Securing Veeam Service Provider Console Infrastructure

This section includes recommendations for hardening specific Veeam Service Provider Console components in addition to general security considerations.

Infrastructure Planning

For large-scale environments, it is recommended to add Veeam Service Provider Console Server and other components to a management domain in a separate Active Directory forest.

For medium-sized and small environments, Veeam Service Provider Console components can be placed in a separate workgroup.

In both cases, Veeam Service Provider Console components should be placed in a separate network where applicable.

Veeam Service Provider Console Server

To secure Veeam Service Provider Console Server, consider the following recommendations:

  • Restrict outbound connections. To enable product update check, automatic license update, and license usage reporting, Veeam Service Provider Console Server must be connected to the internet and be able to send requests to servers on the internet. Allow only HTTPS connections to the Veeam License Update Servers (vac.butler.veeam.com, autolk.veeam.com), Veeam Installation Servers (download.veeam.com, download2.veeam.com), and Microsoft WSUS servers or Microsoft Update sites.
  • Restrict inbound connections. Inbound connectivity to Veeam Service Provider Console Server from the internet must not be allowed.
  • Use the recommended Access Control List (ACL) for the custom installation folder. If you specify a custom installation folder for Veeam Service Provider Console, use the recommended ACL configuration to prevent privilege escalation and arbitrary code execution (ACE) attacks. Remove all inherited permissions from this folder. Then, add the following permissions:
    • Administrators: Full control, applies to this folder, subfolders and files
    • SYSTEM: Full control, applies to this folder, subfolders and files
    • CREATOR OWNER: Full control, applies to subfolders and files only
    • Users: Read & Execute, applies to this folder, subfolders and files
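
The recommended ACL above, applied with PowerShell from an elevated session. This is an added example, not taken from the Veeam documentation; the folder path in $InstallPath is a placeholder assumption. It disables inheritance, sets the four listed entries, then reads the ACL back and warns about any entry outside the recommended set.

```powershell
# Added example. $InstallPath is a hypothetical custom folder; change it to yours.
$InstallPath = 'D:\Veeam\VSPC'

$Allow      = [System.Security.AccessControl.AccessControlType]::Allow
$Inherit    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ThisAndAll = [System.Security.AccessControl.PropagationFlags]::None         # folder, subfolders, files
$ChildOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly  # subfolders and files only

# Well-known SIDs, so the script also works on localized Windows builds.
$Recommended = @(
    @{ Sid = 'S-1-5-32-544'; Rights = 'FullControl';    Scope = $ThisAndAll }  # Administrators
    @{ Sid = 'S-1-5-18';     Rights = 'FullControl';    Scope = $ThisAndAll }  # SYSTEM
    @{ Sid = 'S-1-3-0';      Rights = 'FullControl';    Scope = $ChildOnly  }  # CREATOR OWNER
    @{ Sid = 'S-1-5-32-545'; Rights = 'ReadAndExecute'; Scope = $ThisAndAll }  # Users
)

$acl = Get-Acl -LiteralPath $InstallPath
# $true = block inheritance, $false = do not copy the inherited entries as explicit ones.
$acl.SetAccessRuleProtection($true, $false)

foreach ($entry in $Recommended) {
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Sid)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, [System.Security.AccessControl.FileSystemRights]$entry.Rights,
        $Inherit, $entry.Scope, $Allow)
    # SetAccessRule replaces any existing allow entries for the same SID.
    $acl.SetAccessRule($rule)
}
Set-Acl -LiteralPath $InstallPath -AclObject $acl

# Read the result back and report anything outside the recommended set.
$check = Get-Acl -LiteralPath $InstallPath
if (-not $check.AreAccessRulesProtected) {
    Write-Warning "Inheritance is still enabled on $InstallPath"
}
$expected = $Recommended | ForEach-Object { $_.Sid }
$check.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $expected -notcontains $_.IdentityReference.Value } |
    ForEach-Object {
        Write-Warning ("Unexpected entry: {0} {1} {2}" -f $_.IdentityReference.Value,
            $_.AccessControlType, $_.FileSystemRights)
    }
```

Explicit entries for other accounts that were already on the folder are left in place and only reported, so review each warning before removing anything.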

Veeam Service Provider Console Database

The Veeam Service Provider Console configuration database stores credentials of user accounts required to connect to various components in the Veeam Service Provider Console infrastructure. All passwords stored in the database are encrypted. However, users that have administrator privileges on Veeam Service Provider Console Server can decrypt passwords, which is a potential threat.

To secure the Veeam Service Provider Console configuration database, consider the following recommendations:

  • Check that only authorized users can access Veeam Service Provider Console Server and the server that hosts the Veeam Service Provider Console configuration database (if the database runs on a dedicated server).
  • To protect Veeam Service Provider Console data, back up the Veeam Service Provider Console database on a regular basis. Also, make sure that the repository for Veeam Service Provider Console database backups is not located in the same network as Veeam Service Provider Console Server.

Veeam Service Provider Console Web UI

To secure Veeam Service Provider Console Web UI components, consider the following recommendations:

  • Veeam Service Provider Console Web UI components use Microsoft IIS Web Server. To reduce the attack surface, follow CIS Benchmark security guidelines for your Microsoft IIS version.
  • To enforce the TLS 1.2 encryption protocol and disable weak ciphers for all communications with Veeam Service Provider Console Web UI components, enable the high security mode during the Veeam Service Provider Console installation. For more information, see Single-Server Installation Scenario or, if you use a distributed installation scenario, Installing Web UI Component.
  • Enable multi-factor authentication (MFA) in Veeam Service Provider Console to protect user accounts with additional user verification. For more information, see section Configuring Multi-Factor Authentication in the Guide for Service Providers.

Page updated 6/2/2025

Page content applies to build 8.1.0.21999