
I’d like to gather as much information on hardening Windows Repos and Proxies, and have it all posted below to help others if they are looking for information on this topic.

We all know the Veeam B&R Server has a security checklist which gives you very clear concise things to do for security.  There is also the LHR.  Following the DISA STIG, or using the ISO is a great way to make sure the software portion of your LHR is safe.

With the above, you still have to protect the underlying hardware. Everything from physically getting at the disks, the server BIOS/UEFI, or destroying the hardware, to SSH ports on a SAN and the use of MFA for logins to a SAN to prevent access. Turning on immutable snapshots and 4-eyes features on the storage pools is also great to implement. Let's not forget the VLAN for your management networks and who is allowed to see those IPs.

Even with all of this, I still don’t see specific documents for hardening a Windows Repository or Proxy server. Many of the same guidelines should be followed as the Veeam B&R server but there are some differences. Veeam has great guides for which ports need to be open, but I’d like to see more on the security for other devices in a single location. 

If there are any settings you guys configure on every install, post them below and hopefully we can help someone in the future stay safe!
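As an added example (not from the thread or from Veeam), here is a small PowerShell posture check a Windows repository or proxy build could end with. It audits the points raised in this thread (backup infrastructure off the production domain, firewall on every profile, CIS-style items such as SMBv1 off, RDP with NLA and LLMNR disabled); the registry paths are the standard Windows ones, but the selection of checks is this example's own and assumes it is run elevated on the host.

```powershell
# Added example: baseline posture check for a Windows Veeam repository/proxy host.
# Each check maps to a point raised in the thread; the check list is this
# example's own choice, not a Veeam document. Run from an elevated session.
$checks = @(
    @{ Name = 'Not joined to the production AD domain'
       Test = { -not (Get-CimInstance Win32_ComputerSystem).PartOfDomain } }
    @{ Name = 'Windows Firewall enabled on Domain/Private/Public profiles'
       Test = { (Get-NetFirewallProfile | Where-Object { -not $_.Enabled }).Count -eq 0 } }
    @{ Name = 'SMBv1 server protocol disabled'
       Test = { -not (Get-SmbServerConfiguration).EnableSMB1Protocol } }
    @{ Name = 'RDP requires Network Level Authentication'
       Test = { (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication -eq 1 } }
    @{ Name = 'LLMNR disabled (EnableMulticast = 0)'
       Test = { (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue).EnableMulticast -eq 0 } }
)

$results = foreach ($c in $checks) {
    # A query that throws (missing key, cmdlet unavailable) counts as a finding, not a pass.
    try   { $ok = [bool](& $c.Test) } catch { $ok = $false }
    [pscustomobject]@{ Check = $c.Name; Status = $(if ($ok) { 'PASS' } else { 'FAIL' }) }
}
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring job flag drift after the build.
exit ($results | Where-Object Status -eq 'FAIL').Count
```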

 

Hi @Scott,

I wrote an article about this in December that catches up on Windows OS hardening both for VBR primary components (VBR, VBO, VONE, Enterprise Manager) and secondary components (proxy, repo, GIP); you can find it here:

Veeam Windows Hardening Script - one-click hardening with CIS contents | Veeam Community Resource Hub

This only catches up on OS hardening but feel free to visit our Cyber Security Space which has tons of content on hardening.

 

The specific scenario and the options you can take depend on your usage. Example:

In case of guest interaction proxies for gMSA, you need these GIPs to be part of the Active Directory domain, which shouldn't be done for other components unless you have a dedicated management domain.

Hope that helps in the first place!

 

Best

Lukas


Hey @Scott - any reason why you're not implementing Linux? Just curious.


@coolsport00 

I’m not against it at all, and actually have an LHR for immutable copies in my environment.

Not everyone has Linux skills, nor the ability to migrate, and Windows is still a supported option though. Plus, if you flip everything to LHR, you can't send your config backup to it, so people without cloud options may run a hybrid environment. I do run a Windows SOBR as well and get the best of both worlds.

@lukas.k 

Wow, how did I miss that one. What a fantastic post! 

I’d be a bit scared to run something that does so much on production 😆 but will pick and choose some of those items if I am missing them. 

Agreed with the domain, I like my backup infra off domain for now.

 

Do you use that for your Veeam B&R server, proxies and repos? Or just the B&R, EM, Veeam ONE?

@Scott - all good..was just curious. I actually don't run hardened repos per se...but just standard Linux OS (semi-hardened 😏 ). Same with Proxies.

Yeah..I like Windows fine...just no longer use it. I understand about the Linux skills. Before 2023 I didn't have much but what I found/needed for given tasks. Glad I took some time to learn. I have an appreciation for it now.

Thanks for the post!



Thank you!

Basically I ran the script on everything except domain joined guest interaction proxies for gMSA, so:

VBR, Enterprise Manager, VONE, even VBM365 (aka VBO), proxies, repos, etc.

 

I now have my 3rd production environment running on that script, so I can share positive feedback from the customers! Please read the readme attached to the script to make sure it runs smoothly!



I'm getting better, but was sad the ISO didn't work with fiber storage. I have a meeting with someone at Veeam to discuss that possibility actually going forward. I want an "Advanced" option where I could select the OS disks and DATA disks, which would solve that quite easily, as it did see all the volumes presented to the host. Plus, if someone say had a server with many disks, they could pick and choose where their OS is stored. Everything else would just get locked down.



Amazing. Thanks for the reply.

 

Perhaps I'll make a test proxy and run it to see. If it works great, I'll look at what we can do for some production boxes.


That’s interesting..wasn’t aware the hardened ISO didn’t support FC...or, I just forgot, which is probably more the case 😂 Personally, am an iSCSI guy so another reason why I didn’t pay attention. ha



Let us know how this goes, as I need the ISO to work with FC storage as that is all we use. Hopefully they add some features to the install.


I worked with Hannes a bit trying to get it going, even unsupported for testing, but had to put the hardware into production eventually. It should be pretty easy to allow, as all the disks showed up right away. I just couldn't use it :) I love the set-and-forget mindset and low maintenance required for it.


Yeah, I tried several times but could not get the storage on FC to be used no matter what. I really hope they fix this.


> With the above, you still have to protect the underlying hardware. Everything from physically getting at the disks, the server BIOS/UEFI, or destroying the hardware, to SSH ports on a SAN and the use of MFA for logins to a SAN to prevent access. Turning on immutable snapshots and 4-eyes features on the storage pools is also great to implement. Let's not forget the VLAN for your management networks and who is allowed to see those IPs.


You have covered the key points as well, and many more could be added to this list, as hardening alone is not enough. A comprehensive security strategy must incorporate multiple layers of defense. Defense in depth requires considering additional security measures beyond system hardening to ensure robust protection, just as you have mentioned.

