by kkuszek » Fri Mar 27, 2015 3:58 pm
I am going to bump an old one with a different mindset.
Has anyone looked at or found a way to disable UAC selectively?
I.e., when the Veeam service account logs into the machine, do GPOs/login scripts apply to that session? Can UAC be disabled via a GPO or similar at the account and not computer enforcement level so it only compromises during the backup window?
Could Veeam bypass this limitation on UAC-enabled machines by creating a Windows task scheduled to run once with elevated permissions and allow the task to be run on demand? It could remove the task when quiesced after.
by Vitaliy S. » Sun Mar 29, 2015 4:47 pm
Haven't tried that, but you can try to do that (disable UAC) as a pre-backup job script.
kkuszek wrote: Could Veeam bypass this limitation on UAC-enabled machines by creating a Windows task scheduled to run once with elevated permissions and allow the task to be run on demand? It could remove the task when quiesced after.
Do you mean Veeam VSS task? No, it cannot be triggered on demand.
by cbrasga » Sun Jan 29, 2017 5:39 pm
I know Veeam is really proud of their "agentless" backups, but perhaps it should also offer a simple agent as an option to allow for managing VSS snapshots without requiring the use of the Administrator account or disabling UAC. Using either workaround is a security risk. Those environments that want to run their backups with a specific service account while leaving UAC intact on their VMs can simply deploy an agent while maintaining security.
Veeam's backup logic could be to use the agent if it exists; if not, use remote execution or VIX.
by DonZoomik » Mon Jan 30, 2017 12:29 pm
Can't we log in via VIX as NT AUTHORITY\SYSTEM? It has network access, a lot of privileges and no password. Or is there an API limitation/feature against that? If we could, it would make things a lot easier (no custom credentials per VM).
by DonZoomik » Wed Mar 01, 2017 10:17 pm
I was checking out the API a few days ago and thinking about it. Remotely, sure you can't. But from the OS perspective, VIX login should be local... https://forum.sysinternals.com/best-pra ... 92099.html If VixVM_LoginInGuest uses Win32 LogonUser, it might work, as VMware Tools as the calling process has quite high privileges. VixVM_LoginInGuest of course doesn't have flags to set LOGON32_LOGON_SERVICE...
Or are you just saying that you've tried that and it doesn't work?
by DonZoomik » Thu Mar 02, 2017 9:04 am
To quote Raymond Chen, you're already on the other side of the airtight hatchway. With access to VMware, you pretty much have full control of the guest OS one way or the other, and Tools do run under SYSTEM. But fine, I presume it doesn't work.