#1 Global Leader in Data Resilience

General Security Guidelines for Veeam Self-Service Backup Portal

KB ID: 2376
Product: Veeam Backup & Replication
Version: All
Published: 2017-11-10
Last Modified: 2021-10-04
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please, try again later.

Purpose

Self-Service Backup Portal is usually publicly available, this leads to increased risks associated with security. While it is generally safe to use this site, in order to reach maximum security it's recommended to apply certain Microsoft IIS and Windows settings.


More information:


The desired security settings can be divided in three categories:
  • Allowed protocols for secure communications
  • Allowed ciphers
  • Recommended Microsoft IIS settings
All of these settings should be applied on the Veeam Enterprise Manager server.

 

Solution

Step 1. Disable old security protocols in Windows registry


When IIS server receives an HTTPS connection, the client and server negotiate a common protocol to secure the channel. By default, Windows has a set of enabled protocols, and if the client negotiates a weak protocol (e.g., PCT 1.0), it will be used for communication. In modern networks, it's recommended to use one of the latest protocols ( either TLS 1.1 or 1.2).
Windows Server stores information about channel protocols in the Windows registry key below:

[HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

This key may contain the following subkeys:

  • PCT 1.0
  • SSL 2.0
  • SSL 3.0
  • TLS 1.0

Each key holds information about the protocol and any of these protocols can be disabled on the server. The following registry values (and subkeys, if necessary) should be created to disable the old protocols:

  • [HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
    "Enabled" = DWORD:0x00000000
  • [HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
    "Enabled" = DWORD:0x00000000
  • ​[HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
    "Enabled" = DWORD:0x00000000
  • [HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
    "Enabled" = DWORD:0x00000000


​Step 2: Disable weak ciphers


By default, the list of ciphers negotiated for given security protocol includes RC4 and 3DES. These ciphers are considered vulnerable, and it's recommended to disable them altogether.

Note: If you use any Windows version except Windows Server 2012R2, Server 2016, and Windows 10, the KB2868725 security update must be installed before applying the settings below.

In order to disable RC4 and 3DES, the following registry values should be created:

  • [HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    "Enabled" = DWORD:0x00000000

  • [HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    "Enabled" = DWORD:0x00000000

  • [HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    "Enabled" = DWORD:0x00000000

  • [HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
    "Enabled" = DWORD:0x00000000


Step 3: Tweak website settings


The settings for the Self-Service Backup Portal site are stored in the special Web.config file. The default Web.config file created after installation does not contain recommended security settings. In order to change this file according to recommendations, please follow the steps below:

  1. Browse to the web app installation folder (default is at C:\Program Files\Veeam\Backup and Replication\Enterprise Manager\WebApp)
  2. Copy original Web.config file someplace else to revert the changes if something goes wrong.
  3. Open Web.config file
  4. Find <system.web> section and add the following option to the httpRuntime settings: enableVersionHeader = "false". The httpRuntime settings should look like that afterwards:
<system.web>
  <httpRuntime requestValidationMode="2.0" targetFramework="4.5" executionTimeout="300" enableVersionHeader="false"/>
</system.web>
  1. Find <system.webServer> ---> <httpProtocol> ---> <customHeaders> section and add the following options:
<add name="Strict-Transport-Security" value="max-age=31536000"/>
<add name="X-XSS-Protection" value="1; mode=block"/>
<add name="X-Content-Type-Options" value="nosniff"/>
<remove name="X-Powered-By" />

The httpProtocol section should look like that afterward:
 
<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="Strict-Transport-Security" value="max-age=31536000"/>
<add name="X-XSS-Protection" value="1; mode=block"/>
<add name="X-Content-Type-Options" value="nosniff"/>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
</system.webServer>
  1. In the same folder, there is an Error.aspx file. Copy it to someplace else, then open it and delete its contents.

Please restart the server after all of the changes listed above. If any issues appear after this configuration, please feel free to contact Veeam support.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please, try again later.