Question

Hardened Windows Server 2025 Script for Standalone Veeam Backup — Based on CIS Benchmarks



Hi all,

I've written and tested a PowerShell script to harden a standalone Windows Server 2025 machine running Veeam Backup & Replication, based on the CIS Benchmarks (Level 1 & 2). I'm sharing it here in case it helps others — feedback is welcome!

What the Script Does

This script configures the server securely without breaking core Veeam functionality. It includes:

  • Account Policies: Max password age, complexity, and lockout thresholds (CIS 1.1.x, 1.2.x)

  • Guest & Anonymous Access: Disabled for better baseline security

  • Audit Policy: Enabled for all major categories (CIS 17.x)

  • Unneeded Services: Disabled (safe defaults — e.g., Print Spooler, Xbox services)

  • Windows Defender: Hardened settings with MAPS Advanced, PUA protection, etc.

  • Firewall Configuration:

    • Enables Windows Firewall with a default deny-inbound policy

    • Allows Veeam ports: TCP 6160–6162, 445 (SMB), 135–139 (RPC)

    • Blocks inbound RDP (port 3389) entirely (as this is often a target surface)

  • SMB Protocols:

    • SMBv1 is disabled

    • SMBv2 is enabled with encryption (EncryptData)

  • Windows Update: Enabled and set to auto

  • Backup Repository ACLs: Restricts access to only Administrators and SYSTEM

  • Logging: Outputs timestamped actions to C:\Logs\

⚠️ Notes

  • Adjust the backup repository path if it’s different (default is C:\Backup).

  • This script is built for standalone/non-domain Veeam servers.

  • It does not touch any Veeam services or alter their configurations.

  • Make sure to test in a lab first — some settings may need tuning depending on your Veeam features (e.g., SureBackup, external repo access).
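The firewall, SMB and repository-ACL items listed above, written out as an added PowerShell example. This is not the poster's script (which is not shown in the thread); it is a small idempotent slice of the same baseline. The management subnet `$MgmtSubnet` and the `Set-*`/`Write-Log` function names are assumptions, and the repository path is the post's stated default.

```powershell
#Requires -RunAsAdministrator
# Added example, not the poster's script: a small idempotent slice of the
# baseline listed above (firewall default-deny with Veeam allow rules, RDP
# block, SMBv1 off with SMB encryption on, repository ACL, timestamped log).
# Assumptions not taken from the post: $MgmtSubnet is a placeholder for the
# hosts that may reach SMB/RPC; $RepoPath is the post's default C:\Backup.

$LogDir     = 'C:\Logs'
$LogFile    = Join-Path $LogDir ('harden-{0}.log' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$RepoPath   = 'C:\Backup'
$MgmtSubnet = '10.0.10.0/24'    # placeholder: proxies/management hosts only

function Write-Log {
    param([Parameter(Mandatory)][string]$Message)
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

function Set-FirewallBaseline {
    # Default deny inbound on every profile; outbound stays allowed.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
    Write-Log 'Firewall enabled on all profiles, default inbound action = Block'

    # The ports from the post. 445 and 135-139 are scoped to the management
    # subnet; a backup server has no reason to accept SMB or RPC from "Any".
    $rules = @(
        @{ Name = 'Veeam-Installer-Transport'; Port = '6160-6162'; Remote = 'Any' }
        @{ Name = 'Veeam-SMB';                 Port = '445';       Remote = $MgmtSubnet }
        @{ Name = 'Veeam-RPC';                 Port = '135-139';   Remote = $MgmtSubnet }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
                -LocalPort $r.Port -RemoteAddress $r.Remote -Action Allow | Out-Null
            Write-Log "Allow inbound TCP $($r.Port) from $($r.Remote) [$($r.Name)]"
        }
    }
    # An explicit block rule beats relying on the default action: block rules
    # take precedence over allow rules, so a later product install that adds
    # its own 3389 allow rule does not silently reopen RDP.
    if (-not (Get-NetFirewallRule -DisplayName 'Block-RDP' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block-RDP' -Direction Inbound -Protocol TCP `
            -LocalPort 3389 -Action Block | Out-Null
        Write-Log 'Block inbound TCP 3389 (RDP)'
    }
}

function Set-SmbBaseline {
    # SMBv1 off at the server and as an optional feature; SMB encryption
    # required for every share (clients that cannot encrypt are rejected).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -EncryptData $true `
        -RejectUnencryptedAccess $true -Force
    Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
    Write-Log 'SMBv1 disabled, SMB encryption required'
}

function Set-RepositoryAcl {
    param([string]$Path = $RepoPath)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    # Break inheritance without copying the inherited entries, drop explicit
    # entries, then grant only the two principals the post names. Well-known
    # SIDs are used so a renamed Administrators group does not break the script.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($ace) | Out-Null
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    foreach ($sid in 'S-1-5-32-544', 'S-1-5-18') {   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM
        $id   = [System.Security.Principal.SecurityIdentifier]$sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    Write-Log "ACL on $Path restricted to Administrators and SYSTEM"
}

Set-FirewallBaseline
Set-SmbBaseline
Set-RepositoryAcl
Write-Log 'Baseline applied'
```

Two things to check before running it outside a lab: the repository ACL assumes the Veeam services run as LocalSystem (the default); if a dedicated service account owns the repository, it needs an entry too. And the 135-139 rule is TCP only, as the post lists it; if a Veeam component on another host needs NetBIOS name resolution (UDP 137/138), the default deny will drop it, which the log plus a failed job will make obvious.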

9 comments

Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 9396 comments
  • July 30, 2025

Great work with this script. 👍

One more thing to add to my library and test in my lab. 😎


coolsport00
  • Veeam Legend
  • 4809 comments
  • July 30, 2025

Hi @VEEAM_Legend -

Great efforts! Another member (Vanguard) posted something similar a few mos back, but I don’t think it covered Win2025.

Appreciate the share!


lukas.k
  • Veeam Vanguard
  • 333 comments
  • July 30, 2025
coolsport00 wrote:

Hi @VEEAM_Legend -

Great efforts! Another member (Vanguard) posted something similar a few mos back, but I don’t think it covered Win2025.

Appreciate the share!

I have v1.1 posted a few months ago that covers Server 2025 and v1.2 is already in the making.


@VEEAM_Legend Great job! The Xbox services still get me every time.

Did you run tests with Veeam components like ONE or VB365 as well?


coolsport00
  • Veeam Legend
  • 4809 comments
  • July 30, 2025

Nice Lukas! Thanks for the clarification 👍🏻 Great efforts by both!


  • Author
  • Comes here often
  • 34 comments
  • July 30, 2025
lukas.k wrote:
coolsport00 wrote:

Hi @VEEAM_Legend -

Great efforts! Another member (Vanguard) posted something similar a few mos back, but I don’t think it covered Win2025.

Appreciate the share!

I have v1.1 posted a few months ago that covers Server 2025 and v1.2 is already in the making.


@VEEAM_Legend Great job! The Xbox services still get me every time.

Did you run tests with Veeam components like ONE or VB365 as well?

I've now added a second script to extend the hardening baseline further. It includes:

  • 🔒 Disable Unnecessary Protocols

    • Disables LLMNR and NetBIOS over TCP/IP (CIS 18.5.11.2, 18.5.14.1) to reduce lateral movement risk.

  • 🔐 Restrict PowerShell Execution

    • Forces Constrained Language Mode (CIS 18.9.101.2, Level 2) to limit execution of unauthorized scripts.

  • 🛑 Enable Secure Boot

    • Verifies and enforces Secure Boot (CIS 18.8.1.1) to prevent low-level boot-time malware.

  • 📝 Advanced Audit Policies for Veeam Repo

    • Adds granular auditing for filesystem access (CIS 17.5.4) to detect unauthorized access attempts.

  • 👤 Disable Unnecessary Accounts

    • Renames the built-in Administrator account (CIS 2.3.1.5) to reduce brute-force attack surface.

  • 🔐 Harden TLS Settings

    • Disables weak protocols and enforces strong TLS cipher suites (CIS 18.9.16.2).

  • 👥 Limit Local Admin Group

    • Restricts local Administrators group membership to essential accounts only (CIS 2.2.2).

  • 🧠 Enable Credential Guard

    • Activates Windows Defender Credential Guard (CIS 18.8.4.1) to protect against credential theft.

  • We don't have Veeam ONE to test with yet, but so far this setup works well with Office 365 backups and other Veeam features.

  • All testing was performed in a lab environment, not in production (yet).

  • Designed for non-domain joined standalone servers.
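A read-only check for the settings in this second post, as an added PowerShell example (not the poster's script, which is not shown). It lets the lab test described above be repeated after every change and the before/after output diffed, without modifying the host. The registry locations are the standard policy keys for each setting; `$ExpectedAdmins` and the function names are assumptions. Because the post also enforces Constrained Language Mode, the check avoids arbitrary .NET type and method calls so it still runs in a locked-down session.

```powershell
#Requires -RunAsAdministrator
# Added example, not the poster's second script: read-only checks for the
# settings listed above. Nothing here changes the host. It deliberately avoids
# arbitrary .NET types/methods so it also runs under Constrained Language Mode.
# Assumption: $ExpectedAdmins is a placeholder allow-list.

$ExpectedAdmins = @('Administrator')   # placeholder: the (renamed) admin account(s)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-CheckResult {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-HardeningState {
    # LLMNR (DNS client policy key, EnableMulticast = 0)
    $llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    New-CheckResult 'LLMNR disabled' ($llmnr -eq 0) "EnableMulticast=$llmnr"

    # NetBIOS over TCP/IP (NetbiosOptions = 2 on every interface)
    $nbt = @(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).NetbiosOptions })
    New-CheckResult 'NetBIOS disabled on all interfaces' (@($nbt | Where-Object { $_ -ne 2 }).Count -eq 0) ($nbt -join ',')

    # Secure Boot (Confirm-SecureBootUEFI throws on legacy BIOS hosts)
    try { $sb = Confirm-SecureBootUEFI } catch { $sb = $false }
    New-CheckResult 'Secure Boot enabled' $sb "Confirm-SecureBootUEFI=$sb"

    # Credential Guard: service id 1 in SecurityServicesRunning means it is
    # actually running, not merely configured (the two differ on VBS-incapable hardware)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    New-CheckResult 'Credential Guard running' ($dg.SecurityServicesRunning -contains 1) ('Running=' + ($dg.SecurityServicesRunning -join ','))

    # TLS 1.0 / 1.1 server side (SCHANNEL Enabled=0 and DisabledByDefault=1)
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        $k   = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
        $en  = Get-RegValue $k 'Enabled'
        $dbd = Get-RegValue $k 'DisabledByDefault'
        New-CheckResult "$proto server disabled" ($en -eq 0 -and $dbd -eq 1) "Enabled=$en DisabledByDefault=$dbd"
    }

    # File System audit subcategory, parsed from auditpol's CSV (/r) output
    $fs = auditpol /get /subcategory:'File System' /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    New-CheckResult 'File System auditing = Success and Failure' ($fs.'Inclusion Setting' -eq 'Success and Failure') $fs.'Inclusion Setting'

    # Built-in Administrator (RID 500) renamed
    $rid500 = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    New-CheckResult 'Built-in Administrator renamed' ($rid500.Name -ne 'Administrator') $rid500.Name

    # Local Administrators group membership against the allow-list
    $members = @((Get-LocalGroupMember -SID 'S-1-5-32-544').Name | ForEach-Object { $_.Split('\')[-1] })
    $extra   = @($members | Where-Object { $_ -notin $ExpectedAdmins })
    New-CheckResult 'Administrators limited to allow-list' ($extra.Count -eq 0) ($members -join ',')

    # Language mode of this session: ConstrainedLanguage when CLM is enforced
    $mode = $ExecutionContext.SessionState.LanguageMode
    New-CheckResult 'Constrained Language Mode in effect' ($mode -eq 'ConstrainedLanguage') "LanguageMode=$mode"
}

$results = Test-HardeningState
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed check(s) failed"
```

Pipe `Test-HardeningState` to `Export-Csv` before and after running the hardening scripts to get a diffable record for the lab notes. The Credential Guard check is the one most likely to fail on a standalone box even when the script ran cleanly: the registry can say "configured" while the service is not running, and only `SecurityServicesRunning` reflects the latter.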


coolsport00
  • Veeam Legend
  • 4809 comments
  • July 30, 2025

Appreciate the additional info @VEEAM_Legend 👍🏻


Tommy O'Shea
  • Veeam Legend
  • 334 comments
  • July 30, 2025

This is great. Thank you for the script and the detailed explanation of everything it does.


Dynamic
  • Veeam Vanguard
  • 488 comments
  • July 30, 2025

Well done 👍 maybe both of you @lukas.k and @VEEAM_Legend should team up and bring the best of your scripts in one version 😅


Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 9396 comments
  • July 30, 2025

Another update - nice!! I am going to test this in my lab to see how it works and any gotchas. Will report back.

