Cisco TMS Secure Server Configuration Guide 13.0
Page 7 of 34

Installation

Pre-install considerations

We strongly recommend installing Cisco TMS on a dedicated server. Using the Cisco TMS server for other purposes or services will reduce the effectiveness of any security initiative.

The outline presented in this document assumes Cisco TMS is the only application installed on the server.

The server should be physically placed in a room that is inaccessible to unauthorized persons.

The server should never be a domain controller.

The security recommendation is to install Cisco TMS using a local instance of SQL Server. This reduces the surface area of the SQL Server and keeps all communications between the application and the database off the network. Installations looking to use an external SQL Server should consider using SSL to secure the database traffic between the Cisco TMS Server and the SQL Server.

For additional Microsoft documentation regarding SSL and SQL, see "How SQL Server uses a certificate when the Force Protocol Encryption option is turned on".

 

Installing baseline configuration

1. Install Windows 2003 SP2 - When installing the server, create two partitions on the server. One is the system partition, usually C:\, where Windows and IIS are installed. The second partition is used by Cisco TMS. Install Windows Server 2003 with Service Pack 2 (SP2) using the default settings. Be sure to format the partitions NTFS when performing the initial setup of Windows.

2. Install anti-virus software and updates - Protect the new server by installing your choice of enterprise anti-virus software package. It is important that you keep up-to-date on the latest virus signatures. Take note of anti-virus features that control/prevent sending of email via SMTP. Cisco TMS requires the ability to send mail via SMTP (TCP Port 25).

3. Install the latest Windows Service Pack - As each Service Pack from Microsoft includes all security fixes known to date, it is vital that the latest version is installed. Update your baseline server to the latest Service Pack for Windows.

4. Install the appropriate post-Service Pack security updates - Update the server to the latest available post-Service Pack security updates and any relevant hot-fixes. You can subscribe to the e-mail service where Microsoft sends administrators information about security issues and hot-fixes available for patching security holes. Go to: http://www.microsoft.com/technet/security/bulletin/notify.mspx

5. Join server to Domain - Join the new server to the domain it will be used with.

6. Optional - Install SQL Server 2005 - If you are planning on running a full edition of SQL Server 2005 rather than the express edition installed with Cisco TMS, install SQL Server at this time to the second partition of the server. The server must be installed in Mixed Authentication mode; choose a strong password for the SA account. Only the SQL Engine component and its dependencies are required.

7. Install Cisco TMS - Install the latest version of Cisco TMS. When running the installer, choose the custom option to allow greater control of the installation. If no SQL Server was previously installed, specify to install the SQL Server locally with a strong SA password. Specify the installation paths of the SQL Server and Cisco TMS directories to be on the second partition of your server. As part of the installation, IIS and SQL Server may be installed.

8. Secure Default Groups for Cisco TMS - As part of the default installation of Cisco TMS, all new users are automatically added to the Site Administrators group and the Users group. Both groups have full permissions to all facilities. To establish one user as the only Site Administrator, do the following:

   a. Log in as that user, go to Administrative Tools > User Administration > Default Groups and set Users to be the only default group. All new users that log in to Cisco TMS will now
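The pre-install considerations and the baseline steps above can be verified on the finished server rather than taken on trust. The following read-only PowerShell script is an added example, not part of the Cisco guide: it reports whether the server is a domain controller, whether all fixed partitions are NTFS, whether outbound SMTP on TCP 25 is reachable, and whether each local SQL Server 2005 instance is in Mixed Authentication mode and has Force Protocol Encryption on. The SQL Server registry layout, the PowerShell 2.0 cmdlets and the mail host name are assumptions.

```powershell
# Added example (not from the Cisco guide). Assumed: run as a local Administrator
# in PowerShell 2.0 on the Cisco TMS server; SQL Server 2005 registry layout.
$findings = @()
function Add-Finding([bool]$ok, [string]$msg) {
    if ($ok) { $tag = "PASS" } else { $tag = "FAIL" }
    $script:findings += "$tag : $msg"
}

# Pre-install: the server must never be a domain controller (DomainRole 4 or 5 = DC).
# Step 5: it should be joined to the domain it will be used with.
$cs = Get-WmiObject Win32_ComputerSystem
Add-Finding ($cs.DomainRole -lt 4) "Not a domain controller (DomainRole=$($cs.DomainRole))"
Add-Finding ($cs.PartOfDomain) "Joined to domain '$($cs.Domain)'"

# Step 1: two partitions (system + Cisco TMS/SQL), every fixed partition formatted NTFS.
$disks = @(Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3")
Add-Finding ($disks.Count -ge 2) "Two or more fixed partitions present ($($disks.Count) found)"
foreach ($d in $disks) {
    Add-Finding ($d.FileSystem -eq "NTFS") "$($d.DeviceID) is formatted $($d.FileSystem)"
}

# Step 2: anti-virus must not block the SMTP traffic Cisco TMS needs (TCP port 25).
$smtpHost = "mail.example.com"   # placeholder: the mail server Cisco TMS will use
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($smtpHost, 25); $smtpOk = $tcp.Connected } catch { $smtpOk = $false }
$tcp.Close()
Add-Finding $smtpOk "Outbound SMTP (TCP 25) to $smtpHost reachable"

# Steps 6/7: every local SQL Server 2005 instance must use Mixed Authentication
# (LoginMode 2). Force Protocol Encryption (ForceEncryption 1) is reported as
# information; the guide requires SSL only when the database is on another server.
$instKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL"
if (Test-Path $instKey) {
    $key = Get-Item $instKey
    foreach ($name in $key.GetValueNames()) {
        $id   = $key.GetValue($name)   # instance id, e.g. MSSQL.1
        $base = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$id\MSSQLServer"
        $mode = (Get-ItemProperty $base).LoginMode
        Add-Finding ($mode -eq 2) "SQL instance $name in Mixed Authentication mode (LoginMode=$mode)"
        $enc  = (Get-ItemProperty "$base\SuperSocketNetLib").ForceEncryption
        $findings += "INFO : SQL instance $name ForceEncryption=$enc (1 = SSL forced)"
    }
} else {
    $findings += "INFO : no local SQL Server instance; if the database is remote, enable Force Protocol Encryption there"
}

$findings
```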

Cisco TelePresence Management Suite Secure Server: Hardening Windows Server 2003 for Cisco TMS 13.0, Product Configuration Guide D13148 08, December 2010.