P. 1
SCCS 5 Win2k Security guide

SCCS 5 Win2k Security guide

|Views: 455|Likes:
Published by api-3754378

More info:

Published by: api-3754378 on Oct 15, 2008
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

03/18/2014

pdf

text

original

Nortel Networks – Metro & Enterprise Networks

Symposium Call Center Server 5.0 Security Guide for Windows 2000
Issue 1.00 May 13, 2004 ABSTRACT This guide describes the Symposium Call Center Server R5.0 security model and architecture, and the minimum security settings in Windows 2000 Server for a successful R5.0 installation and operation. The guide also provides security recommendations that customers can adopt to their own security policies and configurations.

NOTICE TO HOLDERS OF PAPER COPIES: Upon receipt of a new issue, destroy the previous issue or mark it “OBSOLETE”.

CONFIDENTIAL INFORMATION: The information contained in this document is the property of Nortel Networks. Except as specifically authorized in writing by Nortel Networks, the holder of this document shall keep all information contained herein confidential and shall protect same in whole or in part from disclosure and dissemination to all third parties.

Trademarks

Nortel Networks Proprietary

Trademarks
The following are trademarks of Nortel Networks: Nortel Networks, BNR, ACD, BCS, CallPilot, DMS, DMS-100, DMS-250, DMS-MTX, DMS-SCP, DNC, DPN-100, DVS, DualMode, FastView, Helmsman, M2317, MAP, Symposium, Meridian Digital Centrex (MDC), Meridian, Meridian 1, Meridian Link, Meridian MAX, Meridian NAC, Meridian CCR, Meridian IVR, Meridian Terminal Emulator, MFA, Norstar, PowerTouch, SL-1, SL-100, SuperNode, Telesis, Unity. Action Request System and AR System are trademarks of Remedy Corporation. AMDEK is a trademark of Amdek Corporation. ANSI is a trademark of the American National Standards Institute. ClearCase is a registered trademark and ClearCase MultiSite is a trademark of Rational Software Corporation. Continuus, continuus/CM, and Continuus/PT are trademarks of Continuus Software Corporation. CaseWare/CM, CaseWare/PT, CaseWare, ACCENT, and Amplify Control are registered trademarks of Continuus Software Corporation. Courier is a trademark of Smith-Corona Corporation. CT Connect, CT Media is a registered trademark of Dialogic. Frame, FrameBuilder and FrameMaker are trademarks of Adobe Systems Incorporated. Helvetica and Times are trademarks of Linotype AG or its subsidiaries. InstallShield is a registered trademark of InstallShield Software Corporation. Interleaf is a trademark of Interleaf, Inc. Macintosh, Power Macintosh, and Apple are registered trademarks of Apple Computer, Inc. Mac OS is a trademark of Apple Computer, Inc. Microsoft Windows, Microsoft Word, Microsoft Excel, PowerPoint, Microsoft Project, Microsoft File Extension, and MS-DOS are trademarks of Microsoft Corporation. Novell is a trademark of Novell, Inc. Olecera Chart is a trademark of KL Group Inc. Portable Document Format is a trademark of Adobe Systems Incorporated. PostScript is a trademark of Adobe Systems Incorporated. SYBASE is a trademark of Sybase, Inc. UNIX is a trademark of UNIX System Laboratories. Versatility, Versatility Administrator, Versatility Call Blending, Versatility Campaign Plus, Versatility Insight, Versatility Predictive, Versatility Telesales / Teleservice are trademarks of Versatility Inc. WinRunner, TSL and Context Sensitive are trademarks of Mercury Interactive Corporation.

© 2004 Nortel Networks Corporation

ii

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Approvals

Nortel Networks Proprietary

Approvals
Prepared By
Ronald Chan Support Engineer, Contact Center Technology Support Enterprise Networks, Call Center Technology & Solutions Nortel Networks Corporation Date

Reviewed and Approved By
Rick Medeiros Manager, Contact Center Technology & Dev Support Enterprise Networks, Call Center Technology & Solutions Nortel Networks Corporation Date

Eugene Garvin Senior Manager, Contact Center Server R&D Enterprise Networks, Call Center Technology & Solutions Nortel Networks Corporation

Date

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

iii

Revision history

Nortel Networks Proprietary

Revision history
Issue Number Issue Date
0.01 March 16, 2004

Type of Review Reason(s) for Issue
Draft copy Initial draft for internal review

Author(s)

Ronald Chan

0.02 April 27, 2004

Draft copy Updates from internal review

Ronald Chan

1.00 May 13, 2004

Approval copy Updates from external review Section 2.1 Clarify Windows 2000 Server including both Standard and Advanced Edition Section 4.2 Change web link to SCCS 5.0 product information page

Ronald Chan

iv

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Table of contents

Nortel Networks Proprietary

Table of contents
1 Introduction ........................................................................................................ 1
1.1 1.2 1.3 Purpose............................................................................................................................... 1 Scope.................................................................................................................................. 1 Intended audience .............................................................................................................. 2 Symposium Call Center Server security architecture ......................................................... 3 2.1.1 Symposium Call Center Server network security layer ......................................... 3 2.1.1.1 Standalone server ........................................................................................... 5 2.1.1.2 Embedded LAN configuration ......................................................................... 5 2.1.1.3 Customer LAN configuration ........................................................................... 5 2.1.1.3.1 Default network binding protocols ............................................................ 5 2.1.1.3.2 Static IP address....................................................................................... 6 2.1.1.3.3 DNS consideration.................................................................................... 6 2.1.1.4 Firewall ............................................................................................................ 6 2.1.2 Symposium Call Center Server server security layer ............................................ 8 2.1.2.1 Windows 2000 Server configuration ............................................................... 8 2.1.2.2 Windows 2000 security settings...................................................................... 9 2.1.2.3 Server configuration ........................................................................................ 9 2.1.3 Symposium Call Center Server application security layer..................................... 9 2.1.3.1 Database access security ............................................................................... 9 2.1.3.2 MAS security server ...................................................................................... 10 2.1.3.3 Remote backup and restore security ............................................................ 10 Default Windows 2000 Server configuration .................................................................... 11 3.1.1 Default installed Windows 2000 Server components .......................................... 12 3.1.2 Default Windows 2000 services .......................................................................... 16 Default Windows 2000 security settings........................................................................... 26 3.2.1 Default password policy....................................................................................... 27 3.2.2 Default account lockout policy ............................................................................. 28 3.2.3 Default user rights assignments .......................................................................... 28 3.2.4 Default security setting ........................................................................................ 36 3.2.5 Default IP security policy ..................................................................................... 40 3.2.6 Default audit policy .............................................................................................. 41 Default Symposium Call Center Server server configuration ........................................... 42 3.3.1 Default disk partitioning type ............................................................................... 42 3.3.2 Default Windows local users ............................................................................... 42 3.3.3 Default print server and file sharing configuration ............................................... 44 3.3.4 Default Internet access ........................................................................................ 44 Security risk management and policy............................................................................... 45 4.1.1 Risk management................................................................................................ 45 4.1.2 Security policy...................................................................................................... 46 Windows 2000 security patches and hot fixes.................................................................. 46 Windows 2000 user accounts and passwords ................................................................. 47 Anonymous logon ............................................................................................................. 48 Third-party applications .................................................................................................... 48 Anti-virus scanning ........................................................................................................... 50 Internet access ................................................................................................................. 53 E-mail access ................................................................................................................... 53 File and folder sharing ...................................................................................................... 53 Symposium Call Center Server 5.0 Security Guide for Windows 2000 v

2

Security Models.................................................................................................. 3
2.1

3

Default R5.0 server security settings and configuration .............................. 11
3.1

3.2

3.3

4

Security recommendations ............................................................................. 45
4.1

4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 Issue 1.00

Table of contents 4.10 4.11 4.12 4.13 4.14 4.15

Nortel Networks Proprietary

File and folder permission................................................................................................. 53 Encryption ......................................................................................................................... 54 Microsoft Baseline Security Advisor ................................................................................. 55 SNMP Configuration ......................................................................................................... 58 Remote support access .................................................................................................... 58 Symposium Call Center Server backup and restore strategy .......................................... 59

5 6

Glossary ............................................................................................................ 61 References ........................................................................................................ 63

vi

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

List of figure

Nortel Networks Proprietary

List of figure
Figure 1 Symposium Call Center Server Security Architecture.................................................................... 3 Figure 2 Symposium Call Center Server Network Security Layer................................................................ 4

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

vii

List of tables

Nortel Networks Proprietary

List of tables
Table 1 Symposium Call Center Server Default Network Protocols ............................................................ 6 Table 2 Symposium Call Center Server Ports Usage .................................................................................. 7 Table 3 Default Installed Windows 2000 Server Components ................................................................... 12 Table 4 Default Windows 2000 services .................................................................................................... 16 Table 5 Default Password Policy ................................................................................................................ 27 Table 6 Default Account Lockout Policy ..................................................................................................... 28 Table 7 Default User Rights Assignments .................................................................................................. 29 Table 8 Default Security Setting ................................................................................................................. 37 Table 9 Default IP Security Policy .............................................................................................................. 40 Table 10 Default Audit Policy...................................................................................................................... 41 Table 11 Default Symposium Call Center Server Windows Local Users ................................................... 43 Table 12 Symposium Call Center Server File and Folder Permission ....................................................... 54 Table 13 MBSA scanning items and Symposium Call Center Server recommendations .......................... 55

viii

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Introduction

Nortel Networks Proprietary

1
1.1

Introduction
Purpose
Server security has become a critical issue in the software industry. It is important for customers to protect all the servers in their network environment (including Symposium Call Center Server) from various security attacks, threats, and vulnerabilities. Since each customer has their own security policies and requirements, it is impossible to present a single Symposium Call Center Server security configuration that will meet all customer needs. This guide describes the basic Symposium Call Center Server R5.0 security model and default security configuration for a successful Symposium Call Center Server R5.0 installation and operation. In addition, this guide includes a set of recommendations for security policies and configuration. Customers can adopt the default and recommended security policies and integrate them with their own security policy for the Symposium Call Center Server R5.0 server.

1.2

Scope
This guide covers the security model and guidelines for Symposium Call Center Server R5.0 (both nodal and NCC servers) running the Windows 2000 Server (Standard and Advanced Edition) operating system. It is not intended to be a comprehensive security guide for Windows 2000 Server, nor for the customer network itself. This guide is only applicable to Symposium Call Center Server R5.0 running on Windows 2000 Server (Standard and Advanced Server edition) platform and does not include earlier releases or other Symposium products, such as the regular Symposium Call Center Server Client application R4.0, Symposium Web Client 4.5, Symposium Express Call Center, or Symposium Web Center Portal. The security settings and recommendations in this guide only cover the Symposium Call Center Server R5.0 server running with Windows 2000 Server (or Windows 2000 Advance Server) and do not include other components on the same network (for example, the M1 switch, desktop PC, Symposium Web Client application server etc.), or the actual customer network itself (for example, routers, firewalls etc.) This guide does not include any actual procedures on how to show or change the Windows 2000 Server security settings. It assumes that the reader is familiar with security administration tools, either those supplied by Microsoft (for example, the Microsoft Management Console with appropriate plug-ins), or third-party software that is used to manage the listed security settings for Symposium Call Center Server.

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

1

Introduction

Nortel Networks Proprietary

1.3

Intended audience

Caution
This guide contains sensitive security and configuration settings that a potential hacker can use to exploit the security risks of Symposium Call Center Server. Therefore, you must exercise caution and only release security settings information to people on a need-to-know basis.

This guide is intended to be used by anyone wishing to setup a security policy and configure Symposium Call Center Server R5.0 running on Windows 2000 Server within their own security environment. It assumes that the reader is familiar with all security subjects and features in Windows 2000 Server and in the customer network environment.

2

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Security Models

Nortel Networks Proprietary

2
2.1

Security Models
Symposium Call Center Server security architecture
The Symposium Call Center Server design incorporates various security features. Different security layers within the customer network, server PC, and the Symposium Call Center Server application provide overall system security. The Symposium Call Center Server security architecture can be divided into the following three major security layers: • • • Network security Server security Application security

The relationship between the three security layers is shown in Figure 1.

Symposium Call Center Server network security (customer networks)

Symposium Call Center Server R5.0 server security

Symposium Call Center Server application security

Figure 1 Symposium Call Center Server Security Architecture

2.1.1 Symposium Call Center Server network security layer The Symposium Call Center Server network security layer defines the network environment in which the Symposium Call Center Server R5.0 server should be configured. It also defines where the customer-supplied network firewall should be placed within the customer network to allow the server in Symposium Call Center Server and the Client (Standard Client and Web Client) to operate
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 3

Security Models

Nortel Networks Proprietary

properly. The network security layer protects Symposium Call Center Server from possible security attacks through the customer or external networks. Figure 2 shows an overall Symposium Call Center Server network security layer within a typical customer network environment, including both the regular Symposium Call Center Server Client PC and Symposium Web Client.
ELAN Subnet Symposium Call Center Server Server
nr c n o th m te er le o

VPN connection for remote support access

SCCS Standby Server

Nortel Contivity 1100

Telephone Switch

Nortel Networks Servers Subnet (CLAN)

Firewall/Router Symposium Call Center Server Clients SCCS Replication Server NCC Server Web Client Application Server

Corporate LAN

Web Client Desktops

Figure 2 Symposium Call Center Server Network Security Layer

Since each customer provides their own network and can have different configurations and requirements, it is impossible to provide a single network configuration for Symposium Call Center Server that meets all customer requirements. Therefore, Nortel Networks recommends you review and consider the following Symposium Call Center Server network and configuration settings when implementing your own network security and configuration settings.

4

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Security Models

Nortel Networks Proprietary

2.1.1.1

Standalone server

Symposium Call Center Server (nodal and NCC server) is designed as a standalone server (Windows Workgroup) within the network instead of integrating with a Windows Domain. Symposium Call Center Server can coexist with and be located within a Windows Domain, but should not be registered in the domain. By configuring Symposium Call Center Server as a standalone server instead of integrating it with a Windows Domain, you minimize any exposure of the Symposium Call Center Server resources to the network and prevent domain users seeing and logging on to the server. Symposium Call Center Server R5.0 does not require that any Windows Domain users log on to the server and does not need Windows 2000 Active Directory to operate, even though it runs within a Windows 2000 network environment. 2.1.1.2 Embedded LAN configuration

The Embedded LAN (ELAN) is used for the connection between the telephone PBX switch and Symposium Call Center Server. The ELAN carries all call traffic between the Symposium Call Center Server and the telephone switch (Meridian 1, Meridian IE, or CSE 1000). Symposium Call Center Server only requires a TCP/IP connection to the switch on the ELAN. There should not be a firewall between Symposium Call Center Server and the telephone switch. For maximum ELAN call traffic performance and security, Nortel Networks recommends that the ELAN be completely isolated from other subnets, and from the external LAN or WAN within the network. Since the ELAN can also carry other telephone switch related traffic for other Nortel Networks products (for example, OTM), you must take into consideration these additional network configuration and security requirements to configure the ELAN (for example, adding a router/gateway or firewall between the ELAN and other subnets, the LAN or WAN). 2.1.1.3 Customer LAN configuration

Symposium Call Center Server (Nodal or NCC server) and the client PCs (both Symposium Call Center Server Client and Web Client) are connected through the Customer LAN (CLAN). 2.1.1.3.1 Default network binding protocols

The network connection protocol between Symposium Call Center server and the client PCs (both the Symposium Call Center Server Client and the Web Client application server) is based on TCP/IP. The Symposium Call Center Server Network Interface Card (NIC) should have the following default network protocol bindings:

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

5

Security Models

Nortel Networks Proprietary

Table 1 Symposium Call Center Server Default Network Protocols

Default network protocol Client for Microsoft Network

Function Allow Symposium Call Center Server to operate within the Microsoft network environment Enabled by default. Must be enable for Symposium Call Center Server Remote Database Network Backup & Restore feature to work Base network protocol for Symposium Call Center Server

File and Printer Sharing for Microsoft Network

Internet Protocol (TCP/IP)

It is the implementation personnel’s responsibility to add additional binding protocols to the NIC, as necessary. 2.1.1.3.2 Static IP address

Symposium Call Center Server operates as a standalone server with a static IP address. The Symposium Call Center Server network interface must not be configured with DHCP. 2.1.1.3.3 DNS consideration

If a Domain Name Service (DNS) is configured and available on the CLAN, then the Symposium Call Center Server network interface should be registered with the specified DNS. If no DNS is available, then disable the DNS configuration in the Symposium Call Center Server network interface to prevent errors and possible performance impacts on the Symposium Call Center Server network connection. 2.1.1.4 Firewall

Symposium Call Center Server operates on two separate Embedded LAN (ELAN) and Customer LAN (CLAN) subnet configurations. The ELAN provides critical call traffic between Symposium Call Center Server and the telephone switch. For maximum network traffic performance and security, it is recommended that the ELAN be completely isolated from other subnets, or external LANs or WANs within the network. No firewall should be placed between Symposium Call Center Server and the telephone switch.

6

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Security Models

Nortel Networks Proprietary

The Symposium Call Center Server Client or the Symposium Web Client application server is connected to the Symposium Call Center Server through the CLAN. The Remote Procedure Call (RPC) communication method is used between Symposium Call Center Server and the client PCs (both the Symposium Call Center Server Client and the Web Client application server). Since this communication method requires a large range of dynamic ports, it is not practical to implement a firewall between Symposium Call Center Server and the client PCs by restricting port access. However, you can place an appropriate firewall between the Symposium Web Client application server and the Web Client desktop PCs. In spite of the requirement to open a very large range of ports in a firewall implementation, Nortel Networks acknowledge the fact that many customers have security policy that may requires knowing all ports being used by Symposium Call Center Server application. Table 2 lists all ports used between a Symposium Call Center Server and the Symposium Call Center Client, and between a Symposium Call Center Server and another Symposium Call Center Server or Symposium Call Center Web Client application server. The list does not include other base ports for Windows network connection, for example port 53 for DNS that may be needed in customer network configuration, and these ports should be known and provided by customers.
Table 2 Symposium Call Center Server Ports Usage

Port Number Port 135 Port 137

Functionality Microsoft Windows RPC Locator Service Microsoft NetBIOS Name Service (needed for SCCS Remote Database Backup & Restore feature if deployed) Microsoft NetBIOS Datagram Service (needed for SCCS Remote Database Backup & Restore feature if deployed) Microsoft NetBIOS Session Service (needed for SCCS Remote Database Backup & Restore feature if deployed) SNMP (needed if SNMP NMS is connected) SNMP Traps (needed if SNMP NMS is connected) Microsoft Windows RPC Courier Service.
7

Port 138

Port 139

Port 161 Port 162 Port 530
Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Security Models

Nortel Networks Proprietary

Port Number

Functionality (needed if Symposium TAPI server is connected) This is range of ports that can be used by RPC dynamic ports. Note: There are other hard coded ports used by Symposium Call Center Server, however they all fall within the range of that need to be opened for RPC

Port 1024 to 65535

It is the implementation personnel’s responsibility to provide and implement any firewalls. 2.1.2 Symposium Call Center Server server security layer The Symposium Call Center Server R5.0 server security layer defines the security settings and configuration on the Symposium Call Center Server PC. The server security layer protects the Symposium Call Center Server PC from various security attacks and vulnerabilities. The security layer is implemented through security features included in the Windows 2000 Server operating system and through the appropriate server configuration. The overall server security layer consists of the following main security strategies: • • • Windows 2000 Server configuration Windows 2000 security settings Server configuration Windows 2000 Server configuration

2.1.2.1

The Windows 2000 Server configuration security strategy relies on the default Windows 2000 Server operating system installation and configuration. The default installation and configuration only installs and configures those Windows 2000 components that are required for proper Symposium Call Center Server R5.0 operation. By not installing any unnecessary Windows 2000 components, you minimize the risk of possible security attacks and vulnerabilities through these components. The details of the default Windows 2000 Server configuration are documented in section 3 of this guide. For details installing Windows 2000 Server according to the default Symposium Call Center Server configuration, see the Nortel Networks Symposium Call Center Server Installation and Maintenance Guide for Release 5.0 [1].
8 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00

Security Models

Nortel Networks Proprietary

2.1.2.2

Windows 2000 security settings

The Windows 2000 security setting strategy includes a set of default security settings and a users policy designed to protect Symposium Call Center Server by minimizing possible unauthorized access and changes to the server. For details, see section 3 of this guide. 2.1.2.3 Server configuration

The server configuration strategy includes a set of default server configuration settings, such as file system type partitioning, file sharing etc., that help minimize the exposure of the server to potential attackers. For details, see section 3 of this guide. 2.1.3 Symposium Call Center Server application security layer The Symposium Call Center Server application security layer includes built-in security functions that protect critical information about the Symposium Call Center Server application, customer call center configuration and statistics from illegal access. The application security layer consists of the following major components: • • • database access security MAS security service remote backup and restore security Database access security

2.1.3.1

Database access security is controlled by the Sybase ASE 12 SQL Server access authorization component. Only authorized database user accounts with correct passwords can access the database through pre-assigned access rights. All critical call center configuration information and customer call statistics are stored in the database. Nortel Networks proprietary information is also stored in the database and can only be accessed by the “system administrator” (SA) account. Details of this account are considered Nortel Networks confidential and, therefore, are not released to any customers. Customers do not need to perform any database access or maintenance operations that require “SA” account access. Instead, customers use other Symposium Call Center Server user accounts to access the database and create custom call statistic reports. Customers can access the database through the pre-defined “sysadmin” account and other Symposium Call Center Server user accounts created by the Symposium Call Center Server administrators or supervisors. The sysadmin account is different from the SA account. Customers can change the passwords for all created Symposium Call Center Server user accounts, including the predefined sysadmin account. In fact, for security purposes, customers must change
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 9

Security Models

Nortel Networks Proprietary

the default password for the sysadmin account when logging on to Symposium Call Center Server for the first time. The database access security model further protects database integrity from unauthorized access and updates by providing pre-defined database views from which customers retrieve database information. 2.1.3.2 MAS security server

The MAS security server is a Symposium Call Center Server service that provides security authentication for the connection between the server in Symposium Call Center Server and Symposium Call Center Server Client PC. The Symposium Call Center Server Client must log on to Symposium Call Center Server through the MAS security service using a valid Symposium Call Center Server user account and password. The MAS security server encrypts and decrypts Symposium Call Center user account passwords using a proprietary algorithm. Symposium Call Center Server user accounts are separate and different from the client PC’s local or network login account, and the server’s local Windows login accounts. The Symposium Call Center Server user account login does not require Windows login on the Symposium Call Center Server, nor does it require Windows Domain Controller or Windows 2000 Active Directory. 2.1.3.3 Remote backup and restore security

Symposium Call Center Server R5.0 supports database backup and restore on a remote network computer within the Symposium Call Center Server standalone server configuration. Procedures are provided to setup the proper local user account on both the remote backup computer and the server in Symposium Call Center Server to ensure that only assigned user accounts and privileges are used for the remote backup and restore. Customers must exercise proper security measures for the shared remote backup folder on the remote computer to prevent unauthorized access to the Symposium Call Center Server backup files. Remote backup and restore configuration procedures are documented in Nortel Networks Symposium Call Center Server Installation and Maintenance Guide for Release 5.0 [1].

10

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Default R5.0 server security settings and configurationNortel Networks Proprietary

3

Default R5.0 server security settings and configuration
Caution
This guide contains sensitive security and configuration settings that a potential hacker could use to exploit the security risks of the Symposium Call Center Server. Therefore, you must exercise caution and only release security settings information to people on a need-to-know basis.

3.1

Default Windows 2000 Server configuration
Symposium Call Center Server R5.0 includes a set of recommendations for the installation and configuration of the Windows 2000 Server operating system. When followed, these recommendations provide a security environment that satisfies most typical customer security requirements. To install and configure Windows 2000 Server according to these recommendations, follow the instructions listed in the Nortel Networks Symposium Call Center Server Installation and Maintenance Guide for Release 5.0[1]. The default configuration listed only covers the Windows 2000 Server operating system configuration and does not include any hardware platform-specific configuration or security settings. The Windows 2000 Server configuration and security settings listed in this guide include both the default Symposium Call Center Server settings (as installed when you follow the guidelines documented in Nortel Networks Symposium Call Center Server Installation and Maintenance Guide for Release 5.0 [1]), and the minimum Symposium Call Center Server settings (the minimum setting required for Symposium Call Center Server R5.0 operation). Nortel Networks has verified the default Windows 2000 Server configuration as listed to ensure its compatibility with the proper Symposium Call Center Server installation and operation. Therefore, if you choose to alter the default Windows 2000 Server configuration to meet specific customer requirements, note that Nortel Networks will not have verified the impact of such change on the Symposium Call Center Server installation and operation. Customers who deviate from the recommended default Windows 2000 Server configuration must not change or exceed any of the listed Symposium Call Center Server minimum requirements, and must test their Windows 2000 Server configuration with Symposium Call Center Server R5.0 in a non-production environment before putting the configuration online.

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

11

Default R5.0 server security settings and configurationNortel Networks Proprietary

3.1.1 Default installed Windows 2000 Server components For proper Symposium Call Center Server R5.0 operation, Nortel Networks recommends installing only the required Windows 2000 Server operating system components. Table 3 lists the default Windows 2000 Server installed components and the minimum component requirements for proper Symposium Call Center Server R5.0 operation.
Table 3 Default Installed Windows 2000 Server Components

Windows 2000 component

Windows 2000 sub-component

Default Symposium Call Center Server configuration Installed Installed Installed Installed Installed Not installed Not installed Installed

Symposium Call Center Server minimum requirement No dependency No dependency No dependency No dependency No dependency No dependency No dependency No dependency No dependency (must not be installed for security and performance consideration) No dependency (must not be installed for security and performance
Issue 1.00

Accessories and Utilities

Accessibility Wizard Accessories Communications Games Multimedia

Certificates Service

Certificate Service CA Certificate Web Enrollment Support

Indexing Service Internet Information Service (IIS) Common Files

Not installed

Documentation

Not installed

12

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Windows 2000 component

Windows 2000 sub-component

Default Symposium Call Center Server configuration Not installed

Symposium Call Center Server minimum requirement consideration) No dependency (must not be installed for security and performance consideration) No dependency (must not be installed for security and performance consideration) No dependency (must not be installed for security and performance consideration) No dependency (must not be installed for security and performance consideration) No dependency (must not be installed for security and performance consideration) No dependency (must not be installed for security and performance
13

File Transfer Protocol (FTP) Server

FrontPage 2000 Server Extension

Not installed

Internet Not installed Information Service Snap-In

Internet Service Manager (HTML)

Not installed

NNTP Service

Not installed

SMTP Service

Not installed

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Windows 2000 component

Windows 2000 sub-component

Default Symposium Call Center Server configuration Not installed

Symposium Call Center Server minimum requirement consideration) No dependency (must not be installed for security and performance consideration) No dependency (must not be installed for security and performance consideration) No dependency (must not be installed for security and performance consideration) No dependency Must be installed for sending Symposium Call Center Server event traps No dependency (must not be installed for security and performance consideration) No dependency (must not be installed for
Issue 1.00

Visual InterDev RAD Remote Development Support

World Wide Web Server

Not installed

Management and Monitoring Tools

Connection Manager Components

Not installed

Network Monitor Tools Simple Network Management Protocol

Not installed Installed

Networking Service

COM Internet Service Proxy

Not installed

Domain Name System (DNS)

Not installed

14

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Windows 2000 component

Windows 2000 sub-component

Default Symposium Call Center Server configuration

Symposium Call Center Server minimum requirement security and performance consideration) Must not be installed No dependency (must not be installed for security and performance consideration) No dependency (must not be installed for security and performance consideration) No dependency (must not be installed for security and performance consideration) No dependency (must not be installed for security and performance consideration) No dependency (must not be installed for security and performance consideration)
15

Dynamic Host Configuration Protocol (DHCP) Internet Authentication Service

Not installed

Not installed

QoS Admission Control Service

Not installed

Simple TCP/IP Services

Not installed

Site Server ILS Services

Not installed

Windows Internet Name Service (WINS)

Not installed

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Windows 2000 component

Windows 2000 sub-component

Default Symposium Call Center Server configuration Not installed

Symposium Call Center Server minimum requirement No dependency (must not be installed for security and performance consideration) No dependency (must not be installed for security and performance consideration) No dependency (must not be installed for security and performance consideration) No dependency

Other Network File and Print Services

File Service for Macintosh

Print Service for Macintosh

Not installed

Print Service for Unix

Not installed

Remote Installation Service Remote Storage Script Debugger Terminal Services Client Creator Files

Not installed

Not installed Installed Not installed

No dependency No dependency No dependency (recommend not to be installed for security and performance consideration) No dependency (recommend not to be installed for security and performance
Issue 1.00

Enable Terminal Services

Not installed

16

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Windows 2000 component

Windows 2000 sub-component

Default Symposium Call Center Server configuration Not installed

Symposium Call Center Server minimum requirement consideration) No dependency (must not be installed for security and performance consideration) No dependency No dependency

Terminal Service Licensing

Windows Media Services

Windows Media Service Windows Media Service Admin

Not installed Not installed

3.1.2 Default Windows 2000 services When you install Windows 2000, the installation program creates and configures default Windows services that run when the system is started. Table 4 lists the default Windows 2000 services and the minimum service configuration for Symposium Call Center Server if the Windows 2000 Server is installed with the default Windows components (as listed in Table 3).
Table 4 Default Windows 2000 services

Windows 2000 service

Default Symposium Symposium Call Call Center Server Center Server configuration minimum requirement Automatic Manual Automatic (Disabled for NCC server) No dependency No dependency Must be enabled for SCCS except for NCC server (builtin SCCS service)

Alerter Application Management ASM_Service

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

17

Default R5.0 server security settings and configurationNortel Networks Proprietary

Windows 2000 service

Default Symposium Symposium Call Call Center Server Center Server configuration minimum requirement Automatic Must be enabled for SCCS including NCC server (builtin SCCS service) No dependency No dependency No dependency Must be enabled for SCCS including NCC server (builtin SCCS service) No dependency No dependency No dependency No dependency No dependency Must be enabled for Symposium Call Center Server if the server NIC is DNS enabled Must be enabled for SCCS except for NCC server (builtin SCCS service) Must be enabled for SCCS except for NCC server (builtin SCCS service)
Issue 1.00

AUDIT_Service

ClipBook COM+ Event System Computer Browser DBNotifier_Service

Manual Manual Automatic Automatic

DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator DNS Client

Automatic Automatic Automatic Manual Automatic Automatic

EB_Service

Automatic (Disabled for NCC server)

ES_Service

Automatic (Disabled for NCC server)

18

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Windows 2000 service

Default Symposium Symposium Call Call Center Server Center Server configuration minimum requirement Automatic Must be enabled for Symposium Call Center Server No dependency No dependency Must be enabled for SCCS except for NCC server (builtin SCCS service) Must be enabled for SCCS including NCC server (builtin SCCS service) Must be enabled for Symposium Call Center Server if Data Integration Wizard is enabled in keycode (built-in SCCS service) No dependency No dependency No dependency No dependency Must be enabled for SCCS except for NCC server (builtin SCCS service) No dependency No dependency
19

Event Log

Fax Service File Replication HDC_Service

Manual Manual Automatic (Disabled for NCC server)

HDM_Service

Automatic

Host Application Integration

Automatic (Disabled for NCC server)

Indexing Service Internet Connection Sharing Intersite Messaging IPSEC Policy Agent IS_Service

Manual Manual Disabled Automatic Automatic (Disabled for NCC server)

Kerberos Key Distribution Center Licensing Logging Service
Issue 1.00

Disabled Automatic

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Windows 2000 service

Default Symposium Symposium Call Call Center Server Center Server configuration minimum requirement Automatic Must be enabled for Symposium Call Center Server No dependency Must be enabled for SCCS including NCC server (builtin SCCS service) Must be enabled for SCCS including NCC server (builtin SCCS service) Must be enabled for SCCS including NCC server (builtin SCCS service) Must be enabled for SCCS including NCC server (builtin SCCS service) Must be enabled for SCCS including NCC server (builtin SCCS service) Must be enabled for SCCS including NCC server (builtin SCCS service) Must be enabled for SCCS including NCC server (builtin SCCS service)
Issue 1.00

Logical Disk Manager

Logical Disk Manager Administrative Service MAS Backup/Restore

Manual Automatic

MAS Configuration Manager

Automatic

MAS Event Scheduler

Automatic

MAS Fault Manager

Automatic

MAS LinkHandler Port #2

Automatic

MAS OM Server

Automatic

MAS Security

Automatic

20

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Windows 2000 service

Default Symposium Symposium Call Call Center Server Center Server configuration minimum requirement Automatic Must be enabled for SCCS including NCC server (builtin SCCS service) Must be enabled for SCCS including NCC server (builtin SCCS service) Must be enabled for SCCS including NCC server (builtin SCCS service) No dependency Must be enabled for SCCS except for NCC server (builtin SCCS service) Must be enabled for Symposium Call Center Server (built-in SCCS Visibroker service) Must be enabled for SCCS including NCC server (builtin SCCS service) Must be enabled for SCCS except for NCC server (builtin SCCS service) Must be disabled for SCCS except for NCC server (built21

MAS Service Daemon

MAS Service Manager

Automatic

MAS Time Service

Automatic

Messenger MLSM_Service

Disabled Automatic (Disabled for NCC server)

NameService

Automatic (Not applicable to NCC server)

NBNM_Service

Automatic

NBTSM_Service

Automatic (Disabled for NCC Server)

NCCOAM_Service

Disabled (Automatic if it is a NCC server)

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Windows 2000 service

Default Symposium Symposium Call Call Center Server Center Server configuration minimum requirement in SCCS service) Automatic (Disabled for NCC server) Must be enabled for SCCS except for NCC server (builtin SCCS service) No dependency No dependency No dependency No dependency No dependency Must be enabled for SCCS except for NCC server (builtin SCCS service) No dependency Must be enabled for SCCS including NCC server (builtin SCCS service) Must be enabled for Symposium Call Center Server remote support connection (built-in pcAnywhere service) No dependency No dependency No dependency
Issue 1.00

NDLOAM_Service

Net Logon Net Meeting Remote Desktop Sharing Network Connections Network DDE Network DDE DSDM NITSM_Service

Manual Manual Manual Manual Manual Automatic (Disabled for NCC server)

NT LM Security Support Provider OAM_Service

Manual Automatic

pcAnywhere Host Service

Automatic

Performance Logs and Alerts Plug and Play Print Spooler
22

Manual Automatic Automatic

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Windows 2000 service

Default Symposium Symposium Call Call Center Server Center Server configuration minimum requirement Automatic Manual Automatic (Disabled for NCC server) No dependency No dependency Must be enabled for SCCS except for NCC server (builtin SCCS service) No dependency No dependency Must be enabled for Symposium Call Center Server Must be enabled for Symposium Call Center Server No dependency No dependency No dependency Must be enabled for SCCS except for NCC server (builtin SCCS service) Must be enabled for Symposium Call Center Server Must be enabled for SCCS except for NCC server (builtin SCCS service)
23

Protected Storage QoS RSVP RDC_Service

Remote Access Auto Communication Manager Remote Access Connection Manager Remote Procedure Call (RPC)

Manual Manual Automatic

Remote Procedure Call (RPC) Locator Remote Registry Service Remote Storage Routing and Remote Access RSM_Service

Manual

Automatic Automatic Disabled Automatic (Disabled for NCC server)

RunAs Service

Automatic

SDMCA_Service

Automatic (Disabled for NCC server)

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Windows 2000 service

Default Symposium Symposium Call Call Center Server Center Server configuration minimum requirement Automatic (Disabled for NCC server) Must be enabled for SCCS except for NCC server (builtin SCCS service) Must be enabled for Symposium Call Center Server Must be enabled for Symposium Call Center Server No dependency No dependency Must be enabled for sending Symposium Call Center Server traps Must be enabled for sending Symposium Call Center Server traps Must be enabled for SCCS including NCC server (builtin Sybase service) Must be enabled for SCCS including NCC server (builtin Sybase service) Must be enabled for SCCS including NCC server (builtin Sybase service)
Issue 1.00

SDP_Service

Security Accounts Manager

Automatic

Server

Automatic

Smart Card Smart Card Helper SNMP Service

Manual Manual Automatic

SNMP Trap Service

Manual

Sybase BCKServer_<computername>_BS

Automatic

Sybase Manual MONServer_<computername>_MS

Sybase SQLServer_<computername>

Automatic

24

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Windows 2000 service

Default Symposium Symposium Call Call Center Server Center Server configuration minimum requirement Manual Must be enabled for SCCS including NCC server (builtin Sybase service) No dependency Must be enabled for Symposium Call Center Server Must be enabled for Symposium Call Center Server Remote Network Database Backup & Restore feature to function No dependency No dependency No dependency (recommend Disabled for Symposium Call Center Server) Must be enabled for SCCS except for NCC server (builtin SCCS service) Must be enabled for SCCS except for NCC server (builtin SCCS service) Must be enabled for SCCS except for
25

Sybase XPServer_<computername>_XP

System Event Notification Task Scheduler

Automatic Automatic

TCP/IP NetBIOS Helper Service

Automatic

Telephony Telnet Terminal Service

Manual Manual Disabled

TFA_Service

Automatic (Disabled for NCC server)

TFABRIDGE_Service

Automatic (Disabled for NCC server)

TFE Bridge Connector

Manual (Disabled for NCC server)

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Windows 2000 service

Default Symposium Symposium Call Call Center Server Center Server configuration minimum requirement NCC server (builtin SCCS service) Automatic (Disabled for NCC server) Must be enabled for SCCS except for NCC server (builtin SCCS service) No dependency No dependency Must be enabled for SCCS except for NCC server (builtin SCCS service) Must be enabled for Symposium Call Center Server No dependency No dependency No dependency Must be enabled for Symposium Call Center Server

TFE_Service

Uninterrupted Power Supply Utility Manager VSM_Service

Manual Manual Automatic (Disabled for NCC server)

Windows Installer

Manual

Windows Management Instrumentation Windows Management Instrumentation Driver Extension Windows Time Workstation

Manual Manual Manual Automatic

3.2

Default Windows 2000 security settings
The Windows 2000 Server operating system on the Symposium Call Center Server R5.0 server is protected by the Windows 2000 local security policy. Since Symposium Call Center Server R5.0 does not require Active Directory to work, Windows 2000 Group Policies will not be discussed in this guide.

26

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Default R5.0 server security settings and configurationNortel Networks Proprietary

As part of Symposium Call Center Server R5.0, Nortel Networks recommends a set of default security settings for the Windows 2000 local security policy that provides a security environment for most typical customer security requirements. Nortel Networks has verified that this default Windows 2000 local security policy is compatible with the proper Symposium Call Center Server installation and operation. Therefore, if you choose to alter the default Windows 2000 security policy (both local and group policy) to meet specific customer security requirements, note that Nortel Networks will not have verified the impact of such a change on the Symposium Call Center Server installation and operation. Customers who deviate from the recommended default Windows 2000 Server security policy (both local and group policy) must not change or exceed any of the listed Symposium Call Center Server minimum requirements, and must test their Windows 2000 Server security policy with Symposium Call Center Server R5.0 in a non-production environment before putting the policy online. 3.2.1 Default password policy Symposium Call Center Server R5.0 recommends the following default password policy (applicable to the installed Windows 2000 user accounts).
Table 5 Default Password Policy

Policy

Default Windows 2000 setting 0 password remembered 42 days 0 days 0 characters

Symposium Call Center Server minimum requirement No dependency No dependency No dependency Must be less than 6 characters for Symposium Call Center Server installation. Password length can be changed after Symposium Call Center Server installation. Disabled for Symposium Call Center Server installation No dependency
27

Enforce password history Maximum password age Minimum password age Minimum password length

Password must meet complexity requirements Store password using
Issue 1.00

Disabled

Disabled

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Policy

Default Windows 2000 setting

reversible encryption for all users in the domain

Symposium Call Center Server minimum requirement (recommend Disabled)

Since the installation of the Symposium Call Center Server application creates additional Windows accounts with default passwords, the Windows 2000 password policy should be in the default setting (as listed in Table 5) before you install Symposium Call Center Server. Customers can change the Windows 2000 password policy as required after the Symposium Call Center Server application, in which case, they must also make appropriate password changes for all local Windows accounts that are created with the Symposium Call Center Server installation. Nortel Networks recommends that all local Windows account passwords (including accounts created by Symposium Call Center Server) be changed from their default values immediately after installing Symposium Call Center Server. 3.2.2 Default account lockout policy Table 6 lists the default account lockout security setting and the minimum requirements for Symposium Call Center Server R5.0.
Table 6 Default Account Lockout Policy

Policy

Default Windows 2000 setting 0 invalid logon attempts

Symposium Call Center Server minimum requirement No dependency No dependency No dependency

Account lockout threshold

Account lockout duration Not defined Reset account lockout counter after Not defined

3.2.3 Default user rights assignments Table 7 lists the default user rights assignments security setting and the minimum requirements for Symposium Call Center Server R5.0.
28 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00

Default R5.0 server security settings and configurationNortel Networks Proprietary Table 7 Default User Rights Assignments

Policy

Default groups with this policy

Default accounts with this policy

Symposium Call Center Server minimum requirement Must be set for the NGen System, NGen Distributor, and Administrator groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesigner accounts.

Access this computer from the network

NGen System, NGen Distributor, Everyone, Users, Power Users, Backup Operators, Administrator

Administrator, NGenSys, NGenDist, NGenDesign

Act as part of the operating system

NGen System, NGen Design

NGenSys, NGenDesign

Must be set for the NGen System, and NGen Design groups. Must be set for the NGenSys, and NGenDesign accounts.

Add workstations to domain

NGen Distributor

NGenDist, NGenDesign

Must be set for the NGen Distributor group. Must be set for the NGenDist, and NGenDesign accounts.

Back up files and directory

Administrators, Ngen System, Ngen Distributor, Backup Operator

Administrator, NgenSys, NGenDist, NGenDesign

Must be set for the NGen System, NGen Distributor groups. Must be set for the NGenSys,

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

29

Default R5.0 server security settings and configurationNortel Networks Proprietary

Policy

Default groups with this policy

Default accounts with this policy

Symposium Call Center Server minimum requirement NGenDist, and NGenDesign accounts. Must be set for the NGen Distributor group. Must be set for the NGenSys, NGenDist, and NGenDesign accounts

Bypass traverse checking

Administrators, NGen Distributor, Backup Operators, Power Users, Users, Everyone

Administrator, NGenSys, NGenDist, NGenDesign

Change the system time

NGen Distributor, Administrators, Power Users

Administrator, NGenSys, NGenDist, NGenDesign

Must be set for the NGen Distributor, and Administrators groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts.

Create a pagefile

Administrators, NGen Design

Administrator, NGenSys, NGenDist, NGenDesign

Must be set for the Administrators, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts.

Create a token object

NGen System, NGen Design

NGenSys

Must be set for the NGen System, and NGen Design groups.
Issue 1.00

30

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Policy

Default groups with this policy

Default accounts with this policy

Symposium Call Center Server minimum requirement Must be set for the NGenSys account.

Create permanent shared objects

NGen System, NGen Design

NGenSys

Must be set for the NGen System, and NGen Design groups. Must be set for the NGenSys account

Debug programs

Administrators, NGen System, NGen Design

Administrator, NGenSys, NGenDist, NGenDesign

No dependency. If removed, Nortel Networks may request to set it again for diagnosing specific site problem. Must be set for the Administrators, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts.

Force shutdown from a remote system

Administrators, NGen Design

Administrator, NGenSys, NGenDist, NGenDesign

Generate security audits Increase quotas

NGen Distributor Administrators, NGen Distributor

NGenDist, NGenDesign Administrator, NGenSys, NGenDist, NGenDesign

No dependency Must be set for the Administrators, and NGen Distrobutor groups.

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

31

Default R5.0 server security settings and configurationNortel Networks Proprietary

Policy

Default groups with this policy

Default accounts with this policy

Symposium Call Center Server minimum requirement Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts.

Increase scheduling priority

Administrators, NGen System, NGen Design

Administrator, NGenSys, NGenDist, NGenDesign

Must be set for the Administrators, NGen System, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts.

Load and unload device drivers

Administrators, NGen System, NGen Design

Administrator, NGenSys, NGenDist, NGenDesign

Must be set for the Administrators, NGen System, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGen Design accounts.

Lock pages in memory

NGen System, NGen Design

NGenSys, NGenDesign

Must be set for the NGen System, and NGen Design groups. Must be set for the NGenSys, and NGenDesign

32

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Default R5.0 server security settings and configurationNortel Networks Proprietary

Policy

Default groups with this policy

Default accounts with this policy

Symposium Call Center Server minimum requirement accounts. Must be set for the NGen System, and NGen Distributor groups. Must be set for the NGenSys, NGenDist, and NGenDesign accounts.

Log on as a batch file

NGen System, NGen Distributor

NGenSys, NGenDist, NGenDesign

Log on as a service

NGen System, NGen Distributor

NGenSys, NGenDist, NGenDesign

Must be set for the NGen System, and NGen Distributor groups. Must be set for the NGenSys, NGenDist, and NGenDesign accounts.

Log on locally

Administrators, NGen Distributor, TSInternetUser, Guest, Users, Power Users, Backup Operators

Administrator, NGenSys, NGenDist, NGenDesign

Must be set for the Administrators, and NGen Distributor groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts.

Manage auditing and security log

Administrators, NGen Distributor

Administrator, NGenSys, NGenDist, NGenDesign

Must be set for the Administrators, and NGen Distributor groups. Must be set for the

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

33

Default R5.0 server security settings and configurationNortel Networks Proprietary

Policy

Default groups with this policy

Default accounts with this policy

Symposium Call Center Server minimum requirement Administrator, NGenSys, NGenDist, and NGenDesign accounts. Must be set for the Administrators, NGen System, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts.

Modify firmware environment values

Administrators, NGen System, NGen Design

Administrator, NGenSys, NGenDist, and NGenDesign

Profile single process

Administrators, NGen System, NGen Design, Power Users

Administrator, NGenSys, NGenDist, NGenDesign

Must be set for the Administrators, NGen System, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts.

Profile system performance

Administrators, NGen System, NGen Design

Administrator, NGenSys, NGenDist, NGenDesign

Must be set for for Administrators, NGen System, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and

34

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Default R5.0 server security settings and configurationNortel Networks Proprietary

Policy

Default groups with this policy

Default accounts with this policy

Symposium Call Center Server minimum requirement NGenDesign accounts. No dependency

Remove computer from docking station

Administrators, Users, Power Users

Administrator, NGenSys, NGenDist, NGenDesign NGenSys, NGenDesign

Replace a process NGen System, level token NGen Design

Must be set for the NGen System groups. Must be set for the NgenSys accounts.

Restore files and directories

Administrators, NGen System, NGen Dsitributor, Backup Operators

Administrator, NGenSys, NGenDist, and NGenDesign

Must be set for the Administrators, NGen System, and NGen Distributor groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts.

Shut down the system

Administrators, NGen Distributor, Backup Operators, Power Users

Administrator, NGenSys, NGenDist, NGenDesign

Must be set for the Administrators, and NGen Distributor groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts

Take ownership of files or other
Issue 1.00

Administrators, NGen Distributor

Administrator, NGenSys,

Must be set for the Administrators,
35

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Policy

Default groups with this policy

Default accounts with this policy

objects

NGenDist, NGenDesign

Symposium Call Center Server minimum requirement and NGen Distributor groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts.

Deny access to this computer from the network Deny logon as a batch job Deny logon as a service Deny logon locally

Not defined

Not defined

No dependency

Not defined Not defined Not defined

Not defined Not defined Not defined Not defined

No dependency No dependency No dependency No dependency

Enable computer Not defined and user accounts to be trusted for delegation

3.2.4 Default security setting Table 8 lists the default security setting and minimum requirements for Symposium Call Center Server R5.0.

36

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Default R5.0 server security settings and configurationNortel Networks Proprietary Table 8 Default Security Setting

Policy

Default Windows 2000 setting 10 logons

Symposium Call Center Server minimum requirement No dependency

Number of previous logons to cache (in case domain controller is not available)

Prompt user to change 14 days password before expiration Amount of idle time required before disconnecting session Allowed to eject removal NTFS media Allow system to be shut down without having to log on Audit the access of global system objects Audit use of Backup and Restore privilege Clear virtual memory pagefile when system shutdown Digitally sign client communication (always) Digitally sign server communication (always) Digitally sign server communication (when possible) 15 minutes

No dependency No dependency

Administrator Disabled

No dependency No dependency (recommend Disabled) No dependency No dependency No dependency

Disabled Disabled Disabled

Disabled Disabled Disabled

No dependency No dependency (recommend Disabled) No dependency (recommend Disabled) No dependency (recommend Disabled)
37

Disable CTRL+ALT+DEL Disabled requirement for logon
Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Policy

Default Windows 2000 setting Disabled Disabled

Symposium Call Center Server minimum requirement No dependency No dependency (recommend Disabled) No dependency

Do not display last user name in logon session Prevent system maintenance of computer account password Recovery Console: Allow automatic administrative logon Recovery Console: Allow floppy copy and access to all drives and all folders Restrict CD-ROM access to locally logged-on user only Restrict floppy access to locally logged-on user only Secure channel: Digitally encrypt or sign secure channel data (always) Secure channel: Require strong (Windows 2000 or later) session key Send unencrypted password to connect to third party SMB servers Shut down system immediately if unable to log security audits Automatically log off users when logon time expires (local)

Disabled

Disabled

No dependency

Disabled

No dependency

Disabled

No dependency

Disabled

No dependency

Disabled

No dependency

Disabled

No dependency

Disabled

No dependency (recommend Disabled) No dependency (recommend Enabled)

Enabled

38

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Default R5.0 server security settings and configurationNortel Networks Proprietary

Policy

Default Windows 2000 setting Enabled

Symposium Call Center Server minimum requirement No dependency

Digitally sign client communication (when possible) Prevent users from installing printer driver Secure channel: Digitally encrypt secure channel data (when possible) Secure channel: Digitally sign secure channel data (when possible) Strengthen default permissions of global system objects (e.g. Symbolic Links) Smart card removal behavior Additional restrictions for anonymous connections Allow server operators to schedule task (domain controllers only) Rename administrator account

Enabled Enabled

No dependency (recommend Enabled) No dependency

Enabled

No dependency

Enabled

No dependency

No Action None. Rely on default permissions Not defined

No dependency No dependency No dependency (recommend Not defined) No dependency (recommend Not d1efined for Symposium Call Center Server installation) No dependency No dependency No dependency

Not defined

Rename guest account Unsigned driver installation behavior Unsigned non-driver installation behavior
Issue 1.00

Not defined Not defined Not defined

Symposium Call Center Server 5.0 Security Guide for Windows 2000

39

Default R5.0 server security settings and configurationNortel Networks Proprietary

Policy

Default Windows 2000 setting Send LM & NTLM responses On On

Symposium Call Center Server minimum requirement No dependency (recommend remain in default setting) No dependency No dependency

LAN Manager Authentication Level Message text for users attempting to log on Message title for users attempting to log on

3.2.5 Default IP security policy Table 9 lists the default IP security policies assigned and the minimum requirements for Symposium Call Center Server R5.0.
Table 9 Default IP Security Policy

Name

Description

Default policy assigned

Symposium Call Center Server minimum requirement No dependency (recommend No)

Client (Respond Only)

Communicate normally No (unsecured). Use the default response rule to negotiate with servers that request security. Only the requested protocol and port traffic with that service is secured. For all IP traffic, always require security using Kerberos trust. Do NOT allow unsecured communication with untrusted clients. For all IP traffic, always request security using Kerberos trust. Allow unsecured communication with clients that do not respond to No

Secure Server (Require Security) Server (Request Security)

No dependency (recommend No)

No

No dependency (recommend No)

40

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Default R5.0 server security settings and configurationNortel Networks Proprietary

Name

Description

Default policy assigned

Symposium Call Center Server minimum requirement

request

3.2.6 Default audit policy Table 10 lists the default Windows 2000 audit policies and minimum requirements for Symposium Call Center Server R5.0.
Table 10 Default Audit Policy

Policy

Default Windows 2000 setting No auditing No auditing

Symposium Call Center Server minimum requirement No dependency No dependency (recommend No Auditing to maximize Symposium Call Center Server performance) No dependency (recommend No Auditing to maximize Symposium Call Center Server performance) No dependency No dependency No dependency No dependency (recommend No Auditing to maximize Symposium Call Center Server
41

Audit account logon events Audit directory service access

Audit process tracking

No auditing

Audit account management Audit policy change Audit privilege use Audit object access

No auditing No auditing No auditing No auditing

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Default R5.0 server security settings and configurationNortel Networks Proprietary

Policy

Default Windows 2000 setting

Symposium Call Center Server minimum requirement performance) No dependency No dependency (recommend No Auditing to maximize Symposium Call Center Server performance)

Audit logon events Audit system events

No auditing No auditing

3.3

Default Symposium Call Center Server server configuration
Nortel Networks recommends a default configuration for the Symposium Call Center Server R5.0 server that provides additional security for the server. Nortel Networks has verified the default configuration as listed to ensure its compatibility with the proper Symposium Call Center Server installation and operation. Therefore, if you choose to alter the default server configuration to meet specific customer requirements, note that Nortel Networks will not have verified the impact of such a change on the Symposium Call Center Server installation and configuration. Customers who deviate from the recommended default server configuration must not change or exceed any listed Symposium Call Center Server minimum requirements, and must test their server configuration with Symposium Call Center Server R5.0 in a non-production environment before putting the server online. 3.3.1 Default disk partitioning type Symposium Call Center Server R5.0 supports Windows NTFS disk partitioning only. Windows NTFS provides additional security for server files. Symposium Call Center Server R5.0 requires that all disk partitions be NTFS. 3.3.2 Default Windows local users Symposium Call Center Server R5.0 installs three additional Windows 2000 local users during the Symposium Call Center Server software installation. Table 11 lists the three default Symposium Call Center Server Windows local users and how the accounts are used.

42

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Default R5.0 server security settings and configurationNortel Networks Proprietary Table 11 Default Symposium Call Center Server Windows Local Users

Default Symposium Call Center Server Windows local user NGenSys

Used for

Symposium Call Center Server minimum requirement Must not be removed or renamed from Windows

Used by customer to log in to Symposium Call Center Server for regular server maintenance (for example, PEP/SU installation etc.). Used by distribution channels and support personnel to log in to Symposium Call Center Server for maintenance and supports (for example, remote support login).

NGenDist

Must not be removed from Windows

NGenDesign

Used by Nortel Networks to Must not be removed log in to Symposium Call from Windows Center Server. This account is reserved for Nortel Networks usage only.

Since the Symposium Call Center Server application has a dependency on the NGenSys account, this account name must not be changed. Customers can change the account names for NGenDist and NGenDesign after the Symposium Call Center Server installation, but this will prevent distribution channels and Nortel support groups from using the default account names to perform Symposium Call Center Server maintenance or support. All three default Symposium Call Center Server Windows local users are initially created with default passwords. Customers are encouraged to change the default passwords after successful Symposium Call Center Server installation. Procedures for changing the passwords for these default accounts are documented in the Nortel Networks Symposium Call Center Server Installation and Maintenance Guide for Release 5.0[1].

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

43

Default R5.0 server security settings and configurationNortel Networks Proprietary

3.3.3 Default print server and file sharing configuration The Symposium Call Center Server R5.0 default network setting enables Print Server and File Sharing in the installed protocol stack, but the Symposium Call Center Server configuration does not include a default print server or a shared network folder or file. It is a Symposium Call Center Server R5.0 minimum requirement that no print server be configured on the Symposium Call Center Server R5.0 server. For security reasons, Nortel Networks recommends that customers do not share any Symposium Call Center Server folders or files over the network. In addition, Nortel Networks recommends that only the local Administrator and Symposium Call Center Server default Windows users be granted write access to Symposium Call Center Server folders. If customers need to download any Symposium Call Center Server files (for example, PEPs or SUs), then Nortel Networks recommends that they download them to a remote computer instead of directly to the Symposium Call Center Server. After downloading the file to the remote computer, the customer can then share it with the server in the Symposium Call Center Server over the network. 3.3.4 Default Internet access By default, Windows 2000 automatically includes a version of Internet Explorer that you can configure and use for Internet access. However, since Symposium Call Center Server does not require an Internet connection, it is a Symposium Call Center Server R5.0 minimum requirement that the Internet connection remain unconfigured. Nortel Networks stipulates that there should be no Internet or Intranet access directly from the Symposium Call Center Server R5.0 server. Failure to meet this requirement may expose the server to severe security risks.

44

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Security recommendations

Nortel Networks Proprietary

4

Security recommendations
This section includes recommended security practices for Symposium Call Center Server R5.0. Nortel Networks recommends that customers consider these suggestions when deciding on their own security policies and practices. This section is not intended to list security settings that meet specific customer requirements. Customers should review their security requirements and compare them with the default and minimum Symposium Call Center Server security settings and configuration (listed in section 3 of this guide), together with the security recommendations listed in this section, before deciding on the appropriate overall Symposium Call Center Server security configuration. The following security recommendations are not intended to be a comprehensive security guideline for all security-related issues that customers might need to consider. These security recommendations are only intended to be used as guidelines when planning and implementing the proper Symposium Call Center Server R5.0 security policies and practices within your specific environment and according to your security requirements.

4.1

Security risk management and policy
Security threats are increasing constantly, and it is a high priority for all organizations to secure all resources on the network, including Symposium Call Center Server. There is no such thing as a completely secure Symposium Call Center Server that fully meets all the different customer security requirements. To secure Symposium Call Center Server, you must provide your own appropriate security risk management and policy plan. Symposium Call Center Server R5.0 comes with a set of default security settings that meet most common security protection requirements. Nortel Networks has verified the default Windows 2000 Server configuration as listed to ensure its compatibility with the proper Symposium Call Center Server installation and operation. Therefore, if you choose to alter the default Windows 2000 Server operating system configuration to meet specific customer requirements, note that Nortel Networks will not have verified the impact of such a change on the Symposium Call Center Server installation and configuration. Customers who deviate from the recommended Windows 2000 Server configuration (as listed in section 3 of this guide), and must test their Windows 2000 Server configuration with Symposium Call Center Server R5.0 in a non-production environment before putting the configuration online. 4.1.1 Risk management To provide a proper secure environment, you must examine your environment and assess the risks you currently face, determine an acceptable level of risk, and maintain the risk at or below acceptable level. Risk can be reduced by increasing

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

45

Security recommendations

Nortel Networks Proprietary

the security of your server and environment. As a general rule, the higher the level of security, the more costly the risk management policy is to implement and the more likely that reductions in functionality will occur. You must review the required security level and determine how it might impact Symposium Call Center Server. 4.1.2 Security policy The security policy defines the procedures for configuring and managing security in your environment. Organizations may have a predefined general server security policy that can conflict with the Symposium Call Center Server default setting. You must review your security policy and determine how it can be implemented with Symposium Call Center Server. Since Symposium Call Center Server is designed as a special real-time call processing platform instead of a general purpose IT server, certain IT server security policies may not be compatible with Symposium Call Center Server. In this case, you may need to relax your security settings to meet the Symposium Call Center Server minimum requirements. If you have additional local security policy changes for the Symposium Call Center Server, then you must apply the additional security policy after you install Symposium Call Center Server to minimize any possible conflict with the default setting that are made during installation.

4.2

Windows 2000 security patches and hot fixes
Microsoft constantly identifies new Windows 2000 security vulnerabilities. Nortel Networks will monitor and validate newly issued Windows 2000 service packs, security patches and hot-fixes that are applicable to Symposium Call Center Server R5.0. The list of applicable Microsoft service packs and security hot-fixes is documented in the Symposium Products Service Packs Compatibility and Security Hotfixes Applicability List that is available on Nortel Networks Partner Information Center Web site: https://app12.nortelnetworks.com/cgibin/mynn/home/NN_prodDoc.jsp?BkMg=0&prodID=45280&progSrcID=8026&whereClause=23&curOid=12460 Nortel Networks will occasionally issue security bulletins to warn customers of critical security issues and provide recommended actions. Customers should apply all recommended security actions from Nortel Networks at the earliest possible time. Customers are encouraged to install the latest available Windows 2000 service packs that have been validated by Nortel Networks. You should schedule regular reviews of your configuration and apply the latest available Windows 2000 service pack as part of your security risk management plan.

46

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Security recommendations

Nortel Networks Proprietary

Given the number of operating system security patches and the complexity inherent in any network, Nortel Networks recommends that you create a systematic and accountable process for identifying and applying security patches. To help create such a process, you can follow a series of best practices guidelines, as documented in the National Institute of Standards and Technology (NIST) Special Bulletin 800-40, Procedures for Handling a Security Patches. This bulletin suggests that if an organization does not have a centralized group to coordinate the storage, evaluation, and chronicling of security patches into a library, then system administrators or the contact center administrator must fulfill this role. In addition to these guidelines, whenever possible, Nortel Networks recommends that you follow Microsoft's recommendations regarding newly discovered vulnerabilities and that you promptly install any security patches issued by Microsoft. Whenever possible, Nortel Networks incorporates the latest OS security recommendations and patches in an integrated solutions testing strategy during each test cycle. However, due to the urgent nature of security patches when vulnerabilities are discovered, Nortel Networks recommends that customers follow Microsoft's guidelines as they are issued, including any Microsoft installation procedures and security patch rollback processes that may be in place. Finally, you must make a full system backup before patching the system to ensure that a rollback is possible, if required.

4.3

Windows 2000 user accounts and passwords
Symposium Call Center Server R5.0 installs three default Windows 2000 local user accounts (NGenSys, NGenDist, and NGenDesign) with default passwords. The initial Symposium Call Center Server Windows account passwords include six characters (or less). To prevent Symposium Call Center Server software installation errors, you must ensure that the minimum password length in the Windows 2000 security policy does not exceed six characters before you install the software. You can change the password length and apply any additional changes to the account and password security policy after you install Symposium Call Center Server. If you increase the password length, you must also make the corresponding change to the passwords for the default Symposium Call Center Server Windows local user accounts. All three default Symposium Call Center Server Windows local user accounts are created for a specific purpose. You must not change the account name for the NGenSys account. You may change the account names for NGenDist and NGenDesign. However, if you do so, you must provide these new account names to the Distributor/Nortel Networks Support personnel or they will not be able to use these default accounts to access the server remotely. If you change any of the default Symposium Call Center Server Windows local user account names, the

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

47

Security recommendations

Nortel Networks Proprietary

changed accounts will not be removed by the Symposium Call Center Server R5.0 software uninstall program, and instead must be removed manually. For security reasons, customers are encouraged to change the passwords for these default accounts upon successful Symposium Call Center Server installation. If you change the password for the “NGenSys” account, then you must also update the Symposium Call Center Server Backup and Restore service password (refer to the Nortel Networks Symposium Call Center Server Installation & Maintenance Guide for Release 5.0[1] for the password change procedures). You must not add any additional Windows 2000 user accounts to Symposium Call Center Server (except the account for the R5.0 Remote Database Backup and Restore feature). With the exception of the Administrator account, other default Windows 2000 accounts (for example, Guest) can be disabled or removed to increase the security of the server. If you change the default Administrator account name, it has no impact on the normal operation of the Symposium Call Center Server R5.0 server. However, it will cause the Platform Vendor Independence Check (PVI Check) utility to notify you that an invalid administrator account is being used. Therefore, Nortel Networks recommends that you change the Administrator account name only after you install the Symposium Call Center Server R5.0 software.

4.4

Anonymous logon
The Windows 2000 Server default installation allows you to log on remotely as “Anonymous,” a feature that can expose some server information. Since Symposium Call Center Server R5.0 does not require an Anonymous logon, Nortel Networks recommends that you disable the Anonymous logon by changing the Additional restriction for anonymous connections security policy to No access without explicit anonymous permission, or changing the “HKLM/SYSTEM/CurrentControlSet/Control/LSA/RestrictAnonymous” registry key value from the default value of “0” to “2”.

4.5

Third-party applications
Due to the mission-critical, real-time processing performed by Symposium Call Center Server, Nortel Networks stipulates that no other “application” class software be installed on the server, but that certain “utility” class software may be installed, providing that it conforms to the guidelines listed below. • “Application” class software generally requires a certain amount of system resources and is not to be installed on the Symposium Call Center Server. The addition of third-party applications may cause a real-time system, such as Symposium Call Center Server, to operate outside of the known engineering limits and hence create potential unknown system problems (for example, CPU contentions, increased network traffic loading, disk access degradations, etc.)
Issue 1.00

48

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Security recommendations

Nortel Networks Proprietary

Certain third-party “utility” class software applications, such as hardware diagnostics or backup tools, generally require less system resources during the normal operations of Symposium Call Center Server and are, therefore, permitted. Exceptions are utilities that may cause system problems and degrade performance, such as screen savers. Anti-virus software is classed as a utility and is subject to the generic guidelines below, as well as to a specific series of recommendations detailed further in this guide.

Note: Third party backup software can only be used for offline full backups. The database backup must be performed using the utility provided by Symposium Call Center Server due to proprietary functions called upon during the backup routine. Guidelines for “utility” implementations 1. During run-time, the utility must not degrade the Symposium Call Center Server system beyond an average 50 percent CPU utilization. Furthermore, the utility must not lower the minimum amount of free hard disk space required by Symposium Call Center Server and the Windows operating system. 2. The utility must not cause any improper software shutdowns or out of sequence shutdowns. 3. The utility must not administer the Symposium Call Center Server software. 4. If the utility has its own database, it must not impact the Symposium Sybase database. 5. A Disk Compression utility must not be used. 6. Memory Tweaking utilities (for example, WinRAM Turbo, Memory Zipper, etc.) that are used to “reclaim” memory unused by Microsoft must not be used. 7. The installation or un-installation of the utility class software must not impact/conflict with the Symposium Call Center Server software (for example, DLL conflicts). If it does impact/conflict with the Symposium Call Center Server software, then you may need to rebuild the server. 8. The installation or un-installation of the utility class software must not impact/conflict with the Symposium Call Center Server minimum security settings and configuration (for example, enabling IIS service, conflicts in the Windows 2000 security settings, etc.). If it does impact/conflict with the Symposium Call Center Server minimum
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 49

Security recommendations

Nortel Networks Proprietary

security settings and configuration, then you may need to rebuild the server. 9. The installation of the utility class software must be performed after the Symposium Call Center Server is installed. 10. The software must not be installed within the Symposium Call Center Server folder on the D: drive. Nortel Networks recommends that you install the software in its own folder on the C: drive. 11. The software must be virus free. Do not install any software when the origin of the software is not known. It is the implementation personnel’s responsibility to perform tests to ensure that these conditions and recommendations are met prior to putting the server into production. As part of the fault diagnostic process, the Distributor/End User may be asked to remove third-party software.

4.6

Anti-virus scanning
Noted that the risk of virus infection on the Symposium Call Center R5.0 server is minimal due to the following reasons: • • • • The server requires limited access for support. Typically, only maintenance personnel have local access to the server and remote access through pcAnywhere. All Nortel Networks software distributions including PEPs and SUs are virus free. Customers are discouraged from installing non-Symposium Call Center Server software on the server, which minimizes the risk of encountering infected software on the server. Customers are discouraged from directly accessing the Internet from the server, which minimizes the risk of getting a virus through the Internet. There should be no e-mail activity of any kind on the Symposium Call Center Server R5.0 server, which eliminates any chance of getting a virus through e-mail. There should be no shared folders or files on the Symposium Call Center Server R5.0 server, which eliminates any chance of getting a virus through open file/folder sharing.

• •

50

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Security recommendations

Nortel Networks Proprietary

In spite of the above recommendations, Nortel Networks acknowledges the fact that many customers have security policies that may require that anti-virus software be installed on the Symposium Call Center Server R5.0 server. Nortel Networks has carried out testing on a representative sample of anti-virus software packages (Norton, McAfee, and Innoculate) in order to determine the following generic guidelines for the use of anti-virus software: • The Symposium Call Center Server software must be installed on the server before you install the anti-virus software. When the anti-virus software is installed, it is the implementation personnel’s responsibility to perform testing with the anti-virus software, in accordance with the guidelines for “utility” implementations outlined in section 4.5 of this guide. During PEP installations on both the client and server, all anti-virus functionality should be disabled (for example, firewalls, (passive) scanning, auto updates etc.) and should not be started up automatically until the entire Symposium Call Center Server installation procedure is complete. You may re-enable the anti-virus functionality afterwards, as required. If personal firewalls are enabled on the Symposium Call Center Server client PC, then the Report Listener may be flagged as trying to access the Internet. You must configure the ‘Properties’ to allow the Report Listener to access the Symposium Call Center Server R5.0 server through the firewall. Set virus scans to run on the server during off-peak hours, and not to start on the hour. Note that several maintenance tasks are automatically activated on Symposium Call Center Server at midnight, so an offmidnight time should be set for virus scans. Similarly, active virus scans should be disabled when running diagnostic traces or logs on the Symposium Call Center Server R5.0 server. Infected file quarantine policy on the Server and Client: The anti-virus software should not be configured to deal automatically with suspected infected files. In the event that infected files are located, do not attempt to replace or remove them. Contact your local Nortel Networks Support representative for assistance in determining if the files are part of the Symposium Call Center Server application, or a critical system file. Nortel Networks recommends that you exclude the following files from scanning: F:\Nortel\Database\ <additional database drive>:\Nortel\Database
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 51

Security recommendations

Nortel Networks Proprietary

In addition, the following file should be excluded: D:\Nortel\ICCM\bin\Tools2.exe (You will encounter file access errors in the Scan Activity log if you do not exclude this file from scanning.) • You must not connect the Symposium Call Center Server R5.0 server directly to the Internet to download virus definitions or updated files. In addition, Nortel Networks recommends that you do not connect the Symposium Call Center Server client PC to the Internet. Instead, you should download virus definitions and update files to another location on your network, and then manually upload to the Symposium Call Center Server R5.0 server. This is the same recommended procedure for downloading Symposium Call Center Server PEPs. This recommendation limits access to the Internet, and thus reduces the risk of downloading infected files. In addition, all PEP files, CD-ROMs, and floppy disks should be scanned prior to installing or uploading to the server. This practice minimizes any exposure to infected files from outside sources. SNMP alerting on virus confirmation: At this time, Nortel Networks has not tested this feature and is unable to ascertain whether it poses any potential risks to Symposium Call Center Server. It is, therefore, not recommended that you activate this feature. Capacity considerations: Note that running virus scan software can place an additional load on server in Symposium Call Center Server. It is the implementation personnel’s responsibility to run the Windows 2000 Server Performance Monitor tool on the server to gauge CPU utilization. If the anti-virus software scan causes the server’s average CPU utilization to exceed 50 percent for longer than 20 minutes, then the anti-virus software should not be loaded onto the Symposium Call Center Server R5.0 server.

Note: • Nortel Networks does not provide support on the configuration of antivirus software, but it will endeavor to offer guidance where possible. Questions or problems on anti-virus software should be directed to the appropriate vendor. The above recommendations are intended as guidelines only, and do not constitute a guarantee of compatibility. Nortel Networks does not plan to perform ongoing compatibility testing, or testing on other anti-virus packages.

52

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Security recommendations

Nortel Networks Proprietary

If performance or functionality issues are raised to Nortel Networks Support, as part of the fault diagnosis process, the customer/distributor may be asked to remove third-party utility software or anti-virus software.

4.7

Internet access
Internet access poses a major source of security risks, threats, and vulnerabilities to the server. By default, Windows 2000 Server installs Internet Explorer, which can be configured for accessing the Internet. Since Symposium Call Center Server R5.0 does not require Internet access, Nortel Networks recommends that you refrain from accessing the Internet or Intranet directly from the Symposium Call Center Server R5.0 server. Nortel Networks recommends that if you require access to the Nortel Networks Web site (for example, to obtain the latest PEP/SU etc.), then you should use a separate PC that is virus free.

4.8

E-mail access
Electronic mail (e-mail) and applications using the SMTP service are a major source of security risks, threats, and vulnerabilities. By default, Windows 2000 Server installs Outlook Express, which can be configured to access an e-mail system. Since Symposium Call Center Server R5.0 does not require SMTP service, Nortel Networks recommends that you refrain from accessing any e-mail systems or installing any applications that will enable the SMTP service on the Symposium Call Center Server R5.0 server.

4.9

File and folder sharing
One of the most common forms of malicious code attack (for example, the Code Red and Nimda viruses) occurs through file and folder sharing on the server. By default, Symposium Call Center Server R5.0 does not include any shared folders or files on the server. To help maintain a secure environment, you must not share any installed file or folder at any time. Nortel Networks recommends that you refrain from granting write access permissions to any files or folders (except for the default permissions granted by Symposium Call Center Server) on the Symposium Call Center Server R5.0 server. If there is an absolute need to share files or folders on the server, then you must be cautious when granting write access permission to users on your network and remove the shared access immediately after the user completes the required task.

4.10 File and folder permission
By default, Windows 2000 grant “Everyone” group with Full Control permission for all disk drives without other account or group. This default permission allows everyone accessing the server can have full control on all files and folders, and it is considered as a high security risk. It is a common security policy and practice to
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 53

Security recommendations

Nortel Networks Proprietary

remove the “Everyone” group permission for all disk drives and add specific Windows user account or group with specific permission. Symposium Call Center Server supports the removal of the “Everyone” group as long as the following recommended accounts and groups as listed in Table 12 are added to the specified disk. Symposium Call Center Server can fail to operate if these recommended accounts and groups are not added with the required permission.
Table 12 Symposium Call Center Server File and Folder Permission

Account/Group Permission Administrators SYSTEM Creator Owner Full Control Full Control Full Control

Applied to This folder, Subfolders and files This folder, Subfolders and files Subfolders and files

Granted Disk All drives All drives C: drive only (Microsoft’s recommendation) Root of C: drive only (Microsoft’s recommendation) D: drive only (do not need this permission for normal Symposium Call Center operation, only needed for running automatic test suite by Nortel Networks product verification group)

Everyone

Read & Execute

This folder only

Read

This folder, Subfolders and files

4.11 Encryption
Windows 2000 supports file and folder encryption. However, Symposium Call Center Server R5.0 does not support or require any form of file and folder encryption by Windows 2000. You must not attempt to encrypt any installed Symposium Call Center Server files or folders, including all Symposium Call Center Server database folders and files. If Windows 2000 encryption is enabled
54 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00

Security recommendations

Nortel Networks Proprietary

on any Symposium Call Center Server database folders or files, it will corrupt the database. In this case, Symposium Call Center Server can only be recovered by re-installing and then restoring the database from the latest available database backup.

4.12 Microsoft Baseline Security Advisor
Symposium Call Center Server R5.0 is compatible with the Microsoft Baseline Security Advisor (MBSA) security tool. You can use this tool to scan the Symposium Call Center Server R5.0 server to check if it meets the Microsoft baseline security recommendations for Windows 2000 Server. If you want to run the MBSA tool against the Symposium Call Center Server R5.0 server, then Nortel Networks recommends that you run this tool after the Symposium Call Center Server R5.0 software is installed. Due to the default configuration of Symposium Call Center Server R5.0, the MBSA may issue certain security noncompliance statements or warnings. Table 13 lists the typical MBSA version 1.2 scanning items and Nortel Networks recommendations for Symposium Call Center Server.
Table 13 MBSA scanning items and Symposium Call Center Server recommendations

MBSA scanned item MSXML Security Updates

Symposium Call Center Server recommendation MBSA may indicate that latest security updates are out-of-date. Symposium Call Center Server has no dependency on the MSXML, and it is customer’s option to install the latest MSXML security update as recommended by Microsoft. MBSA may indicate that the latest critical security updates are missing. Check against the latest Symposium Products Service Packs Compatibility and Security Hotfixes Applicability list for applicable Microsoft security updates and installed all applicable security updates. MBSA may indicate that latest security updates are out-of-date. Symposium Call Center Server has no dependency on the Microsoft VM, and it is customer’s option to install the latest Microsoft VM security update as recommended by Microsoft. MBSA may indicate that latest security updates are out-of-date. Symposium Call Center Server has no dependency on the Microsoft Office, and it is
55

Windows Security Updates

Microsoft VM Security Updates

Office Security Updates

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Security recommendations

Nortel Networks Proprietary

MBSA scanned item

Symposium Call Center Server recommendation customer’s option to install the latest Microsoft Office security update as recommended by Microsoft. MBSA may indicate that latest security updates are out-of-date. Symposium Call Center Server has no dependency on the Windows Media Player, and it is customer’s option to install the latest Windows Media Player security update as recommended by Microsoft. MBSA may indicate that the latest critical security updates are missing. Check against the latest Symposium Products Service Packs Compatibility and Security Hotfixes Applicability list for applicable Microsoft security updates and installed all applicable security updates. MBSA may indicate non-compliance. Restrict anonymous access as recommended by Microsoft. MBSA may warn that more than two administrators are found in the computer. Check and confirm that only the “Administrator”, “NGenSys”, “NGenDist”, “NGenDesign”, and the remote database backup and restore users are listed in the Administrator group. Remove any additional administrator accounts. MBSA may warn that all user accounts have nonexpiring passwords. “NGenSys” and the remote database backup and restore users must be configured with non-expiring passwords. Other users can be configured with password expiration, as required. Internet Connection Firewall is not available on Windows 2000 platform. MBSA should indicate Internet Connection Firewall is not installed or configured properly, or is not available on this version of Windows. MBSA may warn that some user accounts have blank or simple passwords, or could not be analyzed. The passwords for the Symposium Call Center Server default local accounts (NGenSys, NGenDist, and NGenDesign) should pass this test. Check and change user passwords if required.

Windows Media Player Security Updates

MDAC Security Updates

Restrict Anonymous Administrators

Password Expiration

Internet Connection Firewall

Local Account Password Test

56

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Security recommendations

Nortel Networks Proprietary

MBSA scanned item Automatic Updates

Symposium Call Center Server recommendation MBSA may indicate non-compliance. Recommend to review and configure the server with the appropriate method to obtain the Microsoft updates. MBSA should indicate that all hard drives are using the NTFS system. Repartition and reinstall Symposium Call Center Server if any software or database drives used by Symposium Call Center Server are not using NTFS. MBSA should indicate that Autologon is not configured on this computer. Remove Autologon if configured. MBSA should indicate that the Guest account is disabled on this computer. Disable or remove the Guest account if enabled. MBSA may suggest turning on Auditing. Follow the Symposium Call Center Server R5.0 guidelines on the auditing policy (section 3.2.6 of this guide). MBSA may suggest removing unneeded services (for example, Remote Access Connection Manager, Telnet etc.). Do not remove the Remote Access Connection Manager if the RAS method is used for a remote access (pcAnywhere) connection instead of direct modem. Since Symposium Call Center Server does not require the Telnet service, you can remove it as recommended by Microsoft. Review other listed unneeded services and disable them if they are not listed as Symposium Call Center Server required services (section 3.1.2 of this guide). MBSA may suggest shares on the server. Ensure that only the system default shares are on the server with the proper permissions. Symposium Call Center Server does not require any additional share to work. MBSA must list the Windows version as the Windows 2000 Server version. MBSA should indicate that this service is not running on the computer. Remove the IIS service if it is
57

File System

Autologon

Guest Account

Auditing

Services

Shares

Windows Version IIS Status

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Security recommendations

Nortel Networks Proprietary

MBSA scanned item SQL Server/MSDE Status IE Zones

Symposium Call Center Server recommendation running. MBSA should indicate that SQL Server and/or MSDE is not installed on this computer. Remove SQL Server and/or MSDE if it is installed. MBSA may indicate that Internet Explorer zones do not have secure settings for access. It is acceptable for Symposium Call Center Server if IE is not configured and used for Internet access. MBSA should indicate that no Microsoft Office products are installed. Remove all Microsoft Office products from the server.

Macro Security

4.13 SNMP Configuration
Symposium Call Center Server R5.0 supports sending Symposium Call Center Server error and alarm events as SNMP traps only, and no other SNMP functions are provided. Nortel Networks recommends the following security configuration to reduce the security risk from SNMP service: • If no SNMP service (including receiving Symposium Call Center Server SNMP traps) is required by a NMS on the customer network from the Symposium Call Center Server, Nortel Networks recommends you to disable or remove the SNMP Service and SNMP Trap Service from the Windows services. Disabling or removing the SNMP Service and SNMP Trap Service only disable the Symposium Call Center Server capability to send error and alarm events as SNMP traps and will not interfere with other Symposium Call Center Server functions. Nortel Networks recommends using a customer defined community name instead of the well known “public” community name for SNMP traps. Nortel Networks recommends configuring SNMP Service to accept SNMP packets only from a specified list of known SNMP hosts instead of accepting SNMP packets from any host.

• •

4.14 Remote support access
Symposium Call Center Server R5.0 supports remote connection to the server through pcAnywhere so that Distributors/Nortel Networks support groups can perform remote server maintenance. Customers can configure either a direct
58 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00

Security recommendations

Nortel Networks Proprietary

modem, Remote Access Service (RAS), or VPN (with Nortel Networks Contivity product) connection method. Nortel Networks recommends the VPN connection method together with the proper firewall or subnet isolation between the Symposium Call Center Server network subnet and the corporate network, as it provides a secure connection that minimizes the risk of exposing other customer network resources to the remote connection. To prevent illegal access to the Symposium Call Center Server R5.0 server through the remote connection, you must configure the appropriate pcAnywhere and RAS (if configured) logon accounts and passwords. Nortel Networks recommends that you do not use any default or simple passwords for the pcAnywhere and RAS logon accounts. For security reason, a firewall may be placed before the Symposium Call Center Server in the network path for the remote connection. In order to allow pcAnywhere remote session to be successful, the port 5631 (TCP) and port 5632 (UDP) must be opened.

4.15 Symposium Call Center Server backup and restore strategy
A proper Symposium Call Center Server backup and restore strategy is critical to recover the Symposium Call Center Server R5.0 sever in event of virus infection or server security damage beyond repair. The Symposium Call Center Server R5.0 Standby Server function does not replace the requirement of regular Symposium Call Center Server backup. It is important to note that Symposium Call Center Server backup and restore strategy must be included as part of your security risk management plan. Nortel Networks recommends that you schedule and perform regular Symposium Call Center Server database backups (local tape or remote database backups). In addition, you must have an up to date Symposium Call Center Server Platform Recovery Disk (PRD) stored in a secure place. Nortel Networks recommends that you create a new PRD whenever there is a Symposium Call Center Server platform configuration change (for example, if you run the Symposium Call Center Server R5.0 Server Setup Configuration Utility, Database Expansion utility, etc.).

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

59

Security recommendations

Nortel Networks Proprietary

[ This page is left intentionally blank ]

60

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

Glossary

Nortel Networks Proprietary

5

Glossary
The glossary provided relates solely to this document.

CLAN DHCP DNS ELAN IT LAN MAS NCC PC PEP PRD RAS SCCS SMTP SU WAN

Customer Local Area Network Dynamic Host Connection Protocol Domain Name Service Embedded Local Area Network Information Technology Local Area Network Meridian Application Server Network Control Center Previously known as CLAN Personal Computer Performance Enhancement Package Platform Recovery Disk Remote Access Service Symposium Call Center Server Simple Mail Transfer Protocol Service Update Wide Area Network

Nortel Networks Servers Subnet

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

61

Glossary

Nortel Networks Proprietary

[ This page is left intentionally blank ]

62

Symposium Call Center Server 5.0 Security Guide for Windows 2000

Issue 1.00

References

Nortel Networks Proprietary

6
[1]

References
Nortel Networks Symposium Call Center Server Installation and Maintenance Guide, Product release 4.2, Standard 1.0, April 2002

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

63

Nortel Networks Proprietary

[ Last Page ]

Issue 1.00

Symposium Call Center Server 5.0 Security Guide for Windows 2000

65

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->