not just a most advanced backup and replication product, but also a complete data protection platform that you can rely on.
Former Nuclear Engineer | University Lecturer | Technology Advisor | Digital Transformation evangelist | FinTech | Blockchain | Podcaster | vExpert ⭐️⭐️⭐️⭐️ | VeeamVanguard ⭐️⭐️ | Nutanix SME | MBA | AWS ABW Grant’23