Cisco TELEPRESENCE MANAGEMENT SUITE SECURE SERVER - CONFIGURATION GUIDE... User manual
Cisco TelePresence
Management Suite
Secure Server
Hardening Windows Server 2003 for
Cisco TMS 13.0
Product Configuration Guide
D13148.08
December 2010
Document revision history
Cisco TMS Secure Server Configuration Guide 13.0 Page 2 of 34
Contents
References and related documents ........................................................................................................ 5
Preface .................................................................................................................................................... 5
Pre-install considerations ........................................................................................................................ 7
Installing baseline configuration ..............................................................................................................7
File system............................................................................................................................................... 9
Administrator account.............................................................................................................................. 9
Set strong password and lockout policies............................................................................................... 9
Secure the SQL Server ......................................................................................................................... 10
Use Local Service User..................................................................................................................10
Disable Network Protocols ............................................................................................................. 10
Cisco TMS Service User Account .........................................................................................................10
Create a Cisco TMS Service Account............................................................................................10
Assign file ACLs for Cisco TMS directories....................................................................................10
Configure Cisco TMS Services to use Service Account ................................................................12
Remove unnecessary user accounts .................................................................................................... 13
Remove unnecessary windows components........................................................................................ 14
Disable unnecessary windows services................................................................................................ 15
Network services ................................................................................................................................... 17
Configuring TCP/IP ........................................................................................................................ 17
Configuring the Windows Firewall.................................................................................................. 17
Apply appropriate file ACLs................................................................................................................... 18
Audit policy ............................................................................................................................................ 20
User rights assignment.......................................................................................................................... 21
Security options..................................................................................................................................... 23
Set event viewer history ........................................................................................................................27
Remove any file shares.........................................................................................................................27
Screen saver ......................................................................................................................................... 28
Disable dump file creation.....................................................................................................................28
Miscellaneous registry changes ............................................................................................................ 28
Protect the registry from anonymous access................................................................................. 28
Disable 8.3 file format compatibility................................................................................................28
Clear paging file at shutdown......................................................................................................... 29
Disable Autorun from CD ............................................................................................................... 29
Protection against denial of service attacks...................................................................................29
Check status of logon screen shutdown button .............................................................................29
Enable logging on the website ..............................................................................................................30
Delete the default installed examples....................................................................................................30
Disable unneeded web extensions........................................................................................................ 30
Steps to repeat after Cisco TMS installs and upgrades........................................................................30
Set proper authentication methods ................................................................................................ 30
Delete unused application mappings .............................................................................................31
Optional - Configure Cisco TMS to use HTTPS.............................................................................32
Optional - Remove XAPDLL........................................................................................................... 32
Optional - Remove Polycom Endpoint support.............................................................................. 32
Cisco TMS upgrades............................................................................................................................. 33
Continued monitoring ............................................................................................................................ 33
Up to date patching ...............................................................................................................................33
Document revision history
Cisco TMS Secure Server Configuration Guide 13.0 Page 3 of 34
Tables
Table 1 Service account file ACLs ........................................................................................................ 11
Table 2 Windows components .............................................................................................................. 14
Table 3 IIS components......................................................................................................................... 15
Table 4 Required port exceptions .........................................................................................................17
Table 5 Required program exceptions ..................................................................................................18
Table 6 Summary of audit policy settings.............................................................................................. 21
Table 7 List of recommended user rights settings. ...............................................................................21
Table 8 Recommended security options............................................................................................... 24
Table 9 Hardening the TCP/IP stack.....................................................................................................29
Table 10 Extensions to leave enabled ..................................................................................................30
Table 11 Nodes to select when applying permissions..........................................................................31
Table 12 Extensions to remove............................................................................................................. 31
Document revision history
Cisco TMS Secure Server Configuration Guide 13.0 Page 4 of 34
Document revision history
Revision 7 Update for Cisco TMS 12
Comprehensive update for Windows 2003 SP1 Changes
Removal of Windows 2000 specific references
Updated formatting and reorganization
Removed incorrect IIS anonymous restrictions
Added SQL Server Service Accounts
Added Cisco TMS Service Accounts
Revision 8 Updated information and visual template.
Revision 9 Stage 1 rebranding.
Revision 10 Stage 2 rebranding – new product names.
General
Cisco TMS Secure Server Configuration Guide 13.0 Page 5 of 34
General
References and related documents
Windows Server 2003 Security Guide (Microsoft Corporation)
Windows 2003 Threats and Countermeasures Guide (Microsoft Corporation)
Knowledge Base article 823659 Client, service, and program incompatibilities that may occur
when you modify security settings and user rights assignments
Professional Server Pages 3.0 (WROX)
Knowledge Base article 2222473 Registry Settings for Windows File Protection (Microsoft
Corporation)
ISA Server and IIS Server (Microsoft Corporation)
Securing (Hardening) Windows Servers (Business Advisory Services Information Security)
Port Assignments foe Commonly-Used Services (Microsoft Corporation)
Windows 2003 Server TCP/IP Core Networking Guide (Microsoft Corporation)
Windows 2003 Group Policy (Microsoft Corporation)
SQL Server 2005 - Setting Up Windows Service Accounts (Microsoft Corporation)
Preface
Cisco TelePresence Management Suite (Cisco TMS) is scalable, easy-to-use and integrates with
existing applications to increase the value of your video network. It provides complete visibility and
centralized control for on-site and remote video systems. Cisco TMS supports management,
deployment, and scheduling of the entire video network, including telepresence, from one single
product.
Hardening a server reduces its exposed services, enforces stricter policies on behavior, and removes
components or functionality not essential to the server’s task. Through the Trustworthy Computing
Initiative Microsoft has significantly increased the security of a default installation of Windows 2003
SP2 compared to Windows 2000 or earlier. If you still wish to further tighten the security of your
installed servers Microsoft provides guidelines on hardening servers based on several degrees of
strength and the task that the server will perform.
This document is intended to provide instruction on how to harden a Windows 2003 server for the
tightest security, that Microsoft terms ‘Specialized Security – Limited Functionality’ while still
maintaining compatibility with the Cisco TMS application.
Hardening a server to this level reduces functionality of the server. Weigh your needs against these
changes before attempting to harden a server. This reduction in functionality will affect other policies
and methods one may normally expect to have available with Windows Server.
Take care when modifying the server as mistakes could render it unusable. A rebuild will be necessary
for recovery. The methods used in this document will allow no access to the Windows Server itself
except for users who are administrators. Additional information on risks regarding these changes are
available in the Microsoft Security Guide and Threats and Countermeasures documentation listed at
the beginning of this document.
This document describes
The installation of Windows.
The process of adding Cisco TMS.
How to secure Windows and IIS for a stand-alone installation of Cisco TMS.
The descriptions provided here apply to Windows 2003 SP2 and Cisco TMS version 12 and newer.
For versions older than Cisco TMS version 12, we recommend starting with a new Windows 2003
SP2server and upgrading to the latest version of Cisco TMS v12 to take advantage of the security
updates integrated into these products.
General
Cisco TMS Secure Server Configuration Guide 13.0 Page 6 of 34
IMPORTANT: This document does not guarantee that your server is secure from attacks even if you
have applied all the changes described. Cisco is not responsible for potential harm that attackers
might cause, nor any damage caused to your server by following the steps outlined in this document.
Installation
Cisco TMS Secure Server Configuration Guide 13.0 Page 7 of 34
Installation
Pre-install considerations
We strongly recommend installing Cisco TMS on a dedicated server. Using Cisco TMS server for
other purposes or services will reduce the effectiveness of any security initiative.
The outline presented in this document assumes Cisco TMS is the only application installed on
the server.
The server should be physically placed in a room that is inaccessible to unauthorized persons.
The server should never be a domain controller.
The security recommendation is to install Cisco TMS using a local instance of SQL Server. This
reduces the surface area of the SQL server and keeps all communications between the
application and the database off the network. Installations looking to use an external SQL Server
should consider using SSL to secure the database traffic between the Cisco TMS Server and the
SQL Server.
For additional Microsoft documentation regarding SSL and SQL, see How SQL Server uses a
certificate when the Force Protocol Encryption option is turned on
Installing baseline configuration
1. Install Windows 2003 SP2- When installing the server; create two partitions on the server.
One is the system partition, usually C:\ where Windows and IIS is installed. The second partition
is used by Cisco TMS. Install Windows Server 2003 with Service Pack 2 (SP2) using the default
settings. Be sure to format the partitions NTFS when performing the initial setup of Windows.
2. Install anti-virus software and updates - Protect the new server by installing your choice of
enterprise anti-virus software package. It is important that you keep up–to-date on the latest
virus signatures. Take note of anti-virus features that control/prevent sending of email via
SMTP. Cisco TMS requires the ability to send mail via SMTP (TCP Port 25).
3. Install the latest Windows Service Pack - As each Service Pack from Microsoft includes all
security fixes known to date it is vital that the latest version is installed. Update your baseline
server to the latest Service Pack for Windows.
4. Install the appropriate post-Service Pack security updates - Update the server to the latest
available post-Service Pack security updates and any relevant hot-fixes. You can subscribe to
the e-mail service where Microsoft sends administrators information about security issues and
hot-fixes available for patching security holes- Go to:
http://www.microsoft.com/technet/security/bulletin/notify.mspx
5. Join server to Domain – Join the new server to the domain it will be used with.
6. Optional – Install SQL Server 2005 - If you are planning on running a full edition of SQL
Server 2005 rather than the express edition installed with Cisco TMS, install SQL Server at this
time to the second partition of the server. The server must be installed in Mixed Authentication
mode – choose a strong password for the SA account. Only the SQL Engine component and its
dependencies are required.
7. Install Cisco TMS - Install the latest version of Cisco TMS. When running the installer, choose
the custom option to allow greater control of the installation.
If no SQL Server was previously installed, specify to install the SQL Server locally with a strong
SA password.
Specify the installation paths of the SQL Server and Cisco TMS directories to be on the second
partition of your server. As part of the installation, IIS and SQL Server may be installed.
8. Secure Default Groups for Cisco TMS – As part of the default installation of Cisco TMS, all
new users are automatically added to the Site Administrators group and the Users group.
Both groups have full permissions to all facilities.
To establish one user as the only Site Administrator, do the following:
a. Log in as that user, go to Administrative Tools > User Administration > Default Groups
and set Users to be the only default group. All new users that log in to Cisco TMS will now
Installation
Cisco TMS Secure Server Configuration Guide 13.0 Page 8 of 34
only be added to the group Users.
To set permissions for users in this group
b. Go to Administrative Tools > User Administration > Groups. Next click Set Permissions
for the Users group and check the appropriate checkboxes.
Take time to properly design your user groups and default system permissions before rolling
out Cisco TMS into production.
9. Check and apply security fixes for SQL and IIS - Run Windows Update again to check for
any updates for any additional components that have been installed along with Cisco TMS.
Check the Microsoft SQL Server website and install any updates for the SQL Server engine.
This concludes the basic installation. The remainder of the document will address securing this
installation without breaking the Cisco TMS Server’s functionality.
Securing Windows Server 2003 tasks
Cisco TMS Secure Server Configuration Guide 13.0 Page 9 of 34
Securing Windows Server 2003 tasks
File system
Ensure the file system for all hard disks is NTFS. Avoid using FAT, FAT 32 or FAT 32x file systems, as
these file systems do not support the same level of access control and security that the NTFS does.
This relates to all partitions on the server and not just the boot partition.
Administrator account
Password - Make sure that the administrator account has a strong password. A strong password is a
long pass phrase that combines upper and lower case letters, numbers and symbols.
Rename the administrative account - Rename the administrator account to a less obvious name,
and delete or change its description. Even though this will not stop all hackers, it makes their job more
difficult.
Create a dummy administrator account - It is also a good idea to create a dummy administrator
account in addition to the true administrator account. When creating the dummy administrator remove
any privileges associated with the account and set a long and complex password. Finally, take away
all associated privileges by removing the dummy administrator
1
account from the User group after it
has been created. Make sure the Event Log is checked regularly for any attempts to use the dummy
administrator account.
2
Set strong password and lockout policies
To change the password policies go to Windows Start > Control Panel > Administrative Tools >
Local Security Policy.
Note: Domain level policy settings may override these settings.
Password rules - Choose Account Policies >Password Policy, and apply the following changes:
Set the Minimum password length to at least 8 characters
Set the Minimum password age to at least 1 day
Set the Maximum password age to no more than 180 days
Set the Enforce password history to at least 5
This forces the administrator to change the password every 180 days, ensures the previous five
passwords cannot be reused and that passwords cannot be changed more than once a day.
Account lockout policy – Choose Account Policies > Account Lockout Policy, and apply the
following changes:
Set the Account lockout threshold to no more than 3
Set the Account lockout duration to at least 15 minutes
Set the Reset Account lockout counter after to at least 15 minutes
This will disable any account for at least 15 minutes if the number of login attempts to the said account
exceeds 3. This will deter hackers from using brute force attacks on the accounts.
1
Your newly created administrator account, not the inbuilt account supplied by Windows as this has now been
renamed.
2
Setting up the logging is described in section Error! Reference source not found..
Securing Windows Server 2003 tasks
Cisco TMS Secure Server Configuration Guide 13.0 Page 10 of 34
Secure the SQL Server
SQL Server 2005 installs by default in a local-only configuration designed to reduce surface area.
These additional steps will further reduce exposure by lowering privileges and protocols.
Use Local Service User
SQL Server installs by default to run as the NETWORK SERVICE user. SQL Server also creates user
groups to simplify assigning permissions when SQL is installed. It will create the user group
SQLServer2005MSSQLUser$ComputerName$InstanceName. To reduce privileges of the user
running SQL, create a local Windows user to act as the service account for SQL Server with a strong
password and a username of your choice. The placeholder name sqlserviceuser will be referenced
through the remainder of this document to refer to this account.
1. In the Start Menu, open Microsoft SQL Server 2005’ Program Group > Configuration Tools
> SQL Server Configuration Manager.
2. Click SQL Server 2005 Services and double-click ‘SQL Server [InstanceName]’ to open the
properties.
3. Select Log on as -> This account and enter the account information for sqlserviceuser.
4. Click OK to save changes and restart the service.
Disable Network Protocols
In the SQL Server Configuration Manager.expand the SQL Server 2005 Network Configuration
tab and select ‘Protocols for [InstanceName]’. Disable all protocols except Shared Memory by right-
clicking on them and selecting Disable.
If changes are made you must restart the SQL Engine to have changes take effect.
Cisco TMS Service User Account
Create a Cisco TMS Service Account
Cisco TMS will install its services to run as the Local System account. To run at lowest possible
privileges, a local Windows account will be configured. Create a local Windows User to act as the
service account for Cisco TMS Services and the Cisco TMS website. Use a strong password and a
username of your choice. The placeholder name tmsserviceuser will be referenced through the
remainder of this document to refer to this account.
1. In the Start menu, open Administrative Tools > Local Security Policy.
2. Expand the Local Policy > User Rights Assignment in the tree navigator.
3. Right- click Log on as a Service in the list to the right.
4. Click the Add User or Group button and add the tmsserviceuser account by typing in this
name.
5. Click Check Names.
6. Click OK to save and add tmsserviceuser and OK to save changes to Local Security settings.
Assign file ACLs for Cisco TMS directories
Table 1 below lists the required ACLs for the Cisco TMS directories on the Cisco TMS server. When
editing these ACLs, remove any additional permissions not listed in the table except for inherited
permissions. Inherited permissions will be modified in a later section. Permissions added here are
described assuming inheritance is allowed on all child directories. Child directories with only inherited
permissions are not listed.
To set permissions to a folder in Windows Explorer:
1. Right-click the folder, select Sharing and Security from the drop-down menu,
2. Select the Security tab and set permissions as shown in the table below for each group/user.
Note: This step must be repeated after any future Cisco TMS installations or upgrades as the installer
will default these directories back to the default permissions.
Securing Windows Server 2003 tasks
Cisco TMS Secure Server Configuration Guide 13.0 Page 11 of 34
Table 1 Service account file ACLs
Directory
User/Group
Permission
<tms installdir>\ 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
1) Full Control
2) Full Control
3) Read & Execute
<tms installdir>\OldConferenceAPI 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Read & Execute
4) Read
<tms installdir>\Provisioning\web 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Read & Execute
4) Read
<tms
installdir>\Provisioning\OpenDS\bak 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
1) Full Control
2) Full Control
3) Full Control
<tms
installdir>\Provisioning\OpenDS\config 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
1) Full Control
2) Full Control
3) Full Control
<tms
installdir>\Provisioning\OpenDS\db 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
1) Full Control
2) Full Control
3) Full Control
<tms
installdir>\Provisioning\OpenDS\import
-tmp
1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
1) Full Control
2) Full Control
3) Full Control
<tms
installdir>\Provisioning\OpenDS\locks 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
1) Full Control
2) Full Control
3) Full Control
<tms
installdir>\Provisioning\OpenDS\logs 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
1) Full Control
2) Full Control
3) Full Control
<tms installdir>\wwwProvisioning 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Read & Execute
4) Read
<tms installdir>\wwwTMS 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Read & Execute
4) Read
<tms
installdir>\wwwTMS\Data\CompanyLo
go
1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Full Control
4) Read
<tms installdir>\wwwTMS\Data\Export 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Full Control
4) Read
<tms
installdir>\wwwTMS\Data\ExternalSou
rceFiles
1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Full Control
4) Read
Securing Windows Server 2003 tasks
Cisco TMS Secure Server Configuration Guide 13.0 Page 12 of 34
Directory
User/Group
Permission
<tms installdir>\wwwTMS\Data\Image 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Full Control
4) Read
<tms installdir>\wwwTMS\Data\Logo 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Full Control
4) Read
<tms installdir>\wwwTMS\Data\Logs 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
1) Full Control
2) Full Control
3) Full Control
<tms installdir>\wwwTMS\Data\Map 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Full Control
4) Read
<tms
installdir>\wwwTMS\Data\ReleaseKey 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Full Control
4) Read
<tms
installdir>\wwwTMS\Data\Reports 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Full Control
4) Read
<tms
installdir>\wwwTMS\Data\Snapshot 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Full Control
4) Read
<tms
installdir>\wwwTMS\Data\Software 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Full Control
4) Read
<tms
installdir>\wwwTMS\Data\SystemImag
es
1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Full Control
4) Read
<tms
installdir>\wwwTMS\Data\TempFiles 1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Full Control
4) Read
<tms
installdir>\wwwTMS\Public\data\SOFT
WARE
3
1) LocalMachine\Administrators
2) SYSTEM
3) tmsserviceuser
3) Authenticated Users
1) Full Control
2) Full Control
3) Full Control
4) Read
Configure Cisco TMS Services to use Service Account
Configure the tmsserviceuser to run the ASP.NET application pool for Cisco TMS.
3
This directory is configurable in TMS’s Administrative Settings. If a custom directory is used, update the
permissions as necessary
Securing Windows Server 2003 tasks
Cisco TMS Secure Server Configuration Guide 13.0 Page 13 of 34
1. Open a command prompt and navigate to the .NET 2 installation folder. This normally is
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
2. Use the aspnet_regiis tool to register the service user to access the required IIS elements with
aspnet_regiis –ga <username>
aspnet_regiis –ga tmsserviceuser
3. Open Windows Start > Control Panel > Administrative Tools > Internet Information
Services (IIS) Manager
4. Under the name of the local server, expand the Application Pools folder.
5. Right- click TMSNet20AppPool and select Properties.
6. Select the Identity tab.
7. In Application Pool identity select Configurable
8. Browse or enter the tmsserviceuser for User Name and the password of this user.
9. Click OK to close the window
10. Right-Click the Server in the IIS Manager, go to All Tasks and select Restart IIS to restart the
IIS Server
Open Windows Start > Control Panel > Administrative Tools > Services
Locate the services whose names start with ‘TMS’. For each of these service do the following:
1. Double-click the service to open the properties window.
2. Select the Log On tab and select This Account.
3. Enter the account details for the tmsserviceuser account
4. Click OK.
5. Right-click the service
6. Select Restart to have the changes take effect.
Note: These steps must be repeated after any future Cisco TMS installations or upgrades as the
installer will default these services back to the default settings.
Remove unnecessary user accounts
To remove unnecessary user accounts go to Windows Start > Control Panel > Administrative Tools
> Computer Management> System Tools > Local Users and Groups.
Disable all accounts except
Your renamed Administrator account
IWAM_<machinename>
ASPNET
Sqlserviceuser
Your administrator account
IUSR_<machine-name>
tmsserviceuser
At the very least the ‘Guest’ account (disabled by default) should not be active.
Disabling an account is done by:
1. Right-click the account name.
2. Selecting Properties .
3. Under the General tab check the checkbox Account is disabled.
Securing Windows Server 2003 tasks
Cisco TMS Secure Server Configuration Guide 13.0 Page 14 of 34
Remove unnecessary windows components
To reduce the attack surface of the Cisco TMS server, ensure that Windows Components that are not
required by Cisco TMS are not installed.
Go to Windows Start > Control Panel >Add or Remove Programs > Add/Remove Windows
Components. The following table lists the Windows Components. An Nin the Include column
indicates that the component should be unchecked in the Windows Components Wizard. To display
subcomponents, highlight the Windows Component and click the Details button.
Table 2 Windows components
Component
Subcomponent
Include
Accessories and Utilities N
Application Server Application Server Console N
ASP.NET Y
Enable network COM+ access Y
Enable network DTC access N
Internet Information Services Y (see second
table for details)
Message Queuing N
Certificate Services
N
E-mail Services
N
Fax Services
N
Indexing Services
N
Internet Explorer Enhanced Security
Configuration For administrator groups Y
For all other user groups Y
Management and Monitoring Tools Connection Manager Administration
Kit N
Connection Point Services N
Network Monitor Tools N
Simple Network Management
Protocol Y
WMI SNMP Provider N
WMI Windows Installer Provider N
Networking Services
N
Other Network and File Services
N
Remote Installation Services
N
Remote Storage
N
Security Configuration Wizard
Y
Terminal Server
N
Terminal Services Licensing
N
UDDI Services
N
Update Root Certificates
Y
Securing Windows Server 2003 tasks
Cisco TMS Secure Server Configuration Guide 13.0 Page 15 of 34
Component
Subcomponent
Include
Windows Media Services
N
Table 3 IIS components
Component
Subcomponent
Include
Background Intelligent Transfer
Service (BITS) Server Extensions N
Common Files Y
File Transfer Protocol (FTP) Service N
FrontPage 2002 Server Extensions N
Internet Information Services Manager Y
Internet Printing N
NNTP Service N
SMTP N
World Wide Web Services Active Server Pages Y
Internet Data Connector N
Remote Administration (HTML) N
Remote Desktop Web Connection N
Serve Side Includes N
WebDAV Publishing N
World Wide Web Service Y
Disable unnecessary windows services
To reduce the attack surface of the Cisco TMS server, all Windows Services that are not required by
Cisco TMS should in general be disabled.
Go to Windows Start > Control Panel > Administrative Tools >Services.
Disable the services in the following list.
1. Right-click each of them.
2. Under the General tab, click Properties and select Disabled for Startup type.
The status should then be displayed as Disabled under the Status column in the list of Windows
services.
Alerter
Portable Media Serial Number Service
Application Experience Lookup Service
Print Spooler
Application Layer Gateway Service
Remote Access Auto Connection Manager
Application Management
Remote Desktop Help Session Manager
Automatic Updates
Remote Procedure Call (RPC) Locator
Background Intelligent Transfer Service
Remote Registry
ClipBook
Resultant Set of Policy Provider
COM+ System Application
Routing and Remote Access
Securing Windows Server 2003 tasks
Cisco TMS Secure Server Configuration Guide 13.0 Page 16 of 34
Distributed File System
Secondary Logon
Distributed Link Tracking Client
Shell Hardware Detection
Distributed Link Tracking Server
Smart Card
Distributed Transaction Coordinator
Special Administration Console Helper
Error Reporting Services
SQL Server Active Directory Helper
File Replication
SQL Server Browser
Help and Support
SQL Server VSS Writer
HID Input Service
Telephony
IMAPI CD-Burning COM Service
Terminal Services Session Directory
Indexing Service
Themes
Intersite Messaging
Upload Manager
Kerberos Key Distribution Center
Virtual Disk Service
License Logging
WebClient
Messenger
Windows Audio
NetMeeting Remote Desktop Sharing
Windows Cardspace
Network DDE
Windows Image Acquisition (WIA)
Network DDE DSDM
Windows Management Instrumentation
Driver Extensions
Network Location Awareness
Windows Presentation Foundation Font
Cache 3.0.0.0
Network Provisioning Service
Windows User Mode Driver Framework
Net.TCP Port Sharing Service
WinHTTP Web Proxy Auto-Discovery
Service
NTLM Security Support Provider
Wireless Configuration
Performance Logs and Alerts
The following services are not needed by Cisco TMS and can be disabled, but may be needed
depending on your environment:
Computer Browser
DHCP Client
Microsoft Software Shadow Copy Provider
Server
SQL Server VSS Writer
Task Scheduler
Securing Windows Server 2003 tasks
Cisco TMS Secure Server Configuration Guide 13.0 Page 17 of 34
Uninterruptible Power Supply
Volume Shadow Copy
Network services
In general any services not required by Cisco TMS should not be running on the Cisco TMS server in
order to reduce the attack surface of the server. This is particularly important for network services.
1. Go to Windows Start > Control Panel > Network Connections. Ensure that only the ‘Local
Area Connection’ is available.
2. Select this connection.
3. Under the General tab, click the Properties button.
4. Make sure Internet Protocol (TCP/IP) is enabled.
5. Client for Microsoft Networks should be enabled if you wish to allow domain administrators to
log into the server.
6. File and Printer Sharing for Microsoft Networks is not recommended, but may be required if
you want to create shares to transfer files over the network (like Software packages or Cisco
TMS Upgrades) to the Cisco TMS server.
7. Make sure any other services are unchecked and disabled.
Configuring TCP/IP
To further secure the server the Internet Protocol (TCP/IP) protocol settings must be configured
correctly.
1. Go to Windows Start > Control Panel > Network Connections > Local Area Connection.
2. Under the General tab, click the Properties button.
3. Click Internet Protocol (TCP/IP).
4. Click the Advanced button.
5. Select the WINS tab, disable any WINS servers that have been defined and uninstall WINS
itself.
6. Click the Disable NetBIOS over TCP/IP radio button.
Configuring the Windows Firewall
Windows Server 2003 with SP1 comes with Windows Firewall, which should be used to block
unsolicited incoming TCP/IP traffic. The firewall will be enabled by default if Windows was installed
from SP1 media or newer.
To make sure it is enabled:
1. Go to Windows Start > Control Panel > Windows Firewall.
2. Select the On radio button.
To configure what incoming traffic to allow,
1. Click the Exceptions tab.
2. For each port to allow, click Add Port.
3. Select the proper protocol.
4. Specify the port number.
5. Enter a description.
Table 4 lists the port exceptions required for the Cisco TMS server.
Table 4 Required port exceptions
Port
Protocol
Service
80 TCP HTTP
161 UDP SNMP
Securing Windows Server 2003 tasks
Cisco TMS Secure Server Configuration Guide 13.0 Page 18 of 34
Port
Protocol
Service
162 UDP SNMP traps
389 TCP LDAP
443 TCP SSL over HTTP
636 TCP Secure LDAP
4444 TCP OpenDS Administration
8989 TCP OpenDS Replication
In addition, exceptions have to be made for some of the Cisco TMS services to ensure that incoming
traffic on the ports that Cisco TMS services listen to are not blocked.
1. Click Add Program.
2. Click the browse button.
3. Navigate to [INSTALLDIR]\TANDBERG\TMS\Services, where INSTALLDIR is the directory
where you installed Cisco TMS.
4. Select the service .exe files as shown below.
Table 5 Required program exceptions
Service executa
ble
Ports listened to
TMSDatabaseScannerService.exe
8086/TCP and 1025/TCP
TMSLiveService.exe 8085/TCP
TMSPLCMDirectoryService.exe 3601/TCP
TMSSNMPService.exe 2009/UDP
If you are using Remote Desktop for remote management of the server, you need to add an exception
for port 3389/TCP. This is, however, a security risk. If practical, you can reduce this risk by only
allowing traffic on port 3389 from particular IP addresses or the local subnet. This is done by selecting
the exception and clicking on Edit and then Change scope.
Apply appropriate file ACLs
A clean install of Windows Server 2003 has secure ACLs on the file system. To secure the server
even further give the following access permissions to the different user groups. Verify the settings
against this list. Do not set Root(\) permissions recursively, as this will have the undesired effect of
permissions being inherited by all sub directories.
Note: SQL Directories will vary based on your installation so full paths are not shown here.
Directory
U
ser/Group
Permission
Root (\) (...) 1) LocalMachine\Administrators
2) SYSTEM
3) LocalMachine\Users
1) Read & Write
2) Read &Execute
3) Read
\Program Files (...) 1) LocalMachine\Administrators
2) SYSTEM 1) Full
2) Full
\<sql
directory>\MSSQL.1 1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Read &Execute
\<sql
directory>\MSSQL.1\MS 1) LocalMachine\Administrators
2) SYSTEM 1) Full
2) Full
Securing Windows Server 2003 tasks
Cisco TMS Secure Server Configuration Guide 13.0 Page 19 of 34
Directory
U
ser/Group
Permission
SQL 3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName 3) Read &Execute
\<sql
directory>\MSSQL.1\MS
SQL\Backup
1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Full
\<sql
directory>\MSSQL.1\MS
SQL\Binn
1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Read &Execute
\<sql
directory>\MSSQL.1\MS
SQL\Data
1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Full
\<sql
directory>\MSSQL.1\MS
SQL\Install
1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Read &Execute
\<sql
directory>\MSSQL.1\MS
SQL\LOG
1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Full
\<sql
directory>\MSSQL.1\MS
SQL\repldata
1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Full
\<sql
directory>\MSSQL.1\MS
SQL\Template Data
1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Full
\Program Files\Microsoft
SQL Server\80\tools 1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Read &Execute
\Program Files\Microsoft
SQL Server\80\com 1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Read &Execute
\Program Files\Microsoft
SQL Server\90\com 1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Read &Execute
\Program Files\Microsoft
SQL Server\90\dts 1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Read &Execute
\Program Files\Microsoft
SQL Server\90\sdk 1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Read
\Program Files\Microsoft 1) LocalMachine\Administrators 1) Full
Securing Windows Server 2003 tasks
Cisco TMS Secure Server Configuration Guide 13.0 Page 20 of 34
Directory
U
ser/Group
Permission
SQL Server\90\Setup
Bootstrap 2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
2) Full
3) Read &Execute
\Program Files\Microsoft
SQL Server\90\Shared 1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Read &Execute
\Program Files\Microsoft
SQL
Server\90\Shared\Error
Dumps
1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Read &Write
\Program Files\Microsoft
SQL Server\90\tools 1) LocalMachine\Administrators
2) SYSTEM
3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName
1) Full
2) Full
3) Read &Execute
%systemroot% (usually
\WINDOWS) 1) LocalMachine\Administrators
2) LocalMachine\Users
3) SYSTEM
1) Full
2) Read &Execute
3) Full
%systemroot%\Config 1) LocalMachine\Administrators
2) LocalMachine\Users
3) SYSTEM
1) Full
2)Read &List
3) Full
%systemroot%\System3
2
%systemroot%\System3
2\LogFiles
%systemroot%\System3
2\InetSrv
1) LocalMachine\Administrators
2) LocalMachine\Users
3) SYSTEM
1) Full
2) Read & Execute
3) Full
%systemroot%\System 1) LocalMachine\Administrators
2) LocalMachine\Users
3) SYSTEM
1) Full
2) Read & Execute
3) Full
%systemroot%\Repair 1) LocalMachine\Administrators
2)SYSTEM 1)Full
2)Full
\Documents and
Settings 1) LocalMachine\Administrators
2) LocalMachine\Users
3) SYSTEM
1) Full
2) Read
3) Full
Verify that the following files have these permissions:
File
User/Group
Permission
C:\AUTOEXEC.bat 1) LocalMachine\Administrators
2) SYSTEM 1) Full
2) Read & Execute
C:\CONFIG.SYS 1) LocalMachine\Administrators
2) SYSTEM 1) Full
2) Read & Execute
Audit policy
The Audit policy defines which security events get logged.
To access the auditing, go to Windows Start > Control Panel > Administrative Tools > Local
Security Policy > Local Policies > Audit Policy.
Other manuals for TELEPRESENCE MANAGEMENT SUITE SECURE SERVER - CONFIGURATION GUIDE...
1
This manual suits for next models
1
Table of contents
Other Cisco Software manuals
Cisco
Cisco Network Assistant User manual
Cisco
Cisco Signaling Interface H.323 User manual
Cisco
Cisco CISCO1811 User manual
Cisco
Cisco ACTIVE NETWORK ABSTRACTION - BROCHURE WHATS NEW IN RELEASE... User manual
Cisco
Cisco TELEPRESENCE MANAGEMENT SUITE EXTENSION 2.2 - FOR MICROSOFT... Service manual
Cisco
Cisco 861W - Integrated Services Router Wireless User manual
Cisco
Cisco SMART BUSINESS COMMUNICATIONS SYSTEM - FEATURE ... Owner's manual
Cisco
Cisco Craft Works Interface User manual
Cisco
Cisco Catalyst Series Switch 2940 User manual
Cisco
Cisco CallManager Release 3.0(10 User manual
Cisco
Cisco CSACSE-1111-K9 - Secure Access Control Server Solution... User manual
Cisco
Cisco CVPN3002-8E-K9 - Fast Ethernet VPN Gateway User manual
Cisco
Cisco C8510-CHAS5-RF - Catalyst 8510 Campus Switch Router Modular Expansion... Installation and operating instructions
Cisco
Cisco CONFERENCING EXTENSIONS - ADMINISTRATOR GUIDE FOR MICROSOFT... Service manual
Cisco
Cisco 2509 - Router - EN User manual
Cisco
Cisco OL-4015-08 User manual
Cisco
Cisco PIX 520 - PIX Firewall 520 Reference guide
Cisco
Cisco AS5200 - Universal Access Server How to use
Cisco
Cisco DVD-ROM Installation and operation manual
Cisco
Cisco TELEPRESENCE MANAGEMENT SUITE EXTENSION - FOR IBM LOTUS NOTES... User manual
Popular Software manuals by other brands
Steinberg
Steinberg Cubase SL 3 Operation manual
Polycom
Polycom GlobalManagementSystem Frequently asked questions
Sony
Sony CLIE PEG-UX40 user guide
AVG
AVG 9.0 INTERNET SECURITY BUSINESS EDITION - V... user manual
Nortel
Nortel Voice Mail Software guide
VMware
VMware VSHIELD APP 1.0.0 UPDATE 1 - API quick start guide
Philips
Philips TV Video Accessories Software upgrade instructions
DataCard
DataCard Tru Photo datasheet
Novell
Novell GROUPWISE 7 - 04-2007 manual
Mitsubishi
Mitsubishi WiFi-Doc Client for iOS user manual
Texas Instruments
Texas Instruments TI-83 Plus Silver Edition Guide book
AVG
AVG ANTI-VIRUS 2011 - REV 2011.07 user manual