While you can only do so much with access to the server, you can block RDP to it (best practice) and force MFA on local accounts in Veeam.
Here is the snag: To turn on MFA you cannot use Groups, so you need to add your Administrator (or anyone else) individually, set Veeam permissions, and remove the default Administrators group.
To skip/block any account from requiring MFA, you click on “this is a service account” and it won’t force MFA.
You then turn on MFA for the system, which enables MFA for the user that needs it and everyone else that is not a “service account”. It will prompt them with an app code, which you can cut and paste into an app such as a mobile authenticator or ITGlue.
If access to that account is lost, you can reset MFA with another Veeam admin account. While this might not necessarily stop a malicious third party from trashing the on-premises server, it adds another layer of protection against remote access and for your cloud repositories and credentials.
Below is a deep dive into how to enable Veeam 12 MFA: