Cisco TelePresence Management Suite Secure Server
Hardening Windows Server 2003 for Cisco TMS 13.0
Product Configuration Guide
D13148.08
December 2010

Summary of Contents for TELEPRESENCE MANAGEMENT SUITE SECURE SERVER

Page 1: ...Cisco TelePresence Management Suite Secure Server. Hardening Windows Server 2003 for Cisco TMS 13.0. Product Configuration Guide. D13148.08. December 2010 ...

Page 2: ...e Windows Firewall 17; Apply appropriate file ACLs 18; Audit policy 20; User rights assignment 21; Security options 23; Set event viewer history 27; Remove any file shares 27; Screen saver 28; Disable dump file creation 28; Miscellaneous registry changes 28; Protect the registry from anonymous access 28; Disable 8.3 file format compatibility 28; Clear paging file at shutdown 29; Disable Autorun from CD 29; Prot...

Page 3: ...nts 15; Table 4 Required port exceptions 17; Table 5 Required program exceptions 18; Table 6 Summary of audit policy settings 21; Table 7 List of recommended user rights settings 21; Table 8 Recommended security options 24; Table 9 Hardening the TCP/IP stack 29; Table 10 Extensions to leave enabled 30; Table 11 Nodes to select when applying permissions 31; Table 12 Extensions to remove 31 ...

Page 4: ...ve update for Windows 2003 SP1. Changes: Removal of Windows 2000-specific references; Updated formatting and reorganization; Removed incorrect IIS anonymous restrictions; Added SQL Server Service Accounts; Added Cisco TMS Service Accounts. Revision 8: Updated information and visual template. Revision 9: Stage 1 rebranding. Revision 10: Stage 2 rebranding, new product names ...

Page 5: ...ncreased the security of a default installation of Windows 2003 SP2 compared to Windows 2000 or earlier. If you still wish to further tighten the security of your installed servers, Microsoft provides guidelines on hardening servers based on several degrees of strength and the task that the server will perform. This document is intended to provide instruction on how to harden a Windows 2003 server fo...

Page 6: ... This document does not guarantee that your server is secure from attacks, even if you have applied all the changes described. Cisco is not responsible for potential harm that attackers might cause, nor any damage caused to your server by following the steps outlined in this document ...

Page 7: ...Install the latest Windows Service Pack. As each Service Pack from Microsoft includes all security fixes known to date, it is vital that the latest version is installed. Update your baseline server to the latest Service Pack for Windows. 4 Install the appropriate post-Service Pack security updates. Update the server to the latest available post-Service Pack security updates and any relevant hot fixes. Y...

Page 8: ...n your user groups and default system permissions before rolling out Cisco TMS into production. 9 Check and apply security fixes for SQL and IIS. Run Windows Update again to check for any updates for any additional components that have been installed along with Cisco TMS. Check the Microsoft SQL Server website and install any updates for the SQL Server engine. This concludes the basic installation. The...

Page 9: ...the Event Log is checked regularly for any attempts to use the dummy administrator account. 2 Set strong password and lockout policies. To change the password policies, go to Windows Start > Control Panel > Administrative Tools > Local Security Policy. Note: Domain-level policy settings may override these settings. Password rules: Choose Account Policies > Password Policy and apply the following changes. Set the ...

Page 10: ...S Service User Account. Create a Cisco TMS Service Account. Cisco TMS will install its services to run as the Local System account. To run at the lowest possible privileges, a local Windows account will be configured. Create a local Windows User to act as the service account for Cisco TMS Services and the Cisco TMS website. Use a strong password and a username of your choice. The placeholder name tmsserviceu...

Page 11: ...r\Provisioning\OpenDS\import tmp: principals (1) LocalMachine\Administrators, (2) SYSTEM, (3) tmsserviceuser; permissions (1) Full Control, (2) Full Control, (3) Full Control. <tms installdir>\Provisioning\OpenDS\locks: principals (1) LocalMachine\Administrators, (2) SYSTEM, (3) tmsserviceuser; permissions (1) Full Control, (2) Full Control, (3) Full Control. <tms installdir>\Provisioning\OpenDS\logs: principals (1) LocalMachine\Administrators, (2) SYSTEM, (3) tmsserviceuser; permissions (1) Full Control, (2) Full Contro...

Page 12: ...msserviceuser, (3) Authenticated Users; permissions (1) Full Control, (2) Full Control, (3) Full Control, (4) Read. <tms installdir>\wwwTMS\Data\Snapshot: principals (1) LocalMachine\Administrators, (2) SYSTEM, (3) tmsserviceuser, (3) Authenticated Users; permissions (1) Full Control, (2) Full Control, (3) Full Control, (4) Read. <tms installdir>\wwwTMS\Data\Software: principals (1) LocalMachine\Administrators, (2) SYSTEM, (3) tmsserviceuser, (3) Authenticated Users; permissions (1) Full Control, (2) Full Control, (3) ...

Page 13: ...s Start > Control Panel > Administrative Tools > Services. Locate the services whose names start with TMS. For each of these services, do the following: 1 Double-click the service to open the properties window. 2 Select the Log On tab and select This Account. 3 Enter the account details for the tmsserviceuser account. 4 Click OK. 5 Right-click the service. 6 Select Restart to have the changes take effect. Note: The...

Page 14: ...nt. Include: Accessories and Utilities: N. Application Server: Application Server Console: N; ASP.NET: Y; Enable network COM+ access: Y; Enable network DTC access: N; Internet Information Services: Y (see second table for details); Message Queuing: N. Certificate Services: N. E-mail Services: N. Fax Services: N. Indexing Services: N. Internet Explorer Enhanced Security Configuration: For administrator groups: Y; For all other u...

Page 15: ...To reduce the attack surface of the Cisco TMS server, all Windows Services that are not required by Cisco TMS should in general be disabled. Go to Windows Start > Control Panel > Administrative Tools > Services. Disable the services in the following list: 1 Right-click each of them. 2 Under the General tab, click Properties and select Disabled for Startup type. The status should then be displayed as Disabled u...

Page 16: ...ager; Kerberos Key Distribution Center; Virtual Disk Service; License Logging; WebClient; Messenger; Windows Audio; NetMeeting Remote Desktop Sharing; Windows Cardspace; Network DDE; Windows Image Acquisition (WIA); Network DDE DSDM; Windows Management Instrumentation Driver Extensions; Network Location Awareness; Windows Presentation Foundation Font Cache 3.0.0.0; Network Provisioning Service; Windows User Mode Dr...

Page 17: ...nchecked and disabled. Configuring TCP/IP. To further secure the server, the Internet Protocol (TCP/IP) protocol settings must be configured correctly. 1 Go to Windows Start > Control Panel > Network Connections > Local Area Connection. 2 Under the General tab, click the Properties button. 3 Click Internet Protocol (TCP/IP). 4 Click the Advanced button. 5 Select the WINS tab; disable any WINS servers that have been d...

Page 18: ...for port 3389 TCP. This is, however, a security risk. If practical, you can reduce this risk by only allowing traffic on port 3389 from particular IP addresses or the local subnet. This is done by selecting the exception, clicking on Edit and then Change scope. Apply appropriate file ACLs. A clean install of Windows Server 2003 has secure ACLs on the file system. To secure the server even further, give t...

Page 19: ...ctory\MSSQL.1\MSSQL\repldata: principals (1) LocalMachine\Administrators, (2) SYSTEM, (3) SQLServer2005MSSQLUSER$<Computer Name>$<InstanceName>; permissions (1) Full, (2) Full, (3) Full. <sql directory>\MSSQL.1\MSSQL\Template Data: principals (1) LocalMachine\Administrators, (2) SYSTEM, (3) SQLServer2005MSSQLUSER$<Computer Name>$<InstanceName>; permissions (1) Full, (2) Full, (3) Full. Program Files\Microsoft SQL Server\80\tools: principals (1) LocalMachine\Administrators, (2) SYSTEM, (3) SQLServer2005MSSQL...

Page 20: ...s, (3) SYSTEM; permissions (1) Full, (2) Read & Execute, (3) Full. <systemroot>\Config: principals (1) LocalMachine\Administrators, (2) LocalMachine\Users, (3) SYSTEM; permissions (1) Full, (2) Read, List, (3) Full. <systemroot>\System32, <systemroot>\System32\LogFiles, <systemroot>\System32\InetSrv: principals (1) LocalMachine\Administrators, (2) LocalMachine\Users, (3) SYSTEM; permissions (1) Full, (2) Read & Execute, (3) Full. <systemroot>\System: principals (1) LocalMachine\Administrators, (2) LocalMachine\Users, (3) SYSTEM; permissions (1) Full, (2) ...

Page 21: ...olicy determines whether to log changes to user rights assignment policies, trust policies and audit policies. Log only successes. Audit privilege use: Failure. The Audit privilege use policy determines whether to log use of a user right. Failures should be logged, as a failed privilege use can indicate an attempted security breach. Audit process tracking: No Auditing. The Audit process tracking policy dete...

Page 22: ...e the system time (SeSystemTimePrivilege): Administrators; Create a pagefile (SeCreatePagefilePrivilege): Administrators; Create a token object (SeCreateTokenPrivilege): (none listed); Create global objects (SeCreateGlobalPrivilege): Administrators, SERVICE; Create permanent shared objects (SeCreatePermanentPrivilege): (none listed); Debug programs (SeDebugPrivilege): (none listed); Deny access to this computer from the network (SeDenyNetworkLogonRight): Support_388...

Page 23: ...s; Modify firmware environment values (SeSystemEnvironmentPrivilege): Administrators; Perform Volume Maintenance Tasks (SeManageVolumePrivilege): Administrators; Profile single process (SeProfileSingleProcessPrivilege): Administrators; Profile system performance (SeSystemProfilePrivilege): Administrators; Remove computer from docking station (SeUndockPrivilege): Administrators; Replace a process level token (SeAssignPr...

Page 24: ...trictions in Security Descriptor Definition Language: Not Defined; Devices: Allow undock without having to log on: Disabled; Devices: Allowed to format and eject removable media: Administrators; Devices: Prevent users from installing printer drivers: Enabled; Devices: Restrict CD-ROM access to locally logged-on user only: Disabled; Devices: Restrict floppy access to locally logged-on user only: Disabled; Devices: U...

Page 25: ...kstation: Enabled; Interactive logon: Require smart card: Disabled; Interactive logon: Smart card removal behavior: Lock Workstation; Microsoft network client: Digitally sign communications (always): Disabled; Microsoft network client: Digitally sign communications (if server agrees): Enabled; Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled; Microsoft network server: Amount of i...

Page 26: ...nymous access to Named Pipes and Shares: Enabled; Network access: Shares that can be accessed anonymously: (none listed); Network access: Sharing and security model for local accounts: Classic (Local users ...); Network security: Do not store LAN Manager hash value on next password change: Enabled; Network security: Force logoff when logon hours expire: Disabled; Network security: LAN Manager authentication level: Send NTLMv2 respon...

Page 27: ...mounts of data, but they must be limited to prevent attacks from filling up the disk. 1 To set the size of the log file, right-click each event type. 2 Select Properties. 3 Set the Maximum log size to 131072 KB. 4 Select Overwrite events as needed. Remove any file shares. 1 Go to Windows Start > Control Panel > Administrative Tools > Computer Management. 2 Expand System Tools and Shared Folders and select Shares...

Page 28: ...p file creation. If the system crashes, a dump file can provide a hacker with sensitive information. To disable the dump file creation: 1 Go to Windows Start > Control Panel > System, under the Advanced tab. 2 Under Startup and Recovery, click the Settings button. 3 Select (none) under Write Debugging Information. Miscellaneous registry changes. To edit settings used to secure the server, edit the registry on the ...

Page 29: ...ControlSet\Services\Cdrom. Modify: Value Name: Autorun; Value Type: REG_DWORD; Value: 0. Protection against denial of service attacks. In order to harden the TCP/IP stack, go into the following hive: under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, create the values shown in Table 9. Table 9 Hardening the TCP/IP stack (Registry entry, Format, Value): EnableICMPRedirect, DWORD, 0; SynAttackP...

Page 30: ...Delete the default installed examples. Delete the following directories and their contents from the file system of your Cisco TMS server: InetPub\AdminScripts; WINDOWS\System32\Inetsrv\iisadmpwd; WINDOWS\web\printers. Delete all files under InetPub\wwwroot, but do not delete the directory. Disable unneeded web extensions. 1 Go to Windows Start > Control Panel > Administrative Tools > Internet Information Servic...

Page 31: ...de, Select to Inherit: TMSAgent: Yes; Pwx: No; TMS: Yes; TMS Public: No; TMSConferenceAPI: No; XAPSite: No. Note: You cannot remove anonymous access to the entire website. Anonymous access is required on several nodes so that devices can send data to Cisco TMS. Applying permissions as stated above from a standard Cisco TMS installation will maintain the required access rights. Delete unused application mappings. 1 G...

Page 32: ...on Services (IIS) Manager. 2 Expand the website Cisco TMS is installed in. 3 Right-click the XAPDLL directory. 4 Click Delete to delete the files and directory <TMS Install Dir>\wwwtms\public\XAPSite. Optional: Remove Polycom Endpoint support. If you are not managing Polycom Endpoints, you can remove the portions required to support them to reduce the surface area of the public website. 1 Go to Windows Start > Cont...

Page 33: ...S; Optional: Remove XAPDLL; Optional: Remove Polycom Endpoint support. Continued monitoring. It is important that the server's logs be continually audited to monitor for undesired behavior or attempts to break into the server. The Windows Event Viewer can be used to monitor the security audits enabled, and the IIS logs can be used for additional information regarding access to the website. The IIS Logs can...

Page 34: ...ES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INA...
