
Hi all,

I've written and tested a PowerShell script to harden a standalone Windows Server 2025 machine running Veeam Backup & Replication, based on the CIS Benchmarks (Level 1 & 2). I’m sharing it here in case it helps others — feedback is welcome!

What the Script Does

This script configures the server securely without breaking core Veeam functionality. It includes:

  • Account Policies: Max password age, complexity, and lockout thresholds (CIS 1.1.x, 1.2.x)

  • Guest & Anonymous Access: Disabled for better baseline security

  • Audit Policy: Enabled for all major categories (CIS 17.x)

  • Unneeded Services: Disabled (safe defaults — e.g., Print Spooler, Xbox services)

  • Windows Defender: Hardened settings with MAPS Advanced, PUA protection, etc.

  • Firewall Configuration:

    • Enables Windows Firewall with a default deny-inbound policy

    • Allows Veeam ports: TCP 6160–6162, 445 (SMB), 135–139 (RPC)

    • Blocks inbound RDP (port 3389) entirely (as this is often a target surface)

  • SMB Protocols:

    • SMBv1 is disabled

    • SMBv2 is enabled with encryption (EncryptData)

  • Windows Update: Enabled and set to auto

  • Backup Repository ACLs: Restricts access to only Administrators and SYSTEM

  • Logging: Outputs timestamped actions to C:\Logs\

⚠️ Notes

  • Adjust the backup repository path if it’s different (default is C:\Backup).

  • This script is built for standalone/non-domain Veeam servers.

  • It does not touch any Veeam services or alter their configurations.

  • Make sure to test in a lab first — some settings may need tuning depending on your Veeam features (e.g., SureBackup, external repo access).
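As an added example (not the original poster's script), here is an idempotent version of the firewall, SMB and repository-ACL steps the post lists, with the same style of timestamped logging to C:\Logs. It assumes the post's defaults (repository at C:\Backup, log folder C:\Logs) and a standalone, non-domain server; the helper name `Write-Log` is this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not the poster's script. Assumes C:\Backup as the repository
# and C:\Logs for logging (the post's defaults); run elevated on a standalone server.

$RepoPath = 'C:\Backup'
$LogDir   = 'C:\Logs'
$LogFile  = Join-Path $LogDir ('harden-{0}.log' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Write-Log {
    # Append an ISO-8601 timestamped line to the log file and echo it.
    param([Parameter(Mandatory)][string]$Message)
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    $line = '{0} {1}' -f (Get-Date -Format 'o'), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# 1. Firewall on for every profile, default deny inbound, allow outbound.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow
Write-Log 'Firewall enabled on all profiles with default inbound action Block'

# 2. Inbound allows for the ports the post lists. Each rule is created only if
#    absent, so re-running the script does not stack duplicate rules.
$allowRules = @(
    @{ Name = 'Veeam Backup services (TCP 6160-6162)'; Port = '6160-6162' },
    @{ Name = 'Veeam SMB (TCP 445)';                   Port = '445' },
    @{ Name = 'Veeam RPC (TCP 135-139)';               Port = '135-139' }
)
foreach ($r in $allowRules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $r.Port -Profile Any | Out-Null
        Write-Log "Created inbound allow rule '$($r.Name)'"
    }
}

# 3. Explicit block for RDP. Windows Firewall evaluates Block rules ahead of
#    Allow rules for the same traffic, so this holds even if the built-in
#    "Remote Desktop" allow rules are enabled later.
$rdpRule = 'Block inbound RDP (TCP 3389)'
if (-not (Get-NetFirewallRule -DisplayName $rdpRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $rdpRule -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort 3389 -Profile Any | Out-Null
    Write-Log "Created rule '$rdpRule'"
}

# 4. SMB: SMBv1 off, encryption required on the server side.
#    -Force suppresses the confirmation prompt so this runs unattended.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -EncryptData $true -Force
Write-Log 'SMBv1 disabled; SMB EncryptData enabled'

# 5. Repository ACL: stop inheritance, drop every existing ACE, then grant
#    Full Control (inherited by subfolders and files) to SYSTEM and Administrators.
if (Test-Path $RepoPath) {
    $acl = Get-Acl -Path $RepoPath
    $acl.SetAccessRuleProtection($true, $false)          # protect DACL, discard inherited ACEs
    foreach ($ace in $acl.Access) { $acl.RemoveAccessRule($ace) | Out-Null }
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $principal, 'FullControl', $flags, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $RepoPath -AclObject $acl
    Write-Log "ACL on $RepoPath now grants access only to SYSTEM and Administrators"
} else {
    Write-Log "Repository path $RepoPath not found; ACL step skipped"
}
```

Two caveats worth checking in the lab run the post recommends: SMB encryption is an SMB 3.x feature, and with `EncryptData` on the server refuses (by default) any client that cannot encrypt, so an older SMB 2.x-only client writing to the repository will be denied rather than silently downgraded. And of the 135–139 range, only 135 is the RPC endpoint mapper; 137–139 are NetBIOS name/datagram/session ports, which can be left closed on a host where NetBIOS over TCP/IP is disabled. If the Veeam services run under a dedicated service account rather than LocalSystem, that account needs adding to the repository ACL as well, or jobs will fail on the first write.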

Great work with this script.  👍 

One more thing to add to my library and test in my lab. 😎


Hi @VEEAM_Legend -

Great efforts! Another member (Vanguard) posted something similar a few mos back, but I don’t think it covered Win2025.

Appreciate the share!



I have v1.1 posted a few months ago that covers Server 2025 and v1.2 is already in the making.


@VEEAM_Legend Great job! The Xbox services still get me every time.

Did you run tests with Veeam components like ONE or VB365 as well?


Nice Lukas! Thanks for the clarification 👍🏻 Great efforts by both!



I've now added a second script to extend the hardening baseline further. It includes:

  • 🔒 Disable Unnecessary Protocols

    • Disables LLMNR and NetBIOS over TCP/IP (CIS 18.5.11.2, 18.5.14.1) to reduce lateral movement risk.

  • 🔐 Restrict PowerShell Execution

    • Forces Constrained Language Mode (CIS 18.9.101.2, Level 2) to limit execution of unauthorized scripts.

  • 🛡️Enable Secure Boot

    • Verifies and enforces Secure Boot (CIS 18.8.1.1) to prevent low-level boot-time malware.

  • 📁 Advanced Audit Policies for Veeam Repo

    • Adds granular auditing for filesystem access (CIS 17.5.4) to detect unauthorized access attempts.

  • 👤 Disable Unnecessary Accounts

    • Renames the built-in Administrator account (CIS 2.3.1.5) to reduce brute-force attack surface.

  • 🔐 Harden TLS Settings

    • Disables weak protocols and enforces strong TLS cipher suites (CIS 18.9.16.2).

  • 👥 Limit Local Admin Group

    • Restricts local Administrators group membership to essential accounts only (CIS 2.2.2).

  • 🧠 Enable Credential Guard

    • Activates Windows Defender Credential Guard (CIS 18.8.4.1) to protect against credential theft.

  • We don’t have Veeam ONE to test with yet, but so far this setup works well with Office 365 backups and other Veeam features.

  • All testing was performed in a lab environment, not in production (yet).

  • Designed for non-domain joined standalone servers.
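As an added example (again not the poster's script), the "disable unnecessary protocols" and "harden TLS" items from the second script, followed by read-only checks for the Secure Boot and Credential Guard items so the result can be verified after a reboot. The registry locations are the standard Windows ones for these settings; the helper name `Set-RegDword` is this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not the poster's script. Writes the LLMNR, NetBIOS and SCHANNEL
# settings, trims weak cipher suites, then only *reads* Secure Boot and
# Credential Guard state. Run elevated; protocol changes need a reboot.

function Set-RegDword {
    # Create the key if needed and write (or overwrite) a REG_DWORD value.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# --- LLMNR: the DNS client honours this policy value; 0 = multicast name resolution off.
Set-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0

# --- NetBIOS over TCP/IP is a per-interface setting: 2 = disabled.
#     Adapters added after this run keep the default until the script is re-run.
$nbtIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem -Path $nbtIfaces) {
    Set-RegDword -Path $iface.PSPath -Name 'NetbiosOptions' -Value 2
}

# --- SCHANNEL protocols: SSL 3.0, TLS 1.0 and TLS 1.1 off for both the client
#     and server roles; TLS 1.2 explicitly on. Takes effect after a reboot.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $schannel "$proto\$role"
        Set-RegDword $key 'Enabled' 0
        Set-RegDword $key 'DisabledByDefault' 1
    }
}
foreach ($role in 'Client', 'Server') {
    $key = Join-Path $schannel "TLS 1.2\$role"
    Set-RegDword $key 'Enabled' 1
    Set-RegDword $key 'DisabledByDefault' 0
}

# --- Cipher suites: drop the clearly weak families from the local suite list.
$weak = Get-TlsCipherSuite | Where-Object { $_.Name -match 'RC4|3DES|NULL|MD5|PSK|EXPORT' }
foreach ($suite in $weak) {
    Disable-TlsCipherSuite -Name $suite.Name
    "Disabled cipher suite $($suite.Name)"
}

# --- Secure Boot: verify only. Confirm-SecureBootUEFI throws on legacy BIOS
#     firmware, so treat an exception as "not verifiable on this host".
try {
    "Secure Boot enabled: $(Confirm-SecureBootUEFI)"
} catch {
    "Secure Boot could not be queried: $($_.Exception.Message)"
}

# --- Credential Guard: verify via the DeviceGuard CIM class. A 1 in
#     SecurityServicesRunning means Credential Guard is active (2 would be HVCI).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
"Credential Guard running: $(@($dg.SecurityServicesRunning) -contains 1)"
```

Points to keep in mind when adapting this to the full script: Veeam's .NET-based components use SCHANNEL, so after the reboot check console, agent and repository connectivity before calling the TLS change done. For the Constrained Language Mode item, the `__PSLockdownPolicy` environment variable that many hardening scripts set is documented by Microsoft as a testing hook and not a security boundary; production enforcement of CLM comes from a WDAC or AppLocker policy. And renaming the built-in Administrator account does not change its well-known RID-500 SID, so it is a modest step that belongs alongside the lockout policy from the first script rather than in place of it.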


Appreciate the additional info @VEEAM_Legend 👍🏻


This is great. Thank you for the script and the detailed explanation of everything it does.


Well done 👏 maybe both of you @lukas.k and @VEEAM_Legend should team up and bring the best of your scripts in one version 😅



Another update - nice!!  I am going to test this in my lab to see how it works and any gotchas.  Will report back.

