
The vision:

For years, I have been deeply involved in security topics, hardening practices, and strategies to make these concepts more practical and accessible in real-world scenarios. The challenge often lies in the high barriers and effort required for implementation, which discourages many customers, IT administrators, and even managed service providers.

 

In the realm of Disaster Recovery, I view security as one of the most critical building blocks. We live in an era where it’s no longer sufficient to simply have a backup; what truly matters is recoverability. To achieve this, it is essential to protect company backups as effectively as possible, ensuring resilience against potential threats.

 

Veeam, in its recent versions, has introduced the Security & Compliance Analyzer, which provides an initial assessment of how an environment is set up. This tool goes beyond technical measures and examines the architecture itself, including adherence to the 3-2-1 rule, the presence of air gaps, and more.

 

My goal is to develop a script that explicitly focuses on the Windows stack under the Veeam installation. A default Windows operating system is not optimized and inherently comes with numerous vulnerabilities that are often overlooked, posing significant risks.

 

To make this solution even more practical and user-friendly, I aim to create an interactive script that guides users step-by-step through the hardening process. The guiding principle for me is “Out-of-the-Box Security for Windows”, empowering users to achieve a secure baseline effortlessly while reducing complexity.

 

CIS Benchmark:

The foundation of my script is aligned with the latest recommendations from the Center for Internet Security (CIS). Specifically, I utilized the CIS Benchmarks, focusing on the guidelines for Windows Server 2022, as of November 2024.

These benchmarks provide a comprehensive framework with over 980 pages of content, detailing measures to harden and protect Windows Server operating systems for various scenarios.

I reviewed the table of contents and noted all rules and guidelines for non-domain-joined systems. In the second step, I converted these rules into a script and tested them.

 

Disclaimer:

Important: I do not provide any guarantees that the script I have successfully tested will run without errors in every environment. The script is solely intended to simplify and standardize hardening standards, which may not be applicable or appropriate for all environments! Furthermore, I do not guarantee the completeness of the tests!

 

Applying the script in existing installations:

I have also conducted the above-mentioned tests on an existing environment that was installed as an Advanced Deployment. I applied the script and verified the functionality of the environment. A clear limitation here is that, for example, a service account for Veeam is created, which may already exist or may not be further utilized after creation, as Veeam is already installed and configured.

 

Prerequisites and procedure:

The script is primarily designed for new installations!

  • The server must not be a domain member
  • Initial login and script execution must be performed with the built-in Administrator
  • OS: Windows Server 2022 Standard or Datacenter
  1. Install Windows Server (as required).
  2. Install drivers (VMware Tools or vendor-specific drivers).
  3. Set IP configurations (assign IP address, etc.).
  4. Set server name and workgroup, then restart the server.
  5. Create a folder named “Install” on drive C:.
  6. Copy the contents of the ZIP file (script and ntrights.exe) into the Install folder.
  7. Execute the script with administrative privileges (PowerShell).
  8. Allow the server to restart and install Veeam, specifying the service account.
  9. Apply / implement the Veeam Security & Compliance script.
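The prerequisites and steps 5 to 7 above can be verified before the hardening script is started. The following pre-flight check is an added example, not part of the script in the post; it assumes the folder `C:\Install` and the file `ntrights.exe` named in the procedure and is run in an elevated PowerShell session on the server itself.

```powershell
# Added example (not from the post's script): pre-flight check for the
# prerequisites listed in the post. Run in an elevated PowerShell session
# before executing the hardening script.
#Requires -RunAsAdministrator

function Test-HardeningPrerequisites {
    [CmdletBinding()]
    param(
        [string]$InstallFolder = 'C:\Install',          # folder named in the post
        [string[]]$RequiredFiles = @('ntrights.exe')    # file named in the post
    )

    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($Name, $Ok, $Detail)
        $results.Add([pscustomobject]@{ Check = $Name; Passed = [bool]$Ok; Detail = $Detail }) }

    # 1. The server must not be a domain member
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    & $add 'Not domain-joined' (-not $cs.PartOfDomain) ("Domain/Workgroup: " + $cs.Domain)

    # 2. Running as the built-in Administrator (RID 500), not merely any local admin
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $isBuiltin = $me.User.Value -like 'S-1-5-21-*-500'
    & $add 'Built-in Administrator account' $isBuiltin $me.Name

    # 3. OS is Windows Server 2022 (Standard or Datacenter)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    & $add 'Windows Server 2022' ($os.Caption -match 'Windows Server 2022') $os.Caption

    # 4. C:\Install exists and contains the required files
    & $add 'Install folder exists' (Test-Path -LiteralPath $InstallFolder -PathType Container) $InstallFolder
    foreach ($f in $RequiredFiles) {
        $path = Join-Path $InstallFolder $f
        & $add "File present: $f" (Test-Path -LiteralPath $path -PathType Leaf) $path
    }

    # 5. The script must be executed from the install folder
    $here = (Get-Location).Path.TrimEnd('\')
    & $add 'Working directory is install folder' ($here -ieq $InstallFolder.TrimEnd('\')) $here

    return $results
}

$report = Test-HardeningPrerequisites
$report | Format-Table -AutoSize
if ($report.Passed -contains $false) {
    Write-Warning 'One or more prerequisites are not met; do not run the hardening script yet.'
    exit 1
}
```

The check for the built-in Administrator compares the SID's relative identifier (500) rather than the account name, because the account may have been renamed (the CIS benchmark itself recommends renaming it).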

 

Important: I recommend familiarizing yourself with the content listed below, as it introduces changes that may affect the operation of the system!

 

For example, an idle timeout of 15 minutes is configured. This means that an active session will be disconnected after 15 minutes, and all open windows and processes within that session will be terminated.
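The CIS benchmark expresses a 15-minute limit of this kind through the Remote Desktop Services policy settings "Set time limit for active but idle Remote Desktop Services sessions" and "End session when time limits are reached". The snippet below is an added example, not code from the post's script, and which registry values that script writes is not shown in the post; the values used here are the ones the corresponding Group Policy settings store under the Terminal Services policy key, so an administrator can verify the configured limit before and after hardening.

```powershell
# Added example (not from the post's script): read and, with -WhatIf support,
# set the RDS idle-session limit and the "end session" flag behind the
# 15-minute timeout. Values are the registry-backed Group Policy settings.
$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdsIdleSessionLimit {
    # MaxIdleTime is stored in milliseconds; fResetBroken = 1 ends the session
    # (terminating its processes) instead of only disconnecting it.
    $maxIdle = Get-ItemPropertyValue -Path $TsPolicy -Name 'MaxIdleTime'  -ErrorAction SilentlyContinue
    $reset   = Get-ItemPropertyValue -Path $TsPolicy -Name 'fResetBroken' -ErrorAction SilentlyContinue

    $minutes = $null
    if ($null -ne $maxIdle) { $minutes = [int]($maxIdle / 60000) }

    [pscustomobject]@{
        IdleLimitMinutes   = $minutes
        EndSessionOnLimit  = ($reset -eq 1)
        MeetsFifteenMinute = ($maxIdle -eq 900000 -and $reset -eq 1)
    }
}

function Set-RdsIdleSessionLimit {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Minutes = 15)

    if (-not (Test-Path -LiteralPath $TsPolicy)) {
        New-Item -Path $TsPolicy -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($TsPolicy, "Set idle limit to $Minutes minutes and end session when reached")) {
        New-ItemProperty -Path $TsPolicy -Name 'MaxIdleTime'  -PropertyType DWord -Value ($Minutes * 60000) -Force | Out-Null
        New-ItemProperty -Path $TsPolicy -Name 'fResetBroken' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Inspect the current state first, then dry-run the change; drop -WhatIf to apply.
Get-RdsIdleSessionLimit
Set-RdsIdleSessionLimit -Minutes 15 -WhatIf
```

Because the limit ends the session rather than locking it, anything running interactively in that session (an open Veeam console, a long-running restore started from it) is lost when the limit is reached; long tasks belong in jobs or scheduled tasks rather than an interactive RDP session.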

 

Roadmap:

  1. Extraction of templates, GPOs, and registry keys based on the CIS benchmark
  2. Creation of a comprehensive PowerShell script from the notes with the assistance of AI
  3. Testing the script and its executability
  4. Review and optimization of the script and implemented options
  5. Installation of Veeam Backup & Replication and Veeam Enterprise Manager, followed by production testing
  6. Documentation/commenting of the script
  7. Outlook on further tasks

 

Forecast on further To-Dos:

  • Testing the script with VeeamONE and Veeam Recovery Orchestrator
  • Testing and extending the script for Windows Server 2025
  • Continuous optimization of reporting and output
  • Incorporating feedback from the community

 

Community feedback:

This is a community-driven project initiated by me. Specifically, this means that I not only rely on feedback from the community but actively welcome it. The reasoning behind this is that the Veeam community includes many brilliant minds who are deeply immersed (even more so than I am) in IT security and coding. Their inputs will undoubtedly be highly valuable and will help shape future versions of the script.

 

Testing the script:

I thoroughly tested the script within my lab environment and successfully validated the following scenarios:

  • Installation and configuration of Veeam Backup & Replication v12.3.0.310
  • Installation and configuration of Veeam Enterprise Manager v12.3.0.310
  • Integration of a vSphere environment (vCenter) and creation of backup jobs
  • Integration of a Hyper-V environment (Failover Cluster) and creation of backup jobs
  • Execution of backup jobs using HotAdd transport mode
  • Execution of backup jobs using NBD transport mode
  • Execution of backup jobs using NBD (encrypted) transport mode
  • Execution of Instant VM Recovery jobs with vSphere, including migrate to production
  • Execution of Instant VM Recovery jobs with Hyper-V, including migrate to production
  • Execution of Full Recovery jobs with vSphere
  • Execution of Full Recovery jobs with Hyper-V
  • Testing/application of Veeam Threat Hunters

 

Downloading the script:

Here is the corresponding GitHub link:

lukas-kl/veeam-win-hardening-script: Veeam Hardening Script for Windows (CIS contents)

I also uploaded a ZIP file including the current fileset to this post. Please refer to the GitHub link for the most current updates.

 

Execution & script contents (ReadMe):

The script must be executed with administrative privileges!

The script, including the ntrights.exe file, must be located in and executed from the following path:

C:\Install

 

ntrights.exe

The tool “ntrights.exe” is used to modify the local security policy of the Windows system and set various rules. The required .exe file is provided in a tested version, but it can also be downloaded manually if preferred. This tool is well-known and originates from the Windows Server 2003 Resource Kit.
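As an added example (not the script from the post), the wrapper below shows how ntrights.exe from `C:\Install` is typically invoked and, more importantly, how to verify the resulting user-right assignment independently by exporting the local security policy with `secedit`. The account name `svc_veeam` is a constructed placeholder; `SeServiceLogonRight` ("Log on as a service") is used as an illustrative privilege.

```powershell
# Added example (not from the post's script): grant or revoke one user right
# with ntrights.exe and verify the change via a secedit export of the
# USER_RIGHTS area. 'svc_veeam' is a constructed placeholder account name.
$NtRights = 'C:\Install\ntrights.exe'   # path named in the post

function Get-LocalUserRightAssignment {
    param([Parameter(Mandatory)][string]$Privilege)
    # The export is an INI file with lines such as:
    #   SeServiceLogonRight = *S-1-5-80-0,svc_veeam
    # Well-known accounts appear as *SID, local accounts usually by name.
    $tmp = Join-Path $env:TEMP 'user_rights_export.inf'
    & secedit.exe /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content -LiteralPath $tmp | Where-Object { $_ -match "^$Privilege\s*=" }
    Remove-Item -LiteralPath $tmp -Force -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    return ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
}

function Set-LocalUserRight {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$Privilege,
        [ValidateSet('Grant', 'Revoke')][string]$Action = 'Grant'
    )
    if (-not (Test-Path -LiteralPath $NtRights)) { throw "ntrights.exe not found at $NtRights" }

    # ntrights syntax: ntrights {+r|-r} <privilege> -u <account>
    $flag = if ($Action -eq 'Grant') { '+r' } else { '-r' }
    if ($PSCmdlet.ShouldProcess($Account, "$Action $Privilege")) {
        & $NtRights $flag $Privilege -u $Account | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "ntrights.exe failed with exit code $LASTEXITCODE" }
    }

    # Always verify against the policy export rather than trusting the exit code
    $holders = Get-LocalUserRightAssignment -Privilege $Privilege
    [pscustomobject]@{
        Account   = $Account
        Privilege = $Privilege
        Action    = $Action
        NowHolds  = ($holders -contains $Account)
    }
}

# Dry run (drop -WhatIf to apply), then list who currently holds the right
Set-LocalUserRight -Account 'svc_veeam' -Privilege 'SeServiceLogonRight' -Action Grant -WhatIf
Get-LocalUserRightAssignment -Privilege 'SeServiceLogonRight'
```

The verification step matters because ntrights.exe is an unsigned, two-decade-old binary: checking the exported policy confirms that exactly the intended right changed and gives an audit trail that does not depend on the tool's own output.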

 

Implemented contents of the script:

Since the content (around 1200 lines of code) and the detailed policies are too long for this forum post (I have tried to upload it many times), please refer to the PDF file inside the .zip or use my blog instead:

 

18 – Veeam Windows Hardening Skript according to CIS defaults – Disaster and Recovery

Well done my friend, as discussed with you the last days, this will really help us a lot. 💚👏
Can’t wait to test this out, appreciate it!


Great looking project here Lukas.  I am going to take a look and possibly try this out in my lab.  Will provide feedback as I go.


Great job in here, Lukas! 


WOW ​@lukas.k 

I haven't seen the script yet or read your article in depth, but it's the same goal I was focusing on.... let's say…. I saved some time... thanks for sharing.


Wow, great effort Lukas!! 👏🏻

It will take some time to verify all these lines of code! 😁


WOW ​@lukas.k 

I haven't seen the script yet or read your article in depth, but it's the same goal I was focusing on.... let's say…. I saved some time... thanks for sharing.

In case you have experience in designing reports in HTML (e.g.) please feel free to reach out, maybe we could collaborate. Based on the amount of policies / keys that are applied this is an own project I’m afraid…😁


This is awesome. Well done ​@lukas.k 


Hi ​@lukas.k, that is brilliant, thank you!
Just a question: will your script replace the https://www.veeam.com/kb4525 “Script to Automate Implementation of Security & Compliance Analyzer Recommendations”?


Wow, great effort Lukas!! 👏🏻

It will take some time to verify all these lines of code! 😁

Thank you ​@lukas.k for the script, indeed that was a lot! BTW, it is actually great to have an alternative script based on the CIS benchmark for Out-of-the-Box Security for Windows. Do you have a policy to disable the execution policy after applying this script? Or what other strategies do you have in place to mitigate or ensure that only this script is able to run as this will help reduce the risk of running untrusted or harmful scripts on your server. 


> This is a community-driven project initiated by me. Specifically, this means that I not only rely on feedback from the community but actively welcome it.

Here is a scenario I would like you to reproduce to see if it affects your script as well “https://www.veeam.com/kb4698” as reported by ​@vAdmin today. 


Hi ​@lukas.k, that is brilliant, thank you!
Just a question: will your script replace the https://www.veeam.com/kb4525 “Script to Automate Implementation of Security & Compliance Analyzer Recommendations”?

Hi and thank you for the positive feedback! This will not replace the Security & Compliance script, because that script covers the architecture as well (3-2-1 rule, air-gapping, immutability and design topics) besides some technical settings.

My script is dedicated to the preparation of the underlying Windows OS. You should run both scripts: first the OS script (my hardening script above), then install Veeam, then run the Security & Compliance script.


Hi ​@lukas.k, that is brilliant, thank you!
Just a question: will your script replace the https://www.veeam.com/kb4525 “Script to Automate Implementation of Security & Compliance Analyzer Recommendations”?

 

Hi Andre, Lukas' script does not replace KB4525. Lukas' intent is to help us harden our Windows-based VBR (with focus on CIS). Use it as an additional tool/script to secure your underlying Windows system.

 

edit: Lukas was faster 😅


Wow, great effort Lukas!! 👏🏻

It will take some time to verify all these lines of code! 😁

Thank you ​@lukas.k for the script, indeed that was a lot! BTW, it is actually great to have an alternative script based on the CIS benchmark for Out-of-the-Box Security for Windows. Do you have a policy to disable the execution policy after applying this script? Or what other strategies do you have in place to mitigate or ensure that only this script is able to run as this will help reduce the risk of running untrusted or harmful scripts on your server. 

Thank you for the feedback!

I currently do not have a policy implemented to disable PS in general. I’m still evaluating if Veeam (or upgrades in underlying components or Veeam itself) has dependencies on PS. Keep in mind that depending on the architecture you want to be able to run scripts in general, e.g. the Security & Compliance script has to be executed after the OS hardening script so I can’t trigger that command during my script.

I noted this on my agenda to spend some thoughts on it. Maybe this requires some manual advice to disable PS after everything (including both scripts) is done and to re-activate it to perform certain actions.

 

Basically the usage of any script doesn’t prevent thoughts on hardened architecture strategies such as disabling internet access, isolating Veeam components from production networks, using PAWs etc.


> This is a community-driven project initiated by me. Specifically, this means that I not only rely on feedback from the community but actively welcome it.

Here is a scenario I would like you to reproduce to see if it affects your script as well “https://www.veeam.com/kb4698” as reported by ​@vAdmin today. 

I noted this on my agenda. I tested the script and made final changes at the end of last week and I’ve used the latest ISO available. Since this is a more recent topic I will test this again and share some feedback asap!

 

Hint: I’m 90% sure there will be no issue, here’s why:

The error seems to be caused by the Windows Script Host being disabled. My script does not disable it yet, but the Security & Compliance script (which should be executed anyway after the initial Veeam installation & configuration) will. So basically: yes, you might run into this error when you follow the process from start to finish (which runs the S&C script), but you might not when you only execute my script.

 

I will test it either way and share feedback. 😊


Hi ​@lukas.k, that is brilliant, thank you!
Just a question: will your script replace the https://www.veeam.com/kb4525 “Script to Automate Implementation of Security & Compliance Analyzer Recommendations”?

Hi and thank you for the positive feedback! This will not replace the Security & Compliance script, because that script covers the architecture as well (3-2-1 rule, air-gapping, immutability and design topics) besides some technical settings.

My script is dedicated to the preparation of the underlying Windows OS. You should run both scripts: first the OS script (my hardening script above), then install Veeam, then run the Security & Compliance script.

Hi ​@lukas.k, thank you for clarifying.


Hi ​@lukas.k, that is brilliant, thank you!
Just a question: will your script replace the https://www.veeam.com/kb4525 “Script to Automate Implementation of Security & Compliance Analyzer Recommendations”?

 

Hi Andre, Lukas' script does not replace KB4525. Lukas' intent is to help us harden our Windows-based VBR (with focus on CIS). Use it as an additional tool/script to secure your underlying Windows system.

 

edit: Lukas was faster 😅

@Dynamic yes, he was faster, thank you !!! ;-)


Hopefully soon the only TCP port to VBR will be 443 😎 !

 

Thank you ​@lukas.k for sharing your good work!


> This is a community-driven project initiated by me. Specifically, this means that I not only rely on feedback from the community but actively welcome it.

Here is a scenario I would like you to reproduce to see if it affects your script as well “https://www.veeam.com/kb4698” as reported by ​@vAdmin today. 

Hi ​@Iams3le,

As promised I ran some tests and this is the result:

As expected, the script does not affect or reproduce the error mentioned in the KB article. This is because my script does not disable the Windows Script Host, which seems to be required during the upgrade process.

The Security & Compliance Analyzer script does, so it does affect the process, but I intentionally did not let the S&C script run, only mine (before the installation).

 

Hope that helps! Take care!

Lukas
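The two questions raised in this thread, whether PowerShell script execution is still enabled after hardening and whether Windows Script Host has been disabled (the KB4698 scenario), can both be answered with one audit before an upgrade or before running the Security & Compliance script. The function below is an added example and not part of either script; it reads the WSH `Enabled` value Windows checks in the machine and user Settings keys and reports the PowerShell execution policy per scope.

```powershell
# Added example (not from the post's script or the S&C script): audit whether
# Windows Script Host and PowerShell script execution are currently allowed on
# a hardened server, so the state is known before an installer runs.
function Get-ScriptingState {
    # WSH is disabled by setting the 'Enabled' DWORD to 0 under either key;
    # the HKLM value applies to every account on the machine.
    $wshKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
        'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    )
    $wshDisabledBy = @(foreach ($k in $wshKeys) {
        $v = Get-ItemPropertyValue -Path $k -Name 'Enabled' -ErrorAction SilentlyContinue
        if ($v -eq 0) { $k }
    })

    # Execution policy per scope; MachinePolicy/UserPolicy are set by Group Policy
    # and cannot be overridden from the session.
    $policies  = Get-ExecutionPolicy -List
    $effective = Get-ExecutionPolicy

    [pscustomobject]@{
        WshEnabled             = ($wshDisabledBy.Count -eq 0)
        WshDisabledBy          = $wshDisabledBy
        EffectiveExecPolicy    = $effective
        ExecPolicyByScope      = ($policies | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
        UnsignedScriptsCanRun  = ($effective -in 'Unrestricted', 'RemoteSigned', 'Bypass')
        SignedScriptsCanRun    = ($effective -ne 'Restricted')
    }
}

$state = Get-ScriptingState
$state | Format-List

if (-not $state.WshEnabled) {
    Write-Warning ("Windows Script Host is disabled via " + ($state.WshDisabledBy -join ', ') +
                   "; re-enable it temporarily before running an installer that depends on it.")
}
if ($state.UnsignedScriptsCanRun) {
    Write-Warning "Unsigned PowerShell scripts can run ($($state.EffectiveExecPolicy)); consider AllSigned once hardening is complete."
}
```

The `SignedScriptsCanRun` field is the one that matters for the execution-policy question above: an `AllSigned` policy set through Group Policy still lets a signed hardening or S&C script run while blocking ad-hoc unsigned scripts, which is a middle ground between leaving PowerShell open and disabling it entirely.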


> This is a community-driven project initiated by me. Specifically, this means that I not only rely on feedback from the community but actively welcome it.

Here is a scenario I would like you to reproduce to see if it affects your script as well “https://www.veeam.com/kb4698” as reported by ​@vAdmin today. 

Hi ​@Iams3le,

As promised I ran some tests and this is the result:

As expected, the script does not affect or reproduce the error mentioned in the KB article. This is because my script does not disable the Windows Script Host, which seems to be required during the upgrade process.

The Security & Compliance Analyzer script does, so it does affect the process, but I intentionally did not let the S&C script run, only mine (before the installation).

 

Hope that helps! Take care!

Lukas

Thank you very much ​@lukas.k for the exceptional script and tests you have performed so far! Cheers and merry Christmas in advance

