There are some recommended settings to apply to your backup infrastructure to keep access under control and provide the highest level of security to your Veeam Backup Server.
Secure Veeam Backup Server
Because the next release of Veeam Backup & Replication is upcoming, the screenshots were taken using version 12 beta 3 so that the settings shown remain valid for the next version as well.
Here are the ten tips to secure Veeam Backup Server:
- 01 Move the Veeam Console to a management VM - Use a dedicated VM to manage access to the Veeam infrastructure.
- 02 Use accounts with the right roles - To limit unauthorized changes or malicious activities, assign the correct permissions to each account configured to access the Veeam console.
- 03 Remove the BUILTIN\Administrator group - Only explicitly added accounts have the appropriate permissions to operate in Veeam, based on their assigned role rather than on membership of the Local Administrators group.
- 04 Activate 2FA per account - Secure Veeam Backup Server access by enabling MFA per account. This feature will be available with Veeam VBR v12.
- 05 Enable auto logoff - To prevent a console from remaining accessible if not in use, enable the console auto logoff option. This feature will be available with Veeam VBR v12.
- 06 Enable data encryption for configuration backup - To protect your infrastructure and retain all passwords used in the configuration in case of a server restore, enable encryption for the Veeam database configuration.
- 07 Use encryption on all backup jobs - To protect your backup data and increase security, enable encryption on all backup jobs.
- 08 Disable the Remote Desktop service - Access to the backup server via the RDP protocol is blocked, protecting the computer from potential intrusion.
- 09 Disable Remote Registry service - Remote users will not be able to modify registry settings on the server.
- 10 Updates - Always keep your backup server version up to date to avoid potential security issues.
Following these recommendations, the Veeam Backup Server will be protected and secured against unauthorized access.
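Tips 08 and 09 can be checked and applied from an elevated PowerShell session on the backup server. The following is an added example, not part of the original article or of Veeam's tooling; the function name `Test-BackupServerRemoteAccess` is hypothetical, and the `fDenyTSConnections` check is an extra Windows setting the article does not mention.

```powershell
# Added example: audit (and optionally apply) tips 08 and 09.
# Run from the local or hypervisor console: stopping TermService ends any RDP session.
function Test-BackupServerRemoteAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate   # without this switch the function only reports
    )

    # Windows service names: TermService = Remote Desktop Services,
    # RemoteRegistry = Remote Registry
    $targets = 'TermService', 'RemoteRegistry'
    $tsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    foreach ($name in $targets) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "$name service not found"; continue }

        $ok = ($svc.StartType -eq 'Disabled') -and ($svc.Status -eq 'Stopped')

        if (-not $ok -and $Remediate -and $PSCmdlet.ShouldProcess($name, 'Stop and disable')) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
            $svc = Get-Service -Name $name   # re-read the state after the change
            $ok  = ($svc.StartType -eq 'Disabled') -and ($svc.Status -eq 'Stopped')
        }

        [pscustomobject]@{
            Check = $name; StartType = $svc.StartType; State = $svc.Status; Compliant = $ok
        }
    }

    # fDenyTSConnections = 1 means Windows refuses incoming RDP connections
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    if ($deny -ne 1 -and $Remediate -and $PSCmdlet.ShouldProcess($tsKey, 'Set fDenyTSConnections = 1')) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
        $deny = 1
    }
    [pscustomobject]@{
        Check = 'fDenyTSConnections'; StartType = $null; State = $deny; Compliant = ($deny -eq 1)
    }
}

Test-BackupServerRemoteAccess | Format-Table -AutoSize        # report only
# Test-BackupServerRemoteAccess -Remediate -WhatIf            # preview the changes
```

Run it without `-Remediate` first to record the current state, then with `-Remediate -WhatIf` to preview what would change before applying it.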