
12 June 2022

Hardening and Securing Veeam Backup and Replication Servers

In this post I will show you how to secure and harden your Veeam servers, in addition to following the 3-2-1-1-0 security standard.

3: Maintain at least 3 copies of your data

By three copies, I mean that in addition to your primary data, you should also have at least two more backups of the same data.

2: Store the backups on 2 different media

Store one of the copies on internal hard disk drives and the other copy on removable storage media (tapes, external hard disk drives, cloud storage, etc.).

1: Store at least 1 of the copies at an offsite location

Keep one copy of the backups away from the physical location where the primary data and primary backup are located. If the company has no remote or branch office, an alternative could be saving a copy at a service provider in a private cloud or saving a copy in the public cloud.

1: Store at least 1 of the copies offline or immutable

Keep at least one copy of the backups offline (USB drives, ejected tapes) or immutable (Linux with Veeam immutability or object storage with immutability).

0: Be sure to have verified backups without errors

Backups are only as good as their verification.
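
The five rules above can be checked mechanically against an inventory of copies. The following is an added example, not part of the original post and not Veeam code: it does not query Veeam, and the `Copy` fields, function names and sample inventories are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Copy:
    name: str
    media: str                            # label from your inventory: "disk", "tape", "object"
    offsite: bool = False
    offline_or_immutable: bool = False
    verify_errors: Optional[int] = None   # None = never verified
    primary: bool = False                 # production data, not a backup

def check_3_2_1_1_0(copies):
    """Evaluate one workload's copies; returns {rule: (passed, detail)}."""
    backups = [c for c in copies if not c.primary]
    has_primary = any(c.primary for c in copies)
    media = sorted({c.media for c in backups})
    unverified = [c.name for c in backups if c.verify_errors is None]
    with_errors = [c.name for c in backups if c.verify_errors]
    return {
        # primary data plus at least two backups of it
        "3 copies": (has_primary and len(backups) >= 2, f"backups={len(backups)}"),
        "2 media": (len(media) >= 2, f"media={media}"),
        "1 offsite": (any(c.offsite for c in backups), "needs one offsite backup"),
        "1 offline/immutable": (any(c.offline_or_immutable for c in backups),
                                "needs one offline or immutable backup"),
        # a backup that was never verified counts as a failure, same as one with errors
        "0 errors": (bool(backups) and not unverified and not with_errors,
                     f"unverified={unverified}, errors={with_errors}"),
    }

def failed_rules(copies):
    return [rule for rule, (ok, _) in check_3_2_1_1_0(copies).items() if not ok]

# Constructed sample inventories (not taken from a real environment)
COMPLIANT = [
    Copy("prod-vm", "disk", primary=True),
    Copy("local-repo", "disk", verify_errors=0),
    Copy("hardened-repo", "object", offsite=True, offline_or_immutable=True, verify_errors=0),
]
WEAK = [
    Copy("prod-vm", "disk", primary=True),
    Copy("local-repo", "disk", verify_errors=0),
    Copy("second-repo", "disk"),          # same media, onsite, mutable, never verified
]

if __name__ == "__main__":
    for label, inventory in (("COMPLIANT", COMPLIANT), ("WEAK", WEAK)):
        print(label, "failed:", failed_rules(inventory) or "none")
```

A single copy may satisfy both "1" rules at once (offsite and immutable), which is why the compliant inventory passes with only two backups.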


Hardening is about securing the infrastructure against attacks by reducing its attack surface and thus eliminating as many risks as possible. One of the main measures in hardening is removing all non-essential software programs and utilities from the deployed Veeam components. While these components may offer useful features to the administrator, if they provide “back-door” access to the system, they must be removed during the hardening process.

Protecting your infrastructure successfully is all about understanding the current attack vectors: what and whom you are protecting your Veeam infrastructure against. If you know what and whom you are protecting against, it is easier to take the correct countermeasures. One of those countermeasures is hardening.

Looking at the different Veeam Backup & Replication components you must protect the following components:

  • Veeam Backup server
  • User Accounts
  • Backup repositories
  • Backup data flows

Consider the Veeam Backup & Replication server to be the number 1 target in your infrastructure; access to it should be very restricted. As a general rule, the backup server is the single greatest target a hacker can claim on your network/infrastructure. The backup repositories, which hold the backup files, are also a primary target.

There are two options to secure all the Veeam Servers. Let's see the details.