- WDigest credentials caching should be disabled – Passed
- Web Proxy Auto-Discovery service (WinHttpAutoProxySvc) should be disabled - passed
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc -Name Start -Value 4
Then check the result. The WinHttpAutoProxySvc service cannot be disabled in the usual way, and Microsoft recommends against disabling it because doing so can cause malfunctions. Instead, proceed as follows to disable WPAD without disabling the service.
Microsoft Security Bulletin MS16-077 - Important | Microsoft Learn
How to disable HTTP proxy features - Windows Server | Microsoft Learn
The Web Proxy Auto-Discovery service (WinHttpAutoProxySvc) is a service in Windows that facilitates the discovery of proxy servers in an enterprise environment. In some security configurations, it might be recommended to disable this service, especially in scenarios where explicit proxy configuration is preferred over automatic discovery.
Workarounds
The following workarounds may be helpful in your situation.
Disable WINS/NetBT name resolution
In the list of components, click Internet Protocol (TCP/IP), and then click Properties.
Click Advanced, click the WINS tab, and then click Disable NetBIOS over TCP/IP.
Optionally, you can select the Use NetBIOS setting on the DHCP server if you are using a DHCP server that can selectively enable and disable NetBIOS configuration through DHCP option types.
Stop WPAD using a host file entry
Open the hosts file located at the following location as an administrator: %systemdrive%\Windows\System32\Drivers\etc\hosts
Create the following entry for WPAD in the hosts file: 255.255.255.255 wpad.
- Hardened repositories should not be hosted in virtual machines – Passed
Self-explanatory.
- Deprecated versions of SSL and TLS should be disabled - passed
Disable TLS 1.0 and TLS 1.1 on Windows Server using CMD
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
Disable SSL2 & SSL3 on Windows Server using CMD
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
Or save the following as a .reg file and import it (TLS 1.2 is explicitly kept enabled):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
- Network traffic encryption should be enabled in the backup network – Passed
Enabling Traffic Encryption - User Guide for VMware vSphere (veeam.com)
- Linux servers should have password-based authentication disabled – Passed
linux - Disabling password authentication - Server Fault
Disabling password-based authentication and using key-based authentication is generally considered a more secure practice for accessing Linux servers. Key-based authentication, often implemented using SSH (Secure Shell), provides a stronger level of security compared to password-based authentication. Veeam may recommend this security measure to enhance the protection of Linux servers in your environment.
SSH Configuration File:
On the Linux server, open the SSH configuration file in a text editor. The location of the file may vary but is often found at /etc/ssh/sshd_config.
sudo nano /etc/ssh/sshd_config
Edit Configuration:
Find the line that starts with PasswordAuthentication and set its value to no (if the line is commented out with a #, remove the # first). Make sure key-based login already works for the account you use before applying this, otherwise you can lock yourself out.
PasswordAuthentication no
Save and Close:
Save the changes to the configuration file and exit the text editor.
Restart the SSH service to apply the changes.
sudo systemctl restart sshd
- (Ubuntu) Alternatively, enable the firewall and deny SSH entirely:
sudo ufw enable
sudo ufw deny ssh
- Windows Script Host should be disabled - passed
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\
or
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\
Create a new REG_DWORD value named Enabled and set it to 0 (zero).
- SMBv1 protocol should be disabled – Passed
How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Learn
Detect:
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Get-SmbServerConfiguration | select EnableSMB1Protocol,EnableSMB2Protocol
Disable:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Enable:
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
- Link-Local Multicast Name Resolution (LLMNR) should be disabled - passed
Using Local Group Policy (for standalone machines):
Navigate to Computer Configuration -> Administrative Templates -> Network -> DNS Client.
Find the policy named "Turn off Multicast Name Resolution" and set it to "Enabled."
Using the Registry Editor:
Navigate to the following registry key:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
If the "DNSClient" key doesn't exist, you may need to create it.
Create a DWORD value named EnableMulticast and set its value to 0.
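As an added verification step (example script written for these notes, not taken from Veeam or Microsoft), the following PowerShell reads back the SCHANNEL protocol values, the Windows Script Host and LLMNR registry values, the SMB1 feature state and the WPAD hosts-file entry described in the sections above, using the same registry paths quoted there, and reports PASS/FAIL per item.

```powershell
# Added example (not from the original notes, Veeam or Microsoft): read back the state the
# commands above are meant to produce and report PASS/FAIL. Run from an elevated PowerShell.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Deprecated protocols must be off and not negotiable by default; TLS 1.2 must stay on.
$protocols = [ordered]@{
    'SSL 2.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'SSL 3.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.1' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
}

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or the value is absent (an unset value is not a pass).
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function New-Result([string]$Check, $Expected, $Actual, [bool]$Ok) {
    [pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $Actual
                       Result = if ($Ok) { 'PASS' } else { 'FAIL' } }
}

function Test-RegValue([string]$Check, [string]$Path, [string]$Name, [int]$Expected) {
    $actual = Get-RegValue $Path $Name
    New-Result $Check $Expected $actual (($null -ne $actual) -and ([int]$actual -eq $Expected))
}

$results = @()
foreach ($proto in $protocols.Keys) {
    foreach ($side in 'Client', 'Server') {
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            $results += Test-RegValue "SCHANNEL $proto $side $name" "$schannel\$proto\$side" $name $protocols[$proto][$name]
        }
    }
}

# Windows Script Host and LLMNR are plain registry values; SMB1 is an optional feature.
$results += Test-RegValue 'Windows Script Host Enabled' 'HKLM:\Software\Microsoft\Windows Script Host\Settings' 'Enabled' 0
$results += Test-RegValue 'LLMNR EnableMulticast' 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0
$smb1 = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
$results += New-Result 'SMB1Protocol feature' 'Disabled' $smb1 ("$smb1" -like 'Disabled*')

# WPAD workaround: the hosts file should pin wpad to 255.255.255.255 (trailing dot optional).
$wpad = Select-String -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Pattern '^\s*255\.255\.255\.255\s+wpad\.?\s*$' -Quiet
$results += New-Result 'hosts entry for wpad' 'present' $(if ($wpad) { 'present' } else { 'missing' }) ([bool]$wpad)

$results | Format-Table -AutoSize
```

A FAIL on a TLS 1.2 row after importing the .reg file above usually means the import ran without elevation; an SCHANNEL value reported as empty means the key was never created rather than set to the wrong value.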
- Backup services should be running under the LocalSystem account – Passed
By default, many Veeam services run under the "Local System" account, which is a built-in Windows account that has a high level of privileges on the local machine. Running services under the "Local System" account can provide the necessary permissions for backup and recovery tasks, but it's important to understand the implications and to follow best practices for security and access control.
Sufficient Permissions: The "Local System" account has extensive local privileges, which are often sufficient for backup and recovery tasks. However, this can be a double-edged sword, as it also means that these services have a high level of access to the local system. It's important to ensure that these permissions are not abused or exploited.
Lack of Network Access: Services running under the "Local System" account typically do not have network access permissions. If Veeam Backup needs to access network resources, you may need to configure the necessary permissions or use a different service account that has the required network access.
Security Implications: Running services under the "Local System" account may expose your system to certain security risks, especially if the backup server is compromised. It's crucial to harden your system's security and follow best practices for securing your Veeam environment.
Service Account Best Practices: If you decide to use a dedicated service account for Veeam services, ensure that it has the necessary permissions to perform backup and recovery operations and access network resources. Follow best practices for securing and managing service accounts, such as regularly updating their passwords and limiting their scope of access.
- Credentials and encryption passwords should be rotated at least annually – Passed
Rotating the Veeam encryption key - R&D Forums
Rotating credentials and encryption passwords at least annually is a good security practice to help protect sensitive data, including backups, and reduce the risk of unauthorized access. It's positive that this requirement has passed, as it demonstrates your organization's commitment to maintaining strong security practices with your Veeam Backup & Replication setup.
- Hardened repositories should have the SSH Server disabled – Passed
Disabling SSH (Secure Shell) on hardened repositories used in conjunction with Veeam Backup & Replication is a security best practice. It's positive that this requirement has passed, as it reduces the attack surface and minimizes potential security vulnerabilities on these repositories. While SSH still has to be enabled (for example during setup), here are some key points to consider:
• Reject empty passwords (PermitEmptyPasswords no)
• Reject root login (PermitRootLogin no)
• Set a session timeout limit for SSH sessions (ClientAliveInterval 300)
• Limit the number of authentication attempts (MaxAuthTries 3)
• Limit the maximum number of unauthenticated connections (MaxStartups 3:50:XX)
• Reduce the maximum amount of time allowed to successfully login (LoginGraceTime 60)
• Limit the users on the server and those allowed to log in via SSH (AllowUsers User1 User2)
• Consider installing fail2ban and whitelisting the known IP addresses that may log in.
Restart the SSH service after changing the configuration (use whichever form your distribution supports):
sudo /etc/init.d/ssh restart
sudo service sshd restart
Disable (do not start at boot):
sudo systemctl disable ssh.service
Stop the running service:
sudo systemctl stop ssh.service
Completely disable (mask, so it cannot be started even manually):
sudo systemctl mask ssh.service
- S3 Object Lock in the Governance mode doesn't provide true immutability – Passed
This means Governance mode does not offer a complete guarantee against the deletion or modification of objects during a retention period. Object Lock in Governance mode is designed to provide a level of data protection, but with certain limitations compared to Compliance mode.
Best practice: the hardened Linux repository server must be a physical machine (see the virtual-machine check above).
ADDON
- Enable backup job encryption
- Enable Backup Repository Encryption
Backup Repository Encryption | Veeam Backup & Replication Best Practice Guide
Let me know if you find any typos.
Have fun