
Attack surface reduction

Console access

The Veeam Backup & Replication console is a client-side component that provides access to the backup server. It lets several backup operators and administrators log in to Veeam Backup & Replication simultaneously and perform all kinds of data protection and disaster recovery operations as if they were working on the backup server itself.

Prefer installing the Veeam Backup & Replication console on a central management server placed in a secure network zone and protected with two-factor authentication, rather than on the local desktops of backup and recovery admins. Always enforce MFA when authenticating to the Veeam Backup & Replication console itself (supported starting with v12).

Access to the Veeam Backup & Replication server should be limited to the Veeam Backup & Replication console. Disable Remote Desktop access on the backup server, and do not allow any other remote access protocol either.
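The PowerShell below is an added example (not part of this guide and not Veeam's own tooling) of carrying out the Remote Desktop part of that rule on the backup server: it turns off Remote Desktop, disables the built-in RDP allow rules and adds an explicit block, then reports the resulting state for the change record. The English display group name "Remote Desktop" and the rule name `VBR-Hardening Block RDP` are assumptions.

```powershell
# Added example, not part of the Veeam hardening guide: disable Remote Desktop on the
# backup server and make TCP 3389 unreachable at the host firewall. Run in an elevated
# PowerShell on a Windows Server host (NetSecurity module, Windows Server 2012 or later).
# Assumes the English display group name "Remote Desktop" for the built-in RDP rules.

$ErrorActionPreference = 'Stop'

# 1. Tell Remote Desktop Services to refuse connections.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 1 -Type DWord

# 2. Disable the built-in "Remote Desktop" allow rules so 3389 stays closed even if the
#    registry value is flipped back later by a GPO or an administrator.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. Add an explicit inbound block for 3389; block rules win over any allow rule that
#    another installer or policy might add later.
$blockName = 'VBR-Hardening Block RDP'   # assumption: naming convention for this script's rules
if (-not (Get-NetFirewallRule -DisplayName $blockName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $blockName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -Action Block -Profile Any | Out-Null
}

# 4. Report the resulting state for the change record. The TermService listener may
#    still be bound to 3389 after step 1; the firewall rules are what make it unreachable.
[pscustomobject]@{
    fDenyTSConnections   = (Get-ItemProperty -Path $tsKey -Name 'fDenyTSConnections').fDenyTSConnections
    RdpAllowRulesEnabled = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                             Where-Object { $_.Enabled -eq 'True' }).Count
    BlockRulePresent     = [bool](Get-NetFirewallRule -DisplayName $blockName -ErrorAction SilentlyContinue)
    Listening3389        = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
} | Format-List
```

Run it from a local console session (or through the console host you keep), not over the RDP session you are about to close. Other remote access channels such as WinRM/PowerShell Remoting or SSH are not touched by this script and need the same treatment; Veeam's own services between backup server, proxies and repositories are not remote access protocols in this sense and must stay reachable.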

Veeam Backup and Replication Database protection

The Backup & Replication configuration database stores credentials to connect to virtual servers and other systems in the backup & replication infrastructure.

All passwords stored in the database are encrypted. However, a user with administrator privileges on the backup server can decrypt them, which is a potential threat. Refer to Veeam KB 4349 for more information.

To secure the Backup & Replication configuration database, follow these guidelines:

  • Restrict user access to the database. Check that only authorized users can access the backup server and the server that hosts the Veeam Backup & Replication configuration database (if the database runs on a remote server).
  • Encrypt configuration backups. Enable data encryption for the configuration backup so that the credentials it carries are protected at rest. Note that when encryption is not enabled, user accounts and passwords are not included in configuration backups at all, so a restore from such a backup requires re-entering the credentials.

Unused Components removal

Remove all non-essential software programs and utilities from the deployed Veeam components. While these programs may offer useful features to the administrator, they can also provide additional access paths (“back doors”) into the system, and they must be removed during the hardening process.

Think of additional software such as web browsers, Java, Adobe Reader and the like. Remove everything that does not belong to the operating system or to an active Veeam component; this also makes keeping the patch level current much easier.
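As an added example (not from this guide), the script below inventories the software installed on a Veeam component from the Uninstall registry keys and flags packages that match the kinds of software named above. The pattern lists are assumptions to be tuned per environment; the script only reports, it does not uninstall anything.

```powershell
# Added example, not part of the Veeam hardening guide: list installed software on a
# Veeam component and flag entries that match common "does not belong here" patterns
# (browsers, Java runtimes, PDF readers, ...). Both pattern lists are assumptions;
# review the report before removing anything.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Case-insensitive regexes matched against DisplayName.
$nonEssential = @('chrome', 'firefox', 'java', '\bjre\b', '\bjdk\b', 'adobe', 'acrobat',
                  'flash', 'vlc', 'notepad\+\+')
# Things expected on a Veeam host: Veeam itself and the runtimes/DB drivers it installs.
$allowed      = @('^Veeam', '^Microsoft Visual C\+\+', '^Microsoft \.NET', '^Microsoft SQL',
                  '^Microsoft ODBC', '^Microsoft OLE DB', '^PostgreSQL')

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    Select-Object DisplayName, DisplayVersion, Publisher, UninstallString

$report = foreach ($app in $installed) {
    $name      = $app.DisplayName
    $isAllowed = @($allowed | Where-Object { $name -match $_ }).Count -gt 0
    $flag      = $nonEssential | Where-Object { $name -match $_ } | Select-Object -First 1
    [pscustomobject]@{
        Name      = $name
        Version   = $app.DisplayVersion
        Publisher = $app.Publisher
        Verdict   = if ($isAllowed) { 'keep' } elseif ($flag) { "remove? (matches '$flag')" } else { 'review' }
        Uninstall = $app.UninstallString
    }
}

$report | Sort-Object Verdict, Name | Format-Table Name, Version, Publisher, Verdict -AutoSize
# To act on a flagged entry, run its UninstallString (msiexec /x {ProductCode} /qn for MSI
# packages) after confirming it is not a dependency of an active Veeam component.
```

Everything that ends up as "review" is the interesting part of the output: it is neither Veeam nor one of its runtimes, so it needs a justification for being on the host, or it goes.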

Unused services removal

Switch off the Veeam vPower NFS Service on each component where you do not plan to use the features that depend on it: SureBackup, Instant Recovery, or Other-OS File Level Recovery (FLR).

Remove the default proxy and default repository roles from the VBR server if you do not plan to use them.

When Enterprise Manager is not used, uninstall it and remove it from your environment.
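The following script is an added example (not from this guide or from Veeam) covering the first two points above: it stops and disables the vPower NFS service, then reports the install-time default proxy and repository on the backup server and removes them only when run with `-Remove`. The service name `VeeamNFSSvc`, the default role names and the `Veeam.Backup.PowerShell` cmdlet usage are assumptions taken from the v12 documentation; confirm them for the version you run.

```powershell
# Added example, not part of the Veeam hardening guide: stop and disable the vPower NFS
# service on a component that does not use SureBackup, Instant Recovery or Other-OS FLR,
# then report (or, with -Remove, delete) the default proxy and repository roles on the
# backup server. Assumptions: service name 'VeeamNFSSvc' (confirm with
# Get-Service -DisplayName 'Veeam vPower*'), the install-time role names below, and the
# Veeam.Backup.PowerShell cmdlets as documented for v12. Run elevated on the backup server.
param([switch]$Remove)

$ErrorActionPreference = 'Stop'

# 1. vPower NFS service: stop it and prevent it from starting again.
$nfs = Get-Service -Name 'VeeamNFSSvc' -ErrorAction SilentlyContinue
if ($nfs) {
    if ($nfs.Status -ne 'Stopped') { Stop-Service -Name $nfs.Name -Force }
    Set-Service -Name $nfs.Name -StartupType Disabled
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='$($nfs.Name)'").StartMode
    "vPower NFS service: status {0}, start mode {1}" -f (Get-Service -Name $nfs.Name).Status, $startMode
} else {
    'vPower NFS service not installed on this host'
}

# 2. Default roles created by the installer on the backup server.
$defaultProxyName = 'VMware Backup Proxy'        # assumption: install-time default name
$defaultRepoName  = 'Default Backup Repository'  # assumption: install-time default name

Import-Module Veeam.Backup.PowerShell
Connect-VBRServer -Server localhost
try {
    $proxy = Get-VBRViProxy -Name $defaultProxyName -ErrorAction SilentlyContinue
    $repo  = Get-VBRBackupRepository -Name $defaultRepoName -ErrorAction SilentlyContinue

    if ($proxy) {
        if ($Remove) { Remove-VBRViProxy -Proxy $proxy -Confirm:$false; "removed proxy '$defaultProxyName'" }
        else         { "default proxy '$defaultProxyName' still present (re-run with -Remove)" }
    } else { "default proxy '$defaultProxyName' not found" }

    if ($repo) {
        # Removal is refused while jobs or the configuration backup still target the
        # repository; that error is the signal to repoint them first, not to force it.
        if ($Remove) { Remove-VBRBackupRepository -Repository $repo -Confirm:$false; "removed repository '$defaultRepoName'" }
        else         { "default repository '$defaultRepoName' still present (re-run with -Remove)" }
    } else { "default repository '$defaultRepoName' not found" }
}
finally {
    Disconnect-VBRServer
}
```

Run it once without `-Remove` to see what is still there, move any job or the configuration backup that points at the default repository elsewhere, and only then run it with `-Remove`. On a proxy or repository host (no backup server), only the first part applies; the Veeam module call will fail there, which is expected.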

Patching and Updates

Patch operating systems, software, and firmware on Veeam components. Most successful attacks exploit software that is already known to be vulnerable and is not at the current patch level.

So make sure every piece of software and hardware on which Veeam components run is up to date. Missing guest OS updates and the use of outdated authentication protocols are among the most likely causes of credential theft.

To mitigate risks, follow these guidelines:

  • Track Common Vulnerabilities and Exposures (CVEs) for your systems.
  • Ensure timely guest OS updates on backup infrastructure servers.
  • Install the latest updates and patches on backup infrastructure servers to minimize the risk of exploiting guest OS vulnerabilities by attackers.
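The following PowerShell is an added example (not from this guide) of turning the second and third guideline into a recurring check: it reports the age of the newest installed Windows update on each backup infrastructure server and exits non-zero when that age exceeds a threshold, so a scheduled task or monitoring agent can alert on it. The 45-day threshold is an assumption.

```powershell
# Added example, not part of the Veeam hardening guide: report the age of the newest
# installed Windows update on each backup infrastructure server and exit non-zero when it
# exceeds a threshold, so the check can run as a scheduled task or from a monitoring agent.
# The 45-day threshold is an assumption; align it with your patch SLA. Get-HotFix lists
# only updates registered with the component store, so track the Veeam build you run
# against Veeam's release notes/KBs separately; that part is not automated here.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$MaxAgeDays = 45
)

$now = Get-Date
$results = foreach ($c in $ComputerName) {
    # Some hotfix entries carry no InstalledOn date; they are skipped rather than
    # counted as "just installed".
    $newest = Get-HotFix -ComputerName $c -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $age = if ($newest) { [int]($now - $newest.InstalledOn).TotalDays } else { $null }
    [pscustomobject]@{
        Computer    = $c
        NewestKB    = if ($newest) { $newest.HotFixID } else { '-' }
        InstalledOn = if ($newest) { $newest.InstalledOn.ToString('yyyy-MM-dd') } else { '-' }
        AgeDays     = $age
        Status      = if ($null -eq $age) { 'UNKNOWN' } elseif ($age -gt $MaxAgeDays) { 'STALE' } else { 'OK' }
    }
}

$results | Format-Table -AutoSize
# Non-zero exit when any host is stale or could not be queried, for schedulers/monitoring.
if (@($results | Where-Object { $_.Status -ne 'OK' }).Count -gt 0) { exit 1 }
```

Pass the backup server, proxies, repositories and gateway servers in `-ComputerName`; the remote query uses the classic WMI/DCOM path, so the account running the check needs local administrator rights on those hosts and a firewall rule for it, which fits the "only from the management host" model rather than opening it broadly.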

You may choose to isolate your Veeam Backup & Replication server from the internet; in that case you will have to apply updates offline: download them on another machine, copy the binaries to the VBR server and install them there. If you choose to allow the server to access the internet, strictly restrict that access to the update servers of the operating system and the installed applications, and, again, remove any tool or browser that could be used to download and run potentially harmful code. In either case, never expose your Veeam Backup & Replication server itself to the internet.

Ports

Do not try to hide the Veeam ports and protocols in use behind obscure port numbers and similar tricks, even if this looks like a good choice. In practice it makes the infrastructure harder to manage, which opens other possibilities for attackers. Obscurity is not security!

Two tools have been developed to ease the identification of the ports used between Veeam components:

Apply appropriate firewall rules to restrict network communication to the minimum the application needs.
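As an added example (not from this guide or from Veeam) of what "the minimum the application needs" looks like on the backup server itself, the script below finds inbound allow rules that expose the backup server's management ports to any source address and, when run with `-Enforce`, disables them and adds one allow rule scoped to the management host from which the console is used. The management address `10.10.0.5` is a placeholder, and the port list (9392, 9401, 6160) is an assumption taken from the defaults the user guide lists for the backup server; verify it against the guide for your version and extend it for components you run. Data mover ports (2500-3300) are deliberately not touched because proxies and repositories need them.

```powershell
# Added example, not part of the Veeam hardening guide: find inbound allow rules that expose
# the backup server's management ports to any source, then (with -Enforce) disable them and
# add an allow rule scoped to the management host(s). Placeholders/assumptions: the
# management address, and the port list taken from the user guide's backup-server defaults;
# verify both. Data mover ports 2500-3300 are intentionally left alone. Run elevated, from a
# session that does not depend on the rules being changed.
param(
    [string[]]$ManagementHosts = @('10.10.0.5'),   # placeholder: central console/management server
    [int[]]$MgmtPorts = @(9392, 9401, 6160),       # assumption: Veeam Backup Service / Installer Service defaults
    [switch]$Enforce
)

$ErrorActionPreference = 'Stop'
$ruleName = 'VBR-Hardening mgmt ports'

# 1. Inbound allow rules whose port filter covers one of the management ports (or all
#    ports) and whose remote address is "Any" undo any scoping; list them.
$broad = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    if ($rule.DisplayName -eq $ruleName) { continue }
    $pf = $rule | Get-NetFirewallPortFilter
    $af = $rule | Get-NetFirewallAddressFilter
    if ($pf.Protocol -ne 'TCP' -or $af.RemoteAddress -ne 'Any') { continue }
    $hit = @($pf.LocalPort) | Where-Object { $_ -eq 'Any' -or $_ -in $MgmtPorts } | Select-Object -First 1
    if ($hit) {
        [pscustomobject]@{ Name = $rule.Name; DisplayName = $rule.DisplayName
                           Ports = (@($pf.LocalPort) -join ','); Matched = $hit }
    }
}
$broad | Format-Table DisplayName, Ports, Matched -AutoSize

if (-not $Enforce) {
    'report only; re-run with -Enforce to disable the rules above and add the scoped allow rule'
    return
}

# 2. Disable (not delete) the broad rules so the change is reversible, then add the scoped allow.
foreach ($b in $broad) { Disable-NetFirewallRule -Name $b.Name }

Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $MgmtPorts -RemoteAddress $ManagementHosts -Profile Any | Out-Null

# 3. A scoped allow rule only means something if the profile default for inbound is Block.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
Get-NetFirewallRule -DisplayName $ruleName | Format-Table DisplayName, Enabled, Action -AutoSize
```

Run it without `-Enforce` first and read the list: rules that allow all TCP ports from anywhere show up as `Matched: Any` and are the ones most worth questioning. Rules with port ranges (for example the data mover range) are not matched by the simple port comparison and are left as they are.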

Note: More information can be found in Veeam Backup & Replication user guide.



Copyright © 2023 Solutions Architects, Veeam Software.
Please note that the information provided in this guide is not produced or verified by Veeam R&D but is the result of a community effort based on field observations.