
Hardened Windows Server 2025 Script for Standalone Veeam Backup — Based on CIS Benchmarks

  • July 30, 2025
  • 14 comments
  • 422 views

VEEAM_Legend

Hi all,

I've written and tested a PowerShell script to harden a standalone Windows Server 2025 machine running Veeam Backup & Replication, based on the CIS Benchmarks (Level 1 & 2). I’m sharing it here in case it helps others — feedback is welcome!

What the Script Does

This script configures the server securely without breaking core Veeam functionality. It includes:

  • Account Policies: Max password age, complexity, and lockout thresholds (CIS 1.1.x, 1.2.x)

  • Guest & Anonymous Access: Disabled for better baseline security

  • Audit Policy: Enabled for all major categories (CIS 17.x)

  • Unneeded Services: Disabled (safe defaults — e.g., Print Spooler, Xbox services)

  • Windows Defender: Hardened settings with MAPS Advanced, PUA protection, etc.

  • Firewall Configuration:

    • Enables Windows Firewall with a default deny-inbound policy

    • Allows Veeam ports: TCP 6160–6162, 445 (SMB), 135–139 (RPC)

    • Blocks inbound RDP (port 3389) entirely (as this is often a target surface)

  • SMB Protocols:

    • SMBv1 is disabled

    • SMBv2 is enabled with encryption (EncryptData)

  • Windows Update: Enabled and set to auto

  • Backup Repository ACLs: Restricts access to only Administrators and SYSTEM

  • Logging: Outputs timestamped actions to C:\Logs\

⚠️ Notes

  • Adjust the backup repository path if it’s different (default is C:\Backup).

  • This script is built for standalone/non-domain Veeam servers.

  • It does not touch any Veeam services or alter their configurations.

  • Make sure to test in a lab first — some settings may need tuning depending on your Veeam features (e.g., SureBackup, external repo access).
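
Added example, not the original poster's script: a re-runnable subset of the baseline the post describes (firewall default deny with the listed Veeam ports, RDP block, SMBv1 off, SMB EncryptData on, repository ACL limited to Administrators and SYSTEM, timestamped log in C:\Logs). The rule names, the Write-Log helper and the verification step at the end are assumptions; the ports, paths and settings are the ones listed above.

```powershell
#Requires -RunAsAdministrator
# Added example (not the original poster's script): an idempotent subset of the baseline
# described in the post. Rule names, the Write-Log helper and the verification step
# are assumptions; the ports, paths and settings are the ones the post lists.
param(
    [string]$RepoPath = 'C:\Backup',   # post's default repository path
    [string]$LogDir   = 'C:\Logs'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$LogFile = Join-Path $LogDir ('harden-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Creates a rule only if it does not exist, so re-running the script adds no duplicates.
function Ensure-FirewallRule {
    param([string]$Name, [string]$Port, [ValidateSet('Allow', 'Block')][string]$Action)
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Write-Log "Firewall rule '$Name' already present, skipping"
        return
    }
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action $Action -Profile Any | Out-Null
    Write-Log "Firewall rule '$Name' created (TCP $Port, $Action)"
}

# Firewall: on for every profile, default deny inbound, allow outbound
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow
Write-Log 'Firewall enabled on all profiles with default inbound Block'

# Veeam ports from the post; add others only for components you actually run
Ensure-FirewallRule -Name 'Veeam Backup (TCP 6160-6162)' -Port '6160-6162' -Action Allow
Ensure-FirewallRule -Name 'Veeam SMB (TCP 445)'          -Port '445'       -Action Allow
Ensure-FirewallRule -Name 'Veeam RPC (TCP 135-139)'      -Port '135-139'   -Action Allow
# An explicit Block rule takes precedence over Allow rules in Windows Firewall
Ensure-FirewallRule -Name 'Block inbound RDP (TCP 3389)' -Port '3389'      -Action Block

# SMB: v1 off, encryption on (clients that cannot do SMB3 encryption are rejected)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-SmbServerConfiguration -EncryptData $true -Force
Write-Log 'SMB1 disabled, SMB EncryptData enabled'

# Repository ACL: stop inheritance, drop explicit ACEs, keep only Administrators and SYSTEM
if (-not (Test-Path $RepoPath)) { New-Item -ItemType Directory -Path $RepoPath | Out-Null }
$acl = Get-Acl -Path $RepoPath
$acl.SetAccessRuleProtection($true, $false)   # inherited ACEs are discarded on Set-Acl
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null
}
$keep = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
foreach ($identity in $keep) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $RepoPath -AclObject $acl
Write-Log "ACL on $RepoPath restricted to $($keep -join ' and ')"

# Verification: read the live state back instead of trusting that the calls succeeded
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol -or -not $smb.EncryptData) { throw 'SMB settings were not applied' }
$extra = (Get-Acl -Path $RepoPath).Access |
    Where-Object { $_.IdentityReference.Value -notin $keep }
if ($extra) { throw "Unexpected ACEs remain on ${RepoPath}: $($extra.IdentityReference -join ', ')" }
if (Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' }) {
    throw 'A firewall profile still allows inbound by default'
}
Write-Log 'Verification passed'
```

Two points worth keeping in mind when adapting it: the RDP block removes your remote management path, so have console or out-of-band access in place before running it, and the verification block reads the effective state back (Get-SmbServerConfiguration, Get-Acl, Get-NetFirewallProfile) rather than assuming each Set-* call succeeded, which is what makes the log useful as evidence later.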

14 comments

Chris.Childerhose

Great work with this script. 👍

One more thing to add to my library and test in my lab. 😎


coolsport00
  • Veeam Legend
  • July 30, 2025

Hi @VEEAM_Legend -

Great efforts! Another member (Vanguard) posted something similar a few mos back, but I don’t think it covered Win2025.

Appreciate the share!


lukas.k
  • Veeam Vanguard
  • July 30, 2025

I have v1.1 posted a few months ago that covers Server 2025 and v1.2 is already in the making.

@VEEAM_Legend Great job! The Xbox services still get me every time.

Did you run tests with Veeam components like ONE or VB365 as well?


coolsport00
  • Veeam Legend
  • July 30, 2025

Nice Lukas! Thanks for the clarification 👍🏻 Great efforts by both!


VEEAM_Legend
  • Author
  • Comes here often
  • July 30, 2025

I've now added a second script to extend the hardening baseline further. It includes:

  • 🔒 Disable Unnecessary Protocols

    • Disables LLMNR and NetBIOS over TCP/IP (CIS 18.5.11.2, 18.5.14.1) to reduce lateral movement risk.

  • 🔐 Restrict PowerShell Execution

    • Forces Constrained Language Mode (CIS 18.9.101.2, Level 2) to limit execution of unauthorized scripts.

  • 🛡️ Enable Secure Boot

    • Verifies and enforces Secure Boot (CIS 18.8.1.1) to prevent low-level boot-time malware.

  • 📁 Advanced Audit Policies for Veeam Repo

    • Adds granular auditing for filesystem access (CIS 17.5.4) to detect unauthorized access attempts.

  • 👤 Disable Unnecessary Accounts

    • Renames the built-in Administrator account (CIS 2.3.1.5) to reduce brute-force attack surface.

  • 🔐 Harden TLS Settings

    • Disables weak protocols and enforces strong TLS cipher suites (CIS 18.9.16.2).

  • 👥 Limit Local Admin Group

    • Restricts local Administrators group membership to essential accounts only (CIS 2.2.2).

  • 🧠 Enable Credential Guard

    • Activates Windows Defender Credential Guard (CIS 18.8.4.1) to protect against credential theft.

  • We don’t have Veeam ONE to test with yet, but so far this setup works well with Office 365 backups and other Veeam features.

  • All testing was performed in a lab environment, not in production (yet).

  • Designed for non-domain joined standalone servers.
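
Added example, not the poster's second script: one way to implement most of the items in the list above so that each step checks the current state before changing it and verifies where it cannot change (Secure Boot). The registry locations are the documented Windows ones; the Set-RegValue helper, the audit-rule identity, the replacement name for the built-in Administrator and the allowed-admins list are assumptions to adjust per environment. Constrained Language Mode is left out because enforcing it properly needs an application-control policy rather than a registry flip.

```powershell
#Requires -RunAsAdministrator
# Added example (not the original poster's second script): a subset of the extended
# baseline listed above, written so each step checks before it changes. Registry paths
# are the documented Windows locations; helper names, the audit identity, the new admin
# name and the allowed-admins list are assumptions.
param(
    [string]$RepoPath = 'C:\Backup',
    [string]$NewAdminName = 'svc-localadmin',                        # assumed replacement name
    [string[]]$AllowedAdmins = @('Administrator', 'svc-localadmin')  # assumed essential accounts
)
$ErrorActionPreference = 'Stop'

# Writes a DWORD only when it differs from the current value, creating the key if needed
function Set-RegValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Value) { return }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    Write-Host "Set $Path\$Name = $Value (was '$current')"
}

# LLMNR off (policy value) and NetBIOS over TCP/IP off on every interface (2 = disabled)
Set-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object { Set-RegValue $_.PSPath 'NetbiosOptions' 2 }

# TLS: disable TLS 1.0 and 1.1 for server and client in SCHANNEL; 1.2/1.3 stay enabled
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Server', 'Client') {
        Set-RegValue "$schannel\$proto\$side" 'Enabled' 0
        Set-RegValue "$schannel\$proto\$side" 'DisabledByDefault' 1
    }
}
# Drop cipher suites based on RC4 or 3DES from the negotiation list
Get-TlsCipherSuite | Where-Object { $_.Name -match 'RC4|3DES' } |
    ForEach-Object { Disable-TlsCipherSuite -Name $_.Name; Write-Host "Disabled $($_.Name)" }

# Secure Boot: can only be verified from inside the OS, not switched on
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
if (-not $secureBoot) { Write-Warning 'Secure Boot is off or unsupported on this machine' }

# Repository auditing: enable the File System subcategory and add a SACL on the repo
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$acl = Get-Acl -Path $RepoPath -Audit
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Write, Delete, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl.AddAuditRule($auditRule)
Set-Acl -Path $RepoPath -AclObject $acl

# Built-in Administrator: find it by its well-known RID 500, rename only if still default
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin.Name -eq 'Administrator') {
    Rename-LocalUser -Name $builtin.Name -NewName $NewAdminName
    Write-Host "Renamed built-in Administrator to $NewAdminName"
}

# Local Administrators group: report members outside the allowed list; removal is manual
$unexpected = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { ($_.Name -split '\\')[-1] -notin $AllowedAdmins }
if ($unexpected) {
    Write-Warning ('Review these Administrators members: ' + ($unexpected.Name -join ', '))
}

# Credential Guard: VBS requiring Secure Boot, LSA isolation with UEFI lock (reboot needed)
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' 'EnableVirtualizationBasedSecurity' 1
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' 'RequirePlatformSecurityFeatures' 1
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LsaCfgFlags' 1
Write-Host 'Credential Guard configured; reboot required and the host/VM must expose VBS'
```

The SACL on the repository audits every write by every principal, which includes the Veeam service itself, so on a busy repository the success entries will be noisy; narrowing the success audit to non-service identities and keeping failure audits for Everyone gives a cleaner signal for unauthorized access attempts. The admin-group step only reports, because removing members by script on a standalone box is a good way to lock yourself out.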


coolsport00
  • Veeam Legend
  • July 30, 2025

Appreciate the additional info @VEEAM_Legend 👍🏻


Tommy O'Shea
  • Veeam Legend
  • July 30, 2025

This is great. Thank you for the script and the detailed explanation of everything it does.


Dynamic
  • Veeam Vanguard
  • July 30, 2025

Well done 👏 maybe both of you @lukas.k and @VEEAM_Legend should team up and bring the best of your scripts in one version 😅


Chris.Childerhose

Another update - nice!! I am going to test this in my lab to see how it works and any gotchas. Will report back.


vAdmin
  • Influencer
  • October 27, 2025

Thank you for sharing this great script.

Looking forward to testing the second edition above :-) @VEEAM_Legend.


lukas.k
  • Veeam Vanguard
  • October 28, 2025

Scripted Hardening for Veeam on Windows: Secure, Repeatable, Automated | LinkedIn

Stay tuned, my new v1.2 will be released shortly before the V100 show linked above. :)


vAdmin
  • Influencer
  • October 28, 2025

Wow, that is so awesome, thank you @lukas.k


VEEAM_Legend
  • Author
  • Comes here often
  • November 22, 2025

Have you seen your script 1.2? It’s quite similar to mine, isn’t it? 😉

I’m working on a script for immutable/installation-immutable services with a default username and password. It will also add your immutable storage to version 13.

I haven’t finished testing it yet but I’ll share it here.


lukas.k
  • Veeam Vanguard
  • November 23, 2025

The reason behind that might be that the CIS Benchmark contents are the same for everyone 😊

My script (new version released a few days ago) focuses on user inputs / prompts for entering credentials, and it now has the possibility to re-apply the script to systems that saw hardening before. It may be more than hardening; you can now choose to delete recovery partitions etc. (which is basically not included in the CIS Benchmark afaik).

I’m looking forward to your newest release; it sounds very interesting with the focus on immutable storage - pretty much the appliance approach from Veeam, which I really appreciate.

A suggestion: instead of working with pre-defined (default) credentials you could consider working with prompts and user inputs; that removes an additional step to change things afterwards.
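
Added example illustrating the suggestion above (neither lukas.k's nor the poster's script): the local account for the repository is created from an interactive prompt, validated for length without ever writing the plaintext anywhere, and the same script can be re-run on an already hardened server to rotate the password instead of failing. Account name, minimum length and log path are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from either script in the thread): create or rotate a local
# account from a prompt so no default password lives in the script or the log.
# Account name, minimum length and log path are assumptions.
param(
    [string]$AccountName = 'veeam-repo',      # assumed name of the local account
    [int]$MinLength = 14,
    [string]$LogFile = 'C:\Logs\accounts.log'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null

function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogFile -Value ('{0:u} {1}' -f (Get-Date), $Message)
}

# Prompt until the operator supplies a long enough password. The SecureString is decoded
# only for the length check and the unmanaged copy is zeroed right after.
function Read-ValidatedPassword {
    param([int]$MinLength)
    while ($true) {
        $secure = Read-Host -Prompt "Password for $AccountName (min $MinLength chars)" -AsSecureString
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
        try     { $len = ([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)).Length }
        finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
        if ($len -ge $MinLength) { return $secure }
        Write-Warning "Too short ($len chars); try again"
    }
}

$password = Read-ValidatedPassword -MinLength $MinLength
$existing = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue

if ($existing) {
    # Re-run on an already hardened box: rotate the password rather than abort
    Set-LocalUser -Name $AccountName -Password $password
    Write-Log "Rotated password for existing account $AccountName"
} else {
    New-LocalUser -Name $AccountName -Password $password `
        -Description 'Veeam repository access (created from prompt)' | Out-Null
    Write-Log "Created local account $AccountName"
}

# Least privilege: the account gets no admin rights; repository access comes from the folder ACL
if (Get-LocalGroupMember -Group 'Administrators' -Member $AccountName -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $AccountName
    Write-Log "Removed $AccountName from Administrators"
}
```

The log records only the account name and the action, never the secret, which is the property a default-credential approach cannot give you: once a password is in a script it is in every copy of that script.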