Rik
Service Provider
Posts: 7
Liked: never
Joined: Aug 02, 2012 10:19 pm
Full Name: Rik Bruins
Contact:

Backup failing due to UAC?

Post by Rik » Aug 02, 2012 10:52 pm

Hi,

I'm using Veeam B&R 6.1 to back up our vSphere VMs, but all backups are failing with the error:

Failed to prepare guest for hot backup. Error: Failed to connect to guest agent. Errors: 'Cannot connect to the host's administrative share. Host: [xx.xx.xx.xx]. Account: [xxx\xxx]. Win32 error:The network path was not found. Code: 53
I noticed this line in the release notes:

Network-less interaction with Microsoft Windows guests having UAC enabled (Vista or later) requires that Local Administrator (MACHINE\Administrator) or Domain Administrator (DOMAIN\Administrator) account is provided on Guest Processing step.

Our backup servers only have a connection to vSphere and storage. They can't access the guest networks. Also, due to security reasons, the 'default' DOMAIN\Administrator account is disabled so I entered another domain administrator account. Is there any way to enable Application-aware backups without disabling UAC or altering the reg key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy?

Thanks.

Rik Bruins

Gostev
SVP, Product Management
Posts: 24939
Liked: 3622 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Backup failing due to UAC?

Post by Gostev » Aug 02, 2012 11:38 pm

Hi Rik, no it's not possible. You need to either use administrator account (domain, or local machine), or disable UAC. Can you use local Administrator account on those VMs? Also, note that backup server does not need to be able to access guest networks. Thanks!

Re: Backup failing due to UAC?

Post by Rik » Aug 02, 2012 11:44 pm

Hi Gostev,

What's so special about the default Administrator account? Why can't I use a self-created local/domain administrator account with a different name than 'Administrator'?

Regards,
Rik

Re: Backup failing due to UAC?

Post by Gostev » Aug 03, 2012 12:03 am

Because of how Microsoft designed UAC. And I don't really understand the reasoning behind this design decision either, although I am sure there is one probably...

tsightler
VP, Product Management
Posts: 5448
Liked: 2263 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Backup failing due to UAC?

Post by tsightler » Aug 03, 2012 12:33 am 1 person likes this post

Rik wrote: What's so special about the default Administrator account? Why can't I use a self-created local/domain administrator account with a different name than 'Administrator'?
Because the "built-in" administrator accounts use well-known security descriptors that are completely exempted from UAC by the default security policy. If you open the Local Security Policy editor, and navigate to Local Policies...Security Options, you will find a policy as follows:

User Access Control: Admin Approval Mode for the Built-in Administrator account: Disabled

Basically this means that the built-in accounts technically have UAC enabled, but are automatically approved for escalation rather than prompted. If you set this policy to enabled, then the built-in accounts are not treated any differently than other admins and they ALL require approval for escalation.

You can read more about well-known security principals in Windows here. For anyone super interested, I strongly recommend watching Raiders of the Elevated Token.
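
An added example, not part of the original thread: the policy named in the post above is stored as the `FilterAdministratorToken` value in the same `Policies\System` key that holds `LocalAccountTokenFilterPolicy`, so the effective UAC token behaviour can be read in one pass. The function name is hypothetical, and missing values are assumed to take the Windows defaults noted in the comments.

```powershell
# Added example: interpret the UAC-related values under Policies\System.
# Get-UacTokenPolicy is a hypothetical helper name, not a built-in cmdlet.
function Get-UacTokenPolicy {
    param([hashtable]$Values)   # optional: pre-collected values instead of the live registry

    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $names = 'EnableLUA', 'FilterAdministratorToken', 'LocalAccountTokenFilterPolicy'

    if ($null -eq $Values) {
        $Values = @{}
        $item = Get-ItemProperty -Path $key -ErrorAction Stop
        foreach ($n in $names) {
            if ($null -ne $item.$n) { $Values[$n] = [int]$item.$n }
        }
    }

    # Assumption: a missing value means the default (EnableLUA = 1, the other two = 0).
    $defaults = @{ EnableLUA = 1; FilterAdministratorToken = 0; LocalAccountTokenFilterPolicy = 0 }
    $v = @{}
    foreach ($n in $names) {
        $v[$n] = if ($Values.ContainsKey($n)) { $Values[$n] } else { $defaults[$n] }
    }

    $uacOn = $v.EnableLUA -ne 0
    [pscustomobject]@{
        UacEnabled                = $uacOn
        # Admin Approval Mode for the built-in Administrator is Disabled when the value is 0.
        BuiltinAdminGetsFullToken = (-not $uacOn) -or ($v.FilterAdministratorToken -eq 0)
        # Every other member of Administrators gets a filtered token while UAC is on.
        OtherAdminsNeedElevation  = $uacOn
        # Applies to local (non-domain) accounts connecting over the network.
        RemoteLocalAdminsFiltered = $uacOn -and ($v.LocalAccountTokenFilterPolicy -ne 1)
    }
}

# Constructed sample: UAC on, built-in Administrator placed under Admin Approval Mode.
Get-UacTokenPolicy -Values @{ EnableLUA = 1; FilterAdministratorToken = 1 }

# Live machine (run in an elevated or normal session; reading this key needs no admin rights).
Get-UacTokenPolicy
```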

Re: Backup failing due to UAC?

Post by Rik » Aug 06, 2012 9:31 am

I disabled UAC and also added the reg key, but application aware backups are still not working:

6-8-2012 11:29:01 :: Failed to prepare guest for hot backup. Error: Failed to connect to guest agent. Errors:
'Cannot connect to the host's administrative share. Host:  [xx.xx.xx.xx]. Account: [xxx\xxx].
Win32 error:The network path was not found.
 Code: 53
Cannot connect to the host's administrative share. Host:  [x::x:x:x:x]. Account: [xxx\xxx].
Win32 error:The network path was not found.
 Code: 53
Cannot connect to the host's administrative share. Host:  [x::x:x:x:x]
There is no network connection between vmware/veeam and the guest networks. Any ideas?

foggy
Veeam Software
Posts: 18366
Liked: 1575 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Backup failing due to UAC?

Post by foggy » Aug 06, 2012 9:54 am

Rik, I would suggest opening a case for further investigation as the problem seems to lie a bit deeper.

Re: Backup failing due to UAC?

Post by Gostev » Aug 06, 2012 9:56 am

Something is still missing, and preventing network-less operation from functioning. Please include support case ID for this issue on this topic.

Re: Backup failing due to UAC?

Post by Rik » Aug 06, 2012 10:57 am

It seems that UAC can't be disabled. It is enforced within the group policies. But I also added the regkey. Is this not enough, or is this only working when there is a network connection between vmware/veeam and the guest VM?

Re: Backup failing due to UAC?

Post by Rik » Aug 06, 2012 11:17 am

In another post I read something about manually installing a Veeam Proxy Agent. Could this work? If so, how do I install this thing?

Re: Backup failing due to UAC?

Post by Gostev » Aug 06, 2012 3:20 pm

Actually, there is no "thing" you can install in this case... we do not use persistent agents inside guest, so there is no installation package available.

If you change a Group Policy controlled registry setting, it will be overwritten by the policy... I believe registry keys like the above one work if there is no group policy in play that involves it. Otherwise, group policy would be too easy to hack around.

Re: Backup failing due to UAC?

Post by Rik » Aug 06, 2012 3:32 pm

Yes, I know that I can change the GPO, but this is not allowed in the security policy. That's why UAC is enforced through a GPO.
So, there is no way we can make an application aware (VSS) backup with Veeam when UAC is enabled? That's a huge disappointment!

Re: Backup failing due to UAC?

Post by Gostev » Aug 06, 2012 3:39 pm

Of course you can make an application aware (VSS) backup with Veeam when UAC is enabled, you just need to provide the account that meets the above-mentioned requirements.

Re: Backup failing due to UAC?

Post by Rik » Aug 06, 2012 4:02 pm

Yes, by using the builtin\administrator or domain\administrator account.
I feel that if you're taking security seriously, disabling these accounts is one of the first things everyone should be doing when deploying a new environment.

Our security policy is very strict. It's a shame we can't use Veeam as an enterprise backup solution. If there would be a solution for this, Veeam would be perfect!

Re: Backup failing due to UAC?

Post by Gostev » Aug 06, 2012 4:06 pm

No other solution for this at this time, unfortunately. The only two are disabling UAC, or using account that can bypass it.

Re: Backup failing due to UAC?

Post by tsightler » Aug 06, 2012 4:19 pm 1 person likes this post

Rik wrote:In another post I read something about manually installing a Veeam Proxy Agent. Could this work? If so, how do I install this thing?
No, this is only for installing the Veeam Installer and Transport agent services, it has nothing to do with VMs that are being backed up.

Re: Backup failing due to UAC?

Post by tsightler » Aug 06, 2012 4:27 pm 3 people like this post

You can use VMware tools quiescence, instead of Veeam application aware processing. Assuming you are using recent VMware tools this will work and will provide application consistency, although not at the level that Veeam AAP can provide.

Unfortunately the issue that you are seeing is not something that is easy to overcome since it is simply the way that UAC works. With a direct network connection it works because UAC is not enforced on network connections, however, when using "connectionless" mode we are leveraging the VIX API to connect locally to the host. In this case UAC will block any attempts to escalate except for the "built-in" administrator. With UAC, local connections attempting to perform administrative tasks require interactive approval to escalate privileges.

"Security" is all about having balance. You have to decide if having such strict "security" is better than having slightly less than ideal backups (note that VSS isn't required for taking a backup, your backups will be "crash consistent" even without them which is likely all you need in 99% of cases, and if you use recent VMware tools and VMware tools quiescence then you will still have consistent backups). However, it could be argued that not having a 100% consistent backup isn't very good "security" either.

Of course, you may point out that other products that leverage agents can provide backups without this restriction, but that's not really a fair comparison. These agents generally run as a service with privileged status, and then provide an open connection to the world on which the backup server connects, in many cases providing their own, quite weak, authentication. One of the most common methods used by penetration testers is the compromise of these "agents" that are deployed on servers.

dellock6
Veeam Software
Posts: 5753
Liked: 1644 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: Backup failing due to UAC?

Post by dellock6 » Aug 06, 2012 9:53 pm 2 people like this post

Oh Tom, your post reminds me of my past activities in the security field, when I was actually using for real my CISSP certification :)

Well, the issue is basically security means different things. You can have Confidentiality, Integrity, or Availability (known as the CIA triad). You can't have all of them at the highest level at the same time, so you need to evaluate what is more important for you. Often in backups, integrity is the first goal (be sure your data are the same as you saved them, when you restore them), but then you choose between availability and confidentiality. Encrypted backups are the best example, you prefer to be fast on restores (availability) or be sure only authorized people can restore data?
Everything in a design exercise is about balancing and choosing options...

Luca.
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2019
Veeam VMCE #1

brupnick
Expert
Posts: 196
Liked: 13 times
Joined: Feb 05, 2011 5:09 pm
Full Name: Brian Rupnick
Location: New York, USA
Contact:

Application Aware Backup of 2008 R2 Domain Controller

Post by brupnick » Aug 22, 2012 4:07 pm

[merged]

Good afternoon-

I'm having trouble running an application aware backup of my Windows Server 2008 R2 domain controller. The error that I'm receiving is:

Failed to prepare guest for hot backup. Error: Failed to connect to guest agent. Errors: 'Cannot connect to the host's administrative share. Host: [A.B.50.50]. Account: [DOMAIN\domainadmin]. Win32 error:The network name cannot be found. Code: 67 '
There are firewalls between my VBR server and these two DCs, so RPC fails. This is the case with all VMs in my environment, but the failover to VIX works everywhere else.

As far as I can tell, this issue is related to UAC. If I disable UAC on my DC, the backup is successful. If UAC is anything but disabled, it fails. Disabling UAC is not an option, so are there any ways to get around this? Has anyone else experienced this issue? My support ticket is ID#5210282.

Thanks in advance,
Brian

chrisdearden
Expert
Posts: 1530
Liked: 225 times
Joined: Jul 21, 2010 9:47 am
Full Name: Chris Dearden
Contact:

Re: Application Aware Backup of 2008 R2 Domain Controller

Post by chrisdearden » Aug 22, 2012 4:15 pm

Try using the actual administrator account for the application aware permissions (it has some hard-coded bypass for UAC).

Re: Application Aware Backup of 2008 R2 Domain Controller

Post by brupnick » Aug 22, 2012 4:17 pm

Please correct me if I'm wrong, but because it's a DC, there are no local accounts to use. On my non-DC 2008 R2 machines, using a local admin rather than a domain admin was the fix.

Vitaliy S.
Product Manager
Posts: 23070
Liked: 1582 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Backup failing due to UAC?

Post by Vitaliy S. » Aug 23, 2012 10:03 am

Hi Brian,

Yes, you're right, there are no local accounts to use, but what account are you using to back up your DC VM? Is it a default domain administrator?

Thanks!

Re: Backup failing due to UAC?

Post by brupnick » Aug 23, 2012 11:36 am

Good morning Vitaliy-

Could you please clarify what you mean by a "default domain administrator?" As opposed to a...?

Thanks!
Brian

Re: Backup failing due to UAC?

Post by foggy » Aug 23, 2012 1:14 pm

Built-in vs the one that is created manually and made a member of the Domain Admins group.

Re: Backup failing due to UAC?

Post by Gostev » Aug 23, 2012 1:22 pm

DOMAIN\Administrator account

Re: Backup failing due to UAC?

Post by brupnick » Aug 23, 2012 1:28 pm

For security purposes, we rename all of our administrator accounts, both local and domain. Is there a way for me to know if one of my renamed accounts was at one point the built-in?

Re: Backup failing due to UAC?

Post by Gostev » Aug 23, 2012 1:34 pm

The account you are looking for will have a well-known SID.

Re: Backup failing due to UAC?

Post by dellock6 » Aug 23, 2012 3:09 pm

SID: S-1-5-21domain-500.

You can check all the well-known SIDs here:
http://support.microsoft.com/kb/243330/en-us

Re: Backup failing due to UAC?

Post by brupnick » Aug 23, 2012 3:33 pm

That's very interesting. The account that I'm using does not end in -500, so it is not the default domain administrator account. The account that does end in -500 has been disabled and replaced with a new account (the one that I'm trying to use).

Re: Backup failing due to UAC?

Post by Vitaliy S. » Aug 23, 2012 6:14 pm

Seems like we've nailed it, you should be using the account which ends in -500 to bypass the UAC built-in policies.
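
An added example, not part of the original thread: one way to answer the "which renamed account is the built-in one" question above is to compare SIDs rather than names, using the .NET `SecurityIdentifier` class from PowerShell. The function name is hypothetical and the two SID strings at the bottom are constructed sample values.

```powershell
# Added example: report whether an identity is the built-in Administrator (RID 500)
# and which account currently holds RID 500 in the same domain or machine.
# Get-BuiltinAdminStatus is a hypothetical helper name.
function Get-BuiltinAdminStatus {
    param([Parameter(Mandatory = $true)][string]$Identity)   # 'DOMAIN\name' or an 'S-1-...' string

    $adminKind = [System.Security.Principal.WellKnownSidType]::AccountAdministratorSid

    if ($Identity -like 'S-1-*') {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Identity)
    } else {
        # Name -> SID; throws if the name cannot be resolved.
        $nt  = New-Object System.Security.Principal.NTAccount($Identity)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    }

    $domainSid  = $sid.AccountDomainSid   # $null for SIDs that are not account SIDs
    $rid500Name = $null
    if ($null -ne $domainSid) {
        # Build <domain or machine SID>-500 and map it back to its current (possibly renamed) name.
        $rid500 = New-Object System.Security.Principal.SecurityIdentifier($adminKind, $domainSid)
        try   { $rid500Name = $rid500.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $rid500Name = $rid500.Value }   # unresolvable here: fall back to the SID string
    }

    [pscustomobject]@{
        Identity               = $Identity
        Sid                    = $sid.Value
        IsBuiltinAdministrator = $sid.IsWellKnown($adminKind)
        Rid500Account          = $rid500Name
    }
}

# The account running this session.
Get-BuiltinAdminStatus -Identity "$env:USERDOMAIN\$env:USERNAME"

# Constructed SIDs: the first ends in -500, the second is an ordinary account RID.
Get-BuiltinAdminStatus -Identity 'S-1-5-21-1111111111-2222222222-3333333333-500'
Get-BuiltinAdminStatus -Identity 'S-1-5-21-1111111111-2222222222-3333333333-1104'
```

The `Rid500Account` column shows the current name of the built-in account even after a rename; whether that account is enabled has to be checked separately.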
