sccs 5 win2k security guide
Nortel Networks – Metro & Enterprise Networks
Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00 May 13, 2004
ABSTRACT
This guide describes the Symposium Call Center Server R5.0 security model and architecture, and the minimum security settings in Windows 2000 Server for a successful R5.0 installation and operation. The guide also provides security recommendations that customers can adopt to their own security policies and configurations.
NOTICE TO HOLDERS OF PAPER COPIES: Upon receipt of a new issue, destroy the previous issue or mark it “OBSOLETE”.
CONFIDENTIAL INFORMATION: The information contained in this document is the property of Nortel Networks. Except as specifically authorized in writing by Nortel Networks, the holder of this document shall keep all information contained herein confidential and shall protect same in whole or in part from disclosure and dissemination to all third parties.
Trademarks Nortel Networks Proprietary
ii Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Trademarks
The following are trademarks of Nortel Networks: Nortel Networks, BNR, ACD, BCS, CallPilot, DMS, DMS-100, DMS-250, DMS-MTX, DMS-SCP, DNC, DPN-100, DVS, DualMode, FastView, Helmsman, M2317, MAP, Symposium, Meridian Digital Centrex (MDC), Meridian, Meridian 1, Meridian Link, Meridian MAX, Meridian NAC, Meridian CCR, Meridian IVR, Meridian Terminal Emulator, MFA, Norstar, PowerTouch, SL-1, SL-100, SuperNode, Telesis, Unity.
Action Request System and AR System are trademarks of Remedy Corporation.
AMDEK is a trademark of Amdek Corporation.
ANSI is a trademark of the American National Standards Institute.
ClearCase is a registered trademark and ClearCase MultiSite is a trademark of Rational Software Corporation.
Continuus, continuus/CM, and Continuus/PT are trademarks of Continuus Software Corporation. CaseWare/CM, CaseWare/PT, CaseWare, ACCENT, and Amplify Control are registered trademarks of Continuus Software Corporation.
Courier is a trademark of Smith-Corona Corporation.
CT Connect and CT Media are registered trademarks of Dialogic.
Frame, FrameBuilder and FrameMaker are trademarks of Adobe Systems Incorporated.
Helvetica and Times are trademarks of Linotype AG or its subsidiaries.
InstallShield is a registered trademark of InstallShield Software Corporation.
Interleaf is a trademark of Interleaf, Inc.
Macintosh, Power Macintosh, and Apple are registered trademarks of Apple Computer, Inc. Mac OS is a trademark of Apple Computer, Inc.
Microsoft Windows, Microsoft Word, Microsoft Excel, PowerPoint, Microsoft Project, Microsoft File Extension, and MS-DOS are trademarks of Microsoft Corporation.
Novell is a trademark of Novell, Inc.
Olectra Chart is a trademark of KL Group Inc.
Portable Document Format is a trademark of Adobe Systems Incorporated.
PostScript is a trademark of Adobe Systems Incorporated.
SYBASE is a trademark of Sybase, Inc.
UNIX is a trademark of UNIX System Laboratories.
Versatility, Versatility Administrator, Versatility Call Blending, Versatility Campaign Plus, Versatility Insight, Versatility Predictive, Versatility Telesales / Teleservice are trademarks of Versatility Inc.
WinRunner, TSL and Context Sensitive are trademarks of Mercury Interactive Corporation.
© 2004 Nortel Networks Corporation
Approvals
Prepared By
Ronald Chan
Support Engineer, Contact Center Technology Support
Enterprise Networks, Call Center Technology & Solutions
Nortel Networks Corporation
Date:
Reviewed and Approved By
Rick Medeiros
Manager, Contact Center Technology & Dev Support
Enterprise Networks, Call Center Technology & Solutions
Nortel Networks Corporation
Date:

Eugene Garvin
Senior Manager, Contact Center Server R&D
Enterprise Networks, Call Center Technology & Solutions
Nortel Networks Corporation
Date:
Revision history
| Issue Number | Issue Date | Type of Review | Reason(s) for Issue | Author(s) |
| --- | --- | --- | --- | --- |
| 0.01 | March 16, 2004 | Draft copy | Initial draft for internal review | Ronald Chan |
| 0.02 | April 27, 2004 | Draft copy | Updates from internal review | Ronald Chan |
| 1.00 | May 13, 2004 | Approval copy | Updates from external review. Section 2.1: Clarify Windows 2000 Server including both Standard and Advanced Edition. Section 4.2: Change web link to SCCS 5.0 product information page | Ronald Chan |
Table of contents
1 Introduction
1.1 Purpose
1.2 Scope
1.3 Intended audience
2 Security Models
2.1 Symposium Call Center Server security architecture
2.1.1 Symposium Call Center Server network security layer
2.1.1.1 Standalone server
2.1.1.2 Embedded LAN configuration
2.1.1.3 Customer LAN configuration
2.1.1.3.1 Default network binding protocols
2.1.1.3.2 Static IP address
2.1.1.3.3 DNS consideration
2.1.1.4 Firewall
2.1.2 Symposium Call Center Server server security layer
2.1.2.1 Windows 2000 Server configuration
2.1.2.2 Windows 2000 security settings
2.1.2.3 Server configuration
2.1.3 Symposium Call Center Server application security layer
2.1.3.1 Database access security
2.1.3.2 MAS security server
2.1.3.3 Remote backup and restore security
3 Default R5.0 server security settings and configuration
3.1 Default Windows 2000 Server configuration
3.1.1 Default installed Windows 2000 Server components
3.1.2 Default Windows 2000 services
3.2 Default Windows 2000 security settings
3.2.1 Default password policy
3.2.2 Default account lockout policy
3.2.3 Default user rights assignments
3.2.4 Default security setting
3.2.5 Default IP security policy
3.2.6 Default audit policy
3.3 Default Symposium Call Center Server server configuration
3.3.1 Default disk partitioning type
3.3.2 Default Windows local users
3.3.3 Default print server and file sharing configuration
3.3.4 Default Internet access
4 Security recommendations
4.1 Security risk management and policy
4.1.1 Risk management
4.1.2 Security policy
4.2 Windows 2000 security patches and hot fixes
4.3 Windows 2000 user accounts and passwords
4.4 Anonymous logon
4.5 Third-party applications
4.6 Anti-virus scanning
4.7 Internet access
4.8 E-mail access
4.9 File and folder sharing
4.10 File and folder permission
4.11 Encryption
4.12 Microsoft Baseline Security Advisor
4.13 SNMP Configuration
4.14 Remote support access
4.15 Symposium Call Center Server backup and restore strategy
5 Glossary
6 References
List of figures
Figure 1 Symposium Call Center Server Security Architecture
Figure 2 Symposium Call Center Server Network Security Layer
List of tables
Table 1 Symposium Call Center Server Default Network Protocols
Table 2 Symposium Call Center Server Ports Usage
Table 3 Default Installed Windows 2000 Server Components
Table 4 Default Windows 2000 services
Table 5 Default Password Policy
Table 6 Default Account Lockout Policy
Table 7 Default User Rights Assignments
Table 8 Default Security Setting
Table 9 Default IP Security Policy
Table 10 Default Audit Policy
Table 11 Default Symposium Call Center Server Windows Local Users
Table 12 Symposium Call Center Server File and Folder Permission
Table 13 MBSA scanning items and Symposium Call Center Server recommendations
1 Introduction
1.1 Purpose
Server security has become a critical issue in the software industry. It is important for customers to protect all the servers in their network environment (including Symposium Call Center Server) from various security attacks, threats, and vulnerabilities. Since each customer has their own security policies and requirements, it is impossible to present a single Symposium Call Center Server security configuration that will meet all customer needs. This guide describes the basic Symposium Call Center Server R5.0 security model and default security configuration for a successful Symposium Call Center Server R5.0 installation and operation. In addition, this guide includes a set of recommendations for security policies and configuration. Customers can adopt the default and recommended security policies and integrate them with their own security policy for the Symposium Call Center Server R5.0 server.
1.2 Scope
This guide covers the security model and guidelines for Symposium Call Center Server R5.0 (both nodal and NCC servers) running the Windows 2000 Server (Standard and Advanced Edition) operating system. It is not intended to be a comprehensive security guide for Windows 2000 Server, nor for the customer network itself. This guide is only applicable to Symposium Call Center Server R5.0 running on Windows 2000 Server (Standard and Advanced Server edition) platform and does not include earlier releases or other Symposium products, such as the regular Symposium Call Center Server Client application R4.0, Symposium Web Client 4.5, Symposium Express Call Center, or Symposium Web Center Portal.
The security settings and recommendations in this guide only cover the Symposium Call Center Server R5.0 server running with Windows 2000 Server (or Windows 2000 Advanced Server) and do not include other components on the same network (for example, the M1 switch, desktop PC, Symposium Web Client application server, etc.), or the actual customer network itself (for example, routers, firewalls, etc.).
This guide does not include any actual procedures on how to show or change the Windows 2000 Server security settings. It assumes that the reader is familiar with security administration tools, either those supplied by Microsoft (for example, the Microsoft Management Console with appropriate plug-ins), or third-party software that is used to manage the listed security settings for Symposium Call Center Server.
1.3 Intended audience
Caution
This guide contains sensitive security and configuration settings that a potential hacker can use to exploit the security risks of Symposium Call Center Server. Therefore, you must exercise caution and only release security settings information to people on a need-to-know basis.
This guide is intended to be used by anyone wishing to set up a security policy and configure Symposium Call Center Server R5.0 running on Windows 2000 Server within their own security environment. It assumes that the reader is familiar with all security subjects and features in Windows 2000 Server and in the customer network environment.
2 Security Models
2.1 Symposium Call Center Server security architecture
The Symposium Call Center Server design incorporates various security features. Different security layers within the customer network, server PC, and the Symposium Call Center Server application provide overall system security. The Symposium Call Center Server security architecture can be divided into the following three major security layers:
• Network security
• Server security
• Application security
The relationship between the three security layers is shown in Figure 1.
Figure 1 Symposium Call Center Server Security Architecture
[Figure labels: Symposium Call Center Server network security (customer networks); Symposium Call Center Server R5.0 server security; Symposium Call Center Server application security]
2.1.1 Symposium Call Center Server network security layer
The Symposium Call Center Server network security layer defines the network environment in which the Symposium Call Center Server R5.0 server should be configured. It also defines where the customer-supplied network firewall should be placed within the customer network to allow the server in Symposium Call Center Server and the Client (Standard Client and Web Client) to operate properly. The network security layer protects Symposium Call Center Server from possible security attacks through the customer or external networks.
Figure 2 shows an overall Symposium Call Center Server network security layer within a typical customer network environment, including both the regular Symposium Call Center Server Client PC and Symposium Web Client.
Figure 2 Symposium Call Center Server Network Security Layer
[Figure labels: Telephone Switch; Symposium Call Center Server Server; ELAN Subnet; Symposium Call Center Server Clients; NCC Server; Web Client Application Server; Nortel Networks Servers Subnet (CLAN); Web Client Desktops; Corporate LAN; Firewall/Router; Nortel Contivity 1100; VPN connection for remote support access; SCCS Replication Server; SCCS Standby Server]
Since each customer provides their own network and can have different configurations and requirements, it is impossible to provide a single network configuration for Symposium Call Center Server that meets all customer requirements. Therefore, Nortel Networks recommends you review and consider the following Symposium Call Center Server network and configuration settings when implementing your own network security and configuration settings.
2.1.1.1 Standalone server
Symposium Call Center Server (nodal and NCC server) is designed as a standalone server (Windows Workgroup) within the network instead of integrating with a Windows Domain. Symposium Call Center Server can coexist with and be located within a Windows Domain, but should not be registered in the domain. By configuring Symposium Call Center Server as a standalone server instead of integrating it with a Windows Domain, you minimize any exposure of the Symposium Call Center Server resources to the network and prevent domain users from seeing and logging on to the server.
Symposium Call Center Server R5.0 does not require that any Windows Domain users log on to the server and does not need Windows 2000 Active Directory to operate, even though it runs within a Windows 2000 network environment.
2.1.1.2 Embedded LAN configuration
The Embedded LAN (ELAN) is used for the connection between the telephone PBX switch and Symposium Call Center Server. The ELAN carries all call traffic between the Symposium Call Center Server and the telephone switch (Meridian 1, Meridian IE, or CSE 1000). Symposium Call Center Server only requires a TCP/IP connection to the switch on the ELAN. There should not be a firewall between Symposium Call Center Server and the telephone switch.
For maximum ELAN call traffic performance and security, Nortel Networks recommends that the ELAN be completely isolated from other subnets, and from the external LAN or WAN within the network. Since the ELAN can also carry other telephone switch related traffic for other Nortel Networks products (for example, OTM), you must take into consideration these additional network configuration and security requirements to configure the ELAN (for example, adding a router/gateway or firewall between the ELAN and other subnets, the LAN or WAN).
2.1.1.3 Customer LAN configuration
Symposium Call Center Server (Nodal or NCC server) and the client PCs (both Symposium Call Center Server Client and Web Client) are connected through the Customer LAN (CLAN).
2.1.1.3.1 Default network binding protocols
The network connection protocol between Symposium Call Center Server and the client PCs (both the Symposium Call Center Server Client and the Web Client application server) is based on TCP/IP. The Symposium Call Center Server Network Interface Card (NIC) should have the following default network protocol bindings:
Table 1 Symposium Call Center Server Default Network Protocols

| Default network protocol | Function |
| --- | --- |
| Client for Microsoft Network | Allow Symposium Call Center Server to operate within the Microsoft network environment |
| File and Printer Sharing for Microsoft Network | Enabled by default. Must be enabled for the Symposium Call Center Server Remote Database Network Backup & Restore feature to work |
| Internet Protocol (TCP/IP) | Base network protocol for Symposium Call Center Server |

It is the implementation personnel’s responsibility to add additional binding protocols to the NIC, as necessary.
2.1.1.3.2 Static IP address
Symposium Call Center Server operates as a standalone server with a static IP address. The Symposium Call Center Server network interface must not be configured with DHCP.
2.1.1.3.3 DNS consideration
If a Domain Name Service (DNS) is configured and available on the CLAN, then the Symposium Call Center Server network interface should be registered with the specified DNS. If no DNS is available, then disable the DNS configuration in the Symposium Call Center Server network interface to prevent errors and possible performance impacts on the Symposium Call Center Server network connection.
2.1.1.4 Firewall
Symposium Call Center Server operates on two separate Embedded LAN (ELAN) and Customer LAN (CLAN) subnet configurations. The ELAN provides critical call traffic between Symposium Call Center Server and the telephone switch. For maximum network traffic performance and security, it is recommended that the ELAN be completely isolated from other subnets, or external LANs or WANs within the network. No firewall should be placed between Symposium Call Center Server and the telephone switch.
The Symposium Call Center Server Client or the Symposium Web Client application server is connected to the Symposium Call Center Server through the CLAN. The Remote Procedure Call (RPC) communication method is used between Symposium Call Center Server and the client PCs (both the Symposium Call Center Server Client and the Web Client application server). Since this communication method requires a large range of dynamic ports, it is not practical to implement a firewall between Symposium Call Center Server and the client PCs by restricting port access. However, you can place an appropriate firewall between the Symposium Web Client application server and the Web Client desktop PCs.
Although a firewall implementation would need to open a very large range of ports, Nortel Networks acknowledges that many customers have security policies that may require knowing all ports used by the Symposium Call Center Server application. Table 2 lists all ports used between a Symposium Call Center Server and the Symposium Call Center Client, and between a Symposium Call Center Server and another Symposium Call Center Server or Symposium Call Center Web Client application server. The list does not include other base ports for Windows network connections (for example, port 53 for DNS) that may be needed in the customer network configuration; these ports should be known and provided by customers.
Table 2 Symposium Call Center Server Ports Usage

| Port Number | Functionality |
| --- | --- |
| Port 135 | Microsoft Windows RPC Locator Service |
| Port 137 | Microsoft NetBIOS Name Service (needed for SCCS Remote Database Backup & Restore feature if deployed) |
| Port 138 | Microsoft NetBIOS Datagram Service (needed for SCCS Remote Database Backup & Restore feature if deployed) |
| Port 139 | Microsoft NetBIOS Session Service (needed for SCCS Remote Database Backup & Restore feature if deployed) |
| Port 161 | SNMP (needed if SNMP NMS is connected) |
| Port 162 | SNMP Traps (needed if SNMP NMS is connected) |
| Port 530 | Microsoft Windows RPC Courier Service (needed if Symposium TAPI server is connected) |
| Port 1024 to 65535 | This is the range of ports that can be used by RPC dynamic ports. Note: There are other hard-coded ports used by Symposium Call Center Server; however, they all fall within the range of ports that need to be opened for RPC |

It is the implementation personnel’s responsibility to provide and implement any firewalls.
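As an added example (not part of the Nortel guide), the following Python code compares the sockets a server is listening on, taken from `netstat -an` output, against Table 2 and reports any port the table does not account for. The sample output, its addresses, and the `site_ports` parameter for customer-supplied base ports are constructed for illustration; Table 2 lists port numbers without a transport protocol, so the check matches on port number only.

```python
import re

# Static ports from Table 2 of this guide (port number -> documented use).
TABLE2_STATIC = {
    135: "Microsoft Windows RPC Locator Service",
    137: "NetBIOS Name Service (remote database backup/restore)",
    138: "NetBIOS Datagram Service (remote database backup/restore)",
    139: "NetBIOS Session Service (remote database backup/restore)",
    161: "SNMP (if an SNMP NMS is connected)",
    162: "SNMP Traps (if an SNMP NMS is connected)",
    530: "RPC Courier Service (if a Symposium TAPI server is connected)",
}
# Table 2: "Port 1024 to 65535" is the RPC dynamic port range.
RPC_DYNAMIC_RANGE = range(1024, 65536)

# Constructed sample of `netstat -an` output; not captured from a real server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1027        192.0.2.50:2184        ESTABLISHED
  UDP    0.0.0.0:161            *:*
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

# proto, local address, local port, foreign address, optional TCP state
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return (proto, local_address, port) for listening TCP and bound UDP sockets."""
    listeners = []
    for line in netstat_text.splitlines():
        match = _LINE.match(line)
        if not match:
            continue  # banner, column header or blank line
        proto, addr, port, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        listeners.append((proto, addr, int(port)))
    return listeners


def classify(port, site_ports=frozenset()):
    """Place a port in one of four buckets relative to Table 2."""
    if port in TABLE2_STATIC:
        return "table2"
    if port in site_ports:
        # Base Windows ports the guide leaves to the customer (e.g. 53 for DNS).
        return "site_declared"
    if port in RPC_DYNAMIC_RANGE:
        # Allowed by the range rule, but the number alone cannot show that the
        # listener is an RPC endpoint; the owning service still needs review.
        return "rpc_dynamic_range"
    return "undocumented"


def audit(netstat_text, site_ports=frozenset()):
    """Group listening ports by bucket; 'undocumented' needs follow-up."""
    buckets = ("table2", "site_declared", "rpc_dynamic_range", "undocumented")
    report = {name: set() for name in buckets}
    for _proto, _addr, port in parse_listeners(netstat_text):
        report[classify(port, site_ports)].add(port)
    return {name: sorted(ports) for name, ports in report.items()}


if __name__ == "__main__":
    for bucket, ports in audit(SAMPLE_NETSTAT).items():
        print(f"{bucket:18} {ports}")
```
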
2.1.2 Symposium Call Center Server server security layer
The Symposium Call Center Server R5.0 server security layer defines the security settings and configuration on the Symposium Call Center Server PC. The server security layer protects the Symposium Call Center Server PC from various security attacks and vulnerabilities. The security layer is implemented through security features included in the Windows 2000 Server operating system and through the appropriate server configuration. The overall server security layer consists of the following main security strategies:
• Windows 2000 Server configuration
• Windows 2000 security settings
• Server configuration
2.1.2.1 Windows 2000 Server configuration
The Windows 2000 Server configuration security strategy relies on the default Windows 2000 Server operating system installation and configuration. The default installation and configuration only installs and configures those Windows 2000 components that are required for proper Symposium Call Center Server R5.0 operation. By not installing any unnecessary Windows 2000 components, you minimize the risk of possible security attacks and vulnerabilities through these components. The details of the default Windows 2000 Server configuration are documented in section 3 of this guide.
For details on installing Windows 2000 Server according to the default Symposium Call Center Server configuration, see the Nortel Networks Symposium Call Center Server Installation and Maintenance Guide for Release 5.0 [1].
2.1.2.2 Windows 2000 security settings
The Windows 2000 security setting strategy includes a set of default security settings and a user policy designed to protect Symposium Call Center Server by minimizing possible unauthorized access and changes to the server. For details, see section 3 of this guide.
2.1.2.3 Server configuration
The server configuration strategy includes a set of default server configuration settings, such as file system type partitioning, file sharing etc., that help minimize the exposure of the server to potential attackers. For details, see section 3 of this guide.
2.1.3 Symposium Call Center Server application security layer
The Symposium Call Center Server application security layer includes built-in security functions that protect critical information about the Symposium Call Center Server application, customer call center configuration and statistics from illegal access. The application security layer consists of the following major components:
• database access security
• MAS security service
• remote backup and restore security
2.1.3.1 Database access security
Database access security is controlled by the Sybase ASE 12 SQL Server access authorization component. Only authorized database user accounts with correct passwords can access the database through pre-assigned access rights. All critical call center configuration information and customer call statistics are stored in the database. Nortel Networks proprietary information is also stored in the database and can only be accessed by the “system administrator” (SA) account. Details of this account are considered Nortel Networks confidential and, therefore, are not released to any customers. Customers do not need to perform any database access or maintenance operations that require “SA” account access. Instead, customers use other Symposium Call Center Server user accounts to access the database and create custom call statistic reports.
Customers can access the database through the pre-defined “sysadmin” account and other Symposium Call Center Server user accounts created by the Symposium Call Center Server administrators or supervisors. The sysadmin account is different from the SA account. Customers can change the passwords for all created Symposium Call Center Server user accounts, including the pre-defined sysadmin account. In fact, for security purposes, customers must change the default password for the sysadmin account when logging on to Symposium Call Center Server for the first time.
The database access security model further protects database integrity from unauthorized access and updates by providing pre-defined database views from which customers retrieve database information.
2.1.3.2 MAS security server
The MAS security server is a Symposium Call Center Server service that provides security authentication for the connection between the server in Symposium Call Center Server and Symposium Call Center Server Client PC. The Symposium Call Center Server Client must log on to Symposium Call Center Server through the MAS security service using a valid Symposium Call Center Server user account and password. The MAS security server encrypts and decrypts Symposium Call Center user account passwords using a proprietary algorithm.
Symposium Call Center Server user accounts are separate and different from the client PC’s local or network login account, and the server’s local Windows login accounts. The Symposium Call Center Server user account login does not require Windows login on the Symposium Call Center Server, nor does it require Windows Domain Controller or Windows 2000 Active Directory.
2.1.3.3 Remote backup and restore security
Symposium Call Center Server R5.0 supports database backup and restore on a remote network computer within the Symposium Call Center Server standalone server configuration. Procedures are provided to set up the proper local user account on both the remote backup computer and the server in Symposium Call Center Server to ensure that only assigned user accounts and privileges are used for the remote backup and restore. Customers must exercise proper security measures for the shared remote backup folder on the remote computer to prevent unauthorized access to the Symposium Call Center Server backup files.
Remote backup and restore configuration procedures are documented in Nortel Networks Symposium Call Center Server Installation and Maintenance Guide for Release 5.0 [1].
Default R5.0 server security settings and configuration Nortel Networks Proprietary
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 11
3 Default R5.0 server security settings and configuration
Caution
This guide contains sensitive security and configuration settings that a potential hacker could use to exploit the security risks of the Symposium Call Center Server. Therefore, you must exercise caution and only release security settings information to people on a need-to-know basis.
3.1 Default Windows 2000 Server configuration
Symposium Call Center Server R5.0 includes a set of recommendations for the installation and configuration of the Windows 2000 Server operating system. When followed, these recommendations provide a security environment that satisfies most typical customer security requirements. To install and configure Windows 2000 Server according to these recommendations, follow the instructions listed in the Nortel Networks Symposium Call Center Server Installation and Maintenance Guide for Release 5.0 [1]. The default configuration listed only covers the Windows 2000 Server operating system configuration and does not include any hardware platform-specific configuration or security settings.
The Windows 2000 Server configuration and security settings listed in this guide include both the default Symposium Call Center Server settings (as installed when you follow the guidelines documented in Nortel Networks Symposium Call Center Server Installation and Maintenance Guide for Release 5.0 [1]), and the minimum Symposium Call Center Server settings (the minimum setting required for Symposium Call Center Server R5.0 operation). Nortel Networks has verified the default Windows 2000 Server configuration as listed to ensure its compatibility with the proper Symposium Call Center Server installation and operation. Therefore, if you choose to alter the default Windows 2000 Server configuration to meet specific customer requirements, note that Nortel Networks will not have verified the impact of such change on the Symposium Call Center Server installation and operation. Customers who deviate from the recommended default Windows 2000 Server configuration must not change or exceed any of the listed Symposium Call Center Server minimum requirements, and must test their Windows 2000 Server configuration with Symposium Call Center Server R5.0 in a non-production environment before putting the configuration online.
3.1.1 Default installed Windows 2000 Server components
For proper Symposium Call Center Server R5.0 operation, Nortel Networks recommends installing only the required Windows 2000 Server operating system components. Table 3 lists the default Windows 2000 Server installed components and the minimum component requirements for proper Symposium Call Center Server R5.0 operation.
Table 3 Default Installed Windows 2000 Server Components
Windows 2000 component | Windows 2000 sub-component | Default Symposium Call Center Server configuration | Symposium Call Center Server minimum requirement
Accessories and Utilities | Accessibility Wizard | Installed | No dependency
Accessories and Utilities | Accessories | Installed | No dependency
Accessories and Utilities | Communications | Installed | No dependency
Accessories and Utilities | Games | Installed | No dependency
Accessories and Utilities | Multimedia | Installed | No dependency
Certificates Service | Certificate Service CA | Not installed | No dependency
Certificates Service | Certificate Web Enrollment Support | Not installed | No dependency
Indexing Service |  | Installed | No dependency
Internet Information Service (IIS) | Common Files | Not installed | No dependency (must not be installed for security and performance consideration)
Internet Information Service (IIS) | Documentation | Not installed | No dependency (must not be installed for security and performance consideration)
Internet Information Service (IIS) | File Transfer Protocol (FTP) Server | Not installed | No dependency (must not be installed for security and performance consideration)
Internet Information Service (IIS) | FrontPage 2000 Server Extension | Not installed | No dependency (must not be installed for security and performance consideration)
Internet Information Service (IIS) | Internet Information Service Snap-In | Not installed | No dependency (must not be installed for security and performance consideration)
Internet Information Service (IIS) | Internet Service Manager (HTML) | Not installed | No dependency (must not be installed for security and performance consideration)
Internet Information Service (IIS) | NNTP Service | Not installed | No dependency (must not be installed for security and performance consideration)
Internet Information Service (IIS) | SMTP Service | Not installed | No dependency (must not be installed for security and performance consideration)
Internet Information Service (IIS) | Visual InterDev RAD Remote Development Support | Not installed | No dependency (must not be installed for security and performance consideration)
Internet Information Service (IIS) | World Wide Web Server | Not installed | No dependency (must not be installed for security and performance consideration)
Management and Monitoring Tools | Connection Manager Components | Not installed | No dependency (must not be installed for security and performance consideration)
Management and Monitoring Tools | Network Monitor Tools | Not installed | No dependency
Management and Monitoring Tools | Simple Network Management Protocol | Installed | Must be installed for sending Symposium Call Center Server event traps
Networking Service | COM Internet Service Proxy | Not installed | No dependency (must not be installed for security and performance consideration)
Networking Service | Domain Name System (DNS) | Not installed | No dependency (must not be installed for security and performance consideration)
Networking Service | Dynamic Host Configuration Protocol (DHCP) | Not installed | Must not be installed
Networking Service | Internet Authentication Service | Not installed | No dependency (must not be installed for security and performance consideration)
Networking Service | QoS Admission Control Service | Not installed | No dependency (must not be installed for security and performance consideration)
Networking Service | Simple TCP/IP Services | Not installed | No dependency (must not be installed for security and performance consideration)
Networking Service | Site Server ILS Services | Not installed | No dependency (must not be installed for security and performance consideration)
Networking Service | Windows Internet Name Service (WINS) | Not installed | No dependency (must not be installed for security and performance consideration)
Other Network File and Print Services | File Service for Macintosh | Not installed | No dependency (must not be installed for security and performance consideration)
Other Network File and Print Services | Print Service for Macintosh | Not installed | No dependency (must not be installed for security and performance consideration)
Other Network File and Print Services | Print Service for Unix | Not installed | No dependency (must not be installed for security and performance consideration)
Remote Installation Service |  | Not installed | No dependency
Remote Storage |  | Not installed | No dependency
Script Debugger |  | Installed | No dependency
Terminal Services | Client Creator Files | Not installed | No dependency (recommend not to be installed for security and performance consideration)
Terminal Services | Enable Terminal Services | Not installed | No dependency (recommend not to be installed for security and performance consideration)
Terminal Service Licensing |  | Not installed | No dependency (must not be installed for security and performance consideration)
Windows Media Services | Windows Media Service | Not installed | No dependency
Windows Media Services | Windows Media Service Admin | Not installed | No dependency
3.1.2 Default Windows 2000 services
When you install Windows 2000, the installation program creates and configures default Windows services that run when the system is started. Table 4 lists the default Windows 2000 services and the minimum service configuration for Symposium Call Center Server if the Windows 2000 Server is installed with the default Windows components (as listed in Table 3).
Table 4 Default Windows 2000 services
Windows 2000 service | Default Symposium Call Center Server configuration | Symposium Call Center Server minimum requirement
Alerter | Automatic | No dependency
Application Management | Manual | No dependency
ASM_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
AUDIT_Service | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service)
ClipBook | Manual | No dependency
COM+ Event System | Manual | No dependency
Computer Browser | Automatic | No dependency
DBNotifier_Service | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service)
DHCP Client | Automatic | No dependency
Distributed File System | Automatic | No dependency
Distributed Link Tracking Client | Automatic | No dependency
Distributed Link Tracking Server | Manual | No dependency
Distributed Transaction Coordinator | Automatic | No dependency
DNS Client | Automatic | Must be enabled for Symposium Call Center Server if the server NIC is DNS enabled
EB_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
ES_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
Event Log | Automatic | Must be enabled for Symposium Call Center Server
Fax Service | Manual | No dependency
File Replication | Manual | No dependency
HDC_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
HDM_Service | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service)
Host Application Integration | Automatic (Disabled for NCC server) | Must be enabled for Symposium Call Center Server if Data Integration Wizard is enabled in keycode (built-in SCCS service)
Indexing Service | Manual | No dependency
Internet Connection Sharing | Manual | No dependency
Intersite Messaging | Disabled | No dependency
IPSEC Policy Agent | Automatic | No dependency
IS_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
Kerberos Key Distribution Center | Disabled | No dependency
Licensing Logging Service | Automatic | No dependency
Logical Disk Manager | Automatic | Must be enabled for Symposium Call Center Server
Logical Disk Manager Administrative Service | Manual | No dependency
MAS Backup/Restore | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service)
MAS Configuration Manager | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service)
MAS Event Scheduler | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service)
MAS Fault Manager | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service)
MAS LinkHandler Port #2 | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service)
MAS OM Server | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service)
MAS Security | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service)
MAS Service Daemon | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service)
MAS Service Manager | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service)
MAS Time Service | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service)
Messenger | Disabled | No dependency
MLSM_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
NameService | Automatic (Not applicable to NCC server) | Must be enabled for Symposium Call Center Server (built-in SCCS Visibroker service)
NBNM_Service | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service)
NBTSM_Service | Automatic (Disabled for NCC Server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
NCCOAM_Service | Disabled (Automatic if it is a NCC server) | Must be disabled for SCCS except for NCC server (built-in SCCS service)
NDLOAM_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
Net Logon | Manual | No dependency
Net Meeting Remote Desktop Sharing | Manual | No dependency
Network Connections | Manual | No dependency
Network DDE | Manual | No dependency
Network DDE DSDM | Manual | No dependency
NITSM_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
NT LM Security Support Provider | Manual | No dependency
OAM_Service | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service)
pcAnywhere Host Service | Automatic | Must be enabled for Symposium Call Center Server remote support connection (built-in pcAnywhere service)
Performance Logs and Alerts | Manual | No dependency
Plug and Play | Automatic | No dependency
Print Spooler | Automatic | No dependency
Protected Storage | Automatic | No dependency
QoS RSVP | Manual | No dependency
RDC_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
Remote Access Auto Communication Manager | Manual | No dependency
Remote Access Connection Manager | Manual | No dependency
Remote Procedure Call (RPC) | Automatic | Must be enabled for Symposium Call Center Server
Remote Procedure Call (RPC) Locator | Manual | Must be enabled for Symposium Call Center Server
Remote Registry Service | Automatic | No dependency
Remote Storage | Automatic | No dependency
Routing and Remote Access | Disabled | No dependency
RSM_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
RunAs Service | Automatic | Must be enabled for Symposium Call Center Server
SDMCA_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
SDP_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
Security Accounts Manager | Automatic | Must be enabled for Symposium Call Center Server
Server | Automatic | Must be enabled for Symposium Call Center Server
Smart Card | Manual | No dependency
Smart Card Helper | Manual | No dependency
SNMP Service | Automatic | Must be enabled for sending Symposium Call Center Server traps
SNMP Trap Service | Manual | Must be enabled for sending Symposium Call Center Server traps
Sybase BCKServer_<computername>_BS | Automatic | Must be enabled for SCCS including NCC server (built-in Sybase service)
Sybase MONServer_<computername>_MS | Manual | Must be enabled for SCCS including NCC server (built-in Sybase service)
Sybase SQLServer_<computername> | Automatic | Must be enabled for SCCS including NCC server (built-in Sybase service)
Sybase XPServer_<computername>_XP | Manual | Must be enabled for SCCS including NCC server (built-in Sybase service)
System Event Notification | Automatic | No dependency
Task Scheduler | Automatic | Must be enabled for Symposium Call Center Server
TCP/IP NetBIOS Helper Service | Automatic | Must be enabled for Symposium Call Center Server Remote Network Database Backup & Restore feature to function
Telephony | Manual | No dependency
Telnet | Manual | No dependency
Terminal Service | Disabled | No dependency (recommend Disabled for Symposium Call Center Server)
TFA_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
TFABRIDGE_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
TFE Bridge Connector | Manual (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
TFE_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
Uninterrupted Power Supply | Manual | No dependency
Utility Manager | Manual | No dependency
VSM_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service)
Windows Installer | Manual | Must be enabled for Symposium Call Center Server
Windows Management Instrumentation | Manual | No dependency
Windows Management Instrumentation Driver Extension | Manual | No dependency
Windows Time | Manual | No dependency
Workstation | Automatic | Must be enabled for Symposium Call Center Server
3.2 Default Windows 2000 security settings
The Windows 2000 Server operating system on the Symposium Call Center Server R5.0 server is protected by the Windows 2000 local security policy. Since Symposium Call Center Server R5.0 does not require Active Directory to work, Windows 2000 Group Policies will not be discussed in this guide.
As part of Symposium Call Center Server R5.0, Nortel Networks recommends a set of default security settings for the Windows 2000 local security policy that provides a security environment for most typical customer security requirements. Nortel Networks has verified that this default Windows 2000 local security policy is compatible with the proper Symposium Call Center Server installation and operation. Therefore, if you choose to alter the default Windows 2000 security policy (both local and group policy) to meet specific customer security requirements, note that Nortel Networks will not have verified the impact of such a change on the Symposium Call Center Server installation and operation. Customers who deviate from the recommended default Windows 2000 Server security policy (both local and group policy) must not change or exceed any of the listed Symposium Call Center Server minimum requirements, and must test their Windows 2000 Server security policy with Symposium Call Center Server R5.0 in a non-production environment before putting the policy online.
3.2.1 Default password policy
Symposium Call Center Server R5.0 recommends the following default password policy (applicable to the installed Windows 2000 user accounts).
Table 5 Default Password Policy
Policy | Default Windows 2000 setting | Symposium Call Center Server minimum requirement
Enforce password history | 0 password remembered | No dependency
Maximum password age | 42 days | No dependency
Minimum password age | 0 days | No dependency
Minimum password length | 0 characters | Must be less than 6 characters for Symposium Call Center Server installation. Password length can be changed after Symposium Call Center Server installation.
Password must meet complexity requirements | Disabled | Disabled for Symposium Call Center Server installation
Store password using reversible encryption for all users in the domain | Disabled | No dependency (recommend Disabled)
Since the installation of the Symposium Call Center Server application creates additional Windows accounts with default passwords, the Windows 2000 password policy should be in the default setting (as listed in Table 5) before you install Symposium Call Center Server. Customers can change the Windows 2000 password policy as required after the Symposium Call Center Server application is installed, in which case they must also make appropriate password changes for all local Windows accounts that are created with the Symposium Call Center Server installation. Nortel Networks recommends that all local Windows account passwords (including accounts created by Symposium Call Center Server) be changed from their default values immediately after installing Symposium Call Center Server.
3.2.2 Default account lockout policy
Table 6 lists the default account lockout security setting and the minimum requirements for Symposium Call Center Server R5.0.
Table 6 Default Account Lockout Policy
Policy | Default Windows 2000 setting | Symposium Call Center Server minimum requirement
Account lockout threshold | 0 invalid logon attempts | No dependency
Account lockout duration | Not defined | No dependency
Reset account lockout counter after | Not defined | No dependency
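The installation requirements in Table 5 and the defaults in Table 5 and Table 6 can be checked against an exported local security policy before and after installation. The following is an added example, not Nortel Networks code: it assumes the policy was exported with secedit /export and reads the [System Access] keys of that export; the two export texts are constructed samples and the function names are illustrative.

```python
import configparser

# Constructed export text: a [System Access] section holding the Table 5 and
# Table 6 defaults. Lockout duration and reset are "Not defined", so absent.
DEFAULT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed export of a server whose policy was tightened before install.
HARDENED_EXPORT = (
    DEFAULT_EXPORT
    .replace("MinimumPasswordLength = 0", "MinimumPasswordLength = 8")
    .replace("PasswordComplexity = 0", "PasswordComplexity = 1")
)

# Keys whose Table 5 / Table 6 default is the most permissive value; the guide
# lets customers change them once installation has finished.
PERMISSIVE_DEFAULTS = {
    "MinimumPasswordLength": 0,
    "PasswordComplexity": 0,
    "PasswordHistorySize": 0,
    "LockoutBadCount": 0,
}


def load_system_access(inf_text):
    """Return the integer settings of the [System Access] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as exported
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        return {}
    settings = {}
    for key, value in cp.items("System Access"):
        try:
            settings[key] = int(value)
        except ValueError:
            pass  # skip non-numeric entries
    return settings


def pre_install_blockers(settings):
    """Keys that break the Table 5 installation requirements.

    A key that is missing from the export is reported too, because the
    requirement cannot be confirmed for it.
    """
    blockers = []
    length = settings.get("MinimumPasswordLength")
    if length is None or length >= 6:  # must be less than 6 characters
        blockers.append("MinimumPasswordLength")
    if settings.get("PasswordComplexity") != 0:  # must be Disabled
        blockers.append("PasswordComplexity")
    return blockers


def post_install_review(settings):
    """Keys still at the install-time default, plus reversible encryption if on."""
    review = [k for k, v in PERMISSIVE_DEFAULTS.items() if settings.get(k) == v]
    if settings.get("ClearTextPassword", 0) != 0:  # guide recommends Disabled
        review.append("ClearTextPassword")
    return sorted(review)


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_EXPORT), ("hardened", HARDENED_EXPORT)):
        found = load_system_access(text)
        print(label, "install blockers:", pre_install_blockers(found))
        print(label, "post-install review:", post_install_review(found))
```

Run pre_install_blockers before installing Symposium Call Center Server and post_install_review once the default account passwords have been changed.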
3.2.3 Default user rights assignments
Table 7 lists the default user rights assignments security setting and the minimum requirements for Symposium Call Center Server R5.0.
Table 7 Default User Rights Assignments
Policy Default groups with this policy
Default accounts with this policy
Symposium Call Center Server minimum requirement
Access this computer from the network
NGen System, NGen Distributor, Everyone, Users, Power Users, Backup Operators, Administrator
Administrator, NGenSys, NGenDist, NGenDesign
Must be set for the NGen System, NGen Distributor, and Administrator groups.
Must be set for the Administrator, NGenSys, NGenDist, and NGenDesigner accounts.
Act as part of the operating system
NGen System, NGen Design
NGenSys, NGenDesign
Must be set for the NGen System, and NGen Design groups.
Must be set for the NGenSys, and NGenDesign accounts.
Add workstations to domain
NGen Distributor NGenDist, NGenDesign
Must be set for the NGen Distributor group.
Must be set for the NGenDist, and NGenDesign accounts.
Back up files and directory
Administrators, Ngen System, Ngen Distributor, Backup Operator
Administrator, NgenSys, NGenDist, NGenDesign
Must be set for the NGen System, NGen Distributor groups.
Must be set for the NGenSys,
Default R5.0 server security settings and configurationNortel Networks Proprietary
30 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Policy Default groups with this policy
Default accounts with this policy
Symposium Call Center Server minimum requirement NGenDist, and NGenDesign accounts.
Bypass traverse checking
Administrators, NGen Distributor, Backup Operators, Power Users, Users, Everyone
Administrator, NGenSys, NGenDist, NGenDesign
Must be set for the NGen Distributor group.
Must be set for the NGenSys, NGenDist, and NGenDesign accounts
Change the system time
NGen Distributor, Administrators, Power Users
Administrator, NGenSys, NGenDist, NGenDesign
Must be set for the NGen Distributor, and Administrators groups.
Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts.
Create a pagefile Administrators, NGen Design
Administrator, NGenSys, NGenDist, NGenDesign
Must be set for the Administrators, and NGen Design groups.
Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts.
Create a token object
NGen System, NGen Design
NGenSys Must be set for the NGen System, and NGen Design groups.
Default R5.0 server security settings and configurationNortel Networks Proprietary
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 31
Policy Default groups with this policy
Default accounts with this policy
Symposium Call Center Server minimum requirement
Must be set for the NGenSys account.
Create permanent shared objects
NGen System, NGen Design
NGenSys Must be set for the NGen System, and NGen Design groups.
Must be set for the NGenSys account
Debug programs Administrators, NGen System, NGen Design
Administrator, NGenSys, NGenDist, NGenDesign
No dependency. If removed, Nortel Networks may request to set it again for diagnosing specific site problem.
Force shutdown from a remote system
Administrators, NGen Design
Administrator, NGenSys, NGenDist, NGenDesign
Must be set for the Administrators, and NGen Design groups.
Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts.
Generate security audits
NGen Distributor NGenDist, NGenDesign
No dependency
Increase quotas Administrators, NGen Distributor
Administrator, NGenSys, NGenDist, NGenDesign
Must be set for the Administrators, and NGen Distrobutor groups.
Default R5.0 server security settings and configurationNortel Networks Proprietary
32 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Policy Default groups with this policy
Default accounts with this policy
Symposium Call Center Server minimum requirement
Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts.
Increase scheduling priority
Administrators, NGen System, NGen Design
Administrator, NGenSys, NGenDist, NGenDesign
Must be set for the Administrators, NGen System, and NGen Design groups.
Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts.
Load and unload device drivers
Administrators, NGen System, NGen Design
Administrator, NGenSys, NGenDist, NGenDesign
Must be set for the Administrators, NGen System, and NGen Design groups.
Must be set for the Administrator, NGenSys, NGenDist, and NGen Design accounts.
Lock pages in memory
NGen System, NGen Design
NGenSys, NGenDesign
Must be set for the NGen System, and NGen Design groups.
Must be set for the NGenSys, and NGenDesign
Default R5.0 server security settings and configurationNortel Networks Proprietary
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 33
Policy Default groups with this policy
Default accounts with this policy
Symposium Call Center Server minimum requirement accounts.
| Policy | Default groups with this policy | Default accounts with this policy | Symposium Call Center Server minimum requirement |
|---|---|---|---|
| Log on as a batch file | NGen System, NGen Distributor | NGenSys, NGenDist, NGenDesign | Must be set for the NGen System and NGen Distributor groups. Must be set for the NGenSys, NGenDist, and NGenDesign accounts. |
| Log on as a service | NGen System, NGen Distributor | NGenSys, NGenDist, NGenDesign | Must be set for the NGen System and NGen Distributor groups. Must be set for the NGenSys, NGenDist, and NGenDesign accounts. |
| Log on locally | Administrators, NGen Distributor, TSInternetUser, Guest, Users, Power Users, Backup Operators | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators and NGen Distributor groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Manage auditing and security log | Administrators, NGen Distributor | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators and NGen Distributor groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Modify firmware environment values | Administrators, NGen System, NGen Design | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators, NGen System, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Profile single process | Administrators, NGen System, NGen Design, Power Users | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators, NGen System, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Profile system performance | Administrators, NGen System, NGen Design | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators, NGen System, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Remove computer from docking station | Administrators, Users, Power Users | Administrator, NGenSys, NGenDist, NGenDesign | No dependency |
| Replace a process level token | NGen System, NGen Design | NGenSys, NGenDesign | Must be set for the NGen System group. Must be set for the NGenSys account. |
| Restore files and directories | Administrators, NGen System, NGen Distributor, Backup Operators | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators, NGen System, and NGen Distributor groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Shut down the system | Administrators, NGen Distributor, Backup Operators, Power Users | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators and NGen Distributor groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Take ownership of files or other objects | Administrators, NGen Distributor | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators and NGen Distributor groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Deny access to this computer from the network | Not defined | Not defined | No dependency |
| Deny logon as a batch job | Not defined | Not defined | No dependency |
| Deny logon as a service | Not defined | Not defined | No dependency |
| Deny logon locally | Not defined | Not defined | No dependency |
| Enable computer and user accounts to be trusted for delegation | Not defined | Not defined | No dependency |
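One way to check a server against the user-rights rows above, as an added example that is not part of the Nortel guide: the script parses the [Privilege Rights] section of a security template exported with secedit /export and reports which required groups or accounts are missing from each right. The Se* constant names are the standard Windows names for the rights the guide lists by display name; the template text and SID values are constructed sample data, and only the rows shown in this part of the table are covered.

```python
import re

# Required principals per user right, transcribed from the table rows above.
# The guide lists display names; the Se* names are the standard Windows
# constants for those rights (a mapping added for this example).
ACCTS4 = {"Administrator", "NGenSys", "NGenDist", "NGenDesign"}
ACCTS3 = {"NGenSys", "NGenDist", "NGenDesign"}
ADM_DIST = {"Administrators", "NGen Distributor"}
ADM_SYS_DES = {"Administrators", "NGen System", "NGen Design"}

REQUIRED = {
    "SeBatchLogonRight": {"NGen System", "NGen Distributor"} | ACCTS3,
    "SeServiceLogonRight": {"NGen System", "NGen Distributor"} | ACCTS3,
    "SeInteractiveLogonRight": ADM_DIST | ACCTS4,
    "SeSecurityPrivilege": ADM_DIST | ACCTS4,
    "SeSystemEnvironmentPrivilege": ADM_SYS_DES | ACCTS4,
    "SeProfileSingleProcessPrivilege": ADM_SYS_DES | ACCTS4,
    "SeSystemProfilePrivilege": ADM_SYS_DES | ACCTS4,
    "SeAssignPrimaryTokenPrivilege": {"NGen System", "NGenSys"},
    "SeRestorePrivilege": {"Administrators", "NGen System", "NGen Distributor"} | ACCTS4,
    "SeShutdownPrivilege": ADM_DIST | ACCTS4,
    "SeTakeOwnershipPrivilege": ADM_DIST | ACCTS4,
}

BUILTIN_SIDS = {"S-1-5-32-544": "Administrators"}
# RID 500 identifies the built-in Administrator even after the account is renamed.
ADMIN_RID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-500$")


def resolve(principal):
    """Map a template entry (plain name or *SID) to the name used in the guide."""
    entry = principal.strip()
    if not entry.startswith("*"):
        return entry
    sid = entry[1:]
    if sid in BUILTIN_SIDS:
        return BUILTIN_SIDS[sid]
    if ADMIN_RID.match(sid):
        return "Administrator"
    return sid  # unknown SID: keep it visible rather than guessing a name


def parse_privilege_rights(template_text):
    """Return {right: set(principals)} from the [Privilege Rights] section only."""
    rights, section = {}, None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {resolve(v) for v in value.split(",") if v.strip()}
    return rights


def audit(template_text):
    """Return {right: sorted missing principals}; an empty dict means compliant."""
    rights = parse_privilege_rights(template_text)
    findings = {}
    for right, needed in REQUIRED.items():
        have = {p.lower() for p in rights.get(right, set())}  # names are case-insensitive
        missing = sorted(n for n in needed if n.lower() not in have)
        if missing:
            findings[right] = missing
    return findings


# Constructed sample: SeShutdownPrivilege is absent and NGenSys is missing
# from SeAssignPrimaryTokenPrivilege. Decode a real export to text first.
ADMIN_SID = "*S-1-5-21-1111111111-2222222222-3333333333-500"  # constructed SID
SAMPLE_TEMPLATE = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = NGen System,NGen Distributor,NGenSys,NGenDist,NGenDesign
SeServiceLogonRight = NGen System,NGen Distributor,NGenSys,NGenDist,NGenDesign
SeInteractiveLogonRight = *S-1-5-32-544,NGen Distributor,{ADMIN_SID},NGenSys,NGenDist,NGenDesign
SeSecurityPrivilege = *S-1-5-32-544,NGen Distributor,{ADMIN_SID},NGenSys,NGenDist,NGenDesign
SeSystemEnvironmentPrivilege = *S-1-5-32-544,NGen System,NGen Design,{ADMIN_SID},NGenSys,NGenDist,NGenDesign
SeProfileSingleProcessPrivilege = *S-1-5-32-544,NGen System,NGen Design,{ADMIN_SID},NGenSys,NGenDist,NGenDesign
SeSystemProfilePrivilege = *S-1-5-32-544,NGen System,NGen Design,{ADMIN_SID},NGenSys,NGenDist,NGenDesign
SeAssignPrimaryTokenPrivilege = NGen System
SeRestorePrivilege = *S-1-5-32-544,NGen System,NGen Distributor,{ADMIN_SID},ngensys,NGenDist,NGenDesign
SeTakeOwnershipPrivilege = *S-1-5-32-544,NGen Distributor,{ADMIN_SID},NGenSys,NGenDist,NGenDesign
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for right, missing in audit(SAMPLE_TEMPLATE).items():
        print(f"{right}: missing {', '.join(missing)}")
```

The check compares direct assignments only, which matches the guide's wording that each right must be set for both the listed groups and the listed accounts.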
3.2.4 Default security setting
Table 8 lists the default security setting and minimum requirements for Symposium Call Center Server R5.0.
Table 8 Default Security Setting
| Policy | Default Windows 2000 setting | Symposium Call Center Server minimum requirement |
|---|---|---|
| Number of previous logons to cache (in case domain controller is not available) | 10 logons | No dependency |
| Prompt user to change password before expiration | 14 days | No dependency |
| Amount of idle time required before disconnecting session | 15 minutes | No dependency |
| Allowed to eject removable NTFS media | Administrator | No dependency |
| Allow system to be shut down without having to log on | Disabled | No dependency (recommend Disabled) |
| Audit the access of global system objects | Disabled | No dependency |
| Audit use of Backup and Restore privilege | Disabled | No dependency |
| Clear virtual memory pagefile when system shuts down | Disabled | No dependency |
| Digitally sign client communication (always) | Disabled | No dependency |
| Digitally sign server communication (always) | Disabled | No dependency (recommend Disabled) |
| Digitally sign server communication (when possible) | Disabled | No dependency (recommend Disabled) |
| Disable CTRL+ALT+DEL requirement for logon | Disabled | No dependency (recommend Disabled) |
| Do not display last user name in logon session | Disabled | No dependency |
| Prevent system maintenance of computer account password | Disabled | No dependency (recommend Disabled) |
| Recovery Console: Allow automatic administrative logon | Disabled | No dependency |
| Recovery Console: Allow floppy copy and access to all drives and all folders | Disabled | No dependency |
| Restrict CD-ROM access to locally logged-on user only | Disabled | No dependency |
| Restrict floppy access to locally logged-on user only | Disabled | No dependency |
| Secure channel: Digitally encrypt or sign secure channel data (always) | Disabled | No dependency |
| Secure channel: Require strong (Windows 2000 or later) session key | Disabled | No dependency |
| Send unencrypted password to connect to third party SMB servers | Disabled | No dependency |
| Shut down system immediately if unable to log security audits | Disabled | No dependency (recommend Disabled) |
| Automatically log off users when logon time expires (local) | Enabled | No dependency (recommend Enabled) |
| Digitally sign client communication (when possible) | Enabled | No dependency |
| Prevent users from installing printer driver | Enabled | No dependency (recommend Enabled) |
| Secure channel: Digitally encrypt secure channel data (when possible) | Enabled | No dependency |
| Secure channel: Digitally sign secure channel data (when possible) | Enabled | No dependency |
| Strengthen default permissions of global system objects (e.g. Symbolic Links) | Enabled | No dependency |
| Smart card removal behavior | No Action | No dependency |
| Additional restrictions for anonymous connections | None. Rely on default permissions | No dependency |
| Allow server operators to schedule task (domain controllers only) | Not defined | No dependency (recommend Not defined) |
| Rename administrator account | Not defined | No dependency (recommend Not defined for Symposium Call Center Server installation) |
| Rename guest account | Not defined | No dependency |
| Unsigned driver installation behavior | Not defined | No dependency |
| Unsigned non-driver installation behavior | Not defined | No dependency |
| LAN Manager Authentication Level | Send LM & NTLM responses | No dependency (recommend remain in default setting) |
| Message text for users attempting to log on | On | No dependency |
| Message title for users attempting to log on | On | No dependency |
3.2.5 Default IP security policy
Table 9 lists the default IP security policies assigned and the minimum requirements for Symposium Call Center Server R5.0.
Table 9 Default IP Security Policy
| Name | Description | Default policy assigned | Symposium Call Center Server minimum requirement |
|---|---|---|---|
| Client (Respond Only) | Communicate normally (unsecured). Use the default response rule to negotiate with servers that request security. Only the requested protocol and port traffic with that service is secured. | No | No dependency (recommend No) |
| Secure Server (Require Security) | For all IP traffic, always require security using Kerberos trust. Do NOT allow unsecured communication with untrusted clients. | No | No dependency (recommend No) |
| Server (Request Security) | For all IP traffic, always request security using Kerberos trust. Allow unsecured communication with clients that do not respond to request. | No | No dependency (recommend No) |
3.2.6 Default audit policy
Table 10 lists the default Windows 2000 audit policies and minimum requirements for Symposium Call Center Server R5.0.
Table 10 Default Audit Policy
| Policy | Default Windows 2000 setting | Symposium Call Center Server minimum requirement |
|---|---|---|
| Audit account logon events | No auditing | No dependency |
| Audit directory service access | No auditing | No dependency (recommend No Auditing to maximize Symposium Call Center Server performance) |
| Audit process tracking | No auditing | No dependency (recommend No Auditing to maximize Symposium Call Center Server performance) |
| Audit account management | No auditing | No dependency |
| Audit policy change | No auditing | No dependency |
| Audit privilege use | No auditing | No dependency |
| Audit object access | No auditing | No dependency (recommend No Auditing to maximize Symposium Call Center Server performance) |
| Audit logon events | No auditing | No dependency |
| Audit system events | No auditing | No dependency (recommend No Auditing to maximize Symposium Call Center Server performance) |
3.3 Default Symposium Call Center Server server configuration
Nortel Networks recommends a default configuration for the Symposium Call Center Server R5.0 server that provides additional security for the server. Nortel Networks has verified the default configuration as listed to ensure its compatibility with the proper Symposium Call Center Server installation and operation. Therefore, if you choose to alter the default server configuration to meet specific customer requirements, note that Nortel Networks will not have verified the impact of such a change on the Symposium Call Center Server installation and configuration. Customers who deviate from the recommended default server configuration must not change or exceed any listed Symposium Call Center Server minimum requirements, and must test their server configuration with Symposium Call Center Server R5.0 in a non-production environment before putting the server online.
3.3.1 Default disk partitioning type
Symposium Call Center Server R5.0 supports Windows NTFS disk partitioning only. Windows NTFS provides additional security for server files. Symposium Call Center Server R5.0 requires that all disk partitions be NTFS.
3.3.2 Default Windows local users
Symposium Call Center Server R5.0 installs three additional Windows 2000 local users during the Symposium Call Center Server software installation. Table 11 lists the three default Symposium Call Center Server Windows local users and how the accounts are used.
Table 11 Default Symposium Call Center Server Windows Local Users
| Default Symposium Call Center Server Windows local user | Used for | Symposium Call Center Server minimum requirement |
|---|---|---|
| NGenSys | Used by customer to log in to Symposium Call Center Server for regular server maintenance (for example, PEP/SU installation etc.). | Must not be removed or renamed from Windows |
| NGenDist | Used by distribution channels and support personnel to log in to Symposium Call Center Server for maintenance and support (for example, remote support login). | Must not be removed from Windows |
| NGenDesign | Used by Nortel Networks to log in to Symposium Call Center Server. This account is reserved for Nortel Networks usage only. | Must not be removed from Windows |
Since the Symposium Call Center Server application has a dependency on the NGenSys account, this account name must not be changed. Customers can change the account names for NGenDist and NGenDesign after the Symposium Call Center Server installation, but this will prevent distribution channels and Nortel support groups from using the default account names to perform Symposium Call Center Server maintenance or support.
All three default Symposium Call Center Server Windows local users are initially created with default passwords. Customers are encouraged to change the default passwords after successful Symposium Call Center Server installation. Procedures for changing the passwords for these default accounts are documented in the Nortel Networks Symposium Call Center Server Installation and Maintenance Guide for Release 5.0[1].
3.3.3 Default print server and file sharing configuration
The Symposium Call Center Server R5.0 default network setting enables Print Server and File Sharing in the installed protocol stack, but the Symposium Call Center Server configuration does not include a default print server or a shared network folder or file. It is a Symposium Call Center Server R5.0 minimum requirement that no print server be configured on the Symposium Call Center Server R5.0 server.
For security reasons, Nortel Networks recommends that customers do not share any Symposium Call Center Server folders or files over the network. In addition, Nortel Networks recommends that only the local Administrator and Symposium Call Center Server default Windows users be granted write access to Symposium Call Center Server folders. If customers need to download any Symposium Call Center Server files (for example, PEPs or SUs), then Nortel Networks recommends that they download them to a remote computer instead of directly to the Symposium Call Center Server. After downloading the file to the remote computer, the customer can then share it with the server in the Symposium Call Center Server over the network.
3.3.4 Default Internet access
By default, Windows 2000 automatically includes a version of Internet Explorer that you can configure and use for Internet access. However, since Symposium Call Center Server does not require an Internet connection, it is a Symposium Call Center Server R5.0 minimum requirement that the Internet connection remain un-configured. Nortel Networks stipulates that there should be no Internet or Intranet access directly from the Symposium Call Center Server R5.0 server. Failure to meet this requirement may expose the server to severe security risks.
4 Security recommendations
This section includes recommended security practices for Symposium Call Center Server R5.0. Nortel Networks recommends that customers consider these suggestions when deciding on their own security policies and practices. This section is not intended to list security settings that meet specific customer requirements. Customers should review their security requirements and compare them with the default and minimum Symposium Call Center Server security settings and configuration (listed in section 3 of this guide), together with the security recommendations listed in this section, before deciding on the appropriate overall Symposium Call Center Server security configuration.
The following security recommendations are not intended to be a comprehensive security guideline for all security-related issues that customers might need to consider. These security recommendations are only intended to be used as guidelines when planning and implementing the proper Symposium Call Center Server R5.0 security policies and practices within your specific environment and according to your security requirements.
4.1 Security risk management and policy
Security threats are increasing constantly, and it is a high priority for all organizations to secure all resources on the network, including Symposium Call Center Server. There is no such thing as a completely secure Symposium Call Center Server that fully meets all the different customer security requirements. To secure Symposium Call Center Server, you must provide your own appropriate security risk management and policy plan.
Symposium Call Center Server R5.0 comes with a set of default security settings that meet most common security protection requirements. Nortel Networks has verified the default Windows 2000 Server configuration as listed to ensure its compatibility with the proper Symposium Call Center Server installation and operation. Therefore, if you choose to alter the default Windows 2000 Server operating system configuration to meet specific customer requirements, note that Nortel Networks will not have verified the impact of such a change on the Symposium Call Center Server installation and configuration. Customers who deviate from the recommended Windows 2000 Server configuration (as listed in section 3 of this guide) must test their Windows 2000 Server configuration with Symposium Call Center Server R5.0 in a non-production environment before putting the configuration online.
4.1.1 Risk management
To provide a properly secured environment, you must examine your environment and assess the risks you currently face, determine an acceptable level of risk, and maintain the risk at or below that acceptable level. Risk can be reduced by increasing the security of your server and environment. As a general rule, the higher the level of security, the more costly the risk management policy is to implement and the more likely that reductions in functionality will occur. You must review the required security level and determine how it might impact Symposium Call Center Server.
4.1.2 Security policy
The security policy defines the procedures for configuring and managing security in your environment. Organizations may have a predefined general server security policy that can conflict with the Symposium Call Center Server default setting. You must review your security policy and determine how it can be implemented with Symposium Call Center Server. Since Symposium Call Center Server is designed as a special real-time call processing platform instead of a general purpose IT server, certain IT server security policies may not be compatible with Symposium Call Center Server. In this case, you may need to relax your security settings to meet the Symposium Call Center Server minimum requirements.
If you have additional local security policy changes for the Symposium Call Center Server, then you must apply the additional security policy after you install Symposium Call Center Server to minimize any possible conflict with the default settings that are made during installation.
4.2 Windows 2000 security patches and hot fixes
Microsoft constantly identifies new Windows 2000 security vulnerabilities. Nortel Networks will monitor and validate newly issued Windows 2000 service packs, security patches and hot-fixes that are applicable to Symposium Call Center Server R5.0. The list of applicable Microsoft service packs and security hot-fixes is documented in the Symposium Products Service Packs Compatibility and Security Hotfixes Applicability List that is available on Nortel Networks Partner Information Center Web site:
https://app12.nortelnetworks.com/cgi-bin/mynn/home/NN_prodDoc.jsp?BkMg=0&prodID=45280&progSrcID=-8026&whereClause=23&curOid=12460
Nortel Networks will occasionally issue security bulletins to warn customers of critical security issues and provide recommended actions. Customers should apply all recommended security actions from Nortel Networks at the earliest possible time.
Customers are encouraged to install the latest available Windows 2000 service packs that have been validated by Nortel Networks. You should schedule regular reviews of your configuration and apply the latest available Windows 2000 service pack as part of your security risk management plan.
Given the number of operating system security patches and the complexity inherent in any network, Nortel Networks recommends that you create a systematic and accountable process for identifying and applying security patches.
To help create such a process, you can follow a series of best practices guidelines, as documented in the National Institute of Standards and Technology (NIST) Special Bulletin 800-40, Procedures for Handling Security Patches. This bulletin suggests that if an organization does not have a centralized group to coordinate the storage, evaluation, and chronicling of security patches into a library, then system administrators or the contact center administrator must fulfill this role.
In addition to these guidelines, whenever possible, Nortel Networks recommends that you follow Microsoft's recommendations regarding newly discovered vulnerabilities and that you promptly install any security patches issued by Microsoft.
Whenever possible, Nortel Networks incorporates the latest OS security recommendations and patches in an integrated solutions testing strategy during each test cycle. However, due to the urgent nature of security patches when vulnerabilities are discovered, Nortel Networks recommends that customers follow Microsoft's guidelines as they are issued, including any Microsoft installation procedures and security patch rollback processes that may be in place. Finally, you must make a full system backup before patching the system to ensure that a rollback is possible, if required.
4.3 Windows 2000 user accounts and passwords
Symposium Call Center Server R5.0 installs three default Windows 2000 local user accounts (NGenSys, NGenDist, and NGenDesign) with default passwords. The initial Symposium Call Center Server Windows account passwords include six characters (or less). To prevent Symposium Call Center Server software installation errors, you must ensure that the minimum password length in the Windows 2000 security policy does not exceed six characters before you install the software. You can change the password length and apply any additional changes to the account and password security policy after you install Symposium Call Center Server. If you increase the password length, you must also make the corresponding change to the passwords for the default Symposium Call Center Server Windows local user accounts.
All three default Symposium Call Center Server Windows local user accounts are created for a specific purpose. You must not change the account name for the NGenSys account. You may change the account names for NGenDist and NGenDesign. However, if you do so, you must provide these new account names to the Distributor/Nortel Networks Support personnel or they will not be able to use these default accounts to access the server remotely. If you change any of the default Symposium Call Center Server Windows local user account names, the changed accounts will not be removed by the Symposium Call Center Server R5.0 software uninstall program, and instead must be removed manually.
For security reasons, customers are encouraged to change the passwords for these default accounts upon successful Symposium Call Center Server installation. If you change the password for the “NGenSys” account, then you must also update the Symposium Call Center Server Backup and Restore service password (refer to the Nortel Networks Symposium Call Center Server Installation & Maintenance Guide for Release 5.0[1] for the password change procedures).
You must not add any additional Windows 2000 user accounts to Symposium Call Center Server (except the account for the R5.0 Remote Database Backup and Restore feature). With the exception of the Administrator account, other default Windows 2000 accounts (for example, Guest) can be disabled or removed to increase the security of the server. If you change the default Administrator account name, it has no impact on the normal operation of the Symposium Call Center Server R5.0 server. However, it will cause the Platform Vendor Independence Check (PVI Check) utility to notify you that an invalid administrator account is being used. Therefore, Nortel Networks recommends that you change the Administrator account name only after you install the Symposium Call Center Server R5.0 software.
4.4 Anonymous logon
The Windows 2000 Server default installation allows you to log on remotely as “Anonymous,” a feature that can expose some server information. Since Symposium Call Center Server R5.0 does not require an Anonymous logon, Nortel Networks recommends that you disable the Anonymous logon either by changing the Additional restrictions for anonymous connections security policy to No access without explicit anonymous permission, or by changing the “HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous” registry value from the default value of “0” to “2”.
4.5 Third-party applications
Due to the mission-critical, real-time processing performed by Symposium Call Center Server, Nortel Networks stipulates that no other “application” class software be installed on the server, but that certain “utility” class software may be installed, providing that it conforms to the guidelines listed below.
• “Application” class software generally requires a certain amount of system resources and is not to be installed on the Symposium Call Center Server. The addition of third-party applications may cause a real-time system, such as Symposium Call Center Server, to operate outside of the known engineering limits and hence create potential unknown system problems (for example, CPU contentions, increased network traffic loading, disk access degradations, etc.).
• Certain third-party “utility” class software applications, such as hardware diagnostics or backup tools, generally require less system resources during the normal operations of Symposium Call Center Server and are, therefore, permitted. Exceptions are utilities that may cause system problems and degrade performance, such as screen savers. Anti-virus software is classed as a utility and is subject to the generic guidelines below, as well as to a specific series of recommendations detailed further in this guide.
Note: Third party backup software can only be used for offline full backups. The database backup must be performed using the utility provided by Symposium Call Center Server due to proprietary functions called upon during the backup routine.
Guidelines for “utility” implementations
1. During run-time, the utility must not degrade the Symposium Call Center Server system beyond an average 50 percent CPU utilization. Furthermore, the utility must not lower the minimum amount of free hard disk space required by Symposium Call Center Server and the Windows operating system.
2. The utility must not cause any improper software shutdowns or out of sequence shutdowns.
3. The utility must not administer the Symposium Call Center Server software.
4. If the utility has its own database, it must not impact the Symposium Sybase database.
5. A Disk Compression utility must not be used.
6. Memory Tweaking utilities (for example, WinRAM Turbo, Memory Zipper, etc.) that are used to “reclaim” memory unused by Microsoft must not be used.
7. The installation or un-installation of the utility class software must not impact/conflict with the Symposium Call Center Server software (for example, DLL conflicts). If it does impact/conflict with the Symposium Call Center Server software, then you may need to rebuild the server.
8. The installation or un-installation of the utility class software must not impact/conflict with the Symposium Call Center Server minimum security settings and configuration (for example, enabling IIS service, conflicts in the Windows 2000 security settings, etc.). If it does impact/conflict with the Symposium Call Center Server minimum security settings and configuration, then you may need to rebuild the server.
9. The installation of the utility class software must be performed after the Symposium Call Center Server is installed.
10. The software must not be installed within the Symposium Call Center Server folder on the D: drive. Nortel Networks recommends that you install the software in its own folder on the C: drive.
11. The software must be virus free. Do not install any software when the origin of the software is not known.
It is the implementation personnel’s responsibility to perform tests to ensure that these conditions and recommendations are met prior to putting the server into production. As part of the fault diagnostic process, the Distributor/End User may be asked to remove third-party software.
4.6 Anti-virus scanning
Note that the risk of virus infection on the Symposium Call Center R5.0 server is minimal for the following reasons:
• The server requires limited access for support.
• Typically, only maintenance personnel have local access to the server and remote access through pcAnywhere.
• All Nortel Networks software distributions including PEPs and SUs are virus free.
• Customers are discouraged from installing non-Symposium Call Center Server software on the server, which minimizes the risk of encountering infected software on the server.
• Customers are discouraged from directly accessing the Internet from the server, which minimizes the risk of getting a virus through the Internet.
• There should be no e-mail activity of any kind on the Symposium Call Center Server R5.0 server, which eliminates any chance of getting a virus through e-mail.
• There should be no shared folders or files on the Symposium Call Center Server R5.0 server, which eliminates any chance of getting a virus through open file/folder sharing.
In spite of the above recommendations, Nortel Networks acknowledges the fact that many customers have security policies that may require that anti-virus software be installed on the Symposium Call Center Server R5.0 server.
Nortel Networks has carried out testing on a representative sample of anti-virus software packages (Norton, McAfee, and Innoculate) in order to determine the following generic guidelines for the use of anti-virus software:
• The Symposium Call Center Server software must be installed on the server before you install the anti-virus software. When the anti-virus software is installed, it is the implementation personnel’s responsibility to perform testing with the anti-virus software, in accordance with the guidelines for “utility” implementations outlined in section 4.5 of this guide.
• During PEP installations on both the client and server, all anti-virus functionality should be disabled (for example, firewalls, (passive) scanning, auto updates etc.) and should not be started up automatically until the entire Symposium Call Center Server installation procedure is complete. You may re-enable the anti-virus functionality afterwards, as required.
• If personal firewalls are enabled on the Symposium Call Center Server client PC, then the Report Listener may be flagged as trying to access the Internet. You must configure the ‘Properties’ to allow the Report Listener to access the Symposium Call Center Server R5.0 server through the firewall.
• Set virus scans to run on the server during off-peak hours, and not to start on the hour. Note that several maintenance tasks are automatically activated on Symposium Call Center Server at midnight, so an off-midnight time should be set for virus scans. Similarly, active virus scans should be disabled when running diagnostic traces or logs on the Symposium Call Center Server R5.0 server.
• Infected file quarantine policy on the Server and Client: The anti-virus software should not be configured to deal automatically with suspected infected files. In the event that infected files are located, do not attempt to replace or remove them. Contact your local Nortel Networks Support representative for assistance in determining if the files are part of the Symposium Call Center Server application, or a critical system file.
• Nortel Networks recommends that you exclude the following files from scanning:
F:\Nortel\Database\
<additional database drive>:\Nortel\Database
In addition, the following file should be excluded: D:\Nortel\ICCM\bin\Tools2.exe (You will encounter file access errors in the Scan Activity log if you do not exclude this file from scanning.)
• You must not connect the Symposium Call Center Server R5.0 server directly to the Internet to download virus definitions or updated files. In addition, Nortel Networks recommends that you do not connect the Symposium Call Center Server client PC to the Internet. Instead, you should download virus definitions and update files to another location on your network, and then manually upload to the Symposium Call Center Server R5.0 server. This is the same recommended procedure for downloading Symposium Call Center Server PEPs. This recommendation limits access to the Internet, and thus reduces the risk of downloading infected files.
• In addition, all PEP files, CD-ROMs, and floppy disks should be scanned prior to installing or uploading to the server. This practice minimizes any exposure to infected files from outside sources.
• SNMP alerting on virus confirmation: At this time, Nortel Networks has not tested this feature and is unable to ascertain whether it poses any potential risks to Symposium Call Center Server. It is, therefore, not recommended that you activate this feature.
• Capacity considerations: Note that running virus scan software can place an additional load on the server running Symposium Call Center Server. It is the implementation personnel’s responsibility to run the Windows 2000 Server Performance Monitor tool on the server to gauge CPU utilization. If the anti-virus software scan causes the server’s average CPU utilization to exceed 50 percent for longer than 20 minutes, then the anti-virus software should not be loaded onto the Symposium Call Center Server R5.0 server.
Note:
• Nortel Networks does not provide support on the configuration of anti-virus software, but it will endeavor to offer guidance where possible. Questions or problems on anti-virus software should be directed to the appropriate vendor.
• The above recommendations are intended as guidelines only, and do not constitute a guarantee of compatibility. Nortel Networks does not plan to perform ongoing compatibility testing, or testing on other anti-virus packages.
• If performance or functionality issues are raised to Nortel Networks Support, as part of the fault diagnosis process, the customer/distributor may be asked to remove third-party utility software or anti-virus software.
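The capacity guideline above can be checked against an exported Performance Monitor counter log. The following is an added example, not part of the Nortel guide: the CSV header and timestamp layout, the host name SCCS01 and the log contents are constructed assumptions, and "exceeds 50 percent for longer than 20 minutes" is read as the mean over any window spanning at least 20 minutes.

```python
import csv
import io
from datetime import datetime, timedelta

THRESHOLD_PCT = 50.0                 # guide: average CPU must not exceed 50 percent
WINDOW = timedelta(minutes=20)       # guide: for longer than 20 minutes
COUNTER = r"\Processor(_Total)\% Processor Time"
STAMP = "%m/%d/%Y %H:%M:%S.%f"       # assumed timestamp layout of the exported log


def constructed_log():
    """Constructed sample: 60 one-minute samples, 15% base load, 70% from minute 10 to 39."""
    start = datetime(2004, 5, 13, 2, 30)   # off-peak and not on the hour
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL)
    # Assumed header layout; SCCS01 is a hypothetical host name.
    writer.writerow(["(PDH-CSV 4.0) (GMT Standard Time)(0)", r"\\SCCS01" + COUNTER])
    for minute in range(60):
        load = 70.0 if 10 <= minute < 40 else 15.0
        stamp = (start + timedelta(minutes=minute)).strftime("%m/%d/%Y %H:%M:%S.000")
        writer.writerow([stamp, f"{load:.1f}"])
    return out.getvalue()


def load_samples(csv_text):
    """Return [(timestamp, cpu_percent)] for the _Total processor counter."""
    rows = csv.reader(io.StringIO(csv_text))
    header = next(rows)
    col = next(i for i, name in enumerate(header) if name.endswith(COUNTER))
    samples = []
    for row in rows:
        if len(row) <= col or not row[col].strip():
            continue                       # skip samples the logger missed
        samples.append((datetime.strptime(row[0], STAMP), float(row[col])))
    return samples


def sustained_breaches(samples, threshold=THRESHOLD_PCT, window=WINDOW):
    """List (start, end, average) for each shortest window spanning `window`
    whose mean utilization exceeds `threshold`."""
    breaches, start, total = [], 0, 0.0
    for end, (ts, value) in enumerate(samples):
        total += value
        while start < end and ts - samples[start + 1][0] >= window:
            total -= samples[start][1]     # slide the left edge forward
            start += 1
        if ts - samples[start][0] >= window:
            average = total / (end - start + 1)
            if average > threshold:
                breaches.append((samples[start][0], ts, round(average, 1)))
    return breaches


def scan_exceeds_guideline(csv_text):
    """True when the log shows the condition under which the guide says
    the anti-virus software should not be loaded."""
    return bool(sustained_breaches(load_samples(csv_text)))


if __name__ == "__main__":
    for begin, finish, average in sustained_breaches(load_samples(constructed_log())):
        print(f"{begin:%H:%M}-{finish:%H:%M} average {average}%")
```

A log shorter than the 20-minute window yields no result either way, so the scan has to be observed for its full duration before the guideline can be judged.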
4.7 Internet access
Internet access poses a major source of security risks, threats, and vulnerabilities to the server. By default, Windows 2000 Server installs Internet Explorer, which can be configured for accessing the Internet. Since Symposium Call Center Server R5.0 does not require Internet access, Nortel Networks recommends that you refrain from accessing the Internet or Intranet directly from the Symposium Call Center Server R5.0 server.
Nortel Networks recommends that if you require access to the Nortel Networks Web site (for example, to obtain the latest PEP/SU etc.), then you should use a separate PC that is virus free.
4.8 E-mail access
Electronic mail (e-mail) and applications using the SMTP service are a major source of security risks, threats, and vulnerabilities. By default, Windows 2000 Server installs Outlook Express, which can be configured to access an e-mail system. Since Symposium Call Center Server R5.0 does not require SMTP service, Nortel Networks recommends that you refrain from accessing any e-mail systems or installing any applications that will enable the SMTP service on the Symposium Call Center Server R5.0 server.
4.9 File and folder sharing
One of the most common forms of malicious code attack (for example, the Code Red and Nimda viruses) occurs through file and folder sharing on the server. By default, Symposium Call Center Server R5.0 does not include any shared folders or files on the server. To help maintain a secure environment, you must not share any installed file or folder at any time. Nortel Networks recommends that you refrain from granting write access permissions to any files or folders (except for the default permissions granted by Symposium Call Center Server) on the Symposium Call Center Server R5.0 server. If there is an absolute need to share files or folders on the server, then you must be cautious when granting write access permission to users on your network and remove the shared access immediately after the user completes the required task.
4.10 File and folder permission
By default, Windows 2000 grants the “Everyone” group Full Control permission on all disk drives, with no other account or group listed. This default permission gives anyone who accesses the server full control over all files and folders, and it is considered a high security risk. It is a common security policy and practice to remove the “Everyone” group permission for all disk drives and add specific Windows user accounts or groups with specific permissions. Symposium Call Center Server supports the removal of the “Everyone” group as long as the recommended accounts and groups listed in Table 12 are added to the specified disk. Symposium Call Center Server can fail to operate if these recommended accounts and groups are not added with the required permission.
Table 12 Symposium Call Center Server File and Folder Permission
Account/Group | Permission | Applied to | Granted Disk
Administrators | Full Control | This folder, Subfolders and files | All drives
SYSTEM | Full Control | This folder, Subfolders and files | All drives
Creator Owner | Full Control | Subfolders and files | C: drive only (Microsoft’s recommendation)
Everyone | Read & Execute | This folder only | Root of C: drive only (Microsoft’s recommendation)
Everyone | Read | This folder, Subfolders and files | D: drive only (do not need this permission for normal Symposium Call Center operation, only needed for running automatic test suite by Nortel Networks product verification group)
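One way to confirm that a drive still carries the Table 12 entries after the “Everyone” permission has been tightened is to compare saved `cacls` output for each drive root against the table. This is an added example, not Nortel's tooling; the output layout, the flag meanings noted in the comments and the sample text are assumptions constructed for illustration.

```python
import re

# Table 12 entries required on every drive: account -> (inheritance flags, right).
# Assumption: cacls prints "This folder, Subfolders and files" as (OI)(CI)
# and Full Control as F.
REQUIRED = {"administrators": ("(OI)(CI)", "F"), "system": ("(OI)(CI)", "F")}
ENTRY = re.compile(r"(.+):((?:\([A-Z]{2}\))*)([NRWCF])")

# Constructed sample of `cacls C:\`, `cacls D:\` and `cacls F:\` output.
CONSTRUCTED_CACLS = r"""
C:\ BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    CREATOR OWNER:(OI)(CI)(IO)F
    Everyone:R

D:\ BUILTIN\Administrators:(OI)(CI)F
    Everyone:(OI)(CI)R

F:\ Everyone:(OI)(CI)F
"""


def parse_cacls(text):
    """Return {drive: [(account, flags, right), ...]} from cacls output."""
    acls, drive = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # a new path starts in column 0
            drive, _, line = line.partition(" ")
        if drive is None:
            continue
        entry = line.strip()
        match = ENTRY.fullmatch(entry)
        if match:
            account = match.group(1).rsplit("\\", 1)[-1].lower()
            acls.setdefault(drive, []).append((account, match.group(2), match.group(3)))
        elif ":" in entry:                   # e.g. a special-access entry
            acls.setdefault(drive, []).append((entry, "", "?"))
    return acls


def audit(acls):
    """Return [(drive, finding)] for deviations from Table 12."""
    findings = []
    for drive, aces in sorted(acls.items()):
        for account, wanted in REQUIRED.items():
            if (account, *wanted) not in aces:
                findings.append((drive, f"{account} lacks Full Control on folder, subfolders and files"))
        for account, flags, right in aces:
            if right == "?":
                findings.append((drive, f"review manually: {account}"))
            elif account == "everyone" and right != "R":
                findings.append((drive, f"Everyone holds {right}; Table 12 allows read access only"))
            elif account == "everyone" and flags and drive.upper().startswith("C:"):
                findings.append((drive, "Everyone entry is inherited; Table 12 limits it to the root folder"))
    return findings


if __name__ == "__main__":
    for drive, finding in audit(parse_cacls(CONSTRUCTED_CACLS)):
        print(drive, finding)
```

The check covers both failure modes described in this section: a drive left open to “Everyone”, and a drive where the required accounts were not added back.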
4.11 Encryption
Windows 2000 supports file and folder encryption. However, Symposium Call Center Server R5.0 does not support or require any form of file and folder encryption by Windows 2000. You must not attempt to encrypt any installed Symposium Call Center Server files or folders, including all Symposium Call Center Server database folders and files. If Windows 2000 encryption is enabled
on any Symposium Call Center Server database folders or files, it will corrupt the database. In this case, Symposium Call Center Server can only be recovered by re-installing and then restoring the database from the latest available database backup.
4.12 Microsoft Baseline Security Advisor
Symposium Call Center Server R5.0 is compatible with the Microsoft Baseline Security Advisor (MBSA) security tool. You can use this tool to scan the Symposium Call Center Server R5.0 server to check if it meets the Microsoft baseline security recommendations for Windows 2000 Server. If you want to run the MBSA tool against the Symposium Call Center Server R5.0 server, then Nortel Networks recommends that you run this tool after the Symposium Call Center Server R5.0 software is installed. Due to the default configuration of Symposium Call Center Server R5.0, the MBSA may issue certain security non-compliance statements or warnings. Table 13 lists the typical MBSA version 1.2 scanning items and Nortel Networks recommendations for Symposium Call Center Server.
Table 13 MBSA scanning items and Symposium Call Center Server recommendations
MBSA scanned item | Symposium Call Center Server recommendation
MSXML Security Updates | MBSA may indicate that the latest security updates are out-of-date. Symposium Call Center Server has no dependency on MSXML, and it is the customer’s option to install the latest MSXML security update as recommended by Microsoft.
Windows Security Updates | MBSA may indicate that the latest critical security updates are missing. Check against the latest Symposium Products Service Packs Compatibility and Security Hotfixes Applicability list for applicable Microsoft security updates and install all applicable security updates.
Microsoft VM Security Updates | MBSA may indicate that the latest security updates are out-of-date. Symposium Call Center Server has no dependency on the Microsoft VM, and it is the customer’s option to install the latest Microsoft VM security update as recommended by Microsoft.
Office Security Updates | MBSA may indicate that the latest security updates are out-of-date. Symposium Call Center Server has no dependency on Microsoft Office, and it is the customer’s option to install the latest Microsoft Office security update as recommended by Microsoft.
Windows Media Player Security Updates | MBSA may indicate that the latest security updates are out-of-date. Symposium Call Center Server has no dependency on Windows Media Player, and it is the customer’s option to install the latest Windows Media Player security update as recommended by Microsoft.
MDAC Security Updates | MBSA may indicate that the latest critical security updates are missing. Check against the latest Symposium Products Service Packs Compatibility and Security Hotfixes Applicability list for applicable Microsoft security updates and install all applicable security updates.
Restrict Anonymous | MBSA may indicate non-compliance. Restrict anonymous access as recommended by Microsoft.
Administrators | MBSA may warn that more than two administrators are found on the computer. Check and confirm that only the “Administrator”, “NGenSys”, “NGenDist”, “NGenDesign”, and the remote database backup and restore users are listed in the Administrators group. Remove any additional administrator accounts.
Password Expiration | MBSA may warn that all user accounts have non-expiring passwords. “NGenSys” and the remote database backup and restore users must be configured with non-expiring passwords. Other users can be configured with password expiration, as required.
Internet Connection Firewall | Internet Connection Firewall is not available on the Windows 2000 platform. MBSA should indicate that Internet Connection Firewall is not installed or configured properly, or is not available on this version of Windows.
Local Account Password Test | MBSA may warn that some user accounts have blank or simple passwords, or could not be analyzed. The passwords for the Symposium Call Center Server default local accounts (NGenSys, NGenDist, and NGenDesign) should pass this test. Check and change user passwords if required.
Automatic Updates | MBSA may indicate non-compliance. Review and configure the server with the appropriate method to obtain the Microsoft updates.
File System | MBSA should indicate that all hard drives are using the NTFS file system. Repartition and reinstall Symposium Call Center Server if any software or database drives used by Symposium Call Center Server are not using NTFS.
Autologon | MBSA should indicate that Autologon is not configured on this computer. Remove Autologon if configured.
Guest Account | MBSA should indicate that the Guest account is disabled on this computer. Disable or remove the Guest account if enabled.
Auditing | MBSA may suggest turning on Auditing. Follow the Symposium Call Center Server R5.0 guidelines on the auditing policy (section 3.2.6 of this guide).
Services | MBSA may suggest removing unneeded services (for example, Remote Access Connection Manager, Telnet, etc.). Do not remove the Remote Access Connection Manager if the RAS method is used for a remote access (pcAnywhere) connection instead of direct modem. Since Symposium Call Center Server does not require the Telnet service, you can remove it as recommended by Microsoft. Review other listed unneeded services and disable them if they are not listed as Symposium Call Center Server required services (section 3.1.2 of this guide).
Shares | MBSA may report shares found on the server. Ensure that only the system default shares are on the server with the proper permissions. Symposium Call Center Server does not require any additional share to work.
Windows Version | MBSA must list the Windows version as the Windows 2000 Server version.
IIS Status | MBSA should indicate that this service is not running on the computer. Remove the IIS service if it is running.
SQL Server/MSDE Status | MBSA should indicate that SQL Server and/or MSDE is not installed on this computer. Remove SQL Server and/or MSDE if it is installed.
IE Zones | MBSA may indicate that Internet Explorer zones do not have secure settings for access. This is acceptable for Symposium Call Center Server if IE is not configured and used for Internet access.
Macro Security | MBSA should indicate that no Microsoft Office products are installed. Remove all Microsoft Office products from the server.
4.13 SNMP Configuration
Symposium Call Center Server R5.0 supports sending Symposium Call Center Server error and alarm events as SNMP traps only, and no other SNMP functions are provided. Nortel Networks recommends the following security configuration to reduce the security risk from SNMP service:
• If an NMS on the customer network requires no SNMP service (including receiving Symposium Call Center Server SNMP traps) from the Symposium Call Center Server, Nortel Networks recommends that you disable or remove the SNMP Service and SNMP Trap Service from the Windows services. Disabling or removing the SNMP Service and SNMP Trap Service only disables the Symposium Call Center Server capability to send error and alarm events as SNMP traps and will not interfere with other Symposium Call Center Server functions.
• Nortel Networks recommends using a customer-defined community name instead of the well-known “public” community name for SNMP traps.
• Nortel Networks recommends configuring SNMP Service to accept SNMP packets only from a specified list of known SNMP hosts instead of accepting SNMP packets from any host.
4.14 Remote support access
Symposium Call Center Server R5.0 supports remote connection to the server through pcAnywhere so that Distributors/Nortel Networks support groups can perform remote server maintenance. Customers can configure either a direct
modem, Remote Access Service (RAS), or VPN (with Nortel Networks Contivity product) connection method.
Nortel Networks recommends the VPN connection method together with the proper firewall or subnet isolation between the Symposium Call Center Server network subnet and the corporate network, as it provides a secure connection that minimizes the risk of exposing other customer network resources to the remote connection.
To prevent illegal access to the Symposium Call Center Server R5.0 server through the remote connection, you must configure the appropriate pcAnywhere and RAS (if configured) logon accounts and passwords. Nortel Networks recommends that you do not use any default or simple passwords for the pcAnywhere and RAS logon accounts.
For security reasons, a firewall may be placed in front of the Symposium Call Center Server in the network path for the remote connection. For a pcAnywhere remote session to succeed, port 5631 (TCP) and port 5632 (UDP) must be open.
4.15 Symposium Call Center Server backup and restore strategy
A proper Symposium Call Center Server backup and restore strategy is critical to recover the Symposium Call Center Server R5.0 server in the event of virus infection or server security damage beyond repair. The Symposium Call Center Server R5.0 Standby Server function does not replace the requirement for regular Symposium Call Center Server backups. It is important to note that the Symposium Call Center Server backup and restore strategy must be included as part of your security risk management plan. Nortel Networks recommends that you schedule and perform regular Symposium Call Center Server database backups (local tape or remote database backups). In addition, you must have an up-to-date Symposium Call Center Server Platform Recovery Disk (PRD) stored in a secure place. Nortel Networks recommends that you create a new PRD whenever there is a Symposium Call Center Server platform configuration change (for example, if you run the Symposium Call Center Server R5.0 Server Setup Configuration Utility, Database Expansion utility, etc.).
5 Glossary
The glossary provided relates solely to this document.
CLAN Customer Local Area Network
DHCP Dynamic Host Connection Protocol
DNS Domain Name Service
ELAN Embedded Local Area Network
IT Information Technology
LAN Local Area Network
MAS Meridian Application Server
NCC Network Control Center
Nortel Networks Servers Subnet Previously known as CLAN
PC Personal Computer
PEP Performance Enhancement Package
PRD Platform Recovery Disk
RAS Remote Access Service
SCCS Symposium Call Center Server
SMTP Simple Mail Transfer Protocol
SU Service Update
WAN Wide Area Network
6 References
[1] Nortel Networks Symposium Call Center Server Installation and Maintenance Guide, Product release 4.2, Standard 1.0, April 2002