General Security Considerations
General security considerations include best practices which help you to harden Veeam Service Provider Console infrastructure, build a more secure environment, and mitigate risks of being compromised. Ensure that your infrastructure meets the common recommendations described in this section. For more information about hardening specific Veeam Service Provider Console components, see Securing Veeam Service Provider Console Infrastructure.
Network
To secure the communication channel for network traffic, consider the following recommendations:
- Create network segmentation policies to define network boundaries, control traffic between subnets and limit access to security-sensitive Veeam Service Provider Console components.
- Make sure that only ports used by Veeam Service Provider Console components are opened. For more information, see Ports.
- Use an isolated network to transport data between Veeam Service Provider Console components.
- Disable outdated network protocols:
  - SSL 2.0 and 3.0 as they have well-known security vulnerabilities and are not NIST-approved. For more information, see NIST guidelines.
  - TLS 1.0 and 1.1 if they are not needed. For more information, see NIST guidelines.
  - LLMNR and NetBIOS broadcast protocols to prevent spoofing and man-in-the-middle (MITM) attacks.
  - SMB 1.0 protocol as it has a number of serious security vulnerabilities including remote code execution. For more information, see this Microsoft article.
User Permissions
Administrator privileges on the machine where Veeam Service Provider Console Server is deployed allow users to access other infrastructure components. If an attacker gains such permissions, they can erase most of the production data as well as compromise other systems in your environment. To mitigate risks, use the principle of least privilege. Provide the minimal required permissions needed for the accounts to operate correctly. For more information, see Permissions.
File System
Do not add paths writable by untrusted users to the PATH environment variable. A potential attacker may exploit this vulnerability to execute malware or access sensitive data. For more information, see this CWE article.
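One way to check this on Linux-based components, as an added example that is not Veeam tooling: the `audit_path` function (a hypothetical name) walks a PATH-style string and reports relative or empty entries, missing directories, and directories that are group- or world-writable or owned by another account. Treating only root and the current account as trusted owners is an assumption of the example.

```shell
#!/bin/sh
# Added example (not Veeam code): flag PATH entries that an untrusted user
# could plant executables in. audit_path is a hypothetical helper name.
# Output: one "KIND entry" line per finding; no output means no findings.
audit_path() {
    rest="$1:"          # sentinel colon keeps a trailing empty entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) ;;                                   # absolute: inspect below
            '') echo "RELATIVE <empty>"; continue ;; # empty means current dir
            *)  echo "RELATIVE $entry"; continue ;;  # resolved against cwd
        esac
        if [ ! -d "$entry" ]; then
            # Worth review: anyone able to create it controls its contents.
            echo "MISSING $entry"
            continue
        fi
        # -L follows symlinks; -prune stops find from descending.
        if [ -n "$(find -L "$entry" -prune -perm -0002 2>/dev/null)" ]; then
            echo "WORLD-WRITABLE $entry"
        elif [ -n "$(find -L "$entry" -prune -perm -0020 2>/dev/null)" ]; then
            echo "GROUP-WRITABLE $entry"
        fi
        # Assumption: only root and the current account are trusted owners.
        if [ -n "$(find -L "$entry" -prune ! -user 0 ! -user "$(id -u)" 2>/dev/null)" ]; then
            echo "FOREIGN-OWNER $entry"
        fi
    done
}

# Audit the PATH of the account running the script.
audit_path "$PATH"
```

Run it under each service account whose PATH matters, since PATH differs per account; a group-writable finding needs a look at who belongs to the group before it is treated as a problem.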
Security Audit
Perform regular security audits to assess your Veeam Service Provider Console infrastructure against security criteria and understand if it is compliant with best practices, industry standards, and federal regulations.
To reduce the risk of attackers exploiting vulnerabilities, follow these recommendations:
- Regularly install the latest security updates and patches on Veeam Service Provider Console Server and Veeam Service Provider Console components.
- Develop an update management strategy to prevent a negative impact on the production environment.
Tip: You can subscribe to Veeam security advisories published in the Veeam Knowledge Base to stay up to date with the latest security updates.
Microsoft Windows Server
To secure Microsoft Windows-based components in Veeam Service Provider Console infrastructure, consider the following recommendations:
- Use operating system versions with Long Term Servicing Channel (LTSC). For these versions, Microsoft provides extended support including regular security updates. For more information, see this Microsoft article.
- Regularly install the latest operating system and security updates for Microsoft Windows. To prevent a negative impact on the production environment, develop an update management strategy.
- Turn on Microsoft Defender Firewall with Advanced Security. Set up rules for inbound and outbound connections according to your infrastructure and Microsoft best practices. For more information, see this Microsoft article.
- Disable remote services if they are not needed:
  - Remote Desktop Service
  - Remote Registry service
  - Remote PowerShell
  - Windows Remote Management service
Linux Server
To secure Linux-based components in Veeam Service Provider Console infrastructure, consider the following recommendations:
- Use operating system versions with long-term support (LTS). LTS versions of popular community-based and commercial Linux distributions have extended support including regular security updates.
- Regularly install the latest operating system and security updates for Linux distributions. To prevent a negative impact on the production environment, develop an update management strategy.
- For the SSH tunnel, use a strong and proven encryption algorithm with sufficient key length. Make sure that private keys are kept in a highly secure place and cannot be obtained by a third party.
- Avoid using password authentication to connect to remote servers over SSH. Using key-based SSH authentication is generally considered more secure than using password authentication and helps avert man-in-the-middle (MITM) attacks. The private key is not passed to the server and cannot be captured even if a user connects to a fake server and accepts a bad fingerprint.