To ensure that RMAD remains a secure solution, we have updated our implementation in line with the changes Microsoft has made, so that the product continues to support group managed service accounts (gMSAs) where their use is appropriate:
Recovery Manager for Active Directory has deprecated support for specifying a group managed service account (gMSA) as the account used to connect to the backup agent for manually triggered backups. Managed service accounts continue to be supported for scheduled backup tasks. In line with Microsoft® guidance, a gMSA should not be used for interactively initiated network connections, such as manually triggered Recovery Manager for Active Directory backups. To enforce this recommendation and to address CVE-2023-21524 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21524), Microsoft has restricted how managed service accounts can be used, via a Windows Update.
Removing support for connecting to the backup agent with a gMSA prevents an attacker from using the RMAD backup agent to perform actions or access resources over the network. To retain the benefits and security that a gMSA provides, we strongly recommend using a gMSA for the scheduled backup task.
When upgrading to Recovery Manager for Active Directory 10.2.2 Hotfix 3, any gMSA currently configured in the computer collection properties as the account to connect to the backup agent (see the Agent tab) is automatically removed, to keep the backup agent and your RMAD installation secure. You can then configure a standard domain account in the computer collection properties as the account to connect to the backup agent. If no account is configured, the scheduled backup task account or the logged-on user account is used instead.
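The following PowerShell is an added example, not code from Quest or from the RMAD product. It covers the two things an administrator typically wants around this change: provisioning a gMSA for the scheduled backup task (which remains supported and is the recommended configuration), and checking whether an account name that appears on a computer collection's Agent tab is a gMSA, and so must be replaced by a standard domain account. The gMSA name svc-rmad-backup, the domain corp.example.com, the OU path, and the RMAD server name RMADSRV01 are assumptions; the scheduled backup task itself is configured in the RMAD console and is not created by this script.

```powershell
# Added example, not Quest/RMAD code. Assumed names: svc-rmad-backup, corp.example.com,
# RMADSRV01, OU=Service Accounts. Requires the ActiveDirectory module and a KDS root key.
Import-Module ActiveDirectory

$GmsaName   = 'svc-rmad-backup'                                 # assumption
$DnsHost    = "$GmsaName.corp.example.com"                      # assumption
$RmadServer = 'RMADSRV01$'                                      # assumption: RMAD server's computer account
$AccountOu  = 'OU=Service Accounts,DC=corp,DC=example,DC=com'   # assumption

# 1. Provision a gMSA for the *scheduled* backup task and make it usable on the RMAD server.
#    Only the RMAD server's computer account may retrieve the managed password.
function New-RmadBackupGmsa {
    if (-not (Get-KdsRootKey)) {
        throw 'No KDS root key exists; create one with Add-KdsRootKey before creating a gMSA.'
    }
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
        New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsHost -Path $AccountOu `
            -PrincipalsAllowedToRetrieveManagedPassword $RmadServer `
            -KerberosEncryptionType AES128,AES256
    }
    # Must run on the RMAD server: caches the gMSA locally so the scheduled task can run under it.
    Install-ADServiceAccount -Identity $GmsaName
    # $true when this host can retrieve the managed password; $false means the task will fail.
    return (Test-ADServiceAccount -Identity $GmsaName)
}

# 2. Audit: is the account shown on a computer collection's Agent tab a gMSA?
#    Any entry reported as gMSA is removed by 10.2.2 Hotfix 3 and should be replaced
#    with a standard domain account before the next manually triggered backup.
function Test-RmadAgentAccount {
    param(
        # Names as shown on the Agent tab, e.g. 'CORP\svc-rmad-backup$' or 'CORP\rmad-agent'
        [Parameter(Mandatory)][string[]]$AccountName
    )
    foreach ($name in $AccountName) {
        # Drop a 'DOMAIN\' prefix and a trailing '$' so both MSA and user spellings resolve.
        $sam = ($name -split '\\')[-1].TrimEnd('$')
        # gMSA and standalone MSA sAMAccountNames carry a trailing '$'; user accounts do not.
        $obj = Get-ADObject -LDAPFilter "(|(sAMAccountName=${sam})(sAMAccountName=${sam}`$))" `
                            -Properties objectClass, sAMAccountName
        if (-not $obj) {
            $kind = 'not found in AD'
        } else {
            $kind = switch ($obj.ObjectClass) {
                'msDS-GroupManagedServiceAccount' { 'gMSA (not supported for the agent connection)' }
                'msDS-ManagedServiceAccount'      { 'standalone MSA' }
                'user'                            { 'standard user account (OK)' }
                default                           { $obj.ObjectClass }
            }
        }
        [pscustomobject]@{
            Account        = $name
            SamAccountName = $obj.SamAccountName
            Kind           = $kind
        }
    }
}

# Example usage (constructed names):
# New-RmadBackupGmsa
# Test-RmadAgentAccount -AccountName 'CORP\svc-rmad-backup$', 'CORP\rmad-agent'
```

Run New-RmadBackupGmsa on the RMAD server itself, as a user permitted to create objects in the target OU, since Install-ADServiceAccount caches the gMSA on the local host. Then pass each name shown on the Agent tab of your computer collections to Test-RmadAgentAccount; anything reported as gMSA should be replaced with a standard domain account, while the gMSA stays in use for the scheduled backup task as recommended above.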
For information about managed service accounts and their use in Recovery Manager for Active Directory, see the section [Using Managed Service Accounts] in the Recovery Manager for Active Directory User Guide.
You can also configure Recovery Manager for Active Directory (RMAD) to back up data in an Active Directory® domain under a least-privileged user account, and create a group named RMAD Backup Operators that automatically grants the permissions needed to back up data. See [Using a least-privileged user account to backup data] in the User Guide.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.