Backup failing due to UAC?

Availability for the Always-On Enterprise

Re: Backup failing due to UAC?

Veeam Logoby kkuszek » Fri Mar 27, 2015 3:58 pm

I am going to bump an old one with a different mindset.

Has anyone looked at or found a way to disable UAC selectively?

I.E. when the veeam service account logs into the machine, do gpo's/login scripts apply to that session? Can UAC be disabled via a gpo or similar at the account and not computer enforcement level so it only compromises during the backup window?

Could VEEAM bypass this limitation on UAC enabled machines by creating a windows task scheduled to run once with elevated permissions and allow task to be run on demand? it could remove the task when quiesced after.
kkuszek
Enthusiast
 
Posts: 92
Liked: 5 times
Joined: Fri Mar 13, 2015 3:12 pm
Full Name: Kurt Kuszek

Re: Backup failing due to UAC?

Veeam Logoby Vitaliy S. » Sun Mar 29, 2015 4:47 pm

Haven't tried that, but you can try do that (disable UAC) as a pre-backup job script.

kkuszek wrote:Could VEEAM bypass this limitation on UAC enabled machines by creating a windows task scheduled to run once with elevated permissions and allow task to be run on demand? it could remove the task when quiesced after.

Do you mean Veeam VSS task? No, it cannot be triggered on demand.
Vitaliy S.
Veeam Software
 
Posts: 19709
Liked: 1117 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Backup failing due to UAC?

Veeam Logoby cbrasga » Sun Jan 29, 2017 5:39 pm

I know Veeam is really proud of their "agentless" backups, but perhaps it should also offer a simple agent as an option to allow for the managing VSS snapshots without requiring using the Administrator account or Disabling UAC. Using either workaround is a security risk. Those environments that want to run their backups with a specific service account while leaving UAC in tact on their VMs can simply deploy an agent while maintaining security.

Veeams backup logic could be to use the agent if it exist, if not use remote execution or VIX.
cbrasga
Influencer
 
Posts: 11
Liked: never
Joined: Sat Apr 27, 2013 2:09 am
Full Name: Cazi Brasga

Re: Backup failing due to UAC?

Veeam Logoby Vitaliy S. » Mon Jan 30, 2017 9:24 am

Managing and troubleshooting these agents might be painful, but thanks for the feedback. As a solution for now, you may want to try to use pre-freeze and post-thaw scripts.
Vitaliy S.
Veeam Software
 
Posts: 19709
Liked: 1117 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Backup failing due to UAC?

Veeam Logoby DonZoomik » Mon Jan 30, 2017 12:29 pm

Can't we login via VIX as NT AUTHORITY\SYSTEM? It has network access, a lot of privileges and no password.
Or is there an API limitation/feature against that? If we could, it would make things a lot easier (no custom credentials per VM).
DonZoomik
Influencer
 
Posts: 20
Liked: 8 times
Joined: Fri Nov 25, 2016 1:56 pm

Re: Backup failing due to UAC?

Veeam Logoby Vitaliy S. » Wed Mar 01, 2017 2:53 pm

Not sure about this, but you can give it a try.
Vitaliy S.
Veeam Software
 
Posts: 19709
Liked: 1117 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Backup failing due to UAC?

Veeam Logoby Gostev » Wed Mar 01, 2017 7:23 pm

If you know the password ;)
Gostev
Veeam Software
 
Posts: 21442
Liked: 2362 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Backup failing due to UAC?

Veeam Logoby DonZoomik » Wed Mar 01, 2017 8:29 pm

You can't set an empty string for password in Veeam. SYSTEM is not supposed to have a password.
DonZoomik
Influencer
 
Posts: 20
Liked: 8 times
Joined: Fri Nov 25, 2016 1:56 pm

Re: Backup failing due to UAC?

Veeam Logoby Gostev » Wed Mar 01, 2017 9:34 pm

Exactly, which is why you can't logon to a computer with this account ;)
Gostev
Veeam Software
 
Posts: 21442
Liked: 2362 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Backup failing due to UAC?

Veeam Logoby DonZoomik » Wed Mar 01, 2017 10:17 pm

I was checking out the API a few days ago and thinking about it. Remotely, sure you can't. But from OS perspective VIX login should be local...
https://forum.sysinternals.com/best-pra ... 92099.html
If VixVM_LoginInGuest uses Win32 LogonUser, it might work as VMWare Tools as calling process has quite high privileges. VixVM_LoginInGuest of course doesn't have flags to set LOGON32_LOGON_SERVICE...

Or are you just saying that you've tried that and it doesn't work?
DonZoomik
Influencer
 
Posts: 20
Liked: 8 times
Joined: Fri Nov 25, 2016 1:56 pm

Re: Backup failing due to UAC?

Veeam Logoby Gostev » Wed Mar 01, 2017 11:12 pm

If anything like this was possible, it would be a huge security flaw...
Gostev
Veeam Software
 
Posts: 21442
Liked: 2362 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Backup failing due to UAC?

Veeam Logoby DonZoomik » Thu Mar 02, 2017 9:04 am

To quote Raymond Chen, you're already on the other side of the airtight hatchway. With access to VMWare, you pretty much have full control of the Guest OS one way or the other and Tools do run under SYSTEM.
But fine, I presume it doesn't work.
DonZoomik
Influencer
 
Posts: 20
Liked: 8 times
Joined: Fri Nov 25, 2016 1:56 pm

Previous

Return to Veeam Backup & Replication



Who is online

Users browsing this forum: Bing [Bot] and 12 guests