Forum Discussion

mhdganji's avatar
mhdganji
Level 3
5 months ago

Two different credentials for vCenter

Hi

Using Netbackup 10 I create backup of my virtual hosts via connecting to vSphere vCenter infrastructure.

As we all know It is not safe to use a user with full permission (Write permission) to create backups while it is mandatory to use a write-enabled user for restoring backups.

The problem is every time I need to do a restore I should change the credentials added to Netbackup to another user. Isn't it possible to add two different credentials for one vCenter and choose which one to use in backup and restore operations?

 

Regards,

 

 

 

  • quebek's avatar
    quebek
    5 months ago

    Hello

    Well maybe you have to take out one ESXi server of vSphere management and use it as stand alone ESXi for restores. Then you can have this limited account tight to vSphere for backups and full account configured against ESXi for restores. Can you afford to dedicate one ESXi sitting idle waiting for eventual restore? Maybe it can be really small machine. These are my two cents...

     

    I am unsure how this bad actor gained access to vmware from NBU? All the stored passwords are encrypted.. And from NBU I cannot see an option to do what you've described. Maybe there was a file with user/pwd stored out there? Also how come you can tell it was taken from NBU server?

  • Hello,

    you cannot define 2 accounts for the same VC in Credentials\Virtual Servers. But you can try the following:

    - for backups, use the "weak" account from Credentials.

    - for restore, connect directly to VC with the 2nd account and use vSphere plugin for restores

    But I did  not personally tested, maybe that the account from Credentials will by also involved in the vSphere plugin restore anyway.

    BTW I dont think that using an account with strong permissions for backups is "not safe". I am using them for years. You need strong accounts for providing maximally correct backups.

    Regards

    Michal

    • mhdganji's avatar
      mhdganji
      Level 3
      Hi Michal

      I think that credential will be used in restore too.

      And about the account permission let me strongly be opposing.

      When someone attacks the netbackup server and gain access, using that strong account he/she can have access to your vcenter infra and delete all your vdisks, make any changes and so on.

      I’ve experienced such a nightmare…

      • quebek's avatar
        quebek
        Moderator

        Hello

        Well maybe you have to take out one ESXi server of vSphere management and use it as stand alone ESXi for restores. Then you can have this limited account tight to vSphere for backups and full account configured against ESXi for restores. Can you afford to dedicate one ESXi sitting idle waiting for eventual restore? Maybe it can be really small machine. These are my two cents...

         

        I am unsure how this bad actor gained access to vmware from NBU? All the stored passwords are encrypted.. And from NBU I cannot see an option to do what you've described. Maybe there was a file with user/pwd stored out there? Also how come you can tell it was taken from NBU server?