#1 Global Leader in Data Resilience

Script to Automate Implementation of Security & Compliance Analyzer Recommendations

KB ID: 4525
Product: Veeam Backup & Replication | 12.1 | 12.2
Published: 2023-12-14
Last Modified: 2024-08-30
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please, try again later.

Purpose

This article provides information regarding automating the configuration of the Veeam Backup Server server according to practices suggested in the Security & Compliance Analyzer, a feature introduced in Veeam Backup & Replication 12.1.

The script on this page is provided to expedite the implementation of Security & Compliance Analyzer recommendations. It was created by Veeam's development team and will be updated as further Security & Compliance recommendations are added to Veeam Backup & Replication.

For details on the Security & Compliance Analyzer feature, please review the Veeam Backup & Replication User Guide.

Solution

Read Entire Article Closely
We strongly encourage you to read all of the information below before executing the provided automation script.
It is critical that you understand what this script does and the impact it will have.

Automated Script Limitations and Considerations

  • The script only applies missing security best practices found on the machine where Veeam Backup & Replication is installed, where the script is run from. The script will not apply security best practices to any other machine.
  • Some of the practices apply security settings that might affect other applications. For example, the script will attempt to disable SSL2.0 on a server, which will cause other applications that depend on SSL 2.0 to fail.
  • Some of the practices apply security settings that might cause server lockdown. For example, the script may attempt to disable Remote Desktop Services (TermService), restricting RDP access to the server; it may also disable Windows Remote Management (WinRM service), which, when disabled, may cause problems with external management of the server.
  • The script will not process Suppressed entries within the Security & Compliance Analyzer UI. Before using the apply option within the script, compare the report output of the script to the entries within the UI and suppress any security recommendations you do not want the script to attempt to remediate.
    Note: If you suppress any options after the script has generated its report, use option 1 to refresh the compliance report so that the script acknowledges the suppressed option(s). You'll note that the (total: #) for option 2 will change.
  • This script does not have an undo option. Once changes are made, if you wish to revert those changes, you must do so manually.

Automated Script Usage

The PowerShell script must be run in an elevated PowerShell console on the Veeam Backup Server using an account with local administrator permissions.

Script Explanation
  1. The script will connect to the local instance of Veeam Backup & Replication.
  2. The script will trigger a new session of the Security & Compliance Analyzer.
  3. The script will wait 10 seconds and then collect verification statuses.
  4. The script will determine the status for each of the suggested configurations and find which suggested best practices require remediation that the script can assist with.
  5. The script will output the results in the PowerShell console.
  6. The script will prompt the user to select a course of action:
    • 1: Refresh compliance report
    • 2: Apply ALL recommended configurations
    • 3: Apply selected configuration only...
    • 0: Exit
  7. Selecting option #2 will cause the script to attempt automatic remediation of all entries listed as:
    Not implemented (Use 'Apply Configurations' option to fix)
    

    Note: Entries that are suppressed within the Security & Compliance Analyzer UI will be listed as "Suppressed" but will NOT be fixed using the script.
  8. Option #3 will trigger the prompt for the recommendation ID listed in the compliance report. The script will attempt the remediation of the entry with the specified ID only.
  9. After applying remediation actions, results will be displayed in the console.

Example Screenshots

Supression Example
Example of Suppressed Entry

Download Information

Customers are strongly encouraged to review the entire article to ensure they understand how this script functions and the impacts it may have. 

For example, unless suppressed within the Security & Compliance Analyzer, this script will implement the Security & Compliance Analyzer recommendation to disable Remote Desktop Services.

Veeam Support will not assist with OS or third-party software issues resulting from executing this script.

Download Script

Filename: KB4525-1.8.zip
Update: 2024-08-28

MD5: E7CA2C7EA83C82F3267C59C424699A15
SHA-1: 97A50EDCCD547451FD7E4EF523F4DC7743B2B4D6

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please, try again later.