
Veeam Windows Hardening Script - one-click hardening with CIS contents


lukas.k

The vision:

For years, I have been deeply involved in security topics, hardening practices, and strategies to make these concepts more practical and accessible in real-world scenarios. The challenge often lies in the high barriers and effort required for implementation, which discourages many customers, IT administrators, and even managed service providers.

 

In the realm of Disaster Recovery, I view security as one of the most critical building blocks. We live in an era where it's no longer sufficient to simply have a backup; what truly matters is recoverability. To achieve this, it is essential to protect company backups as effectively as possible, ensuring resilience against potential threats.

 

Veeam, in its recent versions, has introduced the Security & Compliance Analyzer, which provides an initial assessment of how an environment is set up. This tool goes beyond technical measures and examines the architecture itself, including adherence to the 3-2-1 rule, the presence of air gaps, and more.

 

My goal is to develop a script that explicitly focuses on the Windows stack underneath the Veeam installation. A default Windows installation is not hardened: it ships with numerous weak default settings that are often overlooked and pose significant risks.

 

To make this solution even more practical and user-friendly, I aim to create an interactive script that guides users step-by-step through the hardening process. The guiding principle for me is "Out-of-the-Box Security for Windows", empowering users to achieve a secure baseline effortlessly while reducing complexity.

 

CIS Benchmark:

The foundation of my script is aligned with the latest recommendations from the Center for Internet Security (CIS). Specifically, I utilized the CIS Benchmarks, focusing on the guidelines for Windows Server 2022, as of November 2024.

These benchmarks provide a comprehensive framework with over 980 pages of content, detailing measures to harden and protect Windows Server operating systems for various scenarios.

I reviewed the table of contents and noted all rules and guidelines for non-domain-joined systems. In the second step, I converted these rules into a script and tested them.

 

Disclaimer:

Important: I do not provide any guarantees that the script I have successfully tested will run without errors in every environment. The script is solely intended to simplify and standardize hardening standards, which may not be applicable or appropriate for all environments! Furthermore, I do not guarantee the completeness of the tests!

 

Applying the script in existing installations:

I have also conducted the above-mentioned tests on an existing environment that was installed as an Advanced Deployment. I applied the script and verified the functionality of the environment. One clear limitation here: the script creates a service account for Veeam, which in an existing installation may already exist, or may never be used after creation because Veeam is already installed and configured.

 

Prerequisites and procedure:

The script is primarily designed for new installations!

  • The server must not be a domain member
  • Initial login and script execution must be performed with the built-in Administrator
  • OS: Windows Server 2022 Standard or Datacenter
  1. Install Windows Server (as required).
  2. Install drivers (VMware Tools or vendor-specific drivers).
  3. Set IP configurations (assign IP address, etc.).
  4. Set server name and workgroup, then restart the server.
  5. Create a folder named "Install" on drive C:.
  6. Copy the contents of the ZIP file (script and ntrights.exe) into the Install folder.
  7. Execute the script with administrative privileges (PowerShell).
  8. Allow the server to restart and install Veeam, specifying the service account.
  9. Apply / implement the Veeam Security & Compliance script.
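As an added example (not part of the hardening script itself), the following PowerShell pre-flight check verifies the prerequisites listed above before step 7 is started: workgroup membership, the built-in Administrator account, elevation, the OS edition, and the presence of the files in C:\Install. The script file name `Harden.ps1` is a placeholder; substitute the real name from the ZIP.

```powershell
# Added example, not code from the hardening script: pre-flight checks for the
# prerequisites listed in the post. Assumptions: the folder is C:\Install and
# the helper is ntrights.exe (both stated above); 'Harden.ps1' is a placeholder.

$InstallDir    = 'C:\Install'
$RequiredFiles = @('ntrights.exe', 'Harden.ps1')   # 'Harden.ps1' is a placeholder name

function Test-HardeningPrerequisites {
    $results = [ordered]@{}

    # 1. Not a domain member (the script targets workgroup servers only)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results['NotDomainJoined'] = -not $cs.PartOfDomain

    # 2. Running as the built-in Administrator (RID 500), not just any local admin.
    #    Checking the SID works even if the account has been renamed.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $results['BuiltInAdministrator'] = $identity.User.Value.EndsWith('-500')

    # 3. Elevated process ("Run as administrator")
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $results['Elevated'] = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # 4. Supported OS: Windows Server 2022 Standard or Datacenter
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results['WindowsServer2022'] = $os.Caption -match 'Windows Server 2022 (Standard|Datacenter)'

    # 5. Script and ntrights.exe are present in C:\Install and we run from there
    $results['InstallFolderPresent'] = Test-Path -Path $InstallDir -PathType Container
    foreach ($f in $RequiredFiles) {
        $results["File_$f"] = Test-Path -Path (Join-Path $InstallDir $f) -PathType Leaf
    }
    $results['RunningFromInstallDir'] = (Get-Location).Path.TrimEnd('\') -ieq $InstallDir

    return $results
}

$checks = Test-HardeningPrerequisites
$checks.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $state, $_.Key)
}

if ($checks.Values -contains $false) {
    Write-Warning 'One or more prerequisites are not met. Fix them before running the hardening script.'
    exit 1
}
Write-Host 'All prerequisites met.'
```

Run it from an elevated PowerShell in C:\Install; any line reported as FAIL corresponds directly to one of the prerequisites above, so it is obvious what still has to be fixed before the hardening script is executed.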

 

Important: I recommend familiarizing yourself with the content listed below, as it introduces changes that may affect the operation of the system!

 

For example, an idle timeout of 15 minutes is configured. This means that an active session will be disconnected after 15 minutes, and all open windows and processes within that session will be terminated.
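To make that behaviour inspectable, here is an added example (not code from the hardening script) that reads and sets the idle-session limit. It assumes the 15-minute timeout is implemented through the CIS Remote Desktop Services policy values "Set time limit for active but idle Remote Desktop Services sessions" (MaxIdleTime) and "End session when time limits are reached" (fResetBroken); the PDF in the ZIP lists the exact keys the script writes.

```powershell
# Added example, not part of the hardening script. Assumption: the idle timeout
# is implemented via the two RDS policy registry values below.

$RdsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-IdleTimeoutState {
    # Returns the current values, or $null for a value that is not set
    $props = Get-ItemProperty -Path $RdsPolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # MaxIdleTime is stored in milliseconds
        MaxIdleTimeMinutes = if ($null -ne $props.MaxIdleTime) { $props.MaxIdleTime / 60000 } else { $null }
        EndSessionOnLimit  = if ($null -ne $props.fResetBroken) { [bool]$props.fResetBroken } else { $null }
    }
}

function Set-IdleTimeout {
    param(
        [ValidateRange(1, 1440)] [int] $Minutes = 15,
        [bool] $EndSession = $true
    )
    if (-not (Test-Path $RdsPolicyKey)) { New-Item -Path $RdsPolicyKey -Force | Out-Null }

    # 15 minutes = 900000 ms
    Set-ItemProperty -Path $RdsPolicyKey -Name MaxIdleTime -Type DWord -Value ($Minutes * 60000)

    # fResetBroken = 1 ends (logs off) the session instead of only disconnecting
    # it, which is what terminates the open windows and processes in that session
    Set-ItemProperty -Path $RdsPolicyKey -Name fResetBroken -Type DWord -Value ([int]$EndSession)
}

'Before:'; Get-IdleTimeoutState | Format-List
Set-IdleTimeout -Minutes 15 -EndSession $true
'After:';  Get-IdleTimeoutState | Format-List
```

Get-IdleTimeoutState is the part to keep around: run it after the hardening script to confirm the limit is really in place, and before a long maintenance session to know what to expect. The values are policy settings and apply to newly established sessions.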

 

Roadmap:

  1. Extraction of templates, GPOs, and registry keys based on the CIS benchmark
  2. Creation of a comprehensive PowerShell script from the notes with the assistance of AI
  3. Testing the script and its executability
  4. Review and optimization of the script and implemented options
  5. Installation of Veeam Backup & Replication and Veeam Enterprise Manager, followed by production testing
  6. Documentation/commenting of the script
  7. Outlook on further tasks

 

Forecast on further To-Dos:

  • Testing the script with VeeamONE and Veeam Recovery Orchestrator
  • Testing and extending the script for Windows Server 2025
  • Continuous optimization of reporting and output
  • Incorporating feedback from the community

 

Community feedback:

This is a community-driven project initiated by me. Specifically, this means that I not only rely on feedback from the community but actively welcome it. The reasoning behind this is that the Veeam community includes many brilliant minds who are deeply immersed (even more so than I am) in IT security and coding. Their inputs will undoubtedly be highly valuable and will help shape future versions of the script.

 

Testing the script:

I thoroughly tested the script within my lab environment and successfully validated the following scenarios:

  • Installation and configuration of Veeam Backup & Replication v12.3.0.310
  • Installation and configuration of Veeam Enterprise Manager v12.3.0.310
  • Integration of a vSphere environment (vCenter) and creation of backup jobs
  • Integration of a Hyper-V environment (Failover Cluster) and creation of backup jobs
  • Execution of backup jobs using HotAdd transport mode
  • Execution of backup jobs using NBD transport mode
  • Execution of backup jobs using NBD (encrypted) transport mode
  • Execution of Instant VM Recovery jobs with vSphere, including migrate to production
  • Execution of Instant VM Recovery jobs with Hyper-V, including migrate to production
  • Execution of Full Recovery jobs with vSphere
  • Execution of Full Recovery jobs with Hyper-V
  • Testing/application of Veeam Threat Hunters

 

Downloading the script:

Here is the corresponding GitHub link:

lukas-kl/veeam-win-hardening-script: Veeam Hardening Script for Windows (CIS contents)

I also uploaded a ZIP file including the current fileset to this post. Please refer to the GitHub link for the most current updates.

 

Execution & script contents (ReadMe):

The script must be executed with administrative privileges!

The script, including the ntrights.exe file, must be located in and executed from the following path:

C:\Install

 

ntrights.exe

The tool "ntrights.exe" is used to modify the local security policy of the Windows system and set various rules. The required .exe file is provided in a tested version, but it can also be downloaded manually if preferred. This tool is well-known and originates from the Windows Server 2003 Resource Kit.
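The following is an added example (not the hardening script's own code) of how ntrights.exe is typically driven from PowerShell and, more importantly, how the result is verified afterwards from an exported local security policy instead of trusting the exit code alone. It assumes ntrights.exe sits in C:\Install as described above; the account name `svc-veeam` and the chosen user right are placeholders.

```powershell
# Added example, not part of the hardening script. Assumptions: ntrights.exe is
# in C:\Install; 'svc-veeam' and 'SeServiceLogonRight' are placeholder values.

$NtRights = 'C:\Install\ntrights.exe'

function Grant-UserRight {
    param(
        [Parameter(Mandatory)] [string] $Account,   # e.g. 'svc-veeam' (local) or 'DOMAIN\user'
        [Parameter(Mandatory)] [string] $Right,     # privilege constant, e.g. 'SeServiceLogonRight'
        [switch] $Revoke                            # use -r (revoke) instead of +r (grant)
    )
    $op = if ($Revoke) { '-r' } else { '+r' }
    # ntrights syntax: ntrights -u <account> +r|-r <privilege> [-m \\computer]
    & $NtRights -u $Account $op $Right | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "ntrights.exe failed with exit code $LASTEXITCODE for $Right on $Account"
    }
}

function Test-UserRight {
    # Exports the User Rights Assignment area with secedit and checks whether the
    # account's SID is listed for the given privilege
    param(
        [Parameter(Mandatory)] [string] $Account,
        [Parameter(Mandatory)] [string] $Right
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match "^\s*$Right\s*=" }
        if (-not $line) { return $false }          # privilege assigned to nobody
        # Entries look like "*S-1-5-21-..." (SIDs) or plain names, comma separated
        $entries = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
        return ($entries -contains $sid) -or ($entries -contains $Account)
    }
    finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

# Example run with placeholder values: give the Veeam service account "Log on as a service"
$svc   = 'svc-veeam'
$right = 'SeServiceLogonRight'
Grant-UserRight -Account $svc -Right $right
if (Test-UserRight -Account $svc -Right $right) {
    Write-Host "$right is assigned to $svc"
} else {
    Write-Warning "$right was not found for $svc after applying it"
}
```

Test-UserRight is also the quickest way to review what the hardening script changed: call it for the deny-logon rights CIS assigns to service accounts and for the rights of the built-in Administrator, and compare the result against the policy list in the PDF.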

 

Implemented contents of the script:

Since the script content (around 1,200 lines of code) and the detailed policy list are too long for this forum post (I have tried to upload them several times), please refer to the PDF file inside the ZIP or to my blog instead:

 

18 – Veeam Windows Hardening Skript according to CIS defaults – Disaster and Recovery

25 comments

Dynamic
  • Influencer
  • 361 comments
  • December 16, 2024

Well done my friend, as discussed with you the last days, this will really help us a lot. 💚👍
Can't wait to test this out, appreciate it!


Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8402 comments
  • December 16, 2024

Great looking project here Lukas.  I am going to take a look and possibly try this out in my lab.  Will provide feedback as I go.


Madi.Cristil
  • Community Manager
  • 616 comments
  • December 16, 2024

Great job in here, Lukas! 


Andanet
  • Veeam Legend
  • 350 comments
  • December 16, 2024

WOW @lukas.k

I haven't seen the script yet or read your article in depth, but it's the same goal I was focusing on... let's say… I saved some time... thanks for sharing.


marco_s
  • Influencer
  • 368 comments
  • December 16, 2024

Wow, great effort Lukas!! 👍🏻

It will take some time to verify all these lines of code! 😁


lukas.k
  • Author
  • Influencer
  • 186 comments
  • December 16, 2024
Andanet wrote:

WOW @lukas.k

I haven't seen the script yet or read your article in depth, but it's the same goal I was focusing on... let's say… I saved some time... thanks for sharing.

In case you have experience in designing reports in HTML (e.g.) please feel free to reach out, maybe we could collaborate. Based on the amount of policies / keys that are applied this is an own project I'm afraid… 😁


dips
  • Veeam Legend
  • 808 comments
  • December 16, 2024

This is awesome. Well done @lukas.k


AndrePulia
  • Veeam Legend
  • 318 comments
  • December 16, 2024

Hi @lukas.k, that is brilliant, thank you!
Just a question, will your script replace the https://www.veeam.com/kb4525 "Script to Automate Implementation of Security & Compliance Analyzer Recommendations"?


Iams3le
  • Veeam Legend
  • 1374 comments
  • December 16, 2024
marco_s wrote:

Wow, great effort Lukas!! 👍🏻

It will take some time to verify all these lines of code! 😁

Thank you @lukas.k for the script, indeed that was a lot! BTW, it is actually great to have an alternative script based on the CIS benchmark for Out-of-the-Box Security for Windows. Do you have a policy to disable the execution policy after applying this script? Or what other strategies do you have in place to mitigate or ensure that only this script is able to run, as this will help reduce the risk of running untrusted or harmful scripts on your server.


Iams3le
  • Veeam Legend
  • 1374 comments
  • December 16, 2024

> This is a community-driven project initiated by me. Specifically, this means that I not only rely on feedback from the community but actively welcome it.

Here is a scenario I would like you to reproduce to see if it affects your script as well: "https://www.veeam.com/kb4698", as reported by @vAdmin today.


lukas.k
  • Author
  • Influencer
  • 186 comments
  • December 16, 2024
AndrePulia wrote:

Hi @lukas.k, that is brilliant, thank you!
Just a question, will your script replace the https://www.veeam.com/kb4525 "Script to Automate Implementation of Security & Compliance Analyzer Recommendations"?

Hi and thank you for the positive feedback! This will not replace the Security & Compliance script, because that script covers the architecture as well (3-2-1 rule, air-gapping, immutability and design topics) besides some technical stuff.

My script is dedicated to the preparation of the underlaying Windows OS. You should run both scripts, first the OS script (my hardening script above), then install Veeam, then run the Security & Compliance script.


Dynamic
  • Influencer
  • 361 comments
  • December 16, 2024
AndrePulia wrote:

Hi @lukas.k, that is brilliant, thank you!
Just a question, will your script replace the https://www.veeam.com/kb4525 "Script to Automate Implementation of Security & Compliance Analyzer Recommendations"?

 

Hi Andre, Lukas' script does not replace KB4525. Lukas' intent is to help us harden our Windows-based VBR (with focus on CIS). Use it as an additional tool/script to secure your underlying Windows system.

 

edit: Lukas was faster 😅


lukas.k
  • Author
  • Influencer
  • 186 comments
  • December 16, 2024
Iams3le wrote:
marco_s wrote:

Wow, great effort Lukas!! 👍🏻

It will take some time to verify all these lines of code! 😁

Thank you @lukas.k for the script, indeed that was a lot! BTW, it is actually great to have an alternative script based on the CIS benchmark for Out-of-the-Box Security for Windows. Do you have a policy to disable the execution policy after applying this script? Or what other strategies do you have in place to mitigate or ensure that only this script is able to run, as this will help reduce the risk of running untrusted or harmful scripts on your server.

Thank you for the feedback!

I currently do not have a policy implemented to disable PS in general. I'm still evaluating if Veeam (or upgrades in underlying components or Veeam itself) has dependencies on PS. Keep in mind that depending on the architecture you want to be able to run scripts in general, e.g. the Security & Compliance script has to be executed after the OS hardening script, so I can't trigger that command during my script.

I noted this on my agenda to spend some thoughts on this. Maybe this requires some manual advice to disable PS after everything (including both scripts) is done and re-activate it to perform certain actions.

 

Basically the usage of any script doesn't prevent thoughts on hardened architecture strategies such as disabling internet access, isolating Veeam components from production networks, using PAWs etc.


lukas.k
  • Author
  • Influencer
  • 186 comments
  • December 16, 2024
Iams3le wrote:

> This is a community-driven project initiated by me. Specifically, this means that I not only rely on feedback from the community but actively welcome it.

Here is a scenario I would like you to reproduce to see if it affects your script as well: "https://www.veeam.com/kb4698", as reported by @vAdmin today.

I noted this on my agenda. I tested the script and made final changes at the end of last week and I've used the latest ISO available. Since this is a more recent topic I will test this again and share some feedback asap!

 

Hint: I'm 90% sure there will be no issue, here's why:

The error seems to be caused by the Windows Script Host being disabled. My script does not disable it yet, but the Security & Compliance script (which should be executed anyway after the initial Veeam installation & configuration) will, so basically: yes, you might run into this error when you follow the process from start to finish (which runs the S&C script), but you might not when you only execute my script.

 

I will test it either way and share feedback. 😊


AndrePulia
  • Veeam Legend
  • 318 comments
  • December 17, 2024
lukas.k wrote:
AndrePulia wrote:

Hi @lukas.k, that is brilliant, thank you!
Just a question, will your script replace the https://www.veeam.com/kb4525 "Script to Automate Implementation of Security & Compliance Analyzer Recommendations"?

Hi and thank you for the positive feedback! This will not replace the Security & Compliance script, because that script covers the architecture as well (3-2-1 rule, air-gapping, immutability and design topics) besides some technical stuff.

My script is dedicated to the preparation of the underlaying Windows OS. You should run both scripts, first the OS script (my hardening script above), then install Veeam, then run the Security & Compliance script.

Hi @lukas.k, thank you for clarifying.


AndrePulia
  • Veeam Legend
  • 318 comments
  • December 17, 2024
Dynamic wrote:
AndrePulia wrote:

Hi @lukas.k, that is brilliant, thank you!
Just a question, will your script replace the https://www.veeam.com/kb4525 "Script to Automate Implementation of Security & Compliance Analyzer Recommendations"?

 

Hi Andre, Lukas' script does not replace KB4525. Lukas' intent is to help us harden our Windows-based VBR (with focus on CIS). Use it as an additional tool/script to secure your underlying Windows system.

 

edit: Lukas was faster 😅

@Dynamic yes, he was faster, thank you!!! ;-)


MarcoLuvisi
  • Influencer
  • 265 comments
  • December 18, 2024

Hopefully soon the only TCP port to VBR will be 443 😎 !

 

Thank you @lukas.k for sharing your good work!


lukas.k
  • Author
  • Influencer
  • 186 comments
  • December 20, 2024
Iams3le wrote:

> This is a community-driven project initiated by me. Specifically, this means that I not only rely on feedback from the community but actively welcome it.

Here is a scenario I would like you to reproduce to see if it affects your script as well: "https://www.veeam.com/kb4698", as reported by @vAdmin today.

Hi @Iams3le,

As promised I ran some tests and this is the result:

As expected, the script does not affect or reproduce the error mentioned in the KB article. This is because my script does not disable the Windows Script Host service, which seems to be required during the upgrade process.

The Security & Compliance analyzer script does so it does affect the process but I intentionally did not let the S&C script run but just mine (before the installation).

 

Hope that helps! Take care!

Lukas
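Two things in this thread come down to "which script engines are still enabled on the box": the question about restricting PowerShell after both scripts have run, and the Windows Script Host state behind KB4698. As an added example (not part of the hardening script or of the Security & Compliance script), the audit below reports the PowerShell execution policy at every scope, whether script block logging is on, and whether WSH has been disabled, so the state can be checked before an upgrade or after the S&C script has run. The registry locations used are the standard policy keys for these settings.

```powershell
# Added example, not part of either script discussed in this thread. It reads
# the standard policy locations for the PowerShell execution policy, script
# block logging and the Windows Script Host "Enabled" flag.

function Get-ScriptEngineState {
    # Execution policy at every scope; the effective policy is the first scope
    # from the top of this list that is not Undefined
    $policies = @(Get-ExecutionPolicy -List | ForEach-Object {
        [pscustomobject]@{ Control = "PS ExecutionPolicy ($($_.Scope))"; Value = "$($_.ExecutionPolicy)" }
    })

    # Script block logging (event ID 4104): a detection control that keeps
    # working even where scripts must remain allowed
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
               -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $sblState = if ($null -eq $sbl) { 'not configured' }
                elseif ($sbl.EnableScriptBlockLogging -eq 1) { 'enabled' }
                else { 'disabled' }

    # Windows Script Host: Enabled = 0 under this key disables cscript/wscript
    $wsh = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' `
               -Name Enabled -ErrorAction SilentlyContinue
    $wshState = if ($null -eq $wsh) { 'enabled (default, value absent)' }
                elseif ($wsh.Enabled -eq 0) { 'disabled' }
                else { 'enabled' }

    $policies + @(
        [pscustomobject]@{ Control = 'PS ScriptBlockLogging'; Value = $sblState }
        [pscustomobject]@{ Control = 'Windows Script Host';   Value = $wshState }
    )
}

$state = Get-ScriptEngineState
$state | Format-Table -AutoSize

# Before a Veeam upgrade: point at the KB article if WSH is off
if (($state | Where-Object Control -eq 'Windows Script Host').Value -eq 'disabled') {
    Write-Warning 'Windows Script Host is disabled on this server; see https://www.veeam.com/kb4698 before upgrading Veeam.'
}
```

One design note on the execution-policy question: the execution policy is a safety feature against accidental execution, not a security boundary, so the two lines that matter most for "only this script should run" are script block logging (so anything that does run is recorded) and a separate application-control mechanism; the audit above simply makes the current state visible.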


Iams3le
  • Veeam Legend
  • 1374 comments
  • December 20, 2024
lukas.k wrote:
Iams3le wrote:

> This is a community-driven project initiated by me. Specifically, this means that I not only rely on feedback from the community but actively welcome it.

Here is a scenario I would like you to reproduce to see if it affects your script as well: "https://www.veeam.com/kb4698", as reported by @vAdmin today.

Hi @Iams3le,

As promised I ran some tests and this is the result:

As expected, the script does not affect or reproduce the error mentioned in the KB article. This is because my script does not disable the Windows Script Host service, which seems to be required during the upgrade process.

The Security & Compliance analyzer script does so it does affect the process but I intentionally did not let the S&C script run but just mine (before the installation).

 

Hope that helps! Take care!

Lukas

Thank you very much @lukas.k for the exceptional script and tests you have performed so far! Cheers and merry Christmas in advance


leduardoserrano

Great project, congratulations @lukas.k! 👍🏻


Link State
  • Veeam Legend
  • 602 comments
  • December 29, 2024

Hi @lukas.k, great work. Thank you

If you are interested, here (Hardening Active Directory - GPO MSCT 1.0 CIS Benchmark - Policy Analyser | Veeam Community Resource Hub) you will find a post of mine pertaining to hardening Active Directory with CIS GPOs. 😉

 


lukas.k
  • Author
  • Influencer
  • 186 comments
  • December 30, 2024
Link State wrote:

Hi @lukas.k, great work. Thank you

If you are interested, here (Hardening Active Directory - GPO MSCT 1.0 CIS Benchmark - Policy Analyser | Veeam Community Resource Hub) you will find a post of mine pertaining to hardening Active Directory with CIS GPOs. 😉

 

Nice, thanks for the offer! That could be a great approach / combination to harden Veeam deployments within management domains (or DR domains)!


lukas.k
  • Author
  • Influencer
  • 186 comments
  • January 31, 2025

Hi folks!

Just a quick catch up: I recently ran the script successfully on my 3rd production deployment for customers. Until now - the oldest deployment is around 4 weeks old and live - I can only share positive feedback and no issues at all.

 

In case someone runs into errors please keep me posted to give me the chance to optimize the script. I'm already working on the next version so stay tuned!


dloseke
  • On the path to Greatness
  • 1447 comments
  • February 3, 2025

This is a very cool project and I look forward to seeing where it goes.  Congrats Lukas on this initiative.


BertrandFR
  • Influencer
  • 527 comments
  • February 14, 2025

An excellent initiative! Thanks for sharing. @lukas.k
In the past I've also seen powershell scripts for checking compliance of  system OS hardening, integrated directly into the monitoring or SIEM system. I will check if i can do POC based on your work.

