The Veeam Security & Compliance Analyzer is a feature built into Veeam Backup & Replication that checks whether the configuration of the backup server and the product configuration of the Veeam Backup & Replication Server comply with Veeam’s security best practices. The best practices are continuously expanded and adapted with updates to the Veeam Backup & Replication Server.

The Security & Compliance Analyzer is divided into the following 2 categories:

  • Backup Infrastructure Security: Checking the Windows and services configuration, e.g. is RDP activated, is the remote registry service activated,…
  • Product Configuration: Checking the product configuration, which can be set/configured directly in the Veeam Console. For example, is MFA enabled, where is the configuration backup stored,…

After installing Veeam Backup & Replication, one of my first steps is to implement the Backup Infrastructure Security Best Practices.

There are two ways to customize the configuration:

  • Manual configuration of all recommendations
  • Automatic configuration using the PowerShell script “Veeam Security & Compliance Analyzer 1.8.ps1” from Veeam KB4525.

I generally use the script variant here.
This is a super simple and practical way to set the best practices very quickly and correctly.

The script and the best practices are continuously adapted to the latest Veeam versions. The latest version of the script from 30.08.2024 is also compatible with Veeam Backup & Replication 12.2. (Great that Veeam updates the script very quickly after the release).

But what is the script doing?

  1. The script uses the PowerShell plugin to connect to the locally installed VBR instance.
  2. It triggers a session/report of the Security & Compliance Analyzer.
  3. It checks the status of the set options and shows which best practices can be set.
  4. You must specify whether only some (option #3) or all (option #2) of the best practices found should be set. Only options with the description “Use ‘Apply Configurations’ option to fix” can be set with the script. (Suppressed points are not set!)
  5. The script sets the best practices.
  6. It displays an updated report.

Suppress certain options

If you don’t want one of the options to be set by the script, you can simply deactivate it in the Security & Compliance Analyzer using the “Suppress” button. The script will not set this option and you will have to set it later manually or by running the script again.

The suppressed option/best practice is listed below

How to use the script?

  • download the current script from the Veeam website and place it on the backup server https://www.veeam.com/kb4525
  • unpack the ZIP
  • start a PowerShell in administrator mode
  • switch to the folder where the script is located
  • execute the script: & '.\Veeam Security & Compliance Analyzer 1.8.ps1'
  • wait until the report is created
  • set best practices via “Option #3” (individually) or via “Option #2” (completely)
  • check the report (option #1)
  • end script (option #0)
  • reboot the server (a reboot is necessary for some adjustments)
  • run the Security & Compliance Analyzer Report via the Veeam Console and check that the adjusted points in the Backup infrastructure security section are all set to “passed”. (“deprecated versions of SSL and TLS should be disabled” must be adjusted manually)

Important!
Please note that this script does not have an undo option. If you want to undo the options that have been changed by the script, you must do this manually.
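
Because there is no undo, it helps to record the server state before the script runs so that a manual rollback has something to go on. The following is an added example, not part of the Veeam script or of KB4525: it saves the start mode of all Windows services and the RDP registry switch, then shows what changed after the reboot. The output folder, the script's own file name and the choice of settings captured are assumptions; it is not a list of what the Veeam script modifies.

```powershell
# Added example (not from Veeam). Save as e.g. Save-HardeningBaseline.ps1 (hypothetical name).
#   .\Save-HardeningBaseline.ps1 -Phase Before    # before running the KB4525 script
#   .\Save-HardeningBaseline.ps1 -Phase After     # after the script and the reboot
#   .\Save-HardeningBaseline.ps1 -Phase Compare   # list every setting that differs
param(
    [ValidateSet('Before', 'After', 'Compare')]
    [string]$Phase = 'Before',
    [string]$OutDir = 'C:\Temp\vbr-hardening-baseline'   # assumed path, adjust as needed
)

function Get-HardeningState {
    # Start mode of every Windows service (includes Remote Registry, named in the analyzer checks).
    $services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Setting = 'StartMode'; Value = $_.StartMode }
    }

    # RDP switch: fDenyTSConnections = 1 means Remote Desktop connections are refused.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdp = [pscustomobject]@{
        Kind = 'Registry'; Name = 'Terminal Server'
        Setting = 'fDenyTSConnections'; Value = $ts.fDenyTSConnections
    }

    @($services) + $rdp
}

switch ($Phase) {
    'Compare' {
        $before = Import-Csv (Join-Path $OutDir 'Before.csv')
        $after  = Import-Csv (Join-Path $OutDir 'After.csv')
        # '<=' rows carry the old value (what to restore by hand), '=>' rows the new value.
        Compare-Object $before $after -Property Kind, Name, Setting, Value |
            Sort-Object Kind, Name, SideIndicator |
            Format-Table -AutoSize
    }
    default {
        New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
        Get-HardeningState |
            Export-Csv (Join-Path $OutDir "$Phase.csv") -NoTypeInformation
    }
}
```

Keep the two CSV files with your server documentation; the Compare output is the list of values to revert manually if a change has to be undone.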

Now you can continue with the further configuration and further protection of the Veeam Backup Server.

Have fun securing a part of your Veeam server in a very simple way.