Host-based backup of VMware vSphere VMs.
mma
Service Provider
Posts: 111
Liked: 21 times
Joined: Dec 22, 2011 9:12 am
Full Name: Marcel
Location: Lucerne, Switzerland

VIX Guest interaction - permissions?

Post by mma »

Hello Veeam

Our physical Veeam B&R Server (which is also proxy and guest interaction proxy) is in a private VLAN. Guest interaction over RPC is not possible, so we have to use VIX.
As we need to have UAC enabled, we have to use domain\administrator for the guest interaction. Not a big problem, but we have to harden our domain admin accounts.
Guest interaction proxies are no solution as we have dozens of guest VM VLANs. Additionally any communication between backup VLAN and guest VLANs is a no go.

There is a nice little guide from Microsoft “Securing Built-In Administrator Accounts on Active Directory”
https://technet.microsoft.com/en-us/win ... 2147217396

We set the following options for domain\administrator:

  • Account is sensitive and cannot be delegated
  • GPO "Security - domain\administrator hardening"
    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies
      ◦ Deny log on through Remote Desktop Services
      ◦ Deny log on as a service
      ◦ Deny log on as a batch job
      ◦ Deny access to this computer from the network

The result is a secure administrator account, but no more guest interaction...
Is there a list of minimum permissions for VIX guest interaction?

Thanks
Marcel
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: VIX Guest interaction - permissions?

Post by foggy »

Hi Marcel, I don't think we have such a granular permissions list. Have you tried backing up using such a somewhat restricted administrator account, or are you just curious whether it should work?

Re: VIX Guest interaction - permissions?

Post by mma »

Hi foggy

Guest interaction is no longer possible with those settings.
Will do some trial and error and let you know.

Regards
Marcel

Re: VIX Guest interaction - permissions?

Post by foggy »

Thanks, will appreciate sharing your findings.

Re: VIX Guest interaction - permissions?

Post by mma » 1 person likes this post

So, the show stopper is the "Deny access to this computer from the network" option.
The other settings have no influence on guest interaction.

Regards
Marcel
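
To check which of the four deny rights from this thread apply to an account on a given guest, the following added example (not part of the thread or of Veeam's tooling) parses the `[Privilege Rights]` section of a `secedit /export` file and flags the one right the thread found to stop guest interaction. The sample export and its SID are constructed for illustration, and the function names are hypothetical.

```python
# Added example: the export text and SID below are constructed, not from the thread.
# The four deny rights set by the GPO in the thread, keyed by secedit constant name.
DENY_RIGHTS = {
    "SeDenyRemoteInteractiveLogonRight": "Deny log on through Remote Desktop Services",
    "SeDenyServiceLogonRight": "Deny log on as a service",
    "SeDenyBatchLogonRight": "Deny log on as a batch job",
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
}
# Per the thread's finding, the only one of the four that stopped guest interaction.
BLOCKING = "SeDenyNetworkLogonRight"

# Constructed sample of the file written by: secedit /export /cfg out.inf /areas USER_RIGHTS
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-500,Guest
SeDenyBatchLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-500
SeDenyServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-500
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-500
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, members = line.partition("=")
            # SIDs are written with a leading '*'; account names are bare.
            rights[name.strip()] = {m.strip().lstrip("*").lower()
                                    for m in members.split(",") if m.strip()}
    return rights

def deny_rights_for(inf_text, principal):
    """List (constant, display name, blocks_guest_interaction) for one principal."""
    rights = parse_privilege_rights(inf_text)
    p = principal.lstrip("*").lower()
    return [(c, label, c == BLOCKING)
            for c, label in DENY_RIGHTS.items() if p in rights.get(c, set())]

if __name__ == "__main__":
    sid = "S-1-5-21-1111111111-2222222222-3333333333-500"
    for const, label, blocks in deny_rights_for(SAMPLE_INF, sid):
        print(f"{'BLOCKS' if blocks else 'ok    '} {const}: {label}")
```

A real export is normally UTF-16 encoded, so open it with `encoding="utf-16"` before passing the text in.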