
Preface:

As mentioned in the past, I have made it my mission to continuously develop my Veeam Windows Hardening script. To fulfill this commitment, I have now completed and released version 1.1 "PAW" of the script.

I often face the challenge that customers start using PAWs (Privileged Access Workstations) as a single point of contact for their Veeam environments. These PAWs should be hardened as well to comply with state-of-the-art compliance parameters and have the same rules in place as for any Veeam software.

The changes compared to the previous version can be found in the change log below! There were only very few changes I had to make, since my goal is to keep almost the same settings and the same level of detail as on other Windows-based Veeam components.

As I already had all the contents and functions of my working and tested script available, I simply decided to remove very few options to dedicate this version to Windows-based PAWs, since the ruleset should remain the same.

What is a Privileged Access Workstation?

"A Privileged Access Workstation (PAW) is a dedicated and highly secure computing environment designed for tasks requiring elevated privileges, such as managing servers, databases, or other sensitive systems. PAWs are isolated from the broader network and Internet to minimize the risk of attacks targeting privileged accounts."

I recommend that customers use them for dedicated purposes, e.g. for Veeam and for nothing else. These PAWs are security-critical systems because they can access DR sites and backup systems, so hardening and monitoring are essential even though there is almost no software running on those systems (except e.g. Veeam consoles).

In a world of Windows Datacenter licensing, many customers use VMs as PAWs, but I always recommend having redundancies in place so as not to rely on a virtual server that might fail, since access to Veeam through the PAW is necessary for restoring virtual workloads.

Disclaimer:

Important: I do not provide any guarantee that the script, which has been successfully tested by me, will run without errors in every environment. The script is intended solely to simplify and standardize hardening standards, which may not be suitable for every environment! Additionally, I do not guarantee the completeness of the tests!

Requirements and procedure:

The script is primarily designed for new installations!

  • The server must not be a domain member
  • Initial login and script execution must be performed with the built-in Administrator
  • OS: Windows Server 2022 or 2025 Standard or Datacenter
  1. Install Windows Server (as required).
  2. Install drivers (VMware Tools or vendor-specific drivers).
  3. Set IP configurations (assign IP address, etc.).
  4. Set server name and workgroup, then restart the server.
  5. Create a folder named “Install” on drive C:.
  6. Copy the contents of the ZIP file (script and ntrights.exe) into the Install folder.
  7. Execute the script with administrative privileges (PowerShell).
  8. Allow the server to restart.

Important: I recommend familiarizing yourself with the content listed below, as it introduces changes that may affect the operation of the system!

Downloading the script:

Here is the corresponding GitHub link:

lukas-kl/veeam-win-hardening-script: Veeam Hardening Script for Windows (CIS contents)

Execution & script contents (ReadMe):

The script must be executed with administrative privileges!

The script, including the ntrights.exe file, must be located in and executed from the following path:

C:\Install

ntrights.exe

The tool “ntrights.exe” is used to modify the local security policy of the Windows system and set various rules. The required .exe file is provided in a tested version, but it can also be downloaded manually if preferred. This tool is well-known and originates from the Windows Server 2003 Resource Kit.

Change Log v1.1 PAW (as of 05/28/2025):

  • Removing the option of creating service accounts
  • Removing the idle timeout of 15min in case of inactivity

The article is also available on my blog:

https://disaster-und-recovery.de/21-veeam-windows-hardening-script-v1-1-for-paws/

Very interesting project, Lukas. Love seeing hardening stuff. Will take a read and give this one a go.


@lukas.k ,
Thank you for sharing such great script.


Awesome and a very great approach for protecting non-domain joined PAWs 💯 Due to security concerns, here are some remarks, and I would like to engage more based on these remarks.

Would you recommend managing non domain-joined PAWs via a modern Endpoint Management System as it provides an enforceable configuration baseline far more robust than relying on hardening scripts alone? While scripts can help with initial setup, they are typically a one-time enforcement and can be easily reverted by anyone with administrative or SYSTEM-level access. I know “the Task Scheduler” can be used as a workaround here but there are other concerns too.

Does your script strip off the local administrative rights to lock down elevation paths? If yes, this may introduce issues with Veeam Backup & Replication (VBR): https://forums.veeam.com/veeam-backup-replication-f2/veeam-b-r-console-needs-admin-rights-to-start-t32617.html

Since Microsoft recommends Windows Defender Application Control (WDAC) over AppLocker, I suggest implementing WDAC as part of a defense-in-depth strategy to prevent unauthorized scripts or executables from running. Additionally, enabling comprehensive event logging is essential for monitoring PAWs and detecting potential policy drift or tampering.

Once again, thank you for your efforts ​@lukas.k!



Endpoint Management: Yes, I’d prefer to use this in case it’s possible. But please don’t do this to Veeam systems, only to the PAW, to maintain a separation and to avoid policies affecting Veeam.

Task scheduler: I’ve actually never thought about applying the script multiple times, due to the fact that you are prompted for inputs and without the inputs the script doesn’t run through. Basically it’s designed for an initial configuration.

The policies that the script applies (there are a lot) can of course be changed afterwards, but there should be another approach to avoid this (e.g. monitoring to get visibility).

Lock down elevation paths: Yes, the script does this. For specific restore operations you’d need local admin rights to run the Veeam Explorers, so there could be two approaches (same for 4-eyes, for example). You can either create a second, personalized administrative account, or you can use any local admin to execute the console as admin and then continue with your non-admin account within Veeam.

I strongly recommend the second approach because it’s important to achieve a separation between Windows OS and Veeam software as far as possible (by RBAC).

WDAC is also a very good approach, but I honestly have to deep-dive a bit more into this to find a useful way in this scenario.

Thank you for your feedback, I appreciate it!

Lukas
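Picking up the drift remark above (the policies the script applies can be changed afterwards, and monitoring should give visibility), here is an added PowerShell example, my own and not part of the script from the post, that a scheduled task on the PAW can run to compare the live system against a small baseline. The registry values and the allowed holders of the user rights are constructed assumptions, not the script's actual ruleset.

```powershell
# Added example: a drift check for a hardened PAW (my own code, not part of the
# script from the post). The registry policies and user-right holders below are a
# constructed baseline for illustration, not the script's full ruleset.

$RegistryBaseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LimitBlankPasswordUse'; Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous';     Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Expected = 1 }
)
# Constructed: only the local Administrators group (S-1-5-32-544) may hold these rights
$RightsBaseline = @{
    'SeRemoteInteractiveLogonRight' = @('*S-1-5-32-544')
    'SeDebugPrivilege'              = @('*S-1-5-32-544')
}

$drift = New-Object System.Collections.Generic.List[string]

# 1) Registry-backed policies: compare each value with its expected setting
foreach ($item in $RegistryBaseline) {
    $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
    if ($null -eq $actual -or $actual -ne $item.Expected) {
        $drift.Add("Registry $($item.Path)\$($item.Name): expected $($item.Expected), found '$actual'")
    }
}

# 2) User rights (what ntrights.exe assigns): export the local policy and parse [Privilege Rights]
$export = Join-Path $env:TEMP 'paw-secpol.inf'
secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
$inSection = $false
foreach ($line in Get-Content -Path $export) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
    $right   = $Matches[1]
    $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    if ($RightsBaseline.ContainsKey($right)) {
        $extra = $holders | Where-Object { $RightsBaseline[$right] -notcontains $_ }
        if ($extra) { $drift.Add("User right ${right}: unexpected holder(s) $($extra -join ', ')") }
    }
}
Remove-Item -Path $export -ErrorAction SilentlyContinue

# Report: a non-zero exit code lets the scheduled task or a monitoring agent flag the drift
if ($drift.Count -eq 0) {
    Write-Output 'No drift from the hardening baseline detected.'
    exit 0
}
$drift | ForEach-Object { Write-Output "DRIFT: $_" }
exit 1
```

The secedit export needs an elevated session, so run the task under an administrative account and forward the output (or the exit code) to whatever collects the PAW's logs.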


You are welcome.

