Preface:

As mentioned in the past, I have made it my mission to continuously develop my Veeam Windows Hardening script. To fulfill this commitment, I have now completed and released version 1.1 “PAW” of the script.

I often face the situation that customers start using PAWs (Privileged Access Workstations) as the single point of access to their Veeam environments. These PAWs should be hardened as well, so that they meet state-of-the-art compliance requirements and have the same rules in place as any other Veeam software.

The changes compared to the previous version can be found in the change log below! There were only very few changes to make, since my goal is to keep almost the same settings and the same level of detail as on the other Windows-based Veeam components.

As I already had all the contents and functions of my working and tested script available, I simply decided to remove a few options and dedicate this version to Windows-based PAWs, since the ruleset itself should remain the same.

What is a Privileged Access Workstation?

“A Privileged Access Workstation (PAW) is a dedicated and highly secure computing environment designed for tasks requiring elevated privileges, such as managing servers, databases, or other sensitive systems. PAWs are isolated from the broader network and Internet to minimize the risk of attacks targeting privileged accounts.”

I recommend that customers use them for dedicated purposes only, e.g. for Veeam and nothing else. These PAWs are security-critical systems, because they can access DR sites and backup systems, so hardening and monitoring are essential even though almost no software runs on them (except e.g. the Veeam consoles).

In a world of Windows Datacenter licensing, many customers use VMs as PAWs, but I always recommend having redundancy in place so as not to rely on a single virtual server that might fail: to restore virtual workloads, access to Veeam through the PAW is necessary.

Disclaimer:

Important: I do not provide any guarantee that the script, which has been successfully tested by me, will run without errors in every environment. The script is intended solely to simplify and standardize hardening standards, which may not be suitable for every environment! Additionally, I do not guarantee the completeness of the tests!

Requirements and procedure:

The script is primarily designed for new installations!

  • The server must not be a domain member
  • Initial login and script execution must be performed with the built-in Administrator
  • OS: Windows Server 2022 or 2025 Standard or Datacenter

  1. Install Windows Server (as required).
  2. Install drivers (VMware Tools or vendor-specific drivers).
  3. Set IP configurations (assign IP address, etc.).
  4. Set server name and workgroup, then restart the server.
  5. Create a folder named “Install” on drive C:.
  6. Copy the contents of the ZIP file (script and ntrights.exe) into the Install folder.
  7. Execute the script with administrative privileges (PowerShell).
  8. Allow the server to restart.
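Before running the hardening script, it is worth checking that the requirements above are actually met. The following pre-flight check is an added example and not part of the hardening script itself; it assumes the script file name (here a placeholder, `VeeamWinHardening.ps1`) and that both the script and ntrights.exe sit in C:\Install.

```powershell
# Added pre-flight check for the requirements listed above (not part of the hardening script).
$installDir = 'C:\Install'
$scriptName = 'VeeamWinHardening.ps1'   # placeholder: use the actual script file name from the ZIP
$failures   = New-Object System.Collections.Generic.List[string]

# 1. PowerShell must be running elevated
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $failures.Add('PowerShell is not running with administrative privileges.')
}

# 2. The account must be the built-in Administrator (RID 500), not just any local admin
$currentSid = $identity.User.Value
if (-not $currentSid.EndsWith('-500')) {
    $failures.Add("Current account SID $currentSid is not the built-in Administrator (RID 500).")
}

# 3. The server must not be a domain member
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $failures.Add("Server is joined to domain '$($cs.Domain)'; a workgroup member is required.")
}

# 4. OS must be Windows Server 2022 or 2025 (Standard or Datacenter)
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -notmatch 'Windows Server (2022|2025) (Standard|Datacenter)') {
    $failures.Add("Unsupported OS: $($os.Caption)")
}

# 5. Script and ntrights.exe must be in C:\Install, and the script must be started from there
foreach ($file in @($scriptName, 'ntrights.exe')) {
    if (-not (Test-Path (Join-Path $installDir $file))) {
        $failures.Add("Missing file: $installDir\$file")
    }
}
if ((Get-Location).Path -ne $installDir) {
    $failures.Add("Current directory is $((Get-Location).Path); change to $installDir first.")
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Host "[FAIL] $_" -ForegroundColor Red }
    exit 1
}
Write-Host '[OK] All prerequisites for the hardening script are met.' -ForegroundColor Green
```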

Important: I recommend familiarizing yourself with the content listed below, as it introduces changes that may affect the operation of the system!

Downloading the script:

Within the Veeam Community, the script, including all related information, is available for download at:

v1.0: Veeam Windows Hardening Script – one-click hardening with CIS contents | Veeam Community Resource Hub

v1.1: Update: Veeam Windows Hardening Script v1.1 – Win Server 2025 and Veeam ONE | Veeam Community Resource Hub

v1.1 PAW: Windows Hardening Script for PAWs | Veeam Community Resource Hub

Here is the corresponding GitHub link:

lukas-kl/veeam-win-hardening-script: Veeam Hardening Script for Windows (CIS contents)

Execution & script contents (ReadMe):

The script must be executed with administrative privileges!

The script, including the ntrights.exe file, must be located in and executed from the following path:

C:\Install

ntrights.exe

The tool “ntrights.exe” is used to modify the local security policy of the Windows system and set various rules. The required .exe file is provided in a tested version, but it can also be downloaded manually if preferred. This tool is well-known and originates from the Windows Server 2003 Resource Kit.

Change Log v1.1 PAW (as of 05/28/2025):

  • Removing the option of creating service accounts
  • Removing the idle timeout of 15min in case of inactivity

Change Log v1.1 (as of 03/03/2025):

  • Correction of various spelling errors and optimization of outputs
  • Renaming the system disk from “Local Disk” to “OSDisk”
  • Adding input and implementation for NTP server(s) (multiple entries possible)
  • Disabling Automount
  • Deleting the Windows Recovery Partition and disabling dependent services
  • Expanding system drive C: using the space freed by the Recovery Partition
  • Successfully tested the script for Windows Server 2025
  • Successfully tested the script with Veeam ONE
  • Adding an input option to add multiple local administrators
  • Adding an input option to add multiple service accounts with custom labels
  • Optimization of script logic in multiple areas
  • Adding a status bar for the main parts (categories)
  • Optimization of the output file
