Security Best Practices Guide For ICM and IPCC Enterprise & Hosted Editions

Security Best Practices Guide
for ICM and IPCC Enterprise & Hosted Editions

ICM Software Releases 7.0(0), 7.1(1), and 7.2(1)
July 2007
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0833
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE.
ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED
WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF
ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET
THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE
SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED
"AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING,
WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING
FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES,
INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE
THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCVP, the Cisco Logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn
is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco,
the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,
Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS,
iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy,
Network Registrar, Packet, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath
are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (0705R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and
figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and
coincidental.
Copyright © 2007 Cisco Systems, Inc. All rights reserved.
Table of Contents
Preface ...........................................................................................................................................................1
Purpose .....................................................................................................................................................1
Audience ....................................................................................................................................................2
Organization ..............................................................................................................................................2
Related Documentation .............................................................................................................................3
Conventions................................................................................................................................................4
Obtaining Documentation...........................................................................................................................5
Cisco.com..............................................................................................................................................5
Product Documentation DVD.................................................................................................................5
Ordering Documentation........................................................................................................................5
Documentation Feedback...........................................................................................................................6
Product Alerts and Field Notices ...............................................................................................................6
Cisco Product Security Overview...............................................................................................................6
Reporting Security Problems in Cisco Products ...................................................................................7
Obtaining Technical Assistance..................................................................................................................7
Cisco Technical Support & Documentation Website..............................................................................8
Submitting a Service Request...............................................................................................................8
Definitions of Service Request Severity.................................................................................................9
Obtaining Additional Publications and Information.....................................................................................9
1. Encryption Support...................................................................................................................................11
User and Agent Passwords......................................................................................................................11
Call Variables and Extended Call Variables..............................................................................................11
Internet Script Editor, Agent Reskilling and WebView..............................................................................12
CTI OS C++/COM Toolkit.........................................................................................................................12
Cisco Contact Center SNMP Management Service.................................................................................13
Cisco Support Tools..................................................................................................................................13
Additional Encryption................................................................................................................................13
2. IPSec and NAT Support............................................................................................................................15
Support for IPSec (IP Security) in Tunnel Mode.......................................................................................16
Support for IPSec (IP Security) in Transport Mode...................................................................................17
System Requirements.........................................................................................................................17
Supported Communication Paths .......................................................................................................17
Configuring IPSec Policy.....................................................................................................................18
IPSec Connection to Cisco CallManager.................................................................................................21
Monitoring IPSec Activity..........................................................................................................................21
IPSec Monitor......................................................................................................................................21
IPSec Logging.....................................................................................................................................21
Network Monitoring..............................................................................................................................22
System Monitoring ..............................................................................................................................22
Securing Support Tools Using IPSEC......................................................................................................23
Support Tools IPSEC Configuration Example............................................................................................?
Support for NAT (Network Address Translation).......................................................................................24
NAT and CTI OS.......................................................................................................................................24
IPSec and NAT Transparency...................................................................................................................25
Additional IPSec References....................................................................................................................25
3. Windows Server 2003 Firewall Configuration............................................................................................27
Cisco Firewall Configuration Utility Prerequisites.....................................................................................28
Security Best Practices Guide for ICM and IPCC Enterprise & Hosted Editions ICM Software Releases 7.0(0), 7.1(1), and 7.2(1)
i
Using the Cisco Firewall Configuration Utility...........................................................................................29
Verifying New Windows Firewall Settings.................................................................................................29
Configuring Windows Server 2003 Firewall to Communicate With Active Directory................................30
Configuring Domain Controller Ports...................................................................................................30
Restrict FRS Traffic to a Specific Static Port........................................................................................30
Restrict Active Directory replication traffic to a specific port................................................................31
Configure Remote Procedure Call (RPC) port allocation....................................................................31
Windows Server 2000 and 2003 Firewall Ports...................................................................................31
Testing Connectivity.............................................................................................................................32
Validating Connectivity.........................................................................................................................32
Understanding the CiscoICMfwConfig_exc.xml File.................................................................................33
Troubleshooting Windows Firewall............................................................................................................34
General Troubleshooting Notes............................................................................................................34
Windows Firewall Interferes with Router Private Interface Communication.........................................34
Windows Firewall Shows Dropped Packets but no ICM or IPCC Failures are Evident........................34
Undo Firewall Settings.........................................................................................................................35
4. Automated Security Hardening Settings on Windows Server 2003..........................................................37
Applying/Removing Cisco ICM Security Settings.....................................................................................38
Applying Cisco ICM Security Settings During Setup...........................................................................38
Manual Installation of Cisco ICM Security Settings.............................................................................38
Rolling Back Security Settings.............................................................................................................39
Account Policies Settings.........................................................................................................................40
Password Policy...................................................................................................................................40
Account Lockout Policy........................................................................................................................40
Kerberos Policy....................................................................................................................................41
Local Policies............................................................................................................................................41
Audit Policy..........................................................................................................................................41
User Rights Assignment......................................................................................................................42
Security Options..................................................................................................................................45
Event Log.................................................................................................................................................53
System Services.......................................................................................................................................54
Settings for System Services...............................................................................................................54
Registry....................................................................................................................................................61
File System...............................................................................................................................................61
5. Updating Microsoft Windows ....................................................................................................................63
Microsoft Security Updates......................................................................................................................63
Microsoft Service Pack Policy...................................................................................................................65
Configuring the Server to use an Alternate Windows Update Server..................................................65
6. SQL Server Hardening..............................................................................................................................67
SQL Server Hardening Suggestions........................................................................................................67
Top Hardening Suggestions.................................................................................................................67
SQL Server Users and Authentication.................................................................................................69
7. Cisco SSL Encryption Utility.....................................................................................................................71
About the SSL Encryption Utility..............................................................................................................71
Installing SSL During Setup.................................................................................................................72
SSL Encryption Utility in Standalone Mode.........................................................................................72
Enabling the Transport Layer Security (TLS) 1.0 Protocol...................................................................74
8. Intrusion Prevention and Cisco Security Agent.........................................................................................75
What are Cisco Security Agent Policies?.................................................................................................75
ii
Types of Agents........................................................................................................................................76
Managed Agent...................................................................................................................................76
Standalone Agent................................................................................................................................76
9. Microsoft Baseline Security Analyzer (MBSA)..........................................................................................79
Security Update Scan Results..................................................................................................................80
Windows Scan Results.............................................................................................................................80
Internet Information Services (IIS) Scan Results.....................................................................................81
SQL Server Scan Results........................................................................................................................82
Desktop Application Scan Results............................................................................................................83
10. Auditing ..................................................................................................................................................85
How to View Auditing Policies...................................................................................................................85
Security Log.............................................................................................................................................86
Real-Time Alerts.......................................................................................................................................86
SQL Server Auditing Policies....................................................................................................................86
SQL Server C2 Security Auditing........................................................................................................86
Active Directory Auditing Policies.............................................................................................................87
11. General Anti-Virus Guidelines and Recommendations...........................................................................89
Guidelines and Recommendations...........................................................................................................90
ICM/IPCC Software Maintenance Parameters.........................................................................................91
Logger Recommendations ..................................................................................................................91
Distributor Recommendations.............................................................................................................92
Router and PG Recommendations......................................................................................................92
Other Scheduled Tasks Recommendations.........................................................................................92
File Type Exclusion Recommendations....................................................................................................92
12. Remote Administration............................................................................................................................93
Windows Terminal Services (Remote Desktop).......................................................................................93
Remote Desktop..................................................................................................................................93
Securing the RDP-TCP Connection....................................................................................................94
Per-User Terminal Services Settings...................................................................................................95
pcAnywhere..............................................................................................................................................95
Restricting access to internal machines..............................................................................................96
Preventing unauthorized connections to a pcAnywhere host..............................................................96
Protecting the data stream during a remote control session...............................................................97
Preventing unauthorized changes to the installed product..................................................................98
Identifying security risks......................................................................................................................98
Logging events during a remote control session.................................................................................98
VNC..........................................................................................................................................................99
TRIDIA VNC Pro.......................................................................................................................................99
13. Additional Security Best Practices........................................................................................................101
Additional Cisco Call Center Applications..............................................................................................101
Cisco ICM WebView..........................................................................................................................101
Cisco ICM CTI Object Server (CTI OS).............................................................................................102
Cisco Agent Desktop (CAD)..............................................................................................................102
Microsoft Internet Information Server (IIS).............................................................................................102
Hardening IIS for use with WebView and Internet Script Editor on Windows 2000 Platforms...........102
Sybase EAServer (Jaguar) Hardening...................................................................................................105
Starting Jaguar Manager...................................................................................................................105
Changing Jaguar Password...............................................................................................................105
Restart WebView/Services................................................................................................................106
iii
RMS Listener Hardening........................................................................................................................107
WMI Service Hardening.........................................................................................................................108
WMI namespace-level security:.........................................................................................................108
Additional WMI Security Considerations............................................................................................109
SNMP Hardening....................................................................................................................................109
Toll Fraud Prevention..............................................................................................................................110
Syskey....................................................................................................................................................111
Third-Party Security Providers................................................................................................................111
Third-Party Management Agents............................................................................................................111
iv
List of Figures
Figure 1: SSL Config Utility - Configuration Tab...........................................................................................................73
Figure 2: SSL Config Utility - Certificate Administration Tab.......................................................................................73
v
vi
Preface
Purpose
This document describes security hardening configuration guidelines for Cisco ICM Software
Release 7.0(0) on Windows Server 2003. The term "ICM software" includes: IP Contact Center
(IPCC) Enterprise and Hosted Editions, System IPCC, and ICM Enterprise and Hosted Editions.
Optional ICM applications applying to these server configurations are also addressed here, with
the exception of the following: Web Collaboration Option Collaboration Server, Media Blender
(when not co-resident with a PG; if co-resident with a PG then these best practices are applicable),
Dynamic Content Adapter and E-mail Manager Option. References throughout this document
to "ICM/IPCC" will assume the aforementioned configurations. Any accompanying applications
making up the customer's particular solution, whether Cisco provided - such as PSO applications
- or provided by a Cisco partner, have not been approved for use with these security hardening
recommendations. Special testing and qualification must be considered to ensure that
recommended security configurations do not hinder the operation of those applications.
The configurations presented in this document represent parameters used internally within Cisco
to develop and test the applications. Other than the base Operating System and applications'
installations, any deviation from this set cannot be guaranteed to provide a compatible operating
environment. It is important to note recommendations contained in this document will not always
be uniformly implemented; some implementations - as based on corporate policy, specific IT
utilities (e.g., backup accounts) or other external guidelines - may modify or limit the application
of these guidelines.
Note: Security Hardening for Release 7.0(0) is supported on Windows 2003 only when the
server has been hardened using the 6.0 guidelines. You cannot upgrade a non-hardened Windows
2000 server from ICM 5.0 or 6.0 to ICM 7.0(0) and then apply hardening. First harden the
Windows 2000 Server running a previous version of ICM before upgrading to 7.0(0). The other
option is to upgrade the Operating System to Windows Server 2003 after upgrading the
ICM/IPCC software and then applying the automated hardening described in this guide.
1
Preface
Audience
Audience
This document is primarily intended for server administrators and OS and application installers.
It is assumed that the target reader of this document is an experienced administrator familiar
with Windows 2003 and Windows Server 2003 installations. It is further assumed that the reader
is fully familiar with the applications making up the ICM/IPCC solution, as well as with the
installation and administration of these systems. It is the intent of these best practices to
additionally provide a consolidated view of securing the various third-party applications on
which the Cisco contact center applications depend. Should vendor recommendations differ
from these guidelines, following such recommendations may result in systems that are not
protected from malicious attacks.
Organization
This document is organized into the Following:
Chapter Description
Encryption Support A brief overview of the encryption methods used in ICM/IPCC
IPSec and NAT Support Security Best Practices of deploying IPSec and NAT in an ICM/IPCC
Environment.
Windows Server 2003 Firewall Configuration The use of Windows Firewall and details about Cisco's Windows Firewall
configuration script.
Automated Security Hardening Settings on Specific details of the settings changed when using the Cisco Security
Windows Server 2003 Template.
Updating Microsoft Windows Security Best Practices to use when updating Windows Server 2003.
SQL Server Hardening Security Best Practices for SQL Server

Cisco SSL Encryption Utility Details on using the SSL Encryption Utility
Intrusion Prevention and Cisco Security Agent Using Cisco Security Agent for Host Intrusion Detection.
Microsoft Baseline Security Analyzer (MBSA) Example of what to expect when running MBSA on a typical ICM Server.
Auditing Security Best Practices for setting Auditing Policies on ICM/IPCC

Servers.
General Anti-Virus Guidelines and General Anti-Virus Guidelines and Recommendations

Recommendations
2
Preface
Related Documentation
Chapter Description
Remote Administration Security Best Practices to consider when using various remote
administration applications.
Additional Security Best Practices Additional Security Best Practices on:
• Additional Cisco Call Center Applications
• Microsoft Internet Information Server
• Sybase EAServer (Jaguar)
• RMS Listener Hardening
• WMI Service Hardening
• SNMP Service Hardening
• Toll Fraud Prevention
• Syskey
• Third-party Security Providers
• Third Part Management Agents
Related Documentation
The recommendations contained herein are based in part on hardening guidelines published by
Microsoft, such as those found in the Windows Server 2003 Security Hardening Guide, as well
as other third-party vendors' hardening recommendations. A number of recommendations are
made fully consistent with supporting Microsoft guidelines; our intent is to further interpret and
customize those guidelines as specifically applicable to the ICM/IPCC server products.
This document should be used in conjunction with the Planning and Staging Guides that are
part of the ICM/IPCC documentation. It should further be used as a reference standard for all
customers requiring verification that certain security configuration changes to the base operating
system and contact center application servers have been certified for use with the ICM/IPCC
applications. The average time to execute the majority of the steps has been reduced significantly
due to the automation and integration with the impacted products installation programs.
More information can be found in the following documents:
• Staging Guide for ICM Release 7.0(0)
• Microsoft Windows Server 2003 Security Hardening Guide (http://www.microsoft.com/

technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx)
3
Preface
Conventions
Conventions
This manual uses the following conventions:
Convention Description
boldface font Boldface font is used to indicate commands,
such as user entries, keys, buttons, and folder
and submenu names. For example:
• Choose Edit > Find.
• Click Finish.
italic font Italic font is used to indicate the following:
• To introduce a new term. Example: A skill

group is a collection of agents who share
similar skills.
• For emphasis. Example: Do not use the

numerical naming convention.
• A syntax value that the user must replace.

Example: IF (condition, true-value,
false-value)
• A book title. Example: See the Cisco CRS

Installation Guide.
window font Window font, such as Courier, is used for the

following:
• Text as it appears in code or that the window

displays. Example: <html><title>Cisco
Systems,Inc. </title></html>
< > Angle brackets are used to indicate the

following:
• For arguments where the context does not

allow italic, such as ASCII output.
• A character string that the user enters but

that does not appear on the window such as
a password.
4
Preface
Obtaining Documentation
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides
several ways to obtain technical assistance and other technical resources. These sections explain
how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Product Documentation DVD
The Product Documentation DVD is a comprehensive library of technical product documentation

on a portable medium. The DVD enables you to access multiple versions of installation,
configuration, and command guides for Cisco hardware and software products. With the DVD,
you have access to the same HTML documentation that is found on the Cisco website without
being connected to the Internet. Certain products also have .PDF versions of the documentation
available.
The Product Documentation DVD is available as a single unit or as a subscription. Registered

Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product
number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Ordering Documentation
Registered Cisco.com users may order Cisco documentation at the Product Documentation
Store in the Cisco Marketplace at this URL::
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m.
(0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere
by calling 011 408 519-5055. You can also order documentation by e-mail at
tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States
and Canada, or elsewhere at 011 408 519-5001.
5
Preface
Documentation Feedback
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online
feedback form that appears with the technical documents on Cisco.com.
You can submit comments about Cisco documentation by using the response card (if present)
behind the front cover of your document or by writing to the following address:
Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA
95134-9883
We appreciate your comments.
Product Alerts and Field Notices

Modifications to or updates about Cisco products are announced in Cisco Product Alerts and
Cisco Field Notices. You can register to receive Cisco Product Alerts and Cisco Field Notices
by using the Product Alert Tool on Cisco.com. This tool enables you to create a profile and
choose those products for which you want to receive information. Access the tool at this URL:
http://tools.cisco.com/Support/PAT/do/ViewMyProfiles.do?local=en.
Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you will find information about how to:
• Report security vulnerabilities in Cisco products.
• Obtain assistance with security incidents that involve Cisco products.
• Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
To see security advisories, security notices, and security responses as they are updated in real
time, you can subscribe to the Product Security Incident Response Team Really Simple
Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is
found at this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
6
Preface
Obtaining Technical Assistance
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we
release them, and we strive to correct all vulnerabilities quickly. If you think that you might
have identified a vulnerability in a Cisco product, contact PSIRT:
• For Emergencies only: security-alert@cisco.com
An emergency is either a condition in which a system is under active attack or a condition

for which a severe and urgent security vulnerability should be reported. All other conditions
are considered nonemergencies.
• For Nonemergencies: psirt@cisco.com
In an emergency, you can also reach PSIRT by telephone:
• 1 877 228-7302
• 1 408 525-6532
Note: We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example,
GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with
information that has been encrypted with PGP versions 2.x through 9.x.
Never use a revoked or an expired encryption key. The correct public key to use in your
correspondence with PSIRT is the one linked in the Contact Summary section of the Security
Vulnerability Policy page at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
If you do not have or use PGP, contact PSIRT at the aforementioned e-mail addresses or phone
numbers before sending any sensitive material to find other means of encrypting the data.

Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco
Technical Support & Documentation website on Cisco.com features extensive online support
resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance
Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service
contract, contact your reseller.
7
Preface
Cisco Technical Support & Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools
for troubleshooting and resolving technical issues with Cisco products and technologies. The
website is available 24 hours a day, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support & Documentation website requires a
Cisco.com user ID and password. If you have a valid service contract but do not have a user ID
or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number
before submitting a web or phone request for service. You can access the CPI tool from the
Cisco Technical Support & Documentation website by clicking the Tools & Resources Tools.
Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or
click the Cisco Product Identification Tool RMAs. The CPI tool offers three search options:
by product ID or model name; by tree view; or for certain products, by copying and pastingshow
command output. Search results show an illustration of your product with the serial number
label location highlighted. Locate the serial number label on your product and record the
information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests.
(S3 and S4 service requests are those in which your network is minimally impaired or for which
you require product information.) After you describe your situation, the TAC Service Request
Tool provides recommended solutions. If your issue is not resolved using the recommended
resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request
Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by
telephone. (S1 or S2 service requests are those in which your production network is down or
severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests
to help keep your business operations running smoothly
To open a service request by telephone, use one of the following numbers:
• Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
• EMEA: +32 2 704 55 55
• USA: 1 800 553-2447
8
Preface
Obtaining Additional Publications and Information
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established
severity definitions.
Severity 1 (S1) - Your network is down, or there is a critical impact to your business operations.
You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2) - Operation of an existing network is severely degraded, or significant aspects

of your business operation are negatively affected by inadequate performance of Cisco products.
You and Cisco will commit full-time resources during normal business hours to resolve the
situation.
Severity 3 (S3) - Operational performance of your network is impaired, but most business
operations remain functional. You and Cisco will commit resources during normal business
hours to restore service to satisfactory levels.
Severity 4 (S4) - You require information or assistance with Cisco product capabilities,
installation, or configuration. There is little or no effect on your business operations.

Information about Cisco products, technologies, and network solutions is available from various
online and printed sources.
• Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief
product overviews, key features, sample part numbers, and abbreviated technical specifications
for many Cisco products that are sold through channel partners. It is updated twice a year
and includes the latest Cisco offerings. To order and find out more about the Cisco Product
Quick Reference Guide, go to this URL:
http://www.cisco.com/go/guide
• Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise.
Visit Cisco Marketplace, the company store, at this URL:
• Cisco Press publishes a wide range of general networking, training and certification titles.
Both new and experienced users will benefit from these publications. For current Cisco Press
titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and
networking investments. Each quarter, Packet delivers coverage of the latest industry trends,
9
Preface
technology breakthroughs, and Cisco products and solutions, as well as network deployment
and troubleshooting tips, configuration examples, customer case studies, certification and
training information, and links to scores of in-depth online resources. You can access Packet
magazine at this URL:
http://www.cisco.com/packet
• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing
companies learn how they can use technology to increase revenue, streamline their business,
and expand services. The publication identifies the challenges facing these companies and
the technologies to help solve them, using real-world case studies and business strategies to
help readers make sound technology investment decisions. You can access iQ Magazine at
this URL:
http://www.cisco.com/go/iqmagazine
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in designing, developing, and operating public and private internets
and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
• Networking products offered by Cisco Systems, as well as customer support services, can
be obtained at this URL:
http://www.cisco.com/en/US/products/index.html
• Networking Professionals Connection is an interactive website for networking professionals

to share questions, suggestions, and information about networking products and technologies
with Cisco experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
• World-class networking training is available from Cisco. You can view current offerings at
this URL:
http://www.cisco.com/en/US/learning/index.html
10
Chapter 1
Encryption Support
This section describes the types of encryption used in the ICM system. The concepts should aid
you in understanding how encryption is used in the ICM/IPCC environment.
This section contains the following topics:
• User and Agent Passwords, page 11

• Call Variables and Extended Call Variables, page 11
• Internet Script Editor, Agent Reskilling and WebView, page 12
• CTI OS C++/COM Toolkit, page 12
• Cisco Contact Center SNMP Management Service, page 13
• Cisco Support Tools, page 13
• Additional Encryption, page 13
User and Agent Passwords

Cisco ICM/IPCC systems are highly distributed applications composed of many node and server
applications. Applications users' and contact center agents' passwords are stored in the Cisco
ICM Logger databases as well as the Distributor databases as an RSA Data Security, Inc. MD5
Message-Digest Algorithm hash. When passed from one server node to another, such as from
a Peripheral Gateway to a Router, or from a Distributor to a Router or a Logger, they are passed
as MD5 hashes as opposed to clear text.
Call Variables and Extended Call Variables

To protect data sent in call variables or ECC variables, Cisco ICM relies on IPSec and the
deployment of IPSec policies between servers running Windows Server 2003. In an IPCC
environment, the establishment of an IPSec channel between the Cisco Call Manager and the
Peripheral Gateway is also supported. The recommended integrity algorithm is SHA-1 and the
11
Chapter 1: - Encryption Support
Internet Script Editor, Agent Reskilling and WebView
encryption algorithm is 3DES. The recommended IKE security algorithm is a minimum of

Diffie-Hellman Group 2 for a 1024-bit key or 2048-bit key if processing power allows it.
See Also
IPSec and NAT Support on page 15
Internet Script Editor, Agent Reskilling and WebView

Release 7.0(0) of Cisco ICM supports, as a default on Windows 2003 Server, the encryption of
traffic for users accessing the ICM Internet Script Editor, Agent Reskilling, and WebView
applications so that all user logins and optionally session traffic done from a remote machine
are protected from snooping. The applications are HTTP based that implement the SSL v3.0
protocol using the OpenSSL libraries.
The Agent Reskilling and Internet Script Editor web applications will also be deployed and
enabled for 128-bit SSL encryption in IIS 6.0 as a default so that all supervisor logins, user
logins, and data exchanged is protected across the network.
For WebView, the authentication phase is encrypted with 128-bit encryption by default. As an
option, users may decide to encrypt the entire session which may be done during installation or
afterwards using the SSL Encryption Utility.
For more information on enabling certain Cipher Suites in IIS see: http://support.microsoft.com/
?kbid=245030
See Also
Cisco SSL Encryption Utility on page 71
Cisco WebView Documentation
CTI OS C++/COM Toolkit

The CTI OS (C++/COM toolkit) and CAD agent desktops implement TLS v1.0 protocol using
the OpenSSL libraries to protect data exchanged from the agent desktop to the CTI Object
Server. A Cipher suite is used for authentication, key exchange, and stream encryption. The
Cipher suite is as follows:
• Key exchange: Diffie-Hellman
• Authentication: RSA
• Encryption: AES (128)
• Message digest algorithm: SHA1
Refer to the CTI OS System Manager's Guide and Cisco CAD Installation Guide for more
configuration details.
12
Chapter 1: Encryption Support
Cisco Contact Center SNMP Management Service
Cisco Contact Center SNMP Management Service

The ICM/IPCC software includes an SNMP v3 agent to support authentication and encryption
(privacy) provided by SNMP Research International. Cisco's implementation exposes the
configuration of the communication with a management station to be authenticated using the
MD5 or SHA-1 digest algorithms, and for all SNMP messages to be encrypted using one of the
following three protocols: 3DES, AES-192, or AES-256.
See Also
SNMP Hardening on page 109
SNMP Guide for Cisco ICM/IPCC Enterprise & Hosted Editions
Cisco Support Tools

The Cisco Support Tools for Cisco IPCC is a serviceability application that is deployed with
SSL enabled by default. This ensures all data exchanged from the browser to the server and
vice versa as well as user logins are encrypted with 128-bit encryption.
Additional Encryption
In addition to the various areas of application level encryption provided in the Cisco ICM suite
of applications, Cisco supports the deployment of the solution across sites running Cisco IOS(TM)
IPSec in Tunnel Mode with HMAC-SHA1 Authentication (ESP-SHA-HMAC) and 3DES
Encryption (ESP-3DES).
See Also
IPSec and NAT Support on page 15
13
Chapter 1: - Encryption Support
Additional Encryption
14
Chapter 2
IPSec and NAT Support
Internet Protocol security (IPSec) is a framework of open standards for ensuring private, secure
communications over Internet Protocol (IP) networks, through the use of cryptographic security
services.
For more information, see http://www.cisco.com/go/ipsec and http://www.microsoft.com/

resources/documentation/WindowsServ/2003/standard/proddocs/en-us/
sag_IPSECtopnode.asp
Implementing IPSec in an ICM or IPCC environment means finding a balance between ease of
deployment and usability, and protecting sensitive information from unauthorized access.
Finding the proper balance requires:
• Assessing the risk and determining the appropriate level of security for your organization.
• Identifying valuable information.
• Defining security policies that use your risk management criteria and protect the identified
information.
• Determining how the policies can best be implemented within the existing organization.
• Ensuring that management and technology requirements are in place.
Security considerations are also influenced by the way the application will be used or deployed.
For example, the required security might differ, depending on whether certain ICM/IPCC servers
will be deployed in a single data center or across a number of sites which may or may not
communicate across trusted networks. The security framework in Windows Server 2003 is
designed to fulfill the most stringent security requirements. However, software alone might be
less effective without careful planning and assessment, effective security guidelines, enforcement,
auditing, and sensible security policy design and assignment.
15
Chapter 2: - IPSec and NAT Support
Support for IPSec (IP Security) in Tunnel Mode
• Support for IPSec (IP Security) in Tunnel Mode, page 16

• Support for IPSec (IP Security) in Transport Mode, page 17
• IPSec Connection to Cisco CallManager, page 21
• Monitoring IPSec Activity, page 21
• Securing Support Tools Using IPSEC, page 23
• Support for NAT (Network Address Translation), page 24
• NAT and CTI OS, page 24
• IPSec and NAT Transparency, page 25
• Additional IPSec References, page 25
Support for IPSec (IP Security) in Tunnel Mode

Due to increased security concerns in the deployment of data and voice networks alike, ICM
and IPCC Enterprise deployments now add support for IPSec between Central Controller sites
and remote Peripheral (PG) sites. This secure network implementation implies a distributed
model where the WAN connection is secured via IPSec tunnels. The testing undertaken in this
release was limited to configuration of Cisco IOS(TM) IPSec in Tunnel Mode, meaning only
the Cisco IP Routers (IPSec peers) between the two sites were part of the secure channel
establishment. All data traffic is encrypted across the WAN link but un-encrypted on the local
area networks. In tunnel mode, traffic flow confidentiality is ensured between IPSec peers
which, in this case, are the IOS Routers connecting a central site to a remote site.
The qualified specifications for the IPSec configuration are as follows:
• HMAC-SHA1 Authentication (ESP-SHA-HMAC)
• 3DES Encryption (ESP-3DES)
We highly recommend that hardware encryption be used in order to avoid a significant increase
in IP Router CPU overhead and throughput impact. There are also some latency implications,
so it is important to size the network infrastructure (network hardware and physical links)
accordingly. There are also considerations that must be taken for QoS networks. The common
recommendation is to classify and apply QoS features based on packet header information before
traffic is tunnel encapsulated and/or encrypted.
More detailed resources on Cisco IOS IPSec functionality can be found at http://www.cisco.com/
go/ipsec
16
Chapter 2: IPSec and NAT Support
Support for IPSec (IP Security) in Transport Mode
System Requirements
System Requirements for IPSec Support in Transport Mode
• Cisco ICM Release 7.0(0)
• Microsoft(R) Windows(R) Server 2003
• Intel PRO/100 S Server Adapter P/N PILA8470C3
Note:
• IPSec offload network adapters accelerate the cryptographic operations used to secure IPSec
packets, therefore minimizing the performance costs for encryption. As a result, IPSec -
secured TCP/IP connections can achieve similar throughput as TCP/IP connections that are
not secured using IPSec. If the hardware acceleration cards cannot be used, then IPSec
encryption will increase CPU load, and decrease throughput.
• ICM Release 7.0(0) support for IPSec is contingent on the use of network interface cards
which support IPSec offloads. The card listed in the System Requirements list is what has
been tested and is recommended.
See Also
For more information about the benefits of using IPSec hardware offload adapters, see "Intel
PRO/100S Network Adapter, IPSec Offload Performance and Comparison," at http://
www.veritest.com/clients/reports/intel/intelps.pdf.
Supported Communication Paths
ICM Release 7.0(0) supports deploying IPSec in a Windows Server 2003 operating environment
to secure server to server communication. The support is limited to the following list of nodes
which exchange customer sensitive data.
1. NAM Router - CICM Router
2. ICM Router Side A - ICM Logger Side A (visible path)
3. ICM Router Side B - ICM Logger Side B (visible path)
4. ICM Router Side A - ICM Router Side B (private path)
5. ICM Logger Side A - ICM Logger Side B (private path)
6. ICM Router - ICM Peripheral Gateway (PG)
17
a. ICM Router Side A - ICM PG Side A
b. ICM Router Side A - ICM PG Side B
c. ICM Router Side B - ICM PG Side A
d. ICM Router Side B - ICM PG Side B
7. ICM Router - ICM Real-time Distributor (Primary/Secondary)
a. ICM Router Side A - ICM Real-time Distributor (Primary/Secondary)
b. ICM Router Side B - ICM Real-time Distributor (Primary/Secondary)
8. ICM Logger - ICM Real-time Distributor (Primary/Secondary) with HDS
a. ICM Logger Side A - ICM Real-time Distributor (Primary/Secondary) with HDS
b. ICM Logger Side B - ICM Real-time Distributor (Primary/Secondary) with HDS
9. ICM PG Side A - ICM PG Side B
a. visible path
b. private path
10. ICM PG Side A/B - Cisco CallManager (IPCC)
For the server communication paths identified, the following security level should be considered
a general basis for planning an IPSec deployment:
• High security
Computers that contain highly sensitive data are at risk for data theft, accidental or malicious
disruption of the system, or any public network communications. Secure Server (Require
Security), a default policy, requires IPSec protection for all traffic being sent or received
(except initial inbound communication) with stronger security methods. Unsecured
communication with a non-IPSec-aware computer is not allowed.
See Also
Be sure to consult the Microsoft Knowledge Base article IPSec default exemptions are removed
in Windows Server 2003 (http://support.microsoft.com/kb/810207/EN-US/) for important
information about changes in Windows Server 2003 IPSec support from Windows 2000 Server
support of IPSec.
Configuring IPSec Policy
Windows Server 2003 IPSec policy configuration is the translation of security requirements to
one or more IPSec policies.
18
Each IPSec policy consists of one or more IPSec rules. Each IPSec rule consists of:
• A selected filter list.
• A selected filter action.
• Selected authentication methods.
• A selected connection type.
• A selected tunnel setting.
There are multiple ways to configure IPSec policies but the following is the most direct method:
Create a new policy and define the set of rules for the policy, adding filter lists and filter actions
as required. In this method, an IPSec policy is created first and then rules are added and
configured. Filter lists (specifying traffic types) and filter actions (specifying how the traffic is
treated) are added during rule creation.
An IPSec Security Policy must be created for each communication path and on each end (on
every server). The following will need to be provided when creating and editing the properties
of each IPSec policy using the IP Security Policy Wizard.
1. Name
2. Description (optional)
3. Do not Activate the default response rule
4. IP Security Rule - Add Rule using the Add Wizard
– Tunnel Endpoint: Do not specify a tunnel
– Network Type: All network connections
5. IP Filter List
– Name
– Description (optional)
– Add IP Filter using the Add Wizard
Description (optional)
Source address: A specific IP Address (differs based on the path)
Source address: A specific IP Address (differs based on the path)
Destination address: A specific IP Address (differs based on the path)
IP Protocol type: Any
19
– Add Filter Action using the Add Wizard
Name
Description (optional)
Filter Action General Options: Negotiate security
Do not communicate with computers that do not support IPSec
IP Traffic Security: Integrity and encryption - Integrity algorithm: SHA1 - Encryption

algorithm: 3DES
– Authentication Method: Active Directory _Kerberos V5 protocol (Default)
Note:
• X509 certificates can also be used in a production environment depending on customers'
preference. With ICM requiring Active Directory in all deployment models, relying on
Kerberos as the authentication method will not require any extra security credential
management. For PG to CCM connections an X509 pre-shared key should be used.
• For enhanced security, the use of pre-shared key authentication is not recommended because
it is a relatively weak authentication method. In addition, pre-shared keys are stored in
plaintext. It is recommended that you use pre-shared keys only for testing. For more
information, see Pre-shared key authentication at http://www.microsoft.com/resources/
documentation/WindowsServ/2003/standard/proddocs/en-us/sag_IPSec_Und4.asp
6. Key Exchange Security Method - IKE Security Algorithms (Defaults)
– Integrity algorithm: SHA1
– Encryption algorithm: 3DES
– Diffie-Hellman group: Medium (DH Group 2, 1024-bit key)
Note:
• For enhanced security, do not use Diffie-Hellman Group 1, which provides 768 bits of keying
strength. For maximum security, use Group 2048 (high), which provides 2,048 bits of keying
strength. Strong Diffie-Hellman groups combined with longer key lengths increase the
computational difficulty of determining a secret key. For more information, see Key exchange
methods at http://www.microsoft.com/resources/documentation/WindowsServ/2003/
standard/proddocs/en-us/sag_IPSECkeyexchgsm.asp
• For information about general best practices for security, see Best practices for security at
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/
proddocs/en-us/sag_SEconceptsbp.asp
• Using key lengths results in more CPU processing overhead.
20
IPSec Connection to Cisco CallManager
IPSec Connection to Cisco CallManager

On IPCC Systems, when the CallManager is not in the same domain as the ICM system, you
are unable to use kerberos for authentication. You must use X.509 certificates.
Monitoring IPSec Activity
IPSec Monitor
IP Security Monitor (ipsecmon) can be used to monitor IPSec on a Windows Server 2003
operating system. Details on the use of IPSec Monitor can be found at http://
www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/
en-us/IPSEC_Mon_Node.asp
IPSec Logging
If your policies do not work correctly, you might need to enable the logging of the IPSec security
association process. This is called an Oakley log. The log is difficult to read, but it can help you
track down the location of the failure in the process. The following steps walk you through the
steps for enabling IPSec logging.
Step 1 Select Start, Run. Type Regedt32 and click OK to get into the Registry Editor.
Step 2 Double-click HKEY_LOCAL_MACHINE.
Step 3 Navigate to System\CurrentControlSet\Services\PolicyAgent.
Step 4 Double-click Policy Agent.
Step 5 Right-click in the right-hand pane and select Edit, Add Key.
Step 6 Enter Oakley as the key name (case sensitive).
Step 7 Double-click Oakley. Then right-click in the left-hand pane and select New, DWORD Value.
Step 8 Enter the value name EnableLogging (case sensitive)
Step 9 Double-click the value and set the DWORD to 1. Click OK.
Step 10 Go to a command prompt and type net stop policyagent & net start policyagent.
Step 11 Find the log in %windir%\debug\Oakley.log
21
Monitoring IPSec Activity
Network Monitoring
The Network Monitor component (netmon) that ships with Windows Server 2003 can capture
frames that are sent to or from the computer on which Network Monitor is installed. For more
information, refer to Microsoft documentation at http://www.microsoft.com/resources/
documentation/windowsserv/2003/standard/proddocs/en-us/sag_netmnintro.asp
System Monitoring
The built-in Performance console (perfmon) provides the ability to monitor network activity
along with the other performance data on the system. Treat network components as another set
of hardware resources to observe as part of your normal performance-monitoring routine.
Network activity can influence the performance not only of your network components but also
of your system as a whole. You should monitor other resources along with network activity,
such as disk, memory, and processor activity. System Monitor enables you to track network
and system activity using a single tool. Use the following counters as part of your normal
monitoring configuration:
Cache\Data Map Hits %
Cache\Fast Reads/sec
Cache\Lazy Write Pages/sec
Logical Disk\% Disk Space
Memory\Available Bytes
Memory\Nonpaged Pool Allocs
Memory\Nonpaged Pool Bytes
Memory\Paged Pool Allocs
Memory\Paged Pool Bytes
Processor(_Total)\% Processor Time
System\Context Switches/sec
System\Processor Queue Length
Processor(_Total)\Interrupts/sec
22
Securing Support Tools Using IPSEC
Securing Support Tools Using IPSEC

Support Tools uses a different architecture than ICM/IPCC. The Support Tools Server uses a
client-policy with a filter that requests security. The Support Tools Node Agents uses a
client-policy that requires security.
The filter does not monitor one-to-one connections. Instead, the filter monitors all incoming IP
traffic that uses the default Support Tools TCP Port (39100). The Support Tools Server, by
requesting but not requiring IPSEC from each Node Agent, does not deny traffic from a Node
Agent that is unable to use IPSEC.
Support Tools uses the ESP protocol (Encapsulating Security Payload) for authentication but
does not use encryption. ESP is used to authenticate instead of the AH protocol (Authentication
Header) for the ability to support NAT.
Support Tools uses SHA1 for the integrity algorithm in ESP. The policy uses Kerberos in order
to support authentication when components reside within the same Active Directory as the
server. The policy uses X.509 certificates when components reside in a different Active Directory
domain . This means that the policy for the Support Tools server should be configured to support
both Kerberos and Certification authentication. Kerberos should be the preferred method and
thus listed first in the Authentication Methods list.
A filter should be added complying with the above listed recommendations when securing a
Support Tools component that resides on a system with a one-to-one IPSEC policy. The filter
should be added to the filter list of the existing policy and listed second.
A configuration example follows:
Support Tools IPSEC Configuration Example
Client Policy
IP Filter
From any IP address / TCP port
To any IP address / specific TCP port (39100, Support
Tools default)
Filter Action
Request Security on Support Tools Server
Require Security on Node Agent
Negotiate security
ESP with SHA1 Integrity and no encryption
Authentication Mode (Both should be listed on Support
Tools server)
Kerberos
Certification (On machines where Kerberos is not
available)
23
Support for NAT (Network Address Translation)
Support for NAT (Network Address Translation)

Network Address Translation (NAT) is a mechanism for conserving registered IP addresses in
large networks and simplifying IP addressing management tasks. As its name implies, NAT
translates IP addresses within private "internal" networks to "legal" IP addresses for transport
over public "external" networks (such as the Internet). Incoming traffic is translated back for
delivery within the inside network.
Release 7.0(0) continues support for deployment of IP Phones (IPCC) across NAT. Cisco has
also tested locating remote Peripheral (PG) servers on a NAT network remote from the Central
Controller servers (Routers and Loggers). The qualification of NAT support for PG servers was
limited to a network infrastructure implementing Cisco IP Routers with NAT functionality.
Agent Desktops are supported in a NAT environment, except when silent monitoring is used.
Silent Monitoring is not supported under NAT, see the section on NAT and CTI OS below.
More detailed resources on how to configure NAT can be found at http://www.cisco.com/
More details on how to deploy IP Phones across NAT can be found at the following link: http:/
/cisco.com/en/US/partner/products/sw/iosswrel/ps1834/
products_feature_guide09186a008008052e .html
NAT and CTI OS

CTI OS Silent Monitor does not work in a production environment when all of the servers of
the IP Contact Center Solution (AW, PG , CTI OS Server and Call Manager) are located on a
remote data center with a private addressing scheme and the agent/supervisor desktops and hard
IP-phones are on the call center network that also has its own address scheme while both networks
(data center and call center) are joined together using Network Address translation (NAT).
The two main problems that are identified in this environment are as follows:
• The CTI toolkit Agent Desktop cannot sniff any VoIP packets from the PC port on the IP
Phone, because the IP address used on the packet filter is the translated address sent by Cisco
Call Manager. The problem is that the address belongs to the address scheme at the data
center network and not on the call center network space. Note that the problem identified in
this bullet is not particular to CTI OS but also affects applications written using GED-188
directly that rely on the RTP Stated/Stop events.
• The IP address the CTI toolkit Supervisor Desktop provides the CTI toolkit Agent Desktop
for it to forward sniffed VoIP packets is an address on the data center address space. The
CTI toolkit Supervisor Desktop obtains its IP address from the eClientIdentifyEvent sent by
CTI OS Server to the supervisor workstation when it initiates its session with CTI OS Server.
The IP address included in the event is the translated address in the data center network versus
that of the call center network.
24
IPSec and NAT Transparency
IPSec and NAT Transparency

The IPSec NAT Transparency feature introduces support for IP Security (IPSec) traffic to travel
through Network Address Translation (NAT) or Port Address Translation (PAT) points in the
network by addressing many known incompatibilities between NAT and IPSec. NAT Traversal
(NAT-T) is a feature that is auto detected by VPN devices. There are no configuration steps for
a router running Cisco IOS Software Release 12.2(13)T and above. If both VPN devices are
NAT-T capable, then NAT-T is auto detected and auto negotiated.
Additional IPSec References

Additional IPSec references can be found on the web at:
• IPSec Architecture - http://www.microsoft.com/technet/itsolutions/network/security/

ipsecarc.mspx
• Windows Server 2003 IPSec Documentation - http://www.microsoft.com/resources/

documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_IPSECtopnode.asp
• Intel PRO/100S Network Adapter, IPSec Offload Performance and Comparison - http://
www.veritest.com/clients/reports/intel/intelps.pdf
25
Additional IPSec References
26
Chapter 3
Windows Server 2003 Firewall Configuration
Windows Server 2003 (Service Pack 1) includes Windows Firewall. Windows Firewall is a
stateful host firewall which drops all unsolicited incoming traffic that does not correspond to
either traffic sent in response to a request of the computer (solicited traffic), or unsolicited traffic
that has NOT been specified as allowed (excepted traffic). This behavior of Windows Firewall
provides a level of protection from malicious users and programs that use unsolicited incoming
traffic to attack computers.
More information can be found in Microsoft's Windows Firewall Operations Guide (http://
www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/
c52a765e-5a62-4c28-9e3f-d5ed334cadf6.mspx).
If you are using IPSec, you should also consult the following Microsoft TechNet article on
Managing IPSec and Multicast Settings (http://www.microsoft.com/technet/prodtechnol/
windowsserver2003/library/Operations/6955d995-7b77-47cf-8749-cd906afc46d9.mspx).
Note: Windows Firewall is disabled by default on systems that have been upgraded to SP1.
Systems that have a new installation of Windows Server 2003 that already include SP1 (known
as a slipstream installation) have Windows Firewall enabled by default.
You may enable Windows Firewall on your ICM/IPCC Servers, however, you must ensure that
all required ports are open so that the ICM/IPCC components installed on the server can function
properly.
Cisco provides a utility to automatically allow all traffic from ICM/IPCC applications on a
Windows Server 2003 SP1 server. Additionally, the utility is developed so that it can open ports
for common 3rd party applications used in the ICM/IPCC environment. The script reads the list
of ports in the file
%SYSTEMDRIVE%\CiscoUtils\FirewallConfig\CiscoICMfwConfig_exc.xml and
uses the directive contained therein to modify the firewall settings. See below for more
information on the CiscoICMfwConfig_exc.xml file.
The utility allows all traffic from ICM/IPCC applications by adding the relevant applications
to the list of excepted programs and services. When the excepted application runs, Windows
27
Chapter 3: - Windows Server 2003 Firewall Configuration
Cisco Firewall Configuration Utility Prerequisites
Firewall monitors the ports on which the program listens and automatically adds those ports to
the list of excepted traffic.
The script can allow traffic from the third party applications by adding the application's port
number to the list of excepted traffic. However, you must edit the
CiscoICMfwConfig_exc.xml file to enable these ports.
Ports/Services Enabled by default:
• 80/TCP and 443/TCP - HTTP/HTTPS (when IIS is installed)
• Microsoft Remote Desktop
• File and Print Sharing Exception ( See Microsoft's technet article Enable or disable the File
and Printer Sharing exception (http://www.microsoft.com/technet/prodtechnol/
windowsserver2003/library/ServerHelp/267c6000-957e-4fb4-8698-e41d4439fb58.mspx).
Ports than can be optionally opened:
• 5900/TCP - VNC (optional)
• 5800/TCP - Java Viewer (optional)
• 21800/TCP - Tridia VNC Pro (encrypted remote control) (optional)
• 5631/TCP and 5632/UDP - pcAnywhere(optional)
Note: The XML file may be configured to add port based exceptions outside of this list.
• Cisco Firewall Configuration Utility Prerequisites, page 28

• Using the Cisco Firewall Configuration Utility, page 29
• Verifying New Windows Firewall Settings, page 29
• Configuring Windows Server 2003 Firewall to Communicate With Active Directory, page
30
• Understanding the CiscoICMfwConfig_exc.xml File, page 33
• Troubleshooting Windows Firewall, page 34

The following must be installed before using the Firewall configuration utility:
1. Windows Server 2003 Service Pack 1 (if you are not doing a slipstream install that includes
Windows Server 2003 SP1)
2. ICM/IPCC Version 7.0(0) component(s)
28
Chapter 3: Windows Server 2003 Firewall Configuration
Note: Any subsequent installation of any new component to the Application installation will
require re-configuring the Windows Firewall. This involves removing the configuration
previously applied and re-running the windows firewall configuration utility.
Using the Cisco Firewall Configuration Utility
Warning: If you attempt to run this utility from a remote session, such as VNC, you may
be "locked out" once the firewall starts. If possible, perform any firewall related work at
the computer, as network connectivity may be severed for some remote applications.
Use the Cisco Firewall Configuration utility on each server running an ICM component. To use
the utility:
Step 1 Stop all application services.
Step 2 From a command prompt, run cscript

%SYSTEMDRIVE%\CiscoUtils\FirewallConfig\CiscoICMfwConfig.vbe
Step 3 If this is the first time the script has run then it will run register.bat and ask you to rerun
the application using the same command as above. Rerun the script as if instructed to do so.
Note: If you subsequently rerun the script and it says that it is (again) running for the first time,
and to (again) rerun the script, then manually run the register.bat file from the command
line.
Step 4 A confirmation Dialog appears. Click OK.
The script verifies the Windows Firewall service is installed, then starts it if it is not running.
It then updates the firewall with the ports and services specified in the file
%SYSTEMDRIVE%\CiscoUtils\FirewallConfig\CiscoICMfwConfig_exc.xml
Step 5 Reboot the server.
Verifying New Windows Firewall Settings
You can verify that the ICM components and ports have been added to the Windows Firewall
exception list by:
Step 1 Select Start > Settings > Control Panel > Windows Firewall.
The Windows Firewall dialog box appears.
Step 2 Select the Exceptions tab of the Windows Firewall dialog box.
Step 3 Scroll through the list of excepted applications. Several ICM executables now appear on the
list as well as any ports or services defines in the configuration file.
29
Configuring Windows Server 2003 Firewall to Communicate With Active Directory

You need to open up the ports used by domain controllers (DCs) for communication via LDAP
and other protocols to ensure Active Directory is able to communicate through a firewall.
Be sure to consult the Microsoft Knowledge Base (KB) KB179442 (http://support.microsoft.com/

kb/179442/en-us) for important information about configuring firewall for Domains and Trusts.
To establish secure communications between DCs and ICM Services you need to define the
following ports for outbound and inbound exceptions on the firewall:
• Ports that are already defined
• Variable ports (high ports) for use with Remote Procedure Calls (RPC)
Configuring Domain Controller Ports
The following port definitions must be defined on all DCs within the demilitarized zone (DMZ)
that might be replicating to external DCs. It is important that you define the ports on all DCs
in the domain.
Restrict FRS Traffic to a Specific Static Port

kb/319553/en-us) for more information about restricting File Replication service (FSR) traffic
to a specific static port.
Step 1 Start Registry Editor (Regedt32.exe).
Step 2 Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters
Step 3 Add the following registry values:
• New: Reg_DWORD
• Name: RPC TCP/IP Port Assignment
• Value: 10000 (decimal)
30
Restrict Active Directory replication traffic to a specific port

kb/224196/en-us) for more information about restricting Active Directory replication traffic to
a specific port.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
• New: Reg_DWORD
• Name: RPC TCP/IP Port
• Value: 10001 (decimal)
Configure Remote Procedure Call (RPC) port allocation

kb/154596/en-us ) for more information about configuring RPC port allocation.
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
Step 3 Add the Internet key.
• Ports: MULTI_SZ: 10002-10200
• PortsInternetAvailable: REG_SZ : Y
• UseInternetPorts: REG_SZ : Y
Windows Server 2000 and 2003 Firewall Ports

kb/179442/en-us ) for a detailed description of the ports that are used to configure a firewall for
domains and trusts.
31
Server Port Protocol Protocol Service

135 TCP RPC RPC Connector Helper
(machines connect to
determine which high port to
use)
137 TCP UDP NetBIOS Name
138 UDP NetBIOS NetLogon and
Browsing
139 NetBIOS Session
123 UDP NTP
389 TCP LDAP
636 TCP UDP LDAP SSL
3268 LDAP GC
3269 LDAP GC SSL
42 Wins Replication
53 TCP UDP DNS
88 TCP UDP Kerberos
445 TCP UDP SMB over IP (Microsoft-DS)
10000 TCP RPC NTFRS
10001 TCP RPC NTDS
10002 - 10200 TCP RPC - Dynamic High Open
Ports
ICMP
Testing Connectivity
To test connectivity and show the FRS configuration in Active Directory, use the Ntfrsult tool.
Step 1 From the command line, run the Windows File Replication utility: Ntfrsutl version
<server_name>.
When communications between the domain controllers are configured properly, the ntfrsutl
output shows the FRS configuration in Active Directory.
Validating Connectivity
To validate connectivity between the domain controllers, use the Portqry tool.
32
Understanding the CiscoICMfwConfig_exc.xml File
Visit the following Microsoft Web site: http://download.microsoft.com/download/3/f/4/

3f4c6a54-65f0-4164-bdec-a3411ba24d3a/PortQryUI.exe (http://download.microsoft.com/
download/3/f/4/3f4c6a54-65f0-4164-bdec-a3411ba24d3a/portqryui.exe) to obtain the tool.
Step 1 Download the PortQryUI.exe and run the tool.
Step 2 Select the destination CD or PDC.
Step 3 Select Domains and Trusts.
Step 4 Use the response from PortQry to verify the ports are open.

kb/832919/en-us ) for more information about PortQry features and functionality.
Understanding the CiscoICMfwConfig_exc.xml File

The CiscoICMfwConfig_exc.xml file is a standard XML file that contains the list of applications,
services and ports that the Cisco Firewall Script uses to modify the Windows Firewall so that
the firewall works properly in the ICM/IPCC environment.
The file consists of three main parts:
• Services - The services that are allowed access through the firewall.
• Ports - The ports that the firewall should open.
This is conditional depending on the installation of IIS in the case of TCP/80 and TCP/443.
• Applications - The applications that are not allowed access through the firewall.
The script automatically excludes all of the applications listed in the

CiscoICMfwConfig_exc.xml file.
Note: The behavior of the Applications section is opposite to that of the other two sections
in the file. The Ports and Services sections ALLOW access, whereas the Application section
DENIES access.
You can manually add additional services or ports to the CiscoICMfwConfig_exc.xml file and
rerun the script to reconfigure Windows Firewall, for example, if you wanted to allow your
Jaguar server connections from port 9000 (CORBA), then you could add a line within the
<Ports> part of the file to open port 9000 on the Windows Firewall:
<Port Number="9000" Protocol="TCP" Name="CORBA" />.
Note: This would only be needed if remote Jaguar administration is required. In most cases this
is not needed.
33
Troubleshooting Windows Firewall
You could also use the standard Windows Firewall mechanism to add or deny the ports or
applications by selecting the Exceptions tab of the Windows Firewall Control Panel Applet and
clicking Add Port... or Add Program....
Some commonly used ports are listed in the file, however they are commented out. In XML,
comments (ignored code) is surrounded by the  tags respectively. Anything within
those tags is ignored. You can easily enable one of the commonly used ports by cutting it out
of the commented section and pasting it after the closing comment tag (-->), but before the
</Ports> tag.

The following notes and tasks can aid you if you have trouble with Windows Firewall.
General Troubleshooting Notes
Some general troubleshooting notes for Windows Firewall:
1. Running the CiscoICMfwConfig application for the first time requires that it be run twice
to allow for the registration of FirewallLib.dll. In some cases, a time lapse is needed for
the registration to complete, especially on a slower system.
2. If the registration fails, it's possible the .NET framework isn't installed correctly. Verify
the following path and files exist:
%windir%\Microsoft.NET\Framework\v1.1.4322\regasm.exe
%windir%\Microsoft.NET\Framework\v1.1.4322\gacutil.exe
3. Change %SYSTEMDRIVE%\CiscoUtils\FirewallConfig\Register.bat as needed

to meet the environment.
Windows Firewall Interferes with Router Private Interface Communication
Indication: The MDS fails to connect from the Side-A router to Side-B router on the private
interface IP Addresses (Isolated) only when the Windows Firewall is enabled.
Problem: Windows Firewall is preventing the application (mdsproc.exe) from sending traffic
to the remote host on the private network.
Recommended Action: Configure static routes on both Side-A and Side-B routers for the
private addresses (high and non high).
Windows Firewall Shows Dropped Packets but no ICM or IPCC Failures are Evident
Indication: The Windows Firewall Log shows dropped packets but the ICM and IPCC
applications do not exhibit any application failures.
34
Problem: The Windows Firewall is designed to log any and all traffic destined to the host when
it either isn't allowed or it is sent to a port that no allowed application is listening on.
Recommended Action: Review the pfirewall.log file closely to determine the source and
destination IP Addresses and Ports. Use netstat or tcpview to determine what processes
listen/connect on what ports.
Undo Firewall Settings
You can use the firewall configuration utility to undo the last application of the firewall settings.
You will need the CiscoICMfwConfig_undo.xml file.
Note: The undo file is only written if the configuration completes successfully. Manual cleanup
may be necessary using the Windows Firewall Control Panel Applet in case this file does not
exist for the undo operation to complete.
To undo the firewall settings:
Step 1 Stop all application services.
Step 2 Open a command window by selecting Start > Run and entering CMD in the dialog window.
Click OK.
Step 3 cd %SYSTEMDRIVE%\CiscoUtils\FirewallConfig
Step 4 Type: cscript CiscoICMfwConfig.vbe undo
35
36
Chapter 4
Automated Security Hardening Settings on Windows
Server 2003
The ICM and System IPCC Setup programs can automatically apply a majority of the Cisco
recommended Windows hardening settings on Windows Server 2003 Systems with Service
Pack 1 or greater.
ICM/IPCC is qualified to work only on a standard, Retail (or OEM) packaged installation of
Windows Server 2003 (Standard or Enterprise), with or without Cisco Security Hardening.
Cisco provides its own security hardening policy to secure the standard Windows image for
ICM/IPCC. Cisco does not support ICM/IPCC on a customized Windows image (that is, a
corporate image) or when custom security hardening has been applied. Customized image of
the Windows operating system or customer security hardening can cause the ICM/IPCC
application to fail.
The settings detailed below are automatically applied when you choose to use the automated
hardening feature in setup. All of the following settings appear under the Computer
Configuration > Windows Settings > Security Settings category of settings.
In addition to automatically applying the settings during setup, the script can be used to upgrade
the current Cisco ICM security template if there is one already installed, and it can rollback the
template to previous versions of the Cisco ICM security settings. The script can also rollback
the security settings to the settings originally on the server before any Cisco ICM security
settings were applied.
Note: If security hardening is applied using the 7.2(1) template but Internet Explorer is not
configured to support the TLS 1.0 protocol, the Web browser will not be unable to connect to
the Web server. An error message indicates that the page is either unavailable or that the Web
site might be experiencing technical difficulties. See Enabling Tranport Layer Security (TLS)
1.0 Protocol (page 74)for instructions on how to adjust your browser settings.
37
Chapter 4: - Automated Security Hardening Settings on Windows Server 2003
Applying/Removing Cisco ICM Security Settings
The Customer Voice Portal 4.0.1 Security Hardening template is the same as ICM 7.0 Security
Hardening template except for two settings and the template name:
• SecondaryLogonService: Automatic (CVP); Disabled(ICM)
• MinimumPasswordAge: 0 (CVP); 1 (ICM)
• Template name: Cisco_Security_Template.inf (CVP); CiscoICM_Security_Template.inf

(ICM)
Note: Servers running Cisco Collaboration Server (CCS), Cisco Email Manager (CEM), Cisco
Dynamic Content Adapter (DCA), and Remote Monitoring Suite (RMS) are not supported for
use with the automated hardening script.
• Applying/Removing Cisco ICM Security Settings, page 38

• Account Policies Settings, page 40
• Local Policies, page 41
• Event Log, page 53
• System Services, page 54
• Registry, page 61
• File System, page 61

There are several ways in which you can install, upgrade, and rollback security settings:
Applying Cisco ICM Security Settings During Setup
The ICM and System IPCC Setup applications determine if Cisco ICM Security Hardening is
applied, and if not, prompt you to apply Cisco ICM security settings during ICM installation.
Choosing Yes applies the Cisco ICM security settings as defined in the current security template.
Choosing No results in no security setting changes.
If Cisco ICM Security Hardening is already applied, but the template version of the security
settings is older than the one available to ICM Setup, Setup prompts you to update the security
settings to the new template version. Choosing YES applies the new version of the security
settings, while at the same time creating a rollback script so you can revert to the earlier template
settings at a later time. Choosing No results in no security settings being changed.
Manual Installation of Cisco ICM Security Settings
You can manually install the latest Cisco ICM security settings template at any time by running
the ICMSecurityHardening VBS script. The script is located in
%SYSTEMDRIVE%\CiscoUtils\SecurityTemplates.
38
Chapter 4: Automated Security Hardening Settings on Windows Server 2003
Note: You must use cscript from the command line to invoke the script.
To manually apply a Cisco ICM Security Setting template:
Step 1 From the command line type in cscript

%SYSTEMDRIVE%\CiscoUtils\SecurityTemplates\ICMSecurityHardening.vbe
HARDEN
Rolling Back Security Settings
You can manually rollback to a previous version of the system's security settings to prior security
state by using the ICMSecurityHardening script. Each time the security hardening script is run
a rollback file is created. The "1" extension denotes that it is the baseline settings for the server
before hardening was applied. A new rollback file is created with each subsequent update of
the security template. The are numbered consecutively, "2", "3", "4", etc.
Warning: The ICMSecurityHardening script cannot rollback changes made to Registry

Values and File System security settings.
To roll back to a previous version of the security settings:
Step 1 If: Then:

You want From the command line type in cscript
to %SYSTEMDRIVE%\CiscoUtils\SecurityTemplates\ICMSecurityHardening.vbe
rollback ROLLBACK <ROLLBACKFILE>
all the
settings
contained
in a
security
template:
You want From the command line type in cscript
to only %SYSTEMDRIVE%\CiscoUtils\SecurityTemplates\ICMSecurityHardening.vbe
rollback ROLLBACK <ROLLBACKFILE> <AREA>
settings in
a
particular
area:
Where <ROLLBACKFILE> is the name of the file from which you want to rollback the settings.
and <AREA> is one of the following section names; SECURITYPOLICY, USER_RIGHTS,
SERVICES
39
Account Policies Settings
See Also
Account Policies Settings on page 40
Local Policies on page 41
Event Log on page 53
System Services on page 54
Account Policies Settings

The following Settings are applied in Computer Configuration > Windows Settings > Account
Policies.
Note: Account policies are overwritten by the domain policy by default. Applying the Cisco
ICM Security Template does not take effect. These settings are only significant when the machine
is not a member of a domain. Cisco Recommends that you set the Default Domain Group Policy
with these settings.
When a value is listed as Not Defined then it means that the setting is not changed from what
was previously set before the automated hardening script runs.
The security settings can be viewed in the Local Security Policy Snap-in.
Password Policy
Setting Value: 7.0(0) & 7.1(1) Value: 7.2(1)

Enforce password history 24 passwords remembered 24 passwords remembered
Maximum password age 42 days 90 days
Minimum password age 2 days 1 days
Minimum password length 12 characters 12 characters
Passwords must meet Enabled Enabled

complexity requirements
Store password using Disabled Disabled

reversible encryption for all
users in the domain
Account Lockout Policy

Account lockout duration 15 minutes 15 minutes
40
Local Policies

Account lockout threshold 10 invalid logon attempts 3 invalid logon attempts
Reset account lockout counter 15 minutes 15 minutes

after
Kerberos Policy

Enforce user logon restrictions Not Defined Not Defined
Maximum lifetime for service Not Defined Not Defined

ticket
Maximum lifetime for user Not Defined Not Defined

ticket
Maximum lifetime for user Not Defined Not Defined

ticket renewal
Maximum tolerance for Not Defined Not Defined

computer clock
synchronization
Local Policies
Audit Policy

Audit account logon events Success, Failure Success, Failure
Audit account management Success, Failure Success, Failure
Audit directory service access Success, Failure Not defined
Audit logon events Success, Failure Success, Failure
Audit object access Success, Failure Failure
Audit policy change Success Success, Failure
41
Local Policies

Audit privilege use Success, Failure Failure
Audit process tracking No auditing Not defined
Audit system events Success Success, Failure
User Rights Assignment

Access this computer from the Not Defined Not Defined
network
(SeNetworkLogonRight)
Act as part of the operating Not Defined Not Defined

system (SeTcbPrivilege)
Add workstations to domain Administrators Administrators

(SeMachineAccountPrivilege)
Adjust memory quotas for a LOCAL SERVICE,NETWORK LOCAL

process SERVICE,Administrators SERVICE,NETWORK
(SeIncreaseQuotaPrivilege) SERVICE, Administrators
Allow logon locally Not Defined Null

(SeInteractiveLogonRight)
Allow logon Through Terminal Administrators Administrators

Services
(SeRemoteInteractiveLogonRight)
Back up files and directories Not Defined Administrators

(SeBackupPrivilege)
Bypass traverse checking Not Defined Users

(SeChangeNotifyPrivilege)
Change the system time Administrators Administrators

(SeSystemTimePrivilege)
Create a pagefile Administrators Administrators

(SeCreatePagefilePrivilege)
Create a token object Not Defined Null

(SeCreateTokenPrivilege)
42
Local Policies

Create global objects Not Defined Not Defined
(SeCreateGlobalPrivilege)
Create permanent shared Not Defined Null

objects
(SeCreatePermanentPrivilege)
Debug programs Not Defined Administrators

(SeDebugPrivilege)
Deny access to this computer ANONYMOUS LOGON; Built-in ANONYMOUS LOGON;

from the network Administrator; Guest; Guests; Built-in Administrator;
(SeDenyNetworkLogonRight) Support_388945a0; Guest; Guests;
Support_388945a0;
Deny logon as a batch job Guest; Guests; Support_388945a0 Guest; Guests;
(SeDenyBatchLogonRight) Support_388945a0
Deny logon as a service Not Defined Null

(SeDenyServiceLogonRight)
Deny logon locally Not Defined Guests

(SeDenyInteractiveLogonRight)
Deny log on Through Terminal Built-in Administrator; Guest; Built-in Administrator;

Services Guests; Support_388945a0 Guest; Guests;
(SeDenyRemoteInteractiveLogonRight) Support_388945a0
Enable computer and user Not Defined Administrators

accounts to be trusted for
delegation
(SeEnableDelegationPrivilege)
Force shutdown from a remote Administrators Administrators

system
(SeRemoteShutdownPrivilege)
Generate security audits LOCAL SERVICE,NETWORK LOCAL

(SeAuditPrivilege) SERVICE SERVICE,NETWORK
SERVICE
Impersonate a client after Not Defined Not Defined
authentication
(SeImpersonatePrivilege)
Increase scheduling priority Administrators Administrators

(SeIncreaseBasePriorityPrivilege)
43
Local Policies

Load and unload device drivers Administrators Administrators
(SeLoadDriverPrivilege)
Lock pages in memory Administrators Administrators

(SeLockMemoryPrivilege)
Log on as a batch job Not Defined Null

(SeBatchLogonRight)
Log on as a service Not Defined Not Defined

(SeServiceLogonRight)
Manage auditing and security Administrators Administrators

log (SeSecurityPrivilege)
Modify firmware environment Administrators Administrators

values
(SeSystemEnvironmentPrivilege)
Perform Volume Maintenance Administrators Administrators

Tasks
(SeManageVolumePrivilege)
Profile single process Administrators Administrators

(SeProfileSingleProcessPrivilege)
Profile system performance Administrators Administrators

(SeSystemProfilePrivilege)
Remove computer from Administrators Administrators

docking station
(SeUndockPrivilege)
Replace a process level token Not Defined LOCAL

(SeAssignPrimaryTokenPrivilege) SERVICE,NETWORK
SERVICE
Restore files and directories Administrators Administrators
(SeRestorePrivilege)
Shut down the system Administrators Administrators

(SeShutdownPrivilege)
Synchronize directory service Not Defined Null

data (SeSynchAgentPrivilege)
44
Local Policies

Take ownership of files or Not Defined Administrators
other objects
(SeTakeOwnershipPrivilege)
Security Options
Most of these settings can be viewed by running secpol.msc on a Windows 2003 Server.
However, not all MSS settings are shown by default. You should consult the document Threats
and Countermeasures: Security Settings in Windows Server 2003 and Windows XP available
from microsoft.com for details on viewing all of the available security settings in the Microsoft
Local Security Settings console.

Accounts: Administrator Not Defined Not Defined
account status
Accounts: Guest account status Disabled Disabled
Accounts: Limit local account Enabled Enabled

use of blank passwords to
console logon only
Accounts: Rename Not Defined xadministrator

administrator account
Accounts: Rename guest Not Defined xguest

account
Audit: Audit the access of Disabled Disabled

global system objects
Audit: Audit the use of Backup Disabled Disabled

and Restore privilege
Audit: Shut down system Disabled Not defined

immediately if unable to log
security audits
Devices: Allow undock Disabled Disabled

without having to log on
Devices: Allowed to format Administrators Administrators

and eject removable media
45
Local Policies

Devices: Prevent users from Enabled Enabled
installing printer drivers
Devices: Restrict CD-ROM Enabled Enabled

access to locally logged-on
user only
Devices: Restrict floppy access Enabled Enabled

to locally logged-on user only
Devices: Unsigned driver Warn but allow installation Warn but allow installation
installation behavior
Domain controller: Allow Not Defined Not Defined

server operators to schedule
tasks
Domain controller: LDAP Not Defined Not Defined

server signing requirements
Domain controller: Refuse Not Defined Not Defined

machine account password
changes
Domain member: Digitally Not Defined Not Defined

encrypt or sign secure channel
data (always)
Domain member: Digitally Enabled Enabled

encrypt secure channel data
(when possible)
Domain member: Digitally Enabled Enabled

sign secure channel data (when
possible)
Domain member: Disable Disabled Disabled

machine account password
changes
Domain member: Maximum 30 days 30 days

machine account password age
Domain member: Require Enabled Enabled

strong (Windows 2000 or later)
session key
46
Local Policies

Interactive logon: Do not Enabled Enabled
display last user name
Interactive logon: Do not Disabled Disabled

require CTRL+ALT+DEL
Interactive logon: Message text This system is restricted to This system is restricted to
for users attempting to log on authorized users. Individuals authorized users.
attempting unauthorized access Individuals attempting
will be prosecuted. unauthorized access will be
prosecuted.
Interactive logon: Message title IT IS AN OFFENSE TO IT IS AN OFFENSE TO
for users attempting to log on CONTINUE WITHOUT PROPER CONTINUE WITHOUT
AUTHORIZATION. PROPER
AUTHORIZATION.
Interactive logon: Number of 0 logons 0 logons
previous logons to cache (in
case domain controller is not
available)
Interactive logon: Prompt user 14 days 14 days

to change password before
expiration
Interactive logon: Require Enabled Enabled

Domain Controller
authentication to unlock
workstation
Interactive logon: Require Not Defined Not Defined

smart card
Interactive logon: Smart card Lock Workstation Lock Workstation

removal behavior
Microsoft network client: Not Defined Not Defined

Digitally sign communications
(always)
Microsoft network client: Enabled Enabled

(if server agrees)
Microsoft network client: Send Disabled Disabled

unencrypted password to
third-party SMB servers
47
Local Policies

Microsoft network server: 15 minutes 15 minutes
Amount of idle time required
before suspending session
Microsoft network server: Enabled Enabled

(always)
Microsoft network server: Not Defined Enabled

(if client agrees)
Microsoft network server: Not Defined Enabled
Disconnect clients when logon
hours expire
Network access: Allow Disabled Disabled
anonymous SID/Name
translation
Network access: Do not allow Enabled Enabled

anonymous enumeration of
SAM accounts

anonymous enumeration of
SAM accounts and shares

storage of credentials or .NET
Passports for network
authentication
Network access: Let Everyone Disabled Disabled

permissions apply to
anonymous users
Network access: Named Pipes Not Defined Not Defined

that can be accessed
anonymously
Network access: Remotely Not Defined Not Defined

accessible registry paths
Network access: Remotely Not Defined Not Defined

accessible registry paths and
subpaths
48
Local Policies

Network access: Restrict Enabled Enabled
anonymous access to Named
Pipes and Shares
Network access: Shares that Not Defined Not Defined

can be accessed anonymously
Network access: Sharing and Not Defined Classic - local users

security model for local authenticate as themselves
accounts
Network security: Do not store Enabled Enabled

LAN Manager hash value on
next password change
Network security: Force logoff Enabled Enabled

when logon hours expire
Network security: LAN Send LM & NTLM - use NTLMv2 Send NTLMv2 response
Manager authentication level session security if negotiated only\refuse LM & NTLM
Network security: LDAP client Negotiate signing Negotiate signing

signing requirements
Network security: Minimum Not Defined Require 128-bit encryption

session security for NTLM SSP
based (including secure RPC)
clients
Network security: Minimum Not Defined Require 128-bit encryption

session security for NTLM SSP
based (including secure RPC)
servers
Recovery console: Allow Disabled Disabled

automatic administrative logon
Recovery console: Allow Enabled Disabled

floppy copy and access to all
drives and all folders
Shutdown: Allow system to be Disabled Disabled

shut down without having to
log on
49
Local Policies

Shutdown: Clear virtual Enabled Enabled
memory pagefile
System cryptography: Force User must enter a password each User must enter a password
strong key protection for user time they use a key each time they use a key
keys stored on the computer
System cryptography: Use Not Defined Enabled

FIPS compliant algorithms for
encryption, hashing, and
signing
System objects: Default owner Not Defined Not Defined

for objects created by members
of the Administrators group
System objects: Require case Enabled Enabled

insensitivity for non-Windows
subsystems
System objects: Strengthen Enabled Enabled

default permissions of internal
system objects (e.g. Symbolic
Links)
System settings: Use Not Defined Not Defined

Certificate Rules on Windows
Executables for Software
Restriction Policies
MSS: (AFD 10 10
DynamicBacklogGrowthDelta)
Number of connections to
create when additional
connections are necessary for
Winsock applications (10
recommended)
Note: MSS settings are not

displayed by default in the
Local Security Policy or
Security Templates snap-in.
Manual configuration is
required to implement this.
MSS: (AFD Enabled Enabled

EnableDynamicBacklog)
Enable dynamic backlog for
50
Local Policies

Winsock applications
(recommended)
MSS: (AFD 20000 20000

MaximumDynamicBacklog)
Maximum number of
'quasi-free' connections for
Winsock applications
MSS: (AFD 20 20
MinimumDynamicBacklog)
Minimum number of free
connections for Winsock
applications (20 recommended
for systems under attack, 10
otherwise)
MSS: (AutoAdminLogon) Disabled Disabled

Enable Automatic Logon (not
recommended)
MSS: (AutoShareWks) Enable Disabled Disabled

Administrative Shares (not
recommended except for
highly secure environments)
MSS: Highest Protection, source routing Highest Protection, source

(DisableIPSourceRouting) IP is automatically disabled. routing is automatically
source routing protection level disabled.
(protects against packet
spoofing)
MSS: (DisableSavePassword) Undefined Enabled

Prevent the dial-up passsword
from being saved
(recommended)
MSS: (EnableDeadGWDetect) Disabled Disabled
Allow automatic detection of
dead network gateways (could
lead to DoS)
MSS: (EnableICMPRedirect) Disabled Disabled

Allow ICMP redirects to
override OSPF generated
routes
51
Local Policies

MSS: Disabled Disabled
(EnablePMTUDiscovery)
Allow automatic detection of
MTU size (possible DoS by an
attacker using a small MTU)
MSS: (Hidden) Hide Computer Not Defined - (not recommended Not Defined - (not
From the Browse List except for highly secure recommended except for
environments) highly secure
environments)
MSS: (KeepAliveTime) How 300000 or 5 minutes 300000 or 5 minutes
often keep-alive packets are (recommended) (recommended)
sent in milliseconds
MSS: (NoDefaultExempt) Not Defined Not Defined

Enable NoDefaultExempt for
IPSec Filtering (recommended)
MSS: (NoDriveTypeAutoRun) 255, disable autorun for all drives 255, disable autorun for all
Disable Autorun for all drives drives
MSS: Enabled Enabled

(NoNameReleaseOnDemand)
Allow the computer to ignore
NetBIOS name release requests
except from WINS servers

(NtfsDisable8dot3NameCreation)
Enable the computer to stop
generating 8.3 style filenames

(PerformRouterDiscovery)
Allow IRDP to detect and
configure DefaultGateway
addresses (could lead to DoS)
MSS: (SafeDllSearchMode) Enabled Enabled

Enable Safe DLL search mode
(recommended)
MSS: 0 0
(ScreenSaverGracePeriod) The
time in seconds before the
screen saver grace period
expires (0 recommended)
52
Event Log

MSS: (SynAttackProtect) Syn Connections time sooner if a SYN Connections time sooner if
attack protection level (protects attack is detected by the server a SYN attack is detected by
against DoS) the server
MSS: 3 & 6 seconds, half-open 3 & 6 seconds, half-open

(TCPMaxConnectResponseRetransmissions) connections dropped after 21 connections dropped after
SYN-ACK retransmissions seconds 21 seconds
when a connection request is
not acknowledged
MSS: 3 3
(TCPMaxDataRetransmissions)
How many times
unacknowledged data is
retransmitted (3 recommended,
5 is default)
MSS: 5 5
(TCPMaxPortsExhausted)
How many dropped connect
requests to initiate SYN attack
protection (5 is recommended)
MSS: (WarningLevel) 90% 90%

Percentage threshold for the
security event log at which the
system will generate a warning
Event Log
Maximum application log size 16384 kilobytes 81920 kilobytes
Maximum security log size 81920 kilobytes 81920 kilobytes
Maximum system log size 16384 kilobytes 81920 kilobytes
Restrict guest access to Enabled Enabled

application log
Restrict guest access to Enabled Enabled

security log
53
System Services

Restrict guest access to system Enabled Enabled
log
Retain application log Not Defined 7 days
Retain security log Not Defined 7 days
Retain system log Not Defined 7 days
Retention method for As Needed As Needed

application log
Retention method for security As Needed As Needed

log
Retention method for system As Needed As Needed

log
System Services
Note: The service startup settings for 7.0(0) and 7.2(1) are the same. However, the 7.2(1) security
template modifies permissions for the Alerter and ClipBook services. The Administrators group
and the SYSTEM group permissions for the Alerter and ClipBook services are set to allow full
control; all other permissions are revoked.
Settings for System Services
Full Service Name Service Name Startup Type

.NET Framework Support Service CORRTSvc Disabled
Alerter Alerter Disabled
Application Layer Gateway Service ALG Disabled
Application Management AppMgmt Disabled
ASP .NET State Service aspnet_state Disabled
Automatic Updates wuauserv Automatic
Background Intelligent Transfer BITS Manual

Service
54
System Services

Certificate Services CertSvc Disabled
Client Service for NetWare NWCWorkstation Disabled
ClipBook ClipSrv Disabled
Cluster Service ClusSvc Disabled
COM+ System Application COMSysApp Manual
COM+Event Services EventSystem Automatic
Computer Browser Browser Disabled
Cyrptographic Services CryptSvc Automatic
DCOM Server Process Launcher DcomLaunch Automatic
DHCP Client Dhcp Automatic
DHCP Server DHCPServer Disabled
Distributed File System Dfs Disabled
Distributed Link Tracking Client TrkWks Disabled
Distributed Link Tracking Server TrkSvr Disabled
Distributed Transaction Coordinator MSDTC Disabled
DNS Client Dnscache Automatic
DNS Server DNS Disabled
Error Reporting Service ERSvc Disabled
Event Log Eventlog Automatic
Fast User Switching Compatibility FastUserSwitchingCompatibility Disabled
Fax Service Fax Disabled
File Replication NtFrs Disabled
55
System Services

File Server for Macintosh MacFile Disabled
FTP Publishing Service MSFtpsvc Disabled
Help and Support helpsvc Disabled
HTTP SSL HTTPFilter Not Defined
Human Interface Device Access HidServ Disabled
IAS Jet Database Access IASJet Disabled
IIS Admin Service IISADMIN Not Defined
IMAPI CD-Burning COM Service ImapiService Disabled
Indexing Service cisvc Disabled
Infrared Monitor Irmon Disabled
Internet Authentication Service IAS Disabled
Internet Connection Firewall SharedAccess Automatic

(ICF)/Internet Connection Sharing
(ICS)
Intersite Messaging IsmServ Not Defined
IP Version 6 Helper Service 6to4 Disabled
IPSec Policy Agent (IPSec Service) PolicyAgent Automatic
Kerberos Key Distribution Center Kdc Not Defined
LED/LCD Manager SALDM Disabled
License Logging Service LicenseService Disabled
Logical Disk Manager dmserver Manual
Logical Disk Manager Dmadmin Manual

Administrative Service
Message Queuing msmq Not Defined
56
System Services

Message Queuing Down Level mqds Disabled
Clients
Message Queuing Triggers Mqtgsvc Disabled
Messenger Messenger Disabled
Microsoft POP3 Service POP3SVC Disabled
MS Software Shadow Copy Provider SwPrv Manual
MSSEARCH MSSEARCH Disabled
MSSQL$UDDI MSSQL$UDDI Disabled
MSSQLServerADHelper MSSQLServerADHelper Disabled
Netlogon Netlogon Automatic
NetMeeting Remote Desktop Sharing mnmsrvc Disabled
Network Connections Netman Manual
Network DDE NetDDE Disabled
Network DDE DSDM NetDDEdsdm Disabled
Network Location Awareness (NLA) NLA Manual
Network News Transfer Protocol NntpSvc Disabled

(NNTP)
Network Provisioning Service xmlprov Disabled
NTLM Security Support Provider NtLmSsp Automatic
Performance Logs and Alerts SysmonLog Manual
Plug and Play PlugPlay Automatic
Portable Media Serial Number WmdmPmSN Disabled
Print Server for Macintosh MacPrint Disabled
57
System Services

Print Spooler Spooler Not Defined
Protected Storage ProtectedStorage Automatic
Remote Access Auto Connection RasAuto Disabled

Manager
Remote Access Connection Manager RasMan Manual
Remote Administration Service srvcSurg Disabled
Remote Desktop Help Session RDSessMgr Disabled

Manager
Remote Installation BINLSVC Disabled
Remote Procedure Call (RPC) RpcSs Automatic
Remote Procedure Call (RPC) RpcLocator Not Defined

Locator
Remote Registry Service RemoteRegistry Automatic
Remote Server Manager appmgr Disabled
Remote Server Monitor Appmon Disabled
Remote Storage Notification Remote_Storage_User_Link Disabled
Remote Storage Server Remote_Storage_Server Disabled
Removable Storage NtmsSvc Manual
Resultant Set of Policy Provider RSoPProv Disabled
Routing and Remote Access RemoteAccess Disabled
SAP Agent nwsapagent Disabled
Secondary Logon seclogon Disabled
Security Accounts Manager SamSs Automatic
Server lanmanserver Automatic
58
System Services

SharePoint Timer Service SPTimer Disabled
Shell Hardware Detection ShellHWDetection Disabled
Simple Mail Transport Protocol SMTPSVC Disabled

(SMTP)
Simple TCP/IP Services SimpTcp Disabled
Single Instance Storage Groveler Groveler Disabled
Smart Card SCardSvr Disabled
SNMP Service SNMP Disabled
SNMP Trap Service SNMPTRAP Disabled
Special Administration Console Sacsvr Disabled

Helper
SQLAgent$* (* UDDI or WebDB) SQLAgent$WEBDB Not Defined
System Event Notification SENS Automatic
Task Scheduler Schedule Automatic
TCP/IP NetBIOS Helper Service LmHosts Automatic
TCP/IP Print Server LPDSVC Disabled
Telephony TapiSrv Not Defined
Telnet TlntSvr Disabled
Terminal Services TermService Manual
Terminal Services Licensing TermServLicensing Disabled
Terminal Services Session Directory Tssdis Disabled
Themes Themes Disabled
Trivial FTP Daemon tftpd Disabled
59
System Services

Uninterruptible Power Supply UPS Not Defined
Upload Manager Uploadmgr Disabled
Virtual Disk Service VDS Disabled
Volume Shadow Copy VSS Manual
Web Element Manager elementmgr Disabled
WebClient WebClient Disabled
Windows Audio AudioSrv Disabled
Windows Firewall/Internet SharedAccess Not Defined

Connection Sharing
Windows Image Acquisition (WIA) StiSvc Disabled
Windows Installer MSIServer Manual
Windows Internet Name Service WINS Disabled

(WINS)
Windows Management winmgmt Automatic

Instrumentation
Windows Management Wmi Manual

Instrumentation Driver Extensions
Windows Media Connect WmcCds Disabled
Windows Media Connect (WMC) WmcCdsLs Disabled

Helper Service
Windows Media Services WMServer Disabled
Windows System Resource Manager WindowsSystemResourceManager Disabled
Windows Time W32Time Automatic
Windows User Mode Driver UMWdf Disabled

Framework
60
Registry

WinHTTP Web Proxy WinHttpAutoProxySvc Disabled
Auto-Discovery Service
WinSIP WinSIP Disabled
Wireless Configuration WZCSVC Disabled
WMI Performance Adapter WmiApSrv Manual
Workstation lanmanworkstation Automatic
World Wide Web Publishing Service W3SVC Not Defined
Registry
The 7.2(1) security template modifies the access auditing for the following registry keys. These
changes do not apply to earlier template versions.
Warning: The ICMSecurityHardening script cannot rollback changes made to Registry

auditing.
Object Name Group or User Name Auditing

HKLM\Software Everyone Access Failure
HKLM\System Everyone Access Failure
File System
The 7.2(1) security template modifies the access auditing for the following files. These changes
do not apply to earlier template versions.
Warning: The ICMSecurityHardening script cannot rollback changes made to File System
access permissions.
Object Name Group or User Name Permissions

arp.exe Administrator, SYSTEM Full Control
at.exe Administrator, SYSTEM Full Control
attrib.exe Administrator, SYSTEM Full Control
cacls.exe Administrator, SYSTEM Full Control
debug.exe Administrator, SYSTEM Full Control
61
File System
Object Name Group or User Name Permissions

edlin.exe Administrator, SYSTEM Full Control
eventtriggers.exe Administrator, SYSTEM Full Control
ftp.exe Administrator, SYSTEM Full Control
nbtstst.exe Administrator, SYSTEM Full Control
net.exe Administrator, SYSTEM Full Control
net1.exe Administrator, SYSTEM Full Control
netsh.exe Administrator, SYSTEM Full Control
netstat.exe Administrator, SYSTEM Full Control
nslookup.exe Administrator, SYSTEM Full Control
ntbackup.exe Administrator, SYSTEM Full Control
rcp.exe Administrator, SYSTEM Full Control
reg.exe Administrator, SYSTEM Full Control
regedt.exe Administrator, SYSTEM Full Control
regini.exe Administrator, SYSTEM Full Control
regsvr32.exe Administrator, SYSTEM Full Control
rexec.exe Administrator, SYSTEM Full Control
route.exe Administrator, SYSTEM Full Control
rsh.exe Administrator, SYSTEM Full Control
sc.exe.exe Administrator, SYSTEM Full Control
secedit.exe Administrator, SYSTEM Full Control
subst.exe Administrator, SYSTEM Full Control
systeminfo.exe Administrator, SYSTEM Full Control
telnet.exe Administrator, SYSTEM Full Control
tftp.exe Administrator, SYSTEM Full Control
tlntsvr.exe Administrator, SYSTEM Full Control
62
Chapter 5
Updating Microsoft Windows
Note:
• Windows 2003 "R1", otherwise known as SP1, is not currently supported by ICM/IPCC
Release 7.0(0). See the CCBU Policy for Third-Party Software/Security Updates (http:/
/www.cisco.com/en/US/partner/products/sw/custcosw/ps1001/prod_bulletins_list.html).
• Windows 2000 Server, SP4 now has an Update Roll Up available: Windows 2000 Update
Rollup 1 for Service Pack 4 (http://www.microsoft.com/windows2000/server/evaluation/
news/bulletins/rollup.mspx). This update contains many security updates.
• Microsoft Security Updates, page 63

• Microsoft Service Pack Policy, page 65
Microsoft Security Updates

Automatically applying security and software update patches from third-party vendors is not
without risk. Although the risk is generally small, subtle changes in functionality or additional
layers of code may alter the overall performance of Cisco Contact Center products.
ICM/IPCC customers are specifically cautioned to not automatically enable Microsoft Windows
Update. The update schedule can conflict with other ICM/IPCC activity. Users should only
apply those updates that are recommended by Cisco. However, customers can use Microsoft
Software Update Service or similar patch management products to selectively approve Critical
and Important patches that have been qualified by Cisco.
Cisco categorizes and qualifies third-party security updates as they are released by the
manufacturer. While some updates clearly impact ICM/IPCC products, it is important to realize
63
Chapter 5: - Updating Microsoft Windows
Microsoft Security Updates
that not all updates are critical, important, or impact ICM/IPCC products. To help guide
customers, updates are placed in one of these four categories:
1. Impacting
ICM/IPCC product impact testing is performed within a predefined window of when the
security update is released by the third-party vendor. The security update must match the
following conditions:
– The update is labeled by the vendor as Critical or Important or is otherwise of special

interest
– It potentially affects some ICM/IPCC product component or functionality (or is basic

to the OS and affects all operations for any software)
– It must apply to the latest ICM/IPCC specified Service Pack(s)
2. Not Impacting
ICM/IPCC products are not impacted by the security update and no further testing is
performed. The security update must match the following conditions:
– The update is labeled by the vendor as Critical or Important or is otherwise of special

interest
– It does not affect any ICM/IPCC component or functionality or any basic OS

functionality
3. Deferred
Validation is typically deferred to the next Service Release, Maintenance Release, and
subsequent Major/Minor Releases. The security update must match the following
conditions:
– The update is labeled by the vendor as Moderate or Low
– It affects some ICM/IPCC component or functionality (or is basic to the OS and

affects all operations for any software)
4. Not Applicable
The security update does not apply to any current ICM/IPCC product. No further
qualification is required. The security update must match the following conditions:
– The security update does not apply to the latest ICM/IPCC Specified Service Pack(s),
regardless of ICM/IPCC product applicability or vendor-rated severity.
64
Chapter 5: Updating Microsoft Windows
Microsoft Service Pack Policy
All third-party qualification notices are sent as Field Notices.
• Customers can set up a profile to be alerted of field notice postings by going to the following
link: http://www.cisco.com/cgi-bin/Support/FieldNoticeTool/field-notice
• For the Security Updates categorized as Impacting, Cisco continues to test its products to
further determine if there are any potential conflicts after the initial field notice. A field notice
update is released when those tests are completed.
• Customers should follow Microsoft's guidelines regarding when and how they should apply
these updates.
• Cisco recommends that Contact Center customers separately assess all security patches
released by Microsoft and install those deemed appropriate for their environments. Cisco
will continue to provide a service of separately assessing and where necessary, validating
higher severity security patches that may be relevant to the Contact Center software products.
• See CCBU Policy for Third-Party Software/Security Updates at http://www.cisco.com/en/

US/partner/products/sw/custcosw/ps1001/prod_bulletins_list.html

Do not automatically apply Microsoft Service Packs for the Operating system or SQL Server.
Cisco qualifies service packs through extensive testing and defines compatible service packs
in each product's Bill of Materials.
The Microsoft Windows Automatic Update Client can be configured to poll a server that is
running Microsoft Software Update Services (SUS) or Windows Server Update Services in
place of the default Windows Update Web site to retrieve updates.
This is the recommended approach to be able to selectively approve updates and determine
when they get deployed on production servers.
To use Automatic Updates with a server that is running Software Update Services, see the
Software Update Services Deployment white paper. To view this white paper, visit the following
Microsoft Web site: http://www.microsoft.com/windowsserversystem/updateservices/
techinfo/previous/susdeployment.mspx
Configuring the Server to use an Alternate Windows Update Server
To configure the server to use an alternate Windows Update server:
Step 1 Select Start > Run and type regedit in the dialog. Click OK.
Warning: If you use Registry Editor incorrectly, you may cause serious problems that
may require you to reinstall your operating system. Cisco cannot guarantee that you can
solve problems that result from using the Registry Editor incorrectly. Use the Registry
Editor at your own risk and make backups as appropriate.
65
Chapter 5: - Updating Microsoft Windows
Step 2 In regedit, locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Step 3 Edit (or add) the following setting:
Value name: UseWUServer
Registry Value Type: Reg_DWORD
Value data: Set this value to 1 to configure Automatic Updates to use a server that is running
Software Update Services instead of Windows Update.
Step 4 To determine the server that is running SUS that your client computers and servers go to for
their updates, add the following registry values to the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
Value name: WUServer
Registry Value Type: Reg_SZ
This value sets the SUS server by HTTP name (for example, http://IntranetSUS).
Value name: WUStatusServer
Registry Value Type: Reg_SZ
This value sets the SUS statistics server by HTTP name
66
Chapter 6
SQL Server Hardening
SQL Server Hardening Suggestions
Top Hardening Suggestions
Top Hardening Suggestions:
1. Do not install SQL Server on an Active Directory Domain Controller.
2. In a multi-tier environment, run Web logic and business logic on separate computers. In
Release 7.0(0), Webview servers can be deployed on a dedicated server not shared with
an Admin Workstation.
3. Install latest applicable SQL Server service pack and security updates (SP4 or later), Refer
to the Bill of Materials for the compatible service pack for your product.
4. Set a strong password for the ‘sa' account before installing the ICM software (see below).
5. Limit privileges for SQL Server Service account, MSSQLServer.
Note: The following assumes the SQL Server has been installed prior with the service
configured to run as the ‘LocalSystem' Account. It's possible these steps can be shortened
if the SQL Server is installed initially to run using a least privileged account. See the ICM
Staging Guide for more information on how to properly install SQL Server using a Domain
User Account to run the MSSQL Server service.
a. Create a Windows domain user account (e.g., <domain>\SQLServiceAcct>). (See

Staging Guide for details). Appropriate file system permissions (Modify) must be
given to this user account for the \mssql\data directory to be able to create, expand
or delete databases as needed by the ‘icmdba' application.
67
Chapter 6: - SQL Server Hardening
b. Configure Security Account Delegation in Active Directory (Users folder) for this
account:
From the ‘Account' property page, select ‘Account is trusted for delegation'.
Make sure ‘Account is sensitive and cannot be delegated' is NOT selected.
c. Configure Security Account Delegation in Active Directory (Computers folder) for

each machine that has SQL (or MSDE) installed:
Select ‘Trust computer for delegation' on the ‘General' property page.
d. Have a Domain Administrator configure Security Account Delegation using the

SetSPN utility from the Windows 2000 resource kit to set a Service Principal Name
as follows:
List the existing SPN for the machine by typing the following at a command prompt:
setspn -L <machine>
Delete any existing SPN for the MSSQLSvc entry by typing the following at a
command prompt: setspn -D "MSSQLSvc/<machine:port>
<serviceaccountname>" <machine> 1
Create a new SPN entry for the MSSQLSvc entry by typing the following at a
command prompt: setspn -A "MSSQLSvc/<machine:port>
<serviceaccountname>" <machine>
e. Add the domain user account created in Step a. to the NTFS permissions for the
Operating System and data partitions at the root level (e.g., C:\). Allow all
permissions, except Full Control.
f. Finally, add this domain user account created in Step a. to the Registry permissions
for the HKEY_LOCAL_MACHINE\Software, HKEY_LOCAL_MACHINE\System
and HKEY_USERS hives, giving it Full Control.
g. From the SQL Server Enterprise Manager, configure the SQL Server service to run
as the domain user account created in Step a. (e.g., <domain>\SQLServiceAcct>).
6. Disable SQL Server Agent Service, SQLServerAgent.
Note: Applying SQL Server security updates or hotfixes may require that the SQL Server
Agent service be enabled. It is recommended that this service should be reset to 'enabled'
before performing the update. When the update has completed, stop the service and set it
to back to 'disabled'.
7. Disable Distributed Transaction Coordinator, MSDTC (done by default by the automated

server hardening in the Cisco ICM Security Template Settings).
1) The string inside quotes must match exactly what is seen in the List command:: setspn -L <machine>
68
Chapter 6: SQL Server Hardening
Note: The SQLServerAgent and MSDTC services may be used for 3rd Party Backup
solutions therefore we recommend checking the Backup Agents' system requirements
before disabling these services.
8. Use NTFS directory security with EFS for SQL Server data directories. EFS must be set
while logged in under the account credentials that the SQL service will run under (e.g.,
<domain>\SQLServiceAcct>). From the Local Policy editor, temporarily grant 'logon
locally' privileges to this account to enable EFS then remove this right after logging off.
Warning: EFS should only be enabled if there is a concern with data theft as there will be
a performance impact.
Note: In order to copy and send the data to other parties, it will be necessary to backup
the database to a different directory that is not encrypted to ensure that the receiving party
is able to read the data in the backup. This can be accomplished by exporting or backing
up the database from the SQL Server Enterprise Manager.
9. Disable the SQL guest account.
10. Restrict sysadmin membership to your ICM administrators.
11. Block TCP port 1433 and UDP port 1434 at the firewall except for when the ICM distributor
or administrative workstation is not in the same security zone as the ICM Logger.
12. Protection by good housekeeping:
a. Run the KillPwd utility to remove password data from setup files. Detailed instructions
on how to run this utility can be found in KB Article Q263968 at http://
support.microsoft.com/default.aspx?scid=kb;en-us;263968
b. Delete or secure old setup files: Delete or archive the following files after installation:
sqlstp.log, sqlsp.log, and setup.iss in the <systemdrive>:\Program Files\Microsoft
SQL Server\MSSQL\Install folder for a default installation, and the
<systemdrive>:\Program Files\Microsoft SQL Server\ MSSQL$<Instance
Name>\Install folder for named instances.
If the current system is an upgrade from SQL Server 7.0, delete the following files:
setup.iss in the %Windir% folder, and sqlsp.log in the Windows Temp folder.
13. Change the recovery actions of the Microsoft SQL Server service to restart after a failure.
14. Remove all sample databases, e.g., Pubs and Northwind.
SQL Server Users and Authentication
When creating a user for the SQL Server account, create Windows accounts with the lowest
possible privileges for running SQL Server services. It is preferable that this be done during the
installation of SQL Server.
69
Chapter 6: - SQL Server Hardening
Use Windows Only authentication if possible. Cisco Contact Center applications use Windows
authentication to access SQL Server. Cisco understands that some third party applications may
require SQL Server authentication to run properly, but if you are not using any third party
products to access SQL Server, then you should use Windows Only authentication, rather than
mixed mode authentication.
Using mixed mode authentication can increase security risks.
During ICM setup, if the sa password is found to be blank, then a randomly generated strong
password is generated and used to secure the sa account. This randomly generated sa password
is displayed only once during the install. Make note of the password as it is not presented
again. Resetting of the sa account password may be done after installation by logging on to the
SQL Server using a Windows Local Administrator account.
70
Chapter 7
Cisco SSL Encryption Utility
About the SSL Encryption Utility

In ICM release 7.0(0), ICM web servers are configured for secure access (HTTPS) using SSL.
Cisco provides an application called the SSL Encryption Utility (SSLUtil.exe) to help with the
task of configuring web servers for use with SSL.
Note: This utility is only supported on servers running Windows Server 2003.
The operations performed by the SSL encryption utility can also be accomplished by the operating
system facilities such as IIS, however the Cisco utility simplifies the process.
SSLUtil.exe is located in the <ICMInstallDrive>\icm\bin folder. The SSL Encryption Utility

can be invoked in either standalone mode or automatically as part of setup.
The SSL Encryption Utility generates log messages pertaining to the operations that it performs.
When running as part of setup, log messages are written to the setup log file. In standalone
mode, the log messages are only displayed on the SSL Utility Window.
The SSL Encryption Utility performs two major functions:
• SSL Configuration
• SSL Certificate Administration
71
Chapter 7: - Cisco SSL Encryption Utility
SSL is only available for ICM web applications installed on Windows Server 2003. The
ICM/IPCC web applications that can be configured for SSL are:
• WebView
• IPCC Web Administration (System IPCC)
• Internet Script Editor
• Agent Re-skilling
Installing SSL During Setup
By default, setup enables SSL for IPCC Web Administration, Internet Script Editor and Agent
Re-skilling applications. SSL can be configured for WebView during setup. By default,
Authentication mode is selected for WebView during setup. For more detail on SSL for WebView
application, refer to "SSL Configuration at ICM Setup" in WebView Installation and
Administration Guide for Cisco ICM/IPCC Enterprise & Hosted Editions. If the SSL settings
are changed via other means such as IIS manager while the SSL Configuration Utility is open,
those changes are not reflected in the SSL Configuration Utility unless it is closed and reopened.
The SSL Configuration Utility also facilitates creation of self-signed certificates and installation
of the created certificate in IIS. A certificate may also be removed from IIS using this tool.
When invoked as part of setup, the SSL Configuration Utility sets SSL port in IIS to 443 if it
is found to be blank.
If you want to use SSL for Agent Reskilling or Internet Script Editor, then you can just accept
the default settings during installation and the supported servers will use SSL.
If you want to use SSL in WebView, leave Enable Encryption selected. You can further specify
session encryption (all traffic is encrypted, not just the authentication process) during the
WebView setup process; note that this increases server load significantly.
When the utility runs during setup a self-signed certificate is generated (using OpenSSL),
imported into the Local Machine Store, and installed on the web server. Virtual directories are
enabled and configured for SSL with 128-bit encryption.
Note: During setup, if a certificate exists or the Web Server is found to have an existing server
certificate installed, a log entry is added and no changes take effect. Any certificate management
changes must be done using the utility in standalone mode or directly using the IIS Services
Manager.
SSL Encryption Utility in Standalone Mode
In standalone mode, the SSL Configuration Utility displays the list of the ICM instances installed
on the local machine. When an ICM instance is selected, the web applications installed and
their SSL settings are displayed. You can then alter the SSL settings for the web application.
72
Chapter 7: Cisco SSL Encryption Utility
Figure 1: SSL Config Utility - Configuration Tab
The SSL Configuration Utility also facilitates creation of self-signed certificates and installation
of the created certificate in IIS. A certificate may also be removed from IIS using this tool.
When invoked as part of setup, the SSL Configuration Utility sets SSL port in IIS to 443 if it
is found to be blank.
Figure 2: SSL Config Utility - Certificate Administration Tab
73
Chapter 7: - Cisco SSL Encryption Utility
Enabling the Transport Layer Security (TLS) 1.0 Protocol
In ICM release 7.2(1), hardening settings on Windows Server 2003 secure the IIS webserver
by default. Specifically, the security template enables FIPS compliant strong encryption, which
requires the TLS 1.0 protocol be enabled instead of SSL 2.0 or SSL 3.0. TLS 1.0 is enabled on
Internet Explorer 7.0 by default, but is not enabled on Internet Explorer 6.0. To ensure Web
browser connectivity to a hardened Webview, Dynamic Reskilling (Agent Reskilling), or SIPCC
Webconfig server over HTTPS using Internet Explorer 6, you need to enable TLS 1.0 protocol.
Step 1 Launch Internet Explorer 6.0.
Step 2 On the Tools menu, click Internet Options.
Step 3 Select the Advanced tab.
Step 4 Scroll to Security and select the Use TLS 1.0 checkbox.
Be sure to consult the Microsoft Knowledge Base (KB)KB811833 (http://support.microsoft.com/

kb/811833 )for additional information about security settings.
Note: If security hardening is applied using the 7.2(1) template but Internet Explorer is not
configured to support the TLS 1.0 protocol, the Web browser will not be unable to connect to
the Web server. An error message indicates that the page is either unavailable or that the Web
site might be experiencing technical difficulties.
74
Chapter 8
Intrusion Prevention and Cisco Security Agent
The Cisco Security Agent (CSA) provides Host Intrusion Detection and prevention for servers.
As high-visibility network security attacks such as Code Red and the SQL Slammer worm have
shown, traditional host and desktop security technologies are limited in their capability to combat
the effects of new and evolving virus attacks. Unlike traditional signature matching security
technologies, CSA analyzes virus behavior to provide robust protection with reduced operational
costs. By identifying and preventing malicious behavior before it occurs, CSA removes potential
known and unknown ("Day Zero") security risks that threaten enterprise networks and
applications.
Note: You should not view CSA as providing complete security for servers running Cisco ICM
software. Rather, you should view CSA as an additional line of defense which, when used with
other standards defenses such as virus scanning software, firewalls, and the documented
guidelines, as providing enhanced security for ICM software servers.
• What are Cisco Security Agent Policies?, page 75

• Types of Agents, page 76
What are Cisco Security Agent Policies?

The Cisco Security Agent provides protection for Windows platforms based on a set of rules,
or policies, that you set. Policies define which actions on the system and network are allowed
and denied. Cisco Security Agent checks actions that use system or network resources and
blocks denied actions.
75
Chapter 8: - Intrusion Prevention and Cisco Security Agent
Types of Agents
You define policies to control access to system and network resources based on the following
parameters:
• Which resource is being accessed
• Which operation is being invoked
• Which process is invoking the action
Cisco has defined a policy for CSA to protect servers without interfering with the normal
operations of ICM software. You can download this policy from the Cisco Web site
(www.cisco.com).
Note: If you do use CSA, then consult the following guide for important information regarding
installing ICM/IPCC applications using their default paths. Installing ICM/IPCC application to
their default paths minimizes any issues that may arise out of using CSA with supported
applications that have been installed in non-default locations.
See Also
Cisco Security Agent Installation/Deployment Guide for ICM/IPCC Enterprise & Hosted Editions
Types of Agents
You can use Cisco Security Agent as either a Standalone Agent or a Managed Agent.
Managed Agent
A Managed Agent reports all significant events to a centralized Management Center.
The Management Center serves multiple agents and servers simultaneously. The Management
Center allows you to monitor and protect multiple servers using a browser-based console.
The Managed Agent is appropriate if you are using third-party software that is not approved by
Cisco for ICM servers. If this is the case, it is recommended that you purchase and install the
CSA Management Center, then import the ICM policy (page 75) and customize it to allow the
third-part applications to operate.
Standalone Agent
The CSA Standalone Agent provides the same protections and the Managed Agent, but does
not report events back to the Management Center. Furthermore, the Standalone Agent uses a
static policy (page 75) that you cannot modify.
The Standalone Agent for ICM software is available free of charge from Cisco.
76
Chapter 8: Intrusion Prevention and Cisco Security Agent
Types of Agents
See Also
Cisco Security Agent on the Cisco Web Site (www.cisco.com/go/csa)
77
Chapter 8: - Intrusion Prevention and Cisco Security Agent
Types of Agents
78
Chapter 9
Microsoft Baseline Security Analyzer (MBSA)
The Microsoft Baseline Security Analyzer checks computers running Microsoft Windows(R)
Server 2003, Windows XP, Windows 2000, or Windows NT(R) 4.0 for common security
mis-configurations.
The following are the scanning options selected for Cisco ICM Real-Time Distributor running
one or more web applications (e.g. Internet Script Editor, WebView, or Agent-Reskilling).
• Windows operating system (OS) checks
• IIS checks
• SQL checks
• Security update checks
• Password checks
This report is provided to show an example of the results of running the MBSA tool against a
Cisco ICM server that is running the majority of Microsoft Server Applications supported by
the tool.
• Security Update Scan Results, page 80

• Windows Scan Results, page 80
• Internet Information Services (IIS) Scan Results, page 81
• SQL Server Scan Results, page 82
• Desktop Application Scan Results, page 83
79
Chapter 9: - Microsoft Baseline Security Analyzer (MBSA)
Security Update Scan Results
Security Update Scan Results

Score Issue Result
Windows Security Updates No critical security updates are missing.
IIS Security Updates No critical security updates are missing.
SQL Server/MSDE Security Updates Instance (default): No critical security updates are
missing.
MDAC Security Updates No critical security updates are missing.
MSXML Security Updates No critical security updates are missing.
Office Security Updates No Microsoft Office products are installed.
Windows Scan Results

Table 1: Vulnerabilities
Score Issue Result

Automatic Updates Automatic Updates are managed through Group Policy on this computer.
Administrators More than 2 Administrators were found on this computer.
Note: This warning can be ignored given that the Cisco ICM application
requires the addition of certain groups to the Local Administrators group,
therefore triggering this event. It is recommended that you review the Result
Details and remove any known unnecessary accounts.
Password Expiration Some user accounts (1 of 7) have non-expiring passwords.
Note: When the server is properly configured to require expiring passwords,

this warning will typically find the Guest account to have a non-expiring
password even though the account is disabled. This warning can be ignored.
Windows Firewall Windows Firewall is enabled and has exceptions configured. Windows
Firewall is enabled on all network connections.
Local Account Password Test Some user accounts (1 of 7) have blank or simple passwords, or could not
be analyzed.
80
Chapter 9: Microsoft Baseline Security Analyzer (MBSA)
Internet Information Services (IIS) Scan Results
Score Issue Result

File System All hard drives (1) are using the NTFS file system.
Autologon Autologon is not configured on this computer.
Guest Account The Guest account is disabled on this computer.
Restrict Anonymous Computer is properly restricting anonymous access.
Table 2: Additional System Information
Score Issue Result

Auditing Logon Success and Logon Failure auditing are both enabled.
Services Some potentially unnecessary services are installed.
Shares 2 share(s) are present on your computer.
Windows Version Computer is running Windows 2000 or greater.
Internet Information Services (IIS) Scan Results

Score Issue Result

IIS Lockdown Tool The IIS Lockdown tool was developed for IIS 4.0, 5.0, and
5.1, and is not needed for new Windows Server 2003
installations running IIS 6.0.
Sample Applications IIS sample applications are not installed.
IISAdmin Virtual Directory IISADMPWD virtual directory is not present.
Parent Paths Parent paths are not enabled.
MSADC and Scripts Virtual Directories The MSADC and Scripts virtual directories are not present.
81
SQL Server Scan Results
Table 4: Additional System Information
Score Issue Result

Domain Controller Test IIS is not running on a domain controller.
IIS Logging Enabled All web and FTP sites are using the recommended logging
options.
SQL Server Scan Results

Instance (default)
Score Issue Result

Sysadmin role members BUILTIN\Administrators group is part of sysadmin role.
Note: This is acceptable because the Cisco ICM application adds

certain groups to the local Administrators account on the server which
require dbo access to the database.
Sysadmins No more than 2 members of sysadmin role are present.
Service Accounts SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service
accounts are not members of the local Administrators group and do
not run as LocalSystem.
Exposed SQL Server/MSDE The 'sa' password and SQL service account password are not exposed
Password in text files.
Domain Controller Test SQL Server and/or MSDE is not running on a domain controller.
SQL Server/MSDE Security Mode SQL Server and/or MSDE authentication mode is set to Windows
Only.
Registry Permissions The Everyone group does not have more than Read access to the SQL
Server and/or MSDE registry keys.
CmdExec role CmdExec is restricted to sysadmin only.
Folder Permissions Permissions on the SQL Server and/or MSDE installation folders are
set properly.
82
Chapter 9: Microsoft Baseline Security Analyzer (MBSA)
Desktop Application Scan Results
Score Issue Result

Guest Account The Guest account is not enabled in any of the databases.
SQL Server/MSDE Account The check was skipped because SQL Server and/or MSDE is operating
Password Test in Windows Only authentication mode.

Score Issue Result

IE Zones Internet Explorer zones have secure settings for all users.
IE Enhanced Security Configuration for The use of Internet Explorer is restricted for administrators
Administrators on this server.
IE Enhanced Security Configuration for The use of Internet Explorer is restricted for
Non-Administrators non-administrators on this server.
Macro Security No Microsoft Office products are installed
83
84
Chapter 10
Auditing
You can set auditing policies to track significant events, such as account logon attempts. Local
policies should also always be set.
Note: Domain auditing policies always overwrite local auditing policies. The two sets of policies
should be identical where possible.
To set local auditing policies, select Start > Programs > Administrative Tools > Local Security
Policies.
Note: Automated Security Hardening on Windows 2003 (as described in Chapter 4) configures
the ICM/IPCC server with the recommended auditing settings. See Local Policies - Audit Policy
(page 41)
• How to View Auditing Policies, page 85

• Security Log, page 86
• Real-Time Alerts, page 86
• SQL Server Auditing Policies, page 86
• Active Directory Auditing Policies, page 87
How to View Auditing Policies

Step 1 Select Start > Programs > Administrative Tools > Local Security Policies.
the Local Security Settings window opens.
Step 2 In the tree in the left pane, select and expand Local Policies.
Step 3 In the tree under Local Policies, select Audit Policy.
The different auditing policies appear in the left pane.
85
Chapter 10: - Auditing
Security Log
Step 4 View or change the auditing policies by double-clicking the policy name.
Security Log
After setting auditing policies, it is recommended that you view the security log once a week.
You need to look for unusual activity such as Logon failures or Logon successes with unusual
accounts.
To view the Security Log, selectStart> Programs > Administrative Tools > Event Viewer
Real-Time Alerts
MSFT Windows provides the SNMP Event Translator facility, which lets you translate events
in the Windows eventlog into real-time alerts by converting the event into an SNMP trap. Use
evntwin.exe or evntcmd.exe to configure SNMP traps.
Be sure to consult Microsoft TechNet

http://technet2.microsoft.com/windowsserver/en/library/978683e3-b1d9-4733-98a2-31085c43c1171033.mspx?mfr=true
(http://technet2.microsoft.com/windowsserver/en/library/
978683e3-b1d9-4733-98a2-31085c43c1171033.mspx?mfr=true )for additional information
about configuring the translation of events to traps.
Refer to the Cisco SNMP Installation and Basic Configuration guide for information about
configuring SNMP trap destinations.
SQL Server Auditing Policies

For general SQL Server auditing policies, see SQL server Auditing at Microsoft (http://
www.microsoft.com/technet/security/prodtech/sqlserver/sql2kaud.mspx).
SQL Server C2 Security Auditing
C2 security is a government rating for security in which the system has been certified for
discretionary resource protection and auditing capability.
Cisco does not support C2 auditing for SQL Server in the ICM/IPCC environment. Cisco cannot
guarantee that enabling C2 auditing on SQL Server will not have significant negative impact
on the system. For more information on C2 Auditing, see SQL Server 2000 C2 Administrator's
and User's Security Guide (http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/
sqlc2.mspx).
86
Chapter 10: Auditing
Active Directory Auditing Policies

It is recommended that you audit Active Directory account management and logins, and monitor
audit logs for unusual activity.
The following table contains the recommended and default DC Audit policies.
Table 7: Active Directory Audit Policy Recommendations
Policy Default Setting Recommended Comments

Setting
Audit account logon No auditing Success and Failure Account logon events are generated when a domain
events user account is authenticated on a Domain
Controller.
Audit account Not defined Success Account management events are generated when
management security principal accounts are created, modified,
or deleted.
Audit directory service No auditing Success Directory services access events are generated
access when an Active Directory object with a system
access control list (SACL) is accessed.
Audit logon events No auditing Success and Failure Logon events are generated when a domain user
interactively logs onto a Domain Controller or
when a network logon to a Domain Controller is
performed to retrieve logon scripts and policies.
Audit object access No auditing (No change)
Audit policy change No auditing Success Policy change events are generated for changes to
user rights assignment policies, audit policies, or
trust policies.
Audit privilege use No auditing (No change)
Audit process tracking No auditing (No change)
Audit system events No auditing Success System events are generated when a user restarts
or shuts down the Domain Controller or when an
event occurs that affects either the system security
or the security log.
87
Chapter 10: - Auditing
88
Chapter 11
General Anti-Virus Guidelines and Recommendations
Cisco recommends that you only use the approved Anti-Virus (AV) software products with
ICM/IPCC software, as described in this part.
Warning: Often, the default AV configuration settings increase CPU load and memory
and disk usage, adversely affecting software performance. Therefore it is critical that you
follow the guidelines in this part when using AV software with ICM/IPCC software.
Viruses are unpredictable and Cisco cannot assume responsibility for the consequences of virus
attacks on mission-critical applications. Particular care should be taken for systems that use
Microsoft Internet Information Server (IIS) such as WebView.
Note:
• Your corporate Anti-Virus strategy should include specific provisions for any server positioned
outside the corporate firewall or subject to frequent connections to the public Internet.
• Refer to the Bill of Materials for the application and version qualified and approved for your
release of ICM/IPCC.
Many of the default AV configuration settings can adversely affect product performance as a
result of increased CPU load, memory, and disk usage by the Anti-Virus software program.
Cisco tests specific configurations to maximize product performance.
• Guidelines and Recommendations, page 90

• ICM/IPCC Software Maintenance Parameters, page 91
• File Type Exclusion Recommendations, page 92
89
Chapter 11: - General Anti-Virus Guidelines and Recommendations
Guidelines and Recommendations
Guidelines and Recommendations

Anti-virus applications have numerous configuration options that allow very granular control
of what and how data should be scanned on a server.
With any anti-virus product, configuration is a balance of scanning versus the performance of
the server. The more you choose to scan, the greater the potential performance overhead. The
role of the system administrator is to determine what the optimal configuration requirements
will be for installing an anti-virus application within a particular environment. Refer to your
particular anti-virus product documentation for more detailed configuration information.
The following list highlights some general best practices:
• Update AV software scanning engines and definition files on a regular basis, following your
organization's current policies.
• Upgrade to the latest supported version of the third-party anti-virus application. Newer
versions improve scanning speed over previous versions, resulting in lower overhead on
servers.
• Avoid scanning of any files accessed from remote drives (such as network mappings or UNC
connections). Where possible, each of these remote machines should have its own anti-virus
software installed, thus keeping all scanning local. With a multi-tiered anti-virus strategy,
scanning across the network and adding to the network load should not be required.
• Schedule full scans of systems by AV software only during scheduled maintenance windows,
and when the AV scan will not interrupt other ICM maintenance activities.
• Do not set AV software to run in an automatic or background mode for which all incoming
data or modified files are scanned in real time.
• Due to the higher scanning overhead of heuristics scanning over traditional anti-virus scanning,
use this advanced scanning option only at key points of data entry from untrusted networks
(such as email and Internet gateways).
• Real-time or on-access scanning can be enabled, but only on incoming files (when writing
to disk). This is the default setting for most anti-virus applications. Implementing on-access
scanning on file reads will yield a higher impact on system resources than necessary in a
high-performance application environment.
• While on-demand and real-time scanning of all files gives optimum protection, this
configuration does have the overhead of scanning those files that cannot support malicious
90
Chapter 11: General Anti-Virus Guidelines and Recommendations
ICM/IPCC Software Maintenance Parameters
code (for example, ASCII text files). Cisco recommends excluding files or directories of
files, in all scanning modes, that are known to present no risk to the system.
• Schedule regular disk scans only during low usage times and at times when application
activity is lowest. To determine when application purge activity is scheduled, refer to the
Security Best Practices guides listed in the previous item.
• Disable the email scanner if the server does not use email.
• Additionally, set the AV software to block port 25 to block any outgoing email.(Do not block
port 25 on Cisco Email Manager Servers, if CEM uses the default port 25 to send email)
• Block IRC ports.
• If your AV software has spyware detection and removal then enable this feature. Clean
infected files, or if they cannot be cleaned delete them.
• Enable logging in your AV application. Limit the log size to 2 MB.
• Set your AV software to scan compressed files.
• Set your AV software to not use more than 20% CPU utilization at any time.
• When a virus is found, the first action should be to clean the file, the second to delete or
quarantine the file.
• If available in your AV software, enable buffer overflow protection.
• Set your AV software to start on system startup.
ICM/IPCC Software Maintenance Parameters

Before scheduling AV software activity on Cisco ICM/IPCC Servers, note that a few parameters
that control the application's activity at specific times. Anti-Virus software configuration settings
should avoid scheduling "Daily Scans," "Automatic DAT Updates," and "Automatic Product
Upgrades" during the times specified below.
Logger Recommendations
Do not schedule AV software activity to coincide with the time specified in the following Logger
registry keys:
• HKLM\SOFTWARE\Cisco Systems, Inc.\ICM\<inst>\

Logger<A/B>\Recovery\CurrentVersion\Purge\Schedule\Schedule Value Name: Schedule
• HKLM\SOFTWARE\Cisco Systems, Inc.\ICM\<inst>\

Logger<A/B>\Recovery\CurrentVersion\UpdateStatistics\Schedule Value Name: Schedule
91
Chapter 11: - General Anti-Virus Guidelines and Recommendations
File Type Exclusion Recommendations
Distributor Recommendations
Do not schedule AV software activity to coincide with the time specified in the following
Distributor registry keys:
• HKLM\SOFTWARE\Cisco Systems, Inc. \ICM\<inst>\Distributor\RealTimeDistributor\

CurrentVersion\Recovery\CurrentVersion\Purge\Schedule Value Name: Schedule
• HKLM\SOFTWARE\Cisco Systems, Inc. \ICM\<inst>\Distributor\RealTimeDistributor\

CurrentVersion\Recovery\CurrentVersion\UpdateStatistics\Schedule Value Name: Schedule
Router and PG Recommendations
On the ICM Router and Peripheral Gateway (PG), do not schedule AV program tasks:
• During times of heavy or peak call load.
• At the half hour and hour marks, as ICM processes increase during those times.
Other Scheduled Tasks Recommendations
You can find other scheduled ICM process activities on Windows by inspecting the Scheduled
Tasks Folder. Scheduled AV program activity should not conflict with those ICM scheduled
activities
File Type Exclusion Recommendations

There are a number of binary files that are written to during the operation of ICM processes
that have little risk of virus infection.
Omit files with the following file extensions from the drive and on-access scanning configuration
of the AV program:
• *.hst applies to PG.
• *.ems applies to ALL.
92
Chapter 12
Remote Administration
This section describes recommended practices for remote administration.
Note:
• Use of any remote administration applications can cause adverse effects during load.
• Use of remote administration tools that employ encryption can impact server performance.
The performance level impact is tied to the level of encryption used. More encryption results
in more impact to the server performance.
• Windows Terminal Services (Remote Desktop), page 93

• pcAnywhere, page 95
• VNC, page 99
• TRIDIA VNC Pro, page 99
Windows Terminal Services (Remote Desktop)

Terminal Services permits users to remotely execute applications on Microsoft Windows Server
2003 from a wide range of devices over virtually any type of network connection. It can be
enabled to run in either Application Server or Remote Administration modes. ICM/IPCC only
supports Remote Administration mode.
Remote Desktop
Communication between the server and the client will use native Remote Desktop Protocol
(RDP) encryption. By default, all data sent is protected by encryption based on the maximum
key strength supported by the client.
RDP is the preferred remote control protocol due to its security and low performance impact
93
Chapter 12: - Remote Administration
Windows Terminal Services (Remote Desktop)
Windows Server 2003 Terminal Services provides the ability to connect to and shadow a console
session thereby replacing the need to pcAnywhere or VNC. From a command line:
mstsc -v:servername /F -console
Securing the RDP-TCP Connection
You can configure the properties of the terminal server's RDP-TCP connection to provide better
protection. Run Terminal Services Configurator, select Connections, and then select RDP-TCP.
Step 1 Restrict the number of client sessions that can remain active on the server.
From the Network Adapter tab, select Maximum connections and set the limit on the number
of concurrent connections.
Step 2 Set session time limits.
From the Sessions tab, check the first of three Override User Settings check box and set values
for each of the following (all values are recommendations; use values that work best within
your organization):
1. End a disconnected session, 1 or 5 minutes.
2. Active session limit, 1 or 2 days.
3. Idle session limit, 30 minutes.
Step 3 Set permissions for users and groups on the terminal server.
Use the Permissions tab to add users, groups and computers access limits and permissions. Click
Add, select the user, group or computer name, and then set one of three basic permissions:
1. Full Control (given to administrators and the system; allows logging onto the terminal
server, modifying the connection parameters, connecting to a session, getting session info,
resetting or ending a session, logging off other users, remotely controlling other users'
sessions, sending messages to other users, and disconnecting sessions).
2. User Access (given to ordinary users; allows logging onto the terminal server, getting
session info, connecting to a session or sending messages to other user sessions).
3. Guest Access (for restricted users; allows logging onto the terminal server).
Step 4 Optionally, restrict reconnections of a disconnected session to the client computer from which
the user originally connected.
From the Sessions tab, check the last of three Override User Settings check boxes and set Allow
reconnection from previous client.
Step 5 Optionally, configure encryption levels to High.
94
Chapter 12: Remote Administration
pcAnywhere
From the General tab, set Encryption level to High. Use this option only if there is a risk that
communications can be eavesdropped.
Per-User Terminal Services Settings
You can configure a number of per-user terminal services settings for each user. Using Active
Directory Users and Computers, right click on a user and then select properties
Step 1 On the Terminal Services Profile tab, set a user's right to logon to terminal server by setting the
Allow logon to terminal server checkbox. Optionally, create a profile and set a path to a terminal
services home directory.
Step 2 On the Sessions tab, set session active and idle time outs.
Step 3 On the Remote Control tab, set whether a remote session can be remotely viewed and controlled
by administrators and whether a user's permission is required.
pcAnywhere
NOTE: The following discussion applies to all approved versions of pcAnywhere.2
Security is one of the most important considerations in implementing a remote control solution.
pcAnywhere addresses security in the following ways:
1. Restricting access to internal machines
2. Preventing unauthorized connections to a pcAnywhere host
3. Protecting the data stream during a remote control session
4. Preventing unauthorized changes to the installed product
5. Identifying security risks
6. Logging events during a remote control session
pcAnywhere is a trademark of Symantec, Inc. For details, see http://www.symantec.com/

pcanywhere/.
2) Refer to the Bill of Materials for the versions qualified and approved for your release of ICM.
95
pcAnywhere
Restricting access to internal machines
One of the best ways to ensure security is to restrict connections from outside your organization.
pcAnywhere is the only remote control product to provide the following two ways to accomplish
this objective:
• Limiting connections to a specific TCP/IP address range - pcAnywhere hosts can be configured
to only accept TCP/IP connections that fall within a specified range of addresses.
• Serialization - A feature that enables the embedding of a security code into the pcAnywhere
host and remote objects created. This security code must be present on both ends for a
connection to be made.
Preventing unauthorized connections to a pcAnywhere host
The first line of defense in creating a secure remote computing environment is to prevent
unauthorized users from connecting to the host. pcAnywhere provides a number of security
features to help you achieve this objective.
Authentication Authentication is the process of taking a user's credentials and verifying them against
a directory or access list to determine if the user is authorized to connect to the system.
Mandatory passwords pcAnywhere now requires a password for all host sessions. This security feature prevents
users from inadvertently launching an unprotected host session.
Callback security (for dial-up pcAnywhere lets dial-up users specify a call-back number for remote control sessions.
connections) In a normal pcAnywhere session, the remote connects to the host, and the session begins.
When callback is enabled, the remote calls the host, but then the host drops the connection
and calls back the remote at the specified phone number.
Table 8: General pcAnywhere Security Settings
Settings Default Change to Description

Restrict connections after an end no (optional) With pcAnywhere, host users can prevent
of session remote users from reconnecting to the host
if the session is stopped due to a normal or
abnormal end of session.
Wait for anyone Yes Yes
and secure by no Yes
(lock computer)
96
pcAnywhere
Table 9: Security Options - Connection Options

Prompt to confirm no (optional) This feature prompts the host user to acknowledge the remote
connection caller and permit or reject the connection. By enabling this feature,
users can know when someone is connecting to their host
computer. This will depend on the remote administration policy
of whether users must be physically present at the server being
remotely accessed.
Table 10: Security Options - Login Options

Make password case sensitive no yes Lets you use a combination of uppercase and lowercase letters
in a password. This setting applies to pcAnywhere
Authentication only.
Limit login attempts per call 3 3 pcAnywhere lets host users limit the number of times a remote
user can attempt to login during a single session to protect
against hacker attacks.
Limit time to complete login 3 1 Similarly, host users can limit the amount of time that a remote
user has to complete a login to protect against hacker and
denial of service attacks.
Table 11: Security Options - Session Options

Disconnect if inactive no Yes Limits time of connection. pcAnywhere lets host users
limit the amount of time that a remote caller can stay
(2 Minutes) connected to the host to protect against denial of service
attacks and improper use.
Protecting the data stream during a remote control session
Encryption prevents the data stream (including the authorization process) from being viewed
using readily available tools.
pcAnywhere offers three levels of encryption:
• pcAnywhere encryption
• Symmetric encryption
• Public key encryption
97
pcAnywhere
Table 12: Encryption Configuration

Level <none> Symmetric Lists the following encryption options:
None: Sends data without encrypting it.
pcAnywhere encoding: Scrambles the data using a mathematical

algorithm so that it cannot be easily interpreted by a third party.
Symmetric: Encrypts and decrypts data using a cryptographic key.
Public key: Encrypts and decrypts data using a cryptographic key.

Both the sender and recipient must have a digital certificate and an
associated public/private key pair.
Deny lower encryption no Yes Refuses a connection with a computer that uses a lower level of
level encryption than the one you selected.
Encrypt user ID and no no Encrypts only the remote user's identity during the authorization
password only process. This option is less secure than encrypting an entire session.
Preventing unauthorized changes to the installed product
Integrity checking is a feature that, when enabled, verifies that the host and remote objects, DLL
files, executables, and registry settings have not been changed since the initial installation. If
pcAnywhere detects changes to these files on a computer, pcAnywhere will not run. This security
feature guards against hacker attacks and employee changes that might hurt security.
Identifying security risks
Symantec's Remote Access Perimeter Scanner (RAPS) lets administrators scan their network
and telephone lines to identify unprotected remote access hosts and plug security holes. This
tool provides administrators with a way to access the vulnerability of their network in terms of
remote access products. Using RAPS, you can automatically shut down an active pcAnywhere
host that is not password protected and inform the user.
Logging events during a remote control session
You can log every file and program that is accessed during a remote control session for security
and auditing purposes. Previous versions only tracked specific pcAnywhere tasks such as login
attempts and activity within pcAnywhere. The centralized logging features in pcAnywhere let
you log events to pcAnywhere log, NT Event Log (NT, Windows 2000, Windows Server 2003),
or an SNMP monitor.
98
VNC
VNC
SSH Server allows the use of VNC through an encrypted tunnel to create secure remote control
sessions. However, this configuration is currently not supported by Cisco. The performance
impact of running an SSH server has not been determined.
TRIDIA VNC Pro

Tridia VNC Pro provides the same level of use a regular VNC but adds additional security
features such as enhanced password security, viewer logs and 1024-bit encryption. For more
information about TRIDIA VNC Pro see http://www.tridiavncpro.com/.
99
TRIDIA VNC Pro
100
Chapter 13
Additional Security Best Practices
Additional Cisco Call Center Applications

Security best practices for additional Cisco Call Center applications appears below:
Cisco ICM WebView
The Cisco ICM/IP Contact Center Enterprise Edition WebView Installation and Administration
Guide contains the following security related documentation:
• "Creating a WebView Administrator", "Supervisors and WebView Reports", and "Setting

Up WebView Users" which describes login, domain, and password security for WebView
users.
• "Supervisors and WebView Reports" also describes how a supervisor can only see his or her
own agents.
• "WebView User's Password Expiration and Domain Security Settings" describes WebView
(ICM) users as taking their security setting from the domain on which they are created. The
domain also sets the expiration date on the password.
• WebView online help:
Under saving reports: From the Security pull-down menu, select either Shared or Private. If
you select Shared, all WebView users can access the report. If you select Private, only you
can access the report. Under Viewing graphical reports and using the Job Scheduler is a
discussion of the mechanics involved in order to allow viewing graphical reports and use of
the Job Scheduler in a Microsoft Internet Explorer browser — which requires that all ActiveX
Controls and plug-ins be enabled in the browser's security settings.
101
Chapter 13: - Additional Security Best Practices
Microsoft Internet Information Server (IIS)
Note: Starting in release 7.0(0), WebView now supports SSL for both Sessions and/or
Authentication.
Cisco ICM CTI Object Server (CTI OS)
In the Cisco ICM Software CTI OS System Manager's Guide
• Desktop Users: the section "Desktop User Accounts" contains instructions for configuring
privileges for desktop users.
Cisco Agent Desktop (CAD)
The Cisco Agent Desktop Documentation, found within the IPCC Documentation Set - http:/
/www.cisco.com/univercd/cc/td/doc/product/icm/ipccente/index.htm - Privileges: Required
privileges of various kinds are discussed in the CAD Installation Guide and the CAD
Administrator User's Guide.

Internet Information Server (IIS) is only required for two applications making up the ICM/IPCC
solution targeted in this document, WebView and Internet Script Editor. The service should not
be installed, or should be disabled, on any other node except for the Distributor. There are some
exceptions in multi-media configuration of the solution. In this case, product documentation
and system requirements must be followed.
Hardening IIS for use with WebView and Internet Script Editor on Windows 2000 Platforms
Note: These hardening suggestions only apply to Windows 2000 Server. Windows 2003 Server's
version of IIS is more secure than the version of IIS found in Windows 2000 Server.
Top Hardening Suggestions:
Step 1 IIS is used as an intranet-only http server for the ICM product. It is expected that a firewall is
deployed to protect external connections to the server.
Step 2 Install the most recent compatible service pack and updates.
Note: Refer to the Bill of Materials for the compatible service pack for your product.
Step 3 Disable the following non essential services:
• File Transfer Service
• E-mail Service
• News Service
102
Chapter 13: Additional Security Best Practices
Note: This can be accomplished using the IIS Lockdown tool as described below. However,
Windows Server 2003 does not enable these extra services by default when installing IIS. Verify
that are not installed or they are disabled.
The following sub-components of Internet Information Services (IIS) must be selected during
the installation of the web server:
• Common Files
• Internet Information Services Snap-In - for management purposes
• Internet Services Manager (HTML) - for management purposes
• World Wide Web Server
Step 4 Run the IISLockDown tool:
1. Select Static Web server template and select "View template settings" checkbox.
Note: On systems that do not require IIS you can use this tool to disable IIS by selecting
the ‘Server that does not require IIS' template option.
2. Disable all services except Web service.
3. Disable all unneeded script extensions.
4. Select all additional security options except for "Scripts".
Note: Note that all selected virtual directories must be removed with the exception of the
"Scripts" virtual directory.
5. Install URLScan.
Step 5 Click Finish to complete the wizard.
Edit <system_directory>\system32\inetsrv\urlscan\urlscan.ini as follows:
1. Change "AllowDotInPath=0" to "AllowDotInPath=1"
2. Add "POST" to the [AllowVerbs] section
3. Remove all entries under [DenyUrlSequences] section.
In addition to the above edits, the following additional changes are required depending on
whether WebView or Internet Script Editor or both are going to be running on the computer.
WebView Only - No Changes Requires
103
Internet Script Editor Only:
1. Change "UseAllowExtensions=0" to "UseAllowExtensions=1"
2. Add these entries to [AllowExtensions]
– .dll
– .ese
WebView and Internet Script Editor:
1. Change "UseAllowExtensions=0" to "UseAllowExtensions=1"
2. Add these entries to [AllowExtensions]
– .jhtml
– .jsp
– .AdminServlet
– .js
– .css
– .cab
– .psr
– .xml
– .zip
– .jar
– .
Note: This entry is a "dot".
– .exe
– .dll
Step 6 Setting Registry permissions
Warning: If you use Registry Editor incorrectly, you may cause serious problems that
may require you to reinstall your operating system. Cisco cannot guarantee that you can
solve problems that result from using the Registry Editor incorrectly. Use the Registry
Editor at your own risk and make backups as appropriate.
104
Sybase EAServer (Jaguar) Hardening
Use RegEdt32 to set the permissions depending on whether only WebView or only Internet
Script Editor or both are going to be running on the computer.
1. WebView Only:
Add the "IUSR_<machine_name>" account to have Read only rights to the

HKEY_LOCAL_MACHINE\Software and HKEY_LOCAL_MACHINE\System hives.
2. Internet Script Editor Only:
Add the "IWAM_<machine_name>" account to have Read only rights to the

HKEY_LOCAL_MACHINE\Software and HKEY_LOCAL_MACHINE\System hives.
3. WebView and Internet Script Editor:
Implement both of the "WebView Only" and "Internet Script Editor Only" sections above.

Jaguar is used by some ICM/IPCC Enterprise products such as WebView. Use these guidelines
for hardening Jaguar with WebView after the installation of the ICM and 3rd Party Tools
Starting Jaguar Manager
To start Jaguar Manager:
Step 1 Launch "Jaguar Manager" Application from Start > Program > Sybase > EAServer 5.1 > Jaguar
Manager from the WebView Server Machine.
Step 2 Once the Jaguar Manager has started, click on Tools > Connect > Jaguar Manager.
Step 3 In the resulting dialog replace "localhost" in the "Host Name" field with the actual hostname
or host IP address.
Step 4 Click the ‘Connect' button.
Changing Jaguar Password
The password used to connect to the Jaguar service is changed in Jaguar Administration and in
the jagconnection.properties file. The guidelines provided below to accomplish this are also
provided in the reporting documentation (See WebView Installation Guide).
Note: If the password is changed, any subsequent reinstallation of ICM on a WebView server
will prompt the user for the Jaguar Password.
The ‘jagadmin' password is modified in two steps:
105
Step 1 Modify ‘jagadmin' password on EAServer
1. Using the tree on the left pane of Jaguar Manager, navigate to Jaguar Manager > Servers
> Jaguar
2. After selecting ‘Jaguar' node, click on File->Server Properties… menu
3. On the server properties dialog box, select ‘Security' tab
4. Click on ‘Set jagadmin Password' button.
5. On the ‘Administrator Password' dialog box
– Leave ‘Old jagadmin Password' blank.
– Enter new password in the ‘New jagadmin Password' and ‘Verify N jagadmin
Password' fields.
6. Click ‘OK'
Step 2 Modify ‘jagadmin' password at WebView
1. Using Windows Explorer, navigate to ‘<Sybdase

Home>\EAServer\html\classes\com\cisco\atg is typically ‘C:\Program
Files\Sybase').
2. Open file ‘jagconnection.properties' using Notepad or WordPad.
3. Locate ‘JAGCONNECT_JAGUAR_ADMIN_PWD' key in the properties file. By default

it is blank.
4. Enter the new jagadmin password from step 1 above in clear text. The modified key should
look like ‘JAGCONNECT_JAGUAR_ADMIN_PWD=<new password>'
Note: The password entered in clear text gets encrypted when WebView runs for first time after
the change.
Restart WebView and Jaguar after you have changed the password. See below:
Restart WebView/Services
Step 1 Close Jaguar Manager.
Step 2 Restart ‘Jaguar' service from Windows Services panel.
Step 3 Restart ‘IIS Admin' service from Windows Services panel (this will also restart ‘World Wide
Web' service automatically).
106
RMS Listener Hardening
See Also
The Windows Firewall may block port 9000 (Jaguar Manager Tool - CORBA). If you wish to
open port 9000 see Understanding the CiscoICMfwConfig_exc.xml File (page 33) to learn how
to use the Cisco Firewall tool to open the port.
RMS Listener Hardening

The RMS Listener receives data from remote Logger or SDDSN nodes using either a TCP/IP
LAN connection or a RAS dial-up modem connection and NetBEUI. The data is transferred
using a file copy process over this connection. As a result, a writeable file share must be
configured on the RMS Listener.
Note: Servers running RMS are not supported for use with Automated Security Hardening.
General hardening recommendations follow:
1. It is assumed that you have followed the general hardening procedures in this document.
2. It is also assumed that you have two NTFS partitions. One for the OS and one for the
remote data transfer.
3. The OS partition should be hardened to allow only <machine>\Administrators and SYSTEM

accounts for file system and registry permissions as described earlier in this document.
4. Create a local group called <machine>\ListenerAccounts.
5. Create a local account for the duplex Listener to use to connect to this Listener with basic
user rights (e.g., <machine>\ListenerAcct).
6. Add this account to the <machine>\ListenerAccounts group and remove this account from
<machine>\Users group.
7. From the ListenCfg utility configure the other Listener to connect to this Listener using
this account. Note: The domain would be the name of this machine. For example, if this
107
WMI Service Hardening
is the side A Listener and the machine name was ListenerSideA, you would configure
the side B Listener to connect to ListenerSideA\ListenerAcct.
8. For each customer system that will connect to the RMS Listener, create a local account
with basic user rights (e.g., <machine>\Acme_ICMUser). Note: If remote access (modem)
is used, this account will need dial-in permissions.
9. Add these customers to the local <machine>\ListenerAccounts group and remove these
accounts from the <machine>\Users group.
10. No registry access is needed for this group
11. Create the identical group and accounts on both Side A and Side B RMS Listener systems.
12. The root of the remote data partition (e.g., F:\) should be configured to allow the SYSTEM
account Full Control.
13. At the root of the remote data partition (e.g., F:\), the <machine>\Administrators and
<machine>\ListenerAccounts groups should have ONLY: 'List Folder Contents', 'Read'
and 'Write' permissions. Do NOT give 'Full', 'Modify' or 'Read & Execute' rights. This
will prevent inadvertent launching of a virus that might have been copied from a remote
system to the RMS Listener.
14. The logical share to the remote data partition (e.g., ‘FF') should be configured for Full
Control with the <machine>\ListenerAccounts and SYSTEM accounts having access.
Note that the NTFS permissions will further restrict the physical access to this share.
15. Enable Remote Access logging if a RAS connection via modem is used.
16. Configure the Domain and Backup domain in the Logger or SDDSN ‘Phone Home' setup
screen to use the Listener Side A and B machine names respectively.
Refer to the RMS documentation for additional information about configuration.
WMI Service Hardening

Windows Management Instrumentation (WMI) is used to manage Windows systems. WMI
security is an extension of the security subsystem built into Windows operating systems. WMI
security includes: WMI namespace-level security; Distributed COM (DCOM) security; and
Standard Windows OS security.
WMI namespace-level security:
To configure the WMI namespace-level security:
Step 1 Launch the %SYSTEMROOT%\System32\Wmimgmt.msc MMC control.
Step 2 Right click on the WMI Control icon and select properties.
108
SNMP Hardening
Step 3 Select the ‘Security' properties page.
Step 4 Select the ‘Root' folder and press the ‘Security' button.
Step 5 Remove EVERYONE from the selection list then press the ‘OK' button.
Only <machine>\Administrators should have ALL rights.
Additional WMI Security Considerations
The WMI services are set to ‘Manual' startup by default. These services are used by 3rd Party
Management agents as well as Cisco Support Tools Node Agent to capture system data and
should not be disabled unless specifically required.
DCOM security configuration should be performed in a manner that is consistent with your
scripting environment. Refer to the WMI security documentation for additional details on using
DCOM security.
Additional References:
• How to Set WMI Namespace Security in Windows Server 2003asp (http://

support.microsoft.com/default.aspx?scid=kb;en-us;325353)
• Securing a Remote WMI Connection (http://msdn.microsoft.com/library/default.asp?url=/

library/en-us/wmisdk/wmi/securing_a_remote_wmi_connection.asp)
SNMP Hardening
See the SNMP Guide for Cisco ICM/IPCC Enterprise & Hosted Editions for details on
installation, setting the community names, user names, and trap destinations.
Although the Microsoft Management and Monitoring Tools sub-components are necessary for
SNMP manageability, the Microsoft native SNMP service will be disabled during ICM Setup
and its functionality replaced by a more secure agent infrastructure. The administrator should
not attempt to re-enable the Microsoft SNMP service as this may cause conflicts with the Cisco
installed SNMP agents.
The Microsoft SNMP trap service should be explicitly disabled. It is not recommended that
ICM/IPCC Enterprise servers run management software for collecting SNMP traps, thus, the
Microsoft SNMP trap service is not necessary.
Versions 1 and 2c of the SNMP protocol are less secure than version 3. SNMP version 3 features
a significant step forward in security. For ICM Enterprise and IPCC Enterprise hosts located
109
Toll Fraud Prevention
on internal networks behind corporate firewalls, it is desirable to enable SNMP manageability

by performing the additional configuration and hardening recommendations listed below:
1. Create SNMP v1/v2c community strings or SNMP v3 user names using a combination of
upper- and lower-case characters. DO NOT use the common "public" and/or "private"
community strings. Create names that are difficult to guess.
2. Use of SNMP v3 is highly preferred. Always enable authentication for each SNMP v3
user name. The use of a privacy protocol is also encouraged.
3. Limit the number of hosts that are allowed to connect to SNMP manageable devices.
4. Configure community strings and user names on manageable devices to accept SNMP
requests only from those hosts running SNMP management applications. (This is done
via the SNMP agent configuration tool when defining community strings and user names.)
5. Enable sending of SNMP traps for authentication failures. This will alert you to potential
attackers trying to "guess" community strings and/or user names.
SNMP manageability is installed on ICM/IPCC Enterprise servers and is executing by default.

However, for security reasons, SNMP access is denied until the configuration steps enumerated
above have been completed.
As an alternative that provides a much higher level of security, customers may choose to
configure IPSec filters and an IPSec policy for SNMP traffic between an SNMP management
station and SNMP agents. Follow Microsoft's recommendations on how to accomplish this. For
more information on IPSec policy for SNMP traffic refer to Microsoft knowledge base article:
Q324261.
Toll Fraud Prevention

Toll fraud is a serious issue in the Telecommunications Industry. The fraudulent use of
telecommunications technology can be very expensive for a company, and it is essential that
the Telecom Administrator take the necessary precautions to prevent this. For IPCC environments,
resources are available on Cisco.com providing some basic information to lock down
CallManager systems and to mitigate against toll fraud.
In ICM, the primary concern would be in using dynamic labels in the label node of an ICM
script. If the dynamic label is constructed from information entered by a caller (such as with
Run External Script), then it is possible to construct labels of the form.
• 9.....
• 9011....
• etc.
These labels might cause the call to be sent to outside lines or even to international numbers.
If the dial plans configured in the routing client would allow such numbers to go through, and
110
Syskey
the customer does not want such labels to be used, then the ICM script must check for valid
labels before using them.
A simple example would be an ICM script that prompts the caller with "If you know your party's
extension, enter it now", and then uses the digits entered blindly in a dynamic label node. It is
possible that the call could be transferred anywhere. If this behavior is not desired, then either
the ICM routing script or the routing client's dial plan must check for and disallow invalid
numbers.
An example of an ICM script check might be an "If" node that use an expression such as
substr (Call.CallerEnteredDigits, 1, 1) = "9"
The "True" branch of this node would then branch back to ask the caller again. The false branch
would allow the call to proceed. This is, of course, only an example. Each customer must decide
what is allowed, or not, based on their own environment.
ICM does not normally just transfer calls to arbitrary phone numbers. Numbers have to be
explicitly configured as legal destinations, or alternatively the ICM routing script can contain
logic which causes the call to be transferred to a phone number which is contained in a script
variable. It is possible for a script to be written in such a way that a caller enters a series of digits
and the script treats it as a destination phone number and asks the routing client to transfer the
call to that number. Our recommendation would be to add logic to such a script to make sure
the requested destination phone number is reasonable.
Syskey
Syskey enables the encryption of the account databases. It is recommended that you use Syskey
to secure any local account database.
Note: When configuring Syskey, you must use the System Generated Password and Store
Startup Key Locally options in the Startup Key dialog box.
Third-Party Security Providers

Cisco has qualified ICM software with the Operating System implementations of NTLM,
Kerberos V and IPSec security protocols.
Cisco does not support other third-party security provider implementations.
Third-Party Management Agents

Some server vendors include in their server operating system installations agents to provide
convenient server management and monitoring.
111
Third-Party Management Agents
For example:
• HP's ProLiant Servers run Insight Management Agents for Windows.
• IBM provides the IBM Director Agent.
These and other agents enable the gathering of detailed inventory information about servers,
including operating system, memory, network adapters, and hardware.
While Cisco recognizes such agents can be of value, due to performance impact considerations,
Cisco does not currently support their use on mission critical IPCC/ICM servers.
Warning: You must configure agents in accordance to the Anti-Virus policies (page 89)
described in this document. Polling or intrusive scans should not be executed during peak
hours, but rather scheduled during maintenance windows.
Note: You should install SNMP services as recommended by these third-party management
applications to take full advantage of the management capabilities provided with your servers.
Failing to install, or disabling, SNMP prevents enterprise management applications from receiving
hardware pre-failure alerts and disables certain application functions such as advanced ProLiant
status polling, inventory reporting, and version control in HP Insight Manager.
See Also
HPInsight Management Agents User Guide (ftp://ftp.compaq.com/pub/products/servers/
management/imaug.pdf) HP Software Security Customer Advisories (http://
h18013.www1.hp.com/products/servers/management/mgtsw-advisory.html)
112

Security Best Practices Guide For ICM and IPCC Enterprise & Hosted Editions

Uploaded by

Document Informationclick to expand document information

Document Informationclick to expand document information

Copyright:

Available Formats

Security Best Practices Guide For ICM and IPCC Enterprise & Hosted Editions

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Security Best Practices Guide For ICM and IPCC Enterprise & Hosted Editions

Uploaded by

Copyright:

Available Formats

Security Best Practices Guide

for ICM and IPCC Enterprise & Hosted Editions

SQL Server Hardening Security Best Practices for SQL Server

Auditing Security Best Practices for setting Auditing Policies on ICM/IPCC

General Anti-Virus Guidelines and General Anti-Virus Guidelines and Recommendations

Additional Security Best Practices Additional Security Best Practices on:

• Additional Cisco Call Center Applications

• Microsoft Internet Information Server

• Sybase EAServer (Jaguar)

• RMS Listener Hardening

• WMI Service Hardening

• SNMP Service Hardening

• Toll Fraud Prevention

• Third-party Security Providers

• Third Part Management Agents

More information can be found in the following documents:

• Staging Guide for ICM Release 7.0(0)

• Microsoft Windows Server 2003 Security Hardening Guide (http://www.microsoft.com/

• Choose Edit > Find.

italic font Italic font is used to indicate the following:

• To introduce a new term. Example: A skill

• For emphasis. Example: Do not use the

• A syntax value that the user must replace.

• A book title. Example: See the Cisco CRS

window font Window font, such as Courier, is used for the

• Text as it appears in code or that the window

< > Angle brackets are used to indicate the

• For arguments where the context does not

• A character string that the user enters but

You can access the Cisco website at this URL:

You can access international Cisco websites at this URL:

Product Documentation DVD

The Product Documentation DVD is a comprehensive library of technical product documentation

The Product Documentation DVD is available as a single unit or as a subscription. Registered

We appreciate your comments.

Product Alerts and Field Notices

Cisco Product Security Overview

• Report security vulnerabilities in Cisco products.

• Obtain assistance with security incidents that involve Cisco products.

• Register to receive security information from Cisco.

Reporting Security Problems in Cisco Products

• For Emergencies only: security-alert@cisco.com

An emergency is either a condition in which a system is under active attack or a condition

• For Nonemergencies: psirt@cisco.com

In an emergency, you can also reach PSIRT by telephone:

Obtaining Technical Assistance

Cisco Technical Support & Documentation Website

Submitting a Service Request

To open a service request by telephone, use one of the following numbers:

• Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)

• EMEA: +32 2 704 55 55

• USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

Definitions of Service Request Severity

Severity 2 (S2) - Operation of an existing network is severely degraded, or significant aspects

Obtaining Additional Publications and Information

• Networking Professionals Connection is an interactive website for networking professionals