Removing the Commvault servers from the AD

Last post 10-08-2020, 10:34 PM by Anthony.Hodges. 6 replies.
  • Removing the Commvault servers from the AD
    Posted: 09-23-2020, 5:44 AM
    • JesWagner is not online. Last active: 30 Sep 2020, 3:29 AM JesWagner
    • Not Ranked
    • Joined on 03-01-2018
    • Danish Broadcasting Corporation, Copenhagen
    • Newcomer
    • Points 20

    We are working on hardening our Commvault environment. One of our options is to remove the Commvault servers from the AD and use local accounts only. Has anyone tried this?


    I'm aware there is a "Changing a System Account Name or Password Used in the Commvault Software" procedure, but I wonder if there are any caveats or gotchas.

  • Re: Removing the Commvault servers from the AD
    Posted: 09-24-2020, 4:14 AM

    Hi JesWagner 

    Not too sure if there are any specific caveats with "Changing a System Account Name or Password Used in the Commvault Software".

    However, if you are planning to harden the Commvault environment, you can also consider setting up 2Factor Authentication - https://documentation.commvault.com/commvault/v11/article?p=7887.htm

    Regards

    Winston

  • Re: Removing the Commvault servers from the AD
    Posted: 09-24-2020, 5:03 AM
    • JesWagner is not online. Last active: 30 Sep 2020, 3:29 AM JesWagner

    Thank you, but that doesn't protect against ransomware having acquired domain administrator privileges?

  • Re: Removing the Commvault servers from the AD
    Posted: 09-25-2020, 5:14 AM

    We considered doing the same thing but decided against it for the sake of user convenience (end users use SSO to log on and restore).

    Instead we created stripped down Roles for the AD-Users/Groups, including Backup-Admins. Users can only see (CV_RestrictedVisibility) and restore their own Machines/DBs but not change Configs, Schedules or delete anything. Same with AD-Account of Backup-Admins, can do most of what master-role does, but explicit denies on everything nasty like delete data or libraries or changing groups and roles prevents bad-admin behavior. 

    master-role/group is assigned to Commserve local Accounts only and that Group additionally secured with 2FA (https://documentation.commvault.com/commvault/v11/article?p=107052_1.htm). Ensure to edit the E-Mail Templates to prevent spoofing the OTP from E-Mail. Unfortunately no FIDO2 Support yet.

    Another Option to prevent the worst actions within Commvault are BusinessLogic Workflows, Store has some prepared samples, search for GetAndProcessAuthorization or check the last Section in Security Assessment Healthcard in CloudDashboard to download and install them directly.

    Hope that Helps

    Stefan

  • Re: Removing the Commvault servers from the AD
    Posted: 10-07-2020, 12:16 PM

    Commvault Roles will not protect you from a compromised high level domain account messing around with the underlying files in your disk pool.

  • Re: Removing the Commvault servers from the AD
    Posted: 10-08-2020, 3:53 AM

    True, that's what the FileSystem-FilterDriver from Ransomware Protection should be for, as well as secondary copies to immutable Storage.
    If you start fresh, keep the Backup-Systems out of the AD (and away from Windows). Trying to get them out can be a pain in the butt; for us that means losing management capability, software deployment and updates, monitoring, analytics and a lot more that would need to be managed via shadow-IT somehow.
    Intention was to suggest a balanced option.

  • Re: Removing the Commvault servers from the AD
    Posted: 10-08-2020, 10:34 PM

    If you do make the switch to going off the domain, I'd at least make sure a local account has the sysadmin role for the CommServe DB (in addition to renaming the sa account). Schedules associated with domain users can fail too, so change them beforehand. 2-FA authentication for the CommServe should suffice though, and if you are super concerned about the mount paths (even with CVDLP protection) then you can consider taking the MAs off the domain.
