cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Veritas.com
Support

Two different credentials for vCenter

Go to solution
mhdganji
Level 3

4 weeks ago

Hi

Using Netbackup 10 I create backup of my virtual hosts via connecting to vSphere vCenter infrastructure.

As we all know It is not safe to use a user with full permission (Write permission) to create backups while it is mandatory to use a write-enabled user for restoring backups.

The problem is every time I need to do a restore I should change the credentials added to Netbackup to another user. Isn't it possible to add two different credentials for one vCenter and choose which one to use in backup and restore operations?

 

Regards,

 

 

 

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
quebek
Moderator
Moderator
   VIP    Certified
In response to mhdganji

4 weeks ago

Hello

Well maybe you have to take out one ESXi server of vSphere management and use it as stand alone ESXi for restores. Then you can have this limited account tight to vSphere for backups and full account configured against ESXi for restores. Can you afford to dedicate one ESXi sitting idle waiting for eventual restore? Maybe it can be really small machine. These are my two cents...

 

I am unsure how this bad actor gained access to vmware from NBU? All the stored passwords are encrypted.. And from NBU I cannot see an option to do what you've described. Maybe there was a file with user/pwd stored out there? Also how come you can tell it was taken from NBU server?

View solution in original post

0 Kudos
6 REPLIES 6

Go to solution
Michal_Mikulik1
Moderator
Moderator
Partner    VIP    Accredited Certified

4 weeks ago

Hello,

you cannot define 2 accounts for the same VC in Credentials\Virtual Servers. But you can try the following:

- for backups, use the "weak" account from Credentials.

- for restore, connect directly to VC with the 2nd account and use vSphere plugin for restores

But I did  not personally tested, maybe that the account from Credentials will by also involved in the vSphere plugin restore anyway.

BTW I dont think that using an account with strong permissions for backups is "not safe". I am using them for years. You need strong accounts for providing maximally correct backups.

Regards

Michal

0 Kudos

Go to solution
mhdganji
Level 3
In response to Michal_Mikulik1

4 weeks ago

Hi Michal

I think that credential will be used in restore too.

And about the account permission let me strongly be opposing.

When someone attacks the netbackup server and gain access, using that strong account he/she can have access to your vcenter infra and delete all your vdisks, make any changes and so on.

I’ve experienced such a nightmare…

0 Kudos

Go to solution
quebek
Moderator
Moderator
   VIP    Certified
In response to mhdganji

4 weeks ago

Hello

Well maybe you have to take out one ESXi server of vSphere management and use it as stand alone ESXi for restores. Then you can have this limited account tight to vSphere for backups and full account configured against ESXi for restores. Can you afford to dedicate one ESXi sitting idle waiting for eventual restore? Maybe it can be really small machine. These are my two cents...

 

I am unsure how this bad actor gained access to vmware from NBU? All the stored passwords are encrypted.. And from NBU I cannot see an option to do what you've described. Maybe there was a file with user/pwd stored out there? Also how come you can tell it was taken from NBU server?

0 Kudos

Go to solution
mhdganji
Level 3
In response to quebek

4 weeks ago

Hello

Using a Host for restore is some how a good idea but you know if there's not any chance for my request, I prefer changing accounts manually as there is not so many restore operations, it seems better to me.

 

And about the attack, first of all it was not NBU but another backup solution which also encrypts credentials for vCenter but any way, you know, there is a path to vCenter with highest privileges which is dangerous.

Let's assume that instead of finding the password, attacker uses the encrypted credentials, connects to vCenter and restores a very old backup to an existing virtual machine (overwrites it) and similar methods. Am I right here?

 

Regards

0 Kudos

Go to solution
quebek
Moderator
Moderator
   VIP    Certified
In response to mhdganji

4 weeks ago

Hi
Hmm... Than maybe you should consider implementing MFA in NBU!
https://www.veritas.com/support/en_US/article.100060168
0 Kudos

Go to solution
mhdganji
Level 3
In response to quebek

4 weeks ago

Thanks
Although I think the better workaround is to put vCenter MFA and other methods in place.

Meanwhile the suggestion you made was a good one. Keeping one mid-powerful host with some dedicated data store and non-vip machines to do restores on.

Regards
0 Kudos