Cisco TELEPRESENCE MANAGEMENT SUITE SECURE SERVER - CONFIGURATION GUIDE 13.0, TELEPRESENCE MANAGEMENT SUITE SECURE SERVER Configuration Manual

Cisco TelePresence

Management Suite

Secure Server

Hardening Windows Server 2003 for

Cisco TMS 13.0

Product Configuration Guide

D13148.08

December 2010

Document revision history

Cisco TMS Secure Server Configuration Guide 13.0 Page 2 of 34

Contents

References and related documents ........................................................................................................ 5

Preface .................................................................................................................................................... 5

Pre-install considerations ........................................................................................................................ 7

Installing baseline configuration .............................................................................................................. 7

File system............................................................................................................................................... 9

Administrator account .............................................................................................................................. 9

Set strong password and lockout policies ............................................................................................... 9

Secure the SQL Server ......................................................................................................................... 10

Use Local Service User .................................................................................................................. 10

Disable Network Protocols ............................................................................................................. 10

Cisco TMS Service User Account ......................................................................................................... 10

Create a Cisco TMS Service Account ............................................................................................ 10

Assign file ACLs for Cisco TMS directories .................................................................................... 10

Configure Cisco TMS Services to use Service Account ................................................................ 12

Remove unnecessary user accounts .................................................................................................... 13

Remove unnecessary windows components ........................................................................................ 14

Disable unnecessary windows services ................................................................................................ 15

Network services ................................................................................................................................... 17

Configuring TCP/IP ........................................................................................................................ 17

Configuring the Windows Firewall .................................................................................................. 17

Apply appropriate file ACLs ................................................................................................................... 18

Audit policy ............................................................................................................................................ 20

User rights assignment .......................................................................................................................... 21

Security options ..................................................................................................................................... 23

Set event viewer history ........................................................................................................................ 27

Remove any file shares ......................................................................................................................... 27

Screen saver ......................................................................................................................................... 28

Disable dump file creation ..................................................................................................................... 28

Miscellaneous registry changes ............................................................................................................ 28

Protect the registry from anonymous access ................................................................................. 28

Disable 8.3 file format compatibility ................................................................................................ 28

Clear paging file at shutdown ......................................................................................................... 29

Disable Autorun from CD ............................................................................................................... 29

Protection against denial of service attacks ................................................................................... 29

Check status of logon screen shutdown button ............................................................................. 29

Enable logging on the website .............................................................................................................. 30

Delete the default installed examples .................................................................................................... 30

Disable unneeded web extensions ........................................................................................................ 30

Steps to repeat after Cisco TMS installs and upgrades ........................................................................ 30

Set proper authentication methods ................................................................................................ 30

Delete unused application mappings ............................................................................................. 31

Optional - Configure Cisco TMS to use HTTPS ............................................................................. 32

Optional - Remove XAPDLL ........................................................................................................... 32

Optional - Remove Polycom Endpoint support .............................................................................. 32

Cisco TMS upgrades ............................................................................................................................. 33

Continued monitoring ............................................................................................................................ 33

Up to date patching ............................................................................................................................... 33

Document revision history

Cisco TMS Secure Server Configuration Guide 13.0 Page 3 of 34

Tables

Table 1 Service account file ACLs ........................................................................................................ 11

Table 2 Windows components .............................................................................................................. 14

Table 3 IIS components ......................................................................................................................... 15

Table 4 Required port exceptions ......................................................................................................... 17

Table 5 Required program exceptions .................................................................................................. 18

Table 6 Summary of audit policy settings .............................................................................................. 21

Table 7 List of recommended user rights settings. ............................................................................... 21

Table 8 Recommended security options ............................................................................................... 24

Table 9 Hardening the TCP/IP stack ..................................................................................................... 29

Table 10 Extensions to leave enabled .................................................................................................. 30

Table 11 Nodes to select when applying permissions .......................................................................... 31

Table 12 Extensions to remove ............................................................................................................. 31

Document revision history

Cisco TMS Secure Server Configuration Guide 13.0 Page 4 of 34

Document revision history

Revision 7 Update for Cisco TMS 12

Comprehensive update for Windows 2003 SP1 Changes
Removal of Windows 2000 specific references
Updated formatting and reorganization
Removed incorrect IIS anonymous restrictions
Added SQL Server Service Accounts

Added Cisco TMS Service Accounts
Revision 8 Updated information and visual template.
Revision 9 Stage 1 rebranding.
Revision 10 Stage 2 rebranding – new product names.

General

Cisco TMS Secure Server Configuration Guide 13.0 Page 5 of 34

General

References and related documents



Windows Server 2003 Security Guide (Microsoft Corporation)



Windows 2003 Threats and Countermeasures Guide (Microsoft Corporation)



Knowledge Base article 823659 Client, service, and program incompatibilities that may occur
when you modify security settings and user rights assignments



Professional Server Pages 3.0 (WROX)



Knowledge Base article 2222473 Registry Settings for Windows File Protection (Microsoft
Corporation)



ISA Server and IIS Server (Microsoft Corporation)



Securing (Hardening) Windows Servers (Business Advisory Services Information Security)



Port Assignments foe Commonly-Used Services (Microsoft Corporation)



Windows 2003 Server TCP/IP Core Networking Guide (Microsoft Corporation)



Windows 2003 Group Policy (Microsoft Corporation)



SQL Server 2005 - Setting Up Windows Service Accounts (Microsoft Corporation)

Preface

Cisco TelePresence Management Suite (Cisco TMS) is scalable, easy-to-use and integrates with
existing applications to increase the value of your video network. It provides complete visibility and
centralized control for on-site and remote video systems. Cisco TMS supports management,
deployment, and scheduling of the entire video network, including telepresence, from one single
product.

Hardening a server reduces its exposed services, enforces stricter policies on behavior, and removes
components or functionality not essential to the server’s task. Through the Trustworthy Computing
Initiative Microsoft has significantly increased the security of a default installation of Windows 2003
SP2 compared to Windows 2000 or earlier. If you still wish to further tighten the security of your
installed servers Microsoft provides guidelines on hardening servers based on several degrees of
strength and the task that the server will perform.

This document is intended to provide instruction on how to harden a Windows 2003 server for the
tightest security, that Microsoft terms ‘Specialized Security – Limited Functionality’ while still
maintaining compatibility with the Cisco TMS application.

Hardening a server to this level reduces functionality of the server. Weigh your needs against these
changes before attempting to harden a server. This reduction in functionality will affect other policies
and methods one may normally expect to have available with Windows Server.

Take care when modifying the server as mistakes could render it unusable. A rebuild will be necessary
for recovery. The methods used in this document will allow no access to the Windows Server itself
except for users who are administrators. Additional information on risks regarding these changes are
available in the Microsoft Security Guide and Threats and Countermeasures documentation listed at
the beginning of this document.

This document describes



The installation of Windows.



The process of adding Cisco TMS.



How to secure Windows and IIS for a stand-alone installation of Cisco TMS.

The descriptions provided here apply to Windows 2003 SP2 and Cisco TMS version 12 and newer.
For versions older than Cisco TMS version 12, we recommend starting with a new Windows 2003
SP2server and upgrading to the latest version of Cisco TMS v12 to take advantage of the security
updates integrated into these products.

General

Cisco TMS Secure Server Configuration Guide 13.0 Page 6 of 34

IMPORTANT: This document does not guarantee that your server is secure from attacks even if you
have applied all the changes described. Cisco is not responsible for potential harm that attackers
might cause, nor any damage caused to your server by following the steps outlined in this document.

Installation

Cisco TMS Secure Server Configuration Guide 13.0 Page 7 of 34

Installation

Pre-install considerations

We strongly recommend installing Cisco TMS on a dedicated server. Using Cisco TMS server for
other purposes or services will reduce the effectiveness of any security initiative.



The outline presented in this document assumes Cisco TMS is the only application installed on
the server.



The server should be physically placed in a room that is inaccessible to unauthorized persons.



The server should never be a domain controller.



The security recommendation is to install Cisco TMS using a local instance of SQL Server. This
reduces the surface area of the SQL server and keeps all communications between the
application and the database off the network. Installations looking to use an external SQL Server
should consider using SSL to secure the database traffic between the Cisco TMS Server and the
SQL Server.

For additional Microsoft documentation regarding SSL and SQL, see How SQL Server uses a

certificate when the Force Protocol Encryption option is turned on

Installing baseline configuration

1. Install Windows 2003 SP2- When installing the server; create two partitions on the server.
One is the system partition, usually C:\ where Windows and IIS is installed. The second partition
is used by Cisco TMS. Install Windows Server 2003 with Service Pack 2 (SP2) using the default
settings. Be sure to format the partitions NTFS when performing the initial setup of Windows.

2. Install anti-virus software and updates - Protect the new server by installing your choice of
enterprise anti-virus software package. It is important that you keep up–to-date on the latest
virus signatures. Take note of anti-virus features that control/prevent sending of email via
SMTP. Cisco TMS requires the ability to send mail via SMTP (TCP Port 25).

3. Install the latest Windows Service Pack - As each Service Pack from Microsoft includes all
security fixes known to date it is vital that the latest version is installed. Update your baseline
server to the latest Service Pack for Windows.

4. Install the appropriate post-Service Pack security updates - Update the server to the latest
available post-Service Pack security updates and any relevant hot-fixes. You can subscribe to
the e-mail service where Microsoft sends administrators information about security issues and
hot-fixes available for patching security holes- Go to:

http://www.microsoft.com/technet/security/bulletin/notify.mspx

5. Join server to Domain – Join the new server to the domain it will be used with.

6. Optional – Install SQL Server 2005 - If you are planning on running a full edition of SQL
Server 2005 rather than the express edition installed with Cisco TMS, install SQL Server at this
time to the second partition of the server. The server must be installed in Mixed Authentication
mode – choose a strong password for the SA account. Only the SQL Engine component and its
dependencies are required.

7. Install Cisco TMS - Install the latest version of Cisco TMS. When running the installer, choose
the custom option to allow greater control of the installation.
If no SQL Server was previously installed, specify to install the SQL Server locally with a strong
SA password.
Specify the installation paths of the SQL Server and Cisco TMS directories to be on the second
partition of your server. As part of the installation, IIS and SQL Server may be installed.

8. Secure Default Groups for Cisco TMS – As part of the default installation of Cisco TMS, all
new users are automatically added to the Site Administrators group and the Users group.
Both groups have full permissions to all facilities.
To establish one user as the only Site Administrator, do the following:

a. Log in as that user, go to Administrative Tools > User Administration > Default Groups

and set Users to be the only default group. All new users that log in to Cisco TMS will now

Installation

Cisco TMS Secure Server Configuration Guide 13.0 Page 8 of 34

only be added to the group Users.
To set permissions for users in this group

b. Go to Administrative Tools > User Administration > Groups. Next click Set Permissions

for the Users group and check the appropriate checkboxes.
Take time to properly design your user groups and default system permissions before rolling
out Cisco TMS into production.

9. Check and apply security fixes for SQL and IIS - Run Windows Update again to check for
any updates for any additional components that have been installed along with Cisco TMS.
Check the Microsoft SQL Server website and install any updates for the SQL Server engine.

This concludes the basic installation. The remainder of the document will address securing this
installation without breaking the Cisco TMS Server’s functionality.

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 9 of 34

Securing Windows Server 2003 tasks

File system

Ensure the file system for all hard disks is NTFS. Avoid using FAT, FAT 32 or FAT 32x file systems, as
these file systems do not support the same level of access control and security that the NTFS does.
This relates to all partitions on the server and not just the boot partition.

Administrator account

Password - Make sure that the administrator account has a strong password. A strong password is a

long pass phrase that combines upper and lower case letters, numbers and symbols.
Rename the administrative account - Rename the administrator account to a less obvious name,

and delete or change its description. Even though this will not stop all hackers, it makes their job more
difficult.

Create a dummy administrator account - It is also a good idea to create a dummy administrator
account in addition to the true administrator account. When creating the dummy administrator remove
any privileges associated with the account and set a long and complex password. Finally, take away

all associated privileges by removing the dummy administrator1 account from the User group after it
has been created. Make sure the Event Log is checked regularly for any attempts to use the dummy

administrator account.2

Set strong password and lockout policies

To change the password policies go to Windows Start > Control Panel > Administrative Tools >
Local Security Policy.

Note: Domain level policy settings may override these settings.

Password rules - Choose Account Policies >Password Policy, and apply the following changes:



Set the Minimum password length to at least 8 characters



Set the Minimum password age to at least 1 day



Set the Maximum password age to no more than 180 days



Set the Enforce password history to at least 5
This forces the administrator to change the password every 180 days, ensures the previous five
passwords cannot be reused and that passwords cannot be changed more than once a day.

Account lockout policy – Choose Account Policies > Account Lockout Policy, and apply the
following changes:



Set the Account lockout threshold to no more than 3



Set the Account lockout duration to at least 15 minutes



Set the Reset Account lockout counter after to at least 15 minutes
This will disable any account for at least 15 minutes if the number of login attempts to the said account
exceeds 3. This will deter hackers from using brute force attacks on the accounts.

1

Your newly created administrator account, not the inbuilt account supplied by Windows as this has now been

renamed.

2

Setting up the logging is described in section Error! Reference source not found..

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 10 of 34

Secure the SQL Server

SQL Server 2005 installs by default in a local-only configuration designed to reduce surface area.
These additional steps will further reduce exposure by lowering privileges and protocols.

Use Local Service User

SQL Server installs by default to run as the NETWORK SERVICE user. SQL Server also creates user
groups to simplify assigning permissions when SQL is installed. It will create the user group
SQLServer2005MSSQLUser$ComputerName$InstanceName. To reduce privileges of the user
running SQL, create a local Windows user to act as the service account for SQL Server with a strong
password and a username of your choice. The placeholder name sqlserviceuser will be referenced
through the remainder of this document to refer to this account.

1. In the Start Menu, open Microsoft SQL Server 2005’ Program Group > Configuration Tools

> SQL Server Configuration Manager.

2. Click SQL Server 2005 Services and double-click ‘SQL Server [InstanceName]’ to open the

properties.

3. Select Log on as -> This account and enter the account information for sqlserviceuser.

4. Click OK to save changes and restart the service.

Disable Network Protocols

In the SQL Server Configuration Manager.expand the SQL Server 2005 Network Configuration
tab and select ‘Protocols for [InstanceName]’. Disable all protocols except Shared Memory by right­clicking on them and selecting Disable.

If changes are made you must restart the SQL Engine to have changes take effect.

Cisco TMS Service User Account

Create a Cisco TMS Service Account

Cisco TMS will install its services to run as the Local System account. To run at lowest possible
privileges, a local Windows account will be configured. Create a local Windows User to act as the
service account for Cisco TMS Services and the Cisco TMS website. Use a strong password and a
username of your choice. The placeholder name tmsserviceuser will be referenced through the
remainder of this document to refer to this account.

1. In the Start menu, open Administrative Tools > Local Security Policy.

2. Expand the Local Policy > User Rights Assignment in the tree navigator.

3. Right- click Log on as a Service in the list to the right.

4. Click the Add User or Group button and add the tmsserviceuser account by typing in this

name.

5. Click Check Names.

6. Click OK to save and add tmsserviceuser and OK to save changes to Local Security settings.

Assign file ACLs for Cisco TMS directories

Table 1 below lists the required ACLs for the Cisco TMS directories on the Cisco TMS server. When
editing these ACLs, remove any additional permissions not listed in the table except for inherited
permissions. Inherited permissions will be modified in a later section. Permissions added here are
described assuming inheritance is allowed on all child directories. Child directories with only inherited
permissions are not listed.

To set permissions to a folder in Windows Explorer:

1. Right-click the folder, select Sharing and Security from the drop-down menu,

2. Select the Security tab and set permissions as shown in the table below for each group/user.

Note: This step must be repeated after any future Cisco TMS installations or upgrades as the installer
will default these directories back to the default permissions.

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 11 of 34

Table 1 Service account file ACLs

Directory

User/Group

Permission

<tms installdir>\

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

1) Full Control

2) Full Control

3) Read & Execute

<tms installdir>\OldConferenceAPI 1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Read & Execute

4) Read

<tms installdir>\Provisioning\web 1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Read & Execute

4) Read

<tms
installdir>\Provisioning\OpenDS\bak

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

1) Full Control

2) Full Control

3) Full Control

<tms
installdir>\Provisioning\OpenDS\config

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

1) Full Control

2) Full Control

3) Full Control

<tms
installdir>\Provisioning\OpenDS\db

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

1) Full Control

2) Full Control

3) Full Control

<tms
installdir>\Provisioning\OpenDS\import

-tmp

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

1) Full Control

2) Full Control

3) Full Control

<tms
installdir>\Provisioning\OpenDS\locks

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

1) Full Control

2) Full Control

3) Full Control

<tms
installdir>\Provisioning\OpenDS\logs

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

1) Full Control

2) Full Control

3) Full Control

<tms installdir>\wwwProvisioning 1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Read & Execute

4) Read

<tms installdir>\wwwTMS 1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Read & Execute

4) Read

<tms
installdir>\wwwTMS\Data\CompanyLo
go

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Full Control

4) Read

<tms installdir>\wwwTMS\Data\Export 1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Full Control

4) Read

<tms
installdir>\wwwTMS\Data\ExternalSou
rceFiles

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Full Control

4) Read

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 12 of 34

Directory

User/Group

Permission

<tms installdir>\wwwTMS\Data\Image 1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Full Control

4) Read

<tms installdir>\wwwTMS\Data\Logo 1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Full Control

4) Read

<tms installdir>\wwwTMS\Data\Logs

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

1) Full Control

2) Full Control

3) Full Control

<tms installdir>\wwwTMS\Data\Map 1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Full Control

4) Read

<tms
installdir>\wwwTMS\Data\ReleaseKey

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Full Control

4) Read

<tms
installdir>\wwwTMS\Data\Reports

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Full Control

4) Read

<tms
installdir>\wwwTMS\Data\Snapshot

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Full Control

4) Read

<tms
installdir>\wwwTMS\Data\Software

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Full Control

4) Read

<tms
installdir>\wwwTMS\Data\SystemImag
es

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Full Control

4) Read

<tms
installdir>\wwwTMS\Data\TempFiles

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Full Control

4) Read

<tms
installdir>\wwwTMS\Public\data\SOFT

WARE3

1) LocalMachine\Administrators

2) SYSTEM

3) tmsserviceuser

3) Authenticated Users

1) Full Control

2) Full Control

3) Full Control

4) Read

Configure Cisco TMS Services to use Service Account

Configure the tmsserviceuser to run the ASP.NET application pool for Cisco TMS.

3

This directory is configurable in TMS’s Administrative Settings. If a custom directory is used, update the

permissions as necessary

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 13 of 34

1. Open a command prompt and navigate to the .NET 2 installation folder. This normally is

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727

2. Use the aspnet_regiis tool to register the service user to access the required IIS elements with

aspnet_regiis –ga <username>
aspnet_regiis –ga tmsserviceuser

3. Open Windows Start > Control Panel > Administrative Tools > Internet Information

Services (IIS) Manager

4. Under the name of the local server, expand the Application Pools folder.

5. Right- click TMSNet20AppPool and select Properties.

6. Select the Identity tab.

7. In Application Pool identity select Configurable

8. Browse or enter the tmsserviceuser for User Name and the password of this user.

9. Click OK to close the window

10. Right-Click the Server in the IIS Manager, go to All Tasks and select Restart IIS to restart the

IIS Server
Open Windows Start > Control Panel > Administrative Tools > Services
Locate the services whose names start with ‘TMS’. For each of these service do the following:

1. Double-click the service to open the properties window.

2. Select the Log On tab and select This Account.

3. Enter the account details for the tmsserviceuser account

4. Click OK.

5. Right-click the service

6. Select Restart to have the changes take effect.

Note: These steps must be repeated after any future Cisco TMS installations or upgrades as the
installer will default these services back to the default settings.

Remove unnecessary user accounts

To remove unnecessary user accounts go to Windows Start > Control Panel > Administrative Tools
> Computer Management> System Tools > Local Users and Groups.

Disable all accounts except



Your renamed Administrator account



IWAM_<machinename>



ASPNET



Sqlserviceuser



Your administrator account



IUSR_<machine-name>



tmsserviceuser



At the very least the ‘Guest’ account (disabled by default) should not be active.

Disabling an account is done by:

1. Right-click the account name.

2. Selecting Properties .

3. Under the General tab check the checkbox Account is disabled.

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 14 of 34

Remove unnecessary windows components

To reduce the attack surface of the Cisco TMS server, ensure that Windows Components that are not
required by Cisco TMS are not installed.

Go to Windows Start > Control Panel >Add or Remove Programs > Add/Remove Windows
Components. The following table lists the Windows Components. An N in the Include column
indicates that the component should be unchecked in the Windows Components Wizard. To display
subcomponents, highlight the Windows Component and click the Details button.

Table 2 Windows components

Component

Subcomponent

Include

Accessories and Utilities

N

Application Server Application Server Console N

ASP.NET Y
Enable network COM+ access Y
Enable network DTC access N
Internet Information Services Y (see second

table for details)

Message Queuing N

Certificate Services

N

E-mail Services

N

Fax Services

N

Indexing Services

N

Internet Explorer Enhanced Security
Configuration

For administrator groups Y

For all other user groups Y

Management and Monitoring Tools Connection Manager Administration

Kit

N

Connection Point Services N
Network Monitor Tools N
Simple Network Management

Protocol

Y

WMI SNMP Provider N
WMI Windows Installer Provider N

Networking Services

N

Other Network and File Services

N

Remote Installation Services

N

Remote Storage

N

Security Configuration Wizard

Y

Terminal Server

N

Terminal Services Licensing

N

UDDI Services

N

Update Root Certificates

Y

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 15 of 34

Component

Subcomponent

Include

Windows Media Services

N

Table 3 IIS components

Component

Subcomponent

Include

Background Intelligent Transfer
Service (BITS) Server Extensions

N

Common Files Y
File Transfer Protocol (FTP) Service N
FrontPage 2002 Server Extensions N
Internet Information Services Manager Y
Internet Printing N
NNTP Service N
SMTP N
World Wide Web Services Active Server Pages Y
Internet Data Connector N
Remote Administration (HTML) N
Remote Desktop Web Connection N
Serve Side Includes N
WebDAV Publishing N
World Wide Web Service Y

Disable unnecessary windows services

To reduce the attack surface of the Cisco TMS server, all Windows Services that are not required by
Cisco TMS should in general be disabled.

Go to Windows Start > Control Panel > Administrative Tools >Services.
Disable the services in the following list.

1. Right-click each of them.

2. Under the General tab, click Properties and select Disabled for Startup type.
The status should then be displayed as Disabled under the Status column in the list of Windows

services.



Alerter



Portable Media Serial Number Service



Application Experience Lookup Service



Print Spooler



Application Layer Gateway Service



Remote Access Auto Connection Manager



Application Management



Remote Desktop Help Session Manager



Automatic Updates



Remote Procedure Call (RPC) Locator



Background Intelligent Transfer Service



Remote Registry



ClipBook



Resultant Set of Policy Provider



COM+ System Application



Routing and Remote Access

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 16 of 34



Distributed File System



Secondary Logon



Distributed Link Tracking Client



Shell Hardware Detection



Distributed Link Tracking Server



Smart Card



Distributed Transaction Coordinator



Special Administration Console Helper



Error Reporting Services



SQL Server Active Directory Helper



File Replication



SQL Server Browser



Help and Support



SQL Server VSS Writer



HID Input Service



Telephony



IMAPI CD-Burning COM Service



Terminal Services Session Directory



Indexing Service



Themes



Intersite Messaging



Upload Manager



Kerberos Key Distribution Center



Virtual Disk Service



License Logging



WebClient



Messenger



Windows Audio



NetMeeting Remote Desktop Sharing



Windows Cardspace



Network DDE



Windows Image Acquisition (WIA)



Network DDE DSDM



Windows Management Instrumentation
Driver Extensions



Network Location Awareness



Windows Presentation Foundation Font
Cache 3.0.0.0



Network Provisioning Service



Windows User Mode Driver Framework



Net.TCP Port Sharing Service



WinHTTP Web Proxy Auto-Discovery
Service



NTLM Security Support Provider



Wireless Configuration



Performance Logs and Alerts

The following services are not needed by Cisco TMS and can be disabled, but may be needed
depending on your environment:



Computer Browser



DHCP Client



Microsoft Software Shadow Copy Provider



Server



SQL Server VSS Writer



Task Scheduler

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 17 of 34



Uninterruptible Power Supply



Volume Shadow Copy

Network services

In general any services not required by Cisco TMS should not be running on the Cisco TMS server in
order to reduce the attack surface of the server. This is particularly important for network services.

1. Go to Windows Start > Control Panel > Network Connections. Ensure that only the ‘Local

Area Connection’ is available.

2. Select this connection.

3. Under the General tab, click the Properties button.

4. Make sure Internet Protocol (TCP/IP) is enabled.

5. Client for Microsoft Networks should be enabled if you wish to allow domain administrators to

log into the server.

6. File and Printer Sharing for Microsoft Networks is not recommended, but may be required if

you want to create shares to transfer files over the network (like Software packages or Cisco

TMS Upgrades) to the Cisco TMS server.

7. Make sure any other services are unchecked and disabled.

Configuring TCP/IP

To further secure the server the Internet Protocol (TCP/IP) protocol settings must be configured
correctly.

1. Go to Windows Start > Control Panel > Network Connections > Local Area Connection.

2. Under the General tab, click the Properties button.

3. Click Internet Protocol (TCP/IP).

4. Click the Advanced button.

5. Select the WINS tab, disable any WINS servers that have been defined and uninstall WINS

itself.

6. Click the Disable NetBIOS over TCP/IP radio button.

Configuring the Windows Firewall

Windows Server 2003 with SP1 comes with Windows Firewall, which should be used to block
unsolicited incoming TCP/IP traffic. The firewall will be enabled by default if Windows was installed
from SP1 media or newer.

To make sure it is enabled:

1. Go to Windows Start > Control Panel > Windows Firewall.

2. Select the On radio button.

To configure what incoming traffic to allow,

1. Click the Exceptions tab.

2. For each port to allow, click Add Port.

3. Select the proper protocol.

4. Specify the port number.

5. Enter a description.
Table 4 lists the port exceptions required for the Cisco TMS server.

Table 4 Required port exceptions

Port Protocol

Service

80 TCP HTTP
161 UDP SNMP

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 18 of 34

Port Protocol

Service

162 UDP SNMP traps
389 TCP LDAP
443 TCP SSL over HTTP
636 TCP Secure LDAP
4444 TCP OpenDS Administration
8989 TCP OpenDS Replication

In addition, exceptions have to be made for some of the Cisco TMS services to ensure that incoming
traffic on the ports that Cisco TMS services listen to are not blocked.

1. Click Add Program.

2. Click the browse button.

3. Navigate to [INSTALLDIR]\TANDBERG\TMS\Services, where INSTALLDIR is the directory

where you installed Cisco TMS.

4. Select the service .exe files as shown below.

Table 5 Required program exceptions

Service executa

ble Ports listened to

TMSDatabaseScannerService.exe 8086/TCP and 1025/TCP
TMSLiveService.exe 8085/TCP
TMSPLCMDirectoryService.exe 3601/TCP
TMSSNMPService.exe 2009/UDP

If you are using Remote Desktop for remote management of the server, you need to add an exception
for port 3389/TCP. This is, however, a security risk. If practical, you can reduce this risk by only
allowing traffic on port 3389 from particular IP addresses or the local subnet. This is done by selecting
the exception and clicking on Edit and then Change scope.

Apply appropriate file ACLs

A clean install of Windows Server 2003 has secure ACLs on the file system. To secure the server
even further give the following access permissions to the different user groups. Verify the settings
against this list. Do not set Root(\) permissions recursively, as this will have the undesired effect of
permissions being inherited by all sub directories.

Note: SQL Directories will vary based on your installation so full paths are not shown here.

Directory

User/Group

Permission

Root (\) (...) 1) LocalMachine\Administrators

2) SYSTEM

3) LocalMachine\Users

1) Read & Write

2) Read &Execute

3) Read

\Program Files (...) 1) LocalMachine\Administrators

2) SYSTEM

1) Full

2) Full

\<sql
directory>\MSSQL.1

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Read &Execute

\<sql
directory>\MSSQL.1\MS

1) LocalMachine\Administrators

2) SYSTEM

1) Full

2) Full

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 19 of 34

Directory

User/Group

Permission

SQL 3) SQLServer2005MSSQLUSER$Computer

Name$InstanceName

3) Read &Execute

\<sql
directory>\MSSQL.1\MS
SQL\Backup

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Full

\<sql
directory>\MSSQL.1\MS
SQL\Binn

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Read &Execute

\<sql
directory>\MSSQL.1\MS
SQL\Data

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Full

\<sql
directory>\MSSQL.1\MS
SQL\Install

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Read &Execute

\<sql
directory>\MSSQL.1\MS
SQL\LOG

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Full

\<sql
directory>\MSSQL.1\MS
SQL\repldata

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Full

\<sql
directory>\MSSQL.1\MS
SQL\Template Data

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Full

\Program Files\Microsoft
SQL Server\80\tools

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Read &Execute

\Program Files\Microsoft
SQL Server\80\com

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Read &Execute

\Program Files\Microsoft
SQL Server\90\com

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Read &Execute

\Program Files\Microsoft
SQL Server\90\dts

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Read &Execute

\Program Files\Microsoft
SQL Server\90\sdk

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Read

\Program Files\Microsoft 1) LocalMachine\Administrators 1) Full

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 20 of 34

Directory

User/Group

Permission

SQL Server\90\Setup
Bootstrap

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

2) Full

3) Read &Execute

\Program Files\Microsoft
SQL Server\90\Shared

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Read &Execute

\Program Files\Microsoft
SQL
Server\90\Shared\Error
Dumps

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Read &Write

\Program Files\Microsoft
SQL Server\90\tools

1) LocalMachine\Administrators

2) SYSTEM

3) SQLServer2005MSSQLUSER$Computer
Name$InstanceName

1) Full

2) Full

3) Read &Execute

%systemroot% (usually
\WINDOWS)

1) LocalMachine\Administrators

2) LocalMachine\Users

3) SYSTEM

1) Full

2) Read &Execute

3) Full

%systemroot%\Config 1) LocalMachine\Administrators

2) LocalMachine\Users

3) SYSTEM

1) Full

2)Read &List

3) Full

%systemroot%\System3
2
%systemroot%\System3
2\LogFiles
%systemroot%\System3
2\InetSrv

1) LocalMachine\Administrators

2) LocalMachine\Users

3) SYSTEM

1) Full

2) Read & Execute

3) Full

%systemroot%\System 1) LocalMachine\Administrators

2) LocalMachine\Users

3) SYSTEM

1) Full

2) Read & Execute

3) Full

%systemroot%\Repair 1) LocalMachine\Administrators

2)SYSTEM

1)Full

2)Full

\Documents and
Settings

1) LocalMachine\Administrators

2) LocalMachine\Users

3) SYSTEM

1) Full

2) Read

3) Full

Verify that the following files have these permissions:

File User/Group

Permission

C:\AUTOEXEC.bat 1) LocalMachine\Administrators

2) SYSTEM

1) Full

2) Read & Execute

C:\CONFIG.SYS 1) LocalMachine\Administrators

2) SYSTEM

1) Full

2) Read & Execute

Audit policy

The Audit policy defines which security events get logged.
To access the auditing, go to Windows Start > Control Panel > Administrative Tools > Local

Security Policy > Local Policies > Audit Policy.

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 21 of 34

Table 6 Summary of audit policy settings

Policy

Security

Setting

Audit account logon
events

Success, Failure

The ‘Audit account logon events’ policy determines
whether to log authentication of local users. Both
security settings should be logged.

Audit account
management

Success, Failure

The ‘Audit account management’ policy determines
whether to log the creation, modification and deleting of
accounts. To determine who creates, modifies and
deletes accounts as well as to monitor failed attempts
that could indicate an attack. Log both security settings.

Audit directory service
access

Failure

The ‘Audit directory service access’ setting determines
whether to audit the event of a user accessing an Active
Directory object that has its own system access control
list (SACL) specified. Set to Failure.

Audit logon events

Success, Failure

The ‘Audit logon events’ policy determines whether to
log local account activity. Log both success and failure.

Audit object access

Failure

The ‘Audit object access’ policy determines whether to
log events when a user accesses an object such as a
file, folder or registry key. Log only failures.

Audit policy change

Success

The ‘Audit policy change’ policy determines whether to
log changes to user rights assignment policies, trust
policies and audit policies. Log only successes.

Audit privilege use

Failure

The ‘Audit privilege use’ policy determines whether to
log use of a user right. Failures should be logged as a
failed privilege use can indicate an attempted security
breach.

Audit process tracking

No Auditing

The ‘Audit process tracking’ policy determines whether
to log detailed tracking information for events such as
program activation, process exit, handle duplication, and
indirect object access. As this would generate a large
number of events, the setting should be No auditing.

Audit system events

Success

The ‘Audit system events’ policy determines whether to
log events such as restarts and shutdown and events
affecting security. Log only success.

User rights assignment

User rights assignments provide users and groups with logon rights or privileges on the server. To
access the user rights assignment, go to Windows Start > Control Panel > Administrative Tools >

Local Security Policy> Local Policy > User Rights Assignment.
Table 7 List of recommended user rights settings4.

Policy

Security Setting

Access this computer from the
network (SeNetworkLogonRight)

Administrators, Authenticated Users, ENTERPRISE DOMAIN
CONTROLLERS, IUSR_<machinename>,
IWAM_<machinename>

4

See documentation from Microsoft Support and Setting Up Windows Service Accounts from Microsoft

Development for additional information on SQL service accounts.

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 22 of 34

Policy

Security Setting

Act as part of the operating system
(SeTcbPrivilege)

Add workstations to domain
(SeMachineAccountPrivilege)

Adjust memory quotas for a process
(SeIncreaseQuotaPrivilege)

Administrators, LOCAL SERVICE, NETWORK SERVICE,
IWAM_<machinename>,
SQLServer2005MSSQLUser$ComputerName$InstanceName

Allow logon locally
(SeInteractiveLogonRight)

Administrators

Allow logon Through Terminal
Services
(SeRemoteInteractiveLogonRight)

Administrators

Back up files and directories
(SeBackupPrivilege)

Administrators

Bypass traverse checking
(SeChangeNotifyPrivilege)

Administrators, Authenticated Users,
SQLServer2005MSSQLUser$ComputerName$InstanceName

Change the system time
(SeSystemTimePrivilege)

Administrators

Create a pagefile
(SeCreatePagefilePrivilege)

Administrators

Create a token object
(SeCreateTokenPrivilege)

Create global objects
(SeCreateGlobalPrivilege)

Administrators, SERVICE

Create permanent shared objects
(SeCreatePermanentPrivilege)

Debug programs
(SeDebugPrivilege)

Deny access to this computer from
the network
(SeDenyNetworkLogonRight)

Support_388945a0, ANONYMOUS LOGON,

Deny logon as a batch job
(SeDenyBatchLogonRight)

SUPPORT_388945a0

Deny logon as a service
(SeDenyBatchLogonRight)

Deny logon locally
(SeDenyInteractiveLogonRight)

Guests, SUPPORT_388945a0, ASPNET, tmsserviceuser,
sqlserviceuser

Deny log on Through Terminal
Services
(SeDenyRemoteInteractiveLogon
Right)

Guests, SUPPORT_388945a0, ASPNET, tmsserviceuser,
sqlserviceuser

Enable computer and user accounts
to be trusted for delegation
(SeEnableDelegationPrivilege)

Administrators

Force shutdown from a remote
system
(SeRemoteShutdownPrivilege)

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 23 of 34

Policy

Security Setting

Generate security audits
(SeAuditPrivilege)

LOCAL SERVICE, NETWORK SERVICE

Impersonate a client after
authentication
(SeImpersonatePrivilege)

Administrators, IIS_WPG, SERVICE

Increase scheduling priority
(SeIncreaseBasePriorityPrivilege)

Administrators

Load and unload device drivers
(SeLoadDriverPrivilege)

Administrators

Lock pages in memory
(SeLockMemoryPrivilege)

Log on as a batch job
(SeBatchLogonRight)

IIS_WPG, LOCAL SERVICE, SUPPORT_388945a0,
ASPNET, IUSR_<machinename>, IWAM_<machinename>,
SQLServer2005MSSQLUser$ComputerName$InstanceName

Log on as a service
(SeServiceLogonRight)

NETWORK SERVICE,
SQLServer2005MSSQLUser$ComputerName$InstanceName,
tmsserviceuser

Manage auditing and security log
(SeSecurityPrivilege)

Administrators

Modify firmware environment values
(SeSystemEnvironmentPrivilege)

Administrators

Perform Volume Maintenance
Tasks (SeManageVolumePrivilege)

Administrators

Profile single process
(SeProfileSingleProcessPrivilege)

Administrators

Profile system performance
(SeSystemProfilePrivilege)

Administrators

Remove computer from docking
station (SeUndockPrivilege)

Administrators

Replace a process level token
(SeAssignPrimaryTokenPrivilege)

LOCAL SERVICE, NETWORK SERVICE,
SQLServer2005MSSQLUser$ComputerName$InstanceName,
IWAM_<machinename>

Restore files and directories
(SeRestorePrivilege)

Administrators

Shut down the system
(SeShutdownPrivilege)

Administrators

Synchronize directory service data
(SeSynchAgentPrivilege)

Take ownership of files or other
objects
(SeTakeOwnershipPrivilege)

Administrators

Security options

The security options section is used to configure various security settings including LAN manager
authentication level and logon prompts. Go to Windows Start > Control Panel > Administrative

Tools > Local Security Policy >Local Policy > Security Options.

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 24 of 34

Table 8 Recommended security options

Policy

Security Setting

Accounts: Administrator account status Enabled
Accounts: Guest account status Disabled
Accounts: Limit local account use of blank

passwords to console logon only

Enabled

Accounts: Rename administrator account (Rename to a unique name and delete

description)
Accounts: Rename guest account (Rename to a unique name)
Audit: Audit the access of global system objects Disabled
Audit: Audit the use of Backup and Restore

privilege

Disabled

Audit: Shut down system immediately if unable
to log security audits

Enabled

Note: This setting creates some overhead.

DCOM: Machine Access Restrictions in Security
Descriptor Definition Language

Not Defined

DCOM: Machine Launch Restrictions in Security
Descriptor Definition Language

Not Defined

Devices: Allow undock without having to log on Disabled
Devices: Allowed to format and eject removable

media

Administrators

Devices: Prevent users from installing printer
drivers

Enabled

Devices: Restrict CD-ROM access to locally
logged-on user only

Disabled

Devices: Restrict floppy access to locally
logged-on user only

Disabled

Devices: Unsigned driver installation behavior Warn but allow installation
Domain controller: Allow server operators to

schedule tasks

Not defined

Domain controller: LDAP server signing
requirements

Not defined

Domain controller: Refuse machine account
password changes

Not defined

Domain member: Digitally encrypt or sign
secure channel data (always)

Enabled

Domain member: Digitally encrypt secure
channel data (when possible)

Enabled

Domain member: Digitally sign secure channel
data (when possible)

Enabled

Domain member: Disable machine account
password changes

Disabled

Domain member: Maximum machine account
password age

30 Days

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 25 of 34

Policy

Security Setting

Domain member: Require strong (Windows
2000 or later) session key

Enabled

Interactive logon: Display user information when
the session is locked

User display name only

Interactive logon: Do not display last user name Enabled
Interactive logon: Do not require

CTRL+ALT+DEL

Disabled

Interactive logon: Message text for users
attempting to log on

(Consult with the relevant people in your

organization.)
Interactive logon: Message title for users

attempting to log on

(Consult with the relevant people in your

organization.)
Interactive logon: Number of previous logons to

cache (in case domain controller is not
available)

0

Interactive logon: Prompt user to change
password before expiration

14 days

Interactive logon: Require Domain Controller
authentication to unlock workstation

Enabled

Interactive logon: Require smart card Disabled
Interactive logon: Smart card removal behavior Lock Workstation
Microsoft network client: Digitally sign

communications (always)

Disabled

Microsoft network client: Digitally sign
communications (if server agrees)

Enabled

Microsoft network client: Send unencrypted
password to third-party SMB servers

Disabled

Microsoft network server: Amount of idle time
required before suspending session

15 minutes

Microsoft network server: Digitally sign
communications (always)

Enabled

Microsoft network server: Digitally sign
communications (if client agrees)

Enabled

Microsoft network server: Disconnect clients
when logon hours expire

Enabled

Network access: Allow anonymous SID/Name
translation

Disabled

Network access: Do not allow anonymous
enumeration of SAM accounts

Enabled

Network access: Do not allow anonymous
enumeration of SAM accounts and shares

Enabled

Network access: Do not allow storage of
credentials or .NET Passports for network
authentication

Enabled

Network access: Let Everyone permissions
apply to anonymous users

Disabled

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 26 of 34

Policy

Security Setting

Network access: Named Pipes that can be
accessed anonymously

COMNAP

COMNODE

SQL\QUERY

SPOOLSS

LLSRPC

netlogon

lsarpc

samr

browser
Network access: Remotely accessible registry

paths

System\CurrentControlSet\Control\ProductOptions

System\CurrentControlSet\Control\Server

Applications

Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry

paths and subpaths

System\CurrentControlSet\Control\Print\Printers

System\CurrentControlSet\Services\Eventlog

Software\Microsoft\OLAP Server

Software\Microsoft\Windows

NT\CurrentVersion\Print

Software\Microsoft\Windows

NT\CurrentVersion\Windows
Network access: Restrict anonymous access to

Named Pipes and Shares

Enabled

Network access: Shares that can be accessed
anonymously

Network access: Sharing and security model for
local accounts

Classic - Local users …

Network security: Do not store LAN Manager
hash value on next password change

Enabled

Network security: Force logoff when logon hours
expire

Disabled

Network security: LAN Manager authentication
level

Send NTMLv2 response only

Network security: LDAP client signing
requirements

Negotiate Signing

Network security: Minimum session security for
NTLM SSP based (including secure RPC)
clients

Enabled all settings

Network security: Minimum session security for
NTLM SSP based (including secure RPC)
servers

Enabled all settings

Recovery console: Allow automatic
administrative logon

Disabled

Recovery console: Allow floppy copy and
access to all drives and all folders

Disabled

Shutdown: Allow system to be shut down
without having to log on

Disabled

Shutdown: Clear virtual memory pagefile Disabled

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 27 of 34

Policy

Security Setting

System cryptography: Force strong key
protection for user keys stored on the computer

User must enter a password each time they use a

key
System cryptography: Use FIPS compliant

algorithms for encryption, hashing, and signing

Disabled5

System objects: Default owner for objects
created by members of the Administrators group

Object creator

System objects: Require case insensitivity for
non-Windows subsystems

Enabled

System objects: Strengthen default permissions
of internal system objects (e.g. Symbolic Links)

Enabled

System settings: Optional subsystems
System settings: Use Certificate Rules on

Windows Executables for Software Restriction
Policies

Enabled

Set event viewer history

The Event Viewer is logging events on the server, such as login attempts and changes to policies. The
Event Viewer is found under Start > Control Panel > Administrative Tools > Event Viewer. Specific
events related to Cisco TMS are found under the TANDBERG folder. For each of the event types, the
log files should be set to retain informative amounts of data, but they must be limited to prevent
attacks from filling up the disk.

1. To set the size of the log file, right-click each event type.

2. Select Properties.

3. Set the Maximum log size to 131072 KB.

4. Select Overwrite events as needed.

Remove any file shares

1. Go to Windows Start > Control Panel > Administrative Tools > Computer Management.

2. Expand System Tools and Shared Folders and select Shares. Under Shares several hidden

shares are set up by default.

3. Remove all except the IPC$ share. If you have disabled the Server service in the previous steps,

no shares will be available.

Windows Server creates, by default, administrative shares of your local drives during startup. As soon
as the Server service is started these shares are activated, so in order to remove the shares a registry
key must be created. To do this, create the following key in the Registry Editor:

1. Go to Start > Run and type ‘regedit’. This will open the Registry Editor.

2. Browse to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters

3. Right-click in the left-hand side of the window

4. Select New>DWORD value.

5

You may enable this setting. The consequence of enabling it is that you need version 5.2 of the
Remote Desktop client (XP comes with 5.1) to remotely administrate the server, and you need to
enable TLS 1.0 in your browser for SSL access.

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 28 of 34

5. Fill in AutoShareServer for Name and 0 for Value data.

Screen saver

Make sure that the screensaver is password protected in order to prevent internal threads from taking
over the server.

To enable the password for the screen saver, right-click the desktop and go to Properties > Screen
Saver tab. Select a screensaver and checkmark ‘On resume, password protect’.

Avoid cpu-intensive screensavers such as the OpenGL screensavers and use instead the ’Logon
Screen Saver’. Adjust the wait time of the screen saver to a sensible value.

Set the grace period for the screen saver to prompt for a password to be 0 by adding a registry key.
To do this, edit the following key in the registry setting in the Registry Editor:

1. Under HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon double-click ScreenSaverGracePeriod

2. Set Value data to 0.

Disable dump file creation

If the system crashes, a dump file can provide a hacker with sensitive information. To disable the
dump file creation:

1. Go to Windows Start > Control Panel > System. Under the Advanced tab.

2. Under Startup and Recovery, click the Settings button.

3. Select ‘(none)’ under Write Debugging Information.

Miscellaneous registry changes

To edit settings used to secure the server, edit the registry on the Windows Server by opening a
command window.

1. Go to Windows Start > Run.

2. Type cmd

3. Type regedt32

Note ‘regedt32’ should be used to make the following changes to the registry and not ‘regedit’.

Protect the registry from anonymous access

To restrict remote access to the registry go into the following hive.



Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

• Click the Security toolbar and select Permissions

• Remove all except Administrators who should have Full Control

Disable 8.3 file format compatibility

Filename compatibility for 8.3 file format is on by default. Turn this off.



Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem



Modify

• Value Name: NtfsDisable8dot3NameCreation

• Value Type: REG_DWORD

• Value: 1

Securing Windows Server 2003 tasks

Cisco TMS Secure Server Configuration Guide 13.0 Page 29 of 34

Clear paging file at shutdown

Clear the paging file at shutdown, as there is no need to have an old memory dump on disk when the
system is rebooted.



Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management



Modify

• Value Name: ClearPageFileAtShutdown

• Value Type: REG_DWORD

• Value: 1

Disable Autorun from CD

If a hacker has physical access to the server, and auto run is enabled, the hacker could leave a CD in
the CD-ROM drive. The next time an administrator logs in to the server the CD could launch programs
that access any resources on the server. To prevent this, edit the following registry key:



Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom



Modify

• Value Name: Autorun

• Value Type: REG_DWORD

• Value: 0

Protection against denial of service attacks

In order to harden the TCP/IP stack, go into the following hive.



Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ create
the values shown in Table 9.

Table 9 Hardening the TCP/IP stack

Registry entry Format Value
EnableICMPRedirect DWORD 0
SynAttackProtect DWORD 1
EnableDeadGWDetect DWORD 0
KeepAliveTime DWORD 300,000
DisableIPSourceRouting DWORD 2
TcpMaxConnectResponseRetransmissions DWORD 2
TcpMaxDataRetransmissions DWORD 3
PerformRouterDiscovery DWORD 0

Check status of logon screen shutdown button

Make sure that the server cannot be shutdown from the login screen. Verify that this key is set to the
correct value. By default this functionality is disabled.



Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon



Modify

• Value Name: ShutdownWithoutLogon

• Value Type: REG_DWORD

• Value: 0

Securing IIS

Cisco TMS Secure Server Configuration Guide 13.0 Page 30 of 34

Securing IIS

The IIS configuration installed by Windows 2003 SP2 is preconfigured to run as a secure server,
disabling many services that were enabled in Windows 2000. Previous tools such as URLScan and
IISLockdown tool should not be used with IIS 6. The following sections provide additional steps to
further secure the server installation.

Enable logging on the website

Logging should be enabled by default on the website.

1. To open the IIS Manager, go to Windows Start >Administrative Tools>Internet Information

Services (IIS) Manager.

2. Expand the ‘Web Sites’ folder.

3. Right-click the ‘Default Web Site and select Properties

4. Make sure Enable Logging is checked.
The log files must not overrun the System Partition. Configure the Log files to save to a directory on

the second partition. Make sure only Administrators and SYSTEM has full control on the log directory.

Delete the default installed examples

Delete the following directories and their contents from the file system of your Cisco TMS server:



\InetPub\AdminScripts



\WINDOWS\System32\Inetsrv\iisadmpwd



\WINDOWS\web\printers



Delete all files under \InetPub\wwwroot but do not delete the directory.

Disable unneeded web extensions

1. Go to Windows Start > Control Panel > Administrative Tools > Internet Information

Services Manager.

2. Expand the ‘Web Sites’ folder.

3. Right-click the ‘Default Web Site’.

4. Select ‘Properties’.

5. Under Virtual Directory, click the Configuration button and make sure only the Web

Extensions listed below are enabled.

Table 10 Extensions to leave enabled

Extension

Enabled

.Active Server Pages Yes
ASP.NET v1.x Yes
ASP.NET v2.x Yes

Steps to repeat after Cisco TMS installs and upgrades

Because Cisco TMS reinstalls the full Cisco TMS website on upgrades, the following sections should
be checked and reapplied.

Set proper authentication methods

By default Cisco TMS is installed with both Basic and Integrated Windows authentication. This allows
the best compatibility with browsers, but risks exposing passwords on unprotected networks. The

Securing IIS

Cisco TMS Secure Server Configuration Guide 13.0 Page 31 of 34

mainstream browsers Internet Explorer and Firefox support NTLM so basic authentication should be
disabled if not accessing Cisco TMS through a proxy6.

1. Go to Windows Start > Control Panel > Administrative Tools > Internet Information Services

(IIS) Manager.

2. Expand the ‘Web Sites’ folder and right-click the website where Cisco TMS is installed

3. Select Properties.

4. In the Directory Security tab > Authentication and Access Control, click Edit.

5. Uncheck Enable Anonymous Access, Digest authentication for Windows domain server,

Basic Authentication and .NET passport authentication and check only Integrated Windows
Authentication..

6. Click OK twice7.

7. When prompted about Inheritance Overrides for the child node, see the table below and only

select those listed as enabled.

8. Click OK to apply the permissions.

Table 11 Nodes to select when applying permissions

Node

Select to Inherit

TMSAgent Yes
Pwx No
TMS Yes
TMS/Public No
TMSConferenceAPI No
XAPSite No

Note: You cannot remove anonymous access to the entire website. Anonymous access is required on
several nodes so that devices can send data to Cisco TMS. Applying permissions as stated above
from a standard Cisco TMS installation will maintain the required access rights.

Delete unused application mappings

1. Go to Windows Start > Administrative Tools > Internet Information Services (IIS) Manager.

2. Expand the ‘Web Sites’ folder and right-click the website where Cisco TMS is installed

3. Select Properties.

4. Under Virtual Directory, click the Configuration button.

5. Under Application Extensions, remove the following extension mappings.

Table 12 Extensions to remove

Extension

.idc
.shtm
.shtml

6

Some External Integration products cannot support NTLM or Kerberos Authentication and basic may need to
be enabled in those situations

7

If Basic is already unchecked, you must enable it to make a change and save it (do not apply to any child
nodes), and then open the Security properties again and uncheck it and follow the remainder of the instructions.

Securing IIS

Cisco TMS Secure Server Configuration Guide 13.0 Page 32 of 34

.stm

6. Click OK to close the dialogs.

7. When prompted about Inheritance Overrides for the child nodes, click Select All.

8. Click OK so the changes are applied to the full website.
Repeat the step for all virtual directories with a gear icon.

Optional - Configure Cisco TMS to use HTTPS

The website can be configured to use HTTPS for client access and/or device access. See Cisco Cisco

TMS Secure Management for details on how to configure HTTPS.

Optional - Remove XAPDLL

If you are not using a Polycom MGC v6 or older, you can remove the XAPDLL from Cisco TMS.

1. Go to Windows Start > Control Panel > Administrative Tools > Internet Information Services

(IIS) Manager.

2. Expand the website Cisco TMS is installed in.

3. Right-click the XAPDLL directory.

4. Click Delete to delete the files and directory <TMS Install Dir>\wwwtms\public\XAPSite.

Optional - Remove Polycom Endpoint support

If you are not managing Polycom Endpoints, you can remove the portions required to support them to
reduce surface area of the public website.

1. Go to Windows Start > Control Panel > Administrative Tools > Internet Information Services

(IIS) Manager.

2. Expand the website Cisco TMS is installed in.

3. Delete the files and directory <TMS Install Dir>\wwwtms\public\pwx

4. Go back to Start > Control Panel > Administrative Tools > Services.

5. Right-click TMSPLCMDirectoryService and set the start-up mode to Disabled.

6. Click Stop to stop the running instance.

Note: Disabling this service will cause a Cisco TMS Ticket to be opened and remain open as Cisco
TMS sees the service is not running.

Post installation and upgrades

Cisco TMS Secure Server Configuration Guide 13.0 Page 33 of 34

Post installation and upgrades

Cisco TMS upgrades

Due to the Cisco TMS application and its components being removed and reinstalled during upgrades,
it is necessary to repeat some of the hardening procedures. Below is a reference to those sections
that must be reapplied.



Assign file ACLs for Cisco TMS directories



Configure Cisco TMS Services to use Service Account



Set proper authentication methods



Delete unused application mappings



Optional - Configure Cisco TMS to use HTTPS



Optional - Remove XAPDLL



Optional - Remove Polycom Endpoint support

Continued monitoring

It is important that the server’s logs be continually audited to monitor for undesired behavior or
attempts to break into the server. The Windows Event Viewer can be used to monitor the security
audits enabled, and the IIS logs can be used for additional information regarding access to the
website. The IIS Logs can grow large on a busy website and should be periodically purged to
conserve disk space.

Up to date patching

It is important that administrators keep their servers up to date to ensure the latest fixes are applied to
their installation. You can subscribe to automatically receive notifications from Microsoft at

http://www.microsoft.com/technet/Security/bulletin/notify.mspx.

Post installation and upgrades

Cisco TMS Secure Server Configuration Guide 13.0 Page 34 of 34

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE
WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO
BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST
TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE
INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS
REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR
CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California,
Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981,
Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE
SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL
WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR
TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR
INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING
OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of
Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their
respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other
company. (1005R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and
phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is
unintentional and coincidental.

Portions of Tandberg Products Copyright © MadCap Software, Inc., 2005 – 2010. All rights reserved. Unauthorized reproduction
prohibited