Summary of Contents for Cisco TELEPRESENCE MANAGEMENT SUITE SECURE SERVER - CONFIGURATION GUIDE 13.0
Cisco TelePresence Management Suite Secure Server
Hardening Windows Server 2003 for Cisco TMS 13.0
Product Configuration Guide D13148.08 December 2010...
Document revision history
Contents
References and related documents ... 5
Preface ... 5
Pre-install considerations ... 7
Installing baseline configuration ... 7
File system ... 9
Administrator account ... 9
Set strong password and lockout policies ... 9
Secure the SQL Server ... 10
Use Local Service User ...
Tables
Table 1 Service account file ACLs ... 11
Table 2 Windows components ... 14
Table 3 IIS components ... 15
Table 4 Required port exceptions ... 17
Table 5 Required program exceptions ... 18
Table 6 Summary of audit policy settings ... 21
Table 7 List of recommended user rights settings.
Document revision history
Revision 7: Update for Cisco TMS 12. Comprehensive update for Windows 2003 SP1. Changes: removal of Windows 2000 specific references; updated formatting and reorganization; removed incorrect IIS anonymous restrictions; added SQL Server Service Accounts; added Cisco TMS Service Accounts.
Revision 8: Updated information and visual template.
General
References and related documents
Windows Server 2003 Security Guide (Microsoft Corporation)
Windows 2003 Threats and Countermeasures Guide (Microsoft Corporation)
Knowledge Base article 823659: Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
Professional Server Pages 3.0 (WROX)
Knowledge Base article 2222473...
IMPORTANT: This document does not guarantee that your server is secure from attacks even if you have applied all the changes described. Cisco is not responsible for potential harm that attackers might cause, nor any damage caused to your server by following the steps outlined in this document. Cisco TMS Secure Server Configuration Guide 13.0 Page 6 of 34...
Installation
Pre-install considerations
We strongly recommend installing Cisco TMS on a dedicated server. Using the Cisco TMS server for other purposes or services reduces the effectiveness of any security initiative. The outline presented in this document assumes Cisco TMS is the only application installed on the server.
only be added to the group Users. To set permissions for users in this group, go to Administrative Tools > User Administration > Groups. Next, click Set Permissions for the Users group and check the appropriate checkboxes. Take time to properly design your user groups and default system permissions before rolling out Cisco TMS into production.
Securing Windows Server 2003 tasks
File system
Ensure the file system for all hard disks is NTFS. Avoid using FAT, FAT 32 or FAT 32x file systems, as they do not support the same level of access control and security that NTFS does. This applies to all partitions on the server, not just the boot partition.
Secure the SQL Server
SQL Server 2005 installs by default in a local-only configuration designed to reduce its surface area. The following additional steps further reduce exposure by lowering privileges and protocols.
Use Local Service User
SQL Server installs by default to run as the NETWORK SERVICE user.
Table 1 Service account file ACLs
Directory / User/Group / Permission
<tms installdir>\
  1) LocalMachine\Administrators: Full Control
  2) SYSTEM: Full Control
  3) tmsserviceuser: Read & Execute
<tms installdir>\OldConferenceAPI
  1) LocalMachine\Administrators: Full Control
  2) SYSTEM: Full Control
  3) tmsserviceuser: Read &...
<tms installdir>\wwwTMS\Data\Image
  1) LocalMachine\Administrators: Full Control
  2) SYSTEM: Full Control
  3) tmsserviceuser: Full Control
  4) Authenticated Users: Read
<tms installdir>\wwwTMS\Data\Logo
  1) LocalMachine\Administrators: Full Control
  2) SYSTEM: Full Control
  3) tmsserviceuser: Full Control
  4) Authenticated Users...
Open a command prompt and navigate to the .NET 2 installation folder, normally C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727. Use the aspnet_regiis tool to grant the service user access to the required IIS elements:
aspnet_regiis -ga <username>
aspnet_regiis -ga tmsserviceuser
Open Windows Start >...
Remove unnecessary Windows components
To reduce the attack surface of the Cisco TMS server, ensure that Windows components not required by Cisco TMS are not installed. Go to Windows Start > Control Panel > Add or Remove Programs > Add/Remove Windows Components.
Component / Subcomponent / Include
Windows Media Services
Table 3 IIS components
Component / Subcomponent / Include
Background Intelligent Transfer Service (BITS) Server Extensions
Common Files
File Transfer Protocol (FTP) Service
FrontPage 2002 Server Extensions
Internet Information Services Manager
Internet Printing
NNTP Service
SMTP...
Distributed File System
Distributed Link Tracking Client
Distributed Link Tracking Server
Distributed Transaction Coordinator
Error Reporting Services
File Replication
Help and Support
Secondary Logon
Shell Hardware Detection
Smart Card
Special Administration Console Helper
SQL Server Active Directory Helper
SQL Server Browser
SQL Server VSS Writer...
Uninterruptible Power Supply
Volume Shadow Copy
Network services
In general, any services not required by Cisco TMS should not be running on the Cisco TMS server, in order to reduce the attack surface of the server. This is particularly important for network services. Go to Windows Start >...
Cisco TMS services listen to are not blocked. Click Add Program. Click the Browse button. Navigate to [INSTALLDIR]\TANDBERG\TMS\Services, where INSTALLDIR is the directory where you installed Cisco TMS. Select the service .exe files as shown below.
Directory / User/Group / Permission
  3) SQLServer2005MSSQLUSER$ComputerName$InstanceName: Read & Execute
<sql directory>\MSSQL.1\MSSQL\Backup
  1) LocalMachine\Administrators: Full
  2) SYSTEM: Full
  3) SQLServer2005MSSQLUSER$ComputerName$InstanceName: Full
<sql directory>\MSSQL.1\MSSQL\Binn
  1) LocalMachine\Administrators: Full
  2) SYSTEM: Full
  3) SQLServer2005MSSQLUSER$ComputerName$InstanceName: Read & Execute...
Table 6 Summary of audit policy settings
Policy / Security Setting
Audit account logon events: Success, Failure. The 'Audit account logon events' policy determines whether to log authentication of local users. Both security settings should be logged.
Audit account management: Success, Failure. The 'Audit account management'...
Policy / Security Setting
Act as part of the operating system (SeTcbPrivilege): (none)
Add workstations to domain (SeMachineAccountPrivilege): (none)
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege): Administrators, LOCAL SERVICE, NETWORK SERVICE, IWAM_<machinename>, SQLServer2005MSSQLUser$ComputerName$InstanceName
Allow logon locally (SeInteractiveLogonRight): Administrators
Allow logon through Terminal Services: Administrators...
Generate security audits (SeAuditPrivilege): LOCAL SERVICE, NETWORK SERVICE
Impersonate a client after authentication (SeImpersonatePrivilege): Administrators, IIS_WPG, SERVICE
Increase scheduling priority (SeIncreaseBasePriorityPrivilege): Administrators
Load and unload device drivers (SeLoadDriverPrivilege): Administrators
Lock pages in memory (SeLockMemoryPrivilege): (none)
Log on as a batch job: IIS_WPG, LOCAL SERVICE, SUPPORT_388945a0,...
Table 8 Recommended security options
Policy / Security Setting
Accounts: Administrator account status: Enabled
Accounts: Guest account status: Disabled
Accounts: Limit local account use of blank passwords to console logon only: Enabled
Accounts: Rename administrator account: (Rename to a unique name and delete description)
Accounts: Rename guest account...
Policy / Security Setting
Domain member: Require strong (Windows 2000 or later) session key: Enabled
Interactive logon: Display user information when the session is locked: User display name only
Interactive logon: Do not display last user name: Enabled
Interactive logon: Do not require ...: Disabled...
Policy / Security Setting
Network access: Named Pipes that can be accessed anonymously: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, netlogon, lsarpc, samr, browser
Network access: Remotely accessible registry paths: System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry paths and subpaths: System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog...
Event Viewer is found under Start > Control Panel > Administrative Tools > Event Viewer. Events specific to Cisco TMS are found under the TANDBERG folder. For each event type, the log files should be set to retain a useful amount of data, but they must be size-limited so that an attacker cannot fill up the disk.
Fill in AutoShareServer for Name and 0 for Value data.
Screen saver
Make sure that the screen saver is password protected, in order to prevent internal threats from taking over an unattended server. To enable the password for the screen saver, right-click the desktop and go to Properties > Screen Saver tab.
Clear paging file at shutdown
Clear the paging file at shutdown, as there is no need to have an old memory dump on disk when the system is rebooted. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management modify:
Value Name: ClearPageFileAtShutdown
Value Type: REG_DWORD
Value: 1
Disable Autorun from CD...
Securing IIS
The IIS configuration installed by Windows 2003 SP2 is preconfigured to run as a secure server, disabling many services that were enabled in Windows 2000. Earlier tools such as URLScan and the IIS Lockdown tool should not be used with IIS 6. The following sections provide additional steps to further secure the server installation.
mainstream browsers Internet Explorer and Firefox support NTLM, so basic authentication should be disabled if Cisco TMS is not accessed through a proxy.
1. Go to Windows Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
2.
.stm
6. Click OK to close the dialogs.
7. When prompted about Inheritance Overrides for the child nodes, click Select All.
8. Click OK so the changes are applied to the full website. Repeat these steps for all virtual directories with a gear icon.
Optional - Configure Cisco TMS to use HTTPS
The website can be configured to use HTTPS for client access and/or device access.
Post installation and upgrades
Cisco TMS upgrades
Because the Cisco TMS application and its components are removed and reinstalled during upgrades, some of the hardening procedures must be repeated. Below is a reference to the sections that must be reapplied.