[GUIDE] VBR 12. 1 How to pass all Security & Compliance Part 02

•  
• WDigest credentials caching should be disabled – Passed

• Web Proxy Auto-Discovery service (WinHttpAutoProxySvc) should be disabled - passed

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc -Name Start -Value 4

and CHECK

Service (WinHttpAutoProxySvc) does not have the ability to be disabled.

MS recommends not dusabling it could cause malfunctions, proceed as follows to disable WPAD without disabling the service.

Microsoft Security Bulletin MS16-077 - Important | Microsoft Learn
How to disable HTTP proxy features - Windows Server | Microsoft Learn

​​​​​The Web Proxy Auto-Discovery service (WinHttpAutoProxySvc) is a service in Windows that facilitates the discovery of proxy servers in an enterprise environment. In some security configurations, it might be recommended to disable this service, especially in scenarios where explicit proxy configuration is preferred over automatic discovery.

Workarounds

The following workarounds may be helpful in your situation.

Disable WINS/NetBT name resolution

In the list of components, click Internet Protocol (TCP/IP), and then click Properties.

Click Advanced, click the WINS tab, and then click Disable NetBIOS over TCP/IP.

Optionally, you can select the Use NetBIOS setting on the DHCP server if you are using a DHCP server that can selectively enable and disable NetBIOS configuration through DHCP option types.

Stop WPAD using a host file entry

Open the host file located at following location as an administrator: %systemdrive%\Windows\System32\Drivers\etc\hosts

Create the following entry for WPAD in the host file: 255.255.255.255 wpad.

• Hardened repositories should not be hosted in virtual machines – Passed

Self Explened

• Deprecated versions of SSL and TLS should be disabled - passed

Disable TLS 1.0 and TLS 1.1 on Windows Server using CMD

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f

Disable SSL2 & SSL3 on Windows Server using CMD

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f

 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server /v Enabled /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server /v DisabledByDefault /t REG_DWORD /d 1 /f

 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f

 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

save in reg file

Windows Registry Editor Version 5.00

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

• Network traffic encryption should be enabled in the backup network – Passed

Enabling Traffic Encryption - User Guide for VMware vSphere (veeam.com)

• Linux servers should have password-based authentication disabled – Passed

linux - Disabling password authentication - Server Fault

Disabling password-based authentication and using key-based authentication is generally considered a more secure practice for accessing Linux servers. Key-based authentication, often implemented using SSH (Secure Shell), provides a stronger level of security compared to password-based authentication. Veeam may recommend this security measure to enhance the protection of Linux servers in your environment.

SSH Configuration File:

On the Linux server, open the SSH configuration file in a text editor. The location of the file may vary but is often found at /etc/ssh/sshd_config.

bash

sudo nano /etc/ssh/sshd_config

Edit Configuration:

Find the line that starts with PasswordAuthentication and set its value to no. If the line is commented out with a #, remove the # to uncomment it.

PasswordAuthentication no

Save and Close:

Save the changes to the configuration file and exit the text editor.

Restart the SSH service to apply the changes.

bash

sudo systemctl restart sshd

• (UBUNTU) Or enable firewall & Deny SSH

sudo ufw enable

sudo ufw deny ssh

 

• Windows Script Host should be disabled - passed

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\

or

HKEY_CURRENT_MACHINE\Software\Microsoft\Windows Script Host\Settings\

Create a new REG_DWORD key, call it Enabled and assign a value of 0 (zero) to it.

• SMBv1 protocol should be disabled – Passed

How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Learn

Detect:

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Get-SmbServerConfiguration | select EnableSMB1Protocol,EnableSMB2Protocol

Disable:

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Enable:

Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

• Link-Local Multicast Name Resolution (LLMNR) should be disabled - passed

Using Local Group Policy (for standalone machines):

Navigate to Computer Configuration -> Administrative Templates -> Network -> DNS Client.

Find the policy named "Turn off Multicast Name Resolution" and set it to "Enabled."

     Using the Registry Editor:

Navigate to the following registry key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient

If the "DNSClient" key doesn't exist, you may need to create it.

Create a DWORD value named " EnableMulticast " and set its value to 0.

• Backup services should be running under the LocalSystem account – Passed

By default, many Veeam services run under the "Local System" account, which is a built-in Windows account that has a high level of privileges on the local machine. Running services under the "Local System" account can provide the necessary permissions for backup and recovery tasks, but it's important to understand the implications and to follow best practices for security and access control.

Sufficient Permissions: The "Local System" account has extensive local privileges, which are often sufficient for backup and recovery tasks. However, this can be a double-edged sword, as it also means that these services have a high level of access to the local system. It's important to ensure that these permissions are not abused or exploited.

Lack of Network Access: Services running under the "Local System" account typically do not have network access permissions. If Veeam Backup needs to access network resources, you may need to configure the necessary permissions or use a different service account that has the required network access.

Security Implications: Running services under the "Local System" account may expose your system to certain security risks, especially if the backup server is compromised. It's crucial to harden your system's security and follow best practices for securing your Veeam environment.

Service Account Best Practices: If you decide to use a dedicated service account for Veeam services, ensure that it has the necessary permissions to perform backup and recovery operations and access network resources. Follow best practices for securing and managing service accounts, such as regularly updating their passwords and limiting their scope of access.

• Credentials and encryption passwords should be rotated at least annually – Passed

Rotating the Veeam encryption key - R&D Forums

Rotating credentials and encryption passwords at least annually is a good security practice to help protect sensitive data, including backups, and reduce the risk of unauthorized access. It's positive that this requirement has passed, as it demonstrates your organization's commitment to maintaining strong security practices with your Veeam Backup & Replication setup.

• Hardened repositories should have the SSH Server disabled – Passed

Disabling SSH (Secure Shell) on hardened repositories used in conjunction with Veeam Backup & Replication is a security best practice. It's positive that this requirement has passed, as it reduces the attack surface and minimizes potential security vulnerabilities on these repositories. Here are some key points to consider:

•             Reject empty passwords (PermitEmptyPasswords no)

•             Reject root login (PermitRootLogin no)

•             Set a session time out limit for SSH sessions (ClientAliveINterval 300)

•             Limit the number of authentication attempts (MaxAuthTries 3)

•             Limit the maximum number of unauthenticated connections (MaxStartups 3:50:XX)

•             Reduce the maximum amount of time allowed to successfully login (LoginGraceTime 60)

•             Limit the users on the server and those allowed to login via SSH ((AllowUsers User1  User2)All

•             Consider installing failban and whitelisting the know IP addresses that may log in.

sudo /etc/init.d/ssh restart

sudo service sshd restart

disable

sudo systemctl disable ssh.service

stop

sudo systemctl stop ssh.service

completely disable 

sudo systemctl mask ssh.service

• S3 Object Lock in the Governance mode doesn't provide true immutability – Passed

Which means it does not offer a complete guarantee against the deletion or modification of objects during a retention period. Object Lock in the Governance mode is designed to provide a level of data protection but with certain limitations compared to the Compliance mode.

The Hardened Linux Server repository from best practice must be physical.

ADDON

• Enable backup job encryption

• Enable Backup Repository Encryption

Backup Repository Encryption | Veeam Backup & Replication Best Practice Guide

Let me know if you find any typos.
Have fun