Veeam backup best practices
- #Veeam backup best practices install
- #Veeam backup best practices full
- #Veeam backup best practices software
- #Veeam backup best practices windows
Keep the firewall on for all domains (public, private and if applicable domain).
#Veeam backup best practices windows
The Windows firewall is not the strongest solution as a firewall, but’s build-in, it’s available, therefore use it as it should. Lately those devices are frequently being impacted.ĭon’t forget to schedule this frequently, not once a year!Ħ – Use Windows Firewall with only necessary ports Do not think only on physical windows servers, but don’t forget the NAS-devices being used as a backup repository.
#Veeam backup best practices install
If you are using a physical VBR server, then schedule on a regular basis a maintenance window where you will install the most recent firmware and drivers for this server. First check the status of the jobs, if everything is OK, disable them, reboot the server, install all available updates, reboot again, check again, enable the jobs, follow-up the backups the day after.ĥ – Schedule maintenance for Firmware Updates on all Veeam components Then you can do this in a controlled manner. Personally I prefer to install Windows updates and reboot the server manually.
This can be automatically if you are sure no backup-jobs or replication-jobs are running anymore. Therefore a second maintenance window for updating the VBR server and components is necessary.
#Veeam backup best practices full
This because backups are mostly running during the night and full backups during the weekend. This maintenance window is mostly not available for the backup server and components. This maintenance windows is often at night or during the weekend, especially for critical production servers. This is mostly being performed in a maintenance window that is discussed with the management of the company. Also often they are being rebooted automatically. Often Windows updates are being installed automatically using GPO’s or other mechanisms on Windows servers. You could think, that’s obvious, but I can assure you, in smaller environments you can see everything ?Ĥ – Schedule maintenance for Windows Updates on all Veeam components
#Veeam backup best practices software
So only install software needed for Veeam and nothing else. The backup server must be a dedicated one with only 1 role! No other roles (like WSUS, anti-virus management, file-server !!!, domain-controller !!!, …) are being performed by this server. The server where VBR is implemented should have only 1 role, the role of Veeam backup server! You can use then the management-interface (ILO, iDRAC, …) of the server (in case of a physical server) or the console (HyperV, vSphere, …) in case of a virtual machine.ģ – Do not use other roles on the backup server You can go even further : disable the RDP service. Only log on to the VBR server using RDP for upgrading Veeam or installing manually updates or firmware (in case of a physical backup server). Try to use a regular (no local admin permissions) local user on the VBR server connecting to it. From there you can connect to the VBR server using this console. Use instead the Veeam console installed on a management server. The VBR-server is then a member of this management domain and not the production domain.ĭo the same for other Veeam components (proxy-servers, repositories, …)Īvoid using RDP on the VBR server. If the VBR server is member of a workgroup this can be eliminated.įor larger environments, it is recommended to implement a separate management domain. Also if this domain-user is being logged on to his client and has admin-access to the VBR server, ransomware can also being activated on drives of the VBR server. Why? If ransomware is nested in a roaming profile of a domain-user connecting to the domain-joined VBR server, this malware can be activated on the VBR server and impact the backups. There are of course more things possible, but it’s a start.ġ – Do not domain-join the backup server in the production domainĪ best-practice is to put the VBR server in a workgroup and not AD domain-joined for smaller environments. I will give you here 10 tips you can implement. The first thing that comes in mind, is to harden your Veeam Backup & Replication server as much as possible. Next to this rule, one of the first things to keep in mind is to protect as much as possible your backups because those can save you when you are being attachked and you need them.
It is always important to implement the golden 3-2-1-1-0 rule (in detail explained in a former post of me – 3-2-1-1-0 Golden Backup Rule – Orbid365). More en more companies are being a victim of malware, ransomware or even hackers.