Our physical Veeam B&R Server (which is also proxy and guest interaction proxy) is in a private VLAN. Guest interaction over RPC is not possible, so we have to use VIX.
As we need to have UAC enabled, we have to use domain\administrator for the guest interaction. Not a big problem, but we have to harden our domain admin accounts.
Guest interaction proxies are no solution as we have dozens of guest VM VLANs. Additionally, any communication between backup VLAN and guest VLANs is a no-go.
There is a nice little guide from Microsoft, “Securing Built-In Administrator Accounts in Active Directory”:
https://technet.microsoft.com/en-us/win ... 2147217396
We set the following options for domain\administrator:
- Account is sensitive and cannot be delegated
- GPO "Security - domain\administrator hardening"
  Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies
  - Deny log on through Remote Desktop Services
  - Deny log on as a service
  - Deny log on as a batch job
  - Deny access to this computer from the network
The result is a secure administrator account, but no more guest interaction…
Is there a list of minimum permissions for VIX guest interaction?
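
To check on a guest VM which of the four deny rights from the GPO above actually apply to the account, the following added example (not part of the original post, and not Veeam or Microsoft code) parses a `secedit /export` file and reports each right for a given SID. The SID and the sample export are constructed, the function name is hypothetical, and accounts are matched by SID only.

```powershell
# Added example. User-right constants for the four GPO settings listed in the post.
$DenyRights = [ordered]@{
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
}

function Get-DenyRightStatus {   # hypothetical helper name
    param(
        [string[]]$InfLines,     # lines of a secedit export
        [string]$Sid             # SID of the account to check
    )
    $found = @{}
    foreach ($line in $InfLines) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            # Entries are comma-separated; SIDs carry a leading '*'.
            $found[$Matches[1]] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    # A right that is absent from the export is assigned to nobody.
    foreach ($right in $DenyRights.Keys) {
        [pscustomobject]@{
            Right  = $right
            Policy = $DenyRights[$right]
            Denied = ($found.ContainsKey($right) -and ($found[$right] -contains $Sid))
        }
    }
}

# Constructed sample export: the batch-job right is missing on purpose.
$sid = 'S-1-5-21-1111111111-2222222222-3333333333-500'   # constructed SID, RID 500
$sample = @'
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-500,*S-1-5-32-546
SeDenyServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-500
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-500
SeBackupPrivilege = *S-1-5-32-544
'@ -split '\r?\n'

Get-DenyRightStatus -InfLines $sample -Sid $sid | Format-Table -AutoSize

# On a real guest (elevated prompt), export the current user rights first:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
# and pass (Get-Content "$env:TEMP\rights.inf") as -InfLines.
```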