Backup administrators spend a lot of time making sure data is protected: setting up jobs, configuring retention, testing restores. But there is one threat that often goes underestimated: a backup deletion triggered from within. Whether it is a misconfigured automation, an impatient colleague, or a ransomware operator who has already compromised an admin account, a single authorized user can wipe out backups in minutes.
Veeam Backup & Replication v12.1 introduced Four-Eyes Authorization to address exactly this scenario. The principle is simple: certain sensitive operations require a second administrator to explicitly approve them before anything is executed. No approval, no action.
This article walks through how the feature works, what it protects, and how to enable it in your environment.
What is Four-Eyes Authorization?
Four-Eyes Authorization is a security control built into Veeam Backup & Replication that prevents a single administrator from executing sensitive operations unilaterally. When enabled, any protected action enters a pending state and cannot proceed until a second user with the appropriate role approves it.
What operations require approval?
Once enabled, the following actions will be blocked until a second administrator approves them:
- Purge backup files and snapshots from disk and the configuration database
- Delete information about unavailable backups from the configuration database
- Remove backup repositories and storage from the infrastructure
- Create, modify, or remove users and groups
- Reset MFA for a specific user
- Manage global automatic logoff settings
How it works
The workflow is straightforward. When a protected operation is initiated, it enters a pending state and must be reviewed by another administrator with either the Veeam Backup Administrator or Veeam Security Administrator role.

Walkthrough: removing an orphaned backup
Step 1: Initiate the operation
Navigate to Home, then Backups, then Disk (Orphaned). Right-click the backup you want to remove and select Remove from, then Disk.

A warning dialog will appear, informing you that the operation requires approval from another administrator. Click Yes to submit the request.

Step 2: Request enters pending state
The request appears under Home, section Pending Approvals. Administrators configured in global email notification settings will also receive an email alert. Make sure this is set up in advance; otherwise the approver may not know a request is waiting.

Step 3: Approve or reject
A second administrator logs into the Veeam console, navigates to Pending Approvals, right-clicks the operation, and selects Approve or Reject.

A confirmation dialog will appear. Click Yes to finalize the decision.

Step 4a: Approved: operation executes
Once approved, the system executes the operation immediately. Multiple pending requests can be approved in a single action. Email notifications are sent to configured recipients.

Step 4b: Rejected: operation is cancelled
If the request is rejected, the operation is cancelled and no data is affected. The orphaned backup remains intact.

Enabling Four-Eyes Authorization
Before enabling this feature, ensure that at least two Backup or Security Administrators are already configured in Veeam Backup & Replication. If not, you will see an error when trying to enable it.

To configure: open the hamburger menu (three lines) and select Users and Roles. Go to the Authorization tab, enable the option “Require additional approval for sensitive operations”, set the number of days after which pending approvals expire automatically, and click OK.


Reviewing the authorization history
All Four-Eyes Authorization events (approvals, rejections, and feature changes) are logged under History, section Authorization Events. This provides a clear audit trail for compliance and incident investigation.
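
The rules described in this article (the two-administrator prerequisite, the approver roles, the pending state, expiry, and the event history) can be sketched as a small Python model. This is an added example, not Veeam code: the class, method, and account names are hypothetical, and two behaviours are assumptions rather than statements from the article, namely that the requester cannot review their own request and that an expired request is never executed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Roles the article names as allowed to review a pending operation.
APPROVER_ROLES = {"Veeam Backup Administrator", "Veeam Security Administrator"}

# Constructed sample accounts for trying the model out.
SAMPLE_ROLES = {"alice": "Veeam Backup Administrator",
                "bob": "Veeam Security Administrator",
                "carol": "Veeam Backup Operator"}

@dataclass
class Request:
    operation: str
    requester: str
    created: datetime
    state: str = "pending"  # pending -> approved | rejected | expired

class FourEyesModel:
    """Toy model of the approval workflow; hypothetical, not Veeam code."""
    def __init__(self, roles, expire_days):
        # Prerequisite from the article: at least two eligible administrators.
        if sum(r in APPROVER_ROLES for r in roles.values()) < 2:
            raise ValueError("need at least two Backup or Security Administrators")
        self.roles = roles
        self.ttl = timedelta(days=expire_days)
        self.events = []  # stands in for History > Authorization Events

    def submit(self, operation, requester, now):
        # A protected operation is never executed here, only queued.
        req = Request(operation, requester, now)
        self.events.append((now, requester, "submitted", operation))
        return req

    def decide(self, req, reviewer, approve, now):
        if req.state != "pending":
            raise ValueError(f"request already {req.state}")
        if now - req.created > self.ttl:
            req.state = "expired"  # assumption: expired requests never execute
        elif reviewer == req.requester:
            # Assumption: "second administrator" excludes the requester.
            raise PermissionError("requester cannot review their own request")
        elif self.roles.get(reviewer) not in APPROVER_ROLES:
            raise PermissionError("reviewer lacks an approver role")
        else:
            req.state = "approved" if approve else "rejected"
        self.events.append((now, reviewer, req.state, req.operation))
        return req.state
```
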

Conclusion
Four-Eyes Authorization is a simple but effective layer of protection for your backup infrastructure. It guards against both accidental deletions and malicious actions under compromised credentials. Combined with immutable or air-gapped repositories, it forms a solid defense against ransomware targeting your backups.
Veeam Backup & Replication is available as a 30-day trial.
from StarWind Blog https://bit.ly/413P5dI