05-23-2024 04:10 AM
Hi
Using NetBackup 10, I create backups of my virtual hosts by connecting to the vSphere vCenter infrastructure.
As we all know, it is not safe to use a user with full permission (write permission) to create backups, while it is mandatory to use a write-enabled user for restoring backups.
The problem is that every time I need to do a restore, I have to change the credentials added to NetBackup to another user. Isn't it possible to add two different credentials for one vCenter and choose which one to use in backup and restore operations?
Regards,
05-23-2024 08:11 AM
Hello,
You cannot define 2 accounts for the same VC in Credentials\Virtual Servers. But you can try the following:
- for backups, use the "weak" account from Credentials.
- for restores, connect directly to the VC with the 2nd account and use the vSphere plugin for restores.
But I have not personally tested this; maybe the account from Credentials will also be involved in the vSphere plugin restore anyway.
BTW, I don't think that using an account with strong permissions for backups is "not safe". I have been using them for years. You need strong accounts for providing maximally correct backups.
Regards
Michal
05-23-2024 10:12 AM
05-24-2024 02:47 AM
Hello
Well, maybe you have to take one ESXi server out of vSphere management and use it as a standalone ESXi for restores. Then you can have this limited account tied to vSphere for backups and a full account configured against ESXi for restores. Can you afford to dedicate one ESXi sitting idle waiting for an eventual restore? Maybe it can be a really small machine. These are my two cents...
I am unsure how this bad actor gained access to VMware from NBU. All the stored passwords are encrypted. And from NBU I cannot see an option to do what you've described. Maybe there was a file with user/pwd stored out there? Also, how come you can tell it was taken from the NBU server?
05-24-2024 03:57 AM
Hello
Using a host for restores is somehow a good idea, but if there's no chance for my request, I prefer changing accounts manually; as there are not so many restore operations, it seems better to me.
And about the attack: first of all, it was not NBU but another backup solution, which also encrypts credentials for vCenter. But anyway, you know, there is a path to vCenter with the highest privileges, which is dangerous.
Let's assume that instead of finding the password, the attacker uses the encrypted credentials, connects to vCenter and restores a very old backup to an existing virtual machine (overwrites it), and similar methods. Am I right here?
Regards
05-24-2024 10:01 AM
05-24-2024 10:46 AM