Securing the Veeam ONE server at the Windows OS level using security policy settings

[massimiliano.rizzi]

Hello Community and good day,

I am looking for a way to increase the security of a Veeam ONE server at the Windows OS level server with relatively minimal effort and fast gains by creating separate, Veeam ONE Client-specific users without admin rights at the Windows OS level of the Veeam ONE server itself and with just enough privileges to perform their tasks using the Veeam ONE Client.

Besides disabling the Remote Desktop Service on the Veeam ONE server itself and placing it to a separate workgroup, I believe that many if not all the Veeam Backup & Replication Security & Compliance Analyzer recommendations described at https://helpcenter.veeam.com/docs/backu ... ml?ver=120 can just be applied to a machine running a Veeam ONE server as well, but of course this is out-of-scope of my request below.

The purpose of my question is confirming the User Rights Assignments among the ones below that are not needed and, because of that, can be denied at the Windows OS level for both 1) the Veeam ONE service account and 2) the Veeam ONE Client-specific users:

==================================================

==================================================

Any suggestions and thoughts will be greatly appreciated.

Kind Regards,

Massimiliano

[jorgedlcruz]

Hello Massimiliano,
I have passed your question to our QA department to check all of this and will reply as soon as I have some more information.

Thank you!

[massimiliano.rizzi]

Hello Massimiliano,
I have passed your question to our QA department to check all of this and will reply as soon as I have some more information.

Thank you

Hello Jorge,

thank you very much for taking the time to reply to my question.

I am currently spending some time in our lab environment to play with the permissions. I plan on providing you with an update with my findings as well.

Thanks!

Massimiliano

[RomanK]

Hello Massimiliano,

Our QA team finished their checks:

• Deny access to this computer from the network cannot be applied as it causes GRPC issues
• Deny log on as a batch job can be applied
• Deny log on as a service cannot be applied for the Service account, while it can be applied to the Administrator/Power User/Read-only accounts
• Deny log on locally cannot be applied, as it causes login issues
• Deny log on through RDS can be applied

Thanks

[massimiliano.rizzi]

Hello Massimiliano,

Our QA team finished their checks:
Deny access to this computer from the network cannot be applied as it causes GRPC issues
Deny log on as a batch job can be applied
Deny log on as a service cannot be applied for the Service account, while it can be applied to the Administrator/Power User/Read-only accounts
Deny log on locally cannot be applied, as it causes login issues
Deny log on through RDS can be applied
Thanks

Hello Roman and Happy New Year,

thank you very much for taking the time to provide me with this information. And of course I would like to thank the QA team as well.

Kind Regards,

Massimiliano