Yesterday, Veeam released version 12 of its Backup and Replication (VBR) product.
This version is a huge milestone for the company, as it contains no less than 585 new and improved features compared to VBR version 11, released on March 23rd, 2021. In these (almost) two years, Veeam has done a lot of work to make sure VBR works securely and stably in any environment, whether it's IPv6-only, Kerberos-only or doesn't allow the use of SQL Server databases… It's all documented in Veeam's official What's New in V12? document.
Not every feature is equally interesting, so I decided to present the five features that sparked my interest as an Identity admin:
Multi-factor Authentication
Veeam introduced the Multi-factor authentication feature as part of the Cyber Resiliency pillar of VBR v12:
Secure access to the backup console with optional two-factor authentication (2FA) that’s based on Time-Based One-Time Passwords (TOTP) as per RFC 6238. You can enable 2FA for individual accounts in the Users and Roles settings of your backup server and enroll in an authenticator application of your choice to receive these one-time codes.
To access the Veeam Backup & Replication console interactively, multi-factor authentication can be required. In VBR v11, multi-factor authentication could not be required. In VBR v12, multi-factor authentication can be required per user or per group that is assigned a role in VBR, through the Require two-factor authentication for interactive logon option.
After entering the username and password, this feature supports multi-factor authentication based on a time-based one-time passcode (TOTP) from apps like Google Authenticator and Microsoft Authenticator. However, beyond the rolling code, there is no option to use phishing-resistant multi-factor authentication or to go passwordless…
Automatic Console Lockouts
Also part of the Cyber Resiliency pillar are automatic console lockouts:
A configurable console lockout/timeout has been added to automatically close idle backup console sessions. Worry not if picking up that coffee is taking longer than expected!
In the same screen where you assign users and groups to roles, and where you configure multi-factor authentication requirements, there is also the option to configure idle session logoffs. In VBR v12, idle session logoff can be configured per user or per group that is assigned a role in VBR, through the Enable auto logoff after x min of inactivity option.
gMSA support
In the Cyber Resiliency pillar, the technical text of the gMSA accounts for Windows feature shines bright:
Perform application-aware processing of Microsoft Windows guests through password-less group Managed Service Accounts (gMSA) without having to store full credentials, including passwords in the backup server configuration. In Microsoft’s own words, “Group Managed Service Accounts are the most secure type of service account for on-premises needs. If you can move to one, you should!”
In VBR v12, group Managed Service Accounts (gMSAs) are now supported as user credentials. This drastically improves security, as gMSA passwords are changed automatically every 30 days.
Kerberos-only support
Under Cyber Resiliency we also find the long-awaited Kerberos-only authentication feature:
V12 can be deployed in environments with NTLM authentication disabled for enhanced security. This includes all backup infrastructure components, backup agents, enterprise application plug-ins and proxy appliances. Kerberos-only authentication is supported by V12 right out of the box as long as managed servers and protected machines are registered with the backup server through valid, resolvable DNS names (IP addresses are not supported by Kerberos). NFS workloads require additional NFS Server and Client configurations; please refer to the User Guide for more information.
Note: If you have already been using our existing capability that allows application-aware guest processing in a network with NTLM disabled, please refer to KB4393 before performing the upgrade.
Many IT environments still carry a lot of NTLM authentication traffic. With VBR v12, all components and backup tasks work using Kerberos only. NTLM is no longer required for creating application-aware backups of virtual machines like (oh irony…) Domain Controllers.
OAuth 2.0 support for email notifications
In terms of Backup Infrastructure, Veeam now offers Modern authentication for email notifications:
In addition to basic SMTP authentication, V12 now supports secure authorization and access-token-based authentication for Google Gmail and Microsoft 365 through the modern OAuth 2.0 protocol.
Notifications help backup admins to quickly identify backup, replication and/or restore job failures. However, Microsoft 365 no longer supports SMTP with basic authentication as a protocol to send mail through. The S in SMTP does not stand for Secure, so Microsoft also recommends disabling the protocol on on-premises and self-hosted Exchange Server implementations. In VBR v11, SMTP with basic authentication was the only supported option for e-mailing notifications. In VBR v12, modern authentication to Microsoft 365 and Google Gmail is now also an option.