Application Aware via VIX with UAC + Microsoft LAPS

by chjones » Mon Jan 02, 2017 8:53 pm

Hi all,

We use Application Aware Processing wherever possible. We have many networks that are firewalled and rely on VIX integration to perform this for us. We are required to adhere to Defence Security Guidelines with regard to locking down our Windows Servers. Part of this requires us to enable UAC on all servers and to also regularly change the local administrator account password.

In the past this wasn't a big issue as we could use Group Policy to change the password for the administrator account on all servers and then update the account in the Veeam Console and it would take effect on all jobs.

Microsoft have since disabled the ability to control user account passwords via Group Policy as there was a security flaw with the method. They have since released the Local Administrator Password Solution, LAPS. This has a plugin on every server that is instructed by a GPO to change the password for the local administrator account to a randomly generated value after a certain number of days. The new password is then written to a new attribute on the server's computer object in Active Directory, which is only viewable to Domain Admins. Every server has a different password. This solution works really well, however, it causes issues with VIX Integration for AAIP as every server has a different administrator password.

Just wondering if anyone has any solutions they've come up with for this?

The simplest solution I can think of is to not use LAPS and use PowerShell scripts to change the password on every server to the same one every x number of days and then we continue to manually update Veeam. Is this the only option?

Thanks.
chjones
Enthusiast
 
Posts: 83
Liked: 25 times
Joined: Tue Oct 30, 2012 7:53 pm
Full Name: Chris Jones

Re: Application Aware via VIX with UAC + Microsoft LAPS

by Dima P. » Mon Jan 02, 2017 9:19 pm

Hi Chris,

I might be wrong, but PowerShell is the only way to automate the password reset for guest processing in conjunction with LAPS. It should be possible to get a password for every client computer you want to back up (Google gave me this example, end of the blog post) and then set the password via PS in the guest processing options of the job.
Dima P.
Veeam Software
 
Posts: 6253
Liked: 440 times
Joined: Mon Feb 04, 2013 2:07 pm
Location: SPb
Full Name: Dmitry Popov
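
The approach suggested in the reply above, sketched as an added example that is not part of the original thread or Veeam's own code. It assumes the legacy LAPS `AdmPwd.PS` module, the v9-era `VeeamPSSnapin`, an account with read rights on the LAPS password attribute, and that each VM already uses its own Veeam credential record whose user name is `<SERVER>\Administrator`; the server names are constructed samples.

```powershell
#Requires -Modules AdmPwd.PS
# Added example: copy each server's current LAPS password into its Veeam credential record.
# Assumption: one credential record per server, user name "<SERVER>\Administrator",
# already assigned to that VM in the job's guest processing settings.
param(
    [string[]]$ComputerName = @('SRV-APP01', 'SRV-SQL01'),  # constructed sample names
    [string]$LocalAdmin = 'Administrator'
)

Import-Module AdmPwd.PS
# v9.x snap-in; newer releases ship a module (Import-Module Veeam.Backup.PowerShell).
Add-PSSnapin VeeamPSSnapin -ErrorAction Stop

$failed = @()
foreach ($computer in $ComputerName) {
    # Reads the LAPS attribute from the computer object in AD.
    # Returns an empty Password if the caller lacks read rights on it.
    $laps = Get-AdmPwdPassword -ComputerName $computer
    if (-not $laps -or [string]::IsNullOrEmpty($laps.Password)) {
        Write-Warning "${computer}: no readable LAPS password (check delegation)"
        $failed += $computer
        continue
    }

    # Look up the per-server credential record in Veeam's credentials manager.
    $userName = "$computer\$LocalAdmin"
    $cred = Get-VBRCredentials -Name $userName | Select-Object -First 1
    if (-not $cred) {
        Write-Warning "${computer}: no Veeam credential record for $userName"
        $failed += $computer
        continue
    }

    # Update the stored password in place; jobs referencing the record pick it up.
    Set-VBRCredentials -Credential $cred -Password $laps.Password | Out-Null
    Write-Output "${computer}: updated, LAPS expiry $($laps.ExpirationTimestamp)"
}

# Non-zero exit lets a scheduled task flag servers that need attention.
if ($failed.Count -gt 0) { exit 1 }
```

Schedule it to run more often than the LAPS password age so a rotated password is picked up before the next backup, and run it under a dedicated account delegated read access to only the relevant OUs rather than as a Domain Admin.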

Re: Application Aware via VIX with UAC + Microsoft LAPS

by foggy » Tue Jan 03, 2017 3:10 pm

Hi Chris, not sure whether it is applicable in your environment, but take a look at the guest interaction proxies; they would allow you to get rid of using the built-in administrator account for application-aware processing.
foggy
Veeam Software
 
Posts: 14743
Liked: 1081 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Application Aware via VIX with UAC + Microsoft LAPS

by chjones » Wed Jan 11, 2017 1:29 am

Thanks for the responses.

Wouldn't specifying guest interaction proxies still have the same limitations caused by UAC being enabled? Or are you saying if we ensure the interaction proxy has network access to the Virtual Machine, then it doesn't have to use VIX and therefore won't have the UAC issues?
chjones
Enthusiast
 
Posts: 83
Liked: 25 times
Joined: Tue Oct 30, 2012 7:53 pm
Full Name: Chris Jones

Re: Application Aware via VIX with UAC + Microsoft LAPS

by Mike Resseler » Wed Jan 11, 2017 6:15 am

Chris,

Correct, that is indeed what foggy is saying.
Mike Resseler
Veeam Software
 
Posts: 3161
Liked: 362 times
Joined: Fri Feb 08, 2013 3:08 pm
Location: Belgium, the land of the fries, the beer, the chocolate and the diamonds...
Full Name: Mike Resseler
