manualshive.com logo in svg

Cisco TELEPRESENCE MANAGEMENT SUITE SECURE SERVER, Configuration Manual

The Cisco TelePresence Management Suite Secure Server is a state-of-the-art solution for managing and securing your telepresence network. Ensure smooth operations with our comprehensive Configuration Manual, available for free download from our website. Simplify setup and maximize performance with this user-friendly manual designed to optimize your experience.

Share
Download
background image

Securing Windows Server 2003 tasks 

Cisco TMS Secure Server Configuration Guide 13.0 

Page 24 of 34 

 

 

Table 8 Recommended security options 

Policy 

Security Setting 

Accounts: Administrator account status 

Enabled 

Accounts: Guest account status 

Disabled 

Accounts: Limit local account use of blank 
passwords to console logon only 

Enabled 

Accounts: Rename administrator account 

(Rename to a unique name and delete 
description) 

Accounts: Rename guest account 

(Rename to a unique name) 

Audit: Audit the access of global system objects 

Disabled 

Audit: Audit the use of Backup and Restore 
privilege 

Disabled 

Audit: Shut down system immediately if unable 
to log security audits 

Enabled  

Note: This setting creates some overhead. 

DCOM: Machine Access Restrictions in Security 
Descriptor Definition Language 

Not Defined 

DCOM: Machine Launch Restrictions in Security 
Descriptor Definition Language 

Not Defined 

Devices: Allow undock without having to log on 

Disabled 

Devices: Allowed to format and eject removable 
media 

Administrators 

Devices: Prevent users from installing printer 
drivers 

Enabled 

Devices: Restrict CD-ROM access to locally 
logged-on user only 

Disabled 

Devices: Restrict floppy access to locally 
logged-on user only 

Disabled 

Devices: Unsigned driver installation behavior 

Warn but allow installation 

Domain controller: Allow server operators to 
schedule tasks 

Not defined 

Domain controller: LDAP server signing 
requirements 

Not defined 

Domain controller: Refuse machine account 
password changes 

Not defined 

Domain member: Digitally encrypt or sign 
secure channel data (always) 

Enabled 

Domain member: Digitally encrypt secure 
channel data (when possible) 

Enabled 

Domain member: Digitally sign secure channel 
data (when possible) 

Enabled 

Domain member: Disable machine account 
password changes 

Disabled 

Domain member: Maximum machine account 
password age 

30 Days 

Summary of Contents for TELEPRESENCE MANAGEMENT SUITE SECURE SERVER

Page 1: ...Cisco TelePresence Management Suite Secure Server Hardening Windows Server 2003 for Cisco TMS 13 0 Product Configuration Guide D13148 08 December 2010 ...

Page 2: ...e Windows Firewall 17 Apply appropriate file ACLs 18 Audit policy 20 User rights assignment 21 Security options 23 Set event viewer history 27 Remove any file shares 27 Screen saver 28 Disable dump file creation 28 Miscellaneous registry changes 28 Protect the registry from anonymous access 28 Disable 8 3 file format compatibility 28 Clear paging file at shutdown 29 Disable Autorun from CD 29 Prot...

Page 3: ...nts 15 Table 4 Required port exceptions 17 Table 5 Required program exceptions 18 Table 6 Summary of audit policy settings 21 Table 7 List of recommended user rights settings 21 Table 8 Recommended security options 24 Table 9 Hardening the TCP IP stack 29 Table 10 Extensions to leave enabled 30 Table 11 Nodes to select when applying permissions 31 Table 12 Extensions to remove 31 ...

Page 4: ...ve update for Windows 2003 SP1 Changes Removal of Windows 2000 specific references Updated formatting and reorganization Removed incorrect IIS anonymous restrictions Added SQL Server Service Accounts Added Cisco TMS Service Accounts Revision 8 Updated information and visual template Revision 9 Stage 1 rebranding Revision 10 Stage 2 rebranding new product names ...

Page 5: ...ncreased the security of a default installation of Windows 2003 SP2 compared to Windows 2000 or earlier If you still wish to further tighten the security of your installed servers Microsoft provides guidelines on hardening servers based on several degrees of strength and the task that the server will perform This document is intended to provide instruction on how to harden a Windows 2003 server fo...

Page 6: ... This document does not guarantee that your server is secure from attacks even if you have applied all the changes described Cisco is not responsible for potential harm that attackers might cause nor any damage caused to your server by following the steps outlined in this document ...

Page 7: ...Install the latest Windows Service Pack As each Service Pack from Microsoft includes all security fixes known to date it is vital that the latest version is installed Update your baseline server to the latest Service Pack for Windows 4 Install the appropriate post Service Pack security updates Update the server to the latest available post Service Pack security updates and any relevant hot fixes Y...

Page 8: ...n your user groups and default system permissions before rolling out Cisco TMS into production 9 Check and apply security fixes for SQL and IIS Run Windows Update again to check for any updates for any additional components that have been installed along with Cisco TMS Check the Microsoft SQL Server website and install any updates for the SQL Server engine This concludes the basic installation The...

Page 9: ...the Event Log is checked regularly for any attempts to use the dummy administrator account 2 Set strong password and lockout policies To change the password policies go to Windows Start Control Panel Administrative Tools Local Security Policy Note Domain level policy settings may override these settings Password rules Choose Account Policies Password Policy and apply the following changes Set the ...

Page 10: ...S Service User Account Create a Cisco TMS Service Account Cisco TMS will install its services to run as the Local System account To run at lowest possible privileges a local Windows account will be configured Create a local Windows User to act as the service account for Cisco TMS Services and the Cisco TMS website Use a strong password and a username of your choice The placeholder name tmsserviceu...

Page 11: ...r Provisioning OpenDS import tmp 1 LocalMachine Administrators 2 SYSTEM 3 tmsserviceuser 1 Full Control 2 Full Control 3 Full Control tms installdir Provisioning OpenDS locks 1 LocalMachine Administrators 2 SYSTEM 3 tmsserviceuser 1 Full Control 2 Full Control 3 Full Control tms installdir Provisioning OpenDS logs 1 LocalMachine Administrators 2 SYSTEM 3 tmsserviceuser 1 Full Control 2 Full Contro...

Page 12: ...msserviceuser 3 Authenticated Users 1 Full Control 2 Full Control 3 Full Control 4 Read tms installdir wwwTMS Data Snapshot 1 LocalMachine Administrators 2 SYSTEM 3 tmsserviceuser 3 Authenticated Users 1 Full Control 2 Full Control 3 Full Control 4 Read tms installdir wwwTMS Data Software 1 LocalMachine Administrators 2 SYSTEM 3 tmsserviceuser 3 Authenticated Users 1 Full Control 2 Full Control 3 ...

Page 13: ...s Start Control Panel Administrative Tools Services Locate the services whose names start with TMS For each of these service do the following 1 Double click the service to open the properties window 2 Select the Log On tab and select This Account 3 Enter the account details for the tmsserviceuser account 4 Click OK 5 Right click the service 6 Select Restart to have the changes take effect Note The...

Page 14: ...nt Include Accessories and Utilities N Application Server Application Server Console N ASP NET Y Enable network COM access Y Enable network DTC access N Internet Information Services Y see second table for details Message Queuing N Certificate Services N E mail Services N Fax Services N Indexing Services N Internet Explorer Enhanced Security Configuration For administrator groups Y For all other u...

Page 15: ...To reduce the attack surface of the Cisco TMS server all Windows Services that are not required by Cisco TMS should in general be disabled Go to Windows Start Control Panel Administrative Tools Services Disable the services in the following list 1 Right click each of them 2 Under the General tab click Properties and select Disabled for Startup type The status should then be displayed as Disabled u...

Page 16: ...ager Kerberos Key Distribution Center Virtual Disk Service License Logging WebClient Messenger Windows Audio NetMeeting Remote Desktop Sharing Windows Cardspace Network DDE Windows Image Acquisition WIA Network DDE DSDM Windows Management Instrumentation Driver Extensions Network Location Awareness Windows Presentation Foundation Font Cache 3 0 0 0 Network Provisioning Service Windows User Mode Dr...

Page 17: ...nchecked and disabled Configuring TCP IP To further secure the server the Internet Protocol TCP IP protocol settings must be configured correctly 1 Go to Windows Start Control Panel Network Connections Local Area Connection 2 Under the General tab click the Properties button 3 Click Internet Protocol TCP IP 4 Click the Advanced button 5 Select the WINS tab disable any WINS servers that have been d...

Page 18: ...for port 3389 TCP This is however a security risk If practical you can reduce this risk by only allowing traffic on port 3389 from particular IP addresses or the local subnet This is done by selecting the exception and clicking on Edit and then Change scope Apply appropriate file ACLs A clean install of Windows Server 2003 has secure ACLs on the file system To secure the server even further give t...

Page 19: ...ctory MSSQL 1 MS SQL repldata 1 LocalMachine Administrators 2 SYSTEM 3 SQLServer2005MSSQLUSER Computer Name InstanceName 1 Full 2 Full 3 Full sql directory MSSQL 1 MS SQL Template Data 1 LocalMachine Administrators 2 SYSTEM 3 SQLServer2005MSSQLUSER Computer Name InstanceName 1 Full 2 Full 3 Full Program Files Microsoft SQL Server 80 tools 1 LocalMachine Administrators 2 SYSTEM 3 SQLServer2005MSSQL...

Page 20: ...s 3 SYSTEM 1 Full 2 Read Execute 3 Full systemroot Config 1 LocalMachine Administrators 2 LocalMachine Users 3 SYSTEM 1 Full 2 Read List 3 Full systemroot System3 2 systemroot System3 2 LogFiles systemroot System3 2 InetSrv 1 LocalMachine Administrators 2 LocalMachine Users 3 SYSTEM 1 Full 2 Read Execute 3 Full systemroot System 1 LocalMachine Administrators 2 LocalMachine Users 3 SYSTEM 1 Full 2 ...

Page 21: ...olicy determines whether to log changes to user rights assignment policies trust policies and audit policies Log only successes Audit privilege use Failure The Audit privilege use policy determines whether to log use of a user right Failures should be logged as a failed privilege use can indicate an attempted security breach Audit process tracking No Auditing The Audit process tracking policy dete...

Page 22: ...e the system time SeSystemTimePrivilege Administrators Create a pagefile SeCreatePagefilePrivilege Administrators Create a token object SeCreateTokenPrivilege Create global objects SeCreateGlobalPrivilege Administrators SERVICE Create permanent shared objects SeCreatePermanentPrivilege Debug programs SeDebugPrivilege Deny access to this computer from the network SeDenyNetworkLogonRight Support_388...

Page 23: ...s Modify firmware environment values SeSystemEnvironmentPrivilege Administrators Perform Volume Maintenance Tasks SeManageVolumePrivilege Administrators Profile single process SeProfileSingleProcessPrivilege Administrators Profile system performance SeSystemProfilePrivilege Administrators Remove computer from docking station SeUndockPrivilege Administrators Replace a process level token SeAssignPr...

Page 24: ...trictions in Security Descriptor Definition Language Not Defined Devices Allow undock without having to log on Disabled Devices Allowed to format and eject removable media Administrators Devices Prevent users from installing printer drivers Enabled Devices Restrict CD ROM access to locally logged on user only Disabled Devices Restrict floppy access to locally logged on user only Disabled Devices U...

Page 25: ...kstation Enabled Interactive logon Require smart card Disabled Interactive logon Smart card removal behavior Lock Workstation Microsoft network client Digitally sign communications always Disabled Microsoft network client Digitally sign communications if server agrees Enabled Microsoft network client Send unencrypted password to third party SMB servers Disabled Microsoft network server Amount of i...

Page 26: ...nymous access to Named Pipes and Shares Enabled Network access Shares that can be accessed anonymously Network access Sharing and security model for local accounts Classic Local users Network security Do not store LAN Manager hash value on next password change Enabled Network security Force logoff when logon hours expire Disabled Network security LAN Manager authentication level Send NTMLv2 respon...

Page 27: ...mounts of data but they must be limited to prevent attacks from filling up the disk 1 To set the size of the log file right click each event type 2 Select Properties 3 Set the Maximum log size to 131072 KB 4 Select Overwrite events as needed Remove any file shares 1 Go to Windows Start Control Panel Administrative Tools Computer Management 2 Expand System Tools and Shared Folders and select Shares...

Page 28: ...p file creation If the system crashes a dump file can provide a hacker with sensitive information To disable the dump file creation 1 Go to Windows Start Control Panel System Under the Advanced tab 2 Under Startup and Recovery click the Settings button 3 Select none under Write Debugging Information Miscellaneous registry changes To edit settings used to secure the server edit the registry on the ...

Page 29: ...ControlSet Services Cdrom Modify Value Name Autorun Value Type REG_DWORD Value 0 Protection against denial of service attacks In order to harden the TCP IP stack go into the following hive Under HKEY_LOCAL_MACHINE System CurrentControlSet Services Tcpip Parameters create the values shown in Table 9 Table 9 Hardening the TCP IP stack Registry entry Format Value EnableICMPRedirect DWORD 0 SynAttackP...

Page 30: ...Delete the default installed examples Delete the following directories and their contents from the file system of your Cisco TMS server InetPub AdminScripts WINDOWS System32 Inetsrv iisadmpwd WINDOWS web printers Delete all files under InetPub wwwroot but do not delete the directory Disable unneeded web extensions 1 Go to Windows Start Control Panel Administrative Tools Internet Information Servic...

Page 31: ...de Select to Inherit TMSAgent Yes Pwx No TMS Yes TMS Public No TMSConferenceAPI No XAPSite No Note You cannot remove anonymous access to the entire website Anonymous access is required on several nodes so that devices can send data to Cisco TMS Applying permissions as stated above from a standard Cisco TMS installation will maintain the required access rights Delete unused application mappings 1 G...

Page 32: ...on Services IIS Manager 2 Expand the website Cisco TMS is installed in 3 Right click the XAPDLL directory 4 Click Delete to delete the files and directory TMS Install Dir wwwtms public XAPSite Optional Remove Polycom Endpoint support If you are not managing Polycom Endpoints you can remove the portions required to support them to reduce surface area of the public website 1 Go to Windows Start Cont...

Page 33: ...S Optional Remove XAPDLL Optional Remove Polycom Endpoint support Continued monitoring It is important that the server s logs be continually audited to monitor for undesired behavior or attempts to break into the server The Windows Event Viewer can be used to monitor the security audits enabled and the IIS logs can be used for additional information regarding access to the website The IIS Logs can...

Page 34: ...ES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INA...

Reviews:

No comments

Related manuals for TELEPRESENCE MANAGEMENT SUITE SECURE SERVER

Omron CX-SUPERVISOR V3 Brochure preview
CX-SUPERVISOR V3
Brand: Omron Pages: 5
Sun Microsystems 2005Q2 Quick Start Manual preview
2005Q2
Brand: Sun Microsystems Pages: 38
AVG 8.5 ANTI-VIRUS - LINUX-FREEBSD REV 85.2 User Manual preview
8.5 ANTI-VIRUS - LINUX-FREEBSD REV 85.2
Brand: AVG Pages: 234
Fujitsu ETERNUS VSS Hardware Provider 2.1 User Manual preview
ETERNUS VSS Hardware Provider 2.1
Brand: Fujitsu Pages: 134
Fujitsu ATLAS V14 User Manual preview
ATLAS V14
Brand: Fujitsu Pages: 302
Fujitsu PFU Rack2-Filer User Manual preview
PFU Rack2-Filer
Brand: Fujitsu Pages: 463
Fujitsu Eternus web GUI User Manual preview
Eternus web GUI
Brand: Fujitsu Pages: 635
Fujitsu ETERNUS User Manual preview
ETERNUS
Brand: Fujitsu Pages: 64
FARONICS INSIGHT - Manual preview
INSIGHT -
Brand: FARONICS Pages: 43
Sawgrass Aficio GX7000 Getting Started Manual preview
Aficio GX7000
Brand: Sawgrass Pages: 48
Tascam HS-P82 Release Note preview
HS-P82
Brand: Tascam Pages: 6
Navman Smart V3 User Manual preview
Smart V3
Brand: Navman Pages: 53
Tech Source RAPTOR 1100T - X11R6.1 FOR AIX Installation Manual preview
RAPTOR 1100T - X11R6.1 FOR AIX
Brand: Tech Source Pages: 40
DigiDesign Synchronic Manual preview
Synchronic
Brand: DigiDesign Pages: 68
MACROMEDIA DIRECTOR MX-USING DIRECTOR MX Use Manual preview
DIRECTOR MX-USING DIRECTOR MX
Brand: MACROMEDIA Pages: 624
IBM PERFORMANCE MANAGEMENT FOR POWER SYSTEMS - GRAPH REFERENCE DOCUMENT... Reference preview
PERFORMANCE MANAGEMENT FOR POWER SYSTEMS - GRAPH REFERENCE DOCUMENT...
Brand: IBM Pages: 109
National Instruments Instrument Driver NI-DMM Quick Reference preview
Instrument Driver NI-DMM
Brand: National Instruments Pages: 12
IBM WebSphere Adapters User Manual preview
WebSphere Adapters
Brand: IBM Pages: 226

Brands by name

Popular brands

Load more brands