Comprehensive data protection for all workloads
morit
Influencer
Posts: 19
Liked: 4 times
Joined: Feb 04, 2021 5:50 am
Full Name: Mori

OS hardening (using CIS template) on physical VBR server and Veeam Proxy server

Post by morit »

A customer is planning to implement Windows & ESXi OS hardening (using CIS templates) on physical VBR server (MS Win Server 2019) and Veeam Proxy server (MS Win Server 2019 VM).
And they are asking if there is any issue/impact on the Veeam backup setup.

Q1) As long as the Veeam service accounts have all required permissions and the required firewall ports are opened (all Veeam components can communicate with each other), then it should be fine. Is this the correct understanding?
I’ve checked the articles below, but they do not really mention OS hardening.
https://helpcenter.veeam.com/docs/backu ... ml?ver=110

Q2) Specifically, they are checking whether the item below should be applied or skipped on the Veeam Proxy VM.
Do we have any recommendation on this?

No. CIS Ref. Title
89 8.4.29 (L2) Ensure all but VGA mode on virtual machines is disabled (Manual)

Description:
Enable VGA Only mode for the Virtual Machine video card.
Note: this setting should only be applied to those virtual machines for which a video card is not needed such as Windows Server Core and UNIX / Linux servers.

CIS Recommended Values:
Check that the virtual machine advanced setting of "svga.vgaonly" is set to TRUE. To modify the advanced settings of a virtual machine using the vSphere Client:
1. Ensure that the virtual machine has been shut down and is powered off.
2. Right-click on the virtual machine.
3. Click Edit Settings... to open the Virtual Machine Properties window.
4. Click the VM Options tab.
5. From the list on the left, click Advanced.
6. On the Configuration Parameters frame on the right, click Edit Configuration ...
7. Click Add Parameter.
8. On the new row, click under the Key column and specify the configuration option name.
9. On the new row, click under the Value column and specify the configuration value.
10. Start the virtual machine for the settings to take effect.

Additionally, the following PowerCLI command may be used:

# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name "svga.vgaOnly" -value $true

HannesK
Product Manager
Posts: 14844
Liked: 3086 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: OS hardening (using CIS template) on physical VBR server and Veeam Proxy server

Post by HannesK » 1 person likes this post

Hello,

Q1) Running Veeam as Local System is the recommendation (and default). Veeam does not use service accounts by default. But yes, as long as you configure it aligned with the user guide, it must work.

Q2) The note already tells the answer. From a Veeam side I see no issues (you didn't say whether you have core or desktop experience on your proxy). The potential issues with machines that require svga are described on the internet. You could also switch to a Linux proxy without GUI.

Best regards,
Hannes
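
An added example (not from the thread, CIS or Veeam) of scoping the svga.vgaOnly change to VMs confirmed not to need a video card, rather than piping every VM from Get-VM. The function name Get-VgaOnlyPlan, the VM names and the inventory rows are constructed for illustration, and treating veeam-proxy01 as a Server Core install is an assumption.

```powershell
# Added example: plan svga.vgaOnly changes for an explicit allow-list of VMs.
# Runs without vCenter; the inventory rows below are constructed sample data.
function Get-VgaOnlyPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,   # rows: Name, PowerState, VgaOnly
        [Parameter(Mandatory)] [string[]] $HeadlessVMs  # VMs confirmed not to need a video card
    )
    foreach ($vm in $Inventory) {
        $action = if ($vm.Name -notin $HeadlessVMs) {
            'Skip (not confirmed headless)'
        } elseif ("$($vm.VgaOnly)" -ieq 'true') {
            'Compliant'
        } elseif ($vm.PowerState -ne 'PoweredOff') {
            # The CIS procedure requires the VM to be powered off before the change.
            'Power off first, then set svga.vgaOnly'
        } else {
            'Set svga.vgaOnly = TRUE'
        }
        [pscustomobject]@{ Name = $vm.Name; Current = $vm.VgaOnly; Action = $action }
    }
}

# Constructed sample inventory (hypothetical VM names).
$inventory = @(
    [pscustomobject]@{ Name = 'veeam-proxy01'; PowerState = 'PoweredOn';  VgaOnly = $null }
    [pscustomobject]@{ Name = 'linux-proxy01'; PowerState = 'PoweredOff'; VgaOnly = $null }
    [pscustomobject]@{ Name = 'core-srv01';    PowerState = 'PoweredOn';  VgaOnly = 'TRUE' }
    [pscustomobject]@{ Name = 'desktop-vm01';  PowerState = 'PoweredOn';  VgaOnly = $null }
)

# With a live PowerCLI session, the same rows can be built from vCenter:
#   Get-VM | ForEach-Object {
#       [pscustomobject]@{
#           Name       = $_.Name
#           PowerState = "$($_.PowerState)"
#           VgaOnly    = (Get-AdvancedSetting -Entity $_ -Name 'svga.vgaOnly').Value
#       }
#   }

# Assumption: these three VMs were confirmed headless (Server Core or Linux).
$headless = 'veeam-proxy01', 'linux-proxy01', 'core-srv01'
Get-VgaOnlyPlan -Inventory $inventory -HeadlessVMs $headless | Format-Table -AutoSize
```
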
morit
Influencer
Posts: 19
Liked: 4 times
Joined: Feb 04, 2021 5:50 am
Full Name: Mori

Re: OS hardening (using CIS template) on physical VBR server and Veeam Proxy server

Post by morit »

Thank you for the inputs. Noted.