Veeam v12.3 Some tips on safety features – Security and Compliance Analyzer

In today’s cyber threat landscape, backup is no longer just the last line of defence: it is the best protection against cyber attacks and security features have become a big deal for backups.

In this article, the first in a series, we begin to look at a whole range of security features related to the latest version of Veeam Backup & Replication.

Starting with version 12, and with further improvements in subsequent versions, Veeam Data Platform has begun to offer greater protection for backup data by reducing the impact of a cyber attack.

This is thanks to integrated security features, and in this article we will analyse one of them.

Security and Compliance Analyzer

What is the analyzer? It is a security control tool integrated into Veeam. It’s been developed in line with guidelines set out by data protection and cybersecurity experts. We can use it in the VBR console, and it allows us to check all activities for compliance with security best practices.

The Backup Security & Compliance report assesses the configuration of all backup servers to guarantee that they align with established security best practices. This helps businesses maintain a robust backup infrastructure and increases confidence in their data protection strategy.

Compliance is divided into two broad categories:

Veeam server security: Verifies best practices for strengthening the operating system on which VBR is installed. The complete list is provided here:

  • Remote Desktop Services (TermService) should be disabled
  • Remote Registry service (RemoteRegistry) should be disabled
  • Windows Remote Management (WinRM) service should be disabled
  • Windows Firewall should be enabled
  • WDigest credentials caching should be disabled
  • Web Proxy Auto-Discovery service (WinHttpAutoProxySvc) should be disabled
  • Deprecated versions of SSL and TLS should be disabled
  • Windows Script Host should be disabled
  • SMBv1 protocol should be disabled
  • Link-Local Multicast Name Resolution (LLMNR) should be disabled
  • SMBv3 signing and encryption should be enabled
  • Local Security Authority Server Service (LSASS) should be set to run as a protected process
  • NetBIOS protocol should be disabled on all network interfaces
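
An added example, not part of the original article or of Veeam's tooling: a read-only PowerShell audit of some of the operating-system checks listed above, meant to be run in an elevated session on the backup server. The cmdlet or registry value used for each check is an assumption about how that item maps to a Windows setting, not the analyzer's own logic; the TLS and NetBIOS checks are left out.

```powershell
# Added example: read-only audit of part of the "Veeam server security" list.
# The setting chosen for each check is an assumption, not the analyzer's own logic.
$results = [System.Collections.Generic.List[object]]::new()

function Add-Check {
    param([string]$Check, [bool]$Compliant, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Check; Compliant = $Compliant; Detail = $Detail })
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Services that should be disabled (a missing service counts as compliant)
foreach ($name in 'TermService', 'RemoteRegistry', 'WinRM', 'WinHttpAutoProxySvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $ok  = (-not $svc) -or ($svc.StartType -eq 'Disabled' -and $svc.Status -ne 'Running')
    Add-Check "Service $name disabled" $ok "StartType=$($svc.StartType); Status=$($svc.Status)"
}

# Windows Firewall: every profile (Domain, Private, Public) must be enabled
$off = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' })
Add-Check 'Windows Firewall enabled' ($off.Count -eq 0) "Disabled profiles: $($off.Name -join ', ')"

# SMB server: SMBv1 off, signing required, encryption on
$smb = Get-SmbServerConfiguration
Add-Check 'SMBv1 disabled' (-not $smb.EnableSMB1Protocol) "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"
Add-Check 'SMBv3 signing and encryption' ($smb.RequireSecuritySignature -and $smb.EncryptData) `
    "RequireSecuritySignature=$($smb.RequireSecuritySignature); EncryptData=$($smb.EncryptData)"

# Registry-backed settings; an absent WDigest value means the OS default applies
$wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
Add-Check 'WDigest caching disabled' ($wdigest -ne 1) "UseLogonCredential=$wdigest"

$ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
Add-Check 'LSASS protected process' (@(1, 2) -contains $ppl) "RunAsPPL=$ppl"

$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
Add-Check 'LLMNR disabled' ($llmnr -eq 0) "EnableMulticast=$llmnr"

$wsh = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
Add-Check 'Windows Script Host disabled' ($wsh -eq 0) "Enabled=$wsh"

# Non-compliant rows sort first
$results | Sort-Object Compliant | Format-Table -AutoSize
```

The script changes nothing on the host, so its table can be compared against the analyzer's own results before and after remediation.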

Veeam configuration: Verifies the application of Veeam configuration best practices in order to make the backup software more secure.

Here is the list:

  • MFA for the backup console should be enabled
  • Immutable or offline (air gapped) media should be used
  • Password loss protection should be enabled
  • Backup server should not be a part of the production domain
  • Email notifications should be enabled
  • All backups should have at least one copy (the 3-2-1 backup rule)
  • Reverse incremental backup mode is deprecated and should be avoided
  • Unknown Linux servers should not be trusted automatically
  • The configuration backup must not be stored on the backup server
  • Host to proxy traffic encryption should be enabled for the Network transport mode
  • Hardened repositories should not be hosted in virtual machines
  • Network traffic encryption should be enabled in the backup network
  • Linux servers should have password-based authentication disabled
  • Backup services should be running under the LocalSystem account
  • Configuration backup should be enabled and use encryption
  • Credentials and encryption passwords should be rotated at least annually
  • Hardened repositories should have the SSH Server disabled
  • S3 Object Lock in the Governance mode does not provide true immutability
  • Backup jobs to cloud repositories should use encryption
  • Latest product updates should be installed
  • PostgreSQL server should be configured with recommended settings
  • Hardened repositories should not be used as backup proxy servers
  • Backup encryption password length and complexity recommendations should be followed

Now let's see how we can use the tool.

Running

We have 3 ways to run this report:

  1. manually, directly in the UI
  2. on a daily schedule
  3. with a Veeam ONE report

Manual mode: To start a security check, we can click the Security & Compliance button. A Security & Compliance Analyzer window opens and the security check starts automatically.

 

Daily schedule: The Analyzer can be scheduled to run daily by clicking the Schedule button, and the results can be sent by email, either as a standard notification or with a customized subject and notification type.

 

Veeam ONE report: As with the daily schedule, it is possible to schedule a periodic report from Veeam ONE and receive compliance information, as shown in the images below.

To run this report, you will need to open the Veeam ONE Web Client. From there, you can either perform a quick search or you can open the Veeam Backup Overview folder. Once the report is run you gain all the information on the backup servers that are connected to Veeam ONE.

 

Veeam ONE gives you a full report on how secure and compliant your backup infrastructure is, and it also notifies you of any issues. Alerts are a great way to keep on top of what’s going on around you. You’ll get alerts for each best practice for each backup server, so you can stay on top of things and make sure your environment is meeting the right standards.

 

Results

After the Analyzer has run, we can verify the results in the VBR console, which shows the current status of every check.

By clicking the Last run button, we can see the complete result for every row and check which items are not in compliance.

Remediation

On the Security & Compliance Analyzer documentation page we can find all the conditions and the remediation actions to implement in order to solve the issues and obtain a fully secure environment.

We can apply these remediations in two ways:

  1. manually
  2. automatically with a script

Manually

Some actions may not be applicable for certain reasons; in that case we can suppress the alert by clicking the Suppress button.

We must add a note and click OK.

We can see the suppressed alerts at the end of the page.

When we are ready to remediate the alert, we can select it and click the Reset button.

The alert will move to the Not checked status.

We can then run the analyzer, and the alert is marked as ‘Not Implemented’. Once the right fixes are in place, following the instructions on the documentation page, it will be there in the Passed section for good.

Automatically with a script

Remediations can be applied automatically with a script as described in the tool page.

We can navigate to the KB4525 page and download a script that automatically implements all the security properties.

The script on this page is provided to expedite the implementation of Security & Compliance Analyzer recommendations. It was created by Veeam’s development team and will be updated as further Security & Compliance recommendations are added to Veeam Backup & Replication.

(source Veeam kb4525 page)

The script will prompt the user to select a course of action:

1: Refresh compliance report

2: Apply ALL recommended configurations

3: Apply selected configuration only…

0: Exit

Selecting option #2 will cause the script to attempt automatic remediation of all entries listed as:

Not implemented (Use 'Apply Configurations' option to fix)

Note: Entries that are suppressed within the Security & Compliance Analyzer UI will be listed as “Suppressed” but will NOT be fixed using the script.

Option #3 will trigger the prompt for the recommendation ID listed in the compliance report. The script will attempt the remediation of the entry with the specified ID only.

 

That’s the end of the Security and Compliance Analyzer section. The next article will cover the Four-Eyes Authorisation section.