Implement Security and Compliance by adding more security controls.
Each time a change is applied take a snapshot, restart the server, and run propaedeutic tests to verify that the change did not cause a failure.
- Remote Desktop Service (TermService) should be disabled – passed
While not always necessary, consider restarting the server to ensure that the changes take effect.
# Stop the Remote Desktop Services (TermService)
Stop-Service -Name TermService -Force
# Disable the Remote Desktop Services (TermService)
Set-Service -Name TermService -StartupType Disabled
- Remote Registry service (RemoteRegistry) should be disabled – Passed
Get-service "RemoteRe*" | Sort-Object "status,service name" | ft -autosize
Set-Service RemoteRegistry -startuptype "disabled"
- Windows Remote Management (WinRM) service should be disabled - Not implemented
Get-Service -Name WinRM -DependentServicesStop-Service -Name WinRM -Force -Verbose
Stop-Service -Name Winrm
Set-Service WinRM -startuptype "Disabled"Change the startup type of services
Set-Service WinRM -startuptype "Automatic"
- Windows Firewall should be enabled - Passed
Get-NetFirewallProfile | Format-Table Name, Enabled
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled true
- MFA for the backup console should be enabled - passed
Multi-Factor Authentication - User Guide for VMware vSphere (veeam.com)
From the architect’s desk - Multi-factor authentication how-to | Veeam Community Resource Hub
Create Local User on Computer manager, Users group member
Add user to enable MFA Auth:
before you can enable MFA you need to remove the builtin\Administrators group, insert Local Administrator then add the user for whom you want to enable MFA and carry out the activation procedure.
Configured configuration backup encryption.
Next , I show how to configure it
Close Console and proced to enable MFA
Scan QR on my Google Auth
- Immutable or offline (air gapped) media should be used - passed
Implement Linux Hardened Repository
Implement Tape Library (Air-gapped)
The recommendation to use immutable or offline (air-gapped) media in the context of Veeam or any backup solution is part of a best practice for enhancing the security and integrity of your backup data. This practice is especially relevant in the context of protecting against ransomware and other forms of malicious attacks that could compromise your backup infrastructure.
- Password loss protection should be enabled - Passed
Log on on Enterprise Manager and enable it, add vbr to backup Servers on EM.
- Email notifications should be enabled - passed
- Configuration backup should be enabled and use encryption - passed
- Backup server should not be a part of the production domain – Passed
Do not join Veeam servers to the production domain
- All backups should have at least one copy (the 3-2-1 backup rule) - passed
Backup Copy Job - Veeam ONE Reporting Guide
Having only one copy of a backup file does not provide the level of security needed. To create an effective data protection and disaster recovery plan, you must have at least one independent copy of a backup file offsite, such as at the remote site.
- Reverse incremental backup mode is deprecated and should be avoided – Passed
Self Explaining
- Backup jobs to cloud repositories should use encryption – Passed
If you use a cloud-based backup repository encrypt backups
- Unknown Linux servers should not be trusted automatically - Passed
- The configuration backup must not be stored on the backup server - Passed
KB2645: Protecting the Veeam Backup & Replication server
Create one new backup repo dedicate to save “condfiguration backup on another server”
- Host to proxy traffic encryption should be enabled for the Network transport mode – Passed
- SMBv3 signing and encryption should be enabled - passed
Securing Backup Infrastructure - User Guide for VMware vSphere (veeam.com)
Configure SMB Signing with Confidence - Microsoft Community Hub
SMB security enhancements | Microsoft Learn
Enabling SMBv3 (Server Message Block version 3) signing and encryption is a best practice for enhancing the security of file and printer sharing in Windows environments. SMB is a network file-sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. SMBv3 is the latest version of this protocol and includes features like signing and encryption to improve data security.
Here's how to enable SMBv3 signing and encryption on Windows:
Enabling SMBv3 Signing:
Type gpedit.msc and press Enter to open the Group Policy Editor.
Navigate to the Policy:
In the left pane, go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
Enable "Microsoft network client: Digitally sign communications (always)":
Find the policy named "Microsoft network client: Digitally sign communications (always)" and set it to "Enabled."
Enable "Microsoft network server: Digitally sign communications (always)":
Similarly, find the policy named "Microsoft network server: Digitally sign communications (always)" and set it to "Enabled."
Restart the Computer:
Changes to Group Policy may require a restart for the settings to take effect.
Enabling SMBv3 Encryption:
Open PowerShell as Administrator:
Right-click on the Start button and choose "Windows PowerShell (Admin)" or "Command Prompt (Admin)."
Run the following command:
powershell
Set-SmbServerConfiguration -EncryptData $true
Restart the Server service:
Run the following command to restart the Server service:
powershell
Restart-Service LanmanServer
Enabling encryption for SMBv3 ensures that data transferred between clients and servers is encrypted, providing an additional layer of security
[GUIDE] VBR 12. 1 How to pass all Security & Compliance Part 02 | Veeam Community Resource Hub
;)
