Preface:
As mentioned in the past, I have made it my mission to continuously develop my Veeam Windows Hardening script. To fulfill this commitment, I have now completed and released version 1.1 of the script.
The changes compared to the previous version can be found in the change log below!
Disclaimer:
Important: I do not provide any guarantee that the script, which has been successfully tested by me, will run without errors in every environment. The script is intended solely to simplify and standardize hardening standards, which may not be suitable for every environment! Additionally, I do not guarantee the completeness of the tests!
Requirements and procedure:
The script is primarily designed for new installations!
- The server must not be a domain member
- Initial login and script execution must be performed with the built-in Administrator
- OS: Windows Server 2022 or 2025 Standard or Datacenter
- Install Windows Server (as required).
- Install drivers (VMware Tools or vendor-specific drivers).
- Set IP configurations (assign IP address, etc.).
- Set server name and workgroup, then restart the server.
- Create a folder named “Install” on drive C:.
- Copy the contents of the ZIP file (script and ntrights.exe) into the Install folder.
- Execute the script with administrative privileges (PowerShell).
- Allow the server to restart and install Veeam, specifying the service account.
- Apply / implement the Veeam Security & Compliance script.
Important: I recommend familiarizing yourself with the content listed below, as it introduces changes that may affect the operation of the system!
For example, an idle timeout of 15 minutes is configured. This means that an active session will be disconnected after 15 minutes, and all open windows and processes within that session will be terminated.
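The requirements listed above can be checked before the script is started. The following pre-flight check is an added example and is not part of the hardening script or its repository; the function name `Test-HardeningPrerequisite` is hypothetical, and matching the edition through the OS caption string is an assumption.

```powershell
# Added example: verifies the stated requirements before the hardening script runs.
# Test-HardeningPrerequisite is a hypothetical helper name, not part of the script.
function Test-HardeningPrerequisite {
    [CmdletBinding()]
    param(
        [string]$InstallPath = 'C:\Install'   # folder named in the procedure
    )

    $cs        = Get-CimInstance -ClassName Win32_ComputerSystem
    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)

    $checks = [ordered]@{
        # The server must not be a domain member.
        'Not a domain member'    = (-not $cs.PartOfDomain)
        # The built-in Administrator always has the well-known RID 500,
        # even if the account has been renamed.
        'Built-in Administrator' = ($identity.User.Value -match '^S-1-5-21-.+-500$')
        # The script must be executed with administrative privileges.
        'Elevated session'       = $principal.IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
        # ProductType 3 = standalone/member server (1 = workstation, 2 = DC).
        # Assumption: the edition is recognisable from the OS caption.
        'Supported OS'           = (($os.ProductType -eq 3) -and
            ($os.Caption -match 'Windows Server (2022|2025) (Standard|Datacenter)'))
        # ntrights.exe must sit next to the script in the install folder.
        'ntrights.exe present'   = (Test-Path -LiteralPath (
            Join-Path $InstallPath 'ntrights.exe') -PathType Leaf)
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }
}

# Stop before any hardening change is made if a requirement is not met.
$failed = Test-HardeningPrerequisite | Where-Object { -not $_.Passed }
if ($failed) {
    $failed | Format-Table -AutoSize | Out-String | Write-Warning
    throw 'Prerequisites not met; do not run the hardening script yet.'
}
'All prerequisites met.'
```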
Windows Server 2025 – CIS Benchmark
The contents of the script are still based on the CIS Benchmark, which my employer has kindly provided access to.
Unfortunately, as of the release of version 1.1 of the script, no benchmark for Windows Server 2025 has been published yet, so I was unable to add any additional content.
Nevertheless, I have extensively tested the script’s compatibility with Windows Server 2025 and can therefore approve its use. I have conducted the same tests as for Windows Server 2022.
Veeam ONE:
To expand the scope of the script to include additional Veeam products and components, I have successfully tested this version with Veeam ONE. During the tests, no limitations, restrictions, or errors were observed.
Downloading the script:
Within the Veeam Community, the script, including all related information, is available for download at:
Here is the corresponding GitHub link:
lukas-kl/veeam-win-hardening-script: Veeam Hardening Script for Windows (CIS contents)
Execution & script contents (ReadMe):
The script must be executed with administrative privileges!
The script, including the ntrights.exe file, must be located in and executed from the following path:
C:\Install
ntrights.exe
The tool “ntrights.exe” is used to modify the local security policy of the Windows system and set various rules. The required .exe file is provided in a tested version, but it can also be downloaded manually if preferred. This tool is well-known and originates from the Windows Server 2003 Resource Kit.
Change Log v1.1 (as of 03/03/2025):
- Correction of various spelling errors and optimization of outputs
- Renaming the system disk from “Local Disk” to “OSDisk”
- Adding input and implementation for NTP/NTP servers (multiple entries possible)
- Disabling Automount
- Deleting the Windows Recovery Partition and disabling dependent services
- Expanding system drive C: using the space freed by the Recovery Partition
- Successfully tested the script for Windows Server 2025
- Successfully tested the script with Veeam ONE
- Adding an input option to add multiple local administrators
- Adding an input option to add multiple service accounts with custom labels
- Optimization of script logic in multiple areas
- Adding a status bar for the main parts (categories)
- Optimization of the output file