
Update: Veeam Windows Hardening Script v1.1 - Win Server 2025 and Veeam ONE


lukas.k

Preface:

As mentioned in the past, I have made it my mission to continuously develop my Veeam Windows Hardening script. To fulfill this commitment, I have now completed and released version 1.1 of the script.

 

The changes compared to the previous version can be found in the change log below!

 

Disclaimer:

Important: I do not provide any guarantee that the script, which has been successfully tested by me, will run without errors in every environment. The script is intended solely to simplify and standardize hardening standards, which may not be suitable for every environment! Additionally, I do not guarantee the completeness of the tests!

 

Requirements and procedure:

The script is primarily designed for new installations!

  • The server must not be a domain member
  • Initial login and script execution must be performed with the built-in Administrator
  • OS: Windows Server 2022 or 2025 Standard or Datacenter

  1. Install Windows Server (as required).
  2. Install drivers (VMware Tools or vendor-specific drivers).
  3. Set IP configurations (assign IP address, etc.).
  4. Set server name and workgroup, then restart the server.
  5. Create a folder named “Install” on drive C:.
  6. Copy the contents of the ZIP file (script and ntrights.exe) into the Install folder.
  7. Execute the script with administrative privileges (PowerShell).
  8. Allow the server to restart and install Veeam, specifying the service account.
  9. Apply / implement the Veeam Security & Compliance script.

 

Important: I recommend familiarizing yourself with the content listed below, as it introduces changes that may affect the operation of the system!

For example, an idle timeout of 15 minutes is configured. This means that an active session will be disconnected after 15 minutes, and all open windows and processes within that session will be terminated.

 

Windows Server 2025 - CIS Benchmark

The contents of the script are still based on the CIS Benchmark, which my employer has kindly provided access to.

Unfortunately, as of the release of version 1.1 of the script, no benchmark for Windows Server 2025 has been published yet, so I was unable to add any additional content.

Nevertheless, I have extensively tested the script’s compatibility with Windows Server 2025 and can therefore approve its use. I have conducted the same tests as for Windows Server 2022.

 

Veeam ONE:

To expand the scope of the script to include additional Veeam products and components, I have successfully tested this version with Veeam ONE. During the tests, no limitations, restrictions, or errors were observed.

 

Downloading the script:

Within the Veeam Community, the script, including all related information, is available for download at:

lukas-kl/veeam-win-hardening-script: Veeam Hardening Script for Windows (CIS contents)

 

To not put single files (that might get outdated) into the Hub I decided to only publish the GitHub link.

 

Execution & script contents (ReadMe):

The script must be executed with administrative privileges!

The script, including the ntrights.exe file, must be located in and executed from the following path: C:\Install

 

ntrights.exe

The tool “ntrights.exe” is used to modify the local security policy of the Windows system and set various rules. The required .exe file is provided in a tested version, but it can also be downloaded manually if preferred. This tool is well-known and originates from the Windows Server 2003 Resource Kit.

 

Change Log v1.1 (as of 03/03/2025):

  • Correction of various spelling errors and optimization of outputs
  • Renaming the system disk from "Local Disk" to "OSDisk"
  • Adding input and implementation for NTP/NTP servers (multiple entries possible)
  • Disabling Automount
  • Deleting the Windows Recovery Partition and disabling dependent services
  • Expanding system drive C: using the space freed by the Recovery Partition
  • Successfully tested the script for Windows Server 2025
  • Successfully tested the script with Veeam ONE
  • Adding an input option to add multiple local administrators
  • Adding an input option to add multiple service accounts with custom labels
  • Optimization of script logic in multiple areas
  • Adding a status bar for the main parts (categories)
  • Optimization of the output file

As always - feedback and suggestions are welcome anytime!
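
A pre-flight check for the requirements listed in the post above, as an added example that is not part of the original post or of the hardening script. It assumes the script is a `.ps1` file in `C:\Install` (the post does not name the file) and only reads system state; the `Add-Check` helper is hypothetical.

```powershell
# Added pre-flight check; not part of the hardening script itself.
# Assumption: the hardening script is a .ps1 file copied to C:\Install (file name not given in the post).
$InstallDir = 'C:\Install'
$results = [System.Collections.Generic.List[object]]::new()

function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

$cs        = Get-CimInstance -ClassName Win32_ComputerSystem
$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)

# Requirement: the server must not be a domain member.
Add-Check -Name 'Not a domain member' -Passed (-not $cs.PartOfDomain) -Detail $cs.Domain

# Requirement: built-in Administrator. Its local SID ends in RID 500 even if the account was renamed.
$isBuiltIn = $identity.User.Value -match '^S-1-5-21-[\d-]+-500$'
Add-Check -Name 'Built-in Administrator' -Passed $isBuiltIn -Detail $identity.Name

# Requirement: administrative privileges (elevated PowerShell session).
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Check -Name 'Elevated session' -Passed $elevated -Detail $identity.Name

# Requirement: Windows Server 2022 or 2025, Standard or Datacenter.
$osOk = $os.Caption -match 'Windows Server (2022|2025) (Standard|Datacenter)'
Add-Check -Name 'Supported OS' -Passed $osOk -Detail $os.Caption

# Requirement: script and ntrights.exe are located in C:\Install.
$ntrights = Join-Path $InstallDir 'ntrights.exe'
$hasTool  = Test-Path -LiteralPath $ntrights -PathType Leaf
$scripts  = @(Get-ChildItem -Path $InstallDir -Filter '*.ps1' -File -ErrorAction SilentlyContinue)
Add-Check -Name 'ntrights.exe present' -Passed $hasTool -Detail $ntrights
Add-Check -Name 'Script present' -Passed ($scripts.Count -ge 1) -Detail ($scripts.Name -join ', ')

# Record the hash of the tool that will edit local security policy,
# so it can be compared with the copy shipped in the repository ZIP.
if ($hasTool) {
    $hash = (Get-FileHash -LiteralPath $ntrights -Algorithm SHA256).Hash
    Add-Check -Name 'ntrights.exe SHA256 (informational)' -Passed $true -Detail $hash
}

$results | Format-Table -AutoSize -Wrap
if ($results.Passed -contains $false) {
    Write-Warning 'Requirements not met; do not run the hardening script yet.'
}
```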

5 comments

Chris.Childerhose

Great to see this script evolving Lukas.  Will give it a test run and provide feedback. 👍🏼

 
 
 

lukas.k
  • Author
  • Veeam Vanguard
  • 198 comments
  • March 6, 2025
Chris.Childerhose wrote:

Great to see this script evolving Lukas.  Will give it a test run and provide feedback. 👍🏼

 
 
 

Thank you Chris, looking forward to your feedback!


matheusgiovanini

Great update to the Veeam Windows Hardening Script! The addition of support for Windows Server 2025 and Veeam ONE makes the solution even more robust. I’ll be testing it soon to check out the improvements in practice. Excellent content and work! 


vAdmin
  • Influencer
  • 168 comments
  • March 20, 2025

Thank you ​@lukas.k for organizing and creating this script.

Can we run the script for the Veeam Backup Proxy (Server Core Windows VM)?


lukas.k
  • Author
  • Veeam Vanguard
  • 198 comments
  • March 20, 2025
vAdmin wrote:

Thank you ​@lukas.k for organizing and creating this script.

Can we run the script for the Veeam Backup Proxy (Server Core Windows VM)?

Thank you!

The script can be run on component servers such as proxies as well. I honestly didn’t test it on Win Server Core edition since I don’t have customers in the field that use Server Core.

 

When I think about the contents and Server Core, I basically don’t see an issue, so it should (!) work.

 

In case you’d like to test it - at your own risk as always - it would be great if you could share the outcome. To have a valid scenario, please refer to the ReadMe to comply with all requirements.

