A customer is planning to implement Windows & ESXi OS hardening (using CIS templates) on a physical VBR server (MS Win Server 2019) and a Veeam Proxy server (MS Win Server 2019 VM).
And they are asking if there is any issue/impact on the Veeam backup setup.
Q1) As long as Veeam service accounts have all required permissions and required firewall ports are opened (all Veeam components can communicate with each other), then it should be fine. Is this the correct understanding?
I’ve checked the articles below, but they do not really mention OS hardening.
https://helpcenter.veeam.com/docs/backu ... ml?ver=110
Q2) Specifically, they are checking whether the item below should be applied or skipped on the Veeam Proxy VM.
Do we have any recommendation on this?
No. CIS Ref. Title
89 8.4.29 (L2) Ensure all but VGA mode on virtual machines is disabled (Manual)
Description:
Enable VGA Only mode for the Virtual Machine video card.
Note: this setting should only be applied to those virtual machines for which a video card is not needed such as Windows Server Core and UNIX / Linux servers.
CIS Recommended Values:
Check that the virtual machine advanced setting of "svga.vgaonly" is set to TRUE. To modify the advanced settings of a virtual machine using the vSphere Client:
1. Ensure that the virtual machine has been shutdown and is powered off.
2. Right-click on the virtual machine.
3. Click Edit Settings... to open the Virtual Machine Properties window.
4. Click the VM Options tab.
5. From the list on the left, click Advanced.
6. On the Configuration Parameters frame on the right, click Edit Configuration ...
7. Click Add Parameter.
8. On the new row, click under the Key column and specify the configuration option name.
9. On the new row, click under the Value column and specify the configuration value.
10. Start the virtual machine for the settings to take effect.
Additionally, the following PowerCLI command may be used:
# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name "svga.vgaOnly" -value $true
-
- Influencer
- Posts: 19
- Liked: 4 times
- Joined: Feb 04, 2021 5:50 am
- Full Name: Mori
- Contact:
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: OS hardening (using CIS template) on physical VBR server and Veeam Proxy server
Hello,
Q1) Running Veeam as Local System is the recommendation (and default). Veeam does not use service accounts per default. But yes, as long as you configure it aligned with the user guide, it must work.
Q2) The note already tells the answer. From a Veeam side I see no issues (you didn't say whether you have core or desktop experience on your proxy). The potential issues with machines that require svga are described on the internet. You could also switch to a Linux proxy without GUI.
Best regards,
Hannes
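The PowerCLI one-liner quoted in the question sets svga.vgaOnly on every VM, while the CIS note limits it to VMs that need no video card. The script below is an added example, not code from the thread participants, CIS or Veeam: it audits the setting on all VMs and applies it only to an explicit allow-list. It assumes an existing Connect-VIServer session; the VM names in $HeadlessVMs are constructed placeholders.

```powershell
# Added example. Assumes VMware PowerCLI is loaded and Connect-VIServer was already run.
# $HeadlessVMs is a constructed allow-list: VMs confirmed to need no video card
# (for example Server Core or Linux without GUI). Replace with your own names.
$HeadlessVMs = @('veeam-proxy-core-01', 'linux-proxy-01')
$SettingName = 'svga.vgaOnly'

function Get-VgaOnlyState {
    param([Parameter(Mandatory)] $VM)
    # Returns nothing when the key is absent from the VM's advanced settings
    $s = Get-AdvancedSetting -Entity $VM -Name $SettingName
    [pscustomobject]@{
        VM         = $VM.Name
        GuestOS    = $VM.ExtensionData.Config.GuestFullName
        PowerState = $VM.PowerState
        Present    = [bool]$s
        # The value may come back as a boolean or as the string "TRUE"
        Compliant  = [bool]($s -and ("$($s.Value)" -ieq 'true'))
        InScope    = $VM.Name -in $HeadlessVMs
    }
}

# 1) Audit: report the current state of every VM, changing nothing
$vms = Get-VM
$vms | ForEach-Object { Get-VgaOnlyState -VM $_ } |
    Sort-Object InScope, Compliant, VM | Format-Table -AutoSize

# 2) Remediate: only allow-listed VMs that are not yet compliant
foreach ($vm in $vms | Where-Object { $_.Name -in $HeadlessVMs }) {
    $state = Get-VgaOnlyState -VM $vm
    if ($state.Compliant) { continue }

    # The vSphere Client procedure above requires the VM to be powered off
    if ($vm.PowerState -ne 'PoweredOff') {
        Write-Warning "$($vm.Name): not powered off, skipped"
        continue
    }

    # -Force overwrites an existing key that holds a non-compliant value
    New-AdvancedSetting -Entity $vm -Name $SettingName -Value $true `
        -Force -Confirm:$false | Out-Null

    # Re-read the setting so the output shows the applied state
    Get-VgaOnlyState -VM $vm
}
```

VMs outside the allow-list appear in the audit table with InScope set to False and are never modified, which keeps desktop-experience machines out of scope until someone reviews them.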
-
- Influencer
- Posts: 19
- Liked: 4 times
- Joined: Feb 04, 2021 5:50 am
- Full Name: Mori
- Contact:
Re: OS hardening (using CIS template) on physical VBR server and Veeam Proxy server
Thank you for the inputs. Noted.