How to harden the Veeam Backup Repository
The Veeam Backup Repository is a storage location used to store backup files, VM copies, configuration backups (BCO) and auxiliary replica files. There are several flavours of Veeam backup repositories, namely: Windows, Linux or Specific DeDuplication devices like the ExaGrid, EMC DataDomain or HPE StoreOnce.
In this blogpost, I will focus on possibilities on hardening the Microsoft Windows-based backup repository. Overall the most Veeam Backup Repository Servers are physical machines with storage. Make sure that your servers are physical secured. Check that only authorised personnel have access to the data centers where your backup repository servers reside. As an extra precaution or when the backup files leave the security domain, make sure you encrypt the data in the backups. You can use the built-in encryption options from Veeam Backup & Replication. For Veeam Backup & Replication encryption best practices see Veeam Best Practices – Infrastructure hardening.
How to harden the Veeam Microsoft Windows-based Backup repository?
A good way of hardening the backup repository is by running it on a standalone Windows Server with storage attached to it. Create a local account with administrative access (or use the builtin administrator) and make sure only this newly created account has access rights to the location where the backup files are being stored. Veeam needs a local account with administrative access to function properly. For best practises around hardening the Veeam Backup Repository based on Microsoft Windows see the following blog post.
Step 1 – Create new local account
Make sure to create a new local account with administrative access. Open the Magnify Glass on the menu bar of the Windows Backup Repository server > search for Computer Management > go to Local Users and Groups > open Users folder > right click in Users window > create New User.
Tick the User cannot change password box and the Password never expires box.
Open the newly created account and open the Member Of tab, Add the Administrators group and remove the Users group.
By creating a local Service Account specific per Veeam Backup Repository Server you increase the level of protection. In the event that one of those accounts get compromised the other Repository servers stay secure.
Step 2 – Disable Remote UAC
Remote User Account Control (UAC) prevents local accounts from running in an elevated mode when connecting from the network. Veeam accesses the ADMIN$ through the Installer Service with the local account you presented while adding the Windows server to Infrastructure in Veeam Backup & Replication.
The connection will fail with the error message: Access is denied –tr:Error code: 0x00000005 –tr:Failed to create persistent connection to ADMIN$ shared folder on host [host name or ip-address] –tr:Failed to install service [VeeamDeploySvc] was not installed on the host [host name or ip-address] when Remote UAC is Enabled on the Windows Server.
or with the error message RPC Client is not a member of built-in Administrators group. –tr:Error code: 0x80070005 when the server was already added as a Veeam Backup Repository through Infrastructure within Veeam Backup & Replication.
The Veeam Installer service pushes the Veeam binaries through the ADMIN$ and C$ share on the target machine. It also uses administrative shares later on for other jobs. On the Veeam Backup Repository server use REGEDT32 to navigate the registry to the following path:
Add a new Key with type DWORD (32-bit) Value and name it LocalAccountTokenFilterPolicy give it a value of 1. No restart is needed.
Step 3 – Changing Security Settings on Backup Target location
Login with the newly created local account and open File Explorer locate the disk(s) where the backup files will be placed (or are already there in an existing deployment). Open the properties of the disk and Add the newly created local service account and give it Full access. Tick all Allow boxes.
Remove all accounts except the SYSTEM and the newly added local account.
Important: the SYSTEM group account can also be removed, but then the Veeam services need to start with the newly created local account instead of Local System otherwise the backups will fail. (For more information see Step 6)
After adding the newly created local account on the security tab of the disk(s) where backups will reside. Open the advanced security settings and Change the Owner. When there are already backup files on this disk make sure to tick the box: Replace all child objects permissions entries with inheritable permissions entries from this object.
Logout with the newly created local account. Now log back in with the local administrator, you should get an Access Denied while opening the protected drive(s).
Step 4 – Changing the Windows Firewall
Check if the Windows Firewall is On by opening the Windows Firewall.
You will have two options to make the first Install of Veeam components, pushed from the Veeam Backup & Replication server, a success.
Option 1 – Disable the Windows Firewall for the Private Networks during the initial Veeam installation. This way the right binaries gets pushed to the Windows server. Veeam will add Firewall rules for Veeam during installation, which are visible as Veeam Networking in the firewall under Allowed apps and features. After the process completed successful make sure you complete Step 4a before enabling the Windows Firewall again.
Veeam Networking will create Inbound and Outbound rules in the Firewall and they will look like the picture below.
Option 2 – Adjusting the Windows Firewall for the Pre-Install phase without ever having to disabling the Windows Firewall. Complete Step 4a and Step 4b.
Step 4a – Allowing Remote Event Log Management
Select Allow an app or feature through Windows Firewall. Press the button Change Settings. Scroll down till you find Remote Event Log Management and tick the box. Remote Event Log Management should be allowed for the Private Network otherwise you will get a Warning while modifying or adding a Windows server on the line Detecting the OS version.
After pressing the OK button, you will return to the previous window.
Step 4b – Adjusting the Firewall rules
Press Advanced settings to open the Windows Firewall with Advanced Security and click Inbound Rules.
Create a New Rule with the following settings:
- Rule Type: Port
- Protocol and Ports: TCP, Specific local Ports: 6160
- Action: Allow the connection
- Profile: Private
- Name: Veeam Pre-Install
After creating the new Inbound Firewall Rule, you can open it by double clicking and then open the tab Scope. Here you can add the IP-address from the Veeam Backup & Replication Server under Remote IP address to Allow specific access just from that IP-Address.
Step 5 – Adding New Windows Server in Backup & Replication
Open the Veeam Backup & Replication console. Go to Backup Infrastructure and press Add Server or right click in the right screen and press Add Server.
A new window will open. Fill out the fields with the FQDN DNS name or the IP-address of the new Windows Server which will function as Veeam Backup Repository. On the Credentials tab choose an already stored credential or Add a new one. Add the newly created local account from the Windows Server you are about to add.
Press Next> to progress a window will open with Detecting previously installed components… This window will show if there are already components on this server. It will show that the Transport component will be installed. The Veeam Installer service will also be deployed to the new Windows Server. Press Apply.
Press Next> and then Finish to wrap the initial install up.
Step 6 – Changing the Veeam Services
Open the Services on the new Windows Server and scroll down to the Veeam services which are just installed. Make sure that the Veeam services all start with the newly created local account. If you forget this step the protected backup target disks will not show up when adding the Veeam Repository role to this Windows Server.
Tip: if services are running and you need to change an existing installation the new logon name will not take effect until you stop and restart the service.
Step 7 – Adding Repository Server in Veeam Backup & Replication
You can add (or change) the backup repository by going to the Veeam Backup & Replication console > Backup Infrastructure > Backup Repositories > Add Repository. Give the repository a name and select Microsoft Windows Server on the type stage. At the Server stage select the correct server from the dropdown and press the Populate button. If you missed step 6 you will not see the Backup Target disk which you protected in Step 3.
Select the Path to folder and press the Populate button to see the Capacity and Free space. You might want to open the Advanced settings and tick the Per-VM box. Press Next> to go to the Mount Server stage. You can choose to install the Mount service on this server and/or Enable it for vPower NFS Service.
IMPORTANT: If you do install those, remember to also adjust those services to start with the local service account!!
How to harden the Veeam Linux-based Backup repository?
But what about Veeam Linux-based Backup repositories? If you happen to have Veeam Linux-based Backup repositories please check out a blog post my Colleague Luca Dell’Oca did. You can find a comprehensive write up on how to protect a Linux based Backup Repository on his blog here.
- Best Practices for Hardening the Veeam Backup… by Edwin Weijdema
- Using VMware and Veeam? Update VBR 9.5 to Update 3a now by Edwin Weijdema
- Unable to backup iSCSI volume with Veeam Agent for Windows by Edwin Weijdema
- Add Veeam to a Workgroup, Domain or Forest? by Edwin Weijdema
- Backup failed due to bitlocker by Edwin Weijdema