-
- Expert
- Posts: 117
- Liked: 31 times
- Joined: Oct 30, 2012 7:53 pm
- Full Name: Chris Jones
- Contact:
Application Aware via VIX with UAC + Microsoft LAPS
Hi all,
We use Application Aware Processing wherever possible. We have many networks that are firewalled and rely on VIX integration to perform this for us. We are required to adhere to Defence Security Guidelines with regard to locking down our Windows Servers. Part of this requires us to enable UAC on all servers and to also regularly change the local administrator account password.
In the past this wasn't a big issue as we could use Group Policy to change the password for the administrator account on all servers and then update the account in the Veeam Console and it would take effect on all jobs.
Microsoft have since disabled the ability to control user account passwords via Group Policy as there was a security flaw with the method. They have since released the Local Administrator Password Solution, LAPS. This has a plugin on every server that is instructed by a GPO to change the password for the local administrator account to a randomly generated value after a certain number of days. The new password is then written to a new attribute on the server's computer object in Active Directory, which is only viewable to Domain Admins. Every server has a different password. This solution works really well, however, it causes issues with VIX Integration for AAIP as every server has a different administrator password.
Just wondering if anyone has any solutions they've come up with for this?
The simplest solution I can think of is to not use LAPS and use PowerShell scripts to change the password on every server to the same one every x days and then we continue to manually update Veeam. Is this the only option?
Thanks.
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Application Aware via VIX with UAC + Microsoft LAPS
Hi Chris,
I might be wrong but PowerShell is the only way to automate the password reset for guest processing in conjunction with LAPS. It should be possible to get a password for every client computer you want to back up (google gave me this example, end of the blog post) and then set the password via PS in the guest processing options of the job.
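The approach Dmitry sketches above, as an added example (not code from the forum post or from Veeam): read each VM's LAPS-managed password from its AD computer object and bind it as a per-VM guest processing credential in the job. It assumes the legacy Microsoft LAPS attribute ms-Mcs-AdmPwd, the RSAT ActiveDirectory module, the Veeam Backup PowerShell snap-in/module on the backup server, that the Veeam object name equals the AD computer name, and that the account running the script has been granted LAPS read rights (legacy LAPS lets you delegate this with Set-AdmPwdReadPasswordPermission, so the backup service account does not need to be a Domain Admin). The job name and server names are placeholders; the cmdlet parameter names are taken from the Veeam PowerShell reference as I know it and should be checked against your version.

```powershell
# Added example, not from the Veeam forum post or Veeam documentation.
# Assumptions: legacy LAPS (ms-Mcs-AdmPwd), RSAT ActiveDirectory module,
# Veeam PowerShell loaded (Add-PSSnapin on older releases; v11+ auto-loads
# Veeam.Backup.PowerShell). Job name is a placeholder.
Import-Module ActiveDirectory
Add-PSSnapin VeeamPSSnapin -ErrorAction SilentlyContinue

$JobName = 'Firewalled-Servers'                      # placeholder
$Job     = Get-VBRJob -Name $JobName
if (-not $Job) { throw "Job '$JobName' not found" }

foreach ($Obj in Get-VBRJobObject -Job $Job) {
    # Assumption: the VM name in the job equals the AD computer account name.
    $Computer = Get-ADComputer -Identity $Obj.Name `
        -Properties 'ms-Mcs-AdmPwd','ms-Mcs-AdmPwdExpirationTime' -ErrorAction Stop
    $Plain = $Computer.'ms-Mcs-AdmPwd'
    if ([string]::IsNullOrEmpty($Plain)) {
        # Empty means either LAPS has not run on that server yet or this account
        # lacks the delegated read right; skip rather than store a blank password.
        Write-Warning "$($Obj.Name): LAPS password not readable, skipping"
        continue
    }

    # Build the local built-in Administrator credential for this one VM.
    $Secure = ConvertTo-SecureString -String $Plain -AsPlainText -Force
    $PSCred = New-Object System.Management.Automation.PSCredential (
        "$($Obj.Name)\Administrator", $Secure)

    # Store it in the Veeam credentials manager with a tag that tells you which
    # rotation it belongs to, then attach it to this VM only, keeping the
    # job's existing VSS/guest-processing options unchanged.
    $Cred = Add-VBRCredentials -Credential $PSCred `
        -Description "LAPS $($Obj.Name) $(Get-Date -Format s)"
    $Vss  = Get-VBRJobObjectVssOptions -ObjectInJob $Obj
    Set-VBRJobObjectVssOptions -Object $Obj -Options $Vss -Credentials $Cred | Out-Null

    # Do not leave the clear-text password lying around in the session.
    Remove-Variable Plain, Secure, PSCred
    Write-Host "$($Obj.Name): guest credential updated (expires $($Computer.'ms-Mcs-AdmPwdExpirationTime'))"
}
```

Run it as a scheduled task on the backup server at an interval shorter than the LAPS rotation period, so a job never runs with a password LAPS has already replaced. Each run adds a new credential record; prune superseded ones with Remove-VBRCredentials so the credentials manager does not fill up with stale entries, and restrict who can read the Veeam database, since the credentials it holds are now every server's local admin password.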
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Application Aware via VIX with UAC + Microsoft LAPS
Hi Chris, not sure whether it is applicable in your environment, but take a look at the guest interaction proxies, they would allow you to get rid of using the built-in administrator account for application-aware processing.
-
- Expert
- Posts: 117
- Liked: 31 times
- Joined: Oct 30, 2012 7:53 pm
- Full Name: Chris Jones
- Contact:
Re: Application Aware via VIX with UAC + Microsoft LAPS
Thanks for the responses.
Wouldn't specifying guest interaction proxies still have the same limitations caused by UAC being enabled? Or are you saying if we ensure the interaction proxy has network access to the Virtual Machine, then it doesn't have to use VIX and therefore won't have the UAC issues?
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Application Aware via VIX with UAC + Microsoft LAPS
Chris,
Correct, that is indeed what foggy is saying.
-
- Service Provider
- Posts: 14
- Liked: never
- Joined: Dec 19, 2017 7:48 pm
- Full Name: S.Pythoud
- Location: Switzerland
- Contact:
Re: Application Aware via VIX with UAC + Microsoft LAPS
Hi,
foggy wrote (Jan 03, 2017 3:10 pm): "Hi Chris, not sure whether it is applicable in your environment, but take a look at the guest interaction proxies, they would allow to get rid of using built-in administrator account for application-aware processing."
I'm not sure I really understand: you are saying that using a guest interaction proxy within the same network as the VM to be backed up would allow keeping UAC enabled AND avoiding the use of the built-in administrator?
This KB says the opposite (see "More information", at the bottom):
https://www.veeam.com/kb1788
Thx.
Seb
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Application Aware via VIX with UAC + Microsoft LAPS
No, the idea is to place the guest interaction proxies in the VM networks and then use the network-based processing instead of VIX. Then you could avoid disabling VIX or using the Administrator (written like that) account.
-
- Service Provider
- Posts: 14
- Liked: never
- Joined: Dec 19, 2017 7:48 pm
- Full Name: S.Pythoud
- Location: Switzerland
- Contact:
Re: Application Aware via VIX with UAC + Microsoft LAPS
The KB clearly says that with UAC enabled, you'll need to use the built-in administrator account (SID-500), whether the GIP is in the same network or not. Is this correct?
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Application Aware via VIX with UAC + Microsoft LAPS
Disabling UAC or using the built-in account is a VIX-specific requirement. Probably the KB needs clarification.
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Application Aware via VIX with UAC + Microsoft LAPS
This one should explain all the current options:
https://www.veeambp.com/job_configurati ... ng-options
-
- Veteran
- Posts: 487
- Liked: 106 times
- Joined: Dec 08, 2014 2:58 pm
- Full Name: Steve Krause
- Contact:
Re: Application Aware via VIX with UAC + Microsoft LAPS
I can confirm that using interaction proxies with network access to the machines (need SMB and RPC ports open on the Windows firewall) works with an AD account on machines with UAC enabled.
We had intermittent issues with VIX even before we turned UAC on for all our servers and this solved both problems.
Steve Krause
Veeam Certified Architect
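A readiness check for the network-based path Steve describes, as an added example (not from the forum post or from Veeam): run it on the guest interaction proxy before switching a job away from VIX, and it tells you per VM whether the ports that path depends on are reachable and whether the admin share opens with the domain account you intend to use. TCP 445 (SMB) and TCP 135 (RPC endpoint mapper) are the well-known ports; RPC then negotiates a dynamic high port, which the "File and Printer Sharing" firewall rule group on the guest is assumed to cover. The VM names are placeholders and the Veeam-specific port list in the product documentation should still be consulted for your version.

```powershell
# Added example, not from the forum post or Veeam documentation.
# Run on the guest interaction proxy as the domain account the job will use.
# VM names are placeholders.
$Targets = 'SRV-APP01', 'SRV-SQL01'
$Ports   = [ordered]@{ SMB_445 = 445; RPC_135 = 135 }

$Report = foreach ($T in $Targets) {
    $Row = [ordered]@{ VM = $T }
    foreach ($P in $Ports.GetEnumerator()) {
        # TcpTestSucceeded is $false both when the guest firewall drops the
        # port and when an intermediate firewall between proxy and VM does.
        $Row[$P.Key] = (Test-NetConnection -ComputerName $T -Port $P.Value `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    # Reaching the port is not enough: the account must also be allowed to
    # open the administrative share, which is what UAC's remote restrictions
    # affect for non-built-in local accounts but not for domain accounts.
    $Row['AdminShare'] = Test-Path -Path "\\$T\ADMIN$" -ErrorAction SilentlyContinue
    $Row['Ready'] = ($Row.SMB_445 -and $Row.RPC_135 -and $Row.AdminShare)
    [pscustomobject]$Row
}

$Report | Format-Table -AutoSize

# For guests that fail only on the port checks, the rule group to enable on
# the guest (assumed sufficient here; check Veeam's port list for your version):
#   Invoke-Command -ComputerName $T -ScriptBlock {
#       Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
#   }
```

A row that shows both ports open but AdminShare false usually points at the account rather than the network: either the account is not a local administrator on that guest, or it is a local (non-SID-500) account and UAC remote restrictions are filtering its token, which is exactly the case the thread says a domain account on the network path avoids.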