Security & Compliance Analyzer

Veeam Backup & Replication provides a built-in tool to ensure that your backup server configuration follows security best practices for Veeam backup infrastructure components based on Microsoft Windows Server and Linux operating systems.

To perform a security check, open the Home tab and click Security & Compliance on the ribbon. After that, the Security & Compliance Analyzer window opens and the security check starts automatically.

Security & Compliance Analyzer 

Configuration parameters that have recommended settings will have the Passed status. Parameters that have the Not implemented status should be revised in terms of your backup infrastructure. You can set them up as recommended or exclude specific parameters from the checklist.

To see the last scan results, click Last run. For more information about the results, you can view the log file. The path by default: C:\ProgramData\Veeam\Backup\Job.BestPracticesAnalyzer.log.

Tip

Run Security & Compliance Analyzer regularly, especially after you make significant changes to the backup infrastructure. To configure scan scheduling, see this section.

Configuration Parameters

Security & Compliance Analyzer checks configuration parameters both for the operating system and Veeam products. You can implement these recommendations manually or use the automatic configuration script provided by Veeam. For more information, see this KB article.

Parameter | Check Condition | Notes

Backup Infrastructure Security

Remote Desktop Services (TermService) should be disabled

The Remote Desktop Services service is not running. The Startup type parameter is set to Disabled.

Remote services should be disabled if they are not needed. Note that for the Veeam Cloud Connect infrastructure, this parameter must be enabled if the SP uses Remote Desktop Protocol (RDP) to connect to the tenant backup server. For more information, see Remote Desktop Connection to Tenant.

Remote Registry service (RemoteRegistry) should be disabled

The Remote Registry service is not running. The Startup type parameter is set to Disabled.

Remote services should be disabled if they are not needed.

Windows Remote Management (WinRM) service should be disabled

The Windows Remote Management (WS-Management) service is not running. The Startup type parameter is set to Disabled.

Remote services should be disabled if they are not needed.

Windows Firewall should be enabled

The following PowerShell command returns True for Domain, Public, and Private firewall profiles:

Get-NetFirewallProfile | Format-Table Name, Enabled

Microsoft Defender Firewall with Advanced Security should be turned on. Also, rules for inbound and outbound connections should be configured according to your infrastructure and Microsoft best practices. For more information, see this Microsoft article.

WDigest credentials caching should be disabled

The value of the HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential registry key is set to 0.

WDigest credentials caching stores cleartext credentials in Windows RAM. To reduce the risk of credential dumping attacks, the setting should be disabled with a registry value. For more information, see this Microsoft article.

Web Proxy Auto-Discovery service (WinHttpAutoProxySvc) should be disabled

The WinHTTP Web Proxy Auto-Discovery service is not running. The Startup type parameter is set to Disabled.

The value of the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableWpad registry key is set to 1.

The Web Proxy Auto-Discovery (WPAD) protocol provides automatic discovery of web proxy configuration. If this feature is not used in the backup infrastructure, the WinHTTP Web Proxy Auto-Discovery Service should be disabled to prevent man-in-the-middle (MITM) attacks.

Deprecated versions of SSL and TLS should be disabled

Values of the following registry keys are set to 1:

  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client\DisabledByDefault
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server\DisabledByDefault
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client\DisabledByDefault
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server\DisabledByDefault
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\DisabledByDefault
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\DisabledByDefault
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\DisabledByDefault
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\DisabledByDefault

Values of the following registry keys are set to 0:

  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client\Enabled
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server\Enabled
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client\Enabled
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server\Enabled
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\Enabled
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\Enabled
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\Enabled

Outdated network protocols SSL 2.0 and 3.0 should be disabled as they have well-known security vulnerabilities and are not NIST-approved. Also, TLS 1.0 and 1.1 should be disabled if they are not needed. For more information, see NIST guidelines.

Note that this parameter will have the Passed or Not implemented status only if specific registry keys with specific values exist. For more information, see this Microsoft article. If the registry key does not exist, the parameter will have the Unable to detect status.

If the registry key existence cannot be checked for some reason, the parameter will also have the Not implemented status.

Windows Script Host should be disabled

The value of the HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled registry key is set to 0.

Windows Script Host should be disabled to prevent script-based malware attacks.

Before disabling Windows Script Host, make sure that this service is not used by backup infrastructure components you plan to install on the backup server. If there are any (for example, PostgreSQL database), install these components first, then disable the service. To update these components, you need to enable the service temporarily.

SMBv1 protocol should be disabled

The following PowerShell command returns False:

Get-SmbServerConfiguration | Select EnableSMB1Protocol

Outdated network protocol SMB 1.0 should be disabled as it has a number of serious security vulnerabilities including remote code execution. For more information, see this Microsoft article.

Link-Local Multicast Name Resolution (LLMNR) should be disabled

The HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMultiCast registry key exists. The value of the key is set to 0.

Outdated broadcast protocol Link-Local Multicast Name Resolution (LLMNR) should be disabled to prevent spoofing and man-in-the-middle (MITM) attacks.

Note that this parameter will have the Passed or Not implemented status only if specific registry keys with specific values exist. If the registry key does not exist, the parameter will have the Unable to detect status.

If the registry key existence cannot be checked for some reason, the parameter will also have the Not implemented status.

SMBv3 signing and encryption should be enabled

The following PowerShell command returns True for all specified parameters:

Get-SmbServerConfiguration | select RequireSecuritySignature, EncryptData, EnableSecuritySignature

If SMB shares are used in the backup infrastructure, SMB signing and encryption should be enabled to prevent NTLMv2 relay attacks. For more information, see these Microsoft articles: Configure SMB Signing with Confidence, SMB security enhancements.

Local Security Authority Server Service (LSASS) should be set to run as a protected process

The value of the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL registry key is set to 1 or 2.

The protection for the Local Security Authority (LSA) process should be configured properly to prevent code injection and credential theft attacks. For more information, see this Microsoft article.

If the registry key existence cannot be checked for some reason, the parameter will have the Not implemented status.

NetBIOS protocol should be disabled on all network interfaces

The value of each HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{GUID}\NetbiosOptions registry key is set to 2.

NetBIOS should be disabled to reduce the risk of data theft attacks through shared folders.

If the registry key existence cannot be checked for some reason, the parameter will have the Not implemented status.
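The following script is an added example, not Veeam's own analyzer code: it reproduces a subset of the OS-level checks listed above (services, registry values, SCHANNEL protocols, SMB settings) and reports the same three statuses the analyzer uses, including "Unable to detect" when a registry key is absent. The function names are my own; the cmdlets and registry paths are the ones named on this page, and the script assumes an elevated PowerShell 5.1 or later session on the backup server.

```powershell
# Added example (not Veeam code): a subset of the Backup Infrastructure Security checks.

function Get-RegDword {
    # Returns the value, or $null when the key or the value name does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-ServiceDisabled {
    # Passed only when the service is not running AND its startup type is Disabled.
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'Unable to detect' }
    if ($svc.Status -ne 'Running' -and $svc.StartType -eq 'Disabled') { return 'Passed' }
    return 'Not implemented'
}

function Test-RegValue {
    # Mirrors the analyzer rule: a missing key gives "Unable to detect",
    # a present key with a wrong value gives "Not implemented".
    param([string]$Path, [string]$Name, [int[]]$Expected)
    $value = Get-RegDword -Path $Path -Name $Name
    if ($null -eq $value) { return 'Unable to detect' }
    if ($Expected -contains $value) { return 'Passed' }
    return 'Not implemented'
}

function Test-SchannelDisabled {
    # Each deprecated protocol needs DisabledByDefault=1 and Enabled=0 on both the
    # Client and the Server subkey; the first value that fails decides the status.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        foreach ($side in 'Client', 'Server') {
            $key = "$base\$proto\$side"
            foreach ($r in (Test-RegValue $key 'DisabledByDefault' 1), (Test-RegValue $key 'Enabled' 0)) {
                if ($r -ne 'Passed') { return $r }
            }
        }
    }
    return 'Passed'
}

$results = [ordered]@{
    'TermService disabled'         = Test-ServiceDisabled 'TermService'
    'RemoteRegistry disabled'      = Test-ServiceDisabled 'RemoteRegistry'
    'WinRM disabled'               = Test-ServiceDisabled 'WinRM'
    'WinHttpAutoProxySvc disabled' = Test-ServiceDisabled 'WinHttpAutoProxySvc'
    'WDigest caching disabled'     = Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential' 0
    'Deprecated SSL/TLS disabled'  = Test-SchannelDisabled
    'LLMNR disabled'               = Test-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMultiCast' 0
    'LSASS runs as PPL'            = Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL' @(1, 2)
}
# SMB settings come back as booleans, so there is no "Unable to detect" case here.
$smb = Get-SmbServerConfiguration
$results['SMBv1 disabled'] = if ($smb.EnableSMB1Protocol) { 'Not implemented' } else { 'Passed' }
$results['SMBv3 signing/encryption'] = if ($smb.RequireSecuritySignature -and $smb.EnableSecuritySignature -and $smb.EncryptData) { 'Passed' } else { 'Not implemented' }

$results.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }
```

Because the script only reads services and registry values, it can be run safely on a production backup server before and after applying the recommended settings to confirm which statuses change.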

Product Configuration

MFA for the backup console should be enabled

In the Users and Roles > Security settings, the Enable multi-factor authentication (MFA) check box is selected.

Multi-factor authentication (MFA) should be enabled for the Veeam Backup & Replication console to protect user accounts with additional user verification. For more information, see Multi-Factor Authentication.

Immutable or offline (air gapped) media should be used

At least one of the following components is added to the Veeam Backup & Replication console and actively used:

  • Backup repository with enabled immutability
  • Backup repository with rotated drives
  • Tape device

Immutable repositories should be used to protect backup files from being modified or deleted. For more information, see Immutability.

Offline media should be used to keep backup files in addition to virtual storage devices. For more information, see Backup Repositories with Rotated Drives and Tape Device Support Guide.

Password loss protection should be enabled

In Veeam Backup Enterprise Manager settings, the Enable encryption password loss protection check box is selected.

Password loss protection should be enabled on Veeam Backup Enterprise Manager to provide an alternative way to decrypt the data if a password for encrypted backup or tape is lost. For more information, see Managing Encryption Keys.

Backup server should not be a part of the production domain

The backup server is in a workgroup.

For large environments, it is recommended to add the backup server and other backup infrastructure components to a management domain in a separate Active Directory forest. For medium-sized and small environments, backup infrastructure components can be placed in a separate workgroup.

Note that this parameter will have the Passed status only if the backup server is not joined to any domain. In other cases, it will have the Unable to detect status because there is no way to identify the production domain automatically.

Email notifications should be enabled

In the global email notification settings, the Enable e-mail notifications check box is selected.

Email notifications should be enabled to monitor job statuses. For more information, see Specifying Email Notification Settings.

All backups should have at least one copy (the 3-2-1 backup rule)

At least one of the following jobs or components exists in the Veeam Backup & Replication console:

  • Backup copy job
  • Scale-out backup repository with the copy mode
  • Archive Tier

To be compliant with the 3-2-1 rule, at least one backup copy job should be created, or a scale-out backup repository with the copy mode or archive tier should be added. For more information, see Plan How Many Copies of Data You Need (3-2-1 rule).

Reverse incremental backup mode is deprecated and should be avoided

In the backup job settings, the incremental backup method is selected.

The reverse incremental backup method should not be used as it produces the heaviest I/O impact on the backup storage compared to other backup methods. For more information, see Backup Methods.

Unknown Linux servers should not be trusted automatically

In the Options > Security settings, the Add unknown hosts to the list manually option is selected in the Linux hosts authentication section.

Untrusted Linux VMs and Linux servers must be allowed to connect to the backup server only using manual SSH fingerprint verification. For more information, see Linux Host Authentication.

The configuration backup must not be stored on the backup server

In the configuration backup settings, neither the default backup repository nor any other folder on the backup server is selected as the target backup repository.

The configuration backup must not be stored on the backup server or on the default backup repository, so that the configuration can still be recovered if the backup server fails. For more information, see Configuration Backup.

Host to proxy traffic encryption should be enabled for the Network transport mode

For a VMware backup proxy that uses the Network transport mode, the Enable host to proxy traffic encryption in Network mode (NBDSSL) check box is selected.

If a VMware backup proxy uses the Network transport mode, it is recommended to transfer VM data over an encrypted TLS connection. For more information about this configuration and its limitations, see Choose Server.

Hardened repositories should not be hosted in virtual machines

The hardened repository added to the Veeam Backup & Replication console is not hosted on a virtual machine.

To reduce the attack surface, the hardened repository should be hosted on a physical machine with local storage. For more information about hardened repository requirements, see Requirements and Limitations.

Network traffic encryption should be enabled in the backup network

All global network traffic rules have the Encrypt network traffic check box selected.

Network traffic encryption should be enabled in the backup network to ensure secure communication of sensitive data not only between public networks but also between private ones. For more information, see Enabling Traffic Encryption.

Linux servers should have password-based authentication disabled

Linux servers added to the Veeam Backup & Replication console do not use standard accounts.

Key-based SSH authentication is generally considered more secure than password-based authentication. The private key is not passed to the server and cannot be captured even if a user connects to a fake server and accepts a bad fingerprint. This helps avert man-in-the-middle (MITM) attacks.

Backup services should be running under the LocalSystem account

The Veeam Backup Service runs under a LocalSystem account.

The account used to run Veeam services should be a LocalSystem account.

Configuration backup should be enabled and use encryption

In the configuration backup settings, the following check boxes are selected:

  • The Enable configuration backup to the following repository check box.
  • The Enable configuration backup file encryption check box.

Configuration backup should be enabled to reduce the risk of data loss and manage the Veeam Backup & Replication configuration database easier. For more information, see Configuration Backup and Restore.

Data encryption for configuration backup should be enabled to secure sensitive data stored in the configuration database. For more information, see Creating Encrypted Configuration Backups.

Credentials and encryption passwords should be rotated at least annually

Passwords of the user accounts added to the Credentials Manager, Cloud Credentials Manager, and Password Manager were changed less than 365 days ago.

For all user accounts added to the Credentials Manager, Cloud Credentials Manager and Password Manager, passwords should be changed at least once a year.

Hardened repositories should have the SSH Server disabled

Hardened repositories added to the Veeam Backup & Replication console are not available through SSH connection.

SSH connection is necessary only for the deployment of Veeam Data Mover. For security purposes, after adding the hardened repository to the backup infrastructure, the SSH connection should be disabled for the user account used to connect to the Linux server or for the server itself.

S3 Object Lock in the Governance mode does not provide true immutability

Immutable object storage repositories added to the Veeam Backup & Replication console use the Compliance retention mode.

The Compliance retention mode should be used for object storage repositories with immutability enabled. This is a more secure option compared to the Governance retention mode. For more information about immutability for object storage repositories, see this section. For more information about retention modes, see this Amazon article.

Backup jobs to cloud repositories should use encryption

In the backup job settings, if the cloud repository is selected as a backup repository, the Enable backup file encryption check box is also selected.

To reduce the cloud attack surface, job-level encryption should be enabled. For more information, see Job Encryption.

Latest product updates should be installed

In the Options > Notifications settings, the Check for product and hypervisor updates periodically check box is selected.

Veeam Backup & Replication should be updated regularly. Major releases and cumulative patches usually contain bug fixes, performance enhancements, and new features.

PostgreSQL server should be configured with recommended settings

In the postgresql.conf file, the following parameters have specific values:

  • max_connections = 3000
  • max_wal_senders = 0

PostgreSQL should have optimal run-time settings to operate correctly.

For more information about the configuration file, see PostgreSQL documentation.

Hardened repositories should not be used as backup proxy servers

The hardened repository added to the Veeam Backup & Replication console is not used as a VMware backup proxy.

A VMware backup proxy requires VMware VDDK components to be installed. To reduce the risk of attacks through VMware VDDK vulnerabilities, a hardened repository should have only one role assigned.

For more information about hardened repositories, see Hardened Repository.

Backup encryption password length and complexity recommendations should be followed

Encryption passwords meet Veeam requirements for password complexity.

To minimize the possibility of unauthorized access, encryption passwords should meet Veeam requirements for password complexity:

  • The password is at least 12 characters long.
  • The password contains at least:
    • One uppercase character
    • One lowercase character
    • One special character
    • One numeric character

If you want to perform a security check with custom values according to your company password policy, see this KB article.
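An added example, not Veeam code, that checks a candidate encryption password against the rules listed above. The function name is my own; the minimum length is a parameter so a stricter company policy can be checked as well. Note that PowerShell's -match is case-insensitive, so the uppercase and lowercase rules need -cmatch.

```powershell
# Added example (not Veeam code): checks a password against the complexity rules above.
function Test-EncryptionPasswordComplexity {
    # Returns $true only when every rule is satisfied. MinLength defaults to the
    # documented 12 characters; raise it to match a stricter company policy.
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinLength = 12
    )
    if ($Password.Length -lt $MinLength) { return $false }
    # -cmatch is case-sensitive; plain -match would treat [A-Z] and [a-z] alike.
    $hasUpper   = $Password -cmatch '[A-Z]'
    $hasLower   = $Password -cmatch '[a-z]'
    $hasDigit   = $Password -match  '[0-9]'
    # Anything that is not a letter or a digit counts as a special character.
    $hasSpecial = $Password -match  '[^A-Za-z0-9]'
    return ($hasUpper -and $hasLower -and $hasDigit -and $hasSpecial)
}
```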

After you implement the recommended settings for configuration parameters, click Analyze to run the security check again and make sure that the status has changed to Passed.

Excluding Parameters from Checklist

You can skip the security check for specific parameters. For example, if you use Remote Desktop Services to connect to Veeam Backup & Replication and do not need to disable it, exclude this parameter from the checklist. To do this, perform the following steps:

  1. Select a parameter and click Suppress.
  2. [Optional] Leave a comment in the Note field.
  3. Click OK.

Excluded parameters are displayed in the Suppressed section. To restore default settings for the selected parameter and return it to the checklist, click Reset. If you want to return all excluded parameters to the checklist, click Reset All.


Scan Scheduling

To configure daily scan scheduling, do the following:

  1. Click Schedule.
  2. Select the Scan the backup infrastructure daily at check box and specify the time.
  3. If you want to receive scan results by email, select the Send scan results to the following recipients check box and specify one or several email addresses separated with a semicolon. You can use global notification settings or specify custom notification settings as required.
  4. Click OK.
