Exit the Veeam server from the Domain

[GianlucaCroci]

Hello,
we're working to remove Veeam servers from the corporate domain, in order to increase security.
We've already created local users with different passwords, and now I'd like to increase the security at the Windows Firewall level.
The various servers already have inbound and outbound rules, but I'd like to specify the Veeam server IPs where possible, in order to minimize the ability to access servers on the ports used by Veeam.

I found the page where the various ports to use and the protocol are indicated for each service, but I don't know in which rules I can also indicate the IPs in the "Scope" part (Remote IP Address)

Can you tell me if there are any indications on this?


Here the firewall rules and services

Code: Select all

Status  Name                      DisplayName
------  ----                      -----------
Running VeeamAWSSvc               Veeam AWS Service
Running VeeamAzureSvc             Veeam Azure Service
Running VeeamBackupCdpSvc         Veeam CDP Coordinator Service
Running VeeamBackupRESTSvc        Veeam Backup Server RESTful API Service
Running VeeamBackupSvc            Veeam Backup Service
Running VeeamBrokerSvc            Veeam Broker Service
Running VeeamCatalogSvc           Veeam Guest Catalog Service
Running VeeamCloudSvc             Veeam Cloud Connect Service
Running VeeamDeploySvc            Veeam Installer Service
Running VeeamDistributionSvc      Veeam Distribution Service
Running VeeamEndpointBackupSvc    Veeam Agent for Microsoft Windows
Running VeeamExplorersRecoverySvc Veeam Explorers Recovery Service
Running VeeamFilesysVssSvc        Veeam Backup VSS Integration Service
Running VeeamGCPSvc               Veeam GCP Service
Running VeeamMountSvc             Veeam Mount Service
Running VeeamNFSSvc               Veeam vPower NFS Service
Running VeeamOneAgentSvc          Veeam ONE Agent
Running VeeamTransportSvc         Veeam Data Mover Service
Running VeeamVssProviderSvc       Veeam VSS Hardware Provider Service
Running VeeamWANSvc               Veeam WAN Accelerator Service
--------------------------------------------------------------------------------------------------------
DisplayName : Veeam WAN Accelerator Service (In)
description : Inbound rule for Veeam WAN Accelerator Service

DisplayName : Veeam WAN Accelerator Service (Out)
description : Outbound rule for Veeam WAN Accelerator Service

DisplayName : Veeam ONE Agent (In)
description : Inbound rule for Veeam ONE agent

DisplayName : Veeam Catalog Service (In)
description : Inbound rule for Veeam Catalog Service

DisplayName : Veeam Catalog Service (Out)
description : Outbound rule for Veeam Catalog Service

DisplayName : Veeam Data Mover (Veeam Catalog Service)  (In)
description : Inbound rule for Veeam Data Mover included with Veeam Catalog Service

DisplayName : Veeam Data Mover (Veeam Catalog Service)  (Out)
description : Outbound rule for Veeam Data Mover included with Veeam Catalog Service

DisplayName : Veeam Broker Service (In)
description : Inbound rule for Veeam Broker Service

DisplayName : Veeam Broker Service (Out)
description : Outbound rule for Veeam Broker Service

DisplayName : Veeam Backup CDP Coordinator Service (In)
description : Inbound rule for Veeam Backup CDP Coordinator Service

DisplayName : Veeam Backup CDP Coordinator Service (Out)
description : Outbound rule for Veeam Backup CDP Coordinator Service

DisplayName : Veeam Backup CDP Coordinator Service Communication (In)
description : Inbound rule for secure connections between Veeam Backup CDP Coordinator Service components

DisplayName : Veeam Backup CDP Coordinator Service Communication (Out)
description : Outbound  rule for secure connections between Veeam Backup CDP Coordinator Service components

DisplayName : Veeam Backup Remote PowerShell Manager (In)
description : Inbound rule for Veeam Backup Remote PowerShell Manager

DisplayName : Veeam Backup Remote PowerShell Manager (Out)
description : Outbound rule for Veeam Backup Remote PowerShell Manager

DisplayName : Veeam Backup Server RESTful API Service (In)
description : Inbound rule for Veeam Backup Server RESTful API Service

DisplayName : Veeam Backup Server RESTful API Service (Out)
description : Outbound rule for Veeam Backup Server RESTful API Service

DisplayName : Veeam Backup UI Server (In)
description : Inbound rule for Veeam  Backup UI Server

DisplayName : Veeam Backup UI Server (Out)
description : Outbound rule for Veeam Backup UI Server

DisplayName : Veeam Data Mover (In)
description : Inbound rule for Veeam Data Mover included with Veeam Backup and Replication

DisplayName : Veeam Data Mover (Out)
description : Outbound rule for Veeam Data Mover included with Veeam Backup and Replication

DisplayName : Veeam Cloud Connect Service (In)
description : Inbound rule for Veeam Cloud Connect Service

DisplayName : Veeam Cloud Connect Service (Out)
description : Outbound rule for Veeam Cloud Connect Service

DisplayName : Veeam Backup Management Service (In)
description : Inbound rule for Veeam Backup Management Service

DisplayName : Veeam Backup Management Service (Out)
description : Outbound rule for Veeam Backup Management Service

DisplayName : Veeam Backup Secure Communication (In)
description : Inbound rule for secure connections between Veeam Backup & Replication components

DisplayName : Veeam Backup Secure Communication (Out)
description : Outbound rule for secure connections between Veeam Backup & Replication components

DisplayName : Veeam Traffic Redirector (In)
description : Inbound rule for Veeam Traffic Redirector included with Veeam Backup & Replication

DisplayName : Veeam Traffic Redirector (Out)
description : Outbound rule for Veeam Traffic Redirector included with Veeam Backup & Replication

DisplayName : Veeam VSS Hardware Provider Service (In)
description : Inbound rule for Veeam VSS Hardware Provider Service

DisplayName : Veeam VSS Hardware Provider Service (Out)
description : Outbound rule for Veeam VSS Hardware Provider Service

DisplayName : Veeam vPower NFS Service (In)
description : Inbound rule for Veeam vPower NFS Service

DisplayName : Veeam vPower NFS Service (Out)
description : Outbound rule for Veeam vPower NFS Service

DisplayName : Veeam Traffic Redirector (Veeam Backup & Replication console) (In)
description : Inbound rule for Veeam Network Traffic included with Veeam Backup & Replication console

DisplayName : Veeam Traffic Redirector (Veeam Backup & Replication console) (Out)
description : Outbound rule for Veeam Network Traffic included with Veeam Backup & Replication console

DisplayName : Veeam Backup & Replication Console (Out)
description : Outbound rule for Veeam Backup & Replication Console

DisplayName : Veeam Installer Service (Veeam Backup and Replication) (In)
description : Inbound rule for Veeam Installer Service included with Veeam Backup and Replication

DisplayName : Veeam Installer Service (Veeam Backup and Replication) (Out)
description : Outbound rule for Veeam Installer Service included with Veeam Backup and Replication

DisplayName : Veeam AWS Service (In)
description : Inbound rule for Veeam AWS Service.

DisplayName : Veeam AWS Service (Out)
description : Outbound rule for Veeam AWS Service.

DisplayName : Veeam AWS UI (Out)
description : Outbound rule for Veeam AWS UI.

DisplayName : Veeam Azure Service (In)
description : Inbound rule for Veeam for Azure Platform Service

DisplayName : Veeam Azure Service (Out)
description : Outbound rule for Veeam for Azure Platform Service

DisplayName : Veeam Azure UI (Out)
description : Outbound rule for Veeam Azure UI.

DisplayName : Veeam GCP Service (In)
description : Inbound rule for Veeam GCP Service

DisplayName : Veeam GCP Service (Out)
description : Outbound rule for Veeam GCP Service

DisplayName : Veeam GCP UI (Out)
description : Outbound rule for Veeam GCP UI.

DisplayName : Veeam Backup VSS Integration Service (In)
description : Inbound rule for Veeam Backup VSS Integration Service

DisplayName : Veeam Backup VSS Integration Service (Out)
description : Outbound rule for Veeam Backup VSS Integration Service

DisplayName : Veeam Guest Interaction Proxy (In)
description : Inbound rule for Veeam Guest Interaction Proxy

DisplayName : Veeam Guest Interaction Proxy (Out)
description : Outbound rule for Veeam Guest Interaction Proxy

DisplayName : Veeam Transport Service (In)
description : Inbound rule for Veeam Transport Service

DisplayName : Veeam Transport Service (Out)
description : Outbound rule for Veeam Transport Service

DisplayName : Veeam Data Mover x64 (Veeam Transport Service) (In)
description : Inbound rule for Veeam Data Mover x64 included with Veeam Transport Service

DisplayName : Veeam Data Mover x64 (Veeam Transport Service) (Out)
description : Outbound rule for Veeam Data Mover x64 included with Veeam Transport Service

DisplayName : Veeam Data Mover (Veeam Transport Service) (In)
description : Inbound rule for Veeam Data Mover included with Veeam Transport Service

DisplayName : Veeam Data Mover (Veeam Transport Service) (Out)
description : Outbound rule for Veeam Data Mover included with Veeam Transport Service

DisplayName : Veeam Mount Service (In)
description : Inbound rule for Veeam Mount Service

DisplayName : Veeam Mount Service (Out)
description : Outbound rule for Veeam Mount Service

DisplayName : Veeam Distribution Service (In)
description : Inbound rule for Veeam Distribution Service

DisplayName : Veeam Distribution Service (Out)
description : Outbound rule for Veeam Distribution Service

DisplayName : Veeam Recovery (Out)
description : Outbound rule for Veeam Recovery

DisplayName : Veeam Agent for Microsoft Windows Service (In)
description : Inbound rule for Veeam Agent for Microsoft Windows Service

DisplayName : Veeam Agent for Microsoft Windows Service (Out)
description : Outbound rule for Veeam Agent for Microsoft Windows Service

DisplayName : Veeam Data Mover x64 (Veeam Agent for Microsoft Windows) (In)
description : Inbound rule for Veeam Data Mover included with Veeam Agent for Microsoft Windows

DisplayName : Veeam Data Mover x64 (Veeam Agent for Microsoft Windows) (Out)
description : Outbound rule for Veeam Data Mover included with Veeam Agent for Microsoft Windows

DisplayName : Veeam Data Mover (Veeam Agent for Microsoft Windows) (In)
description : Inbound rule for Veeam Data Mover included with Veeam Agent for Microsoft Windows

DisplayName : Veeam Data Mover (Veeam Agent for Microsoft Windows) (Out)
description : Outbound rule for Veeam Data Mover included with Veeam Agent for Microsoft Windows

DisplayName : Veeam Installer Service (Veeam Agent for Microsoft Windows) (In)
description : Inbound rule for Veeam Installer Service included with Veeam Agent for Microsoft Windows

DisplayName : Veeam Installer Service (Veeam Agent for Microsoft Windows) (Out)
description : Outbound rule for Veeam Installer Service included with Veeam Agent for Microsoft Windows
--------------------------------------------------------------------------------------------------------

Thanks a lot in advance.
Kind regards
Gianluca

[Mildur]

Hi Gianluca

That's a long list. Do you want to know which rule is between which components?

have you tried to go through our guide and create the rules by yourself?
https://helpcenter.veeam.com/docs/backu ... ml?ver=110

[GianlucaCroci]

Hello Mildur,

thanks for your reply.

What I would like to know is which services or firewall rules are exclusively Veeam, so that I can enter the IPs of the Veeam servers, and which ones I can't touch and I've to leave ANY because they serve all the infrastructure.

Kind regards
Gianluca

[lang.matthias]

Hi Gianluca,

Maybe the "Hardening Guide" can help you..
https://bp.veeam.com/vbr/Security/infra ... ening.html

BR
Matthias

[Mildur]

Hi Gianluca

In your list, everything is exclusively from Veeam. But not all of them are required.
It depends mostly on what veeam products you are using and how you have installed the components. And then there are veeam services exclusively for HyperV and Services exclusively for VmWare. If you don't use our Cloud Products, you don't need the to open Ports for Azure, AWS or GCP.

If you want to harden your Veeam Server, then please follow the port list I have posted in my earlier answer.

[GianlucaCroci]

ok, thanks a lot.
I understand that's not simple to reply.

I'm watching the port list and the "Hardening Guide".

thanks you so much
Kind regards
Gianluca

[AhmedS]

Hello Gianluca
We did a similar thing a few months ago post a ransomware attack during which the attacker used a compromised domain admin account to log in to the B&R server and erased the repository.
You can do your own research for what is required in your specific implementation but in a nutshell these are what I implemented and haven't had any issues.
On the Proxy Servers:

Backup Proxy Inbound TCP
445,6160,2500-3300,6161,6162,49152-65535

Backup Proxy Outbound TCP
135, 443,445,902,49152-65535,111,2049, 2500, 3300

Backup Proxy Outbound UDP
111,2049

The commands, for ease:
netsh advfirewall firewall add rule name="Veeam Proxy Inbound (TCP)" dir=in action=allow protocol=TCP LocalPort=445,6160,2500-3300,6161,6162,49152-65535 enable=yes

netsh advfirewall firewall add rule name="Veeam Proxy Outbound (TCP)" dir=out action=allow protocol=TCP LocalPort=135, 443,445,902,49152-65535,111,2049, 2500, 3300 enable=yes

netsh advfirewall firewall add rule name="Veeam Proxy Outbound (UDP)" dir=out action=allow protocol=TCP LocalPort=111,2049 enable=yes


netsh advfirewall firewall add rule name="Veeam (DCOM-in)" dir=in action=allow protocol=TCP LocalPort=135 enable=yes program="%systemroot%\system32\svchost.exe" service=RPCSS remoteip=x.x.x.x

netsh advfirewall firewall add rule name="Veeam (SMB-in)" dir=in action=allow protocol=TCP LocalPort=445 enable=yes program=”System" remoteip=x.x.x.x

netsh advfirewall firewall add rule name="Veeam (WMI-in)" dir=in action=allow protocol=TCP LocalPort=RPC enable=yes program="%systemroot%\system32\svchost.exe" service=winmgmt remoteip=x.x.x.x

where remote IP is the VBR server IP address.

If I recall correctly, Veeam installer will create any rules required when installing the VBR server.
But these are what I have:

Code: Select all

Name	Group	Profile	Enabled	Action	Override	Program	Local Address	Remote Address	Protocol	Local Port	Remote Port	Authorized Users	Authorized Computers	Authorized Local Principals	Local User Owner	Application Package	
Veeam Enterprise Manager		Private, Public	Yes	Allow	No	Any	Any	192.168.1.1	TCP	9392, 2805, 135, 445	Any	Any	Any	Any	Any	Any
Veeam AWS Service (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Plugins\AWS\Service\Veeam.CloudBackup.PlatformService.exe	Any	Any	TCP	9402	Any	Any	Any	Any	Any	Any
Veeam Azure Service (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Plugins\Microsoft Azure\Service\Veeam.Azure.PlatformSvc.exe	Any	Any	TCP	20443	Any	Any	Any	Any	Any	Any
Veeam Backup CDP Coordinator Service (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Cdp.Service.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam Backup CDP Coordinator Service Communication (In)	Veeam Networking	All	Yes	Allow	No	Any	Any	Any	TCP	33034	Any	Any	Any	Any	Any	Any
Veeam Backup Management Service (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam Backup Remote PowerShell Manager (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.PSManager.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam Backup Secure Communication (In)	Veeam Networking	All	Yes	Allow	No	Any	Any	Any	TCP	9401	Any	Any	Any	Any	Any	Any
Veeam Backup Server RESTful API Service (In)	Veeam Networking	All	Yes	Allow	No	Any	Any	Any	TCP	9419	Any	Any	Any	Any	Any	Any
Veeam Backup UI Server (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.UIServer.exe	Any	Any	TCP	9396	Any	Any	Any	Any	Any	Any
Veeam Backup VSS Integration Service (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Backup File System VSS Integration\VeeamFilesysVssSvc.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam Broker Service (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.BrokerService.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam Catalog Service (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Backup and Replication\Backup Catalog\Veeam.Backup.CatalogDataService.exe	Any	Any	TCP	9393	Any	Any	Any	Any	Any	Any
Veeam Cloud Connect Service (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.CloudService.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam Data Mover (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Backup and Replication\Backup\WinAgent\VeeamAgent.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam Data Mover (Veeam Catalog Service)  (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Backup and Replication\Backup Catalog\WinAgent\VeeamAgent.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam Data Mover (Veeam Transport Service) (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files (x86)\Veeam\Backup Transport\x86\VeeamAgent.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam Data Mover x64 (Veeam Transport Service) (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files (x86)\Veeam\Backup Transport\x64\VeeamAgent.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam Distribution Service (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Veeam Distribution Service\Veeam.Backup.Agent.ConfigurationService.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam GCP Service (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Plugins\GCP\Service\Veeam.GCP.PlatformService.WebService.exe	Any	Any	TCP	9403	Any	Any	Any	Any	Any	Any
Veeam Guest Interaction Proxy (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files (x86)\Veeam\Backup Transport\GuestInteraction\Veeam.Guest.Interaction.Proxy.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam Installer Service (Veeam Backup and Replication) (In)	Veeam Networking	All	Yes	Allow	No	C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam Mount Service (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Common Files\Veeam\Backup and Replication\Mount Service\Veeam.Backup.MountService.exe	Any	Any	TCP	6170	Any	Any	Any	Any	Any	Any
Veeam ONE Agent (In)	Veeam Networking	All	Yes	Allow	No	Any	Any	Any	TCP	2805	Any	Any	Any	Any	Any	Any
Veeam Traffic Redirector (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Backup and Replication\Backup\VeeamNetworkRedirector.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam Traffic Redirector (Veeam Backup & Replication console) (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\Backup and Replication\Console\VeeamNetworkRedirector.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam Transport Service (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files (x86)\Veeam\Backup Transport\VeeamTransportSvc.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam vPower NFS Service (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files (x86)\Veeam\vPowerNFS\VeeamNFSSvc.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam VSS Hardware Provider Service (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\VSS Hardware Provider\Veeam.VssHwSnapshotProvider.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any
Veeam WAN Accelerator Service (In)	Veeam Networking	All	Yes	Allow	No	C:\Program Files\Veeam\WAN Accelerator Service\VeeamWANSvc.exe	Any	Any	TCP	Any	Any	Any	Any	Any	Any	Any

Sorry, but the formatting is way off in the message body. Private Message me if you want and I can email you an .xls extract.
Let us know how it goes, and if you have any better recommendations.
All the best.

[Link State]

Hi Gianluca,

check this for more detailed info on port

https://www.veeambp.com/ports/index.html
https://app.veeambp.com/veeamports
regards

[Frenchyaz]

You may not need to. It's been a while that we have implemented Veaam however at the time we put the server in the domain but prevented domain users, even domain admin to access it. Only the local administrators can connect. Maybe something you can look into?

[Steve-nIP]

But that won't help. A domain admin can push a new group policy to the machine to override the local settings.