Comprehensive data protection for all workloads
perjonsson1960
Veteran
Posts: 534
Liked: 58 times
Joined: Jun 06, 2018 5:41 am
Full Name: Per Jonsson
Location: Sweden
Contact:

Security & Compliance Analyzer

Post by perjonsson1960 »

Folks,

When I run the Security & Compliance Analyzer, it says that "Windows firewall should be enabled" is Not Implemented.
I have the firewall enabled in the backup server and the repository servers. Should it be enabled also in the proxy servers in order to get a "Passed" result?

Kind regards,
PJ
marina.skobeleva
Veeam Software
Posts: 50
Liked: 20 times
Joined: Feb 10, 2020 1:48 pm
Full Name: Marina Skobeleva
Contact:

Re: Security & Compliance Analyzer

Post by marina.skobeleva »

Hi Per,

Security & Compliance Analyzer checks only Backup Server settings; the firewall should be enabled for all network types:
  • Domain
  • Private
  • Public

You can find more detail regarding this topic in Security & Compliance Analyzer - User Guide for VMware vSphere.

Thank you!
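
A way to see the state of all three profiles named in the reply above, as an added example that is not part of the original thread and not Veeam's script. Windows keeps a Domain profile even on a server that is not joined to a domain, so it is listed with the others; the function name `Test-FirewallProfiles` and its `-Fix` switch are hypothetical.

```powershell
# Added example (not from the thread). Read-only unless -Fix is supplied.
function Test-FirewallProfiles {
    param([switch]$Fix)

    $required = 'Domain', 'Private', 'Public'

    # ActiveStore returns the effective settings after local policy and
    # Group Policy have been merged, i.e. what is actually enforced.
    $profiles = Get-NetFirewallProfile -PolicyStore ActiveStore

    $result = foreach ($name in $required) {
        $p = $profiles | Where-Object Name -eq $name
        [pscustomobject]@{
            Profile = $name
            Enabled = ($p -and [string]$p.Enabled -eq 'True')
        }
    }

    $off = @($result | Where-Object { -not $_.Enabled })
    if ($Fix -and $off.Count -gt 0) {
        # Writes to the local persistent store; a Group Policy setting
        # that turns a profile off would still win over this change.
        Set-NetFirewallProfile -Name $off.Profile -Enabled True
        return Test-FirewallProfiles   # re-read without -Fix to confirm
    }
    $result
}

Test-FirewallProfiles | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the backup server; any row with `Enabled` set to `False` is a profile that is still switched off.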

Re: Security & Compliance Analyzer

Post by perjonsson1960 »

Marina,

The backup server is not a member of our AD, and the firewall is enabled for "Private networks" and "Guest or Public networks".
So I don't understand why I don't get a "Passed" result, if the backup server is the only server that is checked.

PJ

Re: Security & Compliance Analyzer

Post by perjonsson1960 »

Also, the documentation that you linked to does not say what kind of registry value it should be, i.e. DWORD or String. Some of the values mentioned do not exist, so I must know what kind it should be when creating them. I have not checked the whole list, but the values for these keys do not exist:

WDigest, WPAD, Windows Script Host.
mamosorre84
Veteran
Posts: 352
Liked: 36 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy
Contact:

Re: Security & Compliance Analyzer

Post by mamosorre84 »

Hello @perjonsson1960, please check this KB https://www.veeam.com/kb4525.

You can find the script to automate those security best practices, and of course the related registry values.

Re: Security & Compliance Analyzer

Post by perjonsson1960 »

Okay, thanks!

Should this script be executed in the repo servers, as well?

Also, when the script was executed in the backup server, and the "Host to proxy traffic encryption" part was run, it seems to have missed one proxy server, a physical machine that serves as a proxy only. At least it was not listed. I have all jobs on "Automatic selection", and that proxy is chosen sometimes.

Re: Security & Compliance Analyzer

Post by mamosorre84 »

The script is intended to be run only on the backup server.

For the other infrastructure components you can check the general guidelines:

https://helpcenter.veeam.com/docs/backu ... ml?ver=120
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Personally, if a template with the desired features does not already exist, I use some portions of the script to fix Windows proxies.

Regarding the physical proxy, I do not know why it is not listed; check its settings, maybe it is already set.

Re: Security & Compliance Analyzer

Post by perjonsson1960 »

Thanks! :-)

Re: Security & Compliance Analyzer

Post by perjonsson1960 »

Oh, another thing: for "Deprecated versions of SSL and TLS should be disabled" I get status "Unable to detect".
Do you have any idea about what could be the cause?

Re: Security & Compliance Analyzer

Post by marina.skobeleva »

Hi @perjonsson1960,

"Do you have any idea about what could be the cause?"

This status appears if a specific registry key does not exist.
You can find the full list of registry keys and values for passing this check in the article Security & Compliance Analyzer -> Configuration Parameters.

Thanks!
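
A read-only check for the situation described above, as an added example that is not part of the original thread and not Veeam's script: it reports whether each protocol key exists and what type its values have. The paths are the standard Windows SCHANNEL locations; that these are the entries the analyzer reads is an assumption, and the Configuration Parameters article remains the authoritative list.

```powershell
# Added example (not from the thread). Reads the registry only; changes nothing.
# Assumption: the standard SCHANNEL layout below is what the check looks at.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$roles     = 'Client', 'Server'

$report = foreach ($proto in $protocols) {
    foreach ($role in $roles) {
        $path = Join-Path (Join-Path $base $proto) $role
        $key  = Get-Item -Path $path -ErrorAction SilentlyContinue

        foreach ($name in 'Enabled', 'DisabledByDefault') {
            $kind  = $null
            $value = $null
            if ($key -and ($key.GetValueNames() -contains $name)) {
                $kind  = $key.GetValueKind($name)   # DWord, String, ...
                $value = $key.GetValue($name)
            }

            # Separate "key absent" from "value absent" and "wrong type",
            # since each needs a different fix.
            if (-not $key) {
                $state = 'KeyMissing'
            } elseif ($null -eq $kind) {
                $state = 'ValueMissing'
            } elseif ($kind -ne 'DWord') {
                $state = 'WrongType'
            } else {
                $state = 'Present'
            }

            [pscustomobject]@{
                Protocol = $proto; Role = $role; Name = $name
                State = $state; Kind = $kind; Value = $value
            }
        }
    }
}

$report | Format-Table -AutoSize
```

Rows with `KeyMissing` show where nothing has been created yet; the `Kind` column shows the value type (SCHANNEL uses DWORD for these two values).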

Re: Security & Compliance Analyzer

Post by perjonsson1960 » 1 person likes this post

Okay, yes, these keys do not exist. There sure are a few... ;-)
Luckily, the script can be used to create them. :-)

Thanks!

Re: Security & Compliance Analyzer

Post by marina.skobeleva »

Happy to help!

Re: Security & Compliance Analyzer

Post by perjonsson1960 »

One more thing, about the parameter "Windows Script Host should be disabled", where it says:

"Before disabling Windows Script Host, make sure that this service is not used by backup infrastructure components you plan to install on the backup server. If there are any (for example, PostgreSQL database), install these components first, then disable the service. To update these components, you need to enable the service temporarily."

What about when Veeam B&R itself is updated? If a new version or a patch is going to be installed, is it necessary to activate the Script Host before the install?

PJ

Re: Security & Compliance Analyzer

Post by perjonsson1960 »

Has this thread been closed somehow, or is my question just difficult to answer? ;-)

Re: Security & Compliance Analyzer

Post by marina.skobeleva »

Hi Per,
Sorry for the delayed response.
No, it's not necessary to enable Windows Script Host to update Veeam B&R itself.

Thanks!

Re: Security & Compliance Analyzer

Post by perjonsson1960 » 1 person likes this post

Thank you!
I think I am all out of questions now. ;-)

Kind regards,
PJ