TANDBERG TELEPRESENCE MANAGEMENT SUITE SECURE SERVER - CONFIGURATION GUIDE 13.0 Configuration Manual


Summary of TELEPRESENCE MANAGEMENT SUITE SECURE SERVER - CONFIGURATION GUIDE 13.0

  • Page 1

    Cisco TelePresence Management Suite Secure Server. Hardening Windows Server 2003 for Cisco TMS 13.0. Product Configuration Guide. D13148.08, December 2010

  • Page 2: Contents

    Document revision history. Cisco TMS Secure Server Configuration Guide 13.0, page 2 of 34. Contents: References and related documents, 5; Preface ...

  • Page 3

    Tables: Table 1 Service account file ACLs, 11; Table 2 Windows components ...

  • Page 4: Document Revision History

    Document revision history. Revision 7. Update for Cisco TMS 12. Comprehensive update for Windows 2003 SP1 changes. Removal of Windows 2000 specific references. Updated formatting and reorganization. Removed incorrect i...

  • Page 5: General

    General. References and related documents: Windows Server 2003 Security Guide (Microsoft Corporation); Windows 2003 Threats and Countermeasures Guide (Microsoft Corporation); Knowledge Base article 823659, Client, service, and program ...

  • Page 6

    Important: This document does not guarantee that your server is secure from attacks even if you have applied all the changes described. Cisco is not responsible for potential harm that attackers might cause, nor any damage caused ...

  • Page 7: Installation

    Installation. Pre-install considerations: We strongly recommend installing Cisco TMS on a dedicated server. Using Cisco TMS server for other purposes or services will reduce the effectiveness of any security initiative. The out...

  • Page 8

    only be added to the group Users. To set permissions for users in this group: b. Go to Administrative Tools > User Administration > Groups. Next click Set Permissions for the Users group and check the appropriate checkboxes. T...

  • Page 9

    Securing Windows Server 2003 tasks. File system: Ensure the file system for all hard disks is NTFS. Avoid using FAT, FAT32 or FAT32X file systems, as these file systems do not support the same level of a...

  • Page 10

    Secure the SQL Server: SQL Server 2005 installs by default in a local-only configuration designed to reduce surface area. These additional steps will further reduce exposure by lowering privileges and pr...

  • Page 11

    Table 1 Service account file ACLs. Directory / User/Group / Permission: \ : 1) localmachine\administrators 2) SYSTEM 3) tmsserviceuser; 1) Full Control 2) Full Control 3) Read & Execute. \oldconferenceapi: 1) loca...

  • Page 12

    Directory / User/Group / Permission: \wwwtms\data\image: 1) localmachine\administrators 2) SYSTEM 3) tmsserviceuser 3) authenticated users; 1) Full Control 2) Full Control 3) Full Control 4) Read. \wwwtms\data\...

  • Page 13

    1. Open a command prompt and navigate to the .NET 2 installation folder. This normally is C:\Windows\Microsoft.NET\Framework\v2.0.50727 2. Use the aspnet_regiis tool to register the service user to acce...

  • Page 14

    Remove unnecessary Windows components: To reduce the attack surface of the Cisco TMS server, ensure that Windows components that are not required by Cisco TMS are not installed. Go to Windows Start > con...

  • Page 15

    Component / Subcomponent / Include: Windows Media Services, N. Table 3 IIS components. Component / Subcomponent / Include: Background Intelligent Transfer Service (BITS) server extensions, N; Common files, Y; File trans...

  • Page 16

    Distributed File System; Secondary Logon; Distributed Link Tracking Client; Shell Hardware Detection; Distributed Link Tracking Server; Smart Card; Distributed Transaction Coordinator; Special Administration C...

  • Page 17

    Uninterruptible Power Supply; Volume Shadow Copy. Network services: In general any services not required by Cisco TMS should not be running on the Cisco TMS server in order to reduce the attack surface of ...

  • Page 18

    Port / Protocol / Service: 162 UDP SNMP traps; 389 TCP LDAP; 443 TCP SSL over HTTP; 636 TCP Secure LDAP; 4444 TCP OpenDS administration; 8989 TCP OpenDS replication. In addition, exceptions have to be made for som...

  • Page 19

    Directory / User/Group / Permission: sql 3) sqlserver2005mssqluser$computer name$instancename 3) Read & Execute \ directory>\mssql.1\ms sql\backup 1) localmachine\administrators 2) SYSTEM 3) sqlserver2005mssq...

  • Page 20

    Directory / User/Group / Permission: sql server\90\setup bootstrap 2) SYSTEM 3) sqlserver2005mssqluser$computer name$instancename 2) Full 3) Read & Execute \program files\microsoft sql server\90\shared 1) loc...

  • Page 21

    Table 6 Summary of audit policy settings. Policy / Security setting: Audit account logon events: Success, Failure. The ‘Audit account logon events’ policy determines whether to log authentication of local use...

  • Page 22

    Policy / Security setting: Act as part of the operating system (SeTcbPrivilege); Add workstations to domain (SeMachineAccountPrivilege); Adjust memory quotas for a process (SeIncreaseQuotaPrivilege); administ...

  • Page 23

    Policy / Security setting: Generate security audits (SeAuditPrivilege): Local Service, Network Service; Impersonate a client after authentication (SeImpersonatePrivilege): Administrators, IIS_WPG, Service inc...

  • Page 24

    Table 8 Recommended security options. Policy / Security setting: Accounts: Administrator account status, Enabled; Accounts: Guest account status, Disabled; Accounts: Limit local account use of blank passwords t...

  • Page 25

    Policy / Security setting: Domain member: Require strong (Windows 2000 or later) session key, Enabled; Interactive logon: Display user information when the session is locked, User display name only; interactiv...

  • Page 26

    Policy / Security setting: Network access: Named pipes that can be accessed anonymously: comnap, comnode, sql\query, spoolss, llsrpc, netlogon, lsarpc, samr, browser; Network access: Remotely accessible registry pat...

  • Page 27

    Policy / Security setting: System cryptography: Force strong key protection for user keys stored on the computer: User must enter a password each time they use a key; System cryptography: Use FIPS compliant ...

  • Page 28

    5. Fill in AutoShareServer for name and 0 for value data. Screen saver: Make sure that the screensaver is password protected in order to prevent internal threats from taking over the server. To enable th...

  • Page 29

    Clear paging file at shutdown: Clear the paging file at shutdown, as there is no need to have an old memory dump on disk when the system is rebooted. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\con...

  • Page 30: Securing IIS

    Securing IIS: The IIS configuration installed by Windows 2003 SP2 is preconfigured to run as a secure server, disabling many services that were enabled in Windows 2000. Previous tools such as URLScan and IISLockdown tool shou...

  • Page 31

    Mainstream browsers Internet Explorer and Firefox support NTLM so basic authentication should be disabled if not accessing Cisco TMS through a proxy. 1. Go to Windows Start > Control Panel > Administrative Tools > interne...

  • Page 32

    .stm 6. Click OK to close the dialogs. 7. When prompted about inheritance overrides for the child nodes, click Select All. 8. Click OK so the changes are applied to the full website. Repeat the step for all virtual directori...

  • Page 33

    Post installation and upgrades. Cisco TMS upgrades: Due to the Cisco TMS application and its components being removed and reinstalled during upgrades, it is necessary to repeat some of the hardening procedure...

  • Page 34

    The specifications and information regarding the products in this manual are subject to change without notice. All statements, information, and recommendations in this manual are believed to be accurate but...