Attack surface reduction
Console access
The Veeam Backup for Microsoft 365 console is a client-side component that provides access to the backup server. The console allows multiple backup operators and administrators to log in to Veeam Backup for Microsoft 365 simultaneously and perform various data protection and disaster recovery operations, as if working directly on the backup server. The console integrates with multiple Veeam Explorers for restore tasks.
For enhanced security, it is recommended to install the Veeam Backup for Microsoft 365 Console on a central management server located in a secure network zone and protected with 2-factor authentication. This approach is preferred over installing the console on local desktops of backup and recovery admins.
Access to Veeam Backup for Microsoft 365 Server should be limited to the Veeam Backup for Microsoft 365 Console. Disable remote desktop access, and disallow any remote access protocols.
Console uninstallation
Veeam Backup for Microsoft 365 Console should be removed from the Veeam Backup for Microsoft 365 Server when possible (refer to the note at the end of this section). The console is installed locally on the backup server by default and can be uninstalled using the modify option in the “Add or remove programs” settings.
Veeam Explorer uninstallation
Open a Command Prompt with administrative privileges. At the prompt, type: wmic product list brief > installed.txt
This command creates a text file containing a list of all installed products and their respective Product Codes.
To uninstall all Veeam Explorers:
- Veeam Explorer for Microsoft Exchange
- Veeam Explorer for Microsoft SharePoint
- Veeam Explorer for Microsoft Teams
You can uninstall these components by using: msiexec /x {ProductCode}
An example for uninstalling the Veeam Explorer for Microsoft Exchange is: msiexec /x {AA27A99E-3CA4-4DE5-8E1A-FC16C4BB03AE}
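The lookup and uninstall steps above can also be scripted. The following is an added example, not part of the original guidance or Veeam's own tooling: it reads the Product Codes from the registry uninstall keys instead of the wmic output and builds the same msiexec /x command for each Veeam Explorer. The display-name pattern and the log location are assumptions.

```powershell
# Added example: find Veeam Explorer MSI Product Codes in the registry
# uninstall keys and run "msiexec /x {ProductCode}" for each of them.
# Assumption: installed DisplayName values start with "Veeam Explorer for Microsoft".
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$NamePattern = 'Veeam Explorer for Microsoft*',  # assumed display-name pattern
    [string]$LogDir      = $env:TEMP                          # assumed log location
)

# 64-bit and 32-bit views of the per-machine uninstall registry
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# MSI-installed products use the Product Code GUID as the registry key name
$guid = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern -and $_.PSChildName -match $guid } |
    Select-Object DisplayName, DisplayVersion, @{ n = 'ProductCode'; e = { $_.PSChildName } }

if (-not $products) {
    Write-Warning "No installed product matches '$NamePattern'."
    return
}

# Show what was found before anything is removed
$products | Format-Table -AutoSize

foreach ($p in $products) {
    $log     = Join-Path $LogDir ("uninstall_{0}.log" -f $p.ProductCode.Trim('{}'))
    $msiArgs = @('/x', $p.ProductCode, '/qn', '/norestart', '/L*v', "`"$log`"")

    # -WhatIf prints the command instead of running it
    if ($PSCmdlet.ShouldProcess($p.DisplayName, "msiexec $($msiArgs -join ' ')")) {
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
        # 0 = success, 3010 = success, reboot required
        if ($proc.ExitCode -notin 0, 3010) {
            Write-Error "$($p.DisplayName): msiexec exit code $($proc.ExitCode)"
        }
    }
}
```

Run the script from an elevated PowerShell session with -WhatIf first to review the matched products and the msiexec commands before any component is removed.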
Important note: Uninstalling the Veeam Backup for Microsoft 365 console removes the PowerShell module, rendering the use of Veeam Backup for Microsoft 365 cmdlets impossible on the Backup Server. This may affect automation scripts or products that rely on PowerShell for interacting with Veeam Backup for Microsoft 365.
Veeam Backup for Microsoft 365 Database protection
The Veeam Backup for Microsoft 365 configuration database stores encrypted credentials used to connect to Microsoft 365 organizations.
While the stored passwords are encrypted, it’s important to note that an administrator with sufficient privileges on the backup server can potentially decrypt these passwords, posing a security risk.
To secure the Veeam Backup for Microsoft 365 configuration database, restrict user access to the database. Check that only authorized users can access the Veeam Backup for Microsoft 365 server.
Unused Components removal
Remove all non-essential software programs and utilities from the deployed Veeam components. While these programs may offer useful features to the administrator, their presence could potentially create additional access points or “back-doors” into the system. As part of the hardening process, it is crucial to eliminate any unnecessary software to enhance the overall security posture.
Consider removing additional software, such as web browsers, Java, Adobe Reader, and similar applications, that are not essential to the operating system or active Veeam components. Eliminating unnecessary software can simplify the process of maintaining an up-to-date patch level and reduce potential security risks associated with non-essential applications.
Patching and Updates
To enhance security and mitigate risks, regularly patch operating systems, software, and firmware on all Veeam components. Many security breaches exploit vulnerabilities in outdated software, so keeping everything up-to-date is crucial. Focus on the following guidelines:
- CVE Tracking: Regularly track Common Vulnerabilities and Exposures (CVEs) for all systems within your infrastructure. Stay informed about potential vulnerabilities and apply patches promptly.
- Timely Guest OS Updates: Ensure that guest operating systems on backup infrastructure servers receive timely updates. Keeping the guest OS up-to-date is essential for addressing vulnerabilities and maintaining a secure environment.
- Install Latest Updates: Regularly install the latest updates and patches on all backup infrastructure servers. This practice helps minimize the risk of attackers exploiting vulnerabilities in the guest OS.
By actively addressing CVEs, ensuring timely updates for guest OS, and regularly patching backup infrastructure servers, you can proactively safeguard your Veeam Backup for Microsoft 365 deployment against potential security threats.
Ensure strict restrictions on access to update servers for applications and operating systems. Additionally, remove any unnecessary tools and browsers to prevent the installation or download of potentially harmful code.
Avoid direct exposure of your Veeam Backup for Microsoft 365 server to the internet. If external access to the Restore Portal is required, run the Veeam Backup for Microsoft 365 REST API server on a dedicated machine located in a DMZ (Demilitarized Zone) for increased security. Refer to the documentation on Configuring REST API and Restore Portal on Separate Machine for further details.
Ports
Reduce the number of open ports to a minimum. Refer to the latest port list in the Helpcenter User Guide for guidance.