Veeam: Community Preview of Managed Hardened Repository ISO by Veeam

Yesterday, Veeam released the Community Preview of the Hardened Repository ISO (Build 0.1.15).
The ISO respectively the project was presented at the Veeam ON in Fort Lauderdale this year. I have been eagerly awaiting this installation ISO since the information was published.

What is this Managed Hardened Repository ISO by Veeam?

The Managed Hardened Repository ISO is an installation ISO to correctly install a Veeam Hardened Repository with Veeam’s best practices and a full hardening.
Inside the installer you have to specify some settings, but everything else is predefined, so that after the guide guided installation you have a DISA STIG hardened repository. The whole thing without any further necessary adjustments.

Benefits of the ISO

  • The biggest benefit of the ISO is that you don’t have to make any further customizations or run any scripts (the system is already hardened through the customized installer).
  • There is no root user.
  • Due to the use of Rocky Linux as the base, you have 10 years of support.
  • After the official version is released, you will also receive support from Veeam.

Important!
At the moment this is a technical preview and not intended for productive use.

 

Requirements

  • RedHat supported hardware (for productive deployment physically is recommended, for LAB a VM is also possible) (ISO is Rocky based)
  • Same CPU & RAM resources as Linux Repositories
  • 2 disks with at least 100GB each
  • Only internal storage or direct attached storage with hardware RAID controller with write-back cache are supported
  • UEFI must be activated
  • Min. Veeam V12.2

 

Installation of the Hardened Repository

Boot from ISO

Select “Install Hardened Repository (deletes all data)” in Grub –> it deletes all data on the machine

 During boot required system/disk requirements getting checked if the are met (for exampe are there 2 disks, each min 100GB?)

 GUI Installer

After booting, the GUI installer appears. The displayed options must be set here

 

Keyboard Layout

Set the correct keyboard layout after booting –> important for entering the password correctly

 Time &Date

Region, City and NTP servers must be set

Device

Nothing can be customized in the Device Section. The installer always takes all disks and splits them up as follows:

  •  smallest disk is the operating system
  • All other disks are bundled into one LVM and mounted under /mnt/veeam-repository01

Network

Only one adapter is activated by default; if you want more than one, you must activate them.
Bond should always be configured for reliability if possible (As I am working with a LAB VM here, I have decided not to use it).
Hostname must also be set (don’t forget).

A static IP address, DNS and search domains should be set. –> After confirming, the IP should be accessible/pingable.

Start installation

The installation can be started by clicking on “Begin Installation”

 When the installation is complete, you can reboot.

 

Configuration of the Hardened Repository

Boot

When booting, the Grub bootloader is displayed and the system starts automatically.

First Login

You must log in to the server with the default credentials (User: vhradmin, PW:vhradmin).

The password must be changed directly. The password must match the DISA STIG complexity requirements:

  • 1 numeric character
  • 1 lower case
  • 15 characters
  • 1 special character
  • Maximum 4 characters of the same character class in a row (e.g. 4 lower case, 4 numbers etc.)
  • 24h minimum lifetime of password (that means you can change a password only once per day)

License Agreement

The license agreement must be confirmed (jump down with tab)

Main Menu

Certain settings can now be modified. But as you can see, there is not much you can adjust.

  • Proxy must be adjusted if the server cannot access the Internet directly (Internet connection is required for updates to repository.veeam.com for security updates).
  • “Reset time lock” is only used if the machine has been off for a longer period of time and you have a problem with the timeshift (if the time jump is too large)
  • The other points should explain themselves

 

Start SSH

SSH is required to add the machine to Veeam.
To activate SSH, simply navigate to the option and confirm.

The password is generated automatically according to DISA STIG specifications. If the password is not readable, simply stop SSH and restart, then you will receive a new password.
You have to write down the password temporarily. This is required for adding the server to Veeam.
(SSH must be stopped after the repo has been added to Veeam.)

 Click Continue to close the window and start the configuration in Veeam.

Create DNS entry

A DNS entry must  be created before adding it to Veeam. Otherwise the Veeam server cannot resolve the DNS name of the repo.

  

Configuration inside Veeam

In Veeam, the community hardened repository is added in the same way as any other hardened repository.

 When entering the user, make sure that you enter the username from the SSH prompt “veeamsvc” and not “vhradmin”

 When selecting the path, the LVM is specified with the mount path “/mnt/veeam-repository01”

The desired path and immutability must be set here.

 And that’s it inside Veeam. The hardened repository has now been added.

 

SSH disable

After adding the repository, SSH must be deactivated on the hardened repo server

 

Finished

The hardened repository is now installed and ready to be tested.

 

Tests

I have done some tests such as creating backups, restoring or deleting backups and everything worked correctly.

When trying to delete backups, the wanted message appears that the backups can only be deleted after the retention period has expired.

 

Conclusion

I’m already looking forward to using the ISO in productive environments after the official stable release.

Until that happens, test it diligently in the LAB and report any problems via the R&D forum. Iwill also carry out further tests with hardware systems.

 

###############################

more

Known issues and limitations

Here are the current known issues and limitation from the Community Preview with build number 0.1.15

####

The following known issues and limitation apply to the Community Preview build only and will be addressed in the final release.

ISO Installer

  • Current sudo permissions for the veeamsvc user allow to install additional packages that are signed by a trusted key.
  • The Installer does not discard systems with UEFI Secure Boot disabled (this is on purpose not to create barriers for preview testing)
  • The Help button does not function. Please use the included manual.

Hardened Repository Configurator Tool

  • The License Agreement wizard and files are incomplete.
  • Some texts and error messages are not final.

[PREVIEW] Managed Hardened Repository ISO by Veeam – R&D Forums

####

Veeam: Using the automatic Security & Compliance Analyzer recommendations script

The Veeam Security & Compliance Analyzer is a function integrated into Veeam that verifies that the configuration of the backup server and the product configuration of the Veeam Backup & Replication Server are in compliance with Veeam’s security best practices. The best practices are being continuously expanded and adapted with the updates of the Veeam Backup & Replication Server.

The Security & Compliance Analyzer is divided into the following 2 categories

  • Backup Infrastructure Security: Checking the Windows and services configuration, e.g. is RDP activated, is the remote registry service activated,…
  • Product Configuration: Checking the product configuration, which can be set/configured directly in the Veeam Console. For example, is MFA enabled, where is the configuration backup stored,…

 After installing Veeam Backup & Replication, one of my first steps is to implement the Backup Infrastructure Security Best Practices.

There are two ways to customize the configuration:

  • Manual configuration of all recommendations
  • Automatic configuration using the Powershell script “Veeam Security & Compliance Analyzer 1.8.ps1” from Veeam KB4525.

I generally use the script variant here.
This is a super simple and practical way to set the best practices very quickly and correctly.

The script and the best practices are continuously adapted to the latest Veeam versions. The latest version of the script from 30.08.2024 is also compatible with Veeam Backup & Replication 12.2. (Great that Veeam updates the script very quickly after the release).

 But what is the script doing?

  1. the script establishes a connection with the PowerShell plugin against the locally installed VBR instance
  2. it triggers a session/report of the Security & Compliance Analyzer
  3. it checks the status of the set options and shows which possible best practices can be set
  4. you must specify whether only some (option #3) or all (option #2) best practices found should be set. Only options with the description “Use ‘Apply Configurations’ option to fix” can be set with the script. (Suppressed points are not set!)
  5. the script will set the best practices
  6. it displays an updated report.

Suppress certain options

If you don’t want one of the options to be set by the script, you can simply deactivate it in the Security & Compliance Analyzer using the “Suppress” button. The script will not set this option and you will have to set it later manually or by running the script again.

The suppressed option/best practice is listed below

How to use the script?

  • download the current script from the Veeam website and place it on the backup server https://www.veeam.com/kb4525
  • unpack the ZIP
  • start a PowerShell in administrator mode
  • switch to the folder where the script is located
  • execute the script “& ‘.\Veeam Security & Compliance Analyzer 1.8.ps1’”
  • wait until the report is created
  • set best practices via “Option #3” (individually) or via “Option #2” (completely)
  • check the report (option #1)
  • end script (option #0)
  • reboot the server (a reboot is necessary for some adjustments)
  • run the Security & Compliance Analyzer Report via the Veeam Console and check that the adjusted points in the Backup infrastructure security section are all set to “passed”. (“deprecated versions of SSL and TLS should be disabled” must be adjusted manually)

Important!
Please note that this script does not have an undo option. If you want to undo the options that have been changed by the script, you must do this manually.

Now you can continue with the further configuration and further protection of the Veeam Backup Server.

Have fun securing a part of your Veeam server in a very simple way.

« Older posts