Feature Request - Veeam Windows Hardening Scripts by Veeam

[petesteven]

I’ve been getting asked quite often both internally and by customers whether the hardening script that Lukas Klostermann from Veeam published in the Veeam Community has been officially approved by Veeam.
Lukas has done a fantastic job here and is providing real value to the community. Community projects are great, but something like this needs to come directly from Veeam.
https://community.veeam.com/cyber-secur ... yzer-13113

For me, it would be important for this script—or a similar one—to be published directly by Veeam and come with full support and not from a private GitHub. Unfortunately, I don’t have that with Lukas’s script, so I can’t recommend it to customers or colleagues. Great for labs, but not for productive environments. With the community script, there is no guarantee that everything will still work with the next VBR update or that the update/upgrade will even complete, since this hasn’t been cross-checked internally at Veeam.
When it comes to security, this would definitely be a real added value alongside the “Security & Compliance Analyzer” script.

And please don’t reply with “Use VSA”—there are many customers who will continue to rely on Windows VBR and have to, since VSA isn’t always a viable option. Anyone who disagrees is living in a lab environment and not in the daily business reality at the customer site.

[david.domask]

Hi Peter,

Scripts provided by Community Members do not receive support guarantees.

However, Lukas' script looks to be a fork of our Security and Compliance Analyzer script here: https://www.veeam.com/kb4525

Lukas adds a few extra items, but ultimately it looks to mostly replicate what our existing KB already does, and we will maintain the script provided in our KB and update it as necessary. (e.g., it was necessary for the script to be updated to work with v13)

[petesteven]

Hi David,

That’s exactly what I’m asking about, since I know there’s no support for this. I mentioned that at the top as well.

However, it would be great if Veeam would release a script like this (including for proxies) or expand the existing script you referred to. I’m already using that one (KB4525) right now

[petesteven]

And I know that Lukas included the items from the Security & Compliance Analyzer script. However, his script is significantly more comprehensive than the KB4525 script and can be run on all Veeam components, not just the VBR.

If we want to talk about secure and resilient environments, we definitely need something like this from Veeam!

[david.domask]

Got it, I will discuss internally, I didn't get initially that you want something similar for Windows-based proxies and Repositories.

Regarding your last point though, understood on the VSA and some users preferring / needing a Windows based backup server, but what about the Infrastructure Appliances (proxies / repos)?

You can add Infrastructure Appliances to Windows Backup Server just fine, and seems like this would handle a lot of the hardening requests for the proxies / repositories specifically?

[petesteven]

Hi David,

Great!

I’d like to use the script not only for proxies and repos (though I don’t actually use Windows repos—just Object and Hardened repos)—but generally for ALL Windows components on which I use Veeam, as Lukas also described:
Veeam Backup & Replication
Veeam Enterprise Manager
Veeam components:
Proxy server
Repository server
Tape server
WAN Accelerator
Backup & Replication Console
Cloud Gateway Server
Veeam ONE v13
Veeam Recovery Orchestrator
Veeam Backup for M365
PAWs (with tools like Veeam Backup & Replication Console and Veeam ONE Console installed)

Of course, we use VIAs and Hardened Repositories wherever possible and connect them to both the VSA and the Windows Backup Server. For GMSA, deduplicated data on the workload, REFS, etc., I simply still need Windows.

[jackroper]

I would also be very interested in a Veeam-supported hardening script for Windows servers that host Veeam products.

[Eric_Cartman]

Definatly a +1 from me - Veeam did a great job with f.e. the hardened repository ISO to use for all of us - even if you're not really into Linux.
The same "offer" should be with supported scripts like the great script from Lukas Klostermann just as petersteven mentioned - especially for Admins (like me) who aren't fully into Linux
As from the support side view it shouldn't be that hard to support something like that because it's basically the security analysers script with just some extra steps.
Just my 2 cents

[eclipse4ever]

Plus +1 from me on this topic request!

[Chalid]

+1 from me as well

[RubinCompServ]

+1 here too