How to Harden Veeam Backup & Replication 12.1 According to Security & Compliance Analyzer Verifications
Purpose
This article provides information regarding automating the configuration of the Veeam Backup Server server according to practices suggested in the Security & Compliance Analyzer when using Veeam Backup & Replication 12.1.
This article documents actions that the provided automation script performs and how to execute the script. For details on Security & Compliance Analyzer verifications, please review the Technical Documentation page.
Solution
Read Entire Article Closely
We strongly encourage you to read all of the information below before executing the provided automation script. It is critical that you understand what this script does and the impact it will have.
Automated Script Limitations and Considerations
- The script only applies missing security best practices found on the machine where Veeam Backup & Replication is installed, where the script is run from. The script will not apply security best practices to any other machine.
- Some of the practices apply security settings that might affect other applications. For example, the script will attempt to disable SSL2.0 on a server, which will cause other applications that depend on SSL 2.0 to fail.
- Some of the practices apply security settings that might cause server lockdown. For example, the script may attempt to disable Remote Desktop Services (TermService), restricting RDP access to the server; it may also disable Windows Remote Management (WinRM service), which, when disabled, may cause problems with external management of the server.
- The script will not process Suppressed entries within the Security & Compliance Analyzer UI. Before using the apply option within the script, compare the report output of the script to the entries within the UI and suppress any security recommendations you do not want the script to attempt to remediate.
- This script does not have an undo option. Once changes are made, if you wish to revert those changes, you must do so manually.
Automated Script Usage
The PowerShell script must be run in an elevated PowerShell console on the Veeam Backup Server using an account with local administrator permissions.
Script Explanation
- The script will connect to the local instance of Veeam Backup & Replication.
- The script will trigger a new session of the Security & Compliance Analyzer.
- The script will wait 10 seconds and then collect verification statuses.
- The script will determine the status for each of the suggested configurations and find which suggested best practices require remediation that the script can assist with.
- The script will output the results in the PowerShell console.
- The script will prompt the user to select a course of action:
- 1: Refresh compliance report
- 2: Apply recommended security & compliance configurations
- 0: Exit
- Selecting option #2 will cause the script to attempt automatic remediation of all entries listed as:
Not implemented (Use 'Apply Configurations' option to fix)
Note: Entries that are suppressed within the Security & Compliance Analyzer UI will be listed as "Not implemented" but will NOT be fixed using the script. - After applying remediation actions, results will be displayed in the console.
Example Screenshots
Note how 9 entries have (Use 'Apply configurations' option to fix), but only 8 are corrected.
This is due to the Security alert regarding Remote Desktop Services (TermService) being Suppressed in the UI (see screenshot below).
This is due to the Security alert regarding Remote Desktop Services (TermService) being Suppressed in the UI (see screenshot below).
Example of Suppressed Entry
Download Information
Unsupported Script
This script is provided as a courtesy and is not supported by Veeam Technical Support. Use it at your own risk.
Veeam Technical Support will not assist in using or troubleshooting this tool.
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.