Security Best Practices Guide for Cisco Unified ICM ... · Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Releases 8.x October 2011 Americas

Security Best Practices Guide

for Cisco Unified ICM/Contact Center Enterprise & HostedReleases 8.x

October 2011

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA

http://www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0833

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE.ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTEDWITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OFANY PRODUCTS.THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKETTHAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THESOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) aspart of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED"AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING,WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISINGFROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES,INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USETHIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Ciscotrademarks, go to http://www.cisco.com/go/trademarksCCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, andLearn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco,the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS,iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, NetworkingAcademy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, andTransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. Any Internet Protocol(IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in thedocument are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationshipbetween Cisco and any other company. (1110R)Copyright 2011 Cisco Systems, Inc. All rights reserved.

http://www.cisco.com/go/trademarks

Table of Contents

Preface ...........................................................................................................................................................1Purpose .....................................................................................................................................................1Audience ....................................................................................................................................................2Organization ..............................................................................................................................................2Related Documentation..............................................................................................................................3Product Naming Conventions.....................................................................................................................4Conventions................................................................................................................................................5Obtaining Documentation and Submitting a Service Request...................................................................6Documentation Feedback...........................................................................................................................6

1. Encryption Support.....................................................................................................................................7User and Agent Passwords........................................................................................................................7Call Variables and Extended Call Variables................................................................................................7Internet Script Editor, Agent Re-skilling and WebView...............................................................................8CTI OS C++/COM Toolkit...........................................................................................................................8Cisco Contact Center SNMP Management Service...................................................................................9Additional Encryption..................................................................................................................................9

2. IPsec and NAT Support.............................................................................................................................11About IPsec..............................................................................................................................................11About NAT................................................................................................................................................12Support for IPsec in Tunnel Mode............................................................................................................12Support for IPsec in Transport Mode........................................................................................................13

System Requirements.........................................................................................................................13Supported Communication Paths .......................................................................................................13Configuring IPsec Policy......................................................................................................................15

IPsec Connection to Unified CM...............................................................................................................17Monitoring IPsec Activity..........................................................................................................................17

IPsec Monitor.......................................................................................................................................17IPsec Logging......................................................................................................................................17Network Monitoring..............................................................................................................................18System Monitoring ..............................................................................................................................18

Support for NAT........................................................................................................................................19NAT and CTI OS.......................................................................................................................................19IPsec and NAT Transparency...................................................................................................................20Additional IPsec References....................................................................................................................20

3. Applying IPsec with the Network Isolation Utility.......................................................................................21About IPsec..............................................................................................................................................21Deploying IPsec Manually Versus Deploying It Via the Network Isolation Utility......................................22About the Cisco Network Isolation Utility..................................................................................................22An Illustration of Network Isolation Utility Deployment.............................................................................23How the Network Isolation Utility Works...................................................................................................23

IPsec Terminology................................................................................................................................23The Network Isolation Utility Process..................................................................................................24

About Encrypting Traffic............................................................................................................................25How to Deploy the Network Isolation Feature..........................................................................................26

Important Deployment Tips..................................................................................................................26Sample Deployment.............................................................................................................................26Devices That Must Communicate with One Another...........................................................................31

Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Releases 8.x

i

Typical Boundary Devices....................................................................................................................33Caveats....................................................................................................................................................34How to Do a Batch Deployment...............................................................................................................35How to Run the Network Isolation Utility from the Command Line...........................................................35How to Monitor the Network Security.......................................................................................................40Troubleshooting the Network Isolation IPsec Policy.................................................................................40

4. Windows Server 2003 and Windows Server 2008 R2 Firewall Configuration...........................................41Cisco Firewall Configuration Utility Prerequisites.....................................................................................42Using the Cisco Firewall Configuration Utility...........................................................................................43Verifying New Windows Firewall Settings.................................................................................................43Configuring Windows Server 2003 Firewall to Communicate with Active Directory.................................44

Configuring Domain Controller Ports...................................................................................................44Restrict FRS Traffic to a Specific Static Port........................................................................................44Restrict Active Directory Replication Traffic to a Specific Port.............................................................45Configure Remote Procedure Call (RPC) Port Allocation....................................................................45Windows Server 2000 and 2003 Firewall Ports...................................................................................46Testing Connectivity.............................................................................................................................46Validating Connectivity.........................................................................................................................47

Understanding the CiscoICMfwConfig_exc.xml File.................................................................................47Troubleshooting Windows Firewall............................................................................................................48

Windows Server 2003 General Troubleshooting Notes.......................................................................48Windows Firewall Interferes with Router Private Interface Communication.........................................48Windows Firewall Shows Dropped Packets but no Unified ICM or Unified CCE Failures Are Evident.49Undo Firewall Settings.........................................................................................................................49

5. Automated Security Hardening Settings on Windows Server 2003..........................................................51Applying/Removing ICM Security Settings...............................................................................................52

Applying ICM Security Settings During Setup.....................................................................................52Manually Installing Cisco ICM Security Settings..................................................................................52Rolling Back Security Settings.............................................................................................................53

Account Policies Settings.........................................................................................................................54Password Policy...................................................................................................................................54Account Lockout Policy........................................................................................................................54Kerberos Policy....................................................................................................................................55

Local Policies............................................................................................................................................55Audit Policy..........................................................................................................................................55User Rights Assignment......................................................................................................................56Security Options..................................................................................................................................58

Event Log.................................................................................................................................................65System Services.......................................................................................................................................65

Settings for System Services...............................................................................................................66Registry....................................................................................................................................................72File System...............................................................................................................................................73

6. Applying Security with the Cisco Unified Contact Center Security Wizard...............................................75About the Cisco Unified Contact Center Security Wizard.........................................................................75Configuration and Restrictions.................................................................................................................76How to use the Wizard..............................................................................................................................76Example Security Wizard Usage..............................................................................................................77Example Windows Hardening Configuration Panels................................................................................78Example Windows Firewall Configuration Panels.....................................................................................81Example Network Isolation Configuration Panels.....................................................................................84


ii

Example SQL Hardening Panels..............................................................................................................88

7. Updating Microsoft Windows ....................................................................................................................91Microsoft Security Updates......................................................................................................................91Microsoft Service Pack Policy...................................................................................................................92

Configuring the Server to use an Alternate Windows Update Server..................................................92

8. SQL Server Hardening..............................................................................................................................95SQL Server Hardening Suggestions........................................................................................................95

Top Hardening Suggestions.................................................................................................................95SQL Server Users and Authentication.................................................................................................98

SQL Server 2005 Security Considerations...............................................................................................99Automated SQL 2005 Hardening.........................................................................................................99SQL Server Security Hardening Utility...............................................................................................100Manual SQL 2005 Server Hardening.................................................................................................101

9. Cisco SSL Encryption Utility...................................................................................................................103About the SSL Encryption Utility............................................................................................................103

Installing SSL During Setup...............................................................................................................104SSL Encryption Utility in Standalone Mode.......................................................................................104Enabling the Transport Layer Security (TLS) 1.0 Protocol.................................................................106

10. Network Access Protection...................................................................................................................107How NAP works......................................................................................................................................108Impact of using Microsoft Windows NAP with Unified CCE....................................................................108

Network Policy Server .......................................................................................................................108Unified CCE Servers and NAP .........................................................................................................108Unified CCE Client Machines and NAP ............................................................................................109

Additional NAP References....................................................................................................................109

11. Intrusion Prevention and Cisco Security Agent.....................................................................................111What are Cisco Security Agent Policies?...............................................................................................111Types of Agents......................................................................................................................................112

Managed Agent.................................................................................................................................112Standalone Agent..............................................................................................................................112

12. Microsoft Baseline Security Analyzer....................................................................................................113Security Update Scan Results................................................................................................................114Windows Scan Results...........................................................................................................................114Internet Information Services (IIS) Scan Results...................................................................................115SQL Server Scan Results......................................................................................................................116Desktop Application Scan Results..........................................................................................................117

13. Auditing ................................................................................................................................................119How to View Auditing Policies.................................................................................................................119Security Log...........................................................................................................................................120Real-Time Alerts.....................................................................................................................................120SQL Server Auditing Policies..................................................................................................................120

SQL Server C2 Security Auditing......................................................................................................120Active Directory Auditing Policies...........................................................................................................120

14. General Antivirus Guidelines and Recommendations...........................................................................123Guidelines and Recommendations.........................................................................................................124Unified ICM/Unified CCE Maintenance Parameters...............................................................................125

Logger Recommendations ................................................................................................................125


iii

Distributor Recommendations...........................................................................................................125CallRouter and PG Recommendations..............................................................................................126Other Scheduled Tasks Recommendations.......................................................................................126

File Type Exclusion Recommendations..................................................................................................126

15. Remote Administration..........................................................................................................................127Windows Terminal Services (Remote Desktop).....................................................................................127

Remote Desktop Protocol..................................................................................................................128Securing the RDP-TCP Connection..................................................................................................128Per-User Terminal Services Settings.................................................................................................129

pcAnywhere............................................................................................................................................129Restricting Access to Internal Machines............................................................................................130Preventing unauthorized connections to a pcAnywhere host............................................................130Protecting the data stream during a remote control session.............................................................132Preventing unauthorized changes to the installed product................................................................132Identifying security risks....................................................................................................................133Logging events during a remote control session...............................................................................133

VNC........................................................................................................................................................133TRIDIA VNC Pro.....................................................................................................................................133

16. Additional Security Best Practices........................................................................................................135Additional Cisco Call Center Applications..............................................................................................135

Cisco Unified ICM WebView..............................................................................................................135Cisco Unified ICM CTI Object Server (CTI OS).................................................................................136Cisco Agent Desktop (CAD)..............................................................................................................136Cisco Unified ICM Router..................................................................................................................136Peripheral Gateways (PGs) and Unified CCE Agent Login...............................................................137CTI OS and Monitor Mode Connection..............................................................................................137

Microsoft Internet Information Server (IIS).............................................................................................137Hardening IIS for use with WebView and Internet Script Editor on Windows Server 2000 Platforms.137

Sybase EAServer (Jaguar) Hardening...................................................................................................140Starting Jaguar Manager...................................................................................................................140Changing Jaguar Password...............................................................................................................141Restart WebView/Services................................................................................................................142

WMI Service Hardening.........................................................................................................................142WMI namespace-level security:.........................................................................................................142Additional WMI Security Considerations............................................................................................143

SNMP Hardening....................................................................................................................................143Toll Fraud Prevention..............................................................................................................................144Syskey....................................................................................................................................................145Third-Party Security Providers................................................................................................................145Third-Party Management Agents............................................................................................................145

Index ...........................................................................................................................................................147


iv

List of Figures

Figure 1: Example Network Isolation Deployment.........................................................................................................23

Figure 2: Example Contact Center Enterprise System....................................................................................................27

Figure 3: Example Phase 1 - Step 1 IPSec Deployment..................................................................................................27

Figure 4: Example Tusted Device Isolation.....................................................................................................................28





Figure 9: Example IPSec Deployment - Overall Design.................................................................................................30

Figure 10: Security Wizard Welcome Window................................................................................................................78

Figure 11: Windows Hardening Introduction Panel........................................................................................................79

Figure 12: Windows Hardening Template Options Panel................................................................................................79

Figure 13: Windows Hardening Confirmation Panel.......................................................................................................80

Figure 14: Windows Hardening Status Panel..................................................................................................................81

Figure 15: Windows Firewall Wizard Introduction Panel................................................................................................81

Figure 16: Windows Firewall Configuration Options Panel............................................................................................82

Figure 17: Windows Firewall Confirmation Panel..........................................................................................................83

Figure 18: Windows Firewall Status Panel......................................................................................................................83

Figure 19: Network Isolation Introductory Panel............................................................................................................84

Figure 20: Trusted Devices Configuration Panel.............................................................................................................85

Figure 21: Boundary Device Configuration Panel..........................................................................................................86

Figure 22: Network Isolation Confirmation Panel..........................................................................................................87

Figure 23: Network Isolation Status Panel......................................................................................................................87

Figure 24: SQL Hardening Introduction Panel................................................................................................................88

Figure 25: Security Action Panel.....................................................................................................................................89

Figure 26: SQL Hardening Confirmation Panel..............................................................................................................89

Figure 27: SQL Hardening Status Panel..........................................................................................................................90

Figure 28: SSL Config Utility - Configuration Tab.......................................................................................................105

Figure 29: SSL Config Utility - Certificate Administration Tab...................................................................................106


v


vi

Preface

Purpose

This document describes security hardening configuration guidelines for Cisco Unified IntelligentContact Management (Unified ICM) Release 8.0(1) on Windows Server 2003 and WindowsServer 2008 R2. The term “Unified ICM” includes: Unified Contact Center Enterprise/Hosted(Unified CCE/CCH), Cisco Unified System Contact Center Enterprise (Unified SCCE), andCisco Unified Intelligent Contact Management Enterprise/Hosted. Optional Unified ICMapplications that apply to these server configurations are also addressed here, with the exceptionof the following: Cisco Unified Web Interaction Manager (Unified WIM), Media Blender (whennot co-resident with a Peripheral Gateway (PG); if co-resident with a PG then these best practicesare applicable), Dynamic Content Adapter and Cisco Unified E-Mail Interaction Manager(Unified EIM). References throughout this document to “Unified ICM/Cisco Unified ContactCenter Enterprise (Unified CCE)” will assume the aforementioned configurations. Anyaccompanying applications that make up the customer’s particular solution, whether Ciscoprovided—such as PSO applications—or provided by a Cisco partner, have not been approvedfor use with these security hardening recommendations. Special testing and qualification mustbe considered to ensure that recommended security configurations do not hinder the operationof those applications.

Note: The information in this guide does not pertain to specifics of Cisco Unified System ContactCenter Enterprise (Unified SCCE) deployments. The Cisco IPCC Enterprise Web AdministrationTool is used for administering Unified SCCE. (Unified SCCE Release 7.5 is supported in the8.0(1) solution.)

The configurations presented in this document represent parameters used internally within Ciscoto develop and test the applications. Other than the base Operating System and applicationinstallations, any deviation from this set cannot be guaranteed to provide a compatible operatingenvironment. It is important to note recommendations contained in this document will not alwaysbe uniformly implemented; some implementations—as based on corporate policy, specific ITutilities (for example, backup accounts) or other external guidelines—may modify or limit theapplication of these guidelines.


1

Note: Operating System Security Hardening for Release 8.0(1) is supported on Windows Server2003 only.

Audience

This document is primarily intended for server administrators and OS and application installers.

It is assumed that the target reader of this document is an experienced administrator familiarwith Windows Server 2003 and Windows Server 2003 installations. It is further assumed thatthe reader is fully familiar with the applications that make up the Unified ICM/Unified CCEsolution, as well as with the installation and administration of these systems. It is the intent ofthese best practices to additionally provide a consolidated view of securing the various third-partyapplications on which the Cisco contact center applications depend. If vendor recommendationsdiffer from these guidelines, following such recommendations may result in systems that arenot protected from malicious attacks.

Organization

This document is organized into the following chapters:

DescriptionChapter

A brief overview of the encryption methods used in UnifiedICM/Unified CCE.

Chapter 1, “Encryption Support” (page 7)

Security best practices for deploying IPsec and Network AddressTranslation (NAT) in an Unified ICM/Unified CCE environment.

Chapter 2, “IPsec and NAT Support” (page 11)

Details on how to deploy a preconfigured IPsec policy for UnifiedICM/CCE environment.

Chapter 3, “Applying IPsec with the NetworkIsolation Utility” (page 21)

The use of Windows Firewall and details about the CiscoWindows Firewall configuration script.

Chapter 4, “Windows Server 2003 and WindowsServer 2008 R2 Firewall Configuration” (page 41)

Specific details of the settings changed when using the CiscoSecurity Template for Windows Server 2003.

Chapter 5,“ Automated Security Hardening Settingson Windows Server 2003” (page 51)

Details on how to use the Security Wizard to configure varioussecurity features.

Chapter 6, “Applying Security with the Cisco UnifiedContact Center Security Wizard” (page 75)

Security Best Practices to use when updating Windows Server2003.

Chapter 7,“Updating Microsoft Windows” (page 91)

Security Best Practices for SQL Server.Chapter 8, “SQL Server Hardening” (page 95)

Details on using the SSL Encryption Utility.Chapter 9, “Cisco SSL Encryption” Utility (page 103)

Using Cisco Security Agent for Host Intrusion Detection.Chapter 10, “Intrusion Prevention and Cisco SecurityAgent” (page 111)


2

Preface

Audience

DescriptionChapter

Example of what to expect when running MBSA on a typicalUnified ICM Server.

Chapter 11, “Microsoft Baseline Security Analyzer(MBSA)” (page 113)

Security Best Practices for setting Auditing Policies on UnifiedICM/CCE Servers.

Chapter 12, “Auditing” (page 119)

General Antivirus guidelines and recommendations.Chapter 13, “General Antivirus Guidelines andRecommendations” (page 123)

Security Best Practices to consider when using various remoteadministration applications.

Chapter 14, “Remote Administration” (page 127)

Additional Security Best Practices for:Chapter 15, “Additional Security Best Practices” (page135)

• Additional Cisco Call Center Applications

• Microsoft Internet Information Server

• Sybase EAServer (Jaguar)

• RMS Listener Hardening

• WMI Service Hardening

• SNMP Service Hardening

• Toll Fraud Prevention

• Syskey

• Third-Party Security Providers

• Third-Party Management Agents

Related Documentation

Documentation for Cisco Unified ICM/Contact Center Enterprise & Hosted, as well as relateddocumentation, is accessible from Cisco.com at: http://www.cisco.com/cisco/web/psa/default.html.

Related documentation includes the documentation sets for Cisco CTI Object Server (CTI OS),Cisco Agent Desktop (CAD), Cisco Agent Desktop Browser Edition (CAD-BE), Cisco UnifiedContact Center Management Portal, Cisco Unified Customer Voice Portal (CVP), Cisco UnifiedIP IVR, Cisco Unified Intelligence Center, and Cisco Support Tools. The following list providesmore information.


3

Preface

Related Documentation

http://www.cisco.com/cisco/web/psa/default.html


• For documentation for the Cisco Unified Contact Center products mentioned above, go tohttp://www.cisco.com/cisco/web/psa/default.html, click Voice and UnifiedCommunications, then click Customer Collaboration, and then click Cisco Unified ContactCenter Products or Cisco Unified Voice Self-Service Products, then click the product oroption you are interested in.

• For troubleshooting tips for the Cisco Unified Contact Center Products mentioned above, goto http://docwiki.cisco.com/wiki/Category:Troubleshooting, and then click the productor option you are interested in.

• Documentation for Cisco Unified Communications Manager is accessible from: http://www.cisco.com/cisco/web/psa/default.html.

• Technical Support documentation and tools are accessible from: http://www.cisco.com/en/US/support/index.html.

• The Product Alert tool is accessible from (login required): http://www.cisco.com/cgi-bin/Support/FieldNoticeTool/field-notice.

• For information about the Cisco software support methodology, see Software Release andSupport Methodology: ICM/IPCC available at (login required): http://www.cisco.com/en/US/partner/products/sw/custcosw/ps1844/prod_bulletins_list.html.

• For a detailed list of language localizations, see the Cisco Unified ICM/Contact CenterProduct and System Localization Matrix available at the bottom of the following page: http://www.cisco.com/en/US/products/sw/custcosw/ps1001/prod_technical_reference_list.html.

Product Naming Conventions

In this release, the product names listed in the table below have changed. The New Name (longversion) is reserved for the first instance of that product name and in all headings. The NewName (short version) is used for subsequent instances of the product name.

Note: This document uses the naming conventions provided in each GUI, which means that insome cases the old product name is in use.

New Name (short version)New Name (long version)Old Product Name

Unified CCECisco Unified Contact CenterEnterprise

Cisco IPCC Enterprise Edition

Unified SCCECisco Unified System Contact CenterEnterprise

Cisco System IPCC Enterprise Edition

Unified CCHCisco Unified Contact Center HostedCisco IPCC Hosted Edition

Unified ICMECisco Unified Intelligent ContactManagement Enterprise

Cisco Intelligent Contact Management(ICM) Enterprise Edition

Unified ICMHCisco Unified Intelligent ContactManagement Hosted

Cisco Intelligent Contact Management(ICM) Hosted Edition


4

Preface

Product Naming Conventions


http://docwiki.cisco.com/wiki/Category:Troubleshooting



http://www.cisco.com/en/US/support/index.html

http://www.cisco.com/en/US/support/index.html

http://www.cisco.com/cgi-bin/Support/FieldNoticeTool/field-notice

http://www.cisco.com/cgi-bin/Support/FieldNoticeTool/field-notice

http://www.cisco.com/en/US/partner/products/sw/custcosw/ps1844/prod_bulletins_list.html

http://www.cisco.com/en/US/partner/products/sw/custcosw/ps1844/prod_bulletins_list.html

http://www.cisco.com/en/US/products/sw/custcosw/ps1001/prod_technical_reference_list.html

http://www.cisco.com/en/US/products/sw/custcosw/ps1001/prod_technical_reference_list.html

New Name (short version)New Name (long version)Old Product Name

Unified CMCisco Unified CommunicationsManager

Cisco CallManager/Cisco UnifiedCallManager

Conventions

This manual uses the following conventions:

DescriptionConvention

Boldface font is used to indicate commands, such as userentries, keys, buttons, and folder and submenu names. Forexample:

boldface font

• Choose Edit > Find.

• Click Finish.

Italic font is used to indicate the following:italic font

• To introduce a new term; for example: A skill group is acollection of agents who share similar skills

• For emphasis; for example: Do not use the numerical namingconvention

• A syntax value that the user must replace; for example: IF(condition, true-value, false-value)

• A book title; for example: Refer to the Cisco CRSInstallation Guide

Window font, such as Courier, is used for the following:window font

• Text as it appears in code or that the window displays; forexample: <html><title>Cisco Systems,Inc. </title></html>

• Navigational text when selecting menu options; for example:ICM Configuration Manager > Tools> Explorer

Tools > Agent Explorer

Angle brackets are used to indicate the following:< >

• For arguments where the context does not allow italic, suchas ASCII output

• A character string that the user enters but that does not appearon the window such as a password


5

Preface

Conventions

Obtaining Documentation and Submitting a Service Request

For information about obtaining documentation, submitting a service request, and gatheringadditional information, see the monthly What's New in Cisco Product Documentation, whichalso lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to What's New in Cisco Product Documentation as a Really Simple Syndication (RSS)feed and set content to be delivered directly to your desktop using a reader application. TheRSS feeds are a free service and Cisco currently supports RSS version 2.0.

Documentation Feedback

You can provide comments about this document by sending an email message to the followingaddress:

[email protected] (mailto:[email protected])

We appreciate your comments.


6

Preface

Obtaining Documentation and Submitting a Service Request

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

mailto:[email protected]

Encryption SupportThis chapter describes the types of encryption used in the Unified ICM system. The conceptshelp you to understand how encryption is used in the Unified ICM/Unified CCE environment.

This chapter contains the following topics:

• User and Agent Passwords, page 7• Call Variables and Extended Call Variables, page 7• Internet Script Editor, Agent Re-skilling and WebView, page 8• CTI OS C++/COM Toolkit, page 8• Cisco Contact Center SNMP Management Service, page 9• Additional Encryption, page 9

User and Agent Passwords

Unified ICM/Unified CCE systems are highly distributed applications composed of many nodeand server applications. Application user and contact center agent passwords are stored in theLogger databases as well as the Distributor databases as an RSA Data Security, Inc. MD5Message-Digest Algorithm hash. When passed from one server node to another, such as froma Peripheral Gateway to a Router, or from a Distributor to a Router or a Logger, the passwordsare passed as MD5 hashes as opposed to clear text.

Call Variables and Extended Call Variables

To protect data sent in call variables or expanded call context (ECC) variables, Unified ICMrelies on IPsec and the deployment of IPsec policies between servers running Windows Server2003. In a Unified CCE environment, the establishment of an IPsec channel between the CiscoUnified Communications Manager (Unified CM) and the Peripheral Gateway is also supported.The recommended integrity algorithm is SHA-1 and the encryption algorithm is 3DES. The


7

Chapter 1

recommended Internet Key Exchange (IKE) security algorithm is a minimum of Diffie-HellmanGroup 2 for a 1024-bit key or 2048-bit key if processing power allows it.

See Also

IPsec and NAT Support on page 11

Internet Script Editor, Agent Re-skilling and WebView

Unified ICM supports, as a default on Windows Server 2003, the encryption of traffic for usersaccessing the Unified ICM Internet Script Editor, Web Setup, Agent Re-skilling, and WebViewapplications so that all user logins and optionally session traffic done from a remote machineare protected from snooping. The applications that implement the Transport Layer Security(TLS) v1.0 protocol using the OpenSSL libraries are HTTP based.

The Agent Re-skilling and Internet Script Editor web applications will also be deployed andenabled for 128-bit SSL encryption in IIS 6.0 as a default so that all supervisor logins, userlogins, and data exchanged is protected across the network.

For more information on enabling certain Cipher Suites in IIS see the article KB 245030 (http://support.microsoft.com/?kbid=245030).

See Also

Cisco SSL Encryption Utility on page 103Cisco WebView Documentation

CTI OS C++/COM Toolkit

The CTI OS (C++/COM toolkit) and CAD agent desktops implement TLS v1.0 protocol usingthe OpenSSL libraries to protect data exchanged between the agent desktop to the CTI ObjectServer. A Cipher suite is used for authentication, key exchange, and stream encryption. TheCipher suite is as follows:

• Key exchange: Diffie-Hellman

• Authentication: RSA

• Encryption: AES (128)

• Message digest algorithm: SHA1

Refer to the CTI OS System Manager's Guide for Cisco Unified ICM/Contact Center Enterprise& Hosted and Cisco CAD Installation Guide for more configuration details.


8

Chapter 1: Encryption Support

Internet Script Editor, Agent Re-skilling and WebView

http://support.microsoft.com/?kbid=245030

Cisco Contact Center SNMP Management Service

Unified ICM/Unified CCE includes a Simple Network Management Protocol (SNMP v3) agentto support authentication and encryption (privacy) provided by SNMP Research International.The Cisco implementation exposes the configuration of the communication with a managementstation to be authenticated using the SHA-1 digest algorithms and for all SNMP messages tobe encrypted using one of the following three protocols:

• 3DES

• AES-192

• AES-256

See Also

SNMP Hardening on page 143SNMP Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted

Additional Encryption

In addition to the various areas of application-level encryption provided in the Unified ICMsuite of applications, Cisco supports the deployment of the solution across sites running CiscoIOS IPsec in Tunnel Mode with HMAC-SHA1 Authentication (ESP-SHA-HMAC) and 3DESEncryption (ESP-3DES).

See Also

IPsec and NAT Support on page 11


9


Cisco Contact Center SNMP Management Service


10


Additional Encryption

IPsec and NAT Support

About IPsec

Internet Protocol security (IPsec) is a framework of open standards for ensuring private, securecommunications over Internet Protocol (IP) networks, through the use of cryptographic securityservices.

Note: IPsec can be deployed in many different ways. The purpose of this chapter is to explainwhat IPsec is and how to secure selected communication paths using IPsec. The chapter onApplying IPsec with the Network Isolation Utility (page 21) explains a specific, more restricted,but automated way of applying IPsec to secure the entire traffic to and from the server. TheNetwork Isolation Utility also saves you a lot of work in applying IPsec. However, if you usethis utility to apply IPsec, be sure to read this chapter to understand the various IPsec deploymentoptions and to use the one that is the most beneficial for your environment.

For more information, see http://www.cisco.com/go/ipsec and http://technet.microsoft.com/en-us/network/bb531150.aspx

Implementing IPsec in a Unified ICM/Unified CCE environment means finding a balancebetween ease of deployment and usability and protecting sensitive information from unauthorizedaccess.

Finding the proper balance requires the following:

• Assessing the risk and determining the appropriate level of security for your organization

• Identifying valuable information

• Defining security policies that use your risk management criteria and protect the identifiedinformation

• Determining how the policies can best be implemented within the existing organization


11

Chapter 2

http://www.cisco.com/go/ipsec

http://technet.microsoft.com/en-us/network/bb531150.aspx

http://technet.microsoft.com/en-us/network/bb531150.aspx

• Ensuring that management and technology requirements are in place

Security considerations are also influenced by the way the application will be used or deployed.For example, the required security might differ depending on whether certain UnifiedICM/Unified CCE servers will be deployed in a single data center or across a number of sitesthat may or may not communicate across trusted networks. The security framework in WindowsServer 2003 is designed to fulfill the most stringent security requirements. However, softwarealone might be less effective without careful planning and assessment, effective securityguidelines, enforcement, auditing, and sensible security policy design and assignment.

About NAT

Network Address Translation (NAT) is a mechanism for conserving registered IP addresses inlarge networks and simplifying IP addressing management tasks. As its name implies, NATtranslates IP addresses within private “internal” networks to “legal” IP addresses for transportover public “external” networks (such as the Internet). Incoming traffic is translated back fordelivery within the inside network.

The section in this chapter beginning with Support for NAT (Network Address Translation)(page 19) describes the Unified ICM and Unified CCE NAT support.

Support for IPsec in Tunnel Mode

Due to increased security concerns in the deployment of data and voice networks alike, UnifiedICM and Unified CCE deployments now add support for IPsec between Central Controller sitesand remote Peripheral (PG) sites. This secure network implementation implies a distributedmodel where the WAN connection is secured via IPsec tunnels. The testing undertaken in thisrelease was limited to configuration of Cisco IOS IPsec in Tunnel Mode, meaning only theCisco IP Routers (IPsec peers) between the two sites were part of the secure channelestablishment. All data traffic is encrypted across the WAN link but un-encrypted on the localarea networks. In Tunnel Mode, traffic flow confidentiality is ensured between IPsec peerswhich, in this case, are the IOS Routers connecting a central site to a remote site.

The qualified specifications for the IPsec configuration are as follows:

• HMAC-SHA1 Authentication (ESP-SHA-HMAC)

• 3DES Encryption (ESP-3DES)

The common recommendation for QoS networks is to classify and apply QoS features basedon packet header information before traffic is tunnel encapsulated and/or encrypted.

More detailed resources on Cisco IOS IPsec functionality are available at: http://www.cisco.com/go/ipsec


12

Chapter 2: IPsec and NAT Support

About NAT



Support for IPsec in Transport Mode

System Requirements

Following are the system requirements for IPsec Support in Transport Mode:

• Cisco Unified ICM Release 8.0(1)

• Microsoft Windows Server 2003

• Intel PRO/100 S Server Adapter P/N PILA8470C3

Note:

• IPsec offload network adapters accelerate the cryptographic operations used to secure IPsecpackets, thereby minimizing the performance costs for encryption. As a result, IPsec-securedTCP/IP connections can achieve a similar rate of throughput as TCP/IP connections that arenot secured using IPsec. If the hardware acceleration cards cannot be used, IPsec encryptionwill increase CPU load, and decrease throughput.

• Unified ICM Release 8.0(1) support for IPsec is contingent on the use of network interfacecards that support IPsec offloads. The card listed in the System Requirements list has beentested and is recommended.

See Also

For more information about the benefits of using IPsec hardware offload adapters, see “IntelPRO/100S Network Adapter, IPsec Offload Performance and Comparison,” at http://www.intel.com/Assets/PDF/whitepaper/intel_ipsec_final.pdf.

Supported Communication Paths

Unified ICM Release 8.0(1) supports deploying IPsec in a Windows Server 2003 operatingenvironment to secure server-to-server communication. The support is limited to the followinglist of nodes, which exchange customer-sensitive data.

1. NAM Router and CICM Router

2. Unified ICM Router Side A and Unified ICM Logger Side A (visible path)

3. Unified ICM Router Side B andUnified ICM Logger Side B (visible path)

4. Unified ICM Router Side A andUnified ICM Router Side B (private path)

5. Unified ICM Logger Side A andUnified ICM Logger Side B (private path)

6. Unified ICM Router and Unified ICM Peripheral Gateway (PG)


13



http://www.intel.com/Assets/PDF/whitepaper/intel_ipsec_final.pdf


a. Unified ICM Router Side A and Unified ICM PG Side A

b. Unified ICM Router Side A andUnified ICM PG Side B

c. Unified ICM Router Side B andUnified ICM PG Side A

d. Unified ICM Router Side B and Unified ICM PG Side B

7. Unified ICM Router and Administrator & Data Server (Primary/Secondary) with HistoricalData Server (HDS)

a. Unified ICM Router Side A andUnified ICM Administrator & Data Server(Primary/Secondary) with HDS

b. Unified ICM Router Side B and Unified ICM Administrator & Data Server(Primary/Secondary) with HDS

8. Unified ICM Router and Unified ICM Administration Server, Real-time and HistoricalData Server, and Detail Data Server (Primary/Secondary)

a. Unified ICM Router Side A andUnified ICM Administration Server, Real-time andHistorical Data Server, and Detail Data Server (Primary/Secondary)

b. Unified ICM Router Side B and Unified ICM Administration Server, Real-Time andHistorical Data Server, and Detail Data Server (Primary/Secondary)

9. Unified ICM Logger and Unified ICM Administrator & Data Server (Primary/Secondary)with HDS

a. Unified ICM Logger Side A andUnified ICM Administrator & Data Server(Primary/Secondary) with HDS

b. Unified ICM Logger Side B and Unified ICM Administrator & Data Server(Primary/Secondary) with HDS

10. Unified ICM Logger and Unified ICM Administration Server, Real-time and HistoricalData Server, and Detail Data Server (Primary/Secondary)

a. Unified ICM Logger Side A and Unified ICM Administration Server, Real-time andHistorical Data Server, and Detail Data Server (Primary/Secondary)

b. Unified ICM Logger Side B andUnified ICM Administration Server, Real-time andHistorical Data Server, and Detail Data Server (Primary/Secondary)

11. Unified ICM PG Side A and Unified ICM PG Side B

a. visible path

b. private path

12. Unified ICM PG Side A/B and Unified CM (Unified CCE)


14



For the preceding identified server communication paths, consider a High security level as ageneral basis for planning an IPsec deployment.

See Also

Be sure to consult the Microsoft Knowledge Base article KB 810207 (http://support.microsoft.com/kb/810207/EN-US/) for important information about changes in WindowsServer 2003 IPsec support from Windows Server 2000 support of IPsec.

Configuring IPsec Policy

Windows Server 2003 IPsec policy configuration is the translation of security requirements toone or more IPsec policies.

Each IPsec policy consists of one or more IPsec rules. Each IPsec rule consists of the following:

• A selected filter list

• A selected filter action

• Selected authentication methods

• A selected connection type

• A selected tunnel setting

There are multiple ways to configure IPsec policies but the following is the most direct method:

Create a new policy and define the set of rules for the policy, adding filter lists and filter actionsas required. In this method, you create an IPsec policy first and then add and configure rules.Add filter lists (specifying traffic types) and filter actions (specifying how the traffic is treated)during rule creation.

An IPsec Security Policy must be created for each communication path and on each end (onevery server). Provide the following when creating and editing the properties of each IPsecpolicy using the IP Security Policy Wizard.

1. Name

2. Description (optional)

3. Do not Activate the default response rule

4. IP Security Rule ( add Rule using the Add Wizard)

– Tunnel Endpoint ( do not specify a tunnel)

– Network Type: All network connections

5. IP Filter List


15



http://support.microsoft.com/kb/810207/EN-US/

– Name

– Description (optional)

– Add IP Filter using the Add Wizard

Description (optional)

Source address: A specific IP Address (differs based on the path)

Destination address: A specific IP Address (differs based on the path)

IP Protocol type: Any

– Add Filter Action using the Add Wizard

Name

Description (optional)

Filter Action General Options: Negotiate security

Do not communicate with computers that do not support IPsec

IP Traffic Security: Integrity and encryption - Integrity algorithm: SHA1 - Encryptionalgorithm: 3DES

– Authentication Method: Active Directory _Kerberos V5 protocol (Default)

Note:

• X509 certificates can also be used in a production environment dependingon customer preference. With Unified ICM requiring Active Directoryin all deployment models, relying on Kerberos as the authenticationmethod will not require any extra security credential management. ForPG to Cisco Call Manager (CCM) connections use an X509 presharedkey.

• For enhanced security, the use of preshared key authentication is notrecommended because it is a relatively weak authentication method. Inaddition, preshared keys are stored in plain text. It is recommended thatyou use preshared keys only for testing. For more information, seePreshared key authentication at http://technet.microsoft.com/en-us/library/cc782582(WS.10).aspx

6. Key Exchange Security Method - IKE Security Algorithms (Defaults)

– Integrity algorithm: SHA1

– Encryption algorithm: 3DES

– Diffie-Hellman group: Medium (DH Group 2, 1024-bit key)


16



http://technet.microsoft.com/en-us/library/cc782582(WS.10).aspx


Note:

• For enhanced security, do not use Diffie-Hellman Group 1, whichprovides 768 bits of keying strength. For maximum security, use Group2048 (high), which provides 2,048 bits of keying strength. StrongDiffie-Hellman groups combined with longer key lengths increase thecomputational difficulty of determining a secret key. For moreinformation, see Key exchange methods at http://technet.microsoft.com/en-us/library/cc759504(WS.10).aspx

• For information about general best practices for security, see bestpractices for security at http://technet.microsoft.com/en-us/library/dd560764(WS.10).aspx

• Using longer key lengths results in more CPU processing overhead.

IPsec Connection to Unified CM

On Unified CCE Systems, when the Unified CM is not in the same domain as the Unified ICMsystem, you are unable to use Kerberos for authentication. You must use X.509 certificates.

Monitoring IPsec Activity

IPsec Monitor

IP Security Monitor (ipsecmon) can be used to monitor IPsec on a Windows Server 2003operating system. The details about the IPsec Monitor can be found in Microsoft article KB324269 (http://support.microsoft.com/kb/324269).

IPsec Logging

If your policies do not work correctly, you might need to enable the logging of the IPsec securityassociation process. This is called an Oakley log. The log is difficult to read, but it can help youtrack down the location of the failure in the process. The following steps enable IPsec logging.

Step 1 Choose Start > Run.

Step 2 Type Regedt32 and click OK to get into the Registry Editor.

Step 3 Double-click HKEY_LOCAL_MACHINE.

Step 4 Navigate to System\CurrentControlSet\Services\PolicyAgent.

Step 5 Double-click Policy Agent.


17


IPsec Connection to Unified CM



http://technet.microsoft.com/en-us/library/dd560764(WS.10).aspx


http://support.microsoft.com/kb/324269


Step 6 Right-click in the right-hand pane and choose Edit > Add Key.

Step 7 Enter Oakley as the key name (case sensitive).

Step 8 Double-click Oakley.

Step 9 Right-click in the left-hand pane and choose New > DWORD Value.

Step 10 Enter the value name EnableLogging (case sensitive).

Step 11 Double-click the value and set the DWORD to 1. Click OK.

Step 12 Go to a command prompt and type net stop policyagent & net start policyagent.

Step 13 Find the log in %windir%\debug\Oakley.log

Network Monitoring

The Network Monitor component (netmon) that ships with Windows Server 2003 can captureframes that are sent to or from the computer on which Network Monitor is installed. For moreinformation, refer to Microsoft documentation at http://www.microsoft.com/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_netmnintro.asp

System Monitoring

The built-in Performance console (perfmon) provides the ability to monitor network activityalong with the other performance data on the system. Treat network components as another setof hardware resources to observe as part of your normal performance-monitoring routine.

Network activity can influence the performance not only of your network components but alsoof your system as a whole. Be sure to monitor other resources along with network activity, suchas disk, memory, and processor activity. System Monitor enables you to track network andsystem activity using a single tool. Use the following counters as part of your normal monitoringconfiguration:

Table 1: System Monitoring Counters

Cache\Data Map Hits %

Cache\Fast Reads/sec

Cache\Lazy Write Pages/sec

Logical Disk\% Disk Space

Memory\Available Bytes


18


Monitoring IPsec Activity

http://www.microsoft.com/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_netmnintro.asp

http://www.microsoft.com/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_netmnintro.asp

Memory\Nonpaged Pool Allocs

Memory\Nonpaged Pool Bytes

Memory\Paged Pool Allocs

Memory\Paged Pool Bytes

Processor(_Total)\% Processor Time

System\Context Switches/sec

System\Processor Queue Length

Processor(_Total)\Interrupts/sec

Support for NAT

NAT is a mechanism for conserving registered IP addresses in large networks and simplifyingIP addressing management tasks. NAT translates IP addresses within private “internal” networksto “legal” IP addresses for transport over public “external” networks (such as the Internet). NATalso translates the incoming traffic “legal” delivery addresses to the IP addresses within theinside network.

Release 8.0(1) continues support for deployment of IP Phones (Unified CCE) across NAT.Cisco has also tested locating remote Peripheral (PG) servers on a NAT network remote fromthe Central Controller servers (Routers and Loggers). The qualification of NAT support for PGservers was limited to a network infrastructure implementing Cisco IP Routers with NATfunctionality.

Agent Desktops are supported in a NAT environment, except when silent monitoring is used.Silent Monitoring is not supported under NAT; see the section on NAT and CTI OS below.

More detailed resources on how to configure NAT can be found at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

More details on how to deploy IP Phones across NAT can be found at the following link: http://cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guides_list.html

NAT and CTI OS

CTI OS Silent Monitor does not work in a production environment when all of the servers ofthe Unified CCE (Administration & Data Server, PG , CTI OS Server and Unified CM) arelocated on a remote data center with a private addressing scheme and the agent/supervisor


19


Support for NAT

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

http://cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guides_list.html

http://cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guides_list.html

desktops and hard IP phones are on the call center network that also has its own address schemewhile both networks (data center and call center) are joined together using NAT.

The two main problems that are identified in this environment are as follows:

• The CTI toolkit Agent Desktop cannot sniff any VoIP packets from the PC port on the IPphone, because the IP address used on the packet filter is the translated address sent by UnifiedCM. The problem is that the address belongs to the address scheme at the data center networkand not on the call center network space. Note that this problem is not particular to CTI OSbut also affects applications written using GED-188 directly that rely on the RTP Stated/Stopevents.

• The IP address the CTI toolkit Supervisor Desktop provides the CTI toolkit Agent Desktopfor it to forward sniffed VoIP packets is an address on the data center address space. TheCTI toolkit Supervisor Desktop obtains its IP address from the eClientIdentifyEvent sent byCTI OS Server to the supervisor workstation when it initiates its session with CTI OS Server.The IP address included in the event is the translated address in the data center network, notthat of the call center network.

IPsec and NAT Transparency

The IPsec NAT Transparency feature introduces support for IPsec traffic to travel through NATor Port Address Translation (PAT) points in the network by addressing many knownincompatibilities between NAT and IPsec. NAT Traversal (NAT-T) is a feature that isautodetected by VPN devices. There are no configuration steps for a router running Cisco IOSSoftware Release 12.2(13)T and later. If both VPN devices are NAT-T capable, then NAT-Tis autodetected and autonegotiated.

Additional IPsec References

Additional IPsec references can be found on the web at:

• IPsec Architecture - http://technet.microsoft.com/en-us/library/bb726946.aspx

• Windows Server 2003 IPsec Documentation - http://technet.microsoft.com/en-us/library/cc779969(WS.10).aspx

• Intel PRO/100S Network Adapter, IPsec Offload Performance and Comparison - http://www.intel.com/Assets/PDF/whitepaper/intel_ipsec_final.pdf


20


IPsec and NAT Transparency

http://technet.microsoft.com/en-us/library/bb726946.aspx





Applying IPsec with the Network Isolation UtilityThis chapter contains the following topics:

• About IPsec, page 21• Deploying IPsec Manually Versus Deploying It Via the Network Isolation Utility, page 22• About the Cisco Network Isolation Utility, page 22• An Illustration of Network Isolation Utility Deployment, page 23• How the Network Isolation Utility Works, page 23• About Encrypting Traffic, page 25• How to Deploy the Network Isolation Feature, page 26• Caveats, page 34• How to Do a Batch Deployment, page 35• How to Run the Network Isolation Utility from the Command Line, page 35• How to Monitor the Network Security, page 40• Troubleshooting the Network Isolation IPsec Policy, page 40

About IPsec

Internet Protocol Security (IPsec) is a security standard developed jointly by Microsoft, Cisco,and many other Internet Engineering Task Force (IETF) contributors. It provides integrity(authentication) and encryption between any two nodes, which could be endpoints or a gateways.IPsec is application independent because it works at layer 3 of the network. This is particularlyuseful for large and distributed applications like Unified ICM because it provides securitybetween the application nodes independent of the application.

For some introductory information on IPsec, see:

• Frequently Asked Questions (http://www.microsoft.com/technet/network/ipsec/ipsecfaq.mspx)


21

Chapter 3

http://www.microsoft.com/technet/network/ipsec/ipsecfaq.mspx

• Whitepaper on Internet Protocol Security for Microsoft Windows Server 2003 (http://www.microsoft.com/downloads/details.aspx?FamilyID=E6590330-D903-4BDD-9655-81B86DF655E4&displaylang=en&displaylang=en)

Deploying IPsec Manually Versus Deploying It Via the Network Isolation Utility

The Network Isolation Utility, described in this chapter, automates much of the work you needto do to secure a Unified ICM/Unified CCE environment using IPsec. The Network Isolationutility deploys a preconfigured IPsec policy on Unified ICM and Unified CCE servers thatsecures the entire network traffic to or from those servers. Network connectivity is restrictedto only those severs that share the same policy or are explicitly listed as exceptions. If you wishto secure network traffic only between selected communication paths, then refer to the manualsteps described in the chapter on IPsec and NAT Support (page 11).

About the Cisco Network Isolation Utility

The Cisco Network Isolation Utility uses the Windows IPsec feature to isolate Unified ICMdevices (for example, the router, the logger, and the peripheral gateway device) from the restof the network. The utility creates a Network Isolation IPsec policy, which, when it is deployed,sets Unified ICM devices as Trusted and authenticates and optionally encrypts all traffic betweenTrusted Devices. Traffic between Trusted Devices continues to flow normally without anyadditional configuration. All traffic to or from devices outside the Trusted Devices is deniedunless it is classified as coming from or going to a Boundary Device.

A Boundary Device is a device without an IPsec policy that is allowed access to a TrustedDevice. These devices typically include the Domain Controller, the Unified CM, default gatewaydevices, CTI OS desktops, WebView clients, serviceability devices, and remote-access computers.

Each Trusted Device has its own list of Boundary Devices, which is defined either by separateIP addresses or subnets or ports.

The Network Isolation policy uses the IPsec ESP (Encapsulating Security Payload) protocolfor integrity and encryption. The cipher suite deployed is as follows:

• IP Traffic Security:


– Encryption algorithm: 3DES

• Key Exchange Security:


– Encryption algorithm: 3DES (optional)

– Diffie-Hellman group: High (2048-bit key)


22

Chapter 3: Applying IPsec with the Network Isolation Utility

Deploying IPsec Manually Versus Deploying It Via the Network Isolation Utility

http://www.microsoft.com/downloads/details.aspx?FamilyID=E6590330-D903-4BDD-9655-81B86DF655E4&displaylang=en&displaylang=en

An Illustration of Network Isolation Utility Deployment

Figure 1: Example Network Isolation Deployment

How the Network Isolation Utility Works

To understand the Network Isolation Utility design and how it works, make sure you understandthe following:

• IPsec Terminology (page 23)

• The Network Isolation Utility Process (page 24)

IPsec Terminology

The following list provides information about IPsec terminology:

• Policy

An IPsec policy is a collection of one or more rules that determine IPsec behavior. In WindowsServer 2003, multiple policies can be created but only one policy can be assigned (active) ata time.

• Rules


23


An Illustration of Network Isolation Utility Deployment

Each rule is made up of a FilterList, FilterAction, Authentication Method, TunnelSetting,and ConnectionType.

• Filter List

A set of filters that match IP packets based on source and destination IP address, protocol,and port.

• Filter Action

A filter action, identified by a Filter List, defines the security requirements for the datatransmission.

• Authentication Method

An authentication method defines the requirements for how identities are verified incommunications to which the associated rule applies.

For fuller definitions of Microsoft Windows IPsec terminology, see Overview of IPsec PolicyConcepts (http://www.microsoft.com/technet/security/guidance/architectureanddesign/ipsec/ipsecapa.mspx).

The Network Isolation Utility Process

The Network Isolation Utility must be run separately on each Trusted Device. Do not run theutility on Boundary Devices.

To allow traffic to or from Boundary Devices, the Boundary Devices list on each Trusted Devicemust be configured manually.

After the Network Isolation IPsec policy is deployed on a device, that device is set as Trustedand traffic flows freely between it and any other Trusted Device without any additionalconfiguration.

When run, the Network Isolation Utility does the following:

1. Removes any IPsec policies that are already on that computer. This is to avoid conflictsso the new policy matches on all Unified ICM devices for a successful deployment.

2. Creates a Cisco Unified Contact Center (Network Isolation) IPSec policy in the WindowsIPsec policy store.

3. Creates the following two rules for the policy:

a. Trusted Devices Rule This rule involves the following items:

Trusted Devices Filter List: all traffic. One filter that matches all traffic.

Trusted Devices Filter Action: Require security. Authenticate using the integrityalgorithm SHA1 and optionally encrypt using encryption algorithm 3DES.


24


How the Network Isolation Utility Works

http://www.microsoft.com/technet/security/guidance/architectureanddesign/ipsec/ipsecapa.mspx

http://www.microsoft.com/technet/security/guidance/architectureanddesign/ipsec/ipsecapa.mspx

Authentication Method: The authentication method used to create trust betweencomputers is a Preshared Key.

The Preshared Key can be a string of words, numbers, or characters except the doublequote symbol. The minimum length for this key is 36 characters.

b. Boundary Devices Rule The Boundary Devices Rule involves the following twoitems:

Boundary Devices Filter List: (empty by default)

Boundary Devices Filter Action: Permit traffic without IPsec policy. BoundaryDevices do not require IPsec to communicate with Trusted Devices.

4. The Network Isolation Utility stores a copy of the Cisco Unified Contact Center IPsecpolicy in an XML file located in Network Isolation utility folder:<systemdrive>:\CiscoUtils\NetworkIsolation\CiscoICMIPsecConfig.XML

The XML files stores the policy state and the Boundary Device list. It does not store thepreshared key.

5. The Network Isolation Utility Logs all commands and actions in a log file at:<SystemDrive>:\CiscoUtils\NetworkIsolation\Logs\CiscoICMNetworkIsolation.

log

The utility keeps one copy of the log file and appends all commands and actions to anypreviously created logs.

About Encrypting Traffic

The Network Isolation policy allows only those computers that have the same preshared key tointeract. However, if encryption is not enabled, then, although an outside hacker cannot accessa trusted computer, the hacker might be able to see the traffic coming and going from thatcomputer. Therefore, you can also encrypt that traffic if you want to.

Note:

• You cannot encrypt traffic to one Trusted Device alone. You must encrypt traffic on eitherall Trusted Devices or none. The reason is that if only one computer has encrypted traffic,then none of the other Trusted Devices will understand it.

• Cisco strongly recommends the use of encryption offload network interface cards when IPsecis enabled with encryption so that performance is not impacted by the encryption software.See IPsec and NAT Support (page 11) for more details.


25


About Encrypting Traffic

How to Deploy the Network Isolation Feature

Be aware of the following when designing your deployment plan for the Network Isolationfeature:

• Important Deployment Tips (page 26)

• Sample Deployment (page 26)

• Devices That Must Communicate with One Another (page 31)

• Typical Boundary Devices (page 33)

Important Deployment Tips

No configuration is needed on Boundary Devices. All the configuration is done on TrustedDevices. The Network Isolation Utility configures Trusted Devices to interact with other TrustedDevices and with Boundary Devices. Because the network isolation feature is applied on onedevice at a time, and because this feature instantly limits communication with other devicesafter it is applied, you need to carefully plan how to deploy this feature before using it or youcould accidentally stop your network from working. It is advisable to write a deployment planbefore you implement the Network Isolation feature. Deploy this feature therefore only duringa maintenance window and review the Caveats (page 34) before writing your deployment plan.

Sample Deployment

The following is one sample deployment. Phase one of the deployment is to deploy the policyon the CallRouter, Logger, and Administration & Data Server and to put the Peripheral Gateway(PG) subnets in the CallRouter’s Boundary Devices list. Phase two of the deployment is toremove the PGs from the CallRouter’s Boundary Device list simultaneously as the policy isdeployed on the PGs.

1. Start with a fully functional Unified ICM or Unified CCE system that has no IPsec policydeployment.


26



Figure 2: Example Contact Center Enterprise System

2. Set the CallRouter, the Logger, and the Administration & Data Server as Trusted Devicesby running the Network Isolation Utility on each of them.

Figure 3: Example Phase 1 - Step 1 IPSec Deployment

This process leaves the Trusted Devices as network isolated.


27



Figure 4: Example Tusted Device Isolation

3. Add the infrastructure servers and clients as Boundary Devices.


4. Put the Peripheral Gateway (PG) subnets in the CallRouter’s Boundary Devices list.


28




5. Then set the PGs as Trusted Devices and simultaneously remove them from the CallRouterBoundary list.

Note: After the policy is deployed on a PG, that PG is a Trusted Device. Therefore, it isimperative that the PG be removed from the Router Boundary Device list because acommunication path (in this case, between the router and the PG) cannot be set as bothTrusted and Boundary.



29



6. Add Unified CM or ACD server, the DNS, and the agent desktops as Boundary Deviceson both PGs.


When you are finished, all Unified ICM Trusted Devices will communicate only witheach other and their respective Boundary Devices (the domain controller, the DNS, theUnified CM, and so on). Any network attack from outside will not reach the TrustedDevices, unless it is routed through the Boundary Devices.

Figure 9: Example IPSec Deployment - Overall Design


30



Devices That Must Communicate with One Another

Each device in the following list must be able to have two-way communication with each devicein its sublist. These devices can be set as either Trusted or Boundary Devices:

• CallRouter

– CallRouter (on the other side in a duplex system)

– Logger

– Administration & Data Server/Historical Database Server

– NAM Router

– Peripheral Gateway (on both sides in a duplex system)

– Application Gateway

– Database Server

– Network Gateway

• Logger

– Historical Database Server/Administration & Data Server

– CallRouter

– Campaign Manager

– Dialer

• Peripheral Gateway

– Multichannel/Multimedia Server

– CallRouter (on both sides in a duplex system)

– Peripheral Gateway (on the other side in a duplex system)

– Unified CM

– Administration & Data Server legacy PIMS/switches

• CTI OS Server and CTI OS Clients

– CTI OS Server (on the other side in a duplex system)

– Peripheral Gateway


31



– CTI OS Agent desktops

– Cisco Agent Desktop

– All CTI Clients

• Silent Monitor Server

– CTI OS Server (on the other side in a duplex system)

– Peripheral Gateway

– CTI OS Agent desktops

– Cisco Agent Desktop

– All CTI Clients

• Administration & Data Server/Historical Database Server


– Router

– Logger

– WebView Server

– Custom Application Server

– CON API Clients

– Internet Script Editor Clients/Webskilling

– 3rd Party Clients/SQL party

• Administration Server, Real-time and Historical Data Server, and Detail Data Server(AW-HDS-DDS)


– Router

– Logger

– WebView Server

– Custom Application Server

– Internet Script Editor Clients/Webskilling

– Third-Party Clients/SOL party


32



• WebView Server

– Administration & Data Server/Historical Database Server

– Clients

– 3rd Party Software Server

– Open Software Server

Typical Boundary Devices

The following is a list of Boundary Devices that you will typically need to allow normalfunctioning of a Unified ICM system:

• Domain Controllers for RTR, LGR, Administration & Data Server or HDS, and PGs

Configuration Example:

Boundary Device: Domain Controller IP Address

Traffic Direction: Outbound

Protocol: Any

Port: Not Applicable

• DNS, WINS, Default Gateway

• Remote Access or Remote Management for every Trusted Device (VNC, pcAnywhere,Remote Desktop Connection, SNMP)

Configuration Example for VNC:

Boundary Device: Any host

Traffic Direction: Inbound

Protocol: TCP

Port: 5900

• Communications Manager Cluster for PGs

Configuration Example:

Boundary Device: A specific IP Address (or Subnet)

Traffic Direction: Outbound

Protocol: TCP


33



Port: All ports

• Agent Desktops

Configuration Example for CTI OS Server:

Boundary Device: A Subnet


Protocol: TCP

Port: 42028

• WebView Clients

Configuration Example for WebView Server:

Boundary Device: A Subnet


Protocol: TCP

Port: 80 and 443

Caveats

You must carefully plan deployments so that the policy is applied to all machines at the sametime. Otherwise, you can accidentally isolate a device.

• Important: Enabling the policy remotely will block remote access unless a provision is madein the Boundary Device list for remote access. You must add a Boundary Device for remoteaccess before enabling the policy remotely.

• Important: You must add all domain controllers as Boundary Devices or your domain loginwill fail and your Unified ICM services will also fail to start or you may see delayed logintimes. This list of domain controllers should include all domains in which the Unified ICMapplication is installed as well as all domains in which Web Setup tool, configuration andWebview users and supervisors exist.

• Adding a new device as Boundary Device (for example, a new Domain Controller) requiresa change to the policy on all Trusted Devices that need access to this new device withoutIPsec.

• A change in the Preshared Key must be invoked on all Trusted Devices.

• If you enable encryption on only one Trusted Device, that device will not be able tocommunicate with the other Trusted Devices because its network traffic will be encrypted.Enable encryption on all or none of the Trusted Devices.


34


Caveats

• Avoid the use the Windows IPsec policy MMC plug-in to make any changes to the IPsecpolicy. The Network Isolation Utility maintains its own copy of the policy, and, wheneverexecuted, the utility reverts to its last saved configuration, ignoring any changes made outsidethe utility (or the Security Wizard).

• While the Network Isolation Utility does not interfere with applications that run on thenetwork, run it only during the application maintenance window because it can potentiallydisrupt connectivity when you are setting up the network security.

• If your network is behind a firewall, then you must configure the firewall to:

– Allow IP protocol number 50, which is the ESP (Encapsulating Security Protocol).

– Allow UDP source and destination traffic on port 500 for the IKE protocol.

• If you are using the NAT protocol, you must configure the firewall to forward traffic on UDPsource and destination port 4500 for UDP-ESP encapsulation.

• Any changes made to the application port usage, such as a web server port, must also bereflected in the policy.

• Deploy the Network Isolation Policy after the Unified ICM or the Unified Contact Centerapplication is configured and confirmed to be working.

How to Do a Batch Deployment

You can use the following XML file to help speed up deployment when a common set ofBoundary Devices must be added to all Trusted Devices:

<system drive>:\CiscoUtils\NetworkIsolation\CiscoICMIPsecConfig.XML

This XML file contains the list of Boundary Devices and policy state, on one Trusted Device.You can use this to replicate the policy on other Trusted Devices.

For example, when setting up your PGs as Trusted Devices, you may first want to completeconfiguring one Unified ICM PG. Next, you can copy the XML file from that configured PGto the rest of your Unified ICM PGs, and then run the Isolation Utility (or the Security Wizard)on the other PGs to replicate the same Boundary Device list on all your PGs.

How to Run the Network Isolation Utility from the Command Line

You can run the Network Isolation Utility either from the command line or from the UnifiedContact Center Security Wizard.

Note: It is recommended that you use the Security Wizard for initial policy creation ormodification. You can use the command line for batch deployment.


35


How to Do a Batch Deployment

To run the utility from the command line, go to the C:\CiscoUtils\NetworkIsolation directory,where the utility is located, and run it from there:

C:\CiscoUtils\NetworkIsolation>

The following is the command-line syntax for enabling the policy on Trusted Devices:

cscript ICMNetworkIsolation.vbe <arguments>

Note: You must use cscript to invoke the script.

You can add Boundary Devices with multiple filters. You can filter them by:

• IP Address: Individual IP addresses or by an entire subnet of devices

• Dynamically detected devices: DNS, WINS, DHCP, Default Gateway

Windows dynamically detects the IP address of these devices and keeps the filter list updated

• Direction of traffic: inbound or outbound

• Protocol: TCP, UDP, ICMP, or any protocol

• Port (only if TCP or UDP is selected): a specific port or all ports

In the syntax:

• angle brackets < > = required

• square brackets [ ] = optional

• pipe or bar | = any one of the items between the bars

The following table lists the command syntax for all uses of the command.

Table 2: The Network Isolation Utility Command Syntax for Each Argument

FunctionSyntax and ExampleArgument Name

Displays the syntax for the command.cscript ICMNetworkIsolation.vbe /?HELP

ENABLE POLICY Creates a new policy or enables an existing onefrom the stored policy XML file.

cscript ICMNetworkIsolation.vbe /enablePolicy<36+ characters PreSharedKey in double quotes>[/encrypt]

Optionally enables encryption of the networktraffic data.Note: The only non-supported character for use

in the PresharedKey is double quotes because thatCreates a new policy in Windows IPsec policystore and adds all Boundary Devices listed in

character marks the beginning and end of the key.You can enter any other character within the key.

the XML file. If the XML file does not exist,then it creates a new XML file. The /encryptoption overrides the value set in the XML file.

For example:


36




cscript ICMNetworkIsolation.vbe /

enablePolicy

“myspecialpresharedkey123456789mnbvcx”

Note: The add, remove, and delete arguments make a backup of the XML file and name it xml.lastconfig before carryingout their function.

Adds to the Boundary Device list the type ofdevice specified.

cscript ICMNetworkIsolation.vbe /addBoundaryDNS|WINS|DHCP|GATEWAY

ADD BOUNDARY

The type can be specified as DNS, WINS,DHCP, or GATEWAY.

For example:


addBoundary DNS The utility recognizes DNS, WINS, DHCP, andGATEWAY as the Domain Name System

This example adds the DNS server to the BoundaryDevice list.

(DNS) device, the Windows Internet NameService (WINS) device, the Dynamic HostConfiguration Protocol (DHCP) device, and thedefault Gateway (GATEWAY) devicerespectively.

The Windows operating system dynamicallydetects a change in IP address for each of thepreceding types of devices and dynamicallyupdates the Boundary filter list accordingly.

Adds to the Boundary Device list any devicethat matches the following criteria:

cscript ICMNetworkIsolation.vbe/addAnyHostBoundary <Outbound|Inbound><TCP|UDP> <PortNumber>

• One of the specified traffic directions(outbound or inbound).For example:


addAnyHostBoundary Inbound TCP 5900• One of the specified protocols Transmission

Control Protocol (TCP) or User DatagramProtocol (UDP).

This example allows VNC access from allmachines. • The specified port.

Adds to the Boundary Device list the IP addressof a device that has the following configuration:

cscript ICMNetworkIsolation.vbe/addIPAddrBoundary <IP address><Outbound|Inbound> <TCP|UDP|ICMP|Any>[All|PortNumber] • (required) The specified IP address.

For example: • (required) One of the specified trafficdirections (outbound or inbound).


addIPAddrBoundary 10.86.121.160

Outbound Any

• (required) One of the specified protocols(required): Transmission Control Protocol(TCP), User Datagram Protocol (UDP),Internet Control Message Protocol (ICMP),or any protocol.

This example allows all outbound traffic to adevice with the specified IP address.


37




• (optional) any port or a specified port if theselected protocol is TCP or UDP.

Adds to the Boundary Device list the subnetthat has the following configuration:

cscript ICMNetworkIsolation.vbe/addSubnetBoundary <StartingIP address><Subnet Mask> <Outbound|Inbound><TCP|UDP|ICMP|Any> [All|PortNumber] • (required) The starting IP address of the

following specified range.For example:

• (required) The specified subnet mask (a rangeof logical addresses within an address space).cscript ICMNetworkIsolation.vbe /

addSubnetBoundary

10.86.0.0.255.255.0.0 Inbound TCP

42028

• (required) One of the specified trafficdirections (outbound or inbound).

This example allows a CTI OS Server to listen foragent desktops on the 10.86.x.x network.

• (required) One of the specified protocolsTransmission Control Protocol (TCP), UserDatagram Protocol (UDP), Internet ControlMessage Protocol (ICMP), or any protocol.

• (optional) any port or a specified port if TCPor UDP is selected as the protocol.

Removes from the Boundary Device list thetype of device specified.

cscript ICMNetworkIsolation.vbe/removeBoundary DNS|WINS|DHCP|GATEWAY

REMOVEBOUNDARY

The type can be specified as DNS, WINS,DHCP, or GATEWAY.

For example:


removeBoundary GATEWAY The utility recognizes DNS, WINS, DHCP, andGATEWAY as the Domain Name System(DNS) device, the Windows Internet NameService (WINS) device, the Dynamic HostConfiguration Protocol (DHCP) device, and thedefault Gateway (GATEWAY) devicerespectively.

The Windows operating system dynamicallydetects a change in IP address for each of thepreceding types of devices and dynamicallyupdates the Boundary filter list accordingly.

Removes from the Boundary Device list anyhost device at the specified IP address thatmatches the following criteria:

cscript ICMNetworkIsolation.vbe/removeAnyHostBoundary <Outbound|Inbound><TCP|UDP> <PortNumber>

For example: • One of the specified traffic directions(outbound or inbound).


38





removeAnyHostBoundary Inbound TCP

5900

• One of the specified protocols (TCP or UDP).

• The specified port number for internet traffic.

Removes from the Boundary Device list thedevice at the specified IP address that has thefollowing configuration:

cscript ICMNetworkIsolation.vbe/removeIPAddrBoundary <IP address><Outbound|Inbound> <TCP|UDP|ICMP|Any>[All|PortNumber]

• (required) The specified IP address.For example:

(required) One of the specified trafficdirections (outbound or inbound).cscript ICMNetworkIsolation.vbe /

removeIPAddrBoundary 10.86.121.160

Outbound Any • (required) One of the specified protocols(TCP, UDP, ICMP, or any protocol).

• (optional) any port or a specified port if TCPor UDP is the specified protocol.

Removes from the Boundary Device list all thedevices at the specified IP address that have thefollowing configuration:

cscript ICMNetworkIsolation.vbe/removeSubnetBoundary <StartingIP address><Subnet Mask> <Outbound|Inbound><TCP|UDP|ICMP|Any> [All|PortNumber]

• (required) The starting IP address of thefollowing specified range.For example:


removeSubnetBoundary

10.86.0.0.255.255.0.0 Inbound Any

• (required) The specified subnet mask.

• (required) One of the specified trafficdirections (outbound or inbound).

• (required) One of the specified protocols(TCP, UDP, ICMP, or any protocol).

• (optional) a port or a specified port.

Disables the Unified ICM Network IsolationIPsec policy on the computer. However, thepolicy is not deleted and it can be re-enabled.


disablePolicy

DISABLE POLICY

This option is helpful when troubleshootingnetwork problems.

If you are having a network connectivityproblem with your contact center application,and you do not know what is causing theproblem, you might want to disable the policyto help you clarify the source of your problem.If you are still having the problem with the


39




policy disabled, then the policy is not the causeof your problem.

Deletes the Unified ICM Network IsolationSecurity policy from the Windows IPsec policy


deletePolicy

DELETE POLICY

store and renames the XML file toCiscoICMIPsecConfig.xml.lastconfig.

How to Monitor the Network Security

Use IP Security Monitor (ipsecmon) to monitor IPsec on a Windows device 2003 operatingsystem. Details on the use of IPsec Monitor can be found in the article KB 324269 (http://support.microsoft.com/kb/324269)

Troubleshooting the Network Isolation IPsec Policy

Following are the steps to troubleshoot the Network Isolation IPsec policy:

1. Disable the policy and confirm whether the network problem you experienced still exists.

Shutting down the policy might not be an option on a highly distributed system. So, it isvery important that the policy is deployed after the Unified ICM application is completelyconfigured and tested.

2. Check whether an IP address or port specified in the Boundary Device list was modifiedafter the policy was deployed.

3. Check whether a communication path is set as Trusted and Boundary.

An overlap of both will cause communication to fail.

4. Confirm by looking in the <systemdrive>:\CiscoUtils\NetworkIsolation\CiscoICMIPsecConfig.XML file whether the requiredBoundary Devices are listed as Boundary Devices. Preferably, use the Security Wizard(see Applying Security with the Cisco Unified Contact Center Security Wizard (page 75))to check the Boundary Devices.

5. Changes made to the IPsec policy directly from the Windows MMC console are notreflected in the utility (or in the Security Wizard) .

The Enable Policy option will always overwrite the IPsec policy store with the configurationstored in the XML file.

6. Check for the caveats listed in Caveats (page 34).


40


How to Monitor the Network Security


Windows Server 2003 and Windows Server 2008R2 Firewall ConfigurationWindows Server 2003 SP2+ and Windows Server 2008 R2 include Windows Firewall. WindowsFirewall is a stateful host firewall that drops all unsolicited incoming traffic; that is to say, trafficthat is not sent in response to a request of the computer (solicited traffic), or traffic that has notbeen specified as allowed (excepted traffic). This behavior of Windows Firewall provides alevel of protection from malicious users and programs that use unsolicited incoming traffic toattack computers.

Note: Unless otherwise noted, the instructions in this chapter pertain to both Windows Server2003 SP2+ and Windows Server 2008 R2 SP1+.

More information can be found in the Microsoft Windows Firewall Operations Guide (http://technet.microsoft.com/en-us/library/cc739696(WS.10).aspx).

If you are using IPsec, consult the following Microsoft TechNet article on Managing IPSecand Multicast Settings (http://technet.microsoft.com/en-us/library/cc779589(WS.10).aspx).

Note: Windows Firewall is disabled by default on systems that have been upgraded to SP1.Systems that have a new installation of Windows Server 2003 that already include SP2 (knownas a slipstream installation) and Windows Server 2008 R2 have Windows Firewall enabled bydefault.

You may enable Windows Firewall on your Unified ICM/Unified CCE Servers; however, youmust ensure that all required ports are open so that the Unified ICM/Unified CCE componentsinstalled on the server can function properly.

Cisco provides a utility to automatically allow all traffic from Unified ICM/Unified CCEapplications on a Windows Server 2003 SP2, Windows Server 2003 R2, and Windows Server2008 R2. Additionally, the utility can open ports for common third-party applications used inthe Unified ICM/Unified CCE environment. The script reads the list of ports in the file%SYSTEMDRIVE%\CiscoUtils\FirewallConfig\CiscoICMfwConfig_exc.xml and


41

Chapter 4




uses the directive contained therein to modify the firewall settings. See below for moreinformation on the CiscoICMfwConfig_exc.xml file.

The utility allows all traffic from Unified ICM/ Unified CCE applications by adding the relevantapplications to the list of excepted programs and services. When the excepted application runs,Windows Firewall monitors the ports on which the program listens and automatically adds thoseports to the list of excepted traffic.

The script can allow traffic from the third-party applications by adding the application portnumber to the list of excepted traffic. However, you must edit the CiscoICMfwConfig_exc.xml file to enable these ports.

Ports/Services enabled by default:

• 80/TCP and 443/TCP - HTTP/HTTPS (when IIS or TomCat (for Web Setup) is installed)

• Microsoft Remote Desktop

• File and Print Sharing Exception (refer to the Microsoft technet article Enable or disablethe File and Printer Sharing exception (http://technet.microsoft.com/en-us/library/cc728347(WS.10).aspx)).

Optional ports you can open:

• 5900/TCP - VNC

• 5800/TCP - Java Viewer

• 21800/TCP - Tridia VNC Pro (encrypted remote control)

• 5631/TCP and 5632/UDP - pcAnywhere

Note: The XML file may be configured to add port based exceptions outside of this list.


• Cisco Firewall Configuration Utility Prerequisites, page 42• Using the Cisco Firewall Configuration Utility, page 43• Verifying New Windows Firewall Settings, page 43• Configuring Windows Server 2003 Firewall to Communicate with Active Directory, page

44• Understanding the CiscoICMfwConfig_exc.xml File, page 47• Troubleshooting Windows Firewall, page 48

Cisco Firewall Configuration Utility Prerequisites

The following must be installed before using the Firewall configuration utility:

1. Windows Server 2003 Service Pack 2 or Windows Server 2008 R2 SP1+


42

Chapter 4: Windows Server 2003 and Windows Server 2008 R2 Firewall Configuration




2. Unified ICM/CCE Version 8.0(1) components

Note: Any subsequent installation of any new component to the Application installation willrequire reconfiguring the Windows Firewall. This involves removing the configuration previouslyapplied and rerunning the Windows firewall configuration utility.

Using the Cisco Firewall Configuration Utility

You can run the Cisco Firewall Configuration Utility either from the command line or from theUnified Contact Center Security Wizard. For instructions on how to run the utility from theSecurity Wizard, see Applying Security with the Cisco Unified Contact Center Security Wizard(page 75).

Warning: If you attempt to run this utility from a remote session, such as VNC, you maybe “locked out” after the firewall starts. If possible, perform any firewall-related work atthe computer because network connectivity may be severed for some remote applications.

Use the Cisco Firewall Configuration Utility on each server running a Unified ICM component.To use the utility:

Step 1 Stop all application services.

Step 2 From a command prompt, on Windows Server 2003 run cscript%SYSTEMDRIVE%\CiscoUtils\FirewallConfig\CiscoICMfwConfig.vbe, or on WindowsServer 2008 R2 run %SYSTEMDRIVE%\CiscoUtils\FirewallConfig\ConfigFirewall.bat.

Step 3 If this is the first time the script has run, then it will run register.bat for Windows Server2003 or configfirewall.bat for Windows Server 2008 R2, and will ask you to rerun theapplication using the same command as above. Rerun the script as if instructed to do so.

Note: When using a Windows Server 2003 system, if you subsequently rerun the script and itsays that it is (again) running for the first time, and to (again) rerun the script, then manuallyrun the register.bat file from the command line.

Step 4 A confirmation dialog box appears. Click OK.

The script verifies the Windows Firewall service is installed, then starts it if it is not running.

It then updates the firewall with the ports and services specified in the file%SYSTEMDRIVE%\CiscoUtils\FirewallConfig\CiscoICMfwConfig_exc.xml

Step 5 Reboot the server.

Verifying New Windows Firewall Settings

You can verify that the Unified ICM components and ports have been added to the WindowsFirewall exception list by following these steps:


43



Step 1 Choose Start > Settings > Control Panel > Windows Firewall when using Windows Server2003, or select Administrative Tools > Windows Firewall with Advanced Security whenusing Windows Server 2008 R2.

The Windows Firewall dialog box appears.

Step 2 Click the Exceptions tab of the Windows Firewall dialog box for Windows Server 2003, orselect the Inbound and Outbound Rules tab of the Windows Firewall dialog box for WindowsServer 2008 R2.

Step 3 Scroll through the list of excepted applications. Several Unified ICM executables now appearon the list as well as any ports or services defined in the configuration file.

Configuring Windows Server 2003 Firewall to Communicate with Active Directory

You need to open up the ports used by domain controllers (DCs) for communication via LDAPand other protocols to ensure Active Directory is able to communicate through a firewall.

Be sure to consult the Microsoft Knowledge Base (KB) KB179442 ( (http://support.microsoft.com/kb/179442/en-us) for important information about configuring firewallfor Domains and Trusts.

To establish secure communications between DCs and Unified ICM Services you need to definethe following ports for outbound and inbound exceptions on the firewall:

• Ports that are already defined

• Variable ports (high ports) for use with Remote Procedure Calls (RPC)

Configuring Domain Controller Ports

The following port definitions must be defined on all DCs within the demilitarized zone (DMZ)that might be replicating to external DCs. It is important that you define the ports on all DCsin the domain.

Restrict FRS Traffic to a Specific Static Port

Be sure to consult the Microsoft Knowledge Base (KB) KB319553 (http://support.microsoft.com/kb/319553/en-us) for more information about restricting File Replication Service (FRS) trafficto a specific static port.

Step 1 Start Registry Editor (regedit.exe).

Step 2 Locate and then click the following key in the registry:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters


44



(http://support.microsoft.com/kb/179442/en-us

http://support.microsoft.com/kb/319553/en-us

Step 3 Add the following registry values:

• New: Reg_DWORD

• Name: RPC TCP/IP Port Assignment

• Value: 10000 (decimal)

Restrict Active Directory Replication Traffic to a Specific Port

Be sure to consult the Microsoft Knowledge Base (KB) KB224196 (http://support.microsoft.com/kb/224196/en-us) for more information about restricting Active Directory replication traffic toa specific port.


Step 2 Locate and then click the following key in the registry:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters


• New: Reg_DWORD

• Name: RPC TCP/IP Port

• Value: 10001 (decimal)

Configure Remote Procedure Call (RPC) Port Allocation

Be sure to consult the Microsoft Knowledge Base (KB) KB154596 (http://support.microsoft.com/kb/154596/en-us ) for more information about configuring RPC port allocation.


Step 2 Locate and then click the following key in the registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc

Step 3 Add the Internet key.


• Ports: MULTI_SZ: 10002-10200

• PortsInternetAvailable: REG_SZ : Y

• UseInternetPorts: REG_SZ : Y


45





Windows Server 2000 and 2003 Firewall Ports

Be sure to consult the Microsoft Knowledge Base (KB) KB179442 (http://support.microsoft.com/kb/179442/en-us ) for a detailed description of the ports that are used to configure a firewall fordomains and trusts.

Table 3: Windows Server 2000 and 2003 Firewall Ports

ServiceProtocolProtocolServer Port

RPC Connector Helper(machines connect to

RPCTCP135

determine which high port touse)

NetBIOS NameUDPTCP137

NetBIOS NetLogon andBrowsing

UDP138

NetBIOS Session139

NTPUDP123

LDAPTCP389

LDAP SSLUDPTCP636

LDAP GC3268

LDAP GC SSL3269

Wins Replication42

DNSUDPTCP53

KerberosUDPTCP88

SMB over IP (Microsoft-DS)UDPTCP445

RPC NTFRSTCP10000

RPC NTDSTCP10001

RPC - Dynamic High OpenPorts

TCP10002 - 10200

ICMP

Testing Connectivity

To test connectivity and show the FRS configuration in Active Directory, use the Ntfrsult tool.

Step 1 From the command line, run the Windows File Replication utility: Ntfrsutl version<server_name>.


46




When communications between the domain controllers are configured properly, the Ntfrsutloutput shows the FRS configuration in Active Directory.

Validating Connectivity

To validate connectivity between the domain controllers, use the Portqry tool.

Visit the following Microsoft Web site to obtain the Portqry tool:http://download.microsoft.com/download/3/f/4/3f4c6a54-65f0-4164-bdec-a3411ba24d3a/PortQryUI.exe(http://download.microsoft.com/download/3/f/4/3f4c6a54-65f0-4164-bdec-a3411ba24d3a/PortQryUIexe).

Step 1 Download the PortQryUI.exe and run the tool.

Step 2 Select the destination CD or PDC.

Step 3 Select Domains and Trusts.

Step 4 Use the response from PortQry to verify the ports are open.

Be sure to consult the Microsoft Knowledge Base (KB) KB832919 (http://support.microsoft.com/kb/832919/en-us ) for more information about PortQry features and functionality.

Understanding the CiscoICMfwConfig_exc.xml File

The CiscoICMfwConfig_exc.xml file is a standard XML file that contains the list of applications,services, and ports that the Cisco Firewall Script uses to modify the Windows Firewall so thatthe firewall works properly in the Unified ICM/Unified CCE environment.

The file consists of three main parts:

• Services—The services that are allowed access through the firewall.

• Ports—The ports that the firewall should open.

This is conditional depending on the installation of IIS in the case of TCP/80 and TCP/443.

• Applications—The applications that are not allowed access through the firewall.

The script automatically excludes all of the applications listed in theCiscoICMfwConfig_exc.xml file.

Note: The behavior of the Applications section is opposite to that of the other two sectionsin the file. The Ports and Services sections allow access, whereas the Application sectiondenies access.


47


Understanding the CiscoICMfwConfig_exc.xml File

http://download.microsoft.com/download/3/f/4/3f4c6a54-65f0-4164-bdec-a3411ba24d3a/PortQryUIexe


You can manually add additional services or ports to the CiscoICMfwConfig_exc.xml file andrerun the script to reconfigure Windows Firewall; for example, if you wanted to allow yourJaguar server connections from port 9000 (CORBA), then you could add a line within the<Ports> part of the file to open port 9000 on the Windows Firewall:

<Port Number="9000" Protocol="TCP" Name="CORBA" />.

Note: This would only be needed if remote Jaguar administration is required. In most cases thisis not needed.

On Windows Server 2003, you could also use the standard Windows Firewall mechanism toadd or deny the ports or applications by clicking the Exceptions tab of the Windows FirewallControl Panel Applet and clicking Add Port or Add Program. On Windows Server 2008 R2,you could use Windows Firewall with Advanced Security to add or deny the ports orapplications.

Some commonly used ports are listed in the file; however they are commented out. In XML,comments (ignored code) are surrounded by the  tags respectively. Anything withinthose tags is ignored. You can easily enable one of the commonly used ports by cutting it outof the commented section and pasting it after the closing comment tag (-->), but before the</Ports> tag.

Troubleshooting Windows Firewall

The following notes and tasks can aid you if you have trouble with Windows Firewall.

Windows Server 2003 General Troubleshooting Notes

Some general troubleshooting notes for Windows Firewall:

1. Running the CiscoICMfwConfig application for the first time requires that it be run twiceto allow for the registration of FirewallLib.dll. In some cases, a time lapse is needed forthe registration to complete, especially on a slower system.

2. If the registration fails, it is possible the .NET framework is not installed correctly. Verifythe following path and files exist:

%windir%\Microsoft.NET\Framework\v1.1.4322\regasm.exe

%windir%\Microsoft.NET\Framework\v1.1.4322\gacutil.exe

3. Change %SYSTEMDRIVE%\CiscoUtils\FirewallConfig\Register.bat as neededto meet the environment.

Windows Firewall Interferes with Router Private Interface Communication

Indication: The MDS fails to connect from the Side-A router to Side-B router on the privateinterface IP Addresses (Isolated) only when the Windows Firewall is enabled.


48



Problem: Windows Firewall is preventing the application (mdsproc.exe) from sending trafficto the remote host on the private network.

Recommended Action: Configure static routes on both Side-A and Side-B routers for theprivate addresses (high and non-high).

Windows Firewall Shows Dropped Packets but no Unified ICM or Unified CCE Failures Are Evident

Indication: The Windows Firewall Log shows dropped packets but the Unified ICM andUnified CCE applications do not exhibit any application failures.

Problem: The Windows Firewall is designed to log any and all traffic destined to the host whenthe traffic either is not allowed or it is sent to a port that no allowed application is listening on.

Recommended Action: Review the pfirewall.log file closely to determine the source anddestination IP Addresses and Ports. Use netstat or tcpview to determine what processeslisten/connect on what ports.

Undo Firewall Settings

You can use the firewall configuration utility to undo the last application of the firewall settings.You will need the CiscoICMfwConfig_undo.xml file.

Note: The undo file is written only if the configuration is completed successfully. Manualcleanup may be necessary using the Windows Firewall Control Panel Applet if this file doesnot exist.

To undo the firewall settings:

Step 1 Stop all application services.

Step 2 Open a command window by choosing Start > Run and entering CMD in the dialog window.Click OK.

Step 3 Enter the following command cd %SYSTEMDRIVE%\CiscoUtils\FirewallConfig

Step 4 Enter cscript CiscoICMfwConfig.vbe undo for Windows Server 2003, or enterUndoConfigFirewall.bat for Windows Server 2008 R2.



49




50



Automated Security Hardening Settings on WindowsServer 2003The Unified ICM/CCE and Unified SCCE Setup programs can automatically apply a majorityof the Cisco-recommended Windows hardening settings on Windows Server 2003 Systems withService Pack 2 or later.

Note: Automated security hardening is not supported on Windows Server 2008 R2.

Unified ICM/CCE is qualified to work only on a standard retail (or OEM) packaged installationof Windows Server 2003 (Standard or Enterprise), with or without Cisco Security Hardening.Cisco provides its own security hardening policy to secure the standard Windows image forUnified ICM/CCE. Cisco does not support Unified ICM/CCE on a customized Windows image(that is, a corporate image) or when custom security hardening has been applied. Customizedimage of the Windows operating system or customer security hardening can cause the UnifiedICM/CCE application to fail.

The settings detailed below are automatically applied when you choose to use the automatedhardening feature in setup. All of the following settings appear under the ComputerConfiguration > Windows Settings > Security Settings category of settings.

In addition to automatically applying the settings during setup, the script can be used to upgradethe current ICM security template if there is one already installed, and it can roll back thetemplate to previous versions of the security settings. The script can also roll back the securitysettings to the settings originally on the server before any security settings were applied.

Note: The ICM Security Hardening template enables FIPS complaint encryption policy. Thisimpacts the following areas of the operating system that can impact Unified ICM operation:

• Microsoft Internet Information Services (IIS)

• Microsoft Internet Explorer

• Terminal Services using the Remote Desktop Connection


51

Chapter 5

For more information on how FIPS compliancy affects:

• The Microsoft operating system, see the Microsoft Knowledge Base (KB) article KB811833(http://support.microsoft.com/kb/811833).

• Unified ICM, see Cisco SSL Encryption Utility (page 103).

• Terminal Services, see Remote Administration (page 127).


• Applying/Removing ICM Security Settings, page 52• Account Policies Settings, page 54• Local Policies, page 55• Event Log, page 65• System Services, page 65• Registry, page 72• File System, page 73

Applying/Removing ICM Security Settings

There are several ways in which you can install, upgrade, and roll back security settings:

Applying ICM Security Settings During Setup

The Unified ICM and Unified SCCE Setup applications determine if ICM Security Hardeningis applied, and if it is not, prompt you to apply ICM security settings during Unified ICMinstallation. Choosing Yes applies the ICM security settings as defined in the current securitytemplate. Choosing No results in no security setting changes.

If ICM Security Hardening is already applied, but the template version of the security settingsis older than the one available to Web Setup tool, Setup prompts you to update the securitysettings to the new template version. Choosing YES applies the new version of the securitysettings, while at the same time creating a rollback script so you can revert to the earlier templatesettings at a later time. Choosing No results in no security settings being changed.

Manually Installing Cisco ICM Security Settings

On Windows Server 2003 you can run the Security Hardening Utility either from the commandline or from the Unified Contact Center Security Wizard. For instructions on how to run theutility from the Security Wizard, see Applying Security with the Cisco Unified Contact CenterSecurity Wizard (page 75).

You can manually install the latest Cisco ICM security settings template at any time by runningthe ICMSecurityHardening VBS script. The script is located in%SYSTEMDRIVE%\CiscoUtils\SecurityTemplates.


52

Chapter 5: Automated Security Hardening Settings on Windows Server 2003



Note:

• You must use cscript from the command line to invoke the script.

• This script is not supported on Windows Server 2008 R2.

To manually apply a Cisco ICM Security Setting template:

Step 1 From the command line type in cscript%SYSTEMDRIVE%\CiscoUtils\SecurityTemplates\ICMSecurityHardening.vbe

HARDEN


Rolling Back Security Settings

You can manually roll back to a previous version of the system security settings to prior securitystate by using the ICMSecurityHardening script. Each time the security hardening script is runa rollback file is created. The “1” extension denotes that it is the baseline settings for the serverbefore hardening was applied. A new rollback file is created with each subsequent update ofthe security template. The are numbered consecutively, “2”, “3”, “4”, and so on.

Warning: The ICMSecurityHardening script cannot roll back changes made to RegistryValues and File System security settings.

To roll back to a previous version of the security settings:

Step 1 If: You want to roll back all the settings contained in a security template:

Then: From the command line type in cscript%SYSTEMDRIVE%\CiscoUtils\SecurityTemplates\ICMSecurityHardening.vbe

ROLLBACK <ROLLBACKFILE>

If: You want to only roll back settings in a particular area:

Then: From the command line type in cscript%SYSTEMDRIVE%\CiscoUtils\SecurityTemplates\ICMSecurityHardening.vbe

ROLLBACK <ROLLBACKFILE> <AREA>

Where <ROLLBACKFILE> is the name of the file from which you want to roll back the settings.and <AREA> is one of the following section names; SECURITYPOLICY, USER_RIGHTS,SERVICES


See Also

Account Policies Settings on page 54


53



Local Policies on page 55Event Log on page 65System Services on page 65

Account Policies Settings

The following settings are applied in Computer Configuration > Windows Settings > AccountPolicies.

Note: Account policies are overwritten by the domain policy by default. Applying the CiscoUnified ICM Security Template has no effect. These settings are only significant when themachine is not a member of a domain. Cisco recommends that you set the Default DomainGroup Policy with these settings.

When a value is listed as Not Defined it means that the setting is not changed from what waspreviously set before the automated hardening script runs.

The security settings can be viewed in the Local Security Policy Snap-in.

Password PolicyTable 4: Password Policy Settings

Value: 8.0(1)Setting

24 passwords rememberedEnforce password history

90 daysMaximum password age

1 dayMinimum password age

12 charactersMinimum password length

EnabledPasswords must meet complexity requirements

DisabledStore password using reversible encryption forall users in the domain

Account Lockout PolicyTable 5: Lockout Policy Settings


15 minutesAccount lockout duration

3 invalid logon attemptsAccount lockout threshold


54


Account Policies Settings


15 minutesReset account lockout counter after

Kerberos PolicyTable 6: Kerberos Policy Settings


Not DefinedEnforce user logon restrictions

Not DefinedMaximum lifetime for service ticket

Not DefinedMaximum lifetime for user ticket

Not DefinedMaximum lifetime for user ticket renewal

Not DefinedMaximum tolerance for computer clocksynchronization

Local Policies

Audit PolicyTable 7: Audit Policy Settings


Success, FailureAudit account logon events

Success, FailureAudit account management

Not definedAudit directory service access

Success, FailureAudit logon events

FailureAudit object access

Success, FailureAudit policy change

FailureAudit privilege use

Not definedAudit process tracking

Success, FailureAudit system events


55


Local Policies

User Rights AssignmentTable 8: User Rights Settings


Not DefinedAccess this computer from the network(SeNetworkLogonRight)

Not DefinedAct as part of the operating system(SeTcbPrivilege)

AdministratorsAdd workstations to domain(SeMachineAccountPrivilege)

LOCAL SERVICE,NETWORK SERVICE,Administrators

Adjust memory quotas for a process(SeIncreaseQuotaPrivilege)

NullAllow logon locally (SeInteractiveLogonRight)

AdministratorsAllow logon Through Terminal Services(SeRemoteInteractiveLogonRight)

AdministratorsBack up files and directories (SeBackupPrivilege)

UsersBypass traverse checking(SeChangeNotifyPrivilege)

AdministratorsChange the system time (SeSystemTimePrivilege)

AdministratorsCreate a pagefile (SeCreatePagefilePrivilege)

NullCreate a token object (SeCreateTokenPrivilege)

Not DefinedCreate global objects (SeCreateGlobalPrivilege)

NullCreate permanent shared objects(SeCreatePermanentPrivilege)

AdministratorsDebug programs (SeDebugPrivilege)

ANONYMOUS LOGON; Built-inAdministrator; Guest; Guests;Support_388945a0

Deny access to this computer from the network(SeDenyNetworkLogonRight)

Guest; Guests; Support_388945a0Deny logon as a batch job(SeDenyBatchLogonRight)


56


Local Policies


NullDeny logon as a service(SeDenyServiceLogonRight)

GuestsDeny logon locally(SeDenyInteractiveLogonRight)

Built-in Administrator; Guest; Guests;Support_388945a0

Deny log on Through Terminal Services(SeDenyRemoteInteractiveLogonRight)

AdministratorsEnable computer and user accounts to be trustedfor delegation (SeEnableDelegationPrivilege)

AdministratorsForce shutdown from a remote system(SeRemoteShutdownPrivilege)

LOCAL SERVICE,NETWORK SERVICEGenerate security audits (SeAuditPrivilege)

Not DefinedImpersonate a client after authentication(SeImpersonatePrivilege)

AdministratorsIncrease scheduling priority(SeIncreaseBasePriorityPrivilege)

AdministratorsLoad and unload device drivers(SeLoadDriverPrivilege)

AdministratorsLock pages in memory (SeLockMemoryPrivilege)

NullLog on as a batch job (SeBatchLogonRight)

Not DefinedLog on as a service (SeServiceLogonRight)

AdministratorsManage auditing and security log(SeSecurityPrivilege)

AdministratorsModify firmware environment values(SeSystemEnvironmentPrivilege)

AdministratorsPerform Volume Maintenance Tasks(SeManageVolumePrivilege)

AdministratorsProfile single process(SeProfileSingleProcessPrivilege)


57


Local Policies


AdministratorsProfile system performance(SeSystemProfilePrivilege)

AdministratorsRemove computer from docking station(SeUndockPrivilege)

LOCAL SERVICE,NETWORK SERVICEReplace a process level token(SeAssignPrimaryTokenPrivilege)

AdministratorsRestore files and directories (SeRestorePrivilege)

AdministratorsShut down the system (SeShutdownPrivilege)

NullSynchronize directory service data(SeSynchAgentPrivilege)

AdministratorsTake ownership of files or other objects(SeTakeOwnershipPrivilege)

Security Options

Most of the following settings can be viewed by running secpol.msc on a Windows Server2003; however, not all MSS settings are shown by default. Consult the Threats andCountermeasures: Security Settings in Windows Server 2003 and Windows XP document, whichis available at microsoft.com, for details on viewing all of the available security settings in theMicrosoft Local Security Settings console.

Note: ICM Security Hardening will rename the local Administrator account to xAdministrator.Therefore, any service running under the local Administrator account will fail to start after thesystem is hardened. As a secure practice, avoid using the local Administrator account for anyservice. However, if you must use the local Administrator account, then you must change theaccount username for the service to continue function after hardening is applied.

Table 9: Security Options Settings


Not DefinedAccounts: Administrator account status

DisabledAccounts: Guest account status

EnabledAccounts: Limit local account use of blankpasswords to console logon only

xadministratorAccounts: Rename administrator account


58


Local Policies

microsoft.com


xguestAccounts: Rename guest account

DisabledAudit: Audit the access of global system objects

DisabledAudit: Audit the use of Backup and Restoreprivilege

Not definedAudit: Shut down system immediately if unableto log security audits

DisabledDevices: Allow undock without having to log on

AdministratorsDevices: Allowed to format and eject removablemedia

EnabledDevices: Prevent users from installing printerdrivers

EnabledDevices: Restrict CD-ROM access to locallylogged-on user only

EnabledDevices: Restrict floppy access to locallylogged-on user only

Warn but allow installationDevices: Unsigned driver installation behavior

Not DefinedDomain controller: Allow server operators toschedule tasks

Not DefinedDomain controller: LDAP server signingrequirements

Not DefinedDomain controller: Refuse machine accountpassword changes

Not DefinedDomain member: Digitally encrypt or sign securechannel data (always)

EnabledDomain member: Digitally encrypt secure channeldata (when possible)

EnabledDomain member: Digitally sign secure channeldata (when possible)


59


Local Policies


DisabledDomain member: Disable machine accountpassword changes

30 daysDomain member: Maximum machine accountpassword age

EnabledDomain member: Require strong (Windows Server2003 or later) session key

EnabledInteractive logon: Do not display last user name

DisabledInteractive logon: Do not requireCTRL+ALT+DEL

This system is restricted to authorized users.Individuals attempting unauthorized accesswill be prosecuted.

Interactive logon: Message text for usersattempting to log on

IT IS AN OFFENSE TO CONTINUEWITHOUT PROPER AUTHORIZATION.

Interactive logon: Message title for usersattempting to log on

0 logonsInteractive logon: Number of previous logons tocache (in case domain controller is not available)

14 daysInteractive logon: Prompt user to change passwordbefore expiration

EnabledInteractive logon: Require Domain Controllerauthentication to unlock workstation

Not DefinedInteractive logon: Require smart card

Lock WorkstationInteractive logon: Smart card removal behavior

Not DefinedMicrosoft network client: Digitally signcommunications (always)

EnabledMicrosoft network client: Digitally signcommunications (if server agrees)

DisabledMicrosoft network client: Send unencryptedpassword to third-party SMB servers

15 minutesMicrosoft network server: Amount of idle timerequired before suspending session


60


Local Policies


EnabledMicrosoft network server: Digitally signcommunications (always)

EnabledMicrosoft network server: Digitally signcommunications (if client agrees)

EnabledMicrosoft network server: Disconnect clients whenlogon hours expire

DisabledNetwork access: Allow anonymous SID/Nametranslation

EnabledNetwork access: Do not allow anonymousenumeration of SAM accounts

EnabledNetwork access: Do not allow anonymousenumeration of SAM accounts and shares

EnabledNetwork access: Do not allow storage ofcredentials or .NET Passports for networkauthentication

DisabledNetwork access: Let Everyone permissions applyto anonymous users

Not DefinedNetwork access: Named Pipes that can be accessedanonymously

Not DefinedNetwork access: Remotely accessible registrypaths

Not DefinedNetwork access: Remotely accessible registrypaths and subpaths

EnabledNetwork access: Restrict anonymous access toNamed Pipes and Shares

Not DefinedNetwork access: Shares that can be accessedanonymously

Classic—local users authenticate asthemselves

Network access: Sharing and security model forlocal accounts

EnabledNetwork security: Do not store LAN Managerhash value on next password change


61


Local Policies


EnabledNetwork security: Force logoff when logon hoursexpire

Send NTLMv2 response only\refuse LM &NTLM

Network security: LAN Manager authenticationlevel

Negotiate signingNetwork security: LDAP client signingrequirements

Require 128-bit encryptionNetwork security: Minimum session security forNTLM SSP based (including secure RPC) clients

Require 128-bit encryptionNetwork security: Minimum session security forNTLM SSP based (including secure RPC) servers

DisabledRecovery console: Allow automatic administrativelogon

DisabledRecovery console: Allow floppy copy and accessto all drives and all folders

DisabledShutdown: Allow system to be shut down withouthaving to log on

EnabledShutdown: Clear virtual memory pagefile

User must enter a password each time theyuse a key

System cryptography: Force strong key protectionfor user keys stored on the computer

EnabledSystem cryptography: Use FIPS compliantalgorithms for encryption, hashing, and signing

Not DefinedSystem objects: Default owner for objects createdby members of the Administrators group

EnabledSystem objects: Require case insensitivity fornon-Windows subsystems

EnabledSystem objects: Strengthen default permissionsof internal system objects (e.g. Symbolic Links)

Not DefinedSystem settings: Use Certificate Rules onWindows Executables for Software RestrictionPolicies


62


Local Policies


10MSS: (AFD DynamicBacklogGrowthDelta)Number of connections to create when additionalconnections are necessary for Winsockapplications (10 recommended)

Note: MSS settings are not displayed by defaultin the Local Security Policy or Security Templatessnap-in. Manual configuration is required toimplement this.

EnabledMSS: (AFD EnableDynamicBacklog) Enabledynamic backlog for Winsock applications(recommended)

20000MSS: (AFD MaximumDynamicBacklog)Maximum number of ‘quasi-free’ connections forWinsock applications

20MSS: (AFD MinimumDynamicBacklog)Minimum number of free connections for Winsockapplications (20 recommended for systems underattack, 10 otherwise)

DisabledMSS: (AutoAdminLogon) Enable AutomaticLogon (not recommended)

DisabledMSS: (AutoShareWks) Enable AdministrativeShares (not recommended except for highly secureenvironments)

Highest Protection, source routing isautomatically disabled.

MSS: (DisableIPSourceRouting) IP source routingprotection level (protects against packet spoofing)

EnabledMSS: (DisableSavePassword) Prevent the dial-uppassword from being saved (recommended)

DisabledMSS: (EnableDeadGWDetect) Allow automaticdetection of dead network gateways (could leadto DoS)

DisabledMSS: (EnableICMPRedirect) Allow ICMPredirects to override OSPF generated routes

DisabledMSS: (EnablePMTUDiscovery) Allow automaticdetection of MTU size (possible DoS by anattacker using a small MTU)


63


Local Policies


Not Defined - (not recommended except forhighly secure environments)

MSS: (Hidden) Hide Computer From the BrowseList

300000 or 5 minutes (recommended)MSS: (KeepAliveTime) How often keep-alivepackets are sent in milliseconds

Not DefinedMSS: (NoDefaultExempt) EnableNoDefaultExempt for IPsec Filtering(recommended)

255, disable autorun for all drivesMSS: (NoDriveTypeAutoRun) Disable Autorunfor all drives

EnabledMSS: (NoNameReleaseOnDemand) Allow thecomputer to ignore NetBIOS name releaserequests except from WINS servers

DisabledMSS: (NtfsDisable8dot3NameCreation) Enablethe computer to stop generating 8.3 style filenames

DisabledMSS: (PerformRouterDiscovery) Allow IRDP todetect and configure DefaultGateway addresses(could lead to DoS)

EnabledMSS: (SafeDllSearchMode) Enable Safe DLLsearch mode (recommended)

0MSS: (ScreenSaverGracePeriod) The time inseconds before the screen saver grace periodexpires (0 recommended)

Connections time sooner if a SYN attack isdetected by the server

MSS: (SynAttackProtect) Syn attack protectionlevel (protects against DoS)

3 & 6 seconds, half-open connectionsdropped after 21 seconds

MSS:(TCPMaxConnectResponseRetransmissions)SYN-ACK retransmissions when a connectionrequest is not acknowledged

3MSS: (TCPMaxDataRetransmissions) How manytimes unacknowledged data is retransmitted (3recommended, 5 is default)

5MSS: (TCPMaxPortsExhausted) How manydropped connect requests to initiate SYN attackprotection (5 is recommended)


64


Local Policies


90%MSS: (WarningLevel) Percentage threshold forthe security event log at which the system willgenerate a warning

Event Log

Table 10: Event Log Settings


81920 kilobytesMaximum application log size

81920 kilobytesMaximum security log size

81920 kilobytesMaximum system log size

EnabledRestrict guest access to application log

EnabledRestrict guest access to security log

EnabledRestrict guest access to system log

Seven daysRetain application log

Seven daysRetain security log

Seven daysRetain system log

As NeededRetention method for application log

As NeededRetention method for security log

As NeededRetention method for system log

System Services

Note: ICM Security Template modifies permissions for the Alerter and ClipBook services. TheAdministrators group and the SYSTEM group permissions for the Alerter and ClipBook servicesare set to allow full control; all other permissions are revoked.


65


Event Log

Settings for System Services

Table 11: System Services Settings

Startup TypeService NameFull Service Name

DisabledCORRTSvc.NET Framework Support Service

DisabledAlerterAlerter

DisabledALGApplication Layer Gateway Service

DisabledAppMgmtApplication Management

Disabledaspnet_stateASP .NET State Service

AutomaticwuauservAutomatic Updates

ManualBITSBackground Intelligent TransferService

DisabledCertSvcCertificate Services

DisabledNWCWorkstationClient Service for NetWare

DisabledClipSrvClipBook

DisabledClusSvcCluster Service

ManualCOMSysAppCOM+ System Application

AutomaticEventSystemCOM+Event Services

DisabledBrowserComputer Browser

AutomaticCryptSvcCyrptographic Services

AutomaticDcomLaunchDCOM Server Process Launcher

AutomaticDhcpDHCP Client

DisabledDHCPServerDHCP Server

DisabledDfsDistributed File System


66


System Services


DisabledTrkWksDistributed Link Tracking Client

DisabledTrkSvrDistributed Link Tracking Server

ManualMSDTCDistributed Transaction Coordinator

AutomaticDnscacheDNS Client

DisabledDNSDNS Server

DisabledERSvcError Reporting Service

AutomaticEventlogEvent Log

DisabledFastUserSwitchingCompatibilityFast User Switching Compatibility

DisabledFaxFax Service

DisabledNtFrsFile Replication

DisabledMacFileFile Server for Macintosh

DisabledMSFtpsvcFTP Publishing Service

DisabledhelpsvcHelp and Support

Not DefinedHTTPFilterHTTP SSL

DisabledHidServHuman Interface Device Access

DisabledIASJetIAS Jet Database Access

Not DefinedIISADMINIIS Admin Service

DisabledImapiServiceIMAPI CD-Burning COM Service

DisabledcisvcIndexing Service

DisabledIrmonInfrared Monitor

DisabledIASInternet Authentication Service


67


System Services


AutomaticSharedAccessInternet Connection Firewall(ICF)/Internet Connection Sharing(ICS)

Not DefinedIsmServIntersite Messaging

Disabled6to4IP Version 6 Helper Service

AutomaticPolicyAgentIPSec Policy Agent (IPSec Service)

Not DefinedKdcKerberos Key Distribution Center

DisabledSALDMLED/LCD Manager

DisabledLicenseServiceLicense Logging Service

ManualdmserverLogical Disk Manager

ManualDmadminLogical Disk ManagerAdministrative Service

Not DefinedmsmqMessage Queuing

DisabledmqdsMessage Queuing Down LevelClients

DisabledMqtgsvcMessage Queuing Triggers

DisabledMessengerMessenger

DisabledPOP3SVCMicrosoft POP3 Service

ManualSwPrvMS Software Shadow Copy Provider

DisabledMSSEARCHMSSEARCH

DisabledMSSQL$UDDIMSSQL$UDDI

DisabledMSSQLServerADHelperMSSQLServerADHelper

AutomaticNetlogonNetlogon

DisabledmnmsrvcNetMeeting Remote Desktop Sharing


68


System Services


ManualNetmanNetwork Connections

DisabledNetDDENetwork DDE

DisabledNetDDEdsdmNetwork DDE DSDM

ManualNLANetwork Location Awareness (NLA)

DisabledNntpSvcNetwork News Transfer Protocol(NNTP)

DisabledxmlprovNetwork Provisioning Service

AutomaticNtLmSspNTLM Security Support Provider

ManualSysmonLogPerformance Logs and Alerts

AutomaticPlugPlayPlug and Play

DisabledWmdmPmSNPortable Media Serial Number

DisabledMacPrintPrint Server for Macintosh

Not DefinedSpoolerPrint Spooler

AutomaticProtectedStorageProtected Storage

DisabledRasAutoRemote Access Auto ConnectionManager

ManualRasManRemote Access Connection Manager

DisabledsrvcSurgRemote Administration Service

DisabledRDSessMgrRemote Desktop Help SessionManager

DisabledBINLSVCRemote Installation

AutomaticRpcSsRemote Procedure Call (RPC)

Not DefinedRpcLocatorRemote Procedure Call (RPC)Locator


69


System Services


AutomaticRemoteRegistryRemote Registry Service

DisabledappmgrRemote Server Manager

DisabledAppmonRemote Server Monitor

DisabledRemote_Storage_User_LinkRemote Storage Notification

DisabledRemote_Storage_ServerRemote Storage Server

ManualNtmsSvcRemovable Storage

DisabledRSoPProvResultant Set of Policy Provider

DisabledRemoteAccessRouting and Remote Access

DisablednwsapagentSAP Agent

DisabledseclogonSecondary Logon

AutomaticSamSsSecurity Accounts Manager

AutomaticlanmanserverServer

DisabledSPTimerSharePoint Timer Service

DisabledShellHWDetectionShell Hardware Detection

DisabledSMTPSVCSimple Mail Transport Protocol(SMTP)

DisabledSimpTcpSimple TCP/IP Services

DisabledGrovelerSingle Instance Storage Groveler

DisabledSCardSvrSmart Card

DisabledSNMPSNMP Service

DisabledSNMPTRAPSNMP Trap Service

DisabledSacsvrSpecial Administration ConsoleHelper


70


System Services


Not DefinedSQLAgent$WEBDBSQLAgent$* (* UDDI or WebDB)

AutomaticSENSSystem Event Notification

AutomaticScheduleTask Scheduler

AutomaticLmHostsTCP/IP NetBIOS Helper Service

DisabledLPDSVCTCP/IP Print Server

Not DefinedTapiSrvTelephony

DisabledTlntSvrTelnet

ManualTermServiceTerminal Services

DisabledTermServLicensingTerminal Services Licensing

DisabledTssdisTerminal Services Session Directory

DisabledThemesThemes

DisabledtftpdTrivial FTP Daemon

Not DefinedUPSUninterruptible Power Supply

DisabledUploadmgrUpload Manager

DisabledVDSVirtual Disk Service

ManualVSSVolume Shadow Copy

DisabledelementmgrWeb Element Manager

DisabledWebClientWebClient

DisabledAudioSrvWindows Audio

Not DefinedSharedAccessWindows Firewall/InternetConnection Sharing

DisabledStiSvcWindows Image Acquisition (WIA)

ManualMSIServerWindows Installer


71


System Services


DisabledWINSWindows Internet Name Service(WINS)

AutomaticwinmgmtWindows ManagementInstrumentation

ManualWmiWindows ManagementInstrumentation Driver Extensions

DisabledWmcCdsWindows Media Connect

DisabledWmcCdsLsWindows Media Connect (WMC)Helper Service

DisabledWMServerWindows Media Services

DisabledWindowsSystemResourceManagerWindows System Resource Manager

AutomaticW32TimeWindows Time

DisabledUMWdfWindows User Mode DriverFramework

DisabledWinHttpAutoProxySvcWinHTTP Web ProxyAuto-Discovery Service

DisabledWinSIPWinSIP

DisabledWZCSVCWireless Configuration

ManualWmiApSrvWMI Performance Adapter

AutomaticlanmanworkstationWorkstation

Not DefinedW3SVCWorld Wide Web Publishing Service

Registry

The ICM Security template modifies the access auditing for the following registry keys.

Warning: The ICMSecurityHardening script cannot roll back changes made to Registryauditing.


72


Registry

Table 12: Registry Keys

AuditingGroup or User NameObject Name

Access FailureEveryoneHKLM\Software

Access FailureEveryoneHKLM\System

File System

The ICM security template modifies the access auditing for the following files.

Warning: The ICMSecurityHardening script cannot roll back changes made to File Systemaccess permissions.

Table 13: Files with Modified Access Auditing

PermissionsGroup or User NameObject Name

Full Control (Thisfolder, subfolders andfiles)

Administrator, SYSTEM%SystemDrive%

Full Control (Subfoldersand files only)

CREATOR OWNER%SystemDrive%

Read and Execute (Thisfolder, subfolders andfiles)

Users%SystemDrive%

Full ControlAdministrator, SYSTEMarp.exe

Full ControlAdministrator, SYSTEMat.exe

Full ControlAdministrator, SYSTEMattrib.exe

Full ControlAdministrator, SYSTEMcacls.exe

Full ControlAdministrator, SYSTEMdebug.exe

Full ControlAdministrator, SYSTEMedlin.exe

Full ControlAdministrator, SYSTEMeventtriggers.exe

Full ControlAdministrator, SYSTEMftp.exe

Full ControlAdministrator, SYSTEMnbtstst.exe

Full ControlAdministrator, SYSTEMnet.exe

Full ControlAdministrator, SYSTEMnet1.exe

Full ControlAdministrator, SYSTEMnetsh.exe

Full ControlAdministrator, SYSTEMnetstat.exe

Full ControlAdministrator, SYSTEMnslookup.exe

Full ControlAdministrator, SYSTEMntbackup.exe

Full ControlAdministrator, SYSTEMrcp.exe


73


File System

PermissionsGroup or User NameObject Name

Full ControlAdministrator, SYSTEMreg.exe

Full ControlAdministrator, SYSTEMregedt.exe

Full ControlAdministrator, SYSTEMregini.exe

Full ControlAdministrator, SYSTEMregsvr32.exe

Full ControlAdministrator, SYSTEMrexec.exe

Full ControlAdministrator, SYSTEMroute.exe

Full ControlAdministrator, SYSTEMrsh.exe

Full ControlAdministrator, SYSTEMsc.exe.exe

Full ControlAdministrator, SYSTEMsecedit.exe

Full ControlAdministrator, SYSTEMsubst.exe

Full ControlAdministrator, SYSTEMsysteminfo.exe

Full ControlAdministrator, SYSTEMtelnet.exe

Full ControlAdministrator, SYSTEMtftp.exe

Full ControlAdministrator, SYSTEMtlntsvr.exe


74


File System

Applying Security with the Cisco Unified ContactCenter Security WizardThis chapter contains the following topics:

• About the Cisco Unified Contact Center Security Wizard, page 75• Configuration and Restrictions, page 76• How to use the Wizard, page 76• Example Security Wizard Usage, page 77• Example Windows Hardening Configuration Panels, page 78• Example Windows Firewall Configuration Panels, page 81• Example Network Isolation Configuration Panels, page 84• Example SQL Hardening Panels, page 88

About the Cisco Unified Contact Center Security Wizard

The Cisco Unified Contact Center Security Wizard is a security deployment tool for UnifiedICM/CCE that simplifies security configuration through its step-by-step wizard-based approach.

The Security Wizard is a new graphical user interface you can use to configure security bymeans of the following Unified ICM/CCE security command-line utilities:

• The Windows Hardening Utility

• The Windows Firewall Utility

• The Network Isolation Utility

• The SQL Hardening Utility


75

Chapter 6

The Windows Hardening and Windows Firewall utility are two command-line security utilitiesthat have existed since the 7.0 release. The Network Isolation Utility was introduced after theICM 7.2 release, and the SQL Hardening utility was introduced in ICM 7.5 release.

For the descriptions of each of these utilities, see the following chapters/sections in this guide:

• Automated Windows Hardening Settings on Windows Server 2003 (page 51)

• Windows Server 2003 Firewall Configuration (page 41)

• Applying IPSec with the Network Isolation Utility (page 75)

• Automated SQL 2005 Hardening (page 99)

Configuration and Restrictions

The following are Security Wizard restrictions:

• While the Security Wizard does not interfere with applications that run on the network, runthe Security Wizard only during the application maintenance window because it can potentiallydisrupt connectivity when you are setting up the network security.

• The Security Wizard works on a Windows Server 2003 platform only.

• The Firewall Configuration Utility and the Network Isolation Utility must be configured afterUnified ICM is installed on the network. For more details, see Windows Server 2003 FirewallConfiguration (page 41) and Applying IPsec with the Network Isolation Utility (page 21).

How to use the Wizard

The Security Wizard is installed by the ICM-CCE-CCH Installer and is placed in the“%SYSTEMDRIVE%\CiscoUtils\UCCSecurityWizard” directory. You must be a serveradministrator to use the features in the Security Wizard.

You can run the wizard using the shortcut installed under Start > Programs > Cisco UnifiedCCE Tools > Security Wizard.

Note:

• When you run the wizard, CSA service must be stopped.

• Before you use the wizard, read the chapters in this guide about each of the utilities includedin the wizard to understand what the utilities do.

When running the Security Wizard, you are provided with a menu list of the security utilities(the Security Hardening, the Windows Firewall, Network Isolation Utility, and SQL Utility),and you run each, one at a time.


76

Chapter 6: Applying Security with the Cisco Unified Contact Center Security Wizard

Configuration and Restrictions

You can go back and forth on any menu selection to understand what each one contains. However,after you click the Next button for any particular feature, then you must either completeconfiguration or click cancel to go back to the Welcome page.

The Security Wizard is self-explanatory; with each utility having an introductory panel,configuration panel or panels, a confirmation panel, and a status panel. The following listprovides brief explanations of these panels:

• Introductory panel:

– Briefly describes what the specific utility does.

– Warns if security utility files are missing or not installed.

– Allows you to switch between utilities until you click the Next button.

• Configuration panel(s): Lists the options you can select to configure the utility and gathersyour configuration input.

• Confirmation panel: Allows you to confirm your configuration choices or to go back andmake changes.

After you have entered all the required input, the confirmation panel is displayed and theNext button is replaced with the Finish button. This indicates that this is your last chance tomake a change to your configuration selections.

After you click finish, you can no longer go back.

• Status panel:

– Displays the configuration command with all of its required arguments.

– Displays the streaming output of the configuration command while it is executing in thebackground.

– Displays “Configuration Complete” and enables the “Go back to Welcome Panel” buttonafter the command execution is complete.

The defaults are set to the recommended values and warnings are displayed if you make aselection that could cause a problem.

In the rare event that the back-end utility script dies, a temporary text file, created in theUCCSecurityWizard folder is not deleted. This text file contains command-line output, and youcan use this file to debug the issue.

Example Security Wizard Usage

The following image shows the Cisco Unified Contact Center Security Wizard introductorypanel.


77


Example Security Wizard Usage

Figure 10: Security Wizard Welcome Window

The Security Wizard requires the command line utilities to be installed on the system to configuresecurity. It will detect if a utility is not installed and notify the user.

The Security Wizard can execute on all Unified ICM or Unified CCE servers but will not executeon a Domain Controller.

Example Windows Hardening Configuration Panels

The following image (figure 11) shows the introductory panel for Windows security hardening.


78



Figure 11: Windows Hardening Introduction Panel

You can switch between utilities until you click the Next button at the bottom of the utilitypanel.

Bolded titles in the left menu bar indicate the selected utility and the selected step within thatutility.

The following image shows the Windows Hardening security template options.

Figure 12: Windows Hardening Template Options Panel

In the Windows Hardening Security Template Options window, you can:


79



• Apply the ICM Security Hardening template.

• Roll back part of or all of a previously applied ICM Security Hardening template.

The Rollback File selection list is dynamically populated. See Automated Security HardeningSettings on Windows Server 2003 (page 51) for complete descriptions of the precedingconfiguration options.

The following image shows the confirmation panel for Windows Hardening.

Figure 13: Windows Hardening Confirmation Panel

At this point, you can still change any configuration selections. After you click Finish, you canno longer change your selections.

The following image (figure 14) shows the Windows Hardening status panel.


80



Figure 14: Windows Hardening Status Panel

The status bar at the top of the panel tells you when the configuration is complete.

You may see some command-line windows open and close. That is normal in some commandwindows as different commands are executed.

Example Windows Firewall Configuration Panels

The following image shows the introductory panel for the Windows Firewall Wizard.

Figure 15: Windows Firewall Wizard Introduction Panel


81



You will get a message in this panel if the selected utility has not been installed on your system.

The following image shows the Firewall configuration panel.

Figure 16: Windows Firewall Configuration Options Panel

In the Security Wizard Firewall Configuration panel, you can:

• Configure a Windows firewall for your Unified ICM or Unified CCE system

• Undo firewall configuration settings that were previously applied

• Restore to Windows Default

Warning: The Default Windows firewall configuration is not compatible with the UnifiedICM application.

• Disable the Windows firewall.

• Edit the Unified ICM Firewall Exceptions XML file. Clicking the Edit ICM FirewallExceptions XML button opens that XML file in Notepad. You must save the file and closeit before continuing with the wizard.

The Window Firewall Configuration Utility:

• Automatically detects Unified ICM components installed and configures the WindowsFirewall accordingly.

Must be executed after the Unified ICM application is installed.

• Can add custom exceptions such as an exception for VNC.

• Is installed by default on all Unified ICM and Unified CCE servers.


82



See Windows Server 2003 Firewall Configuration (page 41) for a complete description of theseconfiguration options.

The following image shows the confirmation panel for Windows Firewall configuration.

Figure 17: Windows Firewall Confirmation Panel

The following image shows the status panel for Windows Firewall configuration.

Figure 18: Windows Firewall Status Panel


83



Example Network Isolation Configuration Panels

The following image shows the introductory panel for the Network Isolation utility.

Figure 19: Network Isolation Introductory Panel

The Security Wizard is the preferred choice for deploying the Network Isolation Utility whenconfiguring it for the first time, or when editing an existing policy.

The Security Wizard interface has the following advantages:

• You can be guided by configuration panels that dynamically change according your input.

• You can browse the current policy.

• You can see the current Network Isolation configuration and edit it if you need to.

• You can add multiple Boundary Devices through a single Security Wizard panel. To addmultiple Boundary Devices in the CLI, you must create a separate command for each devicethat you want to add.

You must run the Network Isolation Utility on every server that will be set as a Trusted Device.There is no need to run the utility on Boundary Devices.

For a complete description of the Network Isolation Utility, see Applying IPsec with the NetworkIsolation Utility (page 21).

The following image (figure 20) shows the configuration panel for Trusted Devices.


84



Figure 20: Trusted Devices Configuration Panel

This panel and the next panel are loaded from the last configuration saved in the XML NetworkIsolation configuration file (not the Windows IPsec policy store), if it is available.

The Trusted Devices panel:

• Shows the current status of the policy.

• Can be used to enable, modify, browse, or disable the policy.

Note:

• To enable or modify a device as Trusted you must enter a Preshared Key of 36characters or more. The length of the key typed in is displayed and updated as youenter it to help you enter the correct length.

• You can permanently delete the Network Isolation Utility policy only through thecommand line.

You must use the same Preshared Key on all Trusted Devices or else network connectivitybetween the Trusted Devices will fail.

The next image (figure 21) shows the Network Isolation Boundary Devices panel.


85



Figure 21: Boundary Device Configuration Panel

The Boundary Device panel (Figure 21) and the preceding panel are loaded from the lastconfiguration saved in the XML Network Isolation configuration file (not the Windows IPsecpolicy store), if it is available.

In the Boundary Devices panel:

• The content of the panel is dynamically modified based on the selection made in the previouspanel:

– If in the previous panel you have disabled the policy, then the panel elements displayedhere are disabled.

– If in the previous panel you have selected the browse option, then only the Boundary Listof devices is enabled for browsing purposes.

• You can add or remove multiple boundary devices.

• You can add dynamically detected devices through check boxes.

• You can add manually specified devices through a port, an IP address, or a subnet. Afterspecifying the device, you must click Add Device to add the device.

The Add button validates the data and checks for duplicate entries before proceeding further.

• You can remove a device from the Boundary Devices by selecting it in the Devices List andclicking Remove Selected.

You can narrow down the exception based on:

• Direction of traffic: Outbound or Inbound


86



• Protocol: TCP, UDP, ICMP

• Any port (only if TCP or UDP selected)

• A specific port or All ports

Figure 22 shows the confirmation panel for the Network Isolation utility.

Figure 22: Network Isolation Confirmation Panel

The following image shows the Network Isolation status panel.

Figure 23: Network Isolation Status Panel


87



Example SQL Hardening Panels

The following image shows the introductory panel for the SQL Hardening utility.

Figure 24: SQL Hardening Introduction Panel

You can use the SQL Hardening wizard to:

• Apply the SQL Server 2005 security hardening.

• Upgrade from a previously applied hardening.

• Roll back previously applied hardening.

For more information on SQL Server hardening, see the section Automated SQL 2005 Hardening(page 99).

Figure 25 shows the SQL Hardening Security Action panel.


88



Figure 25: Security Action Panel

In the SQL Hardening Security Action panel, you can:

• Apply or Upgrade SQL Server 2005 Security Hardening

• Roll back Previously Applied SQL Server 2005 Security Hardening

Note: The Rollback will be disabled if there is no prior history of SQL Server 2005 securityhardening or if the hardening was already rolled back.

Figure 26: SQL Hardening Confirmation Panel


89



Figure 26 shows the SQL Hardening Confirmation panel. At this point, you can still changeany configuration selections, but after you click Finish, you can no longer change your selections.

The following image shows the SQL Hardening status panel.

Figure 27: SQL Hardening Status Panel

The status bar at the top of the panel tells you when the configuration is complete.


90



Updating Microsoft WindowsNote: For the currently supported Windows operating system software, see the latest Hardware& System Software Specification (Bill of Materials) for Cisco Unified ICM/Contact CenterEnterprise & Hosted, Release 8.0(1) available at:http://www.cisco.com/en/US/products/sw/custcosw/ps1001/products_user_guide_list.html(http://www.cisco.com/en/US/products/sw/custcosw/ps1001/products_user_guide_list.html).


• Microsoft Security Updates, page 91• Microsoft Service Pack Policy, page 92

Microsoft Security Updates

Automatically applying security and software update patches from third-party vendors is notwithout risk. Although the risk is generally small, subtle changes in functionality or additionallayers of code may alter the overall performance of Cisco Contact Center products.

Cisco recommends that Contact Center customers assess all security patches released byMicrosoft and install those deemed appropriate for their environments. Customers are specificallycautioned not to automatically enable Microsoft Windows Update. The update schedule canconflict with other Unified ICM/Unified CCE activity. Customers should consider usingMicrosoft Software Update Service or similar patch management products to selectively applyCritical and Important security patches and follow the Microsoft guidelines regarding when andhow they should apply these updates.


91

Chapter 7

http://www.cisco.com/en/US/products/sw/custcosw/ps1001/products_user_guide_list.html

Microsoft Service Pack Policy

Do not automatically apply Microsoft Service Packs for the Operating system or SQL Server.Cisco qualifies service packs through extensive testing and defines compatible service packsin the Hardware & System Software Specification (Bill of Materials) document for each product.

The Microsoft Windows Automatic Update Client can be configured to poll a server that isrunning Microsoft Software Update Services (SUS) or Windows Server Update Services inplace of the default Windows Update website to retrieve updates.

This is the recommended approach to be able to selectively approve updates and determinewhen they get deployed on production servers.

To use Automatic Updates with a server that is running Software Update Services, see theSoftware Update Services Deployment white paper. To view this white paper, visit the followingMicrosoft website: http://www.microsoft.com/windowsserversystem/updateservices/techinfo/previous/susdeployment.mspx

Configuring the Server to use an Alternate Windows Update Server

To configure the server to use an alternate Windows Update server:

Step 1 Select Start > Run and type regedit in the dialog box. Click OK.

Warning: If you use Registry Editor incorrectly, you may cause serious problems thatmay require you to reinstall your operating system. Cisco cannot guarantee that you cansolve problems that result from using the Registry Editor incorrectly. Use the RegistryEditor at your own risk and make backups as appropriate.

Step 2 In regedit, locate and then click the following key in the registry:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Step 3 Edit (or add) the following setting:

Value name: UseWUServer

Registry Value Type: Reg_DWORD

Value data: Set this value to 1 to configure Automatic Updates to use a server that is runningSoftware Update Services instead of Windows Update.

Step 4 To determine the server that is running SUS that your client computers and servers go to fortheir updates, add the following registry values to the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\

Value name: WUServer


92

Chapter 7: Updating Microsoft Windows


http://www.microsoft.com/windowsserversystem/updateservices/techinfo/previous/susdeployment.mspx

http://www.microsoft.com/windowsserversystem/updateservices/techinfo/previous/susdeployment.mspx

Registry Value Type: Reg_SZ

This value sets the SUS server by HTTP name (for example, http://IntranetSUS).

Value name: WUStatusServer

Registry Value Type: Reg_SZ

This value sets the SUS statistics server by HTTP name


93




94



SQL Server Hardening

SQL Server Hardening Suggestions

Top Hardening Suggestions

Top Hardening Suggestions:

1. Do not install SQL Server on an Active Directory Domain Controller.

2. In a multitier environment, run Web logic and business logic on separate computers. Forexample, WebView servers can be deployed on a dedicated server not shared with anAdministration & Data Server .

3. Install the latest applicable SQL Server service pack and security updates. Refer to theHardware & System Software Specification (Bill of Materials) for Cisco UnifiedICM/Contact Center Enterprise & Hosted, Release 8.0(1) for the compatible service packfor your product.

4. Set a strong password for the ‘sa’ account before installing ICM see SQL Server Usersand Authentication (page 98)).

5. Always install SQL Server service to run using a least privilege account. Never installSQL Server to run using the built-in Local System account. Follow the steps below tomodify the SQL Server service account.

Note: The following assumes the SQL Server has been installed previously with the serviceconfigured to run as the ‘LocalSystem’Account. It is possible that these steps can beshortened if the SQL Server is installed initially to run using a least privileged account.Refer to the Staging Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted,Release 8.x(y) for more information about how to properly install SQL Server using aDomain User Account to run the MSSQL Server service.


95

Chapter 8

a. Create a Windows domain user account (for example, <domain>\SQLServiceAcct>).(Refer to the Staging Guide for Cisco Unified ICM/Contact Center Enterprise &Hosted, Release 8.x(y) for details.) Appropriate file system permissions (Modify)must be given to this user account for the \mssql\data directory to be able to create,expand or delete databases as needed by the ‘icmdba’ application.

b. Configure Security Account Delegation in Active Directory (Users folder) for thisaccount:

From the ‘Account’ property page, select ‘Account is trusted for delegation’.

Make sure ‘Account is sensitive and cannot be delegated’ is NOT selected.

c. Configure Security Account Delegation in Active Directory (Computers folder) foreach machine that has SQL (or MSDE) installed:

Select ‘Trust computer for delegation’ on the ‘General’ property page.

d. Have a Domain Administrator configure Security Account Delegation using theSetSPN utility from the Windows Server 2003 resource kit to set a Service PrincipalName as follows:

List the existing SPN for the machine by typing the following at a command prompt:setspn -L <machine>

Delete any existing SPN for the MSSQLSvc entry by typing the following at acommand prompt: setspn -D "MSSQLSvc/<machine:port>

<serviceaccountname>" <machine> 1

Create a new SPN entry for the MSSQLSvc entry by typing the following at acommand prompt: setspn -A "MSSQLSvc/<machine:port><serviceaccountname>" <machine>

e. Add the domain user account created in Step a. to the NTFS permissions for theOperating System and data partitions at the root level (For example, C:\). Allow allpermissions, except Full Control.

Note: The SQL Server 2005 automated hardening utility, and the ICMDBA tool,will automatically ensure this permission is appropriately granted.

f. Finally, add this domain user account created in Step a. to the Registry permissionsfor the HKEY_LOCAL_MACHINE\Software, HKEY_LOCAL_MACHINE\Systemand HKEY_USERS hives, giving it Full Control.

g. From the SQL Server Configuration Manager (for SQL Server 2005), configure theSQL Server service to run as the domain user account created in Step a. (e.g.,<domain>\SQLServiceAcct>).

6. SQL Server Agent Service MUST be enabled and set to Automatic for databasemaintenance functioning in Unified ICM.

1) The string inside quotes must match exactly what is seen in the List command:: setspn -L <machine>


96

Chapter 8: SQL Server Hardening


Note: Applying SQL Server security updates or hotfixes may require that the SQL ServerAgent service be disabled. It is recommended that this service be reset to ‘disabled’ beforeperforming the update. When the update has completed, stop the service and set it backto ‘enabled’.

7. In all releases before 7.5, the Distributed Transaction Coordinator, MSDTC, is disabled(this is done by default by the automated server hardening in the Cisco Unified ICMSecurity Template Settings shipped with 7.0, 7.1, and 7.2).

However, from ICM 7.5 onwards, MSDTC services must be set to manual (done by defaultby the automated server hardening in the Cisco Unified ICM Security Template shippedwith ICM 7.5 and 8.0).

Note: The SQLServerAgent and MSDTC services may be used for Third-Party Backupsolutions; therefore we recommend checking the Backup Agents system requirementsbefore disabling these services.

8. Use NTFS directory security with EFS for SQL Server data directories. EFS must be setwhile logged in under the account credentials that the SQL service will run under (e.g.,<domain>\SQLServiceAcct>). From the Local Policy editor, temporarily grant ‘logonlocally’ privileges to this account to enable EFS then remove this right after logging off.

Warning: Only enable EFS if there is a concern with data theft; there will be a performanceimpact.

Note: In order to copy and send the data to other parties, it will be necessary to back upthe database to a different directory that is not encrypted to ensure that the receiving partyis able to read the data in the backup. This can be accomplished by backing up the databasefrom the SQL Server Enterprise Manager.

9. Disable the SQL guest account.

10. Restrict sysadmin membership to your Unified ICM administrators.

11. Block TCP port 1433 and UDP port 1434 at the firewall except for when the Administration& Data Server is not in the same security zone as the Logger.

12. Protection by good housekeeping:

a. Run the KillPwd utility to remove password data from setup files. Detailed instructionson how to run this utility can be found in the Microsoft article KB 263968 (http://support.microsoft.com/default.aspx?scid=kb;en-us;263968).

b. Delete or secure old setup files: Delete or archive the following files after installation:sqlstp.log, sqlsp.log, and setup.iss in the <systemdrive>:\Program Files\MicrosoftSQL Server\MSSQL\Install folder for a default installation, and the<systemdrive>:\Program Files\Microsoft SQL Server\ MSSQL$<InstanceName>\Install folder for named instances.

If the current system is an upgrade from SQL Server 7.0, delete the following files:setup.iss in the %Windir% folder, and sqlsp.log in the Windows Temp folder.


97



http://support.microsoft.com/default.aspx?scid=kb;en-us;263968

13. Change the recovery actions of the Microsoft SQL Server service to restart after a failure.

14. Remove all sample databases, e.g., Pubs and Northwind.

15. Enable auditing for failed logins.

SQL Server Users and Authentication

When creating a user for the SQL Server account, create Windows accounts with the lowestpossible privileges for running SQL Server services. It is preferable that this be done during theinstallation of SQL Server.

During installation, SQL Server Database Engine is set to either Windows Authentication modeor SQL Server and Windows Authentication mode. If Windows Authentication mode is selectedduring installation, the sa login is disabled. If you later change authentication mode to SQLServer and Windows Authentication mode, the sa login remains disabled. To enable the sa login,use the ALTER LOGIN statement. For additional details see:http://msdn.microsoft.com/en-us/library/ms188670.aspx

The local user or the domain user account that is created to function as the SQL Server serviceaccount follows the Windows or domain password policy respectively. It is imperative that astrict password policy is applied on this account. However, do not set the password to expire,because SQL Server service will cease to function and that in turn will cause the Administration& Data Server to fail.

The password and account settings may be governed by the site requirements. At the least, thefollowing settings are recommended:

Table 14: Password and Account Settings

ValueSetting

24 passwords rememberedEnforce Password History

12 charactersMinimum Password Length

EnabledPassword Complexity

1 dayMinimum Password Age

15 minutesAccount Lockout Duration

3 invalid logon attemptsAccount Lockout Threshold

15 minutesReset Account Lockout Counter After

Note: The service account password must explicitly be set to Not expire.

Use Windows Only authentication if possible. Cisco Contact Center applications use Windowsauthentication to access SQL Server. Cisco understands that some third-party applications mayrequire SQL Server authentication to run properly, but if you are not using any third-partyproducts to access SQL Server, then use Windows Only authentication, rather than mixed modeauthentication.

Note: Windows Only authentication is enforced through SQL Server 2005 automated hardening.


98



http://msdn.microsoft.com/en-us/library/ms188670.aspx

http://msdn.microsoft.com/en-us/library/ms188670.aspx

Using mixed mode authentication can increase security risks.

During web setup, if the sa password is found to be blank, a randomly generated strong passwordis generated and used to secure the sa account. This randomly generated sa password isdisplayed only once during the install. Make note of the password because it is not presentedagain. Resetting of the sa account password may be done after installation by logging on to theSQL Server using a Windows Local Administrator account.

SQL Server 2005 Security Considerations

Microsoft SQL Server 2005 is far more secure by design, default, and deployment than MicrosoftSQL Server 2000. Microsoft SQL Server 2005 provides a much more granular access controland a new utility to manage attack surface, and runs with lower privileges. To make the best ofthe security features provided by Microsoft SQL Server 2005, the database administrator mustfollow the best practices as described below in the “Automated SQL 2005 Hardening” and the“Manual SQL 2005 Hardening” sections.

Automated SQL 2005 Hardening

The first step in securing the deployment is to install and enable only those components orfeatures that are required all the time. If a feature is required only for certain limited activity,disable that feature during regular operation and enabled it only as needed.

Cisco provides the SQL Server Security Hardening utility to automatically disable unwantedSQL Server services and features. Unified ICM/Unified CCE Setup and Upgrade prompt theuser to run the SQL Server Security Hardening utility in the same manner as it does for WindowsSecurity Hardening.

SQL Server 2005 breaks down the server functionality into more granular services. The followingtable lists them with the secure deployment recommendations, which are automatically set bythe SQL Server Security Hardening utility:

Table 15: Server Functionality

Startup TypeService

AutomaticSQL Server Database Engine

DisabledSQL Server Active Directory Helper

AutomaticSQL Server Agent

AutomaticSQL Server FullText Search

DisabledSQL Server Browser

DisabledSQL Server VSS Writer

The above settings can be viewed or modified using SQL Server Surface Area Configuration –Services and Connection tool.


99



The following table lists the various features available in SQL Server 2005 and the state thatthey must be configured in to secure the deployment for Unified ICM. These are automaticallyset by the SQL Server Security Hardening utility:

Table 16: Available Features

EnabledFeature

NAd-hoc Remote Queries (use of OPENROWSET andOPENDATASOURCE)

NCLR Integration

NDAC (Dedicated Administrator Connection for remoteaccess)

NDatabase Mail

NNative XML Web Service (access over HTTP)

NOLE Automation

NService Broker (to communicate between instances)

NSQL Mail

NWeb Assistant (Deprecated in SQL Server 2005)

NXp_cmdshell

The above settings can be viewed or modified using the SQL Server Surface Area Configuration– Features tool.

The SQL Server Security Hardening utility also:

• Enforces Windows Only authentication mode.

• Verifies that the Named Pipe (np) is listed before TCP/IP (tcp) in the SQL Server ClientNetwork Protocol Order.

SQL Server Security Hardening Utility

The SQL Server Security Hardening utility allows you to harden or roll back the SQL Serversecurity on Logger and Administration & Data Server/HDS components. The Harden optiondisables unwanted services and features, as explained in the “Automated SQL 2005 Hardening”section above. If the latest version of the security settings are already applied, then the Hardenoption does not change anything. The Rollback option allows you to return to the state of SQLservices and features that existed prior to your applying the last hardening.

The SQL Server Security Hardening utility is launched via Setup, by default, to harden the SQLServer security. However, you can run it manually, as described below.

Utility Location

The utility is located at:


100



%SYSTEMDRIVE%\CiscoUtils\SQLSecurity

Harden SQL Server

From the command line type in

Perl ICMSQLSecurity.pl HARDEN

Note: The current SQL Server configuration will be backed up to<ICMInstallDrive>:\CiscoUtils\SQLSecurity\ICMSQLSEcurity.bkp before the utility appliesthe SQL Server hardening.

Roll Back SQL Server Security Hardening

The ROLLBACK command rolls back to the previous SQL Server configuration, if hardeningwas applied before.

To roll back to the previous SQL Server configuration, from the command line type in

Perl ICMSQLSecurity.pl ROLLBACK

Note: The following security hardening settings are not removed when:

1. SQL Server security mode is currently set to Windows Only Authentication.

2. SQL Server user ‘sa’ is set to random password.

3. SQLVSSWriter, SQLBrowser and MSSQLServerADHelper services are disabled.

You can be roll back these settings manually using SQL Server Management Studio tool.

No Argument

If no argument is used with the command line, usage help is displayed.

Output Log

All output logs are saved in the file:

%SYSTEMDRIVE%\CiscoUtils\SQLSecurity\Logs\ICMSQLSecurity.log

Manual SQL 2005 Server Hardening

By default, SQL Server 2005 disables VIA endpoint and limits the Dedicated AdministratorConnection ( DAC) to local access. Also, by default, all logins have GRANT permission forCONNECT using Shared Memory, Named Pipes, TCP/IP and VIA endpoints. Unified ICMrequires only Named Pipes and TCP/IP endpoints.


101



• Enable both Named Pipes and TCP/IP endpoints during SQL Server 2005 setup. Make sureNamed Pipes has a higher order of priority than TCP/IP.

Note: The SQL Server Security Hardening utility will check for the availability and orderof these endpoints.

• Disable access to all endpoints that are not required. For instance: Deny connect permissionto VIA endpoint for all users/groups who have access to the database.


102



Cisco SSL Encryption Utility

About the SSL Encryption Utility

In Unified ICM release 8.0(1), Unified ICM web servers are configured for secure access(HTTPS) using SSL. Cisco provides an application called the SSL Encryption Utility(SSLUtil.exe) to help with the task of configuring web servers for use with SSL.

Note: This utility is only supported on servers running Windows Server 2003.

The operations performed by the SSL encryption utility can also be accomplished by the operatingsystem facilities such as IIS; however the Cisco utility simplifies the process.

SSLUtil.exe is located in the <ICMInstallDrive>\icm\bin folder. The SSL Encryption Utilitycan be invoked in either standalone mode or automatically as part of setup.

The SSL Encryption Utility generates log messages pertaining to the operations that it performs.When it is running as part of setup, log messages are written to the setup log file. When theutility is in standalone mode, the log messages are displayed on the SSL Utility Window andfile <SystemDrive>\temp\SSLUtil.log.

The SSL Encryption Utility performs two major functions:

• SSL Configuration

• SSL Certificate Administration

SSL is available only for Unified ICM web applications installed on Windows Server 2003.The Unified ICM/Unified CCE web applications that can be configured for SSL are:

• WebView

• Unified SCCE


103

Chapter 9

• Internet Script Editor

• Agent Re-skilling

Installing SSL During Setup

By default, setup enables SSL for Unified CCE Web Administration (Unified SCCE), InternetScript Editor and Agent Re-skilling applications. SSL can be configured for WebView duringsetup. By default, Authentication mode is selected for WebView during setup. For more detailon SSL for WebView application, refer to “SSL Configuration at Web Setup tool” in WebViewInstallation and Administration Guide. If the SSL settings are changed via other means such asIIS manager while the SSL Configuration Utility is open, those changes are not reflected in theSSL Configuration Utility unless it is closed and reopened.

The SSL Configuration Utility also facilitates creation of self-signed certificates and installationof the created certificate in IIS. A certificate may also be removed from IIS using this tool.When invoked as part of setup, the SSL Configuration Utility sets SSL port in IIS to 443 if itis found to be blank.

If you want to use SSL for Agent Re-skilling or Internet Script Editor, you can just accept thedefault settings during installation and the supported servers will use SSL.

If you want to use SSL in WebView, leave Enable Encryption checked. You can further specifysession encryption (all traffic is encrypted, not just the authentication process) during theWebView setup process; note that this increases server load significantly.

When the utility runs during setup a self-signed certificate is generated (using OpenSSL),imported into the Local Machine Store, and installed on the web server. Virtual directories areenabled and configured for SSL with 128-bit encryption.

Note: During setup, if a certificate exists or the web Server is found to have an existing servercertificate installed, a log entry is added and no changes take effect. Any certificate managementchanges must be done using the utility in standalone mode or directly using the IIS ServicesManager.

SSL Encryption Utility in Standalone Mode

In standalone mode, the SSL Configuration Utility displays the list of Unified ICM instancesinstalled on the local machine. When Unified ICM instance is selected, the web applicationsinstalled and their SSL settings are displayed. You can then alter the SSL settings for the webapplication.

The following image shows the SSL Encryption Utility configuration tab:


104

Chapter 9: Cisco SSL Encryption Utility


Figure 28: SSL Config Utility - Configuration Tab

The SSL Configuration Utility also facilitates creation of self-signed certificates and installationof the created certificate in IIS. A certificate may also be removed from IIS using this tool.When invoked as part of setup, the SSL Configuration Utility sets SSL port in IIS to 443 if itis found to be blank.

The following image shows the certificate administration tab of the Encryption Utility:


105



Figure 29: SSL Config Utility - Certificate Administration Tab

Enabling the Transport Layer Security (TLS) 1.0 Protocol

The ICM security template enables FIPS-compliant strong encryption, which requires the TLS1.0 protocol be enabled instead of SSL 2.0 or SSL 3.0. To ensure web browser connectivity toa hardened Webview, Dynamic Re-skilling (Agent Re-skilling), and Unified SCCE Webconfigserver over HTTPS using Internet Explorer, you need to enable TLS 1.0 protocol.

Step 1 Launch Internet Explorer.

Step 2 From the Tools menu, select Internet Options.

Step 3 Click the Advanced tab.

Step 4 Scroll to Security and check the Use TLS 1.0 check box.

Be sure to consult the Microsoft Knowledge Base (KB) KB 811833 (http://support.microsoft.com/kb/811833 )for additional information about security settings.

Note: If security hardening is applied when the Internet Explorer is not configured to supportthe TLS 1.0 protocol, the Web browser will not be unable to connect to the Web server. Anerror message indicates that the page is either unavailable or that the Web site might beexperiencing technical difficulties.


106




Network Access ProtectionNetwork Access Protection (NAP) is a platform and solution introduced in Windows Server2008 R2 that helps to maintain the network’s overall integrity by controlling access to networkresources based on a client computer’s compliance with system health policies. Examples ofsystem health policies include making sure that clients have the latest antivirus definitions andsecurity updates installed, a firewall installed and enabled, etc. If a client is not compliant withthe network health requirements, NAP can be configured to limit the client’s network access.NAP also provides a mechanism to automatically bring the client back to compliance.

The NAP server validates the clients’ health using the system health policies.

The NAP server is supported on Windows Server 2008 R2.

The NAP client is supported on the following operating systems:

• Windows Server 2008 R2

• Windows 7

• Windows Vista

• Windows XP with Service Pack 3 (SP3)


• How NAP works, page 108• Impact of using Microsoft Windows NAP with Unified CCE, page 108• Additional NAP References, page 109


107

Chapter 10

How NAP works

When a NAP client attempts to connect to the network, the client’s health state is validatedagainst the health requirement policies defined in the Network Policy Server (NPS).

If a client is not compliant with the defined health policies, the administrator can choose to limitthe client’s access to a restricted network. This restricted network ideally contains health updateresources for the client to gain compliance. In this limited access environment, only clients thatcomply with the health requirement policies are allowed unlimited access to the network.However, the administrator can also define exceptions.

The administrator can choose to configure a monitoring-only environment where thenoncompliant client can still be granted full network access. In this environment, the compliantstate for each client is logged.

The administrator can also choose to automatically update noncompliant clients with missingsoftware updates to help ensure compliance. In a limited access environment, noncompliantclients will have restricted network access until the updates and configuration changes arecompleted. In a monitoring-only environment, noncompliant clients will have full access to thenetwork before they are updated with the required changes.

With all these options available, administrators can configure a solution that is best tailored tothe needs of their networks.

Note: The Microsoft literature contains important information about NAP that the user shouldread to better understand this platform. For the latest information, refer to the Network AccessProtection (Microsoft TechNet) at http://technet.microsoft.com/en-us/network/bb545879

Impact of using Microsoft Windows NAP with Unified CCE

Network Policy Server

As a general rule, do not use a Unified CCE server for any other purpose than for Unified CCEapproved software. Therefore, do not run the Network Policy Server on any Unified CCEmachine such as ICM, CVP, and so on.

Unified CCE Servers and NAP

NAP can be used in a few different ways. The following are some deployment options a usermay consider to use with Unified CCE.

• Unified CCE Servers using a limited access environment - NOT RECOMMENDED


108

Chapter 10: Network Access Protection

How NAP works

http://technet.microsoft.com/en-us/network/bb545879

Warning: In this model, the Unified CCE servers such as the ICM PG, ICM Router, ICMLogger, and ICM AW/HDS would become inaccessible if they fall out of compliance. Thiswould cause the entire call center to go down until machines become compliant again.

• Unified CCE Server uses monitoring-only environment

This mode could be useful for keeping track of the health status on the Unified CCE servers.

• Unified CCE Servers that are exempt from health validation

In this mode, the Unified CCE servers will work in a NAP environment but will not becomeinaccessible from the network. All communications to and from the Unified CCE serverswould not be affected by the Unified CCE server’s state of health.

Unified CCE Client Machines and NAP

The following contains information regarding Unified CCE Client Machines and NAP:

• Unified CCE client machines using limited access environment

Systems in this environment must be compliant with all policies that are setup by the networkadministrator. For example, if an agent desktop is in this environment then the agent wouldnot be able to sign in or contact the Agent PG in any way until the client machine becomescompliant with the NAP policies that are active.

• Unified CCE client machines using monitoring-only environment

Same as above for Unified CCE Servers.

• Unified CCE Client machines that are exempt from health validation

Same as above for Unified CCE Servers.

Additional NAP References

For more information about NAP, refer to the following:

• Network Access Protection Design Guide: http://technet.microsoft.com/en-us/library/dd125338(WS.10).aspx

• Windows Server 2008 R2 Networking and Network Access Protection (NAP) by MicrosoftPress

• Cisco NAC and Microsoft NAP Interoperability Architecture http://www.cisco.com/en/US/netsol/ns812/index.html


109





http://www.cisco.com/en/US/netsol/ns812/index.html

http://www.cisco.com/en/US/netsol/ns812/index.html


110



Intrusion Prevention and Cisco Security AgentThe Cisco Security Agent (CSA) provides Host Intrusion Detection and prevention for servers.As high-visibility network security attacks such as Code Red and the SQL Slammer worm haveshown, traditional host and desktop security technologies are limited in their capability to combatthe effects of new and evolving virus attacks. Unlike traditional signature matching securitytechnologies, CSA analyzes virus behavior to provide robust protection with reduced operationalcosts. By identifying and preventing malicious behavior before it occurs, CSA removes potentialknown and unknown (“Day Zero”) security risks that threaten enterprise networks andapplications.

Note: Do not view CSA as providing complete security for servers running Cisco Unified ICM.Rather, view CSA as an additional line of defense which, when used with other standard defensessuch as virus-scanning software, firewalls, and the documented guidelines, as providing enhancedsecurity for Unified ICM servers.


• What are Cisco Security Agent Policies?, page 111• Types of Agents, page 112

What are Cisco Security Agent Policies?

The Cisco Security Agent provides protection for Windows platforms based on a set of rules,or policies, that you set. Policies define which actions on the system and network are allowedand denied. Cisco Security Agent checks actions that use system or network resources andblocks denied actions.

You define policies to control access to system and network resources based on the followingparameters:

• Which resource is being accessed


111

Chapter 11

• Which operation is being invoked

• Which process is invoking the action

Cisco has defined a policy for CSA to protect servers without interfering with the normaloperations of Unified ICM. You can download this policy from the Cisco Website (www.cisco.com).

Note: If you do use CSA, then consult the following guide for important information regardinginstalling Unified ICM/ Unified CCE applications using their default paths. Installing UnifiedICM/Unified CCE application to their default paths minimizes any issues that may arise out ofusing CSA with supported applications that have been installed in non-default locations.

See Also

Cisco Security Agent Installation/Deployment Guide for Cisco Unified ICM/Contact CenterEnterprise & Hosted

Types of Agents

You can use Cisco Security Agent as either a Standalone Agent or a Managed Agent.

Managed Agent

A Managed Agent reports all significant events to a centralized Management Center.

The Management Center serves multiple agents and servers simultaneously. The ManagementCenter allows you to monitor and protect multiple servers using a browser-based console.

The Managed Agent is appropriate if you are using third-party software that is not approved byCisco for Unified ICM servers. If this is the case, it is recommended that you purchase andinstall the CSA Management Center, and then import the Unified ICM policy (page 111) andcustomize it to allow the third-party applications to operate.

Standalone Agent

The CSA Standalone Agent provides the same protections and the Managed Agent, but doesnot report events back to the Management Center. Furthermore, the Standalone Agent uses astatic policy (page 111) that you cannot modify.

The Standalone Agent for Unified ICM is available free of charge from Cisco.

See Also

Cisco Security Agent on the Cisco Web Site (www.cisco.com/go/csa)


112

Chapter 11: Intrusion Prevention and Cisco Security Agent

Types of Agents

www.cisco.com

www.cisco.com/go/csa

Microsoft Baseline Security AnalyzerThe Microsoft Baseline Security Analyzer (MBSA) checks computers running MicrosoftWindows Server 2003, Windows Server XP, or Windows NT 4.0 for common securitymisconfigurations.

The following are the scanning options selected for Cisco Unified ICM Real-Time Distributorrunning one or more web applications (foe example, Internet Script Editor, WebView, orAgent-Reskilling).

• Windows operating system (OS) checks

• IIS checks

• SQL checks

• Security update checks

• Password checks

This report is provided to show an example of the results of running the MBSA tool against aCisco Unified ICM server that is running the majority of Microsoft Server Applications supportedby the tool.


• Security Update Scan Results, page 114• Windows Scan Results, page 114• Internet Information Services (IIS) Scan Results, page 115• SQL Server Scan Results, page 116• Desktop Application Scan Results, page 117


113

Chapter 12

Security Update Scan Results

The following table provides an example of security update scan results:

Table 17: Security Update Scan Results

ResultIssueScore

No critical security updates are missing.Windows Security Updates

No critical security updates are missing.IIS Security Updates

Instance (default): No critical security updates aremissing.

SQL Server/MSDE Security Updates

No critical security updates are missing.MDAC Security Updates

No critical security updates are missing.MSXML Security Updates

No Microsoft Office products are installed.Office Security Updates

Windows Scan Results

The following table shows Windows scan results:

Table 18: Vulnerabilities

ResultIssueScore

Automatic Updates are managed through Group Policy on this computer.Automatic Updates

More than 2 Administrators were found on this computer.Administrators

Note: This warning can be ignored given that the Cisco Unified ICMapplication requires the addition of certain groups to the LocalAdministrators group, therefore triggering this event. It is recommendedthat you review the Result Details and remove any known unnecessaryaccounts.

Some user accounts (1 of 7) have non-expiring passwords.Password Expiration


114

Chapter 12: Microsoft Baseline Security Analyzer

Security Update Scan Results

ResultIssueScore

Note: When the server is properly configured to require expiring passwords,this warning will typically find the Guest account to have a non-expiringpassword even though the account is disabled. This warning can be ignored.

Windows Firewall is enabled and has exceptions configured. WindowsFirewall is enabled on all network connections.

Windows Firewall

Some user accounts (1 of 7) have blank or simple passwords, or could notbe analyzed.

Local Account Password Test

All hard drives (1) are using the NTFS file system.File System

Autologon is not configured on this computer.Autologon

The Guest account is disabled on this computer.Guest Account

Computer is properly restricting anonymous access.Restrict Anonymous

The following table provides additional scan information:

Table 19: Additional System Information

ResultIssueScore

Logon Success and Logon Failure auditing are both enabled.Auditing

Some potentially unnecessary services are installed.Services

2 share(s) are present on your computer.Shares

Computer is running Windows Server 2003 or greater.Windows Version

Internet Information Services (IIS) Scan Results

The following table shows IIS scan results:


115


Internet Information Services (IIS) Scan Results


ResultIssueScore

The IIS Lockdown tool was developed for IIS 4.0, 5.0, and5.1, and is not needed for new Windows Server 2003installations running IIS 6.0.

IIS Lockdown Tool

IIS sample applications are not installed.Sample Applications

IISADMPWD virtual directory is not present.IISAdmin Virtual Directory

Parent paths are not enabled.Parent Paths

The MSADC and Scripts virtual directories are not present.MSADC and Scripts Virtual Directories

Table 21: Additional System Information

ResultIssueScore

IIS is not running on a domain controller.Domain Controller Test

All web and FTP sites are using the recommended loggingoptions.

IIS Logging Enabled

SQL Server Scan Results

The following table shows SQL Server scan results:

Instance (default)


ResultIssueScore

BUILTIN\Administrators group is part of sysadmin role.Sysadmin role members

Note: This is acceptable because the Cisco Unified ICM applicationadds certain groups to the local Administrators account on the serverwhich require dbo access to the database.

No more than 2 members of sysadmin role are present.Sysadmins


116


SQL Server Scan Results

ResultIssueScore

SQL Server, SQL Server Agent, MSDE and/or MSDE Agent serviceaccounts are not members of the local Administrators group and donot run as LocalSystem.

Service Accounts

The ‘sa’ password and SQL service account password are not exposedin text files.

Exposed SQL Server/MSDEPassword

SQL Server and/or MSDE is not running on a domain controller.Domain Controller Test

SQL Server and/or MSDE authentication mode is set to WindowsOnly.

SQL Server/MSDE Security Mode

The Everyone group does not have more than Read access to the SQLServer and/or MSDE registry keys.

Registry Permissions

CmdExec is restricted to sysadmin only.CmdExec role

Permissions on the SQL Server and/or MSDE installation folders areset properly.

Folder Permissions

The Guest account is not enabled in any of the databases.Guest Account

The check was skipped because SQL Server and/or MSDE is operatingin Windows Only authentication mode.

SQL Server/MSDE AccountPassword Test

Desktop Application Scan Results

The following table shows desktop application scan results:


ResultIssueScore

Internet Explorer zones have secure settings for all users.IE Zones

The use of Internet Explorer is restricted for administratorson this server.

IE Enhanced Security Configuration forAdministrators

The use of Internet Explorer is restricted fornon-administrators on this server.

IE Enhanced Security Configuration forNon-Administrators

No Microsoft Office products are installedMacro Security


117




118



AuditingYou can set auditing policies to track significant events, such as account logon attempts. Alwaysset Local policies.

Note: Domain auditing policies always overwrite local auditing policies. Make the two sets ofpolicies identical where possible.

To set local auditing policies, select Start > Programs > Administrative Tools > Local SecurityPolicies.

Note: Automated Security Hardening on Windows Server 2003 (as described in Chapter 4)configures the Unified ICM/ Unified CCE server with the recommended auditing settings. SeeLocal Policies - Audit Policy (page 55)


• How to View Auditing Policies, page 119• Security Log, page 120• Real-Time Alerts, page 120• SQL Server Auditing Policies, page 120• Active Directory Auditing Policies, page 120

How to View Auditing Policies

Step 1 Choose Start > Programs > Administrative Tools > Local Security Policies.

the Local Security Settings window opens.

Step 2 In the tree in the left pane, select and expand Local Policies.

Step 3 In the tree under Local Policies, select Audit Policy.

The different auditing policies appear in the left pane.


119

Chapter 13

Step 4 View or change the auditing policies by double-clicking the policy name.

Security Log

After setting auditing policies, it is recommended that you view the security log once a week.You need to look for unusual activity such as Logon failures or Logon successes with unusualaccounts.

To view the Security Log, choose Start > Programs > Administrative Tools > Event Viewer.

Real-Time Alerts

MSFT Windows provides the SNMP Event Translator facility, which lets you translate eventsin the Windows eventlog into real-time alerts by converting the event into an SNMP trap. Useevntwin.exe or evntcmd.exe to configure SNMP traps.

Be sure to consult Microsoft TechNet http://technet.microsoft.com/en-us/library/cc759390(WS.10).aspx for additional information about configuring the translation of eventsto traps.

Refer to the Cisco SNMP Installation and Basic Configuration guide for information aboutconfiguring SNMP trap destinations.

SQL Server Auditing Policies

For general SQL Server auditing policies, see SQL server Auditing at Microsoft (http://www.microsoft.com/technet/security/prodtech/sqlserver/sql2kaud.mspx).

SQL Server C2 Security Auditing

C2 security is a government rating for security in which the system has been certified fordiscretionary resource protection and auditing capability.

Cisco does not support C2 auditing for SQL Server in the Unified ICM/Unified CCEenvironment. Cisco cannot guarantee that enabling C2 auditing on SQL Server will not havesignificant negative impact on the system. For more information on C2 Auditing, see C2 AuditMode Option (http://msdn.microsoft.com/en-us/library/ms187634(SQL.90).aspx).

Active Directory Auditing Policies

It is recommended that you audit Active Directory account management and logins, and monitoraudit logs for unusual activity.


120

Chapter 13: Auditing

Security Log



http://www.microsoft.com/technet/security/prodtech/sqlserver/sql2kaud.mspx

http://msdn.microsoft.com/en-us/library/ms187634(SQL.90).aspx

http://msdn.microsoft.com/en-us/library/ms187634(SQL.90).aspx

The following table contains the recommended and default DC Audit policies.

Table 24: Active Directory Audit Policy Recommendations

CommentsRecommended

Setting

Default SettingPolicy

Account logon events are generated when a domainuser account is authenticated on a DomainController.

Success and FailureNo auditingAudit account logonevents

Account management events are generated whensecurity principal accounts are created, modified,or deleted.

SuccessNot definedAudit accountmanagement

Directory services access events are generatedwhen an Active Directory object with a SystemAccess Control List (SACL) is accessed.

SuccessNo auditingAudit directory serviceaccess

Logon events are generated when a domain userinteractively logs onto a Domain Controller or

Success and FailureNo auditingAudit logon events

when a network logon to a Domain Controller isperformed to retrieve logon scripts and policies.

(No change)No auditingAudit object access

Policy change events are generated for changes touser rights assignment policies, audit policies, ortrust policies.

SuccessNo auditingAudit policy change

(No change)No auditingAudit privilege use

(No change)No auditingAudit process tracking

System events are generated when a user restartsor shuts down the Domain Controller or when an

SuccessNo auditingAudit system events

event occurs that affects either the system securityor the security log.


121




122



General Antivirus Guidelines and RecommendationsCisco recommends that you only use the approved Anti-Virus (AV) software products withUnified ICM/ Unified CCE, as described in this part.

Warning: Often, the default AV configuration settings increase CPU load and memoryand disk usage, adversely affecting software performance. Therefore it is critical that youfollow the guidelines in this part when using AV software with Unified ICM/ Unified CCE.Refer to the Hardware & System Software Specification (Bill of Materials) for Cisco UnifiedICM/Contact Center Enterprise & Hosted, Release 8.0(1) is available at http://www.cisco.com/en/US/products/sw/custcosw/ps1844/products_implementation_design_guides_list.html

Viruses are unpredictable and Cisco cannot assume responsibility for the consequences of virusattacks on mission-critical applications. Take particular care for systems that use MicrosoftInternet Information Server (IIS) such as WebView.

Note:

• Ensure that your corporate Anti-Virus strategy includes specific provisions for any serverpositioned outside the corporate firewall or subject to frequent connections to the publicInternet.

• Refer to the Hardware & System Software Specification (Bill of Materials) for Cisco UnifiedICM/Contact Center Enterprise & Hosted, Release 8.0(1) for the application and versionqualified and approved for your release of Unified ICM/ Unified CCE.

Many of the default AV configuration settings can adversely affect product performance as aresult of increased CPU load, memory, and disk usage by the Anti-Virus software program.Cisco tests specific configurations to maximize product performance.


• Guidelines and Recommendations, page 124• Unified ICM/Unified CCE Maintenance Parameters, page 125• File Type Exclusion Recommendations, page 126


123

Chapter 14

http://www.cisco.com/en/US/products/sw/custcosw/ps1844/products_implementation_design_guides_list.html

http://www.cisco.com/en/US/products/sw/custcosw/ps1844/products_implementation_design_guides_list.html

Guidelines and Recommendations

Anti-virus applications have numerous configuration options that allow very granular controlof what data is scanned, and how the data is scanned on a server.

With any anti-virus product, configuration is a balance of scanning versus the performance ofthe server. The more you choose to scan, the greater the potential performance overhead. Therole of the system administrator is to determine what the optimal configuration requirementswill be for installing an anti-virus application within a particular environment. Refer to yourparticular anti-virus product documentation for more detailed configuration information.

The following list highlights some general best practices:

• Update AV software scanning engines and definition files on a regular basis, following yourorganization’s current policies.

• Upgrade to the latest supported version of the third-party anti-virus application. Newerversions improve scanning speed over previous versions, resulting in lower overhead onservers.

• Avoid scanning of any files accessed from remote drives (such as network mappings or UNCconnections). Where possible, ensure that each of these remote machines has its own anti-virussoftware installed, thus keeping all scanning local. With a multitiered antivirus strategy,scanning across the network and adding to the network load should not be required.

• Schedule full scans of systems by AV software only during scheduled maintenance windows,and when the AV scan will not interrupt other Unified ICM maintenance activities.

• Do not set AV software to run in an automatic or background mode for which all incomingdata or modified files are scanned in real time.

• Due to the higher scanning overhead of heuristics scanning over traditional anti-virus scanning,use this advanced scanning option only at key points of data entry from untrusted networks(such as email and Internet gateways).

• Real-time or on-access scanning can be enabled, but only on incoming files (when writingto disk). This is the default setting for most anti-virus applications. Implementing on-accessscanning on file reads will yield a higher impact on system resources than necessary in ahigh-performance application environment.

• While on-demand and real-time scanning of all files gives optimum protection, thisconfiguration does have the overhead of scanning those files that cannot support maliciouscode (for example, ASCII text files). Cisco recommends excluding files or directories offiles, in all scanning modes, that are known to present no risk to the system.

• Schedule regular disk scans only during low-usage times and at times when applicationactivity is lowest.

• Disable the email scanner if the server does not use email.


124

Chapter 14: General Antivirus Guidelines and Recommendations

Guidelines and Recommendations

• Additionally, set the AV software to block port 25 to block any outgoing email.

• Block IRC ports.

• If your AV software has spyware detection and removal, then enable this feature. Cleaninfected files, or delete them (if these files cannot be cleaned).

• Enable logging in your AV application. Limit the log size to 2 MB.

• Set your AV software to scan compressed files.

• Set your AV software to not use more than 20% CPU utilization at any time.

• When a virus is found, the first action is to clean the file, the second to delete or quarantinethe file.

• If it is available in your AV software, enable buffer overflow protection.

• Set your AV software to start on system startup.

Unified ICM/Unified CCE Maintenance Parameters

Before scheduling AV software activity on Unified ICM/Unified CCE Servers, note that a fewparameters control the application activity at specific times. Ensure that Anti-Virus softwareconfiguration settings do not schedule “Daily Scans,” “Automatic DAT Updates,” and “AutomaticProduct Upgrades” during the times specified below.

Logger Recommendations

Do not schedule AV software activity to coincide with the time specified in the following Loggerregistry keys:

• HKLM\SOFTWARE\Cisco Systems, Inc.\ICM\<inst>\Logger<A/B>\Recovery\CurrentVersion\Purge\Schedule\Schedule Value Name: Schedule

• HKLM\SOFTWARE\Cisco Systems, Inc.\ICM\<inst>\Logger<A/B>\Recovery\CurrentVersion\UpdateStatistics\Schedule Value Name: Schedule

Distributor Recommendations

Do not schedule AV software activity to coincide with the time specified in the followingDistributor registry keys:

• HKLM\SOFTWARE\Cisco Systems, Inc. \ICM\<inst>\Distributor\RealTimeDistributor\CurrentVersion\Recovery\CurrentVersion\Purge\Schedule Value Name: Schedule


125


Unified ICM/Unified CCE Maintenance Parameters

• HKLM\SOFTWARE\Cisco Systems, Inc. \ICM\<inst>\Distributor\RealTimeDistributor\CurrentVersion\Recovery\CurrentVersion\UpdateStatistics\Schedule Value Name: Schedule

CallRouter and PG Recommendations

On the CallRouter and Peripheral Gateway (PG), do not schedule AV program tasks:

• During times of heavy or peak call load.

• At the half hour and hour marks, because Unified ICM processes increase during those times.

Other Scheduled Tasks Recommendations

You can find other scheduled Unified ICM process activities on Windows by inspecting theScheduled Tasks Folder. Try to ensure that scheduled AV program activity does not conflictwith those Unified ICM scheduled activities.

File Type Exclusion Recommendations

There are a number of binary files that are written to during the operation of Unified ICMprocesses that have little risk of virus infection.

Omit files with the following file extensions from the drive and on-access scanning configurationof the AV program:

• *.hst applies to PG

• *.ems applies to ALL


126


File Type Exclusion Recommendations

Remote AdministrationThis section describes recommended practices for remote administration.

Note:

• Use of any remote administration applications can cause adverse effects during load.

• Use of remote administration tools that employ encryption can impact server performance.The performance level impact is tied to the level of encryption used. More encryption resultsin more impact to the server performance.


• Windows Terminal Services (Remote Desktop), page 127• pcAnywhere, page 129• VNC, page 133• TRIDIA VNC Pro, page 133

Windows Terminal Services (Remote Desktop)

Terminal Services permits users to remotely execute applications on Microsoft Windows Server2003 from a wide range of devices over virtually any type of network connection. It can beenabled to run in either Application Server or Remote Administration modes. Unified ICM/Unified CCE only supports Remote Administration mode.

Remote Desktop can be used for remote administration of ICM-CCE-CCH server if used with/admin option (or /console in older version clients), only. The /admin (aka /console) connectsto the local console session.

Using the Remote Desktop Console session, you can:

• Run Configuration Tools


127

Chapter 15

• Run Script Editor, though the recommended approach is to use Internet Script Editor

Note: Remote Desktop without the console option is not supported.

Note: If you apply Cisco ICM Security Hardening to your system, then you need to upgradeyour Remote Desktop Clients to 5.2 or later. Remote Desktop Client 5.2 or later is required toconnect to a server with FIPS Compliant algorithms enabled. Older versions of Remote Desktopclient do not support FIPS compliant algorithms which the Cisco Unified ICM Security Hardeningutility enables. For more information about FIPS compliant algorithms and security settings,see the Microsoft Knowledge Base articles KB 11770 (http://support.microsoft.com/kb/811770)and KB 81183 (http://support.microsoft.com/kb/811833) .

Remote Desktop Protocol

Communication between the server and the client will use native Remote Desktop Protocol(RDP) encryption. By default, all data sent is protected by encryption based on the maximumkey strength supported by the client.

RDP is the preferred remote control protocol due to its security and low performance impact.

Windows Server 2003 Terminal Services provides the ability to connect to and shadow a consolesession thereby replacing the need to pcAnywhere or VNC. From a command line:

Remote Desktop Connection:mstsc /v:<server[:port]> /admin

Remote Desktop client prior to 6.0: mstsc /v:<server[:port]> /console

Securing the RDP-TCP Connection

You can configure the properties of the terminal server RDP-TCP connection to provide betterprotection. Run Terminal Services Configurator, select Connections, and then select RDP-TCP.

Step 1 Restrict the number of client sessions that can remain active on the server.

From the Network Adapter tab, select Maximum connections and set the limit on the numberof concurrent connections.

Step 2 Set session time limits.

From the Sessions tab, check the first of three Override User Settings check box and set valuesfor each of the following (all values are recommendations; use values that work best withinyour organization):

1. End a disconnected session, 1 or 5 minutes

2. Active session limit, 1 or 2 days

3. Idle session limit, 30 minutes


128

Chapter 15: Remote Administration

Windows Terminal Services (Remote Desktop)



Step 3 Set permissions for users and groups on the terminal server.

Use the Permissions tab to add users, groups and computers access limits and permissions. ClickAdd, select the user, group or computer name, and then set one of three basic permissions:

1. Full Control (given to administrators and the system; allows logging onto the terminalserver, modifying the connection parameters, connecting to a session, getting sessioninformation, resetting or ending a session, logging off other users, remotely controllingother users’ sessions, sending messages to other users, and disconnecting sessions).

2. User Access (given to ordinary users; allows logging onto the terminal server, gettingsession info, connecting to a session or sending messages to other user sessions).

3. Guest Access (for restricted users; allows logging onto the terminal server)

Step 4 Optionally, restrict reconnections of a disconnected session to the client computer from whichthe user originally connected.

From the Sessions tab, check the last of three Override User Settings check boxes and set Allowreconnection from previous client.

Step 5 Optionally, configure encryption levels to High.

From the General tab, set Encryption level to High. Use this option only if there is a risk ofunauthorized monitoring of the communications.

Per-User Terminal Services Settings

You can configure a number of per-user terminal services settings for each user. Using ActiveDirectory Users and Computers, right click on a user and then select properties.

Step 1 On the Terminal Services Profile tab, set a user’s right to logon to terminal server by settingthe Allow logon to terminal server checkbox. Optionally, create a profile and set a path to aterminal services home directory.

Step 2 On the Sessions tab, set session active and idle time outs.

Step 3 On the Remote Control tab, set whether a remote session can be remotely viewed and controlledby administrators and whether a user’s permission is required.

pcAnywhere

NOTE: The following discussion applies to all approved versions of pcAnywhere.2

2) Refer to the Bill of Materials for the versions qualified and approved for your release of ICM.


129


pcAnywhere

Security is one of the most important considerations in implementing a remote control solution.

pcAnywhere addresses security in the following ways:

1. Restricting access to internal machines

2. Preventing unauthorized connections to a pcAnywhere host

3. Protecting the data stream during a remote control session

4. Preventing unauthorized changes to the installed product

5. Identifying security risks

6. Logging events during a remote control session

pcAnywhere is a trademark of Symantec, Inc. For details, see http://www.symantec.com/pcanywhere/.

Restricting Access to Internal Machines

One of the best ways to ensure security is to restrict connections from outside your organization.pcAnywhere is the only remote control product to provide the following ways to accomplishthis objective:

• Limiting connections to a specific TCP/IP address range—pcAnywhere hosts can beconfigured to only accept TCP/IP connections that fall within a specified range of addresses.

• Serialization - A feature that enables the embedding of a security code into the pcAnywherehost and remote objects created. This security code must be present on both ends for aconnection to be made.

Preventing unauthorized connections to a pcAnywhere host

The first line of defense in creating a secure remote computing environment is to preventunauthorized users from connecting to the host. pcAnywhere provides a number of securityfeatures to help you achieve this objective.

Table 25: pcAnywhere Security Features

Authentication is the process of taking a user’s credentials and verifying them againsta directory or access list to determine if the user is authorized to connect to the system.

Authentication

pcAnywhere now requires a password for all host sessions. This security feature preventsusers from inadvertently launching an unprotected host session.

Mandatory passwords

pcAnywhere lets dial-up users specify a call-back number for remote control sessions.In a normal pcAnywhere session, the remote connects to the host, and the session begins.

Callback security (for dial-upconnections)


130


pcAnywhere

http://www.symantec.com/pcanywhere/

http://www.symantec.com/pcanywhere/

When callback is enabled, the remote calls the host, but then the host drops the connectionand calls back the remote at the specified phone number.

Table 26: General pcAnywhere Security Settings

DescriptionChange toDefaultSettings

With pcAnywhere, host users can preventremote users from reconnecting to the host

(optional)noRestrict connections after an endof session

if the session is stopped due to a normal orabnormal end of session.

YesYesWait for anyone

Yesnoand secure by

(lock computer)

Table 27: Security Options - Connection Options


This feature prompts the host user to acknowledge the remotecaller and permit or reject the connection. By enabling this feature,

(optional)noPrompt to confirmconnection

users can know when someone is connecting to their hostcomputer. This will depend on the remote administration policyof whether users must be physically present at the server beingremotely accessed.

Table 28: Security Options - Login Options


Lets you use a combination of uppercase and lowercase lettersin a password. This setting applies to pcAnywhereAuthentication only.

yesnoMake password case sensitive

pcAnywhere lets host users limit the number of times a remoteuser can attempt to login during a single session to protectagainst hacker attacks.

33Limit login attempts per call

Similarly, host users can limit the amount of time that a remoteuser has to complete a login to protect against hacker anddenial of service attacks.

13Limit time to complete login


131


pcAnywhere

Table 29: Security Options - Session Options


Limits time of connection. pcAnywhere lets host userslimit the amount of time that a remote caller can stay

Yes

(2 Minutes)

noDisconnect if inactive

connected to the host to protect against denial of serviceattacks and improper use.

Protecting the data stream during a remote control session

Encryption prevents the data stream (including the authorization process) from being viewedusing readily available tools.

pcAnywhere offers three levels of encryption:

• pcAnywhere encryption

• Symmetric encryption

• Public key encryption

Table 30: Encryption Configuration


Lists the following encryption options:Symmetric<none>Level

None: Sends data without encrypting it.

pcAnywhere encoding: Scrambles the data using a mathematicalalgorithm so that it cannot be easily interpreted by a third party.

Symmetric: Encrypts and decrypts data using a cryptographic key.

Public key: Encrypts and decrypts data using a cryptographic key.Both the sender and recipient must have a digital certificate and anassociated public/private key pair.

Refuses a connection with a computer that uses a lower level ofencryption than the one you selected.

YesnoDeny lower encryptionlevel

Encrypts only the remote user’s identity during the authorizationprocess. This option is less secure than encrypting an entire session.

nonoEncrypt user ID andpassword only

Preventing unauthorized changes to the installed product

Integrity checking is a feature that, when enabled, verifies that the host and remote objects, DLLfiles, executables, and registry settings have not been changed since the initial installation. If


132


pcAnywhere

pcAnywhere detects changes to these files on a computer, pcAnywhere will not run. This securityfeature guards against hacker attacks and employee changes that might hurt security.

Identifying security risks

The Symantec Remote Access Perimeter Scanner (RAPS) lets administrators scan their networkand telephone lines to identify unprotected remote access hosts and plug security holes. Thistool provides administrators with a way to access the vulnerability of their network in terms ofremote access products. Using RAPS, you can automatically shut down an active pcAnywherehost that is not password protected and inform the user.

Logging events during a remote control session

You can log every file and program that is accessed during a remote control session for securityand auditing purposes. Previous versions only tracked specific pcAnywhere tasks such as loginattempts and activity within pcAnywhere. The centralized logging features in pcAnywhere letyou log events to pcAnywhere log, NT Event Log (NT, Windows Server 2003), or an SNMPmonitor.

VNC

SSH Server allows the use of VNC through an encrypted tunnel to create secure remote controlsessions. However, this configuration is currently not supported by Cisco. The performanceimpact of running an SSH server has not been determined.

TRIDIA VNC Pro

Tridia VNC Pro provides the same level of use a regular VNC but adds additional securityfeatures such as enhanced password security, viewer logs and 1024-bit encryption. For moreinformation about TRIDIA VNC Pro see http://www.tridiavncpro.com/.


133


VNC

http://www.tridiavncpro.com/


134


TRIDIA VNC Pro

Additional Security Best PracticesThis chapter lists additional security best practices.

In addition to these, you can find other ICM security considerations in the chapter on such inthe Setup and Configuration Guide for Cisco Unified Contact Center Hosted at Cisco UnifiedContact Center Hosted Install and Upgrade Guides (http://www.cisco.com/en/US/products/sw/custcosw/ps5053/prod_installation_guides_list.html).


• Additional Cisco Call Center Applications, page 135• Microsoft Internet Information Server (IIS), page 137• Sybase EAServer (Jaguar) Hardening, page 140• WMI Service Hardening, page 142• SNMP Hardening, page 143• Toll Fraud Prevention, page 144• Syskey, page 145• Third-Party Security Providers, page 145• Third-Party Management Agents, page 145

Additional Cisco Call Center Applications

Security best practices for additional Cisco Call Center applications are as follows:

Cisco Unified ICM WebView

The WebView Installation and Administration Guide contains the following security-relateddocumentation:


135

Chapter 16

http://www.cisco.com/en/US/products/sw/custcosw/ps5053/prod_installation_guides_list.html

http://www.cisco.com/en/US/products/sw/custcosw/ps5053/prod_installation_guides_list.html

• “Creating a WebView Administrator,” “Supervisors and WebView Reports,” and “SettingUp WebView Users” which describes login, domain, and password security for WebViewusers.

• “Supervisors and WebView Reports” also describes how a supervisor can see only their ownagents.

• “WebView User’s Password Expiration and Domain Security Settings” describes WebView(Unified ICM) users as taking their security setting from the domain on which they are created.The domain also sets the expiration date on the password.

• WebView online help:

Under saving reports: From the Security drop-down menu, select either Shared or Private.If you select Shared, all WebView users can access the report. If you select Private, only youcan access the report. Under Viewing graphical reports and using the Job Scheduler is adiscussion of the mechanics involved in order to allow viewing graphical reports and use ofthe Job Scheduler in a Microsoft Internet Explorer browser — which requires that all ActiveXControls and plug-ins be enabled in the browser’s security settings.

Note: Starting with release 7.0(0), WebView now supports SSL for both Sessions andAuthentication.

Cisco Unified ICM CTI Object Server (CTI OS)

In the CTI OS System Manager's Guide for Cisco Unified ICM/Contact Center Enterprise &Hosted:

• Desktop Users: the section “Desktop User Accounts” contains instructions for configuringprivileges for desktop users.

Cisco Agent Desktop (CAD)

The Cisco Agent Desktop Documentation, found within the Unified CCE Documentation Set(http://www.cisco.com/univercd/cc/td/doc/product/icm/ipccente/index.htm) .

Privileges: Required privileges of various kinds are discussed in the CAD installation guide andthe CAD administrator user’s guide.

Cisco Unified ICM Router

The file dbagent.acl is an internal file that users should not edit. This file, however, must havethe READ permission set so that it can allow users to connect to the router’s real-time feed.The file works in the background without users being aware of it.


136

Chapter 16: Additional Security Best Practices

Additional Cisco Call Center Applications

http://www.cisco.com/univercd/cc/td/doc/product/icm/ipccente/index.htm

Peripheral Gateways (PGs) and Unified CCE Agent Login

As of Release 8.0(1), there is a rate limit of Unified CCE agent login attempts with incorrectpassword. By default, the agent account is disabled for 15 minutes after three incorrect passwordattempts, counted over a period of 15 minutes.

This default can be changed through the use of registry keys. The registry keys are under:

HKLM\SOFTWARE\Cisco Systems,Inc.\\ICM\<inst>\PG(n)[A/B]\PG\CurrentVersion\PIMS\pim(n)\EAGENTData\Dynamic

AccountLockoutDuration—Default—After the account is locked out as a result of unsuccessfullogin attempts, this is the number of minutes the account will remain locked out.

AccountLockoutResetCountDuration—Default 15—Number of minutes before theAccountLockoutThreshold count goes back to zero. This is applicable when the account doesnot get locked out, but you have unsuccessful login attempts that are less thanAccountLockoutThreshold.

AccountLockoutThreshold—Default 3—Number of unsuccessful login attempts after whichthe account is locked out.

CTI OS and Monitor Mode Connection

As of release 8.0(1), there is a rate limit on Monitor Mode connection. When TLS is enabledand a password is required, Monitor Mode is disabled for 15 minutes after three incorrectpassword attempts (configurable). Counter resets on a valid login. Refer to the CTI OS SystemManager's Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted for moreinformation.

Microsoft Internet Information Server (IIS)

Internet Information Server (IIS) is required only for two applications making up the UnifiedICM/Unified CCE solution targeted in this document, WebView and Internet Script Editor.Disable, or do not install the service on any other node except for the Distributor. There aresome exceptions in multimedia configuration of the solution. In this case, product documentationand system requirements must be followed.

Hardening IIS for use with WebView and Internet Script Editor on Windows Server 2000 Platforms

Note: These hardening suggestions apply only to Windows Server 2000. The Windows Server2003 version of IIS is more secure than the version of IIS found in Windows Server 2000.

The following is a list of the top Hardening Suggestions:


137



Step 1 IIS is used as an intranet-only HTTP server for the Unified ICM product. It is expected that afirewall is deployed to protect external connections to the server.

Step 2 Install the most recent compatible service pack and updates.

Note: Refer to the Hardware & System Software Specification (Bill of Materials) for CiscoUnified ICM/Contact Center Enterprise & Hosted, Release 8.0(1) for the compatible servicepack for your product.

Step 3 Disable the following nonessential services:

• File Transfer Service

• E-mail Service

• News Service

Note: This can be accomplished using the IIS Lockdown tool as described below. However,Windows Server 2003 does not enable these extra services by default when IIS is installed.Verify that these services are not installed or that they are disabled.

The following subcomponents of Internet Information Services (IIS) must be selected duringthe installation of the web server:

• Common Files

• Internet Information Services Snap-In—for management purposes

• Internet Services Manager (HTML)—for management purposes

• World Wide Web Server

Step 4 Run the IISLockDown tool:

1. Select Static Web server template and check “View template settings” check box.

Note: On systems that do not require IIS you can use this tool to disable IIS by selectingthe ‘Server that does not require IIS’ template option.

2. Disable all services except Web service.

3. Disable all unneeded script extensions.

4. Select all additional security options except for “Scripts.”

Note: Note that all selected virtual directories must be removed with the exception of the“Scripts” virtual directory.

5. Install URLScan.

Step 5 Click Finish to complete the wizard.


138



Edit <system_directory>\system32\inetsrv\urlscan\urlscan.ini as follows:

1. Change “AllowDotInPath=0” to “AllowDotInPath=1”.

2. Add “POST” to the [AllowVerbs] section.

3. Remove all entries under [DenyUrlSequences] section.

In addition to the above edits, the following additional changes are required depending onwhether WebView or Internet Script Editor or both are going to be running on the computer.

WebView Only - No Changes Required

Internet Script Editor Only:

1. Change “UseAllowExtensions=0” to “UseAllowExtensions=1”

2. Add these entries to [AllowExtensions]

– .dll

– .ese

WebView and Internet Script Editor:

1. Change “UseAllowExtensions=0” to “UseAllowExtensions=1”

2. Add these entries to [AllowExtensions]

– .jhtml

– .jsp

– .AdminServlet

– .js

– .css

– .cab

– .psr

– .xml

– .zip

– .jar

– .


139



Note: This entry is a “dot.”

– .exe

– .dll

Step 6 Setting Registry permissions

Warning: If you use Registry Editor incorrectly, you may cause serious problems thatmay require you to reinstall your operating system. Cisco cannot guarantee that you cansolve problems that result from using the Registry Editor incorrectly. Use the RegistryEditor at your own risk and make backups as appropriate.

Use RegEdt32 to set the permissions depending on whether only WebView or only InternetScript Editor or both are going to be running on the computer.

1. WebView Only:

Add the “IUSR_<machine_name>” account to have Read only rights to theHKEY_LOCAL_MACHINE\Software and HKEY_LOCAL_MACHINE\System hives.

2. Internet Script Editor Only:

Add the “IWAM_<machine_name>” account to have Read only rights to theHKEY_LOCAL_MACHINE\Software and HKEY_LOCAL_MACHINE\System hives.

3. WebView and Internet Script Editor:

Implement both of the “WebView Only” and “Internet Script Editor Only” sections above.

Sybase EAServer (Jaguar) Hardening

Jaguar is used by some Unified ICM/Unified CCE products such as WebView. Use theseguidelines for hardening Jaguar with WebView after the installation of Unified ICM and 3rdParty Tools.

Starting Jaguar Manager

To start Jaguar Manager:

Step 1 Choose Start > Program > Sybase > EAServer 5.1 > Jaguar Manager to launch “JaguarManager” Application from the WebView Server Machine.

Step 2 After the Jaguar Manager starts, select on Tools > Connect > Jaguar Manager.

Step 3 In the resulting dialog box replace “localhost” in the “Host Name” field with the actual hostnameor host IP address.


140



Step 4 Click the Connect button.

Changing Jaguar Password

The password used to connect to the Jaguar service is changed in Jaguar Administration and inthe jagconnection.properties file. The guidelines provided below to accomplish this are alsoprovided in the reporting documentation (refer to the WebView Installation and AdministrationGuide).

Note: If the password is changed, any subsequent reinstallation of Unified ICM on a WebViewserver will prompt the user for the Jaguar Password.

The ‘jagadmin’ password is modified in two steps:

Step 1 Modify ‘jagadmin’ password on EAServer.

1. Using the tree on the left pane of Jaguar Manager, navigate to Jaguar Manager > Servers> Jaguar.

2. After selecting ‘Jaguar node, choose File >Server Properties… menu.

3. In the server properties dialog box, select Security tab.

4. Click the Set jagadmin Password button.

5. In the ‘Administrator Password’ dialog box:

– Leave ‘Old jagadmin Password’ blank.

– Enter new password in the ‘New jagadmin Password’ and ‘Verify N jagadminPassword’ fields.

6. Click OK.

Step 2 Modify ‘jagadmin’ password at WebView.

1. Using Windows Explorer, navigate to ‘<SybdaseHome>\EAServer\html\classes\com\cisco\atg is typically ‘C:\ProgramFiles\Sybase’).

2. Open file ‘jagconnection.properties’ using Notepad or WordPad.

3. Locate ‘JAGCONNECT_JAGUAR_ADMIN_PWD’ key in the properties file. By defaultit is blank.

4. Enter the new jagadmin password from Step 1 above in clear text. The modified key shouldlook like ‘JAGCONNECT_JAGUAR_ADMIN_PWD=<new password>’


141



Note: The password entered in clear text gets encrypted when WebView runs for first time afterthe change.

Restart WebView and Jaguar after you have changed the password. See the following sectionfor more details.

Restart WebView/Services

Step 1 Close Jaguar Manager.

Step 2 Restart ‘Jaguar’ service from Windows Services panel.

Step 3 Restart ‘IIS Admin’ service from Windows Services panel (this will also restart ‘World WideWeb’ service automatically).

See Also

The Windows Firewall may block port 9000 (Jaguar Manager Tool - CORBA). If you wish toopen port 9000 see Understanding the CiscoICMfwConfig_exc.xml File (page 47) to learn howto use the Cisco Firewall tool to open the port.

WMI Service Hardening

Windows Management Instrumentation (WMI) is used to manage Windows systems. WMIsecurity is an extension of the security subsystem built into Windows operating systems. WMIsecurity includes: WMI namespace-level security; Distributed COM (DCOM) security; andStandard Windows OS security.

WMI namespace-level security:

To configure the WMI namespace-level security:

Step 1 Launch the %SYSTEMROOT%\System32\Wmimgmt.msc MMC control.

Step 2 Right-click the WMI Control icon and select properties.

Step 3 Select the Security properties page.

Step 4 Select the Root folder and press the Security button.

Step 5 Remove EVERYONE from the selection list then press the OK button.

Only <machine>\Administrators should have ALL rights.


142


WMI Service Hardening

Additional WMI Security Considerations

The WMI services are set to ‘Manual’ startup by default. These services are used by Third-PartyManagement agents to capture system data and must not be disabled unless specifically required.

Perform DCOM security configuration in a manner that is consistent with your scriptingenvironment. Refer to the WMI security documentation for additional details on using DCOMsecurity.

Additional References:

• How to Set WMI Namespace Security in Windows Server 2003asp (http://support.microsoft.com/default.aspx?scid=kb;en-us;325353)

• Securing a Remote WMI Connection (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/securing_a_remote_wmi_connection.asp)

SNMP Hardening

Refer to the SNMP Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted for detailson installation, setting the community names, usernames, and trap destinations.

Although the Microsoft Management and Monitoring Tools subcomponents are necessary forSNMP manageability, the Microsoft native SNMP service will be disabled during Web Setuptool and its functionality replaced by a more secure agent infrastructure. The administrator mustnot attempt to re-enable the Microsoft SNMP service because this may cause conflicts with theCisco-installed SNMP agents.

Explicitly disable the Microsoft SNMP trap service. It is not recommended that Unified ICM/Unified CCE servers run management software for collecting SNMP traps, thus, the MicrosoftSNMP trap service is not necessary.

Versions 1 and 2c of the SNMP protocol are less secure than version 3. SNMP version 3 featuresa significant step forward in security. For Unified ICME and Unified CCE hosts located oninternal networks behind corporate firewalls, it is desirable to enable SNMP manageability byperforming the additional configuration and hardening recommendations listed below:

1. Create SNMP v1/v2c community strings or SNMP v3 user names using a combination ofupper, and lowercase characters. DO NOT use the common “public” and/or “private”community strings. Create names that are difficult to guess.

2. Use of SNMP v3 is highly preferred. Always enable authentication for each SNMP v3username. The use of a privacy protocol is also encouraged.

3. Limit the number of hosts that are allowed to connect to SNMP manageable devices.


143


SNMP Hardening

http://support.microsoft.com/default.aspx?scid=kb;en-us;325353

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/securing_a_remote_wmi_connection.asp

4. Configure community strings and usernames on manageable devices to accept SNMPrequests only from those hosts running SNMP management applications. (This is donevia the SNMP agent configuration tool when defining community strings and usernames.)

5. Enable sending of SNMP traps for authentication failures. This will alert you to potentialattackers trying to “guess” community strings and/or user names.

SNMP manageability is installed on Unified ICM/Unified CCE servers and is executing bydefault. However, for security reasons, SNMP access is denied until the configuration stepsenumerated above have been completed.

As an alternative that provides a much higher level of security, customers may choose toconfigure IPsec filters and an IPsec policy for SNMP traffic between an SNMP managementstation and SNMP agents. Follow the Microsoft recommendations on how to accomplish this.For more information on IPsec policy for SNMP traffic refer to Microsoft knowledge basearticle: Q324261.

Toll Fraud Prevention

Toll fraud is a serious issue in the Telecommunications Industry. The fraudulent use oftelecommunications technology can be very expensive for a company, and it is essential thatthe Telecom Administrator take the necessary precautions to prevent this. For Unified CCEenvironments, resources are available on Cisco.com providing some basic information to lockdown Unified CM systems and to mitigate against toll fraud.

In Unified ICM, the primary concern is in using dynamic labels in the label node of a UnifiedICM script. If the dynamic label is constructed from information entered by a caller (such aswith Run External Script), then it is possible to construct labels of the following form:

• 9.....

• 9011....

• etc.

These labels might cause the call to be sent to outside lines or even to international numbers.If the dial plans configured in the routing client would allow such numbers to go through, andthe customer does not want such labels to be used, then the Unified ICM script must check forvalid labels before using them.

A simple example is an ICM script that prompts the caller with “If you know your party’sextension, enter it now,” and then uses the digits entered blindly in a dynamic label node. It ispossible that the call could be transferred anywhere. If this behavior is not desired, then eitherthe Unified ICM routing script or the routing client’s dial plan must check for and disallowinvalid numbers.

An example of a Unified ICM script check is an “If” node that uses an expression such as

substr (Call.CallerEnteredDigits, 1, 1) = "9"


144


Toll Fraud Prevention

The True branch of this node would then branch back to ask the caller again. The False branchwould allow the call to proceed. This is, of course, only an example. Each customer must decidewhat is allowed, or not, based on their own environment.

Unified ICM does not normally just transfer calls to arbitrary phone numbers. Numbers haveto be explicitly configured as legal destinations, or alternatively the Unified ICM routing scriptcan contain logic that causes the call to be transferred to a phone number that is contained in ascript variable. It is possible for a script to be written in such a way that a caller enters a seriesof digits and the script treats it as a destination phone number and asks the routing client totransfer the call to that number. Our recommendation is to add logic to such a script to makesure the requested destination phone number is reasonable.

Syskey

Syskey enables the encryption of the account databases. It is recommended that you use Syskeyto secure any local account database.

Note: When configuring Syskey, you must use the System Generated Password and StoreStartup Key Locally options in the Startup Key dialog box.

Third-Party Security Providers

Cisco has qualified Unified ICM software with the Operating System implementations of NTLM,Kerberos V and IPsec security protocols.

Cisco does not support other third-party security provider implementations.

Third-Party Management Agents

Some server vendors include in their server operating system installations agents to provideconvenient server management and monitoring.

For example:

• HP ProLiant Servers run Insight Management Agents for Windows.

• IBM provides the IBM Director Agent.

These and other agents enable the gathering of detailed inventory information about servers,including operating system, memory, network adapters, and hardware.

While Cisco recognizes such agents can be of value, due to performance impact considerations,Cisco does not currently support their use on mission-critical Unified ICM/Unified CCE servers.


145


Syskey

Warning: You must configure agents in accordance to the Anti-Virus policies (page 123)described in this document. Do not execute Polling or intrusive scans during peak hours,but rather schedule these activities for maintenance windows.

Note: Install SNMP services as recommended by these third-party management applicationsto take full advantage of the management capabilities provided with your servers. Failing toinstall, or disabling, SNMP prevents enterprise management applications from receiving hardwareprefailure alerts and disables certain application functions such as advanced ProLiant statuspolling, inventory reporting, and version control in HP Insight Manager.

See Also

HPInsight Management Agents User Guide (ftp://ftp.compaq.com/pub/products/servers/management/imaug.pdf) HP Software Security Customer Advisories (http://h18013.www1.hp.com/products/servers/management/mgtsw-advisory.html)


146


Third-Party Management Agents

ftp://ftp.compaq.com/pub/products/servers/management/imaug.pdf

http://h18013.www1.hp.com/products/servers/management/mgtsw-advisory.html

Index

about encrypting traffic....25

account policies settings....54

account lockout policy....54

kerberos....55

password policy....54

agent reskilling....8

anti-virus guidelines....123

anti-virus recommendations....123

auditing....119

viewing auditing policies....119

batch deployment....35

boundary devices....33

call variables and extended call variables....7

cisco contact center snmp management service....9

Cisco firewall configuration utility

prerequisites....42

troubleshooting for Windows Server 2003....48

using....43

verifying....43

Cisco network isolation utility....22

process....24

working....23

Cisco SSL encryption utility....103

encrypting in standalone mode....104

installing during setup....104

cti os c++/com toolkit....8

Deploying Network Isolation Feature....26

encryption support....7

event log....65

file system....73

internet script editor....8

IPsec....11

IPSec

about IPSec....11

configuring IPSec policy....15

logging....17

monitor....17

monitoring IPSec activity....17

terminology....23

local policies....55

audit policy....55

Microsoft Baseline Security Analyzer (MBSA)....113

Microsoft windows

updating....91

monitoring network security....40

NAT....11

about NAT....12

network monitoring....18

per-user terminal services settings....129

preventing

unauthorized connections to a pcAnywhere host...130

preventing

unauthorized changes to the installed product....132

real-time alerts....120

recommendations....124

CallRouter and PG ....126

distributor....125

file type exclusion....126

logger....125

other scheduled tasks....126

registry....72

remote administration....127

Remote desktop....128

scan results

desktop application....117

internet information services ....115

security update....114


Index 147

Index

SQL server....116

windows....114

securing RDP-TCP connection....128

security best practices....135

security hardening settings

on Windows Server 2003....51

security hardening utility

manual hardening....101

security log....120

security wizard....75

configurations and restrictions....76

using....76

settings

security hardening for Windows Server 2003....51

SQL server 2005

automated hardening....99

security considerations....99

security hardening utility....100

SQL server hardening....95

top hardening....95

support for IPSec

in transport mode....13

in tunnel mode....12

Sybase EAServer (Jaguar) hardening....140

changing Jaguar password....141

starting Jaguar manager ....140

system monitoring....18

third-party management agents....145

user and agent passwords....7

WebView....8

windows server 2003 and 2008 firewall configuration...41

WMI service hardening....142


Index 148

Index

Documents

Security Best Practices Guide for Cisco Unified ICM ... · Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Releases 8.x October 2011 Americas