Hi all,
I've written and tested a PowerShell script to harden a standalone Windows Server 2025 machine running Veeam Backup & Replication, based on the CIS Benchmarks (Level 1 & 2). I’m sharing it here in case it helps others — feedback is welcome!
What the Script Does
This script configures the server securely without breaking core Veeam functionality. It includes:
- Account Policies: Max password age, complexity, and lockout thresholds (CIS 1.1.x, 1.2.x)
- Guest & Anonymous Access: Disabled for better baseline security
- Audit Policy: Enabled for all major categories (CIS 17.x)
- Unneeded Services: Disabled (safe defaults — e.g., Print Spooler, Xbox services)
- Windows Defender: Hardened settings with MAPS Advanced, PUA protection, etc.
- Firewall Configuration:
  - Enables Windows Firewall with a default deny-inbound policy
  - Allows Veeam ports: TCP 6160–6162, 445 (SMB), 135–139 (RPC)
  - Blocks inbound RDP (port 3389) entirely (as this is often a target surface)
- SMB Protocols:
  - SMBv1 is disabled
  - SMBv2 is enabled with encryption (EncryptData)
- Windows Update: Enabled and set to auto
- Backup Repository ACLs: Restricts access to only Administrators and SYSTEM
- Logging: Outputs timestamped actions to C:\Logs\
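To make the firewall, SMB, repository-ACL and logging items above concrete, here is an added example of how those particular steps can be expressed in PowerShell with a verification pass at the end. This is not the OP's script and is not Veeam's code; it covers only the subset just listed (no account policy, audit, service or Defender changes). It assumes the repository lives at C:\Backup (the post's stated default), logs go to C:\Logs, and the rule names and the `Write-Log` helper are hypothetical choices for this example.

```powershell
# Added example (not the OP's script): an idempotent subset of the hardening
# steps listed above, followed by a read-back verification.
# Assumptions (hypothetical, adjust to your environment):
#   - Repository path is C:\Backup (the post's stated default)
#   - Log directory is C:\Logs
#   - Run elevated on a standalone (non-domain) Windows Server host
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$RepoPath = 'C:\Backup'
$LogDir   = 'C:\Logs'
$LogFile  = Join-Path $LogDir ('harden-{0}.log' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Write-Log {
    param([Parameter(Mandatory)][string]$Message)
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    $line = '{0} {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# --- Firewall: default deny inbound, explicit allows for Veeam, explicit block for RDP ---
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow
Write-Log 'Firewall enabled on all profiles; default inbound action = Block'

# Rule name -> TCP port(s); ranges are passed as "start-end" strings
$AllowRules = @{
    'Veeam Backup Service (TCP 6160-6162)' = '6160-6162'
    'Veeam SMB (TCP 445)'                 = '445'
    'Veeam RPC/NetBIOS (TCP 135-139)'     = '135-139'
}
foreach ($name in $AllowRules.Keys) {
    # Idempotent: only create the rule if it is not already present
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $AllowRules[$name] -Action Allow -Profile Any | Out-Null
        Write-Log "Created allow rule: $name"
    }
}
# Block rules take precedence over allow rules, so this overrides any built-in RDP allow
$rdpBlock = 'Block inbound RDP (TCP 3389)'
if (-not (Get-NetFirewallRule -DisplayName $rdpBlock -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $rdpBlock -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -Action Block -Profile Any | Out-Null
    Write-Log "Created block rule: $rdpBlock"
}

# --- SMB: disable SMBv1, require encryption on SMBv2/v3 sessions ---
Set-SmbServerConfiguration -EnableSMB1Protocol $false -EncryptData $true -Force
Write-Log 'SMBv1 disabled; SMB EncryptData enabled'

# --- Repository ACL: drop inheritance, grant only Administrators and SYSTEM ---
if (Test-Path $RepoPath) {
    $acl = Get-Acl -Path $RepoPath
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting and discard inherited ACEs
    $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
    foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $RepoPath -AclObject $acl
    Write-Log "ACL on $RepoPath reset to Administrators + SYSTEM only"
} else {
    Write-Log "WARNING: repository path $RepoPath not found; ACL step skipped"
}

# --- Verification: read the effective state back rather than trusting the Set-* calls ---
$smb      = Get-SmbServerConfiguration
$profiles = Get-NetFirewallProfile
$checks = [ordered]@{
    'SMBv1 disabled'        = ($smb.EnableSMB1Protocol -eq $false)
    'SMB encryption on'     = ($smb.EncryptData -eq $true)
    'Firewall on (all)'     = (($profiles | Where-Object Enabled -ne 'True').Count -eq 0)
    'Inbound default Block' = (($profiles | Where-Object DefaultInboundAction -ne 'Block').Count -eq 0)
    'RDP block rule exists' = [bool](Get-NetFirewallRule -DisplayName $rdpBlock -ErrorAction SilentlyContinue)
}
foreach ($k in $checks.Keys) {
    Write-Log ('{0,-22} : {1}' -f $k, $(if ($checks[$k]) { 'PASS' } else { 'FAIL' }))
}
```

Two points worth noting when adapting this: the explicit 3389 block rule removes remote desktop access, so keep an out-of-band path (console, hypervisor or management controller) before running it; and the verification block reads the effective state back with `Get-SmbServerConfiguration` and `Get-NetFirewallProfile`, which is what you want to re-run after a Veeam upgrade or a Group Policy refresh to confirm nothing has silently reverted.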
⚠️ Notes
- 	Adjust the backup repository path if it’s different (default is C:\Backup).
- 	This script is built for standalone/non-domain Veeam servers. 
- 	It does not touch any Veeam services or alter their configurations. 
- 	Make sure to test in a lab first — some settings may need tuning depending on your Veeam features (e.g., SureBackup, external repo access). 

