Two different credentials for vCenter

Question

HiUsing Netbackup 10 I create backup of my virtual hosts via connecting to vSphere vCenter infrastructure.As we all know It is not safe to use a user with full permission (Write permission) to create backups while it is mandatory to use a write-enabled user for restoring backups.The problem is every time I need to do a restore I should change the credentials added to Netbackup to another user. Isn't it possible to add two different credentials for one vCenter and choose which one to use in backup and restore operations?&nbsp;Regards,&nbsp;&nbsp;&nbsp;

quebek · Accepted Answer

Hello
Well maybe you have to take out one ESXi server of vSphere management and use it as stand alone ESXi for restores. Then you can have this limited account tight to vSphere for backups and full account configured against ESXi for restores. Can you afford to dedicate one ESXi sitting idle waiting for eventual restore? Maybe it can be really small machine. These are my two cents...
&nbsp;
I am unsure how this bad actor gained access to vmware from NBU? All the stored passwords are encrypted.. And from NBU I cannot see an option to do what you've described. Maybe there was a file with user/pwd stored out there? Also how come you can tell it was taken from NBU server?

michal_mikulik1 · Answer

Hello,you cannot define 2 accounts for the same VC in Credentials\Virtual Servers. But you can try the following:- for backups, use the "weak" account from Credentials.- for restore, connect directly to VC with the 2nd account and use vSphere plugin for restoresBut I did&nbsp; not personally tested, maybe that the account from Credentials will by also involved in the vSphere plugin restore anyway.BTW I dont think that using an account with strong permissions for backups is "not safe". I am using them for years. You need strong accounts for providing maximally correct backups.RegardsMichal

mhdganji · Answer

Hi MichalI think that credential will be used in restore too.And about the account permission let me strongly be opposing.When someone attacks the netbackup server and gain access, using that strong account he/she can have access to your vcenter infra and delete all your vdisks, make any changes and so on.I’ve experienced such a nightmare…

mhdganji · Answer

HelloUsing a Host for restore is some how a good idea but you know if there's not any chance for my request, I prefer changing accounts manually as there is not so many restore operations, it seems better to me.&nbsp;And about the attack, first of all it was not NBU but another backup solution which also encrypts credentials for vCenter but any way, you know, there is a path to vCenter with highest privileges which is dangerous.Let's assume that instead of finding the password, attacker uses the encrypted credentials, connects to vCenter and restores a very old backup to an existing virtual machine (overwrites it) and similar methods. Am I right here?&nbsp;Regards

quebek · Answer

HiHmm... Than maybe you should consider implementing MFA in NBU!https://www.veritas.com/support/en_US/article.100060168

mhdganji · Answer

ThanksAlthough I think the better workaround is to put vCenter MFA and other methods in place.Meanwhile the suggestion you made was a good one. Keeping one mid-powerful host with some dedicated data store and non-vip machines to do restores on.Regards

Forum Discussion

Two different credentials for vCenter

6 Replies

Related Content

How are vCenter credentials stored in NB?

Restore to a different location

Adding 6.7 Vcenter credential in netbackup 7.6.1

Installing VMware Plugin on VCenter 8 failing

Re: (4239) Unable to find the virtual machine

Recent Discussions

MS-SharePoint policy restore error (2804) .

How to restore a backup

How to configure RBAC

command: bperror

10 years old netbackup appliance database service down, ssl certification out date