Attack surface reduction
Console access
The Veeam Backup & Replication console is a client-side component that provides access to the backup server. The console lets several backup operators and admins log in to Veeam Backup & Replication simultaneously and perform all kind of data protection and disaster recovery operations as if you work on the backup server.
Prefer installing the Veeam Backup & Replication Console on a central management server positioned in a secure network zone and protected with 2-factor authentication rather than installing the console on the local desktops of backup & recovery admins. Always enforce MFA when authenticating to the Veeam Backup and Replication Console itself (supported starting v12).
Access to Veeam Backup & Replication Server should be limited to the Veeam Backup & Replication Console. Disable remote desktop access, any remote access protocol should be disallowed.
Console uninstallation from VBR server
Backup & Replication Console should be removed from the Veeam Backup & Replication Server when possible (see the note at the end of this section). The console is installed locally on the backup server by default.
The Console cannot be removed through the installer or by using Add/Remove in Windows. Open a cmd prompt with administrative access. On the command prompt type: wmic product list brief > installed.txt - this will create a text document with all installed products and their respective Product Codes.
For uninstalling Veeam Backup & Replication Console, first uninstall all Veeam Explorers:
- Veeam Explorer for Microsoft Exchange
- Veeam Explorer for Microsoft Sharepoint
- Veeam Explorer for Microsoft Active Directory
- Veeam Explorer for Microsoft SQL
- Veeam Explorer for Oracle
You can uninstall these components by using: msiexec /x {ProductCode}
Example for uninstalling the Veeam Backup & Replication console is: msiexec /x {D0BCF408-A05D-45AA-A982-5ACC74ADFD8A}
Important note: Uninstalling Veeam Backup and Replication console removes PowerShell module and makes using Veeam Backup PowerShell cmdlets impossible on the Backup Server. This may affect automation scripts or products that rely on PowerShell for interacting with Veeam Backup and Replication, for example Veeam Availability Orchestrator (former Veeam Disaster Recovery Orchestrator).
Veeam Backup and Replication Database protection
The Backup & Replication configuration database stores credentials to connect to virtual servers and other systems in the backup & replication infrastructure.
All passwords stored in the database are encrypted. However, a user with administrator privileges on the backup server can decrypt the passwords, which presents a potential threat. Refer to Veeam kb 4349 for more information.
To secure the Backup & Replication configuration database, follow these guidelines:
- Restrict user access to the database. Check that only authorized users can access the backup server and the server that hosts the Veeam Backup & Replication configuration database (if the database runs on a remote server).
- Encrypt data in configuration backups as a best practice. Enable data encryption for configuration backup to secure data stored in the configuration database. Please note that user accounts and passwords are not stored in configuration backups when encryption is not active.
Unused Components removal
Remove all non-essential software programs and utilities from the deployed Veeam components. While these programs may offer useful features to the administrator, if they provide additional access (“back-doors”) to the system, they must be removed during the hardening process.
Think about additional software like web browsers, java, adobe reader and such. All parts which do not belong to the operating system or to active Veeam components, remove them. It will make maintaining an up-to-date patch level much easier.
Unused services removal
Switch off the Veeam vPower NFS Service on each component where you do not plan on using the following Veeam features: SureBackup, Instant Recovery, or Other-OS File Level Recovery (FLR) operations.
Remove default proxy and default repository role from the VBR server if you do not plan to use them.
When Enterprise Manager is not used de-install it and remove it from your environment.
Patching and Updates
Patch operating systems, software, and firmware on Veeam components. Most hacks succeed because there is already vulnerable software in use which is not aligned to with current patch levels.
So, make sure every piece of software and hardware where Veeam components are running are up to date. One of the most possible causes of a credential theft are missing guest OS updates and use of outdated authentication protocols.
To mitigate risks, follow these guidelines:
- Track Common Vulnerabilities and Exposures (CVEs) for your systems.
- Ensure timely guest OS updates on backup infrastructure servers.
- Install the latest updates and patches on backup infrastructure servers to minimize the risk of exploiting guest OS vulnerabilities by attackers.
You may choose to isolate your Veeam Backup and Replication server from the internet, in that case you will have to proceed with offline updates : download updates from another machine, copy binaries to the VBR Server and apply updates. If you choose to allow your Veeam Backup and Replication Server to access the Internet, take care to strictly restrict access to update servers for applications and operating systems, again, remove any tool and browser to prevent installation/download of potential harmful pieces of code. Of course, do not expose your Veeam Backup and Replication Server to the Internet.
Ports
Try not to use obscure ports and other tricks to try and hide Veeam ports and protocols in use, while this may look like a good choice. In practice this often makes the infrastructure harder to manage which opens other possibilities for attackers. Obscurity is not security!
Two tools have been developed to ease ports identification between Veeam components:
Apply appropriate firewall rules to restrict network communications to applications minimum needs.
Note: More information can be found in Veeam Backup & Replication user guide.