
The vision:

For years, I have been deeply involved in security topics, hardening practices, and strategies to make these concepts more practical and accessible in real-world scenarios. The challenge often lies in the high barriers and effort required for implementation, which discourages many customers, IT administrators, and even managed service providers.


In the realm of Disaster Recovery, I view security as one of the most critical building blocks. We live in an era where it’s no longer sufficient to simply have a backup; what truly matters is recoverability. To achieve this, it is essential to protect company backups as effectively as possible, ensuring resilience against potential threats.


Veeam, in its recent versions, has introduced the Security & Compliance Analyzer, which provides an initial assessment of how an environment is set up. This tool goes beyond technical measures and examines the architecture itself, including adherence to the 3-2-1 rule, the presence of air gaps, and more.


My goal is to develop a script that explicitly focuses on the Windows stack under the Veeam installation. A default Windows operating system is not optimized and inherently comes with numerous vulnerabilities that are often overlooked, posing significant risks.


To make this solution even more practical and user-friendly, I aim to create an interactive script that guides users step-by-step through the hardening process. The guiding principle for me is “Out-of-the-Box Security for Windows”, empowering users to achieve a secure baseline effortlessly while reducing complexity.


CIS Benchmark:

The foundation of my script is aligned with the latest recommendations from the Center for Internet Security (CIS). Specifically, I utilized the CIS Benchmarks, focusing on the guidelines for Windows Server 2022, as of November 2024.

These benchmarks provide a comprehensive framework with over 980 pages of content, detailing measures to harden and protect Windows Server operating systems for various scenarios.

I reviewed the table of contents and noted all rules and guidelines for non-domain-joined systems. In the second step, I converted these rules into a script and tested them.


Disclaimer:

Important: I do not provide any guarantees that the script I have successfully tested will run without errors in every environment. The script is solely intended to simplify and standardize hardening standards, which may not be applicable or appropriate for all environments! Furthermore, I do not guarantee the completeness of the tests!


Applying the script in existing installations:

I have also conducted the above-mentioned tests on an existing environment that was installed as an Advanced Deployment. I applied the script and verified the functionality of the environment. One clear limitation: the script creates a service account for Veeam, which in an existing installation may already exist or may simply go unused after creation, since Veeam is already installed and configured.


Prerequisites and procedure:

The script is primarily designed for new installations!

  • The server must not be a domain member
  • Initial login and script execution must be performed with the built-in Administrator
  • OS: Windows Server 2022 Standard or Datacenter
  1. Install Windows Server (as required).
  2. Install drivers (VMware Tools or vendor-specific drivers).
  3. Set IP configurations (assign IP address, etc.).
  4. Set server name and workgroup, then restart the server.
  5. Create a folder named “Install” on drive C:.
  6. Copy the contents of the ZIP file (script and ntrights.exe) into the Install folder.
  7. Execute the script with administrative privileges (PowerShell).
  8. Allow the server to restart and install Veeam, specifying the service account.
  9. Apply / implement the Veeam Security & Compliance script.
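A pre-flight check for the prerequisites listed above, as an added example that is not part of the script from the post; it assumes only the post's stated requirements (workgroup server, built-in Administrator, Windows Server 2022, script and ntrights.exe in C:\Install) and aborts before any hardening change is made if one of them is missing.

```powershell
# Added pre-flight check (not part of the original hardening script).
# Verifies the prerequisites the post states before any setting is changed.
$ErrorActionPreference = 'Stop'
$problems = @()

# 1. The server must not be a domain member
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $problems += "Server is joined to domain '$($cs.Domain)'; the script expects a workgroup member."
}

# 2. Must run elevated as the built-in Administrator (well-known RID 500)
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems += "PowerShell is not running with administrative privileges."
}
if ($id.User.Value -notlike 'S-1-5-21-*-500') {
    $problems += "Current user '$($id.Name)' is not the built-in Administrator (RID 500)."
}

# 3. Tested OS is Windows Server 2022 (Standard or Datacenter)
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -notmatch 'Windows Server 2022') {
    $problems += "Unsupported OS '$($os.Caption)'; the script was tested on Windows Server 2022 only."
}

# 4. Script must be run from C:\Install, with ntrights.exe beside it (paths from the post)
$installDir = 'C:\Install'
if ((Get-Location).Path -ne $installDir) {
    $problems += "Run the script from $installDir (current directory: $((Get-Location).Path))."
}
if (-not (Test-Path (Join-Path $installDir 'ntrights.exe'))) {
    $problems += "ntrights.exe was not found in $installDir."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Prerequisite check failed; aborting before any hardening change is made."
}
Write-Host "All prerequisites satisfied; safe to continue with the hardening script."
```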


Important: I recommend familiarizing yourself with the content listed below, as it introduces changes that may affect the operation of the system!


For example, an idle timeout of 15 minutes is configured. This means that an active session will be disconnected after 15 minutes, and all open windows and processes within that session will be terminated.


Roadmap:

  1. Extraction of templates, GPOs, and registry keys based on the CIS benchmark
  2. Creation of a comprehensive PowerShell script from the notes with the assistance of AI
  3. Testing the script and its executability
  4. Review and optimization of the script and implemented options
  5. Installation of Veeam Backup & Replication and Veeam Enterprise Manager, followed by production testing
  6. Documentation/commenting of the script
  7. Outlook on further tasks


Forecast on further To-Dos:

  • Testing the script with VeeamONE and Veeam Recovery Orchestrator
  • Testing and extending the script for Windows Server 2025
  • Continuous optimization of reporting and output
  • Incorporating feedback from the community


Community feedback:

This is a community-driven project initiated by me. Specifically, this means that I not only rely on feedback from the community but actively welcome it. The reasoning behind this is that the Veeam community includes many brilliant minds who are deeply immersed (even more so than I am) in IT security and coding. Their inputs will undoubtedly be highly valuable and will help shape future versions of the script.


Testing the script:

I thoroughly tested the script within my lab environment and successfully validated the following scenarios:

  • Installation and configuration of Veeam Backup & Replication v12.3.0.310
  • Installation and configuration of Veeam Enterprise Manager v12.3.0.310
  • Integration of a vSphere environment (vCenter) and creation of backup jobs
  • Integration of a Hyper-V environment (Failover Cluster) and creation of backup jobs
  • Execution of backup jobs using HotAdd transport mode
  • Execution of backup jobs using NBD transport mode
  • Execution of backup jobs using NBD (encrypted) transport mode
  • Execution of Instant VM Recovery jobs with vSphere, including migrate to production
  • Execution of Instant VM Recovery jobs with Hyper-V, including migrate to production
  • Execution of Full Recovery jobs with vSphere
  • Execution of Full Recovery jobs with Hyper-V
  • Testing/application of Veeam Threat Hunters


Downloading the script:

Here is the corresponding GitHub link:

lukas-kl/veeam-win-hardening-script: Veeam Hardening Script for Windows (CIS contents)

I also uploaded a ZIP file including the current fileset to this post. Please refer to the GitHub link for the most current updates.


Execution & script contents (ReadMe):

The script must be executed with administrative privileges!

The script, including the ntrights.exe file, must be located in and executed from the following path:

C:\Install


ntrights.exe

The tool “ntrights.exe” is used to modify the local security policy of the Windows system and set various rules. The required .exe file is provided in a tested version, but it can also be downloaded manually if preferred. This tool is well-known and originates from the Windows Server 2003 Resource Kit.


Implemented contents of the script:

Since the script content (around 1200 lines of code) and the detailed policies are too long for this forum post (I have tried to upload them many times), please refer to the PDF file inside the .zip or use my blog instead:


18 – Veeam Windows Hardening Skript according to CIS defaults – Disaster and Recovery

Great script ​@lukas.k!  I’m testing it now and it works great.

Question: When configuring Veeam software, like B&R, is it best practice to use your local admin account as the account to manage the server (both Windows and B&R), and configure the service account user as a “service account” in B&R and disable MFA for that user?


i love CIS thing 😋


This is awesome!


Great script ​@lukas.k!  I’m testing it now and it works great.

Question: When configuring Veeam software, like B&R, is it best practice to use your local admin account as the account to manage the server (both Windows and B&R), and configure the service account user as a “service account” in B&R and disable MFA for that user?

Absolutely not. The goal is to split the Windows layer from the Veeam layer as best as you can so I never configure local admins to have any right within Veeam.

In case an attacker gets access to your Windows OS (which can be quite easy) the attacker would also have rights within Veeam and that’s what we try to avoid.


Thanks ​@lukas.k!  For your tips and the scripts!!


Awesome job ​@lukas.k 😀


Has anyone used this on a backup proxy?  I’m running into issues where after backing up 3 or 4 machines, the Veeam Service account on my backup proxy is locking out.  Once I unlock it, I can retry the job and it runs for another few machines (the ones that failed originally) and then locks again.  Can’t figure this out.


Has anyone used this on a backup proxy?  I’m running into issues where after backing up 3 or 4 machines, the Veeam Service account on my backup proxy is locking out.  Once I unlock it, I can retry the job and it runs for another few machines (the ones that failed originally) and then locks again.  Can’t figure this out.

I did multiple times but without issues so far.

Since when does this occur? From the beginning on after using the script?


And did you run the script on a clean installation?


Weird.  Yes, this was a brand new Server 2025 install.  VMware VM, installed the OS, ran Windows Updates, installed Duo, then ran the script.  Then installed the proxy and started using it.


Weird.  Yes, this was a brand new Server 2025 install.  VMware VM, installed the OS, ran Windows Updates, installed Duo, then ran the script.  Then installed the proxy and started using it.

Will try to find out the cause, please keep me updated in case you find something out.

I’m currently trying to reproduce the error.


Hey ​@lukas.k.  Your instructions recommend installing VBR and specifying the service account during the install, yet the Veeam Security and Compliance check complains when services are not running as LOCALSYSTEM and this is listed on their site:

  • For security reasons, the account used to run Veeam services should be a LocalSystem account. If a Veeam service runs under a user account other than LocalSystem, this user will have full access to the Veeam Backup & Replication console even if they are not specified in the Users and Roles > Security settings.


Why do you recommend running the services as the created service account?


@lukas.k - No need to respond.  I found your question/answer on the R & D Forums.  Great explanation:

Security Guideline - Service Account usage - R&D Forums

