manualshive.com logo in svg

Cisco TELEPRESENCE MANAGEMENT SUITE SECURE SERVER, Configuration Manual

The Cisco TelePresence Management Suite Secure Server is a state-of-the-art solution for managing and securing your telepresence network. Ensure smooth operations with our comprehensive Configuration Manual, available for free download from our website. Simplify setup and maximize performance with this user-friendly manual designed to optimize your experience.

Share
Download
background image

Securing Windows Server 2003 tasks 

Cisco TMS Secure Server Configuration Guide 13.0 

Page 27 of 34 

 

 

Policy 

Security Setting 

System cryptography: Force strong key 
protection for user keys stored on the computer 

User must enter a password each time they use a 
key 

System cryptography: Use FIPS compliant 
algorithms for encryption, hashing, and signing 

Disabled

5

 

System objects: Default owner for objects 
created by members of the Administrators group 

Object creator 

System objects: Require case insensitivity for 
non-Windows subsystems 

Enabled 

System objects: Strengthen default permissions 
of internal system objects (e.g. Symbolic Links) 

Enabled 

System settings: Optional subsystems 

 

System settings: Use Certificate Rules on 
Windows Executables for Software Restriction 
Policies 

Enabled 

Set event viewer history 

The Event Viewer is logging events on the server, such as login attempts and changes to policies. The 
Event Viewer is found under Start > Control Panel > Administrative Tools > Event Viewer. Specific 
events related to Cisco TMS are found under the TANDBERG folder. For each of the event types, the 
log files should be set to retain informative amounts of data, but they must be limited to prevent 
attacks from filling up the disk.  

1. 

To set the size of the log file, right-click each event type. 

2. 

Select Properties

3. 

Set the Maximum log size to 131072 KB. 

4. 

Select Overwrite events as needed. 

Remove any file shares 

1.  Go to Windows Start > Control Panel > Administrative Tools > Computer Management.  

2.  Expand System Tools and Shared Folders and select Shares. Under Shares several hidden 

shares are set up by default.  

3.  Remove all except the IPC$ share. If you have 

disabled the Server service in the previous steps

no shares will be available. 

 
Windows Server creates, by default, administrative shares of your local drives during startup. As soon 
as the Server service is started these shares are activated, so in order to remove the shares a registry 
key must be created. To do this, create the following key in the Registry Editor:  
 

1. 

Go to Start > Run and type ‘regedit’. This will open the Registry Editor. 

2. 

Browse to 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters 

3. 

Right-click in the left-hand side of the window 

4. 

Select New>DWORD value. 

                                                      

 

 

5

 You may enable this setting. The consequence of enabling it is that you need version 5.2 of the 

Remote Desktop client (XP comes with 5.1) to remotely administrate the server, and you need to 
enable TLS 1.0 in your browser for SSL access.  

Summary of Contents for TELEPRESENCE MANAGEMENT SUITE SECURE SERVER

Page 1: ...Cisco TelePresence Management Suite Secure Server Hardening Windows Server 2003 for Cisco TMS 13 0 Product Configuration Guide D13148 08 December 2010 ...

Page 2: ...e Windows Firewall 17 Apply appropriate file ACLs 18 Audit policy 20 User rights assignment 21 Security options 23 Set event viewer history 27 Remove any file shares 27 Screen saver 28 Disable dump file creation 28 Miscellaneous registry changes 28 Protect the registry from anonymous access 28 Disable 8 3 file format compatibility 28 Clear paging file at shutdown 29 Disable Autorun from CD 29 Prot...

Page 3: ...nts 15 Table 4 Required port exceptions 17 Table 5 Required program exceptions 18 Table 6 Summary of audit policy settings 21 Table 7 List of recommended user rights settings 21 Table 8 Recommended security options 24 Table 9 Hardening the TCP IP stack 29 Table 10 Extensions to leave enabled 30 Table 11 Nodes to select when applying permissions 31 Table 12 Extensions to remove 31 ...

Page 4: ...ve update for Windows 2003 SP1 Changes Removal of Windows 2000 specific references Updated formatting and reorganization Removed incorrect IIS anonymous restrictions Added SQL Server Service Accounts Added Cisco TMS Service Accounts Revision 8 Updated information and visual template Revision 9 Stage 1 rebranding Revision 10 Stage 2 rebranding new product names ...

Page 5: ...ncreased the security of a default installation of Windows 2003 SP2 compared to Windows 2000 or earlier If you still wish to further tighten the security of your installed servers Microsoft provides guidelines on hardening servers based on several degrees of strength and the task that the server will perform This document is intended to provide instruction on how to harden a Windows 2003 server fo...

Page 6: ... This document does not guarantee that your server is secure from attacks even if you have applied all the changes described Cisco is not responsible for potential harm that attackers might cause nor any damage caused to your server by following the steps outlined in this document ...

Page 7: ...Install the latest Windows Service Pack As each Service Pack from Microsoft includes all security fixes known to date it is vital that the latest version is installed Update your baseline server to the latest Service Pack for Windows 4 Install the appropriate post Service Pack security updates Update the server to the latest available post Service Pack security updates and any relevant hot fixes Y...

Page 8: ...n your user groups and default system permissions before rolling out Cisco TMS into production 9 Check and apply security fixes for SQL and IIS Run Windows Update again to check for any updates for any additional components that have been installed along with Cisco TMS Check the Microsoft SQL Server website and install any updates for the SQL Server engine This concludes the basic installation The...

Page 9: ...the Event Log is checked regularly for any attempts to use the dummy administrator account 2 Set strong password and lockout policies To change the password policies go to Windows Start Control Panel Administrative Tools Local Security Policy Note Domain level policy settings may override these settings Password rules Choose Account Policies Password Policy and apply the following changes Set the ...

Page 10: ...S Service User Account Create a Cisco TMS Service Account Cisco TMS will install its services to run as the Local System account To run at lowest possible privileges a local Windows account will be configured Create a local Windows User to act as the service account for Cisco TMS Services and the Cisco TMS website Use a strong password and a username of your choice The placeholder name tmsserviceu...

Page 11: ...r Provisioning OpenDS import tmp 1 LocalMachine Administrators 2 SYSTEM 3 tmsserviceuser 1 Full Control 2 Full Control 3 Full Control tms installdir Provisioning OpenDS locks 1 LocalMachine Administrators 2 SYSTEM 3 tmsserviceuser 1 Full Control 2 Full Control 3 Full Control tms installdir Provisioning OpenDS logs 1 LocalMachine Administrators 2 SYSTEM 3 tmsserviceuser 1 Full Control 2 Full Contro...

Page 12: ...msserviceuser 3 Authenticated Users 1 Full Control 2 Full Control 3 Full Control 4 Read tms installdir wwwTMS Data Snapshot 1 LocalMachine Administrators 2 SYSTEM 3 tmsserviceuser 3 Authenticated Users 1 Full Control 2 Full Control 3 Full Control 4 Read tms installdir wwwTMS Data Software 1 LocalMachine Administrators 2 SYSTEM 3 tmsserviceuser 3 Authenticated Users 1 Full Control 2 Full Control 3 ...

Page 13: ...s Start Control Panel Administrative Tools Services Locate the services whose names start with TMS For each of these service do the following 1 Double click the service to open the properties window 2 Select the Log On tab and select This Account 3 Enter the account details for the tmsserviceuser account 4 Click OK 5 Right click the service 6 Select Restart to have the changes take effect Note The...

Page 14: ...nt Include Accessories and Utilities N Application Server Application Server Console N ASP NET Y Enable network COM access Y Enable network DTC access N Internet Information Services Y see second table for details Message Queuing N Certificate Services N E mail Services N Fax Services N Indexing Services N Internet Explorer Enhanced Security Configuration For administrator groups Y For all other u...

Page 15: ...To reduce the attack surface of the Cisco TMS server all Windows Services that are not required by Cisco TMS should in general be disabled Go to Windows Start Control Panel Administrative Tools Services Disable the services in the following list 1 Right click each of them 2 Under the General tab click Properties and select Disabled for Startup type The status should then be displayed as Disabled u...

Page 16: ...ager Kerberos Key Distribution Center Virtual Disk Service License Logging WebClient Messenger Windows Audio NetMeeting Remote Desktop Sharing Windows Cardspace Network DDE Windows Image Acquisition WIA Network DDE DSDM Windows Management Instrumentation Driver Extensions Network Location Awareness Windows Presentation Foundation Font Cache 3 0 0 0 Network Provisioning Service Windows User Mode Dr...

Page 17: ...nchecked and disabled Configuring TCP IP To further secure the server the Internet Protocol TCP IP protocol settings must be configured correctly 1 Go to Windows Start Control Panel Network Connections Local Area Connection 2 Under the General tab click the Properties button 3 Click Internet Protocol TCP IP 4 Click the Advanced button 5 Select the WINS tab disable any WINS servers that have been d...

Page 18: ...for port 3389 TCP This is however a security risk If practical you can reduce this risk by only allowing traffic on port 3389 from particular IP addresses or the local subnet This is done by selecting the exception and clicking on Edit and then Change scope Apply appropriate file ACLs A clean install of Windows Server 2003 has secure ACLs on the file system To secure the server even further give t...

Page 19: ...ctory MSSQL 1 MS SQL repldata 1 LocalMachine Administrators 2 SYSTEM 3 SQLServer2005MSSQLUSER Computer Name InstanceName 1 Full 2 Full 3 Full sql directory MSSQL 1 MS SQL Template Data 1 LocalMachine Administrators 2 SYSTEM 3 SQLServer2005MSSQLUSER Computer Name InstanceName 1 Full 2 Full 3 Full Program Files Microsoft SQL Server 80 tools 1 LocalMachine Administrators 2 SYSTEM 3 SQLServer2005MSSQL...

Page 20: ...s 3 SYSTEM 1 Full 2 Read Execute 3 Full systemroot Config 1 LocalMachine Administrators 2 LocalMachine Users 3 SYSTEM 1 Full 2 Read List 3 Full systemroot System3 2 systemroot System3 2 LogFiles systemroot System3 2 InetSrv 1 LocalMachine Administrators 2 LocalMachine Users 3 SYSTEM 1 Full 2 Read Execute 3 Full systemroot System 1 LocalMachine Administrators 2 LocalMachine Users 3 SYSTEM 1 Full 2 ...

Page 21: ...olicy determines whether to log changes to user rights assignment policies trust policies and audit policies Log only successes Audit privilege use Failure The Audit privilege use policy determines whether to log use of a user right Failures should be logged as a failed privilege use can indicate an attempted security breach Audit process tracking No Auditing The Audit process tracking policy dete...

Page 22: ...e the system time SeSystemTimePrivilege Administrators Create a pagefile SeCreatePagefilePrivilege Administrators Create a token object SeCreateTokenPrivilege Create global objects SeCreateGlobalPrivilege Administrators SERVICE Create permanent shared objects SeCreatePermanentPrivilege Debug programs SeDebugPrivilege Deny access to this computer from the network SeDenyNetworkLogonRight Support_388...

Page 23: ...s Modify firmware environment values SeSystemEnvironmentPrivilege Administrators Perform Volume Maintenance Tasks SeManageVolumePrivilege Administrators Profile single process SeProfileSingleProcessPrivilege Administrators Profile system performance SeSystemProfilePrivilege Administrators Remove computer from docking station SeUndockPrivilege Administrators Replace a process level token SeAssignPr...

Page 24: ...trictions in Security Descriptor Definition Language Not Defined Devices Allow undock without having to log on Disabled Devices Allowed to format and eject removable media Administrators Devices Prevent users from installing printer drivers Enabled Devices Restrict CD ROM access to locally logged on user only Disabled Devices Restrict floppy access to locally logged on user only Disabled Devices U...

Page 25: ...kstation Enabled Interactive logon Require smart card Disabled Interactive logon Smart card removal behavior Lock Workstation Microsoft network client Digitally sign communications always Disabled Microsoft network client Digitally sign communications if server agrees Enabled Microsoft network client Send unencrypted password to third party SMB servers Disabled Microsoft network server Amount of i...

Page 26: ...nymous access to Named Pipes and Shares Enabled Network access Shares that can be accessed anonymously Network access Sharing and security model for local accounts Classic Local users Network security Do not store LAN Manager hash value on next password change Enabled Network security Force logoff when logon hours expire Disabled Network security LAN Manager authentication level Send NTMLv2 respon...

Page 27: ...mounts of data but they must be limited to prevent attacks from filling up the disk 1 To set the size of the log file right click each event type 2 Select Properties 3 Set the Maximum log size to 131072 KB 4 Select Overwrite events as needed Remove any file shares 1 Go to Windows Start Control Panel Administrative Tools Computer Management 2 Expand System Tools and Shared Folders and select Shares...

Page 28: ...p file creation If the system crashes a dump file can provide a hacker with sensitive information To disable the dump file creation 1 Go to Windows Start Control Panel System Under the Advanced tab 2 Under Startup and Recovery click the Settings button 3 Select none under Write Debugging Information Miscellaneous registry changes To edit settings used to secure the server edit the registry on the ...

Page 29: ...ControlSet Services Cdrom Modify Value Name Autorun Value Type REG_DWORD Value 0 Protection against denial of service attacks In order to harden the TCP IP stack go into the following hive Under HKEY_LOCAL_MACHINE System CurrentControlSet Services Tcpip Parameters create the values shown in Table 9 Table 9 Hardening the TCP IP stack Registry entry Format Value EnableICMPRedirect DWORD 0 SynAttackP...

Page 30: ...Delete the default installed examples Delete the following directories and their contents from the file system of your Cisco TMS server InetPub AdminScripts WINDOWS System32 Inetsrv iisadmpwd WINDOWS web printers Delete all files under InetPub wwwroot but do not delete the directory Disable unneeded web extensions 1 Go to Windows Start Control Panel Administrative Tools Internet Information Servic...

Page 31: ...de Select to Inherit TMSAgent Yes Pwx No TMS Yes TMS Public No TMSConferenceAPI No XAPSite No Note You cannot remove anonymous access to the entire website Anonymous access is required on several nodes so that devices can send data to Cisco TMS Applying permissions as stated above from a standard Cisco TMS installation will maintain the required access rights Delete unused application mappings 1 G...

Page 32: ...on Services IIS Manager 2 Expand the website Cisco TMS is installed in 3 Right click the XAPDLL directory 4 Click Delete to delete the files and directory TMS Install Dir wwwtms public XAPSite Optional Remove Polycom Endpoint support If you are not managing Polycom Endpoints you can remove the portions required to support them to reduce surface area of the public website 1 Go to Windows Start Cont...

Page 33: ...S Optional Remove XAPDLL Optional Remove Polycom Endpoint support Continued monitoring It is important that the server s logs be continually audited to monitor for undesired behavior or attempts to break into the server The Windows Event Viewer can be used to monitor the security audits enabled and the IIS logs can be used for additional information regarding access to the website The IIS Logs can...

Page 34: ...ES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INA...

Reviews:

No comments

Related manuals for TELEPRESENCE MANAGEMENT SUITE SECURE SERVER

3M 740 Software preview
740
Brand: 3M Pages: 3
IBM System Storage DS3000 Installation Manual preview
System Storage DS3000
Brand: IBM Pages: 38
Adobe ACROBAT 3D Manual preview
ACROBAT 3D
Brand: Adobe Pages: 822
Altigen AltiWare OE 4.6 Administration Manual preview
AltiWare OE 4.6
Brand: Altigen Pages: 518
NETGEAR GS110TP - ProSafe Gigabit Smart Switch Installation Manual preview
GS110TP - ProSafe Gigabit Smart Switch
Brand: NETGEAR Pages: 2
Siemens OC130S Installation Instructions Manual preview
OC130S
Brand: Siemens Pages: 11
Siemens ID Mouse V 3.1 User Manual preview
ID Mouse V 3.1
Brand: Siemens Pages: 28
Siemens ROS User Manual preview
ROS
Brand: Siemens Pages: 32
Siemens OpenScape Xpressions PhoneMail User Manual preview
OpenScape Xpressions PhoneMail
Brand: Siemens Pages: 110
Roxio Toast 6 Titanium Getting Started Manual preview
Toast 6 Titanium
Brand: Roxio Pages: 132
Navman SPiN 100 User Manual preview
SPiN 100
Brand: Navman Pages: 52
Online Media Technologies AVS DVD Copy Manual preview
AVS DVD Copy
Brand: Online Media Technologies Pages: 46
Autodesk 225A1-05A111-1001 - AutoCAD Electrical 2009 Getting Started preview
225A1-05A111-1001 - AutoCAD Electrical 2009
Brand: Autodesk Pages: 255
Red Hat ENTERPRISE LINUX AS 2.1 - Installation Manual preview
ENTERPRISE LINUX AS 2.1 -
Brand: Red Hat Pages: 210
Red Hat ENTERPRISE LINUX 5.3 - RELEASE MANIFEST Release Note preview
ENTERPRISE LINUX 5.3 - RELEASE MANIFEST
Brand: Red Hat Pages: 240
FieldServer FS-8704-13 Driver Manual preview
FS-8704-13
Brand: FieldServer Pages: 19
Oce XMPie User Manual preview
XMPie
Brand: Oce Pages: 22
MACROMEDIA COLDFUSION 4.5-DEVELOPING WEB Develop Manual preview
COLDFUSION 4.5-DEVELOPING WEB
Brand: MACROMEDIA Pages: 380

Brands by name

Popular brands

Load more brands