Hi all,
I've written and tested a PowerShell script to harden a standalone Windows Server 2025 machine running Veeam Backup & Replication, based on the CIS Benchmarks (Level 1 & 2). I’m sharing it here in case it helps others — feedback is welcome!
What the Script Does
This script configures the server securely without breaking core Veeam functionality. It includes:
- Account Policies: Max password age, complexity, and lockout thresholds (CIS 1.1.x, 1.2.x)
- Guest & Anonymous Access: Disabled for better baseline security
- Audit Policy: Enabled for all major categories (CIS 17.x)
- Unneeded Services: Disabled (safe defaults — e.g., Print Spooler, Xbox services)
- Windows Defender: Hardened settings with MAPS Advanced, PUA protection, etc.
- Firewall Configuration:
  - Enables Windows Firewall with a default deny-inbound policy
  - Allows Veeam ports: TCP 6160–6162, 445 (SMB), 135–139 (RPC)
  - Blocks inbound RDP (port 3389) entirely (as this is often a target surface)
- SMB Protocols:
  - SMBv1 is disabled
  - SMBv2 is enabled with encryption (EncryptData)
- Windows Update: Enabled and set to auto
- Backup Repository ACLs: Restricts access to only Administrators and SYSTEM
- Logging: Outputs timestamped actions to C:\Logs\
Notes
- Adjust the backup repository path if it’s different (default is C:\Backup).
- This script is built for standalone/non-domain Veeam servers.
- It does not touch any Veeam services or alter their configurations.
- Make sure to test in a lab first — some settings may need tuning depending on your Veeam features (e.g., SureBackup, external repo access).
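As an added illustration of the firewall, SMB and repository-ACL steps the post describes (this is example code written for this thread, not the author's script), the snippet below applies those three pieces with timestamped logging. It assumes the repository at C:\Backup and the log directory C:\Logs from the post, and the allowed ports are only the ones the post lists, so check Veeam's port reference for any other components you run.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post author's script; paths and ports are the ones the post lists.
$RepoPath = 'C:\Backup'
$LogDir   = 'C:\Logs'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$LogFile  = Join-Path $LogDir ('harden-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Firewall: on for every profile, deny inbound by default, outbound stays allowed.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow
Write-Log 'Firewall enabled with default deny-inbound on all profiles'

# Inbound allow rules for the TCP ports the post lists (idempotent by display name).
$allow = @{ 'Veeam 6160-6162' = '6160-6162'; 'SMB 445' = '445'; 'RPC 135-139' = '135-139' }
foreach ($name in $allow.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $allow[$name] -Action Allow | Out-Null
        Write-Log "Allowed inbound TCP $($allow[$name])"
    }
}
# Explicit block for RDP; Windows Firewall evaluates block rules ahead of allow rules.
if (-not (Get-NetFirewallRule -DisplayName 'Block RDP 3389' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block RDP 3389' -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -Action Block | Out-Null
    Write-Log 'Blocked inbound TCP 3389 (RDP)'
}

# SMB: turn SMBv1 off and require encryption on SMBv2/v3 sessions (EncryptData).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -EncryptData $true -Force
Write-Log 'SMBv1 disabled; SMB EncryptData enforced'

# Repository ACL: drop inheritance and keep only Administrators and SYSTEM (Full Control).
$acl = Get-Acl -Path $RepoPath
$acl.SetAccessRuleProtection($true, $false)   # protect the DACL, discard inherited ACEs
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $RepoPath -AclObject $acl
Write-Log "ACL on $RepoPath restricted to Administrators and SYSTEM"
```

Run it from an elevated session on a lab copy first; the repository ACL step removes every existing explicit entry on C:\Backup, so any service account that needs that path must be added back deliberately.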