Veeam Windows Hardening Script - one-click hardening with CIS contents

The vision:

For years, I have been deeply involved in security topics, hardening practices, and strategies to make these concepts more practical and accessible in real-world scenarios. The challenge often lies in the high barriers and effort required for implementation, which discourages many customers, IT administrators, and even managed service providers.

In the realm of Disaster Recovery, I view security as one of the most critical building blocks. We live in an era where it’s no longer sufficient to simply have a backup; what truly matters is recoverability. To achieve this, it is essential to protect company backups as effectively as possible, ensuring resilience against potential threats.

Veeam, in its recent versions, has introduced the Security & Compliance Analyzer, which provides an initial assessment of how an environment is set up. This tool goes beyond technical measures and examines the architecture itself, including adherence to the 3-2-1 rule, the presence of air gaps, and more.

My goal is to develop a script that explicitly focuses on the Windows stack under the Veeam installation. A default Windows operating system is not optimized and inherently comes with numerous vulnerabilities that are often overlooked, posing significant risks.

To make this solution even more practical and user-friendly, I aim to create an interactive script that guides users step-by-step through the hardening process. The guiding principle for me is “Out-of-the-Box Security for Windows”, empowering users to achieve a secure baseline effortlessly while reducing complexity.

CIS Benchmark:

The foundation of my script is aligned with the latest recommendations from the Center for Internet Security (CIS). Specifically, I utilized the CIS Benchmarks, focusing on the guidelines for Windows Server 2022, as of November 2024.

These benchmarks provide a comprehensive framework with over 980 pages of content, detailing measures to harden and protect Windows Server operating systems for various scenarios.

I reviewed the table of contents and noted all rules and guidelines for non-domain-joined systems. In the second step, I converted these rules into a script and tested them.

Disclaimer:

Important: I do not provide any guarantees that the script I have successfully tested will run without errors in every environment. The script is solely intended to simplify and standardize hardening standards, which may not be applicable or appropriate for all environments! Furthermore, I do not guarantee the completeness of the tests!

Applying the script in existing installations:

I have also conducted the above-mentioned tests on an existing environment that was installed as an Advanced Deployment. I applied the script and verified the functionality of the environment. A clear limitation here is that, for example, a service account for Veeam is created, which may already exist or may not be further utilized after creation, as Veeam is already installed and configured.

Prerequisities and procedure:

The script is primarily designed for new installations!

• The server must not be a domain member
• Initial login and script execution must be performed with the built-in Administrator
• OS: Windows Server 2022 Standard oder Datacenter

1. Install Windows Server (as required).
2. Install drivers (VMware Tools or vendor-specific drivers).
3. Set IP configurations (assign IP address, etc.).
4. Set server name and workgroup, then restart the server.
5. Create a folder named “Install” on drive C:.
6. Copy the contents of the ZIP file (script and ntrights.exe) into the Install folder.
7. Execute the script with administrative privileges (PowerShell).
8. Allow the server to restart and install Veeam, specifying the service account.
9. Apply / implement the Veeam Security & Compliance script.

Important: I recommend familiarizing yourself with the content listed below, as it introduces changes that may affect the operation of the system!

For example, an idle timeout of 15 minutes is configured. This means that an active session will be disconnected after 15 minutes, and all open windows and processes within that session will be terminated.

Roadmap:

1. Extraction of templates, GPOs, and registry keys based on the CIS benchmark
2. Creation of a comprehensive PowerShell script from the notes with the assistance of AI
3. Testing the script and its executability
4. Review and optimization of the script and implemented options
5. Installation of Veeam Backup & Replication and Veeam Enterprise Manager, followed by production testing
6. Documentation/commenting of the script
7. Outlook on further tasks

Forecast on further To-Dos:

• Testing the script with VeeamONE and Veeam Recovery Orchestrator
• Testing and extending the script for Windows Server 2025
• Continuous optimization of reporting and output
• Incorporating feedback from the community

Community feedback:

This is a community-driven project initiated by me. Specifically, this means that I not only rely on feedback from the community but actively welcome it. The reasoning behind this is that the Veeam community includes many brilliant minds who are deeply immersed (even more so than I am) in IT security and coding. Their inputs will undoubtedly be highly valuable and will help shape future versions of the script.

Testing the script:

I thoroughly tested the script within my lab environment and successfully validated the following scenarios:

• Installation and configuration of Veeam Backup & Replication v12.3.0.310
• Installation and configuration of Veeam Enterprise Manager v12.3.0.310
• Integration of a vSphere environment (vCenter) and creation of backup jobs
• Integration of a Hyper-V environment (Failover Cluster) and creation of backup jobs
• Execution of backup jobs using HotAdd transport mode
• Execution of backup jobs using NBD transport mode
• Execution of backup jobs using NBD (encrypted) transport mode
• Execution of Instant VM Recovery jobs with vSphere, including migrate to production
• Execution of Instant VM Recovery jobs with Hyper-V, including migrate to production
• Execution of Full Recovery jobs with vSphere
• Execution of Full Recovery jobs with Hyper-V
• Testing/application of Veeam Threat Hunters

Downloading the script:

Here is the corresponding GitHub link:

lukas-kl/veeam-win-hardening-script: Veeam Hardening Script for Windows (CIS contents)

I also uploaded a ZIP file including the current fileset to this post. Please refer to the GitHub link for the must current updates.

Execution & script contents (ReadMe):

The script must be executed with administrative privileges!

The script, including the ntrights.exe file, must be located in and executed from the following path:

C:\Install

ntrights.exe

The tool “ntrights.exe” is used to modify the local security policy of the Windows system and set various rules. The required .exe file is provided in a tested version, but it can also be downloaded manually if preferred. This tool is well-known and originates from the Windows Server 2003 Resource Kit.

Implemented contents of the script:

Since the content (which is around 1200 lines of code) and detailled policies is too long for this forum post (I now tried to upload this many times), please refer to the PDF file that is inside the .zip or use my blog instead:

18 – Veeam Windows Hardening Skript according to CIS defaults – Disaster and Recovery