-
- Veteran
- Posts: 543
- Liked: 63 times
- Joined: Jun 06, 2018 5:41 am
- Full Name: Per Jonsson
- Location: Sweden
- Contact:
Security & Compliance Analyzer
Folks,
When I run the Security & Compliance Analyzer, it says that "Windows firewall should be enabled" is Not Implemented.
I have the firewall enabled in the backup server and the repository servers. Should it be enabled also in the proxy servers in order to get a "Passed" result?
Kind regards,
PJ
When I run the Security & Compliance Analyzer, it says that "Windows firewall should be enabled" is Not Implemented.
I have the firewall enabled in the backup server and the repository servers. Should it be enabled also in the proxy servers in order to get a "Passed" result?
Kind regards,
PJ
-
- Veeam Software
- Posts: 51
- Liked: 21 times
- Joined: Feb 10, 2020 1:48 pm
- Full Name: Marina Skobeleva
- Contact:
Re: Security & Compliance Analyzer
Hi Per,
Security & Compliance Analyzer checks only Backup Server settings, firewall should be enabled for all network types:
More detail regarding this topic you can find in Security & Compliance Analyzer - User Guide for VMware vSphere.
Thank you!
Security & Compliance Analyzer checks only Backup Server settings, firewall should be enabled for all network types:
- Domain
- Private
- Public

More detail regarding this topic you can find in Security & Compliance Analyzer - User Guide for VMware vSphere.
Thank you!
-
- Veteran
- Posts: 543
- Liked: 63 times
- Joined: Jun 06, 2018 5:41 am
- Full Name: Per Jonsson
- Location: Sweden
- Contact:
Re: Security & Compliance Analyzer
Marina,
The backup server is not a member of our AD, and the firewall is enabled for "Private networks" and "Guest or Public networks".
So I don't understand why I don't get a "Passed" result, if the backup server is the only server that is checked.
PJ
The backup server is not a member of our AD, and the firewall is enabled for "Private networks" and "Guest or Public networks".
So I don't understand why I don't get a "Passed" result, if the backup server is the only server that is checked.
PJ
-
- Veteran
- Posts: 543
- Liked: 63 times
- Joined: Jun 06, 2018 5:41 am
- Full Name: Per Jonsson
- Location: Sweden
- Contact:
Re: Security & Compliance Analyzer
Also, the documentation that you linked to does not say what kind of registry value it should be, i.e. DWORD or String. Some of the values mentioned do not exist, so I must know what kind it should be when creating them. I have not checked the whole list, but the values for these keys do not exist:
WDigest, WPAD, Windows Script Host.
WDigest, WPAD, Windows Script Host.
-
- Veteran
- Posts: 363
- Liked: 39 times
- Joined: Oct 24, 2016 3:56 pm
- Full Name: Marco Sorrentino
- Location: Ancona - Italy
- Contact:
Re: Security & Compliance Analyzer
Hello @perjonsson1960, please check this KB https://www.veeam.com/kb4525.
You can find the script to automate those security best practices, and of course the related registry values.
You can find the script to automate those security best practices, and of course the related registry values.
-
- Veteran
- Posts: 543
- Liked: 63 times
- Joined: Jun 06, 2018 5:41 am
- Full Name: Per Jonsson
- Location: Sweden
- Contact:
Re: Security & Compliance Analyzer
Okay, thanks!
Should this script be executed in the repo servers, as well?
Also, when the script was executed in the backup server, and the "Host to proxy traffic encryption" part was run, it seems to have missed one proxy server, a physical machine that serves as a proxy only. At least it was not listed. I have all jobs on "Automatic selection", and that proxy is chosen sometimes.
Should this script be executed in the repo servers, as well?
Also, when the script was executed in the backup server, and the "Host to proxy traffic encryption" part was run, it seems to have missed one proxy server, a physical machine that serves as a proxy only. At least it was not listed. I have all jobs on "Automatic selection", and that proxy is chosen sometimes.
-
- Veteran
- Posts: 363
- Liked: 39 times
- Joined: Oct 24, 2016 3:56 pm
- Full Name: Marco Sorrentino
- Location: Ancona - Italy
- Contact:
Re: Security & Compliance Analyzer
The script is intended to be run only on the backup server.
For the other infrastructure components you can check the general guidelines:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
Personally, if a template with the desired features does not already exist, I use some portions of the script to fix Windows proxies.
Regarding the physical proxy, I do not know why it is not listed, check its settings, maybe it is already set.
For the other infrastructure components you can check the general guidelines:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
Personally, if a template with the desired features does not already exist, I use some portions of the script to fix Windows proxies.
Regarding the physical proxy, I do not know why it is not listed, check its settings, maybe it is already set.
-
- Veteran
- Posts: 543
- Liked: 63 times
- Joined: Jun 06, 2018 5:41 am
- Full Name: Per Jonsson
- Location: Sweden
- Contact:
-
- Veteran
- Posts: 543
- Liked: 63 times
- Joined: Jun 06, 2018 5:41 am
- Full Name: Per Jonsson
- Location: Sweden
- Contact:
Re: Security & Compliance Analyzer
Oh, another thing; For "Deprecated versions of SSL and TLS should be disabled" I get status "Unable to detect".
Do you have any idea about what could be the cause?
Do you have any idea about what could be the cause?
-
- Veeam Software
- Posts: 51
- Liked: 21 times
- Joined: Feb 10, 2020 1:48 pm
- Full Name: Marina Skobeleva
- Contact:
Re: Security & Compliance Analyzer
Hi @perjonsson1960,
Full list of register keys and values for passing this check, you can find in the article Security & Compliance Analyzer -> Configuration Parameters.
Thanks!
This status appears if specific registry key does not exist.Do you have any idea about what could be the cause?
Full list of register keys and values for passing this check, you can find in the article Security & Compliance Analyzer -> Configuration Parameters.
Thanks!
-
- Veteran
- Posts: 543
- Liked: 63 times
- Joined: Jun 06, 2018 5:41 am
- Full Name: Per Jonsson
- Location: Sweden
- Contact:
Re: Security & Compliance Analyzer
Okay, yes, these keys do not exist. There sure are a few... 
Luckily, the script can be used to create them.
Thanks!

Luckily, the script can be used to create them.

Thanks!
-
- Veeam Software
- Posts: 51
- Liked: 21 times
- Joined: Feb 10, 2020 1:48 pm
- Full Name: Marina Skobeleva
- Contact:
Re: Security & Compliance Analyzer
Happy to help!
-
- Veteran
- Posts: 543
- Liked: 63 times
- Joined: Jun 06, 2018 5:41 am
- Full Name: Per Jonsson
- Location: Sweden
- Contact:
Re: Security & Compliance Analyzer
One more thing; About the parameter "Windows Script Host should be disabled", where it says:
"Before disabling Windows Script Host, make sure that this service is not used by backup infrastructure components you plan to install on the backup server. If there are any (for example, PostgreSQL database), install these components first, then disable the service. To update these components, you need to enable the service temporarily."
What about when Veeam B&R itself is updated? If a new version or a patch is going to be installed, is it necessary to activate the Script Host before the install?
PJ
"Before disabling Windows Script Host, make sure that this service is not used by backup infrastructure components you plan to install on the backup server. If there are any (for example, PostgreSQL database), install these components first, then disable the service. To update these components, you need to enable the service temporarily."
What about when Veeam B&R itself is updated? If a new version or a patch is going to be installed, is it necessary to activate the Script Host before the install?
PJ
-
- Veteran
- Posts: 543
- Liked: 63 times
- Joined: Jun 06, 2018 5:41 am
- Full Name: Per Jonsson
- Location: Sweden
- Contact:
Re: Security & Compliance Analyzer
Has this thread been closed somehow, or is my question just difficult to answer? 

-
- Veeam Software
- Posts: 51
- Liked: 21 times
- Joined: Feb 10, 2020 1:48 pm
- Full Name: Marina Skobeleva
- Contact:
Re: Security & Compliance Analyzer
Hi Per,
Sorry for delayed response.
No, it's not necessary to enable Windows Script Host for update Veeam B&R itself.
Thanks!
Sorry for delayed response.
No, it's not necessary to enable Windows Script Host for update Veeam B&R itself.
Thanks!
-
- Veteran
- Posts: 543
- Liked: 63 times
- Joined: Jun 06, 2018 5:41 am
- Full Name: Per Jonsson
- Location: Sweden
- Contact:
Re: Security & Compliance Analyzer
Thank you!
I think I am all out of questions now.
Kind regards,
PJ
I think I am all out of questions now.

Kind regards,
PJ
Who is online
Users browsing this forum: Google [Bot], Semrush [Bot] and 38 guests