Security Configuration for Windows 2003 DIANE systems DPS7000/XTA NOVASCALE 7000 Security REFERENCE 47 A2 11EL 02


Page 1: Security configuration for Windows 2003 Diane systems User ...support.bull.com/ols/product/system/gcos7/gcos7... · Security configuration for Windows 2003 DIANE systems 2-2 47 A2

Security Configuration for Windows 2003 DIANE systems

DPS7000/XTA NOVASCALE 7000

Security

REFERENCE 47 A2 11EL 02


DPS7000/XTA NOVASCALE 7000

Security Configuration for Windows 2003 DIANE systems

Security

January 2006

BULL CEDOC

357 AVENUE PATTON

B.P.20845

49008 ANGERS CEDEX 01

FRANCE

REFERENCE 47 A2 11EL 02


The following copyright notice protects this book under Copyright laws which prohibit such actions as, but not limited to, copying, distributing, modifying, and making derivative works.

Copyright Bull SAS 1992, 2006

Printed in France

Suggestions and criticisms concerning the form, content, and presentation of this book are invited. A form is provided at the end of this book for this purpose.

To order additional copies of this book or other Bull Technical Publications, you are invited to use the Ordering Form also provided at the end of this book.

Trademarks and Acknowledgements

We acknowledge the right of proprietors of trademarks mentioned in this book.

Intel® and Itanium® are registered trademarks of Intel Corporation.

Windows® and Microsoft® software are registered trademarks of Microsoft Corporation.

UNIX® is a registered trademark in the United States of America and other countries licensed exclusively through the Open Group.

Linux® is a registered trademark of Linus Torvalds.

The information in this document is subject to change without notice. Bull will not be liable for errors contained herein, or for incidental or consequential damages in connection with the use of this material.

Preface

Purpose

This document targets customers requiring information about the security configuration of:

- the DPS7000/XTA Diane system (32-bit) under Windows 2003 (original version with no Service Packs installed) or Windows 2003 SP1

- the NS7000 (Itanium) Diane system under Windows 2003 SP1.

To be effective, a security policy must be defined and applied at all levels of a company's information system. The Diane server must be installed in a secure environment.

This document does not discuss security for the global infrastructure of an information system but those security issues that apply to the Diane server.

This version concerns the Diane DPS7000/XTA 32-bit server and NS7000 Itanium server.

The security of the BullMaint maintenance workstation (or PAP in NS7000) is not discussed in this document.

For all Windows 2003 Diane systems the majority of security elements are factory-configured by applying a security model and by adding extra security features. The decision to enable the Windows 2003 SP1 firewall described in this document is optional and left to customers, who can choose whether or not to use it depending on their own IT system security policy.

All the security measures described in this document have been validated in depth by specialist Bull teams.

Structure

Chapter 1: Diane-Windows 2003 security model

Chapter 2: Additional security settings

Chapter 3: Configuring and enabling the Windows 2003 firewall

Chapter 4: List of ports used on the Diane-Windows 2003 system

Chapter 5: Windows updates

Chapter 6: Choosing an antivirus

Appendix A: Windows 2003 ports

Appendix B: Windows services on the Diane-Windows 2003 system

Appendix C: Firewall configurator

Bibliography

• Internet Connection Firewall Feature Overview (Microsoft) http://www.microsoft.com/technet/prodtechnol/winxppro/plan/icf.mspx

• Windows Server 2003 System Services Reference (Microsoft) http://download.microsoft.com/download/8/a/d/8ad3bc09-c975-4552-a56d-cee76181a301/SPTCG_SSS.doc

• 77 A2 88 US V7000 Software Installation and Activation Guide

• 47 A2 91US Interop7 User’s Guide

• 47 A2 37UT TDS-TCP/IP User’s Guide

• 47 A2 02EL Security on the DIANE System (Windows 2000)

Revisions

• Revision 00: First version of the document

This version concerns the initial version of Windows 2003 (with application of a Service Pack).

Some security issues are not discussed in this initial version of the document. Please contact Bull's support teams if you have any questions.

• Revision 01:

Two new chapters added:

Chapter 5: Windows updates

Chapter 6: Choosing an antivirus

Additions to Chapter 4: List of ports used on the Diane-Windows 2003 system, in particular for CLX and IUM-SA7.

• Revision 02:

Additions for Windows 2003 SP1 on DPS7000/XTA and NovaScale 7000

Contents

1. Diane-Windows 2003 security model
  1.1 Windows 2003 services
  1.2 NTFS permissions
    E:\ConfigV7000
    E:\GlobalDiskSpace

2. Additional security settings
  2.1 Users and groups
  2.2 Network
  2.3 Strategy

3. Configuring and enabling the Windows 2003 firewall
  3.1 Windows 2003 SP1 firewall
  3.2 Configuring Windows 2003 SP1 firewall
  3.3 Activating the Windows 2003 SP1 firewall
  3.4 Oracle
  3.5 SNMP

4. List of ports used on the Diane-Windows 2003 system
  4.1 Ports
  4.2 FTP7
  4.3 TDS-TCP/IP
  4.4 SUBUX
  4.5 CLX
  4.6 IUM-SA7
  4.7 ORACLE

5. Windows updates
  5.1 Regular updates
  5.2 Service Packs

6. Choosing an antivirus
  6.1 Symantec Antivirus
  6.2 Support for other antivirus programs than Symantec AntiVirus™

A. Windows 2003 ports

B. Windows services on the Diane-Windows 2003 system

C. Firewall configurator
  C.1 Automatic mode
    C.1.1 User rights
    C.1.2 Checking of Windows version
    C.1.3 Checking of Windows Firewall/Internet Connection Sharing (ICS) service state
    C.1.4 Automatic mode of configuration (cases 1-4)
    C.1.5 Automatic mode of enumeration (cases 5-6)
  C.2 V7000 Firewall Configurator User Rights
    C.2.1 No user rights
    C.2.2 Read only restricted rights
    C.2.3 Full user rights
  C.3 Checking of Windows version
  C.4 Checking of Windows Firewall/Internet Connection Sharing (ICS) service state
  C.5 Checking of a V7000 Firewall Configurator previous instance
  C.6 Components managed in main dialog box
    C.6.1 Native Windows common components
    C.6.2 V7000 components
    C.6.3 Interop7 components
    C.6.4 Third party components
  C.7 Components state towards the firewall at main dialog box opening time
    C.7.1 Case of Interop7 components uninstall
  C.8 Components state validation/invalidation in main dialog box
  C.9 Main dialog box use cases
    C.9.1 Use case 1
    C.9.2 Use case 2
    C.9.3 Use case 3
    C.9.4 Use case 4
    C.9.5 Use case 5
    C.9.6 Use case 6
    C.9.7 Use case 7
  C.10 Interactive session file


1. Diane-Windows 2003 security model

All factory-default Diane-W2003 systems are made secure by the systematic application of the "Diane-Windows 2003" security model.

This chapter describes the effects of applying the security model to the machine configuration compared to the standard Windows 2003 configuration.

1.1 Windows 2003 services

The following services are disabled in addition to those already disabled by default by Windows.

Note for SP1: on Windows 2003 SP1, the services marked with an asterisk (*) are not set to "Disabled" by the Diane security model.

Application Management: Application installation via the network

Automatic Updates: Automatic updates from the Microsoft update site

Background Intelligent Transfer Service: File transfer using leftover bandwidth

Computer Browser: Updates to resources shared over the network

DHCP Client: Access to a DHCP server to get an IP address

Distributed File System: Management of distributed logical volumes (DFS)

Distributed Link Tracking Client: Management of NTFS files via the network

File Replication: Duplication of files over the network

FTP Publishing Service *: FTP administration via IIS

Indexing Service: File indexing for fast local or networked searches

Remote Access Auto Connection Manager: Automatic handling of network connections

Remote Access Connection Manager: Management of dialup or VPN connections through the internet

Remote Registry: Enables remote administrators to modify the registry

Smart Card: Management of smart cards and smart card readers

TCP/IP NetBIOS Helper: Support for the NetBIOS protocol

Telephony: Support for Telephony APIs

World Wide Web Publishing Service *: Web administration via IIS

Each of these services can be re-enabled (set to MANUAL or AUTOMATIC) according to the customer's needs.

For more information:

http://download.microsoft.com/download/8/a/d/8ad3bc09-c975-4552-a56d-cee76181a301/SPTCG_SSS.doc
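Because the manual allows each of these services to be re-enabled on request, a practitioner will want a quick way to see how far a running machine has drifted from the factory model. The following PowerShell script is an added example and is not part of the Bull manual or of the V7000 software: it compares the startup mode of every service in the list above with the expected "Disabled" value, using the WMI Win32_Service class, and drops the two asterisked services from the expected set when -Sp1 is given. The display names are the ones printed in section 1.1.

```powershell
# Added example (not from the Bull manual): audit the Diane-Windows 2003
# security model's disabled-services list against the running machine.
# Run from an administrative PowerShell prompt on the Diane server.
# Service display names are those of section 1.1; the two SP1 exceptions
# (asterisked in the manual) are left out of the expected set with -Sp1.

$DianeDisabledServices = @(
    'Application Management',
    'Automatic Updates',
    'Background Intelligent Transfer Service',
    'Computer Browser',
    'DHCP Client',
    'Distributed File System',
    'Distributed Link Tracking Client',
    'File Replication',
    'FTP Publishing Service',            # * not disabled by the model on SP1
    'Indexing Service',
    'Remote Access Auto Connection Manager',
    'Remote Access Connection Manager',
    'Remote Registry',
    'Smart Card',
    'TCP/IP NetBIOS Helper',
    'Telephony',
    'World Wide Web Publishing Service'  # * not disabled by the model on SP1
)
$Sp1Exceptions = @('FTP Publishing Service', 'World Wide Web Publishing Service')

function Test-DianeServiceModel {
    param([switch]$Sp1)

    $expected = $DianeDisabledServices
    if ($Sp1) { $expected = $expected | Where-Object { $Sp1Exceptions -notcontains $_ } }

    # Win32_Service.StartMode is one of Boot, System, Auto, Manual, Disabled
    $services = Get-WmiObject -Class Win32_Service
    $findings = @()
    foreach ($name in $expected) {
        $svc = $services | Where-Object { $_.DisplayName -eq $name }
        if ($svc -eq $null) {
            # A service that is not installed at all cannot be enabled: treat as compliant
            $findings += New-Object PSObject -Property @{
                Service = $name; StartMode = 'not installed'; State = ''; Compliant = $true }
            continue
        }
        $findings += New-Object PSObject -Property @{
            Service   = $name
            StartMode = $svc.StartMode
            State     = $svc.State
            Compliant = ($svc.StartMode -eq 'Disabled')
        }
    }
    return $findings
}

# Usage: list every service that no longer matches the factory model
# (for example one re-enabled by hand, which the manual permits but which
# should be a recorded decision rather than an unnoticed change).
Test-DianeServiceModel -Sp1 |
    Where-Object { -not $_.Compliant } |
    Format-Table Service, StartMode, State -AutoSize
```

A service reported as "Auto" or "Manual" here is not necessarily a fault, since the manual allows re-enabling; the value of the report is that every deviation from the factory model becomes visible and can be matched against a change record.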


1.2 NTFS permissions

NTFS permissions are applied by default to directories and their dependants as follows:

C:\Drivers:

Full Control for Administrators and V7000BullServices groups

Read & Execute/List Folder for Everyone

C:\Fix_Manufacturing:

Full Control for Administrators and V7000BullServices groups

Read & Execute/List Folder for Everyone

E:\ (V7000 partition)

Full Control for Administrators

Read & Execute/Write/Modify/List Folder for V7000BullServices

Read & Execute/List Folder for Everyone

These permissions are propagated to subdirectories:

E:\ConfigV7000

and

E:\GlobalDiskSpace

Warning: Disk space other than the "GCOS7 disks" (that is, space for Windows applications or data) must be outside the mount points under "E:\GlobalDiskSpace", and its partitions must use a drive letter from G: onwards. If partitions were previously attached to mount points under "E:\GlobalDiskSpace", use Disk Manager to change the partition letters. In this case the permissions inherited from "E:\GlobalDiskSpace" are kept; modify them according to customer requirements.


The C:\Fix_Manufacturing\Security directory contains the files that define the factory-default W2003 configuration, for use in case of problems. These files are:

W2003aclc1.txt (for C:\Drivers)

W2003aclc2.txt (for C:\Fix_Manufacturing)

W2003acle.txt (for the E:\ Partition)

Note: The permissions defined in this chapter must not be modified.
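Since the manual states that these permissions must not be modified, the useful companion is a check that they are still in place. The script below is an added example, not part of the Bull manual or of the V7000 software: it reads the ACL of each of the three protected roots with Get-Acl and verifies that the groups named in section 1.2 hold at least the rights listed there. The V7000BullServices group name and the paths come from the manual; the expected rights are the FileSystemRights values that correspond to the names shown in the Windows security dialog ("Read & Execute/List Folder" is ReadAndExecute, "Read & Execute/Write/Modify/List Folder" is Modify), which is an interpretation on my part.

```powershell
# Added example (not from the Bull manual): verify that the factory NTFS
# permissions of section 1.2 are still present on the three protected roots.
# The check is "at least these rights are granted"; it does not detect extra
# rights given to other accounts, which should be reviewed separately.

$Expected = @(
    @{ Path = 'C:\Drivers';           Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Path = 'C:\Drivers';           Identity = 'V7000BullServices';      Rights = 'FullControl' },
    @{ Path = 'C:\Drivers';           Identity = 'Everyone';               Rights = 'ReadAndExecute' },
    @{ Path = 'C:\Fix_Manufacturing'; Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Path = 'C:\Fix_Manufacturing'; Identity = 'V7000BullServices';      Rights = 'FullControl' },
    @{ Path = 'C:\Fix_Manufacturing'; Identity = 'Everyone';               Rights = 'ReadAndExecute' },
    @{ Path = 'E:\';                  Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Path = 'E:\';                  Identity = 'V7000BullServices';      Rights = 'Modify' },
    @{ Path = 'E:\';                  Identity = 'Everyone';               Rights = 'ReadAndExecute' }
)

function Test-DianeNtfsPermissions {
    $results = @()
    foreach ($e in $Expected) {
        $acl = Get-Acl -Path $e.Path
        # Accept both 'V7000BullServices' and 'MACHINE\V7000BullServices' as the identity;
        # several Allow entries for one identity (this folder / subfolders) are OR-ed together.
        $rules = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.IdentityReference.Value -eq $e.Identity -or
             $_.IdentityReference.Value -like "*\$($e.Identity)")
        })
        $granted = 0
        foreach ($r in $rules) { $granted = $granted -bor [int]$r.FileSystemRights }
        $wanted = [int][System.Security.AccessControl.FileSystemRights]$e.Rights
        $ok = ($rules.Count -gt 0) -and (($granted -band $wanted) -eq $wanted)
        $results += New-Object PSObject -Property @{
            Path     = $e.Path
            Identity = $e.Identity
            Expected = $e.Rights
            Actual   = $(if ($rules.Count -gt 0) { [System.Security.AccessControl.FileSystemRights]$granted } else { 'no Allow entry' })
            OK       = $ok
        }
    }
    return $results
}

# Usage: a row with OK = False means a factory permission has been removed or weakened.
Test-DianeNtfsPermissions | Format-Table Path, Identity, Expected, Actual, OK -AutoSize
```

Run it after any disk reorganisation of the kind described in the warning above (partitions moved off the E:\GlobalDiskSpace mount points), since that is exactly when inherited permissions tend to change without anyone noticing.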


2. Additional security settings

The additional security settings described in this chapter are applied to the factory-default version of all Diane-Windows 2003 systems.

2.1 Users and groups

Administrator group:

- There is no Administrator user account.

- One AdmDiane account, with a password chosen by the customer.

- One AdmBull account, with a factory-default password unique to the machine.

IIS_WPG group:

- The IUSR_XXX user account is disabled.

- The IWAM_XXX user account is disabled.

2.2 Network

File and Printer Sharing for Microsoft Networks is unselected in the network card properties for the machine's TCP/IP connection.

The purpose of this is to prevent shared resources (Files, printers) being mounted on the machine.

It also prevents users from doing remote Computer Management from another Windows machine.


It can be re-enabled without stopping GCOS or V7000 or rebooting Windows.

2.3 Strategy

The security settings mean that the Windows logon dialog keeps no record of the last logged-on user:

Interactive logon: Do not display last user name is set to "Enabled".

For Windows 2003 SP1:

The security settings also mean that the user name is not displayed when returning from the "Idle screen":

Interactive logon: Do not display user information when the session is locked is set to "Enabled".

It is possible to change these settings to "Disabled".

To change them, launch gpedit.msc (Start / Run) and go through the tree structure as follows:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
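The account layout of section 2.1 and the logon-display option of section 2.3 are both easy to check from a script, which is useful after a system has been in service for a while. The following PowerShell script is an added example, not part of the Bull manual or of the V7000 software. The account names come from section 2.1 (IUSR_ and IWAM_ are the IIS accounts whose suffix depends on the machine name); the registry value DontDisplayLastUserName is the value that the "Interactive logon: Do not display last user name" policy sets, which I know from Windows documentation rather than from the manual. The SP1-only "session is locked" option is not checked here.

```powershell
# Added example (not from the Bull manual): check the account layout of
# section 2.1 and the "Do not display last user name" setting of section 2.3.
# Run from an administrative PowerShell prompt on the Diane server.

function Test-DianeAccounts {
    # Local accounts only; domain accounts are outside the manual's scope
    $accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
    $findings = @()
    foreach ($a in $accounts) {
        $verdict = $null
        switch -Wildcard ($a.Name) {
            'Administrator' { $verdict = 'should not exist on a factory Diane system' }
            'IUSR_*'        { if (-not $a.Disabled) { $verdict = 'IIS anonymous account should be disabled' } }
            'IWAM_*'        { if (-not $a.Disabled) { $verdict = 'IIS process account should be disabled' } }
        }
        if ($verdict) {
            $findings += New-Object PSObject -Property @{ Account = $a.Name; Finding = $verdict }
        }
    }
    # The two administrative accounts the manual describes must be present
    foreach ($required in 'AdmDiane', 'AdmBull') {
        if (-not ($accounts | Where-Object { $_.Name -eq $required })) {
            $findings += New-Object PSObject -Property @{ Account = $required; Finding = 'missing' }
        }
    }
    return $findings
}

function Test-DianeLogonDisplayPolicy {
    # Registry value behind "Interactive logon: Do not display last user name"
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DontDisplayLastUserName
    # 1 = Enabled (factory setting); 0 or absent = Disabled
    return ($value -eq 1)
}

# Usage: an empty account table and "True" for the policy is the factory state
Test-DianeAccounts | Format-Table Account, Finding -AutoSize
"Do not display last user name enabled: " + (Test-DianeLogonDisplayPolicy)
```

If the policy check returns False after someone changed it through gpedit.msc as described above, that is expected; the point of the check is to confirm that such a change was deliberate.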


3. Configuring and enabling the Windows 2003 firewall

On Diane systems, the Windows 2003 firewall is disabled by default. The decision to enable it is at the customer's discretion, since it is directly linked to the company's general IT security policy.

The Windows firewall evolved considerably between Windows 2003 and Windows 2003 SP1. On the Diane system the firewall can be activated starting from the Windows 2003 SP1 version. The information contained in this section is not applicable to the initial version of Windows 2003.

3.1 Windows 2003 SP1 firewall

The main characteristics of the Windows 2003 SP1 firewall are as follows:

• The activation of the firewall is available for all connections (i.e. all network cards) of the platform.

• Filters incoming and outgoing connections.

• Can be configured for applications (.exe file names) or communication ports (TCP or UDP protocols).

• In case of a configured application, the communication ports used by this application are opened only when it is active.


3.2 Configuring Windows 2003 SP1 firewall

Activating the firewall must obviously not disturb the operation of the Diane server. The firewall must therefore be configured for the applications that can be used on the server and that use communication ports.

For more details about the communication ports used on Diane, refer to section 4.

To facilitate the configuration of the firewall on the Diane server, a specific tool has been designed: "V7000 Firewall Configurator".

Several V7000 and Interop7 components use network facilities and must operate correctly when the firewall is activated on the platform.

The goal of the V7000 Firewall Configurator application is to configure the native firewall of Windows 2003 SP1:

• for V7000 and Interop7 components as well as Windows native common components necessary for V7000 and Interop7

• and also for factory installed third party components on a “Full V7000 Server” installation.

The configuration tool is activated at the end of the V7000 activation and at the end of the Interop7 installation. The configuration is automatically done for V7000 and Interop7 applications.

However, the configurator application has no effect on the activation or deactivation of the firewall itself. That decision is the customer's responsibility.

The configuration tool can also be manually started. It can be used for the firewall configuration on the Diane server as well as on a remote administration station (V7000 Remote Admin).

A detailed description of the "V7000 Firewall Configurator" is available in the appendix C of this document.


3.3 Activating the Windows 2003 SP1 firewall

On a Windows 2003 SP1 Diane server, the Windows Firewall/Internet Connection Sharing (ICS) service is started at the factory.

To activate the firewall, select “on” in the Windows Firewall view (started from the “Control Panel”):


To configure the Windows Firewall for standard applications used on a Diane server, go to "Exceptions" Tab and check:

- Remote Desktop

This will allow "Remote Desktop" on all Network Connections

Then go to the "Advanced" tab and select the TCP-IP Network Connection.


- Click on "Settings"


- Select:

FTP Server (associated to port 21)

Telnet Server (associated to port 23)

Web Server (HTTP) (associated to port 80)

- Click on OK

- In the same way as the TCP-IP Network Connection was selected, now select HUB CONNECTION and repeat the same operation for the three services.


• Response to a "ping"

Once enabled, the firewall protects the machine from "pings" coming from all other machines. This is an important element in strengthening security.

However, "pings" may be useful in checking that a network between two machines is working correctly. In this case, you can configure the firewall using the ICMP (Internet Control Message Protocol) tab so that the machine answers "pings" from other machines.

To avoid a breach in security, this must be a temporary measure only. The rights described below must be removed once they cease to be necessary.


In the ICMP Box:

- click on the "Settings…" button.


Note: Microsoft strongly recommends that you do not open ICMP messages that are used in hacking and denial-of-service attacks. (Source: Internet Connection Firewall (ICF) Feature Overview.)

3.4 Oracle

Applications that must be defined in the firewall configuration:

• In the case of a database on GCOS7: v7sg7.exe (should be automatically defined by the configurator at the end of the Interop7 installation).

• In the case of a database on Windows: oracle.exe and tnslsnr.exe in the bin directory of the Oracle installation.


3.5 SNMP

Applications that must be defined in the firewall configuration:

C:\WINDOWS\System32\snmp.exe for "SNMP Service"

C:\WINDOWS\System32\snmptrap.exe for "SNMP Trap Service"
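The Control Panel steps of sections 3.3 to 3.5 can be expressed as commands in the netsh firewall context that Windows 2003 SP1 provides, which makes the exception set reproducible and easy to re-check after a change. The following PowerShell script is an added example and is not part of the Bull manual or of the V7000 Firewall Configurator. The interface names ("TCP-IP Network Connection", "HUB CONNECTION"), port numbers, ICMP use and program paths are taken from the sections above; the Oracle bin directory is a placeholder because the manual does not give one. Turning the firewall on is left as a separate, deliberate command, since the manual makes that the customer's decision.

```powershell
# Added example (not from the Bull manual): the exception set of sections
# 3.3 to 3.5 as "netsh firewall" commands (Windows 2003 SP1 firewall context).
# Run from an administrative PowerShell prompt on the Diane server.

$Interfaces = @('TCP-IP Network Connection', 'HUB CONNECTION')

# Section 3.3: Remote Desktop on all connections, then FTP, Telnet and HTTP
# on each of the two named connections.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE
foreach ($iface in $Interfaces) {
    netsh firewall set portopening protocol=TCP port=21 name="FTP Server"        mode=ENABLE interface="$iface"
    netsh firewall set portopening protocol=TCP port=23 name="Telnet Server"     mode=ENABLE interface="$iface"
    netsh firewall set portopening protocol=TCP port=80 name="Web Server (HTTP)" mode=ENABLE interface="$iface"
}

# Section 3.4: Oracle. v7sg7.exe is normally added by the V7000 Firewall
# Configurator at the end of the Interop7 installation; oracle.exe and
# tnslsnr.exe are needed only when the database runs on Windows.
$OracleBin = 'D:\oracle\product\bin'   # placeholder: use the real Oracle bin directory
netsh firewall add allowedprogram program="$OracleBin\oracle.exe"  name="Oracle database" mode=ENABLE
netsh firewall add allowedprogram program="$OracleBin\tnslsnr.exe" name="Oracle listener" mode=ENABLE

# Section 3.5: SNMP service and SNMP trap service
netsh firewall add allowedprogram program="C:\WINDOWS\System32\snmp.exe"     name="SNMP Service"      mode=ENABLE
netsh firewall add allowedprogram program="C:\WINDOWS\System32\snmptrap.exe" name="SNMP Trap Service" mode=ENABLE

# Section 3.3, "Response to a ping": allow incoming echo requests (ICMP type 8)
# only for the duration of a network check, then close them again, as the
# manual requires.
function Enable-DianePingReply  { netsh firewall set icmpsetting type=8 mode=ENABLE }
function Disable-DianePingReply { netsh firewall set icmpsetting type=8 mode=DISABLE }

# Review the resulting configuration. Turning the firewall on is a separate,
# deliberate step:  netsh firewall set opmode mode=ENABLE
netsh firewall show config
```

Keeping the ping exception behind two named functions makes the temporary nature of the opening explicit: the check that follows a network test is simply that Disable-DianePingReply was run and that "netsh firewall show config" no longer lists ICMP type 8 as allowed.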


4. List of ports used on the Diane-Windows 2003 system

This section lists the port numbers used on the Diane Windows 2003 server.

Remember that the Windows 2003 SP1 firewall automatically opens the ports used by the applications defined at the time of its configuration.

The configuration of the firewall for the V7000 and Interop7 components is handled by the firewall configurator, as described in section 3 and in appendix C of this document.

With Windows 2003 SP1 it is therefore no longer necessary to open each port individually. This section is nevertheless kept for information purposes.

4.1 Ports

The ports used on the Diane system are defined in the documentation for each product. This product documentation should be used as the reference guide.

For information purposes, the following table lists the incoming ports used by the products (or functions) often used on the Diane system. This list may not be exhaustive. In case of problems, it is recommended you refer to the product documentation.

The "Open by default" column indicates which ports should be opened systematically when enabling the firewall. These ports are used by the system's basic products or functions. The others must only be opened if the listed products are used.

The port numbers given in this table are those defined by default. The majority are configurable. Any changes to the port number must also be reflected in the firewall configuration.


Product (or function) | Ports (default value) | Open by default
DCOM | 7050 - 7099 TCP | YES
RPC | 135 TCP | YES
FTP7 | 9037 TCP | YES (see note on FTP7 below table)
NT7GW for ESP7, DA7, JTDS, JUFAS, JESP7, HOOX, etc. accessing GCOS7 via the ATMI API (TDS_TCP/IP) or H_SRVCAM (DSA) | 9002 TCP | YES
SRVCAM for CNDSA | 9003 TCP | YES
TDS-TCP/IP | See note on TDS-TCP/IP below table | NO
SQL *XT | 9007 TCP | NO (only open in the case of access from a remote system)
IUM-SA7 | See note on IUM-SA7 below table | NO
SUBUX | Range 1023 - 512 (see note on SUBUX below table) | NO
CLX | Range 1023 - 512 (see note on CLX below table) | NO
SDM (Shared Disk Manager) | 7000 TCP | NO (only open in the case of shared disks)
RCF7 (Remote Control Facility) | 7011 TCP | NO (only open if ISM is used)
SNMP | 161 UDP | NO
SNMP7 | 7161 UDP | NO
OpenSave | No port to open |
NetOp | 6502 TCP and UDP | NO (pointless if standard connection via maintenance network)
Navisphere | 6389 TCP | NO (only useful for CX range)

Page 31: Security configuration for Windows 2003 Diane systems User ...support.bull.com/ols/product/system/gcos7/gcos7... · Security configuration for Windows 2003 DIANE systems 2-2 47 A2

List of ports used on the Diane-Windows 2003 system

47 A2 11EL 4-3

4.2 FTP7

The firewall manages the opening of the dynamic FTP data ports automatically, because it recognizes FTP through the use of port 21 on the local or remote machine.

When the transfer is initialized on GCOS7 and the remote server is not listening on port 21, the firewall does not know FTP is being used and cannot manage the dynamic ports. Use port 21 on the remote system (instead of port 9037 for a Diane).

When the transfer is initialized by a remote client in passive mode, you must either use active mode or use port 21 on the Diane.

4.3 TDS-TCP/IP

TDS uses the port specified in the Windows services file <windir>\system32\drivers\etc\services. The service name is the concatenation of the local host name and the TDS name:

<local host name><tds name>

For example, if a client wants to connect to the TDS named TDS1 located on the XTA system referenced by the host name BC0F, the following line must appear in the services file:

bc0ftds1 10100/tcp

You should then open port 10100 TCP.

4.4 SUBUX

SUBUX uses ports, in pairs, in decreasing order from 1023 to 512. The number of pairs of ports used corresponds to the number of SUBUX commands that can be submitted and activated simultaneously, to a maximum of 255.

It is therefore essential to open as many pairs of ports, beginning with 1023,1022, as there are SUBUX commands that can be submitted and activated simultaneously, plus, if appropriate, a number of additional ports in case other applications use ports in the same range.

You are advised to refer to the SUBUX product documentation, available in the following document:

47 A2 91US 06 Interop7 User’s Guide

4.5 CLX

The Interop ID340 release is a prerequisite for using CLX with the firewall activated.

CLX selects its ports from the same range as SUBUX in decreasing numeric order starting with 1023. CLX does not use more than 5 ports.

If CLX is used with SUBUX, you simply open 5 extra ports in addition to the ones defined for SUBUX (see the previous paragraph).

If CLX is used without SUBUX, it is recommended that you open about ten ports in decreasing numeric order starting with 1023.

You are advised to refer to the CLX product documentation, available in the following document:

47 A2 63UU 07 Cartridge Tape Library User’s Guide


4.6 IUM-SA7

The GCOS7 IUM-SA7 agent listens on a port that is chosen dynamically.

When it is initialized, it writes all useful information for clients who want to connect in the ST7SEC_BINDING member of SA7.IUM.SL. The client can retrieve this information via FTP.

Example of the content of the member SA7.IUM.SL..ST7SEC_BINDING:

ncadg_ip_udp 172.31.37.14 22115

It contains three pieces of connection information:

• Protocol: UDP
• Address: 172.31.37.14
• Port: 22115

This is the port you need to open in the Firewall configuration (you will need to modify it if another occurrence of the agent is launched).
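The notes in sections 4.3 to 4.6 each give a rule for finding the port to open. The following Python script, added here as an illustration and not part of the Bull document or of any Bull product, applies those rules together with the "Open by default" rows of the table in 4.1 to produce the list of firewall openings. The host name BC0F and the TDS name TDS1 are taken from the example in 4.3; the services-file extract, the number of concurrent SUBUX commands and the choice of products in use are constructed samples, and the generated `netsh firewall add portopening` lines use the syntax of the Windows Server 2003 SP1 firewall, which is assumed here to be the firewall being configured.

```python
"""Added example, not part of the Bull document: derive the firewall openings
for a Diane system from the rules in sections 4.1 and 4.3 to 4.6.
BC0F/TDS1 come from section 4.3; the services extract, command counts and
product selection are constructed samples; the netsh syntax is the Windows
Server 2003 SP1 firewall's, assumed to be the firewall in use."""
from typing import Dict, Iterable, List, Tuple

Rule = Tuple[str, int]  # (protocol, port); protocol is TCP, UDP or ALL

# Section 4.1 rows with "Open by default" = YES.
BASE_OPENINGS: Dict[str, Tuple[str, Iterable[int]]] = {
    "DCOM":   ("TCP", range(7050, 7100)),
    "RPC":    ("TCP", [135]),
    "FTP7":   ("TCP", [9037]),
    "NT7GW":  ("TCP", [9002]),
    "SRVCAM": ("TCP", [9003]),
}

# DCE RPC protocol-sequence names as they appear in ST7SEC_BINDING (4.6).
PROTSEQ = {"ncadg_ip_udp": "UDP", "ncacn_ip_tcp": "TCP"}

# Constructed extract of <windir>\system32\drivers\etc\services.
SAMPLE_SERVICES = """# constructed sample
ftp        21/tcp
bc0ftds1   10100/tcp   # TDS1 on host BC0F (section 4.3)
"""

def tds_port(services_text: str, host: str, tds: str) -> Rule:
    """Section 4.3: the entry is named <host><tds>, e.g. bc0ftds1."""
    wanted = (host + tds).lower()
    for raw in services_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2 and fields[0].lower() == wanted:
            port, proto = fields[1].split("/", 1)
            return proto.upper(), int(port)
    raise LookupError(f"no services entry named {wanted}")

def subux_ports(concurrent_commands: int, spare: int = 0) -> List[int]:
    """Section 4.4: one pair of ports per concurrent command, taken from 1023
    downwards, 255 commands at most; 'spare' covers other applications."""
    if not 1 <= concurrent_commands <= 255:
        raise ValueError("SUBUX accepts 1 to 255 concurrent commands")
    count = 2 * concurrent_commands + spare
    ports = list(range(1023, 1023 - count, -1))
    if ports[-1] < 512:  # 512 is the bottom of the SUBUX range
        raise ValueError("request does not fit in the 1023-512 range")
    return ports

def clx_ports(ports_taken_by_subux: int = 0) -> List[int]:
    """Section 4.5: 5 ports below the SUBUX set, or about ten from 1023
    downwards when SUBUX is not used."""
    width = 5 if ports_taken_by_subux else 10
    first = 1023 - ports_taken_by_subux
    return list(range(first, first - width, -1))

def ium_sa7_binding(member_text: str) -> Tuple[str, str, int]:
    """Section 4.6: 'ncadg_ip_udp 172.31.37.14 22115' -> (UDP, addr, port)."""
    protseq, address, port = member_text.split()
    return PROTSEQ[protseq], address, int(port)

def build_allow_list(*, services_text: str = "", host: str = "", tds: str = "",
                     subux_commands: int = 0, clx: bool = False,
                     ium_binding: str = "") -> Dict[Rule, str]:
    """Map every (protocol, port) to open to the product that needs it."""
    allow: Dict[Rule, str] = {}
    for product, (proto, ports) in BASE_OPENINGS.items():
        for port in ports:
            allow[(proto, port)] = product
    if tds:
        allow[tds_port(services_text, host, tds)] = "TDS-TCP/IP"
    # The document gives no protocol for the SUBUX/CLX range: open both
    # (netsh protocol=ALL) and narrow it once the product manuals are checked.
    subux = subux_ports(subux_commands) if subux_commands else []
    for port in subux:
        allow[("ALL", port)] = "SUBUX"
    if clx:
        for port in clx_ports(len(subux)):
            allow[("ALL", port)] = "CLX"
    if ium_binding:
        proto, _addr, port = ium_sa7_binding(ium_binding)
        allow[(proto, port)] = "IUM-SA7"
    return allow

def netsh_commands(allow: Dict[Rule, str]) -> List[str]:
    """One 'netsh firewall add portopening' line per opening, sorted."""
    return [f'netsh firewall add portopening protocol={proto} port={port} '
            f'name="{product}" mode=ENABLE'
            for (proto, port), product in sorted(allow.items())]

if __name__ == "__main__":
    rules = build_allow_list(services_text=SAMPLE_SERVICES, host="BC0F",
                             tds="TDS1", subux_commands=3, clx=True,
                             ium_binding="ncadg_ip_udp 172.31.37.14 22115")
    print("\n".join(netsh_commands(rules)))
```

The IUM-SA7 opening is the one that changes most often: as section 4.6 says, the agent picks its port dynamically, so the ST7SEC_BINDING member must be re-read and the rule regenerated each time another occurrence of the agent is launched.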

4.7 ORACLE

Oracle database on the Diane GCOS7 side:

To be accessible from Open-world applications, the Oracle database uses a GCOS7 program (the Oracle Listener) that listens on the port number configured in the GCOS7 file "listener_ora".

This port number must be authorized in the firewall configuration.

Oracle database on the Diane Windows side:

Oracle on Windows uses dynamic port rerouting, so opening only the port number configured in the "listener.ora" file is not sufficient.

Oracle suggests several solutions. The simplest is to disable dynamic port rerouting by setting the registry key USE_SHARED_SOCKET=true.


5 Windows updates

5.1 Regular updates

Microsoft regularly releases patches designed to improve Windows® security.

Bull constantly monitors and analyzes these patches and makes those that are qualified for the DPS 7000/XTA available to its customers on the Bull Solution On Line server (www.bull.fr/support).

These updates must be downloaded and installed as quickly as possible.

5.2 Service Packs

Periodically (once or twice a year) Microsoft distributes patches and enhancements in a "kit" commonly known as a Service Pack.

Each Service Pack receives an in-depth validation from the Bull Research department in order to be sure that it will not interfere with the running of the DPS 7000/XTA systems.

Bull then installs the Service Packs that have been approved by its technicians. This is done as part of the DPS 7000/XTA maintenance contract.

When Microsoft launches a new Service Pack, Bull informs its GCOS 7 customers that it is starting validation and then performs the installation.


6 Choosing an antivirus

Windows® updates must be supplemented by the installation of antivirus software designed to destroy any viruses that have managed to penetrate the system.

6.1 Symantec Antivirus

The antivirus chosen and approved by Bull for its DPS 7000/XTA systems is Symantec AntiVirus Corporate Edition for workstations and network servers published by Symantec. This is installed on all systems.

It is the customer's responsibility to update the signatures and technical status of the antivirus program systematically from the Symantec Web site: www.symantec.com/avcenter.

Details of the procedure are supplied to all DPS 7000/XTA customers.

The license supplied by Bull gives rights to signature updates for one year from the moment it is installed on the server. It is then the customer's responsibility to renew the license from Symantec and install it.

6.2 Support for other antivirus programs than Symantec AntiVirus™

Customers may choose other antivirus programs than Symantec AntiVirus™. In this case, they must make a formal request to Bull who will uninstall the Symantec antivirus software.

Bull will continue to support systems protected with other antivirus software than Symantec. If problems arise from their use, any Bull callouts incurred will be at the customer's expense if the problem handled would not have occurred if Symantec antivirus software had been active.


A. Windows 2003 ports

Ports used by Windows 2003 services.

This list is taken from the document: "Port_Requirements_for_Microsoft_W2003" available from Microsoft.

Port | Protocol | Network Service | System Service | System Service Logical Name
7 | TCP | Echo | Simple TCP/IP Services | SimpTcp
7 | UDP | Echo | Simple TCP/IP Services | SimpTcp
9 | TCP | Discard | Simple TCP/IP Services | SimpTcp
9 | UDP | Discard | Simple TCP/IP Services | SimpTcp
13 | TCP | Daytime | Simple TCP/IP Services | SimpTcp
13 | UDP | Daytime | Simple TCP/IP Services | SimpTcp
17 | TCP | Quotd | Simple TCP/IP Services | SimpTcp
17 | UDP | Quotd | Simple TCP/IP Services | SimpTcp
19 | TCP | Chargen | Simple TCP/IP Services | SimpTcp
19 | UDP | Chargen | Simple TCP/IP Services | SimpTcp
20 | TCP | FTP default data | FTP Publishing Service | MSFtpsvc
21 | TCP | FTP control | FTP Publishing Service | MSFtpsvc
21 | TCP | FTP control | Application Layer Gateway Service | ALG
23 | TCP | Telnet | Telnet | TlntSvr
25 | TCP | SMTP | Simple Mail Transport Protocol | SMTPSVC
25 | UDP | SMTP | Simple Mail Transport Protocol | SMTPSVC
25 | TCP | SMTP | Exchange Server | 
25 | UDP | SMTP | Exchange Server | 
42 | TCP | WINS Replication | Windows Internet Name Service | WINS
42 | UDP | WINS Replication | Windows Internet Name Service | WINS
53 | TCP | DNS | DNS Server | DNS
53 | UDP | DNS | DNS Server | DNS
53 | TCP | DNS | Internet Connection Firewall/Internet Connection Sharing | SharedAccess
53 | UDP | DNS | Internet Connection Firewall/Internet Connection Sharing | SharedAccess
67 | UDP | DHCP Server | DHCP Server | DHCPServer
67 | UDP | DHCP Server | Internet Connection Firewall/Internet Connection Sharing | SharedAccess
69 | UDP | TFTP | Trivial FTP Daemon Service | tftpd
80 | TCP | HTTP | Windows Media Services | WMServer
80 | TCP | HTTP | World Wide Web Publishing Service | W3SVC
80 | TCP | HTTP | SharePoint Portal Server | 
88 | TCP | Kerberos | Kerberos Key Distribution Center | Kdc
88 | UDP | Kerberos | Kerberos Key Distribution Center | Kdc
102 | TCP | X.400 | Microsoft Exchange MTA Stacks | 
110 | TCP | POP3 | Microsoft POP3 Service | POP3SVC
110 | TCP | POP3 | Exchange Server | 
119 | TCP | NNTP | Network News Transfer Protocol | NntpSvc
123 | UDP | NTP | Windows Time | W32Time
123 | UDP | SNTP | Windows Time | W32Time
135 | TCP | RPC | Message Queuing | msmq
135 | TCP | RPC | Remote Procedure Call | RpcSs
135 | TCP | RPC | Exchange Server | 
135 | TCP | RPC | Certificate Services | CertSvc
135 | TCP | RPC | Cluster Service | ClusSvc
135 | TCP | RPC | Distributed File System | DFS
135 | TCP | RPC | Distributed Link Tracking | TrkSvr
135 | TCP | RPC | Distributed Transaction Coordinator | MSDTC
135 | TCP | RPC | Event Log | Eventlog
135 | TCP | RPC | Fax Service | Fax
135 | TCP | RPC | File Replication | NtFrs
135 | TCP | RPC | Local Security Authority | LSASS
135 | TCP | RPC | Remote Storage Notification | Remote_Storage_User_Link
135 | TCP | RPC | Remote Storage Server | Remote_Storage_Server
135 | TCP | RPC | Systems Management Server 2.0 | 
135 | TCP | RPC | Terminal Services Licensing | TermServLicensing
135 | TCP | RPC | Terminal Services Session Directory | Tssdis
137 | UDP | NetBIOS Name Resolution | Computer Browser | Browser
137 | UDP | NetBIOS Name Resolution | Server | lanmanserver
137 | UDP | NetBIOS Name Resolution | Windows Internet Name Service | WINS
137 | UDP | NetBIOS Name Resolution | Net Logon | Netlogon
137 | UDP | NetBIOS Name Resolution | Systems Management Server 2.0 | 
138 | UDP | NetBIOS Datagram Service | Computer Browser | Browser
138 | UDP | NetBIOS Datagram Service | Messenger | Messenger
138 | UDP | NetBIOS Datagram Service | Server | lanmanserver
138 | UDP | NetBIOS Datagram Service | Net Logon | Netlogon
138 | UDP | NetBIOS Datagram Service | Distributed File System | Dfs
138 | UDP | NetBIOS Datagram Service | Systems Management Server 2.0 | 
138 | UDP | NetBIOS Datagram Service | License Logging Service | LicenseService
139 | TCP | NetBIOS Session Service | Computer Browser | Browser
139 | TCP | NetBIOS Session Service | Fax Service | Fax
139 | TCP | NetBIOS Session Service | Performance Logs and Alerts | SysmonLog
139 | TCP | NetBIOS Session Service | Print Spooler | Spooler
139 | TCP | NetBIOS Session Service | Server | lanmanserver
139 | TCP | NetBIOS Session Service | Net Logon | Netlogon
139 | TCP | NetBIOS Session Service | Remote Procedure Call Locator | RpcLocator
139 | TCP | NetBIOS Session Service | Distributed File System | Dfs
139 | TCP | NetBIOS Session Service | Systems Management Server 2.0 | 
139 | TCP | NetBIOS Session Service | License Logging Service | LicenseService
143 | TCP | IMAP | Exchange Server | 
161 | UDP | SNMP | SNMP Service | SNMP
162 | UDP | SNMP Traps Outbound | SNMP Trap Service | SNMPTRAP
270 | TCP | MOM 2004 | Microsoft Operations Manager 2004 | MOM
389 | TCP | LDAP Server | Local Security Authority | LSASS
389 | UDP | LDAP Server | Local Security Authority | LSASS
389 | TCP | LDAP Server | Distributed File System | Dfs
389 | UDP | LDAP Server | Distributed File System | Dfs
443 | TCP | HTTPS | HTTP SSL | HTTPFilter
443 | TCP | HTTPS | World Wide Web Publishing Service | W3SVC
443 | TCP | HTTPS | SharePoint Portal Server | 
445 | TCP | SMB | Fax Service | Fax
445 | TCP | SMB | License Logging Service | LicenseService
445 | TCP | SMB | Print Spooler | Spooler
445 | TCP | SMB | Server | lanmanserver
445 | TCP | SMB | Remote Procedure Call Locator | RpcLocator
445 | TCP | SMB | Distributed File System | Dfs
445 | TCP | SMB | Net Logon | Dfs
500 | UDP | IPSec ISAKMP | Local Security Authority | LSASS
515 | TCP | LPD | TCP/IP Print Server | LPDSVC
548 | TCP | File Server for Macintosh | File Server for Macintosh | MacFile
554 | TCP | RTSP | Windows Media Services | WMServer
563 | TCP | NNTP over SSL | Network News Transfer Protocol | NntpSvc
593 | TCP | RPC over HTTP | Remote Procedure Call | RpcSs
593 | TCP | RPC over HTTP | Exchange Server | 
636 | TCP | LDAP SSL | Local Security Authority | LSASS
636 | UDP | LDAP SSL | Local Security Authority | LSASS
993 | TCP | IMAP over SSL | Exchange Server | 
995 | TCP | POP3 over SSL | Exchange Server | 
1270 | TCP | MOM-Encrypted | Microsoft Operations Manager 2000 | one point
1433 | TCP | SQL over TCP | Microsoft SQL Server | SQLSERVR
1433 | TCP | SQL over TCP | MSSQL$UDDI | SQLSERVR
1434 | UDP | SQL Probe | Microsoft SQL Server | SQLSERVR
1434 | UDP | SQL Probe | MSSQL$UDDI | SQLSERVR
1645 | UDP | Legacy RADIUS | Internet Authentication Service | IAS
1646 | UDP | Legacy RADIUS | Internet Authentication Service | IAS
1701 | UDP | L2TP | Routing and Remote Access | RemoteAccess
1723 | TCP | PPTP | Routing and Remote Access | RemoteAccess
1755 | TCP | MMS | Windows Media Services | WMServer
1755 | UDP | MMS | Windows Media Services | WMServer
1801 | TCP | MSMQ | Message Queuing | msmq
1801 | UDP | MSMQ | Message Queuing | msmq
1812 | UDP | RADIUS Authentication | Internet Authentication Service | IAS
1813 | UDP | RADIUS Accounting | Internet Authentication Service | IAS
1900 | UDP | SSDP | SSDP Discovery Service | SSDPRSRV
2101 | TCP | MSMQ-DCs | Message Queuing | msmq
2103 | TCP | MSMQ-RPC | Message Queuing | msmq
2105 | TCP | MSMQ-RPC | Message Queuing | msmq
2107 | TCP | MSMQ-Mgmt | Message Queuing | msmq
2393 | TCP | OLAP Services 7.0 | SQL Server: Downlevel OLAP Client Support | 
2394 | TCP | OLAP Services 7.0 | SQL Server: Downlevel OLAP Client Support | 
2460 | UDP | MS Theater | Windows Media Services | WMServer
2535 | UDP | MADCAP | DHCP Server | DHCPServer
2701 | TCP | SMS Remote Control (control) | SMS Remote Control Agent | 
2701 | UDP | SMS Remote Control (control) | SMS Remote Control Agent | 
2702 | TCP | SMS Remote Control (data) | SMS Remote Control Agent | 
2702 | UDP | SMS Remote Control (data) | SMS Remote Control Agent | 
2703 | TCP | SMS Remote Chat | SMS Remote Control Agent | 
2703 | UDP | SMS Remote Chat | SMS Remote Control Agent | 
2704 | TCP | SMS Remote File Transfer | SMS Remote Control Agent | 
2704 | UDP | SMS Remote File Transfer | SMS Remote Control Agent | 
2725 | TCP | SQL Analysis Services | SQL 2000 Analysis Server | 
2869 | TCP | UPNP | Universal Plug and Play Device Host | UPNPHost
2869 | TCP | SSDP event notification | SSDP Discovery Service | SSDPRSRV
3268 | TCP | Global Catalog Server | Local Security Authority | LSASS
3269 | TCP | Global Catalog Server | Local Security Authority | LSASS
3343 | UDP | Cluster Services | Cluster Service | ClusSvc
3389 | TCP | Terminal Services | NetMeeting Remote Desktop Sharing | mnmsrvc
3389 | TCP | Terminal Services | Terminal Services | TermService
3527 | UDP | MSMQ-Ping | Message Queuing | msmq
4011 | UDP | BINL | Remote Installation | BINLSVC
4500 | UDP | NAT-T | Local Security Authority | LSASS
5000 | TCP | SSDP legacy event notification | SSDP Discovery Service | SSDPRSRV
5004 | UDP | RTP | Windows Media Services | WMServer
5005 | UDP | RTCP | Windows Media Services | WMServer
42424 | TCP | ASP.Net Session State | ASP.NET State Service | aspnet_state
51515 | TCP | MOM-Clear | Microsoft Operations Manager 2000 | one point
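The table above is most useful when it is compared with what the system actually listens on. The following Python script, added here as an illustration and not part of the Bull document or of any Bull product, parses the output of `netstat -ano` on a Diane-Windows 2003 system, checks every listener against the openings expected from the table in section 4.1, and labels each unexpected listener with the candidate owning services taken from the appendix so the process behind it can be identified by PID. The netstat output, the PIDs and the assumption that SNMP and SNMP7 are the only optional products in use are constructed samples; the Appendix A extract covers only the ports present in the sample and is meant to be extended from the full table.

```python
"""Added example, not part of the Bull document: check the listeners that
'netstat -ano' reports on a Diane-Windows 2003 system against the openings
expected from the table in section 4.1, and label each unexpected one with
the candidate owners listed in Appendix A. The netstat output, the PIDs and
the set of optional products in use are constructed samples."""
from typing import Dict, List, NamedTuple, Tuple

Endpoint = Tuple[str, int]  # (protocol, port)

# Section 4.1: rows opened by default, plus SNMP and SNMP7 assumed in use.
DIANE_OPENINGS: Dict[Endpoint, str] = {
    ("TCP", 135): "RPC", ("TCP", 9037): "FTP7", ("TCP", 9002): "NT7GW",
    ("TCP", 9003): "SRVCAM", ("UDP", 161): "SNMP", ("UDP", 7161): "SNMP7",
}
DIANE_OPENINGS.update({("TCP", p): "DCOM" for p in range(7050, 7100)})

# Extract of Appendix A: services that may own a listener on each endpoint
# (system service name and logical name). Extend from the full table.
APPENDIX_A: Dict[Endpoint, List[str]] = {
    ("TCP", 135): ["Remote Procedure Call (RpcSs)", "Message Queuing (msmq)",
                   "Distributed Transaction Coordinator (MSDTC)"],
    ("UDP", 137): ["Computer Browser (Browser)", "Server (lanmanserver)",
                   "Net Logon (Netlogon)"],
    ("TCP", 139): ["Computer Browser (Browser)", "Server (lanmanserver)",
                   "Print Spooler (Spooler)", "Net Logon (Netlogon)"],
    ("TCP", 445): ["Server (lanmanserver)", "Print Spooler (Spooler)",
                   "Distributed File System (Dfs)"],
    ("UDP", 161): ["SNMP Service (SNMP)"],
    ("TCP", 3389): ["Terminal Services (TermService)",
                    "NetMeeting Remote Desktop Sharing (mnmsrvc)"],
}

# Constructed 'netstat -ano' output in the Windows format.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:9037           0.0.0.0:0              LISTENING       1900
  TCP    172.31.37.20:139       0.0.0.0:0              LISTENING       4
  TCP    172.31.37.20:1028      172.31.37.14:22115     ESTABLISHED     2260
  UDP    0.0.0.0:161            *:*                                    1532
  UDP    0.0.0.0:7161           *:*                                    1760
  UDP    172.31.37.20:137       *:*                                    4
"""

class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    pid: int

class Finding(NamedTuple):
    proto: str
    port: int
    pid: int
    expected: bool
    owner: str  # Diane product, or Appendix A candidates to confirm by PID

def parse_netstat(text: str) -> List[Listener]:
    """Keep TCP sockets in LISTENING state and every bound UDP socket."""
    listeners = []
    for raw in text.splitlines():
        f = raw.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        address, port = f[1].rsplit(":", 1)
        if f[0] == "TCP":
            if len(f) < 5 or f[3] != "LISTENING":
                continue  # established or closing connections are not listeners
            pid = int(f[4])
        else:
            pid = int(f[3])
        listeners.append(Listener(f[0], address, int(port), pid))
    return listeners

def audit(text: str, expected: Dict[Endpoint, str] = DIANE_OPENINGS) -> List[Finding]:
    """Unexpected listeners first, each with the services that may own it."""
    findings = []
    for l in parse_netstat(text):
        key = (l.proto, l.port)
        if key in expected:
            findings.append(Finding(l.proto, l.port, l.pid, True, expected[key]))
        else:
            owners = APPENDIX_A.get(key, ["not in Appendix A"])
            findings.append(Finding(l.proto, l.port, l.pid, False, "; ".join(owners)))
    return sorted(findings, key=lambda f: (f.expected, f.proto, f.port))

def unexpected_listeners(text: str) -> List[Endpoint]:
    return [(f.proto, f.port) for f in audit(text) if not f.expected]

if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        flag = "ok      " if f.expected else "REVIEW  "
        print(f"{flag}{f.proto} {f.port:<6} pid {f.pid:<6} {f.owner}")
```

A listener that is not in the expected set is not necessarily a problem: the sample flags the NetBIOS and SMB ports and Terminal Services, which a firewall configured per section 4.1 does not open from the public network but which the maintenance network may still rely on. The point of the check is that each such port is accounted for deliberately, with the owning process confirmed from the PID, rather than left open by default.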


B. Windows services on the Diane-Windows 2003 system

This appendix contains the list of Windows services present on a Diane-Windows 2003 system. It is included for information purposes.

The "Installation" column gives the service's original product.

Name | Description | Installation | Status | Startup Type | Log On As
Alerter | Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Disabled | Local Service
Application Layer Gateway Service | Provides support for application level protocol plug-ins and enables network/protocol connectivity. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Manual | Local Service
Application Management | Processes installation, removal, and enumeration requests for Active Directory IntelliMirror group policy programs. If the service is disabled, users will be unable to install, remove, or enumerate any IntelliMirror programs. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Manual with W2003; Disabled by Security Script | Local System
Automatic Updates | Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. | W2003 |  | Automatic with W2003; Disabled with Security Script | Local System
Background Intelligent Transfer Service | Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly. | W2003 |  | Manual | Local System
ClipBook | Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Disabled | Local System
COM+ Event System | Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 | Started | Manual | Local System
COM+ System Application | Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Manual | Local System
Computer Browser | Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Automatic with W2003; Disabled with Security Script | Local System
ConnectEMC |  | Navisphere |  | Manual | Local System
Cryptographic Services | Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 | Started | Automatic | Local System
DHCP Client | Registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive dynamic IP addresses and DNS updates. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Automatic with W2003; Disabled with Security Script | Network Service
Distributed File System | Integrates disparate file shares into a single, logical namespace and manages these logical volumes distributed across a local or wide area network. If this service is stopped, users will be unable to access file shares. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 | Started | Automatic | Local System
Distributed Link Tracking Client | Enables client programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. If this service is stopped, the links on this computer will not be maintained or tracked. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Automatic with W2003; Disabled with Security Script | Local System
Distributed Link Tracking Server | Enables the Distributed Link Tracking Client service within the same domain to provide more reliable and efficient maintenance of links within the domain. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Disabled | Local System
Distributed Transaction Coordinator | Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Automatic with W2003; Disabled with Security Script | Network Service
DNS Client | Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 | Started | Automatic | Network Service
EMC PowerPath Service 3.0.6 | EMC PowerPath Service | PowerPath | Started | Automatic | Local System
Emulex HBAnyware Remote Management |  | Drivers Emulex |  | Disabled | Local System
Emulex HBAnyware Discovery | Performs discovery of local and remote HBAs | Drivers Emulex |  | Manual | Local System
Error Reporting Service | Collects, stores, and reports unexpected application crashes to Microsoft. If this service is stopped, then Error Reporting will occur only for kernel faults and some types of user mode faults. If this service is disabled, any services that explicitly depend on it will not start. | W2003 | Started | Automatic | Local System
Event Log | Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. | W2003 | Started | Automatic | Local System
File Replication | Allows files to be automatically copied and maintained simultaneously on multiple servers. If this service is stopped, file replication will not occur and servers will not synchronize. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Manual with W2003; Disabled by Security Script | Local System
FTP Publishing Service | Enables this server to be a File Transfer Protocol (FTP) server. If this service is stopped, the server cannot function as an FTP server. If this service is disabled, any services that explicitly depend on it will fail to start. | IIS |  | Automatic with W2003; Disabled with Security Script | Local System
GTS Event Agent |  | GTS | Started | Automatic | Local System
Help and Support | Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 | Started | Automatic | Local System
HTTP SSL | This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 | Started | Manual | Local System
Human Interface Device Access | Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Disabled | Local System
IBM Active PCI Alert Service |  | 1X4 machine | Started | Automatic | Local System
IBM Remote Supervisor Adapter II |  | 1X4 machine | Started | Automatic | Local System
IIS Admin Service | Enables this server to administer Web and FTP services. If this service is stopped, the server will be unable to run Web, FTP, NNTP, or SMTP sites or configure IIS. If this service is disabled, any services that explicitly depend on it will fail to start. | IIS | Started | Automatic | Local System
IMAPI CD-Burning COM Service | Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Disabled | Local System
Indexing Service | Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language. | W2003 |  | Manual with W2003; Disabled by Security Script | Local System
Intel NCS NetService | Supports Intel(R) PROSet for Wired Connections. | IntelProset |  | Manual | Local System
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) | Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. If this service is stopped, networking services such as Internet sharing, name resolution, addressing and/or intrusion prevention will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Disabled | Local System
Interop7Adm | Allows the Interop7 servers to be started and stopped and their state to be queried. | Interop7 | Started | Automatic | Local System
Intersite Messaging | Enables messages to be exchanged between computers running Windows Server sites. If this service is stopped, messages will not be exchanged, nor will site routing information be calculated for other services. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Disabled | Local System
IP4700 Trap Catcher |  | Navisphere |  | Manual | Local System
IPSEC Services | Provides end-to-end security between clients and servers on TCP/IP networks. If this service is stopped, TCP/IP security between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 | Started | Automatic | Local System
Kerberos Key Distribution Center | On domain controllers this service enables users to log on to the network using the Kerberos authentication protocol. If this service is stopped on a domain controller, users will be unable to log on to the network. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Disabled | Local System
License Logging | Monitors and records client access licensing for portions of the operating system (such as IIS, Terminal Server and File/Print) as well as products that aren't a part of the OS, like SQL and Exchange Server. If this service is stopped, licensing will be enforced, but will not be monitored. | W2003 |  | Disabled | Network Service
Logical Disk Manager | Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 | Started | Automatic | Local System
Logical Disk Manager Administrative Service | Configures hard disk drives and volumes. The service only runs for configuration processes and then stops. | W2003 |  | Manual | Local System
Messenger | Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start. | W2003 |  | Disabled | Local System
Microsoft Software Shadow Copy Provider | Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start. |  |  |  | 

W2003 Manual Local System

Navisphere Agent Navisphere Started Automatic Local System

Page 59: Security configuration for Windows 2003 Diane systems User ...support.bull.com/ols/product/system/gcos7/gcos7... · Security configuration for Windows 2003 DIANE systems 2-2 47 A2

Windows services on the Diane-Windows 2003 system

47 A2 11EL B-11

Net Logon Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services and the domain controller cannot register DNS records. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Manual Local System

NetMeeting Remote Desktop Sharing

Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Disabled Local System

NetOp Helper ver. 7.65 (2004052)

The NetOp Helper Service provides essential functions needed by NetOp programs from Danware.

NetOP Started Automatic Local System

Network Connections

Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. If this service is disabled, you will not be able to view local area network and remote connections and any services that explicitly depend on it will fail to start.

W2003 Started Manual Local System

Page 60: Security configuration for Windows 2003 Diane systems User ...support.bull.com/ols/product/system/gcos7/gcos7... · Security configuration for Windows 2003 DIANE systems 2-2 47 A2

Security configuration for Windows 2003 DIANE systems

B-12 47 A2 11EL

Network DDE Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Disabled Local System

Network DDE DSDM

Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Disabled Local System

Network Location Awareness (NLA)

Collects and stores network configuration and location information, and notifies applications when this information changes.

W2003 Started Manual Local System

NT LM Security Support Provider

Provides security to remote procedure call (RPC) programs that use transports other than named pipes.

W2003 Manual Local System

Performance Logs and Alerts

Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Manual Network Service

Page 61: Security configuration for Windows 2003 Diane systems User ...support.bull.com/ols/product/system/gcos7/gcos7... · Security configuration for Windows 2003 DIANE systems 2-2 47 A2

Windows services on the Diane-Windows 2003 system

47 A2 11EL B-13

Plug and Play Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.

W2003 Started Automatic Local System

Portable Media Serial Number Service

Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.

W2003 Manual Local System

Print Spooler Manages all local and network print queues and controls all printing jobs. If this service is stopped, printing on the local machine will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Started Automatic Local System

Protected Storage Protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users. If this service is stopped, protected storage will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Started Automatic Local System

Remote Access Auto Connection Manager

Detects unsuccessful attempts to connect to a remote network or computer and provides alternative methods for connection. If this service is stopped, users will need to manually connect. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Manual with W2003 Disabled By Security Script

Local System

Page 62: Security configuration for Windows 2003 Diane systems User ...support.bull.com/ols/product/system/gcos7/gcos7... · Security configuration for Windows 2003 DIANE systems 2-2 47 A2

Security configuration for Windows 2003 DIANE systems

B-14 47 A2 11EL

Remote Access Connection Manager

Manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks. If this service is stopped, the operating system might not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Manual with W2003 Disabled By Security Script

Local System

Remote Desktop Help Session Manager

Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.

W2003 Manual Local System

Remote Procedure Call (RPC)

Serves as the endpoint mapper and COM Service Control Manager. If this service is stopped or disabled, programs using COM or Remote Procedure Call (RPC) services will not function properly.

W2003 Started Automatic Local System

Remote Procedure Call (RPC) Locator

Enables remote procedure call (RPC) clients using the RpcNs* family of APIs to locate RPC servers. If this service is stopped or disabled, RPC clients using RpcNs* APIs may be unable to locate servers or fail to start. RpcNs* APIs are not used internally in Windows.

W2003 Manual Network Service

Remote Registry Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Automatic with W2003 Disabled with Security Script

Local Service

Page 63: Security configuration for Windows 2003 Diane systems User ...support.bull.com/ols/product/system/gcos7/gcos7... · Security configuration for Windows 2003 DIANE systems 2-2 47 A2

Windows services on the Diane-Windows 2003 system

47 A2 11EL B-15

Removable Storage Manages and catalogs removable media and operates automated removable media devices. If this service is stopped, programs that are dependent on Removable Storage, such as Backup and Remote Storage, will operate more slowly. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Manual Local System

Resultant Set of Policy Provider

Enables a user to connect to a remote computer, access the Windows Management Instrumentation database for that computer, and either verify the current Group Policy settings made for the computer or check settings before they are applied. If this service is stopped, remote verification will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Manual Local System

Routing and Remote Access

Enables multi-protocol LAN-to-LAN, LAN-to-WAN, virtual private network (VPN), and network address translation (NAT) routing services for clients and servers on this network. If this service is stopped, these services will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Disabled Local System

SavRoam Symantec AntiVirus Roaming Service

Antivirus Symantec

Manual Local System

Page 64: Security configuration for Windows 2003 Diane systems User ...support.bull.com/ols/product/system/gcos7/gcos7... · Security configuration for Windows 2003 DIANE systems 2-2 47 A2

Security configuration for Windows 2003 DIANE systems

B-16 47 A2 11EL

Secondary Logon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Started Automatic Local System

Security Accounts Manager

The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.

W2003 Started Automatic Local System

Server Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Started Automatic Local System

ServeRAID Manager Agent

1X4 machine ServeRAID Started Automatic Local System

Shell Hardware Detection

Provides notifications for AutoPlay hardware events.

W2003 Started Automatic Local System

Smart Card Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Manual with W2003 Disabled By Security Script

Local Service

Special Administration Console Helper

Allows administrators to remotely access a command prompt using Emergency Management Services.

W2003 Manual Local System

Page 65: Security configuration for Windows 2003 Diane systems User ...support.bull.com/ols/product/system/gcos7/gcos7... · Security configuration for Windows 2003 DIANE systems 2-2 47 A2

Windows services on the Diane-Windows 2003 system

47 A2 11EL B-17

Symantec AntiVirus Provides real-time virus scanning, reporting, and management functionality for Symantec AntiVirus.

Antivirus Symantec

Started Automatic Local System

Symantec AntiVirus Definition Watcher

Monitors and maintains virus definitions.

Antivirus Symantec

Started Automatic Local System

Symantec Event Manager

Symantec Event Manager Antivirus Symantec

Started Automatic Local System

Symantec Network Drivers Service

Symantec Network Drivers Service

Antivirus Symantec

Manual Local System

Symantec Password Validation

Symantec Password Validation Service

Antivirus Symantec

Manual Local System

Symantec Settings Manager

Symantec Settings Manager Antivirus Symantec

Started Automatic Local System

System Event Notification

Monitors system events and notifies subscribers to COM+ Event System of these events. If this service is stopped, COM+ Event System subscribers will not receive system event notifications. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Started Automatic Local System

Task Scheduler Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Started Automatic Local System

Page 66: Security configuration for Windows 2003 Diane systems User ...support.bull.com/ols/product/system/gcos7/gcos7... · Security configuration for Windows 2003 DIANE systems 2-2 47 A2

Security configuration for Windows 2003 DIANE systems

B-18 47 A2 11EL

TCP/IP NetBIOS Helper

Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network, therefore enabling users to share files, print, and log on to the network. If this service is stopped, these functions might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Automatic with W2003 Disabled with Security Script

Local Service

Telephony Provides Telephony API (TAPI) support for clients using programs that control telephony devices and IP-based voice connections. If this service is stopped, the function of all dependent programs will be impaired. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Manual with W2003 Disabled By Security Script

Local System

Telnet Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Disabled Local Service

Page 67: Security configuration for Windows 2003 Diane systems User ...support.bull.com/ols/product/system/gcos7/gcos7... · Security configuration for Windows 2003 DIANE systems 2-2 47 A2

Windows services on the Diane-Windows 2003 system

47 A2 11EL B-19

Terminal Services Allows users to connect interactively to a remote computer. Remote Desktop, Fast User Switching, Remote Assistance, and Terminal Server depend on this service - stopping or disabling this service may make your computer unreliable. To prevent remote use of this computer, clear the checkboxes on the Remote tab of the System properties control panel item.

W2003 Started Manual Local System

Terminal Services Session Directory

Enables a user connection request to be routed to the appropriate terminal server in a cluster. If this service is stopped, connection requests will be routed to the first available server.

W2003 Disabled Local System

Themes Provides user experience theme management.

W2003 Disabled Local System

Uninterruptible Power Supply

Manages an uninterruptible power supply (UPS) connected to the computer.

W2003 Manual Local Service

Upload Manager Manages the synchronous and asynchronous file transfers between clients and servers on the network. Driver data is anonymously uploaded from these transfers and then used by Microsoft to help users find the drivers they need. The Driver Feedback Server asks the client's permission to upload the computer's hardware profile and then search the Internet for information about how to obtain the appropriate driver or get support. If this service stops, Microsoft will not have access to the driver data.

W2003 Manual Local System

Page 68: Security configuration for Windows 2003 Diane systems User ...support.bull.com/ols/product/system/gcos7/gcos7... · Security configuration for Windows 2003 DIANE systems 2-2 47 A2

Security configuration for Windows 2003 DIANE systems

B-20 47 A2 11EL

V7000 Administration

Administration of V7000 GCOS7 virtual machine.

V7000 VAS Started Automatic Local System

V7000 System Control

Engine of V7000 GCOS7 virtual machine.

V7000 SYC Started Automatic .\V7000Engine

Virtual Disk Service Provides software volume and hardware volume management service.

W2003 Manual Local System

Volume Shadow Copy

Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Manual Local System

WebClient Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Disabled Local Service

Windows Audio Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Disabled Local System

Windows Image Acquisition (WIA)

Provides image acquisition services for scanners and cameras.

W2003 Disabled Local Service

Windows Installer Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Manual Local System

Page 69: Security configuration for Windows 2003 Diane systems User ...support.bull.com/ols/product/system/gcos7/gcos7... · Security configuration for Windows 2003 DIANE systems 2-2 47 A2

Windows services on the Diane-Windows 2003 system

47 A2 11EL B-21

Windows Management Instrumentation

Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Started Automatic Local System

Windows Management Instrumentation Driver Extensions

Monitors all drivers and event trace providers that are configured to publish Windows Management Instrumentation (WMI) or event trace information. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Manual Local System

Windows Time Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Started Automatic Local System

WinHTTP Web Proxy Auto-Discovery Service

Implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP). WPAD is a protocol to enable an HTTP client to automatically discover a proxy configuration. If this service is stopped or disabled, the WPAD protocol will be executed within the HTTP client's process instead of an external service process; there would be no loss of functionality as a result.

W2003 Manual Local Service

Page 70: Security configuration for Windows 2003 Diane systems User ...support.bull.com/ols/product/system/gcos7/gcos7... · Security configuration for Windows 2003 DIANE systems 2-2 47 A2

Security configuration for Windows 2003 DIANE systems

B-22 47 A2 11EL

Wireless Configuration

Enables automatic configuration for IEEE 802.11 adapters. If this service is stopped, automatic configuration will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Started Automatic Local System

WMI Performance Adapter

Provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network. This service only runs when Performance Data Helper is activated.

W2003 Manual Local System

Workstation Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

W2003 Started Automatic Local System

World Wide Web Publishing Service

Provides Web connectivity and administration through the Internet Information Services Manager

IIS Automatic with W2003 Disabled with Security Script

Local System
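As an added example, not part of the Bull manual, the following PowerShell script compares the live service configuration of a Diane-Windows 2003 system with a subset of the expectations in the table above: the network-facing services that are Disabled or "Disabled by the security script", and a few that must stay Automatic. It queries Win32_Service through WMI; the expected-state list is constructed from the table, and PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the Bull manual): audit service startup type, log-on account and
# running state against the services table. Assumes Windows PowerShell 2.0 or later and an
# administrative session; Win32_Service is queried locally through WMI.

# Expected states taken from the table. For rows marked "Disabled by the security script"
# the expected StartMode is what the script leaves behind, i.e. Disabled. Win32_Service
# reports the accounts as 'LocalSystem', 'NT AUTHORITY\LocalService' and
# 'NT AUTHORITY\NetworkService'.
$ExpectedServices = @(
    @{ Name = 'Messenger';                         StartMode = 'Disabled'; LogOn = 'LocalSystem' },
    @{ Name = 'Telnet';                            StartMode = 'Disabled'; LogOn = 'NT AUTHORITY\LocalService' },
    @{ Name = 'Remote Registry';                   StartMode = 'Disabled'; LogOn = 'NT AUTHORITY\LocalService' },
    @{ Name = 'TCP/IP NetBIOS Helper';             StartMode = 'Disabled'; LogOn = 'NT AUTHORITY\LocalService' },
    @{ Name = 'World Wide Web Publishing Service'; StartMode = 'Disabled'; LogOn = 'LocalSystem' },
    @{ Name = 'Routing and Remote Access';         StartMode = 'Disabled'; LogOn = 'LocalSystem' },
    @{ Name = 'NetMeeting Remote Desktop Sharing'; StartMode = 'Disabled'; LogOn = 'LocalSystem' },
    @{ Name = 'WebClient';                         StartMode = 'Disabled'; LogOn = 'NT AUTHORITY\LocalService' },
    @{ Name = 'IPSEC Services';                    StartMode = 'Auto';     LogOn = 'LocalSystem' },
    @{ Name = 'Protected Storage';                 StartMode = 'Auto';     LogOn = 'LocalSystem' },
    @{ Name = 'Symantec AntiVirus';                StartMode = 'Auto';     LogOn = 'LocalSystem' },
    @{ Name = 'V7000 System Control';              StartMode = 'Auto';     LogOn = '.\V7000Engine' }
)

function New-Finding($Service, $Check, $Expected, $Actual) {
    New-Object PSObject -Property @{
        Service = $Service; Check = $Check; Expected = $Expected; Actual = $Actual }
}

function Test-DianeServiceConfiguration {
    param([array]$Expected = $ExpectedServices)

    $findings = @()
    foreach ($e in $Expected) {
        # WQL string literals use single quotes; double any quote inside the display name.
        $filter = "DisplayName='{0}'" -f ($e.Name -replace "'", "''")
        $svc = Get-WmiObject -Class Win32_Service -Filter $filter

        if ($svc -eq $null) {
            $findings += New-Finding $e.Name 'Present' 'yes' 'service not found'
            continue
        }
        if ($svc.StartMode -ne $e.StartMode) {
            $findings += New-Finding $e.Name 'StartMode' $e.StartMode $svc.StartMode
        }
        if ($svc.StartName -ne $e.LogOn) {
            $findings += New-Finding $e.Name 'LogOn' $e.LogOn $svc.StartName
        }
        # A service the security script disabled must not still be running from before the change.
        if ($e.StartMode -eq 'Disabled' -and $svc.State -eq 'Running') {
            $findings += New-Finding $e.Name 'State' 'Stopped' $svc.State
        }
        # An Automatic service that is not running is a deviation as well.
        if ($e.StartMode -eq 'Auto' -and $svc.State -ne 'Running') {
            $findings += New-Finding $e.Name 'State' 'Running' $svc.State
        }
    }
    return $findings
}

$result = @(Test-DianeServiceConfiguration)
if ($result.Count -eq 0) {
    Write-Output 'All checked services match the table.'
} else {
    $result | Format-Table Service, Check, Expected, Actual -AutoSize
}
```

Extend $ExpectedServices with the remaining rows of the table to audit the complete list.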


C. Firewall configurator

The V7000 Firewall Configurator is a Windows™ application that can be run on a “Full V7000 Server” or on a “Remote V7000 Administration Tools” installation, from Windows 2003 SP1 or Windows XP SP2 onwards.

Starting with Windows 2003 SP1 and Windows XP SP2, a new version of the native firewall is available. Its main characteristics are the following:

• It filters incoming and outgoing connections.

• It can be configured per application (.exe file name) or per communication port (TCP or UDP protocol).

• For a configured application, the communication ports used by that application are only opened while it is running.

• Activation of the firewall applies to all connections (i.e. all network cards) of the platform.

Several V7000 and Interop7 components use network facilities and must keep operating correctly when the firewall is activated on the platform.

The goal of the V7000 Firewall Configurator application is therefore to configure the native firewall of a Windows 2003 SP1 or Windows XP SP2 platform:

• for the native Windows common components needed by both V7000 and Interop7 components, on both types (server and remote administration) of V7000 and Interop7 installations;

• for the V7000 and Interop7 components, on both types (server and remote administration) of V7000 and Interop7 installations;

• and also for factory-installed third-party components* on a “Full V7000 Server” installation.

*: a factory-installed third-party component is a network software component necessary for the general proper working of the V7000 server platform.


However, this application is not in charge of activating or deactivating the firewall; that remains the customer's responsibility.

Two operation modes are available:

• An automatic mode, used during V7000 or Interop7 installations by the corresponding tools. This mode configures the V7000 products (respectively the Interop7 products) in the native firewall without manual intervention. The automatic mode is briefly described below in paragraph C.1.

• An interactive mode, using a graphical dialog box, which allows individual modifications of the V7000 and Interop7 components configuration (as opposed to the automatic configuration) and of the factory-installed third-party components configuration. The interactive mode is described below from paragraph C.2 onwards.

Whatever the operation mode used, information, warning and error messages are logged into the V7000 log file under a log source named V7000_FWALL.


C.1 Automatic mode

The V7000 Firewall Configurator tool is automatically called in the following cases:

• through the V7000 Version Manager tool, when a V7000 version is activated on a “Full V7000 Server” installation (case 1)

• through the Interop7 Installation program, when an Interop7 server installation is made on a “Full V7000 Server” installation (case 2)

• through the V7000 Installation program, when a “Remote V7000 Administration Tools” installation is made (case 3)

• through the Interop7 Installation program, when an Interop7 administration installation is made on a “Remote V7000 Administration Tools” installation (case 4)

• through the V7000 Information Collector tool, when a BCT is asked to collect the actual state of all components known by the firewall on a “Full V7000 Server” installation (case 5)

• through the V7000 Information Collector tool, when a BCT is asked to enumerate the actual state of all components known by the firewall on a “Remote V7000 Administration Tools” installation (case 6)

C.1.1 User rights

The necessary user rights are those of the tool from which the V7000 Firewall Configurator is called:

• Administrators and V7000BullServices groups for the V7000 Version Manager tool

• Administrators group for the V7000 and Interop7 Installation programs

• Administrators, V7000BullServices or V7000Operators groups for the V7000 Information Collector tool

If the user rights are not sufficient, the following error message is logged:

V7000 Firewall Configurator Error : Error: RC=CONFFW_INSUFFICIENT_USERRIGHTS (45002)


C.1.2 Checking of Windows version

If the Windows version is less than Windows 2003 SP1 (for a “Full V7000 Server” installation) or Windows XP SP2 (for a “Remote V7000 Administration Tools” installation), the following error message is logged:

V7000 Firewall Configurator Error : The native firewall is supported from Windows 2003 SP1 or Windows XP SP2 only.

C.1.3 Checking of Windows Firewall/Internet Connection Sharing (ICS) service state

If the service Windows Firewall/Internet Connection Sharing (ICS) is not started, the following error message is logged:

V7000 Firewall Configurator Error : The service Windows Firewall/Internet Connection Sharing (ICS) is not running.

C.1.4 Automatic mode of configuration (cases 1-4)

The automatic mode of configuration takes into account the current state of the corresponding components.

On the first automatic configuration, all selected components(*) are configured (i.e. enabled) in the firewall.

(*) All V7000 components are automatically selected. The Interop7 components to install can be selected through the installation program.

Native Windows common components are automatically selected.

On any subsequent automatic configuration, the current state of the selected components, as set by a preceding use of the V7000 Firewall Configurator tool in interactive mode, is kept.


The native Windows common components are the following:

• DCOM RPC: port 135, protocol TCP

• MMC Admin: application %windir%\system32\mmc.exe

The V7000 components are the following:

• AdminServer: application <V7000 path component>\V7000_Service_VAS.exe

• Engine: application <V7000 path component>\V7000_System_Control.exe

• RCF: application <V7000 path component>\RemoteControlFacility_EXE.exe

• SDM: application <V7000 path component>\V7000_SharedDiskManager.exe

• GCOS7 Consoles: application <V7000 path component>\ClientConsole.exe

<V7000 path component> is the components path directory of a V7000 installation.

On a “Remote V7000 Administration Tools” installation, the only managed component is GCOS7 Consoles.


The Interop7 components are the following:

• AdminServer: application <Interop7 path component>\Interop7Adm.exe

• SockG7 Std: application <Interop7 path component>\v7sg7.exe

• SockG7 TDS: application <Interop7 path component>\v7sg7tds.exe

• GFTP Client: application <Interop7 path component>\gftp.exe

• GFTP Server: application <Interop7 path component>\gftpd.exe

• NT7GW: application <Interop7 path component>\NT7GW.exe

• NT7 Admin: application <Interop7 path component>\NT7ADM.exe

• OpenGTW: application <Interop7 path component>\openGTW.exe

• OpenGTW Admin: application <Interop7 path component>\openGtwAdm.exe

• OpenGTW Print: application <Interop7 path component>\opgtwPrint.exe

• CNDSA: application <Interop7 path component>\cndsa.exe

• G7CN: application <Interop7 path component>\G7CN.exe

• G7Ping: application <Interop7 path component>\G7ping.exe


<Interop7 path component> is the components path directory of an Interop7 installation.

On a “Remote V7000 Administration Tools” installation, the only managed components are G7CN and G7Ping, provided that the “Interop7 Basic Administration Tools” option was chosen at installation time.

When an automatic configuration session of the V7000 Firewall Configurator is executed, a corresponding text file is created in the <Trace> directory of a “Full V7000 Server” or of a “Remote V7000 Administration Tools” installation. The name of this text file is:

• V7000ConfigFirewall_V7000_Server.txt (case 1)

• V7000ConfigFirewall_Interop7_Server.txt (case 2)

• V7000ConfigFirewall_V7000_RemoteAdministration.txt (case 3)

• V7000ConfigFirewall_Interop7_RemoteAdministration.txt (case 4)

This file is re-created at each automatic session.

C.1.5 Automatic mode of enumeration (cases 5-6)

The V7000 Information Collector tool calls the V7000 Firewall Configurator to enumerate the actual state of all components known by the firewall, whatever the selected option in the main dialog box of the V7000 Information Collector tool.

When an automatic enumeration session of the V7000 Firewall Configurator is executed, a corresponding text file is created in the <Trace> directory of a “Full V7000 Server” or of a “Remote V7000 Administration Tools” installation. The name of this text file is:

• V7000ConfigFirewall_BCT_Server.txt (case 5)

• V7000ConfigFirewall_BCT_RemoteAdministration.txt (case 6)

This file is re-created at each automatic session.


C.2 V7000 Firewall Configurator User Rights

C.2.1 No user rights

The complete set of functions of the V7000 Firewall Configurator is reserved for users who belong to both the Administrators and V7000BullServices groups.

If the user belongs to neither the Administrators group nor the V7000BullServices group, the following error dialog box is displayed:

Figure C-1 No user rights (on a “Full V7000 Server” installation)

Figure C-2 No user rights (on a “Remote V7000 Administration Tools” installation)

Moreover, the following error message is logged:

V7000 Firewall Configurator Error : Error: RC=CONFFW_INSUFFICIENT_USERRIGHTS (45002)


C.2.2 Read only restricted rights

If the user belongs to the Administrators group but not to the V7000BullServices group, the following warning dialog box is displayed before the main dialog box:

Figure C-3 Read only restricted rights (Administrators group only on a “Full V7000 Server” installation)

Figure C-4 Read only restricted rights (Administrators group only on a “Remote V7000 Administration Tools” installation)

If the user belongs to the V7000BullServices group but not to the Administrators group, the following warning dialog box is displayed before the main dialog box:


Figure C-5 Read only restricted rights (V7000BullServices group only on a “Full V7000 Server” installation)

Figure C-6 Read only restricted rights (V7000BullServices group only on a “Remote V7000 Administration Tools” installation)

In these two cases, the use of the tool is restricted to a visualization mode only: components can be viewed but not updated.

C.2.3 Full user rights

If the user belongs both to the Administrators and V7000BullServices groups, the following warning dialog box is displayed before the main dialog box:


Figure C-7 Full user rights (on a “Full V7000 Server” installation)

Figure C-8 Full user rights (on a “Remote V7000 Administration Tools” installation)


C.3 Checking of Windows version

If the Windows version is earlier than Windows 2003 SP1 (for a “Full V7000 Server” installation) or Windows XP SP2 (for a “Remote V7000 Administration Tools” installation), the following error dialog box is displayed:

Figure C-9 Windows version less than W2003 SP1 or XP SP2 (on a “Full V7000 Server” installation)

Figure C-10 Windows version less than W2003 SP1 or XP SP2 (on a “Remote V7000 Administration Tools” installation)

Moreover, the following error message is logged:

V7000 Firewall Configurator Error : The native firewall is supported from Windows 2003 SP1 or Windows XP SP2 only.


C.4 Checking of Windows Firewall/Internet Connection Sharing (ICS) service state

If the service Windows Firewall/Internet Connection Sharing (ICS) is not started, the following error dialog box is displayed:

Figure C-11 Service Windows Firewall/Internet Connection Sharing (ICS) not started (on a “Full V7000 Server” installation)

Figure C-12 Service Windows Firewall/Internet Connection Sharing (ICS) not started (on a “Remote V7000 Administration Tools” installation)

Moreover, the following error message is logged:

V7000 Firewall Configurator Error : The service Windows Firewall/Internet Connection Sharing (ICS) is not running.


C.5 Checking of a V7000 Firewall Configurator previous instance

If an instance of the V7000 Firewall Configurator application is already running, the following error dialog box is displayed:

Figure C-13 Previous instance running (on a “Full V7000 Server” installation)

Figure C-14 Previous instance running (on a “Remote V7000 Administration Tools” installation)

Moreover, the following error message is logged:

V7000 Firewall Configurator Error : One instance of this application is already running.


C.6 Components managed in main dialog box

The main dialog box of the V7000 Firewall Configurator application is composed of four group boxes corresponding to the four component types:

• Native Windows common components

• V7000 components

• Interop7 components

• Third party components

C.6.1 Native Windows common components

Two native Windows components are managed:

• DCOM RPC:

port 135 protocol TCP

• MMC Admin :

application %windir%\system32\mmc.exe

These components are necessary for DCOM remote administration.

The “Common components” group box is always available for update, both on a “Full V7000 Server” and on a “Remote V7000 Administration Tools” installation, unless the use of the tool is restricted to a visualization mode only (see C.2.2). In this case, all common components are grayed and are checked or unchecked depending on their state in the firewall.


C.6.2 V7000 components

Five V7000 components are managed:

• AdminServer :

application <V7000 path component>\V7000_Service_VAS.exe

• Engine :

application <V7000 path component>\V7000_System_Control.exe

• RCF :

application <V7000 path component>\RemoteControlFacility_EXE.exe

• SDM :

application <V7000 path component>\V7000_SharedDiskManager.exe

• GCOS7 Consoles :

application <V7000 path component>\ClientConsole.exe

<V7000 path component> is the components path directory of a V7000 installation.

The “V7000 components” group box is always available for update, both on a “Full V7000 Server” and on a “Remote V7000 Administration Tools” installation, unless the use of the tool is restricted to a visualization mode only (see C.2.2). In this case, all V7000 components are grayed and are checked or unchecked depending on their state in the firewall.

However, on a “Remote V7000 Administration Tools” installation, the following components are not available (grayed): AdminServer, Engine, RCF, SDM. They are also always unchecked.


C.6.3 Interop7 components

Thirteen Interop7 components are managed:

• AdminServer :

application <Interop7 path component>\Interop7Adm.exe

• SockG7 Std :

application <Interop7 path component>\v7sg7.exe

• SockG7 TDS :

application <Interop7 path component>\v7sg7tds.exe

• GFTP Client :

application <Interop7 path component>\gftp.exe

• GFTP Server :

application <Interop7 path component>\gftpd.exe

• NT7GW :

application <Interop7 path component>\NT7GW.exe

• NT7 Admin :

application <Interop7 path component>\NT7ADM.exe

• OpenGTW :

application <Interop7 path component>\openGTW.exe

• OpenGTW Admin :

application <Interop7 path component>\openGtwAdm.exe

• OpenGTW Print :

application <Interop7 path component>\opgtwPrint.exe

• CNDSA :

application <Interop7 path component>\cndsa.exe

• G7CN :

application <Interop7 path component>\G7CN.exe

• G7Ping :

application <Interop7 path component>\G7ping.exe

<Interop7 path component> is the components path directory of an Interop7 installation.

The “Interop7 components” group box is available for update when Interop7 is installed, on a “Full V7000 Server” or on a “Remote V7000 Administration Tools” installation.

On a “Remote V7000 Administration Tools” installation, the following components are not available (grayed): AdminServer, SockG7 Std, SockG7 TDS, GFTP Client, GFTP Server, NT7GW, NT7 Admin, OpenGTW, OpenGTW Admin, OpenGTW Print, CNDSA. They are also always unchecked.

On a “Remote V7000 Administration Tools” installation, only the G7CN and G7Ping components are available, provided that the “Interop7 Basic Administration Tools” option was chosen at installation time. Otherwise, they are unchecked but not grayed.

If Interop7 is not installed, the “Interop7 components” group box is not available (grayed) and all components are grayed and unchecked.

If the use of the tool is restricted to a visualization mode only (see C.2.2), all components are grayed and are checked or unchecked depending on their state in the firewall.

C.6.4 Third party components

The number of third party components is determined by the specific configuration files present in the <Config> path directory of a “Full V7000 Server” installation. These files are built by the engineering team and supplied to the factory team at post-process time.

If no such files are found, the “Third party components” group box is not available (grayed) and no component is listed.

On a “Remote V7000 Administration Tools” installation, the “Third party components” group box is not available (grayed) and no component is listed.

If the use of the tool is restricted to a visualization mode only (see C.2.2), the components are not available and are checked or unchecked depending on their state in the firewall.


C.7 Components state towards the firewall at main dialog box opening time

For each component managed by the V7000 Firewall Configurator application, its actual current state in the firewall is displayed:

• checked if enabled

• unchecked if disabled

If the application detects that the configuration of a component has been updated by another tool (Windows Security Center/Windows Firewall for example):

• a Warning icon is displayed next to the component, for Windows native, V7000 and Interop7 components

• the component name is highlighted in yellow and followed by the word Warning, for factory-installed third party components (on a “Full V7000 Server” installation only)

In this case, the following text is also displayed at the bottom of the main dialog box:

Warning icon(s) (Common/V7000/Interop7 components) or yellow highlighted Warning text(s) (Third party components) mean that the firewall configuration has been modified outside this tool. In this case, it is strongly recommended to reestablish the desired configuration with this tool.

C.7.1 Case of Interop7 components uninstall

When Interop7 components are uninstalled from the server, neither the V7000 Firewall Configurator nor the firewall itself is informed. Thus, the current state of these components in the firewall is kept, and the V7000 Firewall Configurator displays it as follows at main dialog box opening time:

• checked if enabled

• unchecked if disabled


C.8 Components state validation/invalidation in main dialog box

The main dialog box is displayed with three buttons: OK, Cancel and Apply.

At main dialog box opening time:

• if the use of the tool is restricted to a visualization mode only (see C.2.2), the OK button is the only one available (not grayed)

• otherwise (full user rights), the Apply button is unavailable (grayed) unless Warnings are displayed (see C.7), and the OK and Cancel buttons are available (not grayed)

The modification of a component (checked if not checked, or unchecked if checked):

• removes the corresponding Warning if it exists

• makes the Apply button available

When the Apply button is available (not grayed), that is, when modifications are in progress or Warnings are displayed, a click on this button makes it unavailable (grayed) and:

• any modifications in progress are validated

• if Warnings were displayed, the following information dialog box is displayed:

Figure C-15 No more Warning(s) after Apply button clicked (on a “Full V7000 Server” installation)


Figure C-16 No more Warning(s) after Apply button clicked (on a “Remote V7000 Administration Tools” installation)

and the Warnings and the specific text at the bottom of the main dialog box (see C.7) are removed when this dialog box is closed. The state of the components is validated.

The main dialog box is not closed when the Apply button is clicked.

When the Apply button is unavailable (grayed) (no modification in progress and no Warning displayed):

• a click on the OK button validates the displayed state of the components and closes the main dialog box

• a click on the Cancel button keeps the displayed state of the components and closes the main dialog box

When the Apply button is available (not grayed), that is, when modifications are in progress or Warnings are displayed, a click on the OK button:

• validates any modifications in progress

• displays the following information dialog box if Warnings were displayed:

Figure C-17 No more Warning(s) after OK button clicked (on a “Full V7000 Server” installation)


Figure C-18 No more Warning(s) after OK button clicked (on a “Remote V7000 Administration Tools” installation)

• and the Warnings and the specific text at the bottom of the main dialog box (see C.7) are removed when this dialog box is closed. The state of the components is validated.

The main dialog box is closed when the OK button is clicked.

When the Apply button is available (not grayed), that is, when modifications are in progress or Warnings are displayed, a click on the Cancel button discards the modifications in progress (if any) and closes the main dialog box.

When the Apply or the OK button is clicked, if the application associated with a checked component is not found on the system, the following warning dialog box is displayed:

Figure C-19 Application(s) not found on system (on a “Full V7000 Server” installation)

This example is given for third party components that are not present on the system (or whose specific configuration files, built by the engineering team, are erroneous) on a “Full V7000 Server” installation.

In this case, the components are unchecked in the main dialog box.

NB: The same situation can arise for V7000 and Interop7 components on a “Full V7000 Server” installation or on a “Remote V7000 Administration Tools” installation.
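The rights check of C.2 and the opening, Warning, modification and Apply logic of C.7 and C.8 can be modelled in a few dozen lines; the block below is an added example, not Bull's code. It assumes that the tool keeps a per-component record of the last state it validated (the manual does not describe how the tool remembers "previously updated with the V7000 Firewall Configurator"), and the third party names and all paths are the manual's own examples or placeholders.

```python
"""Model of the V7000 Firewall Configurator main dialog logic (C.2, C.7, C.8).
Added example, not Bull's code: the tool's record of "previously updated with the
V7000 Firewall Configurator" is modelled as a table of the last validated state
per component; firewall state and the application lookup are injected.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

ADMINISTRATORS = "Administrators"
BULL_SERVICES = "V7000BullServices"


def access_mode(groups: Set[str]) -> str:
    """C.2: both groups give full rights, one of them read only, neither is an error."""
    admin, bull = ADMINISTRATORS in groups, BULL_SERVICES in groups
    if admin and bull:
        return "full"
    if admin or bull:
        return "readonly"
    raise PermissionError("RC=CONFFW_INSUFFICIENT_USERRIGHTS (45002)")


@dataclass
class Component:
    name: str
    kind: str                          # common, v7000, interop7 or thirdparty
    application: Optional[str] = None  # executable path, None for a port rule
    port: Optional[int] = None
    protocol: Optional[str] = None


@dataclass
class Row:
    component: Component
    checked: bool          # C.7: actual current state in the firewall
    warning: bool          # C.7: configuration modified outside this tool
    grayed: bool           # C.2.2: visualization mode only
    modified: bool = False


class MainDialog:
    def __init__(self, components: List[Component], firewall_enabled: Set[str],
                 tool_record: Dict[str, bool], mode: str, app_exists: Callable[[str], bool]):
        self.mode, self.app_exists = mode, app_exists
        self.record = dict(tool_record)   # name -> state last validated by this tool
        self.rows: Dict[str, Row] = {}
        for c in components:
            enabled = c.name in firewall_enabled
            # Never validated by the tool, or validated with another state: Warning.
            self.rows[c.name] = Row(c, checked=enabled,
                                    warning=self.record.get(c.name) != enabled,
                                    grayed=(mode == "readonly"))

    def warnings(self) -> List[str]:
        return [n for n, r in self.rows.items() if r.warning]

    def apply_available(self) -> bool:
        """C.8: Apply is available with full rights while a modification or Warning is pending."""
        return self.mode == "full" and any(r.warning or r.modified for r in self.rows.values())

    def toggle(self, name: str) -> None:
        """Check or uncheck a component; this removes its Warning (C.8)."""
        row = self.rows[name]
        if row.grayed:
            raise ValueError(f"{name} is not available (grayed)")
        row.checked, row.modified, row.warning = not row.checked, True, False

    def apply(self) -> List[str]:
        """C.8 Apply (OK is the same followed by closing): checked components whose application is missing are unchecked."""
        not_found = []
        for row in self.rows.values():
            app = row.component.application
            if row.checked and app is not None and not self.app_exists(app):
                not_found.append(row.component.name)
                row.checked = False
            self.record[row.component.name] = row.checked
            row.warning = row.modified = False
        return not_found

# Constructed sample reproducing use case 5 (C.9.5): the third party components
# are the manual's own examples and every path is a placeholder.
V7000 = r"<V7000 path component>"
COMPONENTS = [
    Component("DCOM RPC", "common", port=135, protocol="TCP"),
    Component("MMC Admin", "common", r"%windir%\system32\mmc.exe"),
    Component("AdminServer", "v7000", V7000 + r"\V7000_Service_VAS.exe"),
    Component("Engine", "v7000", V7000 + r"\V7000_System_Control.exe"),
    Component("SDM", "v7000", V7000 + r"\V7000_SharedDiskManager.exe"),
    Component("GCOS7 Consoles", "v7000", V7000 + r"\ClientConsole.exe"),
    Component("GTS Agent", "thirdparty", r"<Config>\gtsagent.exe"),
    Component("Navisphere Agent", "thirdparty", r"<Config>\navagent.exe"),
]


def use_case_5(app_exists: Callable[[str], bool] = lambda path: True) -> MainDialog:
    """Opening state of use case 5: a Warning on every component the tool never validated."""
    firewall_enabled = {"DCOM RPC", "Engine", "GCOS7 Consoles", "GTS Agent"}
    tool_record = {"Engine": True, "SDM": False}
    mode = access_mode({ADMINISTRATORS, BULL_SERVICES})
    return MainDialog(COMPONENTS, firewall_enabled, tool_record, mode, app_exists)
```

Passing an `app_exists` that returns False for a path reproduces use case 7 (C.9.7): the component is unchecked on Apply and its name is returned.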

C.9 Main dialog box use cases

This section shows the main dialog box as it appears in various use cases and their combinations:

• “Full V7000 Server” installation

• “Remote V7000 Administration Tools” installation

• Interop7 installed/not installed

• Warning(s) displayed at opening time

• use of the tool restricted to a visualization mode only

• third party components specific configuration files not present


C.9.1 Use case 1

“Full V7000 Server” installation, Interop7 not installed, no third party component, no Warning displayed at opening time.

Figure C-20 Main dialog box at opening time (use case 1)

Main dialog box at opening time: all common and V7000 components of a “Full V7000 Server” installation are enabled in the firewall and have been previously updated with the V7000 Firewall Configurator; the “Interop7 components” and “Third party components” group boxes are unavailable (grayed); the Apply button is unavailable (grayed).


C.9.2 Use case 2

“Remote V7000 Administration Tools” installation, Interop7 not installed, no Warning displayed at opening time.

Figure C-21 Main dialog box at opening time (use case 2)

Main dialog box at opening time: all common and V7000 components of a “Remote V7000 Administration Tools” installation are enabled in the firewall and have been previously updated with the V7000 Firewall Configurator; the “Interop7 components” and “Third party components” group boxes are unavailable (grayed); the Apply button is unavailable (grayed).


C.9.3 Use case 3

“Full V7000 Server” installation, Interop7 installed, no third party component, no Warning displayed at opening time.

Figure C-22 Main dialog box at opening time (use case 3)

Main dialog box at opening time: all common, V7000 and Interop7 components of a “Full V7000 Server” installation are enabled in the firewall and have been previously updated with the V7000 Firewall Configurator; the “Third party components” group box is unavailable (grayed); the Apply button is unavailable (grayed).


C.9.4 Use case 4

“Full V7000 Server” installation, Interop7 not installed, third party components correctly installed, no Warning displayed at opening time.

Figure C-23 Main dialog box at opening time (use case 4)

Main dialog box at opening time: all common and V7000 components and the third party components* found on a “Full V7000 Server” installation are enabled in the firewall and have been previously updated with the V7000 Firewall Configurator; the “Interop7 components” group box is unavailable (grayed); the Apply button is unavailable (grayed) (*these third party components are examples only).


C.9.5 Use case 5

“Full V7000 Server” installation, Interop7 not installed, third party components correctly installed, Warnings displayed at opening time.

Figure C-24 Main dialog box at opening time (use case 5)

Main dialog box at opening time:

• the common component DCOM RPC is enabled in the firewall but has not been previously updated with the V7000 Firewall Configurator.


• the common component MMC Admin is disabled in the firewall but has not been previously updated with the V7000 Firewall Configurator.

• the V7000 component AdminServer is disabled in the firewall but has not been previously updated with the V7000 Firewall Configurator.

• the V7000 component Engine is enabled in the firewall and has been previously updated with the V7000 Firewall Configurator.

• the V7000 component RCF is disabled in the firewall but has not been previously updated with the V7000 Firewall Configurator.

• the V7000 component SDM is disabled in the firewall and has been previously updated with the V7000 Firewall Configurator.

• the V7000 component GCOS7 Consoles is enabled in the firewall but has not been previously updated with the V7000 Firewall Configurator.

• the third party component* GTS Agent is enabled in the firewall but has not been previously updated with the V7000 Firewall Configurator.

• the third party component* Navisphere Agent is disabled in the firewall but has not been previously updated with the V7000 Firewall Configurator.

• the third party component* Netop Host is enabled in the firewall and has been previously updated with the V7000 Firewall Configurator.

A specific text is displayed at the bottom of the main dialog box, the “Interop7 components” group box is unavailable (grayed), and the Apply button is available (not grayed).

*these third party components are examples only

If the common component MMC Admin is now checked, the V7000 component AdminServer is now checked, the V7000 component Engine is now unchecked, the V7000 component GCOS7 Consoles is now unchecked and the third party component Navisphere Agent is now checked, the main dialog box is as follows:


Figure C-25 Main dialog box after some components update (use case 5)

The Warning icons next to the corresponding common and V7000 components are removed, and the third party component* Navisphere Agent is no longer highlighted in yellow.

*this third party component is an example only


If the Apply button is clicked, the following information message box is displayed:

Figure C-26 No more Warning(s) after Apply button clicked (use case 5)

After closing the information dialog box, the main dialog box is as follows:


Figure C-27 Main dialog box after Apply button clicked (use case 5)

No Warning icons or yellow highlighted third party components are displayed any more, the specific text at the bottom of the main dialog box has been removed, and the Apply button is unavailable (grayed): the state in the firewall of all components has been validated through the V7000 Firewall Configurator.


C.9.6 Use case 6

“Full V7000 Server” installation, Interop7 not installed, third party components correctly installed, no Warning displayed at opening time, use of the V7000 Firewall Configurator restricted to a visualization mode only.

Figure C-28 Main dialog box at opening time (use case 6)

Main dialog box at opening time: all common, V7000 and third party components are unavailable (grayed for common and V7000 components, not grayed for third party components); the OK button is the only one available.


C.9.7 Use case 7

“Full V7000 Server” installation, Interop7 not installed, third party components not correctly installed (erroneous specific configuration files), no Warning displayed at opening time.

Figure C-29 Main dialog box at opening time (use case 7)

Main dialog box at opening time: all common and V7000 components of a “Full V7000 Server” installation are enabled in the firewall and have been updated with the V7000 Firewall Configurator; the third party component* GTS Agent is enabled in the firewall and has been updated with the V7000 Firewall Configurator; the third party components* ThirdComponent1, ThirdComponent2 and ThirdComponent3 have erroneous specific configuration files.

*these third party components are examples only

If the third party components ThirdComponent1, ThirdComponent2 and ThirdComponent3 are checked and then the Apply button is clicked, the following warning message box is displayed:

Figure C-30 Application(s) not found on system (use case 7)

and these third party components are unchecked.


C.10 Interactive session file

When an interactive session of the V7000 Firewall Configurator is executed, a corresponding text file is created in the <Trace> directory of a “Full V7000 Server” or of a “Remote V7000 Administration Tools” installation. The name of this text file is:

• V7000ConfigFirewall_Interactive_Server.txt on a “Full V7000 Server” installation

• V7000ConfigFirewall_Interactive_RemoteAdministration.txt on a “Remote V7000 Administration Tools” installation

This file is re-created at each interactive session. The history of the last session is stored in this file.


Technical publication remarks form

Title : DPS7000/XTA NOVASCALE 7000 Security configuration for Windows 2003 DIANE systems User Guide

Reference Nº : 47 A2 11EL 02 Date: January 2006

ERRORS IN PUBLICATION

SUGGESTIONS FOR IMPROVEMENT TO PUBLICATION

Your comments will be promptly investigated by qualified technical personnel and action will be taken as required. If you require a written reply, please include your complete mailing address below.

Please give this technical publication remarks form to your BULL representative or mail to:

Bull - Documentation Dept.

1 Rue de Provence

BP 208

38432 ECHIROLLES

[email protected]


Technical publications ordering form

To order additional publications, please fill in a copy of this form and send it via mail to:

BULL CEDOC

357 AVENUE PATTON

B.P.20845

49008 ANGERS CEDEX 01

FRANCE

Phone: +33 (0) 2 41 73 72 66

FAX: +33 (0) 2 41 73 70 66

E-Mail: [email protected]

