
Securing Windows Server 2003 tasks 

Cisco TMS Secure Server Configuration Guide 13.0 

Page 17 of 34

Services to disable (continued from the previous page):

Uninterruptible Power Supply
Volume Shadow Copy

Network services 

In general, any service not required by Cisco TMS should not be running on the Cisco TMS server, in order to reduce its attack surface. This is particularly important for network services, since they are reachable by an attacker without local access.

1. Go to Windows Start > Control Panel > Network Connections. Ensure that only the 'Local Area Connection' is available; any other connection should be disabled or removed.
2. Select this connection.
3. Under the General tab, click the Properties button.
4. Make sure Internet Protocol (TCP/IP) is enabled.
5. Client for Microsoft Networks should be enabled only if you wish to allow domain administrators to log into the server.
6. File and Printer Sharing for Microsoft Networks is not recommended, but may be required if you want to create shares to transfer files (such as software packages or Cisco TMS upgrades) to the Cisco TMS server over the network. If you do enable it, keep the matching firewall exception limited to your management network and remove the shares again once the transfer is finished.
7. Make sure any other services and protocols listed for the connection are unchecked and disabled.

Configuring TCP/IP 

To further secure the server, the Internet Protocol (TCP/IP) settings must be configured so that the server neither uses WINS nor exposes NetBIOS over TCP/IP.

1. Go to Windows Start > Control Panel > Network Connections > Local Area Connection.
2. Under the General tab, click the Properties button.
3. Click Internet Protocol (TCP/IP).
4. Click the Advanced button.
5. Select the WINS tab and remove any WINS servers that have been defined. If the WINS server component itself is installed on the server, uninstall it as well.
6. Click the Disable NetBIOS over TCP/IP radio button.

Note: Disabling NetBIOS over TCP/IP stops the server listening on UDP 137/138 and TCP 139. SMB traffic, including any share you kept under File and Printer Sharing, continues over TCP 445 (direct-hosted SMB), and name resolution then relies on DNS alone.
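The WINS and NetBIOS settings from steps 5 and 6 can also be applied and verified from a script, which is useful when several Cisco TMS servers must be hardened identically. The script below is an added example and is not code from the Cisco guide. It assumes Windows PowerShell is installed on the Windows Server 2003 host (it is an optional download there, not part of the base operating system) and that the session runs as a local Administrator. It uses the SetWINSServer and SetTcpipNetbios methods of the Win32_NetworkAdapterConfiguration WMI class, which are the programmatic equivalent of the WINS tab settings.

```powershell
# Added example (not from the Cisco guide): script equivalent of "Configuring TCP/IP"
# steps 5 and 6. Assumes Windows PowerShell is installed on the Windows Server 2003
# host and that the session runs as a local Administrator.

# Win32_NetworkAdapterConfiguration.SetTcpipNetbios option values:
#   0 = take the setting from DHCP, 1 = enable NetBIOS over TCP/IP, 2 = disable it
$DisableNetbiosOverTcpip = 2

# Apply to every adapter that has TCP/IP bound (the 'Local Area Connection' in the guide)
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($nic in $adapters) {
    # Empty strings clear the primary and secondary WINS server entries (step 5)
    $wins = $nic.SetWINSServer("", "")
    # Disable NetBIOS over TCP/IP on this interface (step 6)
    $nbt = $nic.SetTcpipNetbios($DisableNetbiosOverTcpip)
    # ReturnValue 0 = applied, 1 = applied but a reboot is required, anything else = error
    Write-Host ("{0}: SetWINSServer={1} SetTcpipNetbios={2}" -f $nic.Description, $wins.ReturnValue, $nbt.ReturnValue)
}

# Verify in the registry: each NetBT interface should now carry NetbiosOptions = 2
$base = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
foreach ($key in Get-ChildItem $base) {
    $opt = (Get-ItemProperty $key.PSPath).NetbiosOptions
    $state = if ($opt -eq $DisableNetbiosOverTcpip) { "disabled" } else { "STILL ENABLED" }
    Write-Host ("{0}: NetbiosOptions={1} ({2})" -f $key.PSChildName, $opt, $state)
}

# Verify on the wire: the NetBIOS listeners on UDP 137/138 and TCP 139 should be gone.
# TCP 445 (direct-hosted SMB) remains only if File and Printer Sharing was left bound.
netstat -an | Select-String ':13[789]\s|:445\s'
```

If either method returns 1, reboot the server and run the two verification steps again; a NetBIOS listener that is still present after the reboot means an interface was missed or Group Policy is re-enabling the setting.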

Configuring the Windows Firewall 

Windows Server 2003 with SP1 includes Windows Firewall, a stateful host firewall that should be used to block unsolicited incoming TCP/IP traffic. Whether it is on after installation depends on the media used and on how Post-Setup Security Updates was completed, so check the state explicitly rather than assuming it.

To make sure it is enabled:

1. Go to Windows Start > Control Panel > Windows Firewall.
2. Select the On radio button. Leave 'Don't allow exceptions' unchecked, otherwise the exceptions configured below have no effect.

To configure which incoming traffic to allow:

1. Click the Exceptions tab.
2. For each port to allow, click Add Port.
3. Select the proper protocol (TCP or UDP).
4. Specify the port number.
5. Enter a description.

Table 4 lists the port exceptions required for the Cisco TMS server.

Table 4 Required port exceptions

Port   Protocol   Service
80     TCP        HTTP
161    UDP        SNMP

Where practical, use Change scope on each exception to limit it to the networks that actually need it: the managed endpoints and the administrator and user networks for HTTP, and the endpoint subnets for SNMP. An exception left at the default scope is reachable from any network the server can see.
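The firewall state and the Table 4 exceptions can also be set from the command line using the netsh firewall context that ships with Windows Server 2003 SP1 (the newer netsh advfirewall context does not exist on that release). The script below is an added example and is not code from the Cisco guide; the management subnet and the optional scoped Remote Desktop exception are assumptions used to illustrate Change scope, not requirements stated on this page.

```powershell
# Added example (not from the Cisco guide): enable Windows Firewall on Windows
# Server 2003 SP1 and add the Table 4 exceptions with the "netsh firewall" context.
# Assumes an elevated session. $ManagementSubnet is a placeholder; the scoped
# Remote Desktop rule is optional and only illustrates scope limiting.

$ManagementSubnet = "192.0.2.0/24"   # assumption: replace with your admin network

# 1. Turn the firewall on for both the Domain and Standard profiles. exceptions=ENABLE
#    keeps the exceptions active; exceptions=DISABLE is the GUI's "Don't allow exceptions".
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

# 2. Keep the built-in File and Printer Sharing exception off (see step 6 of "Network
#    services"); enable it only while a transfer share is actually in use.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL

# 3. Table 4: required port exceptions, one add per row
$Table4 = @(
    @{ Protocol = "TCP"; Port = 80;  Name = "HTTP" },
    @{ Protocol = "UDP"; Port = 161; Name = "SNMP" }
)
foreach ($row in $Table4) {
    netsh firewall add portopening protocol=$($row.Protocol) port=$($row.Port) name=$($row.Name) mode=ENABLE scope=ALL profile=ALL
}

# 4. (Optional) The GUI's "Change scope" is scope=CUSTOM plus an address list.
#    Here Remote Desktop is reachable only from the assumed management subnet.
netsh firewall add portopening protocol=TCP port=3389 name=RemoteDesktop mode=ENABLE scope=CUSTOM addresses=$ManagementSubnet profile=ALL

# 5. Review the effective configuration
netsh firewall show state
netsh firewall show portopening
```

Run the two show commands after every change: show state confirms the operational mode per profile, and show portopening lists each exception with its scope, which is the quickest way to catch an exception that was accidentally left open to all addresses.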

Source document: Cisco TelePresence Management Suite Secure Server, Hardening Windows Server 2003 for Cisco TMS 13.0, Product Configuration Guide D13148.08, December 2010.
