Hi all,I've written and tested a PowerShell script to harden a standalone Windows Server 2025 machine running Veeam Backup & Replication, based on the CIS Benchmarks (Level 1 & 2). I’m sharing it here in case it helps others — feedback is welcome!What the Script DoesThis script configures the server securely without breaking core Veeam functionality. It includes: Account Policies: Max password age, complexity, and lockout thresholds (CIS 1.1.x, 1.2.x) Guest & Anonymous Access: Disabled for better baseline security Audit Policy: Enabled for all major categories (CIS 17.x) Unneeded Services: Disabled (safe defaults — e.g., Print Spooler, Xbox services) Windows Defender: Hardened settings with MAPS Advanced, PUA protection, etc. Firewall Configuration: Enables Windows Firewall with a default deny-inbound policy Allows Veeam ports: TCP 6160–6162, 445 (SMB), 135–139 (RPC) Blocks inbound RDP (port 3389) entirely (as this is often a target surface) SMB Protocols: SMBv1 is disabled SMBv2 is enabled with encryption (EncryptData) Windows Update: Enabled and set to auto Backup Repository ACLs: Restricts access to only Administrators and SYSTEM Logging: Outputs timestamped actions to C:\Logs\ ⚠️ Notes Adjust the backup repository path if it’s different (default is C:\Backup). This script is built for standalone/non-domain Veeam servers. It does not touch any Veeam services or alter their configurations. Make sure to test in a lab first — some settings may need tuning depending on your Veeam features (e.g., SureBackup, external repo access).

Hardened Windows Server 2025 Script for Standalone Veeam Backup — Based on CIS Benchmarks

Hi all,

I've written and tested a PowerShell script to harden a standalone Windows Server 2025 machine running Veeam Backup & Replication, based on the CIS Benchmarks (Level 1 & 2). I’m sharing it here in case it helps others — feedback is welcome!

What the Script Does

This script configures the server securely without breaking core Veeam functionality. It includes:

Account Policies: Max password age, complexity, and lockout thresholds (CIS 1.1.x, 1.2.x)
Guest & Anonymous Access: Disabled for better baseline security
Audit Policy: Enabled for all major categories (CIS 17.x)
Unneeded Services: Disabled (safe defaults — e.g., Print Spooler, Xbox services)
Windows Defender: Hardened settings with MAPS Advanced, PUA protection, etc.
Firewall Configuration:
- Enables Windows Firewall with a default deny-inbound policy
- Allows Veeam ports: TCP 6160–6162, 445 (SMB), 135–139 (RPC)
- Blocks inbound RDP (port 3389) entirely (as this is often a target surface)
SMB Protocols:
- SMBv1 is disabled
- SMBv2 is enabled with encryption (EncryptData)
Windows Update: Enabled and set to auto
Backup Repository ACLs: Restricts access to only Administrators and SYSTEM
Logging: Outputs timestamped actions to C:\Logs\

Notes

Adjust the backup repository path if it’s different (default is C:\Backup).
This script is built for standalone/non-domain Veeam servers.
It does not touch any Veeam services or alter their configurations.
Make sure to test in a lab first — some settings may need tuning depending on your Veeam features (e.g., SureBackup, external repo access).

Page 1 / 1

Great work with this script.

One more thing to add to my library and test in my lab.

HI @VEEAM_Legend -

Great efforts! Another member (Vanguard) posted something similar a few mos back, but I don’t think it covered Win2025.

Appreciate the share!

HI @VEEAM_Legend -

Great efforts! Another member (Vanguard) posted something similar a few mos back, but I don’t think it covered Win2025.

Appreciate the share!

I have v1.1 posted a few months ago that covers Server 2025 and v1.2 is already in the making.

@VEEAM_Legend Great job! The Xbox services still get me every time.

Did you run tests with Veeam components like ONE or VB365 as well?

Nice Lukas! Thanks for the clarification Great efforts by both!

HI @VEEAM_Legend -

Great efforts! Another member (Vanguard) posted something similar a few mos back, but I don’t think it covered Win2025.

Appreciate the share!

I have v1.1 posted a few months ago that covers Server 2025 and v1.2 is already in the making.

@VEEAM_Legend Great job! The Xbox services still get me every time.

Did you run tests with Veeam components like ONE or VB365 as well?

I've now added a second script to extend the hardening baseline further. It includes:

Disable Unnecessary Protocols
- Disables LLMNR and NetBIOS over TCP/IP (CIS 18.5.11.2, 18.5.14.1) to reduce lateral movement risk.
Restrict PowerShell Execution
- Forces Constrained Language Mode (CIS 18.9.101.2, Level 2) to limit execution of unauthorized scripts.
️ Enable Secure Boot
- Verifies and enforces Secure Boot (CIS 18.8.1.1) to prevent low-level boot-time malware.
Advanced Audit Policies for Veeam Repo
- Adds granular auditing for filesystem access (CIS 17.5.4) to detect unauthorized access attempts.
Disable Unnecessary Accounts
- Renames the built-in Administrator account (CIS 2.3.1.5) to reduce brute-force attack surface.
Harden TLS Settings
- Disables weak protocols and enforces strong TLS cipher suites (CIS 18.9.16.2).
Limit Local Admin Group
- Restricts local Administrators group membership to essential accounts only (CIS 2.2.2).
🧠 Enable Credential Guard
- Activates Windows Defender Credential Guard (CIS 18.8.4.1) to protect against credential theft.
- We don’t have Veeam ONE to test with yet, but so far this setup works well with Office 365 backups and other Veeam features.
- All testing was performed in a lab environment, not in production (yet).
- Designed for non-domain joined standalone servers.