Best Practices for Hardening the Veeam Backup Repository (Windows)
A good way of hardening the backup repository is to run it on a standalone Windows Server with storage attached to it. Create or use a local account with administrative access and make sure only this (newly created) account has access rights to the location where the backup files are stored. Veeam needs a local account with administrative access to function properly. I already did a blog post on this subject earlier this year, aimed at educating and giving insight into the possibilities you have for hardening a Veeam Backup Repository based on Microsoft Windows. In this blog post I have grouped and summarised the best practices for hardening a Veeam Backup Repository based on Microsoft Windows that are being used in the field with customers running Veeam Backup & Replication version 9.5.
Best Practices for Hardening Veeam Backup Repositories based on Microsoft Windows are:
- K.I.S.S. design – Keep It Simple and Straightforward.
- Use a standalone Windows Server which is not part of any Microsoft Active Directory Domain.
- Make sure the repository servers are physically secured.
- Use a local account with administrative access and rename the local administrator account.
- Set permissions on the repository directory to only that local account.
- Modify the Firewall, with dedicated rules for Veeam to allow access to specific ports.
- Disable remote RDP services to the repository servers.
- Use Veeam encryption while storing backups on the repository.
1. K.I.S.S. design
Overly complex designs are harder for the IT team to manage and oversee, which makes it easier for an attacker to exploit them and stay in the shadows. Simpler designs that can be easily overviewed are inherently more secure. Use the K.I.S.S. (Keep It Simple and Straightforward) principle for your designs. KISS is an acronym for “Keep it simple, stupid”, a design principle noted by the U.S. Navy in 1960. The KISS principle states that most systems work best if they are kept simple rather than made complicated; therefore simplicity should be a key goal in design and unnecessary complexity should be avoided. A simple design is easier to overview and to secure as a whole. Source: Wikipedia
Adding security to an existing infrastructure is much harder and more costly than thinking about it while designing a new infrastructure or refreshing an existing one. In a virtual infrastructure, it is good practice to build a master image that has been hardened from the start: remove all known attack vectors and only open up access when Veeam components are added and need specific (port) openings or extra software to function properly. This way all builds are consistent and kept up to date, which makes them secure at the base.
2. Use a standalone Windows Server
When protecting the whole environment, you do not want the Veeam repository to be tied to the same Microsoft Active Directory domain you are protecting with the backup. Otherwise, if everything is lost, you could have a chicken-and-egg problem: accounts wanting to authenticate against a domain that is no longer available.
Furthermore, if a Domain Admin account is compromised, you do not want that account to be able to overrule a backup repository account password, giving the attacker access to the backup files together with access to the whole environment.
3. Make sure the repository servers are physically secured
Place the repository servers in a restricted zone, because these servers contain a 100% copy of your production environment! The repository servers should be physically secured and have appropriate access control systems in place. This way access is restricted, and who has access is registered and monitored at specified levels.
4. Use a local account with administrative access
The easiest and best way to leverage a local account with administrative access to the repository server is to use the built-in Local Administrator account. As an extra precaution, rename the account so a potential attacker has to guess both the account name and the password. By using a local account specific to each Veeam Backup Repository server you increase the level of protection: in the event that one of those accounts is compromised, the other repository servers stay secure.
When your organisation does not allow you (e.g. by global security policy) to use the built-in local administrator account, you can create a new local account and give it administrative access. Make sure the Local Administrator account is highly secured in this case.
Important: UAC affects connections for nondomain/local user accounts. If you connect to a remote computer using a nondomain/local user account included in the local Administrators group of the remote computer, then you must explicitly grant remote DCOM access, activation, and launch rights to the account. User Account Control (UAC) access-token filtering can affect which operations are allowed or what data is returned. Under UAC, all accounts in the local Administrators group run with a standard user access token, also known as UAC access-token filtering. An administrator account can run a script with elevated privileges by using “Run as Administrator”.
Some securable objects may not allow a standard user to perform tasks and offer no means to alter the default security. In this case, you may need to disable UAC so that the local user account is not filtered and instead becomes a full administrator. One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, but it is not a cure-all. UAC helps most by being the prompt before software is installed.
This part of UAC is in full force when the “Notify me only when…” setting is used. UAC also prompts for other system-wide changes that require administrator privileges which, considered in the abstract, would seem to be an effective counter-measure to malware after it is running, but the practical experience is that its effect is limited. For example, clever malware will avoid operations that require elevation. Be aware that for security reasons, disabling UAC should be a last resort.
The downside of creating a new administrative local account is that you will need to disable Remote User Account Control (UAC), because this Windows function prevents local accounts from running in elevated mode when connecting from the network. Veeam accesses the C$ share through the Installer Service with the local account you presented while adding the Windows server to Infrastructure in Veeam Backup & Replication.
The connection will fail with the following error message when Remote UAC is enabled on the Windows Server:
Access is denied –tr:Error code: 0x00000005 –tr:Failed to create persistent connection to ADMIN$ shared folder on host [host name or ip-address] –tr:Failed to install service [VeeamDeploySvc] was not installed on the host [host name or ip-address]
or, when the server was already added as a Veeam Backup Repository through Infrastructure within Veeam Backup & Replication, with the error message:
RPC Client is not a member of built-in Administrators group. –tr:Error code: 0x80070005
The Veeam Installer service pushes the Veeam binaries through the ADMIN$ and C$ share on the target machine. It also uses administrative shares later on for other jobs.
You can disable Remote UAC on the repository server by using REGEDT32 to navigate to the following registry path:
Add a new DWORD (32-bit) Value named LocalAccountTokenFilterPolicy and give it a value of 1. No restart is needed.
5. Set permissions on the repository directory
Log in with the newly created local account or with the renamed local administrator and open File Explorer, then locate the disk(s) where the backup files will be placed (or already are, in an existing deployment). Open the properties of the disk, add the account you are using and give it Full control. Tick all Allow boxes.
Remove all accounts except SYSTEM and the account you are using.
Important: the SYSTEM account can also be removed, but then the Veeam services need to run as the local administrative account instead of Local System, otherwise the backups will fail. Keep the KISS principle in mind here.
After adding the administrative account on the Security tab of the disk(s) where backups will reside, open the advanced security settings and change the Owner. When there are already backup files on this disk, make sure to tick the box “Replace all child object permission entries with inheritable permission entries from this object”.
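The same permission change scripted in PowerShell, as an added example that is not part of the original post: it protects the repository directory from inherited ACEs, leaves only SYSTEM and the repository account with Full control, sets the owner, and re-applies inheritance to existing backup files. The path D:\VeeamBackups and the account name veeamrepo are placeholders; run it elevated as the repository account.

```powershell
# Added example, not from the original post. Placeholders: repository path and local account.
$RepoPath    = 'D:\VeeamBackups'
$RepoAccount = "$env:COMPUTERNAME\veeamrepo"   # local (non-domain) repository account

$acl = Get-Acl -Path $RepoPath

# Stop inheriting from the volume root (drops entries such as BUILTIN\Users) and
# make the repository account the owner, as the post does via the Owner dialog.
$acl.SetAccessRuleProtection($true, $false)    # isProtected = true, preserveInheritance = false
$acl.SetOwner([System.Security.Principal.NTAccount]$RepoAccount)

# Remove every explicit ACE that is left; only SYSTEM and the repository account are re-added.
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}

# SYSTEM stays because the Veeam services run as Local System (see the "Important" note above).
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
foreach ($who in @('NT AUTHORITY\SYSTEM', $RepoAccount)) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $who, 'FullControl', $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $RepoPath -AclObject $acl

# Equivalent of "Replace all child object permission entries": existing backup files and
# folders lose their own explicit ACEs and inherit the two entries from the repository root.
Get-ChildItem -Path $RepoPath -Recurse -Force | ForEach-Object {
    $child = Get-Acl -LiteralPath $_.FullName
    $child.SetAccessRuleProtection($false, $false)   # inherit again from the parent
    foreach ($ace in @($child.Access | Where-Object { -not $_.IsInherited })) {
        [void]$child.RemoveAccessRule($ace)
    }
    $child.SetOwner([System.Security.Principal.NTAccount]$RepoAccount)
    Set-Acl -LiteralPath $_.FullName -AclObject $child
}

# Verification: print the resulting explicit entries on the root; only two identities should remain.
(Get-Acl -Path $RepoPath).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```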
6. Modify the Firewall
You have three options to make the first install of Veeam components, pushed from the Veeam Backup & Replication server, a success. From most preferred to least preferred option:
- Keep Windows Firewall On and add three new firewall rules.
- Keep Windows Firewall On and manually install the Veeam Installer Service (VeeamDeploySvc)
- Switch Windows Firewall Off and enable File and Printer Sharing during the first install
Option 1 – Keep the Windows Firewall On and add three new firewall rules.
From a command prompt run the following three commands to add three new rules to the Windows Firewall:
netsh advfirewall firewall add rule name="Veeam (DCOM-in)" dir=in action=allow protocol=TCP LocalPort=135 enable=yes program="%systemroot%\system32\svchost.exe" service=RPCSS remoteip=<VBR Server IP-address>
netsh advfirewall firewall add rule name="Veeam (SMB-in)" dir=in action=allow protocol=TCP LocalPort=445 enable=yes program="System" remoteip=<VBR Server IP-address>
netsh advfirewall firewall add rule name="Veeam (WMI-in)" dir=in action=allow protocol=TCP LocalPort=RPC enable=yes program="%systemroot%\system32\svchost.exe" service=winmgmt remoteip=<VBR Server IP-address>
After adding these firewall rules nothing else has to be done to the Windows server for it to be added as a Veeam infrastructure component. You also do not have to switch on File and Printer Sharing specifically. By running these commands on a Veeam infrastructure template, you can make sure any VM you deploy to be added to the Veeam infrastructure is ready for installation while being fully protected.
Note: You can also store these three commands in a Windows .bat file and run it on every Windows server you are preparing to use as a Veeam infrastructure component.
Option 2 – Keep Windows Firewall On and manually install the Veeam Installer Service.
Open the CMD utility on the repository server and create a folder C:\Windows\Veeam\Backup
Copy the two files VeeamDeploymentDll.dll and VeeamDeploymentSvc.exe from the Veeam Backup & Replication server path C:\Program Files\Veeam\Backup and Replication\Backup\Packages to the newly created folder on the repository server C:\Windows\Veeam\Backup.
You can use the <TAB> key for auto completion.
Open a command window on the Veeam repository server in the directory C:\Windows\Veeam\Backup and run the following command: VeeamDeploymentSvc.exe -install. This installs the Veeam Installer Service. Veeam adds firewall rules for itself during installation, which are visible as Veeam Networking in the firewall under Allowed apps and features. When using the -uninstall flag the installed service will be gracefully uninstalled.
This manual install process is useful when the repositories are situated in a zone where you have no internet or other network access to download the needed program files.
Option 3 (Not recommended) – Turn Windows Firewall Off and Enable File and Printer Sharing during the first install
This option is not recommended from a security standpoint! You can disable the Windows Firewall and enable File and Printer Sharing for Private Networks during the initial Veeam installation. This way the right binaries get pushed to the Windows Veeam Backup Repository server. Veeam adds firewall rules for itself during installation, which are visible as Veeam Networking in the firewall under Allowed apps and features. After the process has completed successfully, make sure you enable the Windows Firewall again!
7. Disable remote RDP services to the repository servers
Veeam Backup Repositories are most often physical. An extra security measure is to disable any remote RDP access to that Windows machine in Windows and use a KVM-over-IP switch to access the machine remotely in the datacenter.
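A read-only audit of the hardening points from sections 2, 4, 6 and 7, as an added example that is not part of the original post: it checks domain membership, whether the built-in Administrator (RID 500) was renamed, the LocalAccountTokenFilterPolicy value, the firewall state and the scope of the three Veeam rules, and whether RDP is disabled. The registry paths are the standard Windows locations for these settings (the post itself does not list them), and the VBR server address 10.0.0.5 is a placeholder.

```powershell
# Added example, not from the original post. Run elevated on the repository server.
$VbrServerIp = '10.0.0.5'   # placeholder: Veeam Backup & Replication server address
$findings = @()

# Section 2: the repository must not be joined to the domain it protects.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) { $findings += "Server is joined to domain $($cs.Domain)" }

# Section 4: the built-in Administrator has the well-known RID 500; it should be renamed.
$builtin = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
if ($builtin.Name -eq 'Administrator') { $findings += 'Built-in Administrator account has not been renamed' }

# Section 4: Remote UAC token filtering. The post sets LocalAccountTokenFilterPolicy = 1 so that
# the local admin account can reach ADMIN$ / C$; the key path is the standard Windows location.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$filter = (Get-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($filter -ne 1) { $findings += 'LocalAccountTokenFilterPolicy is not 1; deployment via ADMIN$ with a local admin will fail' }

# Section 6: firewall on for every profile, and the Veeam rules limited to the VBR server address.
$off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
if ($off) { $findings += "Windows Firewall is disabled for profile(s): $($off.Name -join ', ')" }
foreach ($name in 'Veeam (DCOM-in)', 'Veeam (SMB-in)', 'Veeam (WMI-in)') {
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rule) { $findings += "Firewall rule '$name' is missing"; continue }
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    # Anything other than the VBR address (e.g. 'Any') widens the exposure of 135/445/RPC.
    if (@($remote) -ne $VbrServerIp) { $findings += "Rule '$name' allows remote address '$remote', expected $VbrServerIp" }
}

# Section 7: RDP disabled (fDenyTSConnections = 1 under the Terminal Server key).
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($rdp -ne 1) { $findings += 'Remote Desktop connections are enabled on this repository server' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'All audited repository hardening checks passed' }
```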
8. Use Veeam encryption
Backup and replica data can be intercepted in-transit, when it is communicated from source to target over a network. To secure the communication channel for backup traffic, consider these guidelines:
- Isolate backup traffic. Use an isolated network to transport data between backup infrastructure components (backup server, backup proxies, repositories and so on). See also segmentation.
- Encrypt network traffic. By default, Veeam Backup & Replication encrypts network traffic traveling between public networks. To ensure secure communication of sensitive data within the boundaries of the same network, you can also encrypt backup traffic in private networks. For details, see Enabling Network Data Encryption.
To make sure that an unauthorised person is not able to read or abuse anything in the backup files, use the built-in encryption of Veeam Backup & Replication to protect data in backups. To guarantee the security of data in backups, follow the Veeam Encryption Best Practices.
For more information on Best Practices for Veeam Backup & Replication, see the online library.
For extra insights, details and possibilities around hardening the Veeam Backup Repository see the blog post: How to harden the Veeam Backup Repository.
White-paper around Veeam Backup & Replication and Infrastructure hardening – Veeam Backup & Replication 9.5 Update 3 – Infrastructure Hardening