Hi all,I've written and tested a PowerShell script to harden a standalone Windows Server 2025 machine running Veeam Backup & Replication, based on the CIS Benchmarks (Level 1 & 2). I’m sharing it here in case it helps others — feedback is welcome!What the Script DoesThis script configures the server securely without breaking core Veeam functionality. It includes: Account Policies: Max password age, complexity, and lockout thresholds (CIS 1.1.x, 1.2.x) Guest & Anonymous Access: Disabled for better baseline security Audit Policy: Enabled for all major categories (CIS 17.x) Unneeded Services: Disabled (safe defaults — e.g., Print Spooler, Xbox services) Windows Defender: Hardened settings with MAPS Advanced, PUA protection, etc. Firewall Configuration: Enables Windows Firewall with a default deny-inbound policy Allows Veeam ports: TCP 6160–6162, 445 (SMB), 135–139 (RPC) Blocks inbound RDP (port 3389) entirely (as this is often a target surface) SMB Protocols: SMBv1 is disabled SMBv2 is enabled with encryption (EncryptData) Windows Update: Enabled and set to auto Backup Repository ACLs: Restricts access to only Administrators and SYSTEM Logging: Outputs timestamped actions to C:\Logs\ ⚠️ Notes Adjust the backup repository path if it’s different (default is C:\Backup). This script is built for standalone/non-domain Veeam servers. It does not touch any Veeam services or alter their configurations. Make sure to test in a lab first — some settings may need tuning depending on your Veeam features (e.g., SureBackup, external repo access).

Hardened Windows Server 2025 Script for Standalone Veeam Backup — Based on CIS Benchmarks

Hi all,

I've written and tested a PowerShell script to harden a standalone Windows Server 2025 machine running Veeam Backup & Replication, based on the CIS Benchmarks (Level 1 & 2). I’m sharing it here in case it helps others — feedback is welcome!

What the Script Does

This script configures the server securely without breaking core Veeam functionality. It includes:

Account Policies: Max password age, complexity, and lockout thresholds (CIS 1.1.x, 1.2.x)
Guest & Anonymous Access: Disabled for better baseline security
Audit Policy: Enabled for all major categories (CIS 17.x)
Unneeded Services: Disabled (safe defaults — e.g., Print Spooler, Xbox services)
Windows Defender: Hardened settings with MAPS Advanced, PUA protection, etc.
Firewall Configuration:
- Enables Windows Firewall with a default deny-inbound policy
- Allows Veeam ports: TCP 6160–6162, 445 (SMB), 135–139 (RPC)
- Blocks inbound RDP (port 3389) entirely (as this is often a target surface)
SMB Protocols:
- SMBv1 is disabled
- SMBv2 is enabled with encryption (EncryptData)
Windows Update: Enabled and set to auto
Backup Repository ACLs: Restricts access to only Administrators and SYSTEM
Logging: Outputs timestamped actions to C:\Logs\

⚠️ Notes

Adjust the backup repository path if it’s different (default is C:\Backup).
This script is built for standalone/non-domain Veeam servers.
It does not touch any Veeam services or alter their configurations.
Make sure to test in a lab first — some settings may need tuning depending on your Veeam features (e.g., SureBackup, external repo access).

Page 1 / 1

Great work with this script. 👍

One more thing to add to my library and test in my lab. 😎

HI @VEEAM_Legend -

Great efforts! Another member (Vanguard) posted something similar a few mos back, but I don’t think it covered Win2025.

Appreciate the share!

HI @VEEAM_Legend -

Great efforts! Another member (Vanguard) posted something similar a few mos back, but I don’t think it covered Win2025.

Appreciate the share!

I have v1.1 posted a few months ago that covers Server 2025 and v1.2 is already in the making.

@VEEAM_Legend Great job! The Xbox services still get me every time.

Did you run tests with Veeam components like ONE or VB365 as well?

Nice Lukas! Thanks for the clarification 👍🏻 Great efforts by both!

HI @VEEAM_Legend -

Great efforts! Another member (Vanguard) posted something similar a few mos back, but I don’t think it covered Win2025.

Appreciate the share!

I have v1.1 posted a few months ago that covers Server 2025 and v1.2 is already in the making.

@VEEAM_Legend Great job! The Xbox services still get me every time.

Did you run tests with Veeam components like ONE or VB365 as well?

I've now added a second script to extend the hardening baseline further. It includes:

🔒 Disable Unnecessary Protocols
- Disables LLMNR and NetBIOS over TCP/IP (CIS 18.5.11.2, 18.5.14.1) to reduce lateral movement risk.
🔐 Restrict PowerShell Execution
- Forces Constrained Language Mode (CIS 18.9.101.2, Level 2) to limit execution of unauthorized scripts.
🛡️ Enable Secure Boot
- Verifies and enforces Secure Boot (CIS 18.8.1.1) to prevent low-level boot-time malware.
📁 Advanced Audit Policies for Veeam Repo
- Adds granular auditing for filesystem access (CIS 17.5.4) to detect unauthorized access attempts.
👤 Disable Unnecessary Accounts
- Renames the built-in Administrator account (CIS 2.3.1.5) to reduce brute-force attack surface.
🔐 Harden TLS Settings
- Disables weak protocols and enforces strong TLS cipher suites (CIS 18.9.16.2).
👥 Limit Local Admin Group
- Restricts local Administrators group membership to essential accounts only (CIS 2.2.2).
🧠 Enable Credential Guard
- Activates Windows Defender Credential Guard (CIS 18.8.4.1) to protect against credential theft.
- We don’t have Veeam ONE to test with yet, but so far this setup works well with Office 365 backups and other Veeam features.
- All testing was performed in a lab environment, not in production (yet).
- Designed for non-domain joined standalone servers.

Appreciate the additonal info @VEEAM_Legend 👍🏻

This is great. Thank you for the script and the detailed explanation of everything it does.

Well done 👏 maybe both of you @lukas.k and @VEEAM_Legend should team up and bring the best of your scripts in one version 😅

Another update - nice!! I am going to test this in my lab to see how it works and any gotchas. Will report back.

HI @VEEAM_Legend -

Great efforts! Another member (Vanguard) posted something similar a few mos back, but I don’t think it covered Win2025.

Appreciate the share!

I have v1.1 posted a few months ago that covers Server 2025 and v1.2 is already in the making.

@VEEAM_Legend Great job! The Xbox services still get me every time.

Did you run tests with Veeam components like ONE or VB365 as well?

I've now added a second script to extend the hardening baseline further. It includes:

🔒 Disable Unnecessary Protocols
- Disables LLMNR and NetBIOS over TCP/IP (CIS 18.5.11.2, 18.5.14.1) to reduce lateral movement risk.
🔐 Restrict PowerShell Execution
- Forces Constrained Language Mode (CIS 18.9.101.2, Level 2) to limit execution of unauthorized scripts.
🛡️ Enable Secure Boot
- Verifies and enforces Secure Boot (CIS 18.8.1.1) to prevent low-level boot-time malware.
📁 Advanced Audit Policies for Veeam Repo
- Adds granular auditing for filesystem access (CIS 17.5.4) to detect unauthorized access attempts.
👤 Disable Unnecessary Accounts
- Renames the built-in Administrator account (CIS 2.3.1.5) to reduce brute-force attack surface.
🔐 Harden TLS Settings
- Disables weak protocols and enforces strong TLS cipher suites (CIS 18.9.16.2).
👥 Limit Local Admin Group
- Restricts local Administrators group membership to essential accounts only (CIS 2.2.2).
🧠 Enable Credential Guard
- Activates Windows Defender Credential Guard (CIS 18.8.4.1) to protect against credential theft.
- We don’t have Veeam ONE to test with yet, but so far this setup works well with Office 365 backups and other Veeam features.
- All testing was performed in a lab environment, not in production (yet).
- Designed for non-domain joined standalone servers.

Thank you for the sharing of this great script.

Looking forward to test on the second edition above :-) @VEEAM_Legend .

HI @VEEAM_Legend -

Great efforts! Another member (Vanguard) posted something similar a few mos back, but I don’t think it covered Win2025.

Appreciate the share!

I have v1.1 posted a few months ago that covers Server 2025 and v1.2 is already in the making.

@VEEAM_Legend Great job! The Xbox services still get me every time.

Did you run tests with Veeam components like ONE or VB365 as well?

I've now added a second script to extend the hardening baseline further. It includes:

🔒 Disable Unnecessary Protocols
- Disables LLMNR and NetBIOS over TCP/IP (CIS 18.5.11.2, 18.5.14.1) to reduce lateral movement risk.
🔐 Restrict PowerShell Execution
- Forces Constrained Language Mode (CIS 18.9.101.2, Level 2) to limit execution of unauthorized scripts.
🛡️ Enable Secure Boot
- Verifies and enforces Secure Boot (CIS 18.8.1.1) to prevent low-level boot-time malware.
📁 Advanced Audit Policies for Veeam Repo
- Adds granular auditing for filesystem access (CIS 17.5.4) to detect unauthorized access attempts.
👤 Disable Unnecessary Accounts
- Renames the built-in Administrator account (CIS 2.3.1.5) to reduce brute-force attack surface.
🔐 Harden TLS Settings
- Disables weak protocols and enforces strong TLS cipher suites (CIS 18.9.16.2).
👥 Limit Local Admin Group
- Restricts local Administrators group membership to essential accounts only (CIS 2.2.2).
🧠 Enable Credential Guard
- Activates Windows Defender Credential Guard (CIS 18.8.4.1) to protect against credential theft.
- We don’t have Veeam ONE to test with yet, but so far this setup works well with Office 365 backups and other Veeam features.
- All testing was performed in a lab environment, not in production (yet).
- Designed for non-domain joined standalone servers.

Thank you for the sharing of this great script.

Looking forward to test on the second edition above :-) @VEEAM_Legend .

Scripted Hardening for Veeam on Windows: Secure, Repeatable, Automated | LinkedIn

Stay tuned, my new v1.2 will be released shortly before the V100 show linked above. :)

Wow that is so awesome, thank you @lukas.k

What the Script Does

⚠️ Notes

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded