Best Practices Analyzer
Veeam Backup & Replication allows you to check your backup server configuration with a built-in tool to ensure it follows security best practices for Microsoft Windows Server operating system and Veeam backup infrastructure components.
To perform a security check, click Best Practices Analyzer on the Home tab. Configuration parameters set up as recommended will have the Passed status.
Parameters that have the Not implemented status should be revised in terms of your backup infrastructure. You can set them up as recommended or exclude specific parameters from the checklist.
Run the Best Practices Analyzer tool regularly, especially after you made significant changes in the backup infrastructure.
The Best Practices Analyzer tool checks the following configuration parameters:
Remote Desktop Service (TermService) should be disabled
Remote services should be disabled if they are not needed. Note that for the Veeam Cloud Connect infrastructure, this parameter must be enabled if the SP uses Remote Desktop Protocol (RDP) to connect to the tenant backup server. For more information, see Remote Desktop Connection to Tenant.
Remote Registry service (RemoteRegistry) should be disabled
Remote services should be disabled if they are not needed.
Windows Firewall should be enabled
Microsoft Defender Firewall with Advanced Security should be turned on. Also, rules for inbound and outbound connections should be set up according to your infrastructure and Microsoft best practices. For more information, see this Microsoft article.
MFA for the backup console should be enabled
Multi-factor authentication (MFA) should be enabled for the Veeam Backup & Replication console to protect user accounts with additional user verification. For more information, see Multi-Factor Authentication.
Immutable or offline (air gapped) media should be used
Immutable repositories should be used to protect backup files from being modified or deleted.
Offline media should be used to keep backup files in addition to virtual storage devices. For more information, see Backup Repositories with Rotated Drives and Tape Devices Support.
Password loss protection should be enabled
Password loss protection should be enabled on Veeam Backup Enterprise Manager to provide an alternative way to decrypt the data if a password for encrypted backup or tape is lost. For more information, see Managing Encryption Keys.
Configuration backup should be enabled
Configuration backup should be enabled to reduce the risk of data loss and manage the Veeam Backup & Replication configuration database easier. For more information, see Configuration Backup and Restore.
Configuration backup should be encrypted
Data encryption for configuration backup should be enabled to secure sensitive data stored in the configuration database. For more information, see Creating Encrypted Configuration Backups.
Backup server should not be a part of the production domain
Adding the backup server and other backup infrastructure components to a management domain in a separate Active Directory forest is the best practice for building the most secure infrastructure. For medium-sized and small environments, backup infrastructure components can be placed to a separate workgroup.
Note that this parameter will have the Passed status only if the backup server is not joined to any domain. In other cases, it will have the Unable to detect status because there is no way to identify the production domain automatically.
If you set up parameters as recommended, click Analyze to perform a security check again and ensure that the status changed to Passed.
To pass the check for the service that should be disabled, ensure that in the service properties the Startup type is set to Disabled.
Excluding Parameters from Checklist
You can skip security check for specific parameters. For example, if you use Remote Desktop Service to connect to Veeam Backup & Replication and do not need to disable it, exclude this parameter from the checklist. To do this, perform the following steps:
- Select the parameter and click Suppress.
- [Optional] Leave a comment in the Note field. The default comment contains information about the user who made changes, date and time when the parameter was suppressed.
- Click OK.
All excluded parameters are shown in the Suppressed section. To restore the default settings and return all parameters to the checklist, click Reset All.