Preface:

Veeam recently published the first version of a pre-hardened, Linux-based VBR v13 appliance. I fully understand and support this approach, and I am convinced that it is not only the right decision and the right direction, but also one of the greatest releases Veeam has ever had.

Nevertheless, as per the current statement, v13 will still be available for Windows deployments at the end of 2025 (and I expect future releases as well, though not indefinitely).

I took the chance and made some changes to my hardening scripts, since the CIS Benchmark for Windows Server 2025 has finally been released. In my opinion, this is by now more than a hardening script: I have automated a number of default settings that I developed as personal recommendations (my own “best practices”) over the past years, and I will – as promised – continue to develop it until Veeam discontinues support for Windows-based rollouts completely.

With v1.2 of my script (including the PAW version of the script), I focused on Windows Server 2025 and on the ability to run the scripts on systems that were already hardened with a previous version of my script, so that they can benefit from the changes as well.

I also decided to provide both the script for Veeam components and the script version for PAWs (Privileged Access Workstations) together, so you can now download both versions of the script and refer to this article.

The changes compared to previous versions can be found in the change log below!


Disclaimer:

Important: I do not provide any guarantee that the script, which has been successfully tested by me, will run without errors in every environment. The script is intended solely to simplify and standardize hardening standards, which may not be suitable for every environment! Additionally, I do not guarantee the completeness of the tests!

Requirements and procedure:

The scripts are designed for new and existing installations. They support systems that have used a previous version of my script as well as systems that have not been hardened or optimized at all.

  • The server must not be a domain member
  • Initial script execution (new installations only) must be performed with the built-in Administrator
  • Script execution for pre-hardened systems can be performed with any administrator
  • OS: Windows Server 2022 or 2025 Standard or Datacenter

Procedure for new installations:

  1. Install Windows Server (as required).
  2. Install drivers (VMware Tools or vendor-specific drivers).
  3. Set IP configurations (assign IP address, etc.) and disable IPv6 (optional).
  4. Set server name and workgroup, then restart the server.
  5. Create a folder named “Install” on drive C:.
  6. Copy the contents of the ZIP file (script and ntrights.exe) into the Install folder.
  7. Execute the script with administrative privileges (PowerShell) and select “new installation” when prompted.
  8. Allow the server to restart and install Veeam, specifying the service account.
  9. Apply / implement the Veeam Security & Compliance script.

Procedure for new installations (PAW only):

  1. Install Windows Server (as required).
  2. Install drivers (VMware Tools or vendor-specific drivers).
  3. Set IP configurations (assign IP address, etc.) and disable IPv6 (optional).
  4. Set server name and workgroup, then restart the server.
  5. Create a folder named “Install” on drive C:.
  6. Copy the contents of the ZIP file (script and ntrights.exe) into the Install folder.
  7. Execute the PAW script with administrative privileges (PowerShell) and select “new installation” when prompted.
  8. Allow the server to restart and install tools as required.

Procedure for existing installations:

  1. Create a folder named “Install” on drive C: (if not already existing).
  2. Copy the script into the Install folder.
  3. Execute the script with administrative privileges (PowerShell) and select “existing installation” when prompted.
  4. Allow the server to restart and verify Veeam service availability (wait for the services that are set to “delayed start” by default).
  5. Apply / re-run the Veeam Security & Compliance script.

Procedure for existing installations (PAW only):

  1. Create a folder named “Install” on drive C: (if not already existing).
  2. Copy the script into the Install folder.
  3. Execute the PAW script with administrative privileges (PowerShell) and select “existing installation” when prompted.
  4. Allow the server to restart and verify tool availability (as required).

Note: ntrights.exe is not required for existing installations.

Important: I recommend familiarizing yourself with the content listed below, as it introduces changes that may affect the operation of the system!

For example, an idle timeout of 15 minutes is configured. This means that a session that has been idle for 15 minutes will be disconnected, and all open windows and processes within that session will be terminated. This does not apply to the PAW script!


Windows Server 2025 – CIS Benchmark:

The contents of the scripts are still based on the CIS Benchmark, which my employer has kindly provided access to.

I reviewed v1.0 of the Benchmark for Windows Server 2025, ran multiple tests and consulted colleagues who are more deeply involved with the Windows OS to decide which sections and settings to focus on.

After running multiple tests and going through the Benchmark for Windows Server 2022 as well, the script and the settings and options it applies can be used on both Windows Server 2022 and Windows Server 2025.


Test scenarios:

I ran multiple tests to ensure the correct deployment of the policies and to make sure that the scripts do not interfere with Veeam product installations. The following Veeam products and components have been tested successfully on Windows Server 2022 and 2025:

  • Veeam Backup & Replication v12
  • Veeam Enterprise Manager v12
  • Veeam components:
    • Proxy server
    • Repository server
    • Tape server
    • WAN Accelerator
    • Backup & Replication Console
    • Cloud Gateway Server
  • Veeam ONE v12
  • Veeam ONE v13
  • Veeam Recovery Orchestrator 7.2
  • Veeam Backup for M365 v8
  • PAWs (with tools like Veeam Backup & Replication Console and Veeam ONE Console installed)

Downloading the script:

Within the Veeam Community, the scripts, including all related information, are available for download at:

v1.2: https://community.veeam.com/cyber-security-space-95/veeam-windows-hardening-script-v1-2-with-paw-win-server-2025-benchmark-and-new-policies-12017?fid=95&tid=12017

Here is the corresponding GitHub link:

https://github.com/lukas-kl/veeam-win-hardening-script


Execution & script contents (ReadMe):

The scripts must be executed with administrative privileges!

The scripts, including the ntrights.exe file, must be located in and executed from the following path:

C:\Install

ntrights.exe (only required for new deployments):

The tool “ntrights.exe” is used to modify the local security policy of the Windows system and set various rules. The required .exe file is provided in a tested version, but it can also be downloaded manually if preferred. This tool is well-known and originates from the Windows Server 2003 Resource Kit.


Change Log v1.2 PAW (as of 09/24/2025):

  • Removing the option of creating service accounts
  • Removing the RDS / RDP idle limit of 15 min
  • Removing the RDS disconnect limit of 1 min
  • See v1.2 “base version” below

Change Log v1.2 (as of 09/24/2025):

  • Adding a prompt to select between new installations and existing installations
    • “New installation” runs the complete script
    • “Existing installation” skips the service account creation, local admin creation, security logon policy adjustment and NTP server adjustment, and so only applies the CIS policies including the Windows best practices such as renaming drive C:, deleting the recovery partition and setting the power plan to “High Performance”
  • Adding a prompt to select if the recovery partition shall be deleted (including WinRE deactivation)
  • Editing multiple descriptions and removing typos
  • Editing code style: replacing “Set-ItemProperty” / “New-ItemProperty” with “Set-RegistryValue”
  • Optimizing the logging by adding start and stop timestamps and duration time to the output file
  • Configuring the SMB v1 client driver to “Start value 4”
  • SMB Server: Mandate minimum SMB version 3.1.1
  • SMB Server: Enable authentication rate limiter
  • SMB Server: Set authentication rate limiter delay (ms) = 2000
  • Lanman Server: Disable remote mailslots
  • SMB Server: Require SMB signing
  • SMB Client: Require SMB signing
  • SMB Client: Mandate minimum SMB version 3.1.1
  • SMB Client: Require encryption
  • LAN Manager authentication level: NTLMv2 only, refuse LM & NTLM
  • Minimum session security for NTLM SSP clients: Require NTLMv2 + 128-bit
  • Minimum session security for NTLM SSP servers: Require NTLMv2 + 128-bit
  • Restrict NTLM: Audit incoming NTLM traffic
  • Restrict NTLM: Outgoing NTLM traffic = Audit all
  • Audit: Force subcategory policy to override legacy category settings
  • NetBT: NodeType = P-node (no NetBIOS broadcasts)
  • TLS/Schannel: Disable TLS 1.0/1.1; enable TLS 1.2/1.3 (server & client)
    • TLS 1.0 (off)
    • TLS 1.1 (off)
    • TLS 1.2 (on)
    • TLS 1.3 (on)
  • Enable Structured Exception Handling Overwrite Protection (SEHOP)
  • Microsoft Defender Firewall: Monitor MPSSVC Rule-Level Policy Change (successful and failed)
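As an added example that is not part of the script or the article, the following read-only PowerShell audit compares the live registry values of a subset of the v1.2 settings listed above against the expected values and reports drift, which is useful after the script has run and the server has rebooted. The registry paths are the standard Windows locations for these policies; the SMB configuration properties queried at the end are assumed to exist on Windows Server 2025 (older builds show them blank).

```powershell
# Added example, not the author's script: read-only drift check for a subset of the v1.2 settings.
# Run in an elevated PowerShell session; nothing is written to the registry.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$sch = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

$checks = @(
  @{ Name='SMB1 client driver disabled'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'; Value='Start'; Expected=4 }
  @{ Name='SMB server: require signing'; Path=$srv; Value='RequireSecuritySignature'; Expected=1 }
  @{ Name='SMB client: require signing'; Path=$wks; Value='RequireSecuritySignature'; Expected=1 }
  @{ Name='LM auth level: NTLMv2 only';  Path=$lsa; Value='LmCompatibilityLevel';     Expected=5 }
  @{ Name='NTLM SSP client: v2+128-bit'; Path=$msv; Value='NTLMMinClientSec';         Expected=0x20080000 }
  @{ Name='NTLM SSP server: v2+128-bit'; Path=$msv; Value='NTLMMinServerSec';         Expected=0x20080000 }
  @{ Name='Audit subcategory override';  Path=$lsa; Value='SCENoApplyLegacyAuditPolicy'; Expected=1 }
  @{ Name='NetBT NodeType = P-node';     Path='HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'; Value='NodeType'; Expected=2 }
  @{ Name='SEHOP enabled';               Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'; Value='DisableExceptionChainValidation'; Expected=0 }
)

# Schannel: TLS 1.0/1.1 off, TLS 1.2/1.3 on, for both the Server and the Client key.
# "Enabled" may legitimately be 1 or 0xFFFFFFFF, so enabled protocols accept any non-zero value.
foreach ($proto in 'TLS 1.0','TLS 1.1','TLS 1.2','TLS 1.3') {
  $on = $proto -in 'TLS 1.2','TLS 1.3'
  foreach ($side in 'Server','Client') {
    $checks += @{ Name="$proto $side Enabled";           Path="$sch\$proto\$side"; Value='Enabled';           Expected=[int]$on;        NonZero=$on }
    $checks += @{ Name="$proto $side DisabledByDefault"; Path="$sch\$proto\$side"; Value='DisabledByDefault'; Expected=[int](-not $on) }
  }
}

$results = foreach ($c in $checks) {
  # A missing key or value is reported as such rather than silently treated as compliant.
  $actual = try { (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction Stop).($c.Value) } catch { '<missing>' }
  $ok = if ($c.NonZero) { ($actual -is [int]) -and ($actual -ne 0) } else { "$actual" -eq "$($c.Expected)" }
  [pscustomobject]@{ Check=$c.Name; Expected=$c.Expected; Actual=$actual; Status=$(if ($ok) { 'OK' } else { 'DRIFT' }) }
}
$results | Format-Table -AutoSize

# SMB dialect floor and authentication rate limiter (assumed present on Server 2025).
Get-SmbServerConfiguration | Select-Object Smb2DialectMin, EnableAuthRateLimiter, InvalidAuthenticationDelayTimeInMs
```

Any row marked DRIFT, or a blank SMB property on a build that should support it, is a setting to re-check before relying on the hardening.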
