Nortel – Enterprise Networks
Nortel Contact Center 6.0 Security Templates User Guide Issue 1.02 October 29, 2008 ABSTRACT This guide describes the generic Windows Server 2003 security templates for the Nortel Contact Center 6.0 suite of servers. This guide also provides the guideline and how to deploy the security template to secure the Nortel Contact Center 6.0 suite of servers.
NOTICE TO HOLDERS OF PAPER COPIES: Upon receipt of a new issue, destroy the previous issue or mark it “OBSOLETE”.
CONFIDENTIAL INFORMATION: The information contained in this document is the property of Nortel Networks. Except as specifically authorized in writing by Nortel Networks, the holder of this document shall keep all information contained herein confidential and shall protect same in whole or in part from disclosure and dissemination to all third parties.
Trademarks
Nortel Proprietary
Trademarks The following are trademarks of Nortel Networks: Nortel, Nortel Networks, BNR, ACD, BCS, CallPilot, DMS, DMS-100, DMS-250, DMS-MTX, DMS-SCP, DNC, DPN-100, DVS, DualMode, FastView, Helmsman, M2317, MAP, Symposium, Meridian Digital Centrex (MDC), Meridian, Meridian 1, Meridian Link, Meridian MAX, Meridian NAC, Meridian CCR, Meridian IVR, Meridian Terminal Emulator, MFA, Norstar, PowerTouch, SL-1, SL-100, SuperNode, Telesis, Unity. Action Request System and AR System are trademarks of Remedy Corporation. AMDEK is a trademark of Amdek Corporation. ANSI is a trademark of the American National Standards Institute. ClearCase is a registered trademark and ClearCase MultiSite is a trademark of Rational Software Corporation. Continuus, continuus/CM, and Continuus/PT are trademarks of Continuus Software Corporation. CaseWare/CM, CaseWare/PT, CaseWare, ACCENT, and Amplify Control are registered trademarks of Continuus Software Corporation. Courier is a trademark of Smith-Corona Corporation. CT Connect, CT Media is a registered trademark of Dialogic. Frame, FrameBuilder and FrameMaker are trademarks of Adobe Systems Incorporated. Helvetica and Times are trademarks of Linotype AG or its subsidiaries. InstallShield is a registered trademark of InstallShield Software Corporation. Interleaf is a trademark of Interleaf, Inc. Macintosh, Power Macintosh, and Apple are registered trademarks of Apple Computer, Inc. Mac OS is a trademark of Apple Computer, Inc. Microsoft Windows, Microsoft Word, Microsoft Excel, PowerPoint, Microsoft Project, Microsoft File Extension, and MS-DOS are trademarks of Microsoft Corporation. Novell is a trademark of Novell, Inc. Olecera Chart is a trademark of KL Group Inc. Portable Document Format is a trademark of Adobe Systems Incorporated. PostScript is a trademark of Adobe Systems Incorporated. SYBASE is a trademark of Sybase, Inc. UNIX is a trademark of UNIX System Laboratories. Versatility, Versatility Administrator, Versatility Call Blending, Versatility Campaign Plus, Versatility Insight, Versatility Predictive, Versatility Telesales / Teleservice are trademarks of Versatility Inc. WinRunner, TSL and Context Sensitive are trademarks of Mercury Interactive Corporation.
© 2007 Nortel Networks Corporation
ii
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Approvals
Nortel Proprietary
Approvals Prepared By Ronald Chan Senior Design Support Engineer, MA Design Support Enterprise Solutions, Multimedia Apps Support & Validation Nortel Networks Corporation
Date
Reviewed and Approved By James Chan Manager, MA Design Support Application R&D, Multimedia Apps Support & Validation Nortel Networks Corporation
Date
David O’Connell Leader, CC Sustaining & Localization Application R&D, Multimedia Apps Support and Validation Nortel Networks Corporation
Date
Issue 1.02
Nortel Contact Center 6.0 Security Templates User Guide
iii
Revision history
Nortel Proprietary
Revision history Issue Number Issue Date
Type of Review Reason(s) for Issue
Author(s)
0.01 June 23, 2005
Draft copy
Ronald Chan
Initial draft for internal review 0.02 July 5, 2005
Draft copy
Ronald Chan
Section 3.1 Add CCMS 6.0 standalone server security template definitions 0.03 August 9, 2005
Draft copy
Ronald Chan
Section 2.3.2 Add Network Domain Deployment 0.04 September 21, 2005
Draft copy
Ronald Chan
Section 2.2 Changing template files location from the CC 6.0 DVD to the Meridian PEP Library web site Section 2.2 Table 1 Remove CCO template Section 2.3.1 Changing template files location from the CC 6.0 DVD to the Meridian PEP Library web site 0.05 July 7, 2006
Draft copy
Ronald Chan
Section 2.2 Update Table 1 to include CCMS 6.0 Replication server Section 2.3.1 Add new Security Template Rollback section Section 3.1 Add Contact Center Manager Replication server Section 3.1 Update Table 3 with the latest CCMS 6.0 security template setting Section 3.2 Update Table 4 with the latest CCMS 6.0 coresidency security template setting including CCT Section 3.3 Update Table 5 with the latest CCMA 6.0 security template setting Section 3.5 Add section and Table 6 with the CCT 6.0 standalone server security template setting 0.06 October 3, 2006
Draft copy
Ronald Chan
Section 2.5 Add section to outline the network environment requirements for the CC 6.0 servers with security template to operate with
iv
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Revision history
Nortel Proprietary
Issue Number Issue Date
Type of Review Reason(s) for Issue
Author(s)
1.00 October 20, 2006
Approved Copy
Ronald Chan
Section 2.2 Add note to clarify the set of security template is only applicable to Contact Center 6.0 only, and not applicable to any earlier Symposium portfolio releases. 1.01 October 15, 2008
Approved Copy
Ronald Chan
Section 2.2 Update Table 1 to add CCMM 6.0 Section 2.3.2 Update Table 2 to add CCMM 6.0 Section 3.5 Add section and Table 8 for CCMM 6.0 security template setting 1.02 October 29, 2008
Approved Copy
Ronald Chan
Section 2.2 Update Table 1 to add CCMS 6.0 Stratus Section 2.3.2 Update Table 2 to add CCMS 6.0 Stratus Section 3.6 Add section and Table 9 for CCMS 6.0 Stratus security template setting
Issue 1.02
Nortel Contact Center 6.0 Security Templates User Guide
v
Table of contents
Nortel Proprietary
Table of contents 1
Introduction .........................................................................................................1 1.1 1.2 1.3
2
Contact Center 6.0 Security Templates.............................................................2 2.1 2.2 2.3
2.4 2.5
3
Purpose ...............................................................................................................................1 Scope...................................................................................................................................1 Intended audience ...............................................................................................................1 Contact Center 6.0 Security Template Baseline .................................................................2 Contact Center 6.0 Security Template Applicability ............................................................2 Contact Center 6.0 Security Templates Deployment ..........................................................3 2.3.1 Security Template Rollback....................................................................................4 2.3.2 Local Server Deployment .......................................................................................5 2.3.3 Network Domain Deployment.................................................................................9 Additional security settings ..................................................................................................9 Network Environment Consideration.................................................................................10
Contact Center 6.0 Security Template Files ...................................................11 3.1 3.2 3.3 3.4 3.5 3.6
Contact Center Manager Server Security Template Definitions .......................................11 Contact Center Manager Server Co-residency Security Template Definitions .................35 Contact Center Manager Administration Security Template Definitions ...........................60 Communication Control Toolkit Security Template Definitions .........................................80 Contact Center Multimedia/Outbound Security Template Definitions .............................100 Contact Center Manager Server on Stratus Platform Security Template Definitions .....119
4
Glossary...........................................................................................................146
5
References.......................................................................................................148
vi
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
List of tables
Nortel Proprietary
List of tables Table 1 Contact Center 6.0 Security Template File Applicability with Contact Center Server......................3 Table 2 Contact Center 6.0 Security Template Rollback Files......................................................................4 Table 3 Contact Cetner 6.0 Security Template Additional Settings ............................................................10 Table 4 Contact Center Manager Server 6.0 Security Template Settings ..................................................11 Table 5 Contact Center Manager Server 6.0 Co-res Security Template Settings ......................................35 Table 6 Nortel Contact Center Manager Administration 6.0 Security Template Settings ...........................61 Table 7 Nortel Communication Control Toolkit 6.0 Security Template Settings .........................................80 Table 8 Contact Center Multimedia/Outbound 6.0 Security Template Setting .........................................100 Table 9 Contact Center Manager Server Stratus Security Template Settings..........................................120
Issue 1.02
Nortel Contact Center 6.0 Security Templates User Guide
vii
Introduction
1
Introduction
1.1
Purpose
Nortel Proprietary
Security is a critical task for all organizations and it is always mandated to secure all networked servers by locking down the server operating system setting and services. Windows Server 2003 can be secured by applying a predefined security template either locally to the computer or through a network Group Policy Objects (GPO) instead of securing manually. Nortel Contact Center 6.0 is providing a set of predefined Windows Server 2003 security templates that can be deployed quickly to secure the Contact Center 6.0 suite of application servers. The set of Contact Center 6.0 security templates is designed to be closely match the industry consensus security setting benchmark [1] published by the Center of Internet Security (CIS), and meeting the Contact Center 6.0 suite of application servers operation requirements. This guide provides the detail definitions of the set of Contact Center 6.0 security templates and how to deploy the security templates to the Contact Center 6.0 suite of application servers.
1.2
Scope This guide covers the set of security templates for Nortel Contact Center 6.0. It is not intended to be a comprehensive security guide either for the Nortel Contact Center 6.0 or the Windows Server 2003.
1.3
Intended audience This guide is intended to be used by anyone wishing to secure the Contact Center 6.0 suite of application servers that are meeting the Contact Center 6.0 security template applicability requirements. It assumes that the reader is familiar with all security subjects and features in Windows Server 2003 and Microsoft network domain (Active Directory) environment.
Issue 1.02
Nortel Contact Center 6.0 Security Templates User Guide
1
Contact Center 6.0 Security Templates
2
Nortel Proprietary
Contact Center 6.0 Security Templates A set of security templates is available for the Contact Center 6.0 suite of application servers. You can apply the security template to its defined Contact Center 6.0 application server to secure the Windows Server 2003 and meeting the minimum security requirements for the Contact Center 6.0 application operation.
2.1
Contact Center 6.0 Security Template Baseline All Contact Center 6.0 security templates are based on the consensus security benchmark document, Windows Server 2003 Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Security Settings for Domain Member Servers [1], published by the Center of Internet Security (CIS) organization. This security benchmark reflects the content of the Consensus Baseline Security Settings document developed by the National Security Agency (NSA), the Defense Information Systems Agency (DISA), The National Institute and Technology (NIST), the General Service Administration (GSA), The SANS Institute, and the Center for Internet Security. The Contact Center 6.0 security template settings are baseline with the Enterprise security level as defined in the consensus benchmark [1]. Settings in the Enterprise level are designed for servers operation in a managed environment where interoperability with legacy system is not required. It assumes that all operating systems within the enterprise are Windows 2000 or later. In addition, the security template settings are adjusted to meet the minimum security setting requirements for its specific Contact Center 6.0 application server as defined in its corresponding Nortel Contact Center 6.0 server security guide document [2].
2.2
Contact Center 6.0 Security Template Applicability A set of the Contact Center 6.0 security template files is provided on the Meridian PEP Library web site. Table 1 lists the set of available template files and its corresponding applicable Contact Center 6.0 application server
2
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Templates
Nortel Proprietary
Table 1 Contact Center 6.0 Security Template File Applicability with Contact Center Server
Contact Center 6.0 Security Template File
Applicable Contact Center 6.0 Application Server
CCMS 6.0 Security Template.inf
Contact Center Manager Server standalone server , Contact Center Manager Replication server, and Network Control Center server
CCMS 6.0 Cores Security Templt.inf
Contact Center Manager Server coresidency server
CCMA 6.0 Security Template.inf
Contact Center Manager Administration standalone server
CCT 6.0 Security Template.inf
Communication Control Toolkit server
CCMM 6.0 Security Template.inf
Contact Center Multimedia/Outbound server
CCMS 6.0 Stratus Security Temp.inf
Contact Center Manager Server standalone server on Stratus platform, Contact Center Manager Replication server on Stratus platform, and Network Control Center server on Stratus platform
Note: The security template is applicable to Contact Center 6.0 only. It is not verified with its compatibility for any earlier Symposium portfolio products running on Windows Server 2003 platform. It is not applicable to any Symposium portfolio releases prior Contact Center 6.0. The security template is designed to work with a typical server configuration and may not be compatible with some specific customer’s configuration. If customer is installing additional 3rd party software on the Contact Center 6.0 application server, customer must review and test the compatibility between the Contact Center 6.0 security template and the 3rd party software in a non-production environment. Customer may need to adjust the template if necessary.
2.3
Contact Center 6.0 Security Templates Deployment The Contact Center 6.0 security template can be deployed either locally on the Contact Center 6.0 application server or as a group policy in an Active Directory OU where the Contact Center 6.0 application server is located. The Contact
Issue 1.02
Nortel Contact Center 6.0 Security Templates User Guide
3
Contact Center 6.0 Security Templates
Nortel Proprietary
Center 6.0 security template can be deployed either before or after the Contact Center 6.0 application is installed on the server. 2.3.1 Security Template Rollback There are situation (like adding CCMA and CCT to a previously standalone CCMS server and convert it into a CCMS co-residency server) that one may require to rollback the originally applied Contact Center 6.0 security template and reapply a new one that is appropriate with the new Contact Center 6.0 application server configuration. A set of Contact Center 6.0 default rollback templates for the corresponding Contact Center 6.0 security templates are provided. These default rollback templates will rollback the security setting (excluding permission setting in registries and files) from the applied security template back to the default Windows Server 2003 (with SP1) setting. Table 2 lists the set of available rollback template files and its corresponding applicable Contact Center 6.0 application server. Table 2 Contact Center 6.0 Security Template Rollback Files
4
Contact Center 6.0 Security Template Rollback File
Applicable Contact Center 6.0 Application Server
CCMS 6.0 Security Templt Rollb.inf
Contact Center Manager Server standalone server, Contact Center Manager Replication server, and Network Control Center server
CCMS 6.0 Cores Sec Templt Rollb.inf
Contact Center Manager Server coresidency server
CCMA 6.0 Security Templt Rollb.inf
Contact Center Manager Administration standalone server
CCT 6.0 Security Templt Rollb.inf
Communication Control Toolkit server
CCMM 6.0 Security Templ Roll.inf
Contact Center Multimedia/Outbound server
CCMS 6.0 Stratus Sec Tmp Rollbk.inf
Contact Center Manager Server standalone server on Stratus platform, Contact Center Manager Replication server on Stratus platform, and Network Control Center server on Stratus platform
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Templates
Nortel Proprietary
If Windows Server 2003 configuration is different from its default installed setting before applying the Contact Center 6.0 security template, the default rollback template may not restore the configuration to its customized configuration. It is Nortel recommendation that you must create an appropriate rollback template on your Contact Center 6.0 application server before deploying the Contact Center 6.0 security template. The rollback template can be generated by issuing the “secedit /GenerateRollback /CFG /RBK ” (e.g., secedit /GenerateRollback /CFG “C:\CCMS 6.0 Security Template.inf” /RBK C:\rollback.inf) command in a command line prompt windows. 2.3.2 Local Server Deployment To deploy the Contact Center 6.0 Security template locally on a Contact Center 6.0 application server, one must select the applicable security template for the Contact Center 6.0 application server and download the selected template from the Meridian PEP Library web site to the server local disk drive. The security template can then be imported and configured using the Microsoft Security Configuration and Analysis utility. The following steps can be used to deploy the Contact Center 6.0 security template using the Security Configuration and Analysis (you must add the Security Configuration and Analysis snap-in to the Microsoft Management Console): 1) Logon to the server with an administrative account. 2) Open the management console that is having the Security Configuration and Analysis snap-in.
Issue 1.02
Nortel Contact Center 6.0 Security Templates User Guide
5
Contact Center 6.0 Security Templates
Nortel Proprietary
3) Right click the Security Configuration and Analysis scope item and click Open Database. Enter a new database name (e.g., CCMA 6.0 Security Template) in the File Name field of the Open Data dialog windows, and then press the Open button.
4) On the Import Template dialog windows, browse and select the Contact Center 6.0 security template file downloaded from the Meridian PEP Library Web site, and then press the Open button. 6
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Templates
Nortel Proprietary
5) Right click the Security Configuration and Analysis scope item, and click the Analyze Computer Now to analyze the security configuration with the imported Contact Center 6.0 security template and the current server configuration.
6) On the Perform Analysis dialog windows, select the default log file path (e.g., C:\Documents and Setttings\Administrator\My Documents\Security\Logs\CCMA 6.0 Security Template.log) or select the log file path of your choice, press the OK button to perform the analysis. Issue 1.02
Nortel Contact Center 6.0 Security Templates User Guide
7
Contact Center 6.0 Security Templates
Nortel Proprietary
7) Open the security analysis log file with a text editor and review any mismatch item that may not meet your server requirement. Adjust the security template if necessary. 8) Right click the Security Configuration and Analysis scope item from the Security Configuration and Analysis snap-in management console. Click Configure Computer Now to configure the server security configuration with the imported Contact Center 6.0 security template.
9) On the Configure System dialog windows, select the default log file path (e.g., C:\Documents and Setttings\Administrator\My Documents\Security\Logs\CCMA 6.0 Security Template.log) or select the log file path of your choice, press the OK button to configure the computer.
8
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Templates
Nortel Proprietary
10) Reboot the server to activate the new security policy and configuration. 2.3.3 Network Domain Deployment The Contact Center 6.0 security templates can be deployed in a network domain environment by importing the template into a group policy object of an OU where the Contact Center 6.0 server is a member. To import a security template: 1) Open Group Policy Management Console (GPMC) 2) In the console tree, expand the domain or OU that you want to import the security template. Right-click the Group Policy object that you want to edit, and then click Edit. 3) In the Group Policy Object Editor console tree, click Computer Configuration, click Windows Settings, right-click Security Setting, and then select Import Policy. 4) Click the Contact Center 6.0 security template that you want to import, then click Open.
2.4
Additional security settings Due to some security setting are unique in individual computer, these security settings cannot be set through a common security template and must be set locally on the computer. Nortel recommends the following additional security settings be set manually on each Contact Center 6.0 application server after the security template has been deployed.
Issue 1.02
Nortel Contact Center 6.0 Security Templates User Guide
9
Contact Center 6.0 Security Templates
Nortel Proprietary
Table 3 Contact Cetner 6.0 Security Template Additional Settings
Security Setting
Additional settings
User Right Assignments Deny access to this computer from the network (minimum)
Built-in Administrator, Support_388945a0, Guest
Deny logon as a batch job
Support_388945a0, Guest
Deny logon through Terminal Service (minimum)
Support_388945a0, Guest
Security Options
2.5
Accounts: Rename Administrator Account
Accounts: Rename Guest Account
Interactive Logon: Message Text for Users Attempting to Log On
Interactive Logon: Message Title for Users Attempting to Log On
Network Environment Consideration The Contact Center 6.0 security template settings are baseline with the Enterprise security level as defined in the consensus benchmark [1]. Settings in the Enterprise level are designed for servers operation in a managed environment where interoperability with legacy system is not required. It assumes that all operating systems within the enterprise network are Windows 2000 or later. Contact Center 6.0 security template is following the consensus benchmark [1] recommendation to enable the security policy “Microsoft network client: Digitally sign communications (always)” to digitally sign all SMB communications. If a Contact Center 6.0 application sever that is having the security template applied and need to map a remote network share on a remote PC, the connecting remote PC muse have the corresponding security policy to be set by enabling either the “Microsoft network server: Digitally sign communications (always)” or “Micrsoft network server: Digitally sign communication (if client agrees)”.
10
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Template Files
Nortel Proprietary
3
Contact Center 6.0 Security Template Files
3.1
Contact Center Manager Server Security Template Definitions Table 4 lists the security template setting defined for the Contact Center Manager Server in a standalone server configuration, Contact Center Manager Replication server, and Network Control Center server. Table 4 Contact Center Manager Server 6.0 Security Template Settings
Security Setting Items
Setting
Account Policies Password Policy Enforce password history
24 passwords remembered
Maximum password age
90 days
Minimum password age
1 days
Minimum password length
8
Password must meet complexity requirements
Enabled
Store passwords using reversible encryption
Disabled
Account Lockout Policy Account lockout duration
15 minutes
Account lockout threshold
15 invalid logon attempts
Reset account lockout counter after
15 minutes
Kerberos Policy
Issue 1.02
Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization
Nortel Contact Center 6.0 Security Templates User Guide
11
Contact Center 6.0 Security Template Files
Nortel Proprietary
Local Policies Audit Policy Audit account logon events
Success, Failure
Audit account management
Success, Failure
Audit directory service access
Audit logon events
Success, Failure
Audit object access
Success, Failure
Audit policy change
Success
Audit privilege use
Audit process tracking
Audit system events
Success
User Rights Assignment
12
Access this computer from the network
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Administrators
Allow log on through terminal services
Administrators, Remote Desktop Users
Back up files and directories
Administrators
Bypass traverse checking
Users
Change the system time
Administrators
Create a pagefile
Create a token object
Create a global object
Create permanent shared objects
Debug programs
Deny access to this computer from the network
ANONYMOUS LOGON, Guests
Deny log on as a batch job
Guests
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Template Files
Nortel Proprietary
Deny log on as a service
Deny log on locally
Deny log on through Terminal Service
Guests
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Generate security audits
Impersonate a client after authentication
SERVICE
Increase scheduling priority
Load and unload device drivers
Administrators
Lock pages in memory
Log on as batch job
Log on as a service
Manage auditing and security log
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Replace a process level token
LOCAL SERVICE, NETWORK SERVICE
Restore files and directories
Shutdown the system
Administrators
Synchronize directory service data
Take ownership of file or other objects
Administrators
Security Options
Issue 1.02
Accounts: Administrator account status
Accounts: Guest account status
Disabled
Accounts: Limit local account use of blank passwords to console logon only
Enabled
Nortel Contact Center 6.0 Security Templates User Guide
13
Contact Center 6.0 Security Template Files Accounts: Rename administrator account
Nortel Proprietary
(recommend to change it to a non-standard name)
Accounts: Rename guest account
(recommend to change it to a non-standard name)
Audit: Audit the access of global system objects
Audit: Audit the use of backup and restore privilege
Audit: Shut down system immediately if unable to log security alerts
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removal media
Administrators
Devices: Prevent users from installing printer drivers
Enabled
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Devices: Unsigned driver installation behavior
Warn but allow installation
Domain Controller: Allow server operators to schedule tasks
(Not applicable)
Domain Controller: LDAP server signing requirements
(Not applicable)
Domain Controller: Refuse machine account password changes
(Not applicable)
14
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Enabled
Domain member: Digitally sign secure channel data (when
Enabled
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Template Files
Nortel Proprietary
possible) Domain member: Disable machine account password changes
Disabled
Domain member: Maximum machine password age
30 days
Domain member: Require strong (Windows 2000 or later) session key
Enabled
Interactive logon: Display user information when the session is locked
Interactive logon: Do not display last user name
Enabled
Interactive logon: Do not required CTRL+ALT+DEL
Disabled
Interactive logon: Message text for users attempting to log on
(Recommend to define a custom, or DOJ approved message text)
Interactive logon: Message title for users attempting to log on
(Recommend to define a custom, or DOJ approved message title)
Issue 1.02
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
14 days
Interactive logon: Require domain controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Lock Workstation
Microsoft network client: Digitally sign communications (always)
Enabled
Microsoft network client: Digitally sign communications (if server agrees)
Enabled
Microsoft network client: Send unencrypted password to connect to third-party SMB servers
Disabled
Microsoft network server: Amount of idle time required before suspending session
15 minutes
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Enabled
Nortel Contact Center 6.0 Security Templates User Guide
15
Contact Center 6.0 Security Template Files
16
Nortel Proprietary
Microsoft network server: Disconnect clients when logon hours expire
Enabled
MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)
10
MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)
Enabled
MSS: (AFD MaximumDynamicBacklog) Maximum number of ‘quasi-free’ connections for Winsock applications
20000 (recommended)
MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for system under attack, 10 otherwise)
20
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
Highest protection, source routing is completely disabled
MSS: (EnableDealGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
Disabled
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
Disabled
MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU)
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
Enabled
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)
Disabled
MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
Connections time out sooner of a SYN attach is detected
MSS: (TCPMaxConnectREsponseRetransmission) SYNACK retransmissions when a connection request is not acknowledged
3 & 6 secopnds, half-open connections dropped after 21 seconds
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
3
MSS: (TCPMazPortalExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended)
5
MSS: Disable Autorun for all drives
255, disable Autorun for all drives
MSS: Enable Safe DLL search mode
Enabled
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Template Files
Nortel Proprietary
MSS: Enable the computer to stop generating 8.3 style filenames
MSS: How often keep-alive packets are sent in milliseconds
300000 or 5 minutes (recommended)
MSS Percentage threshold for the security event log at which the system will generate a warning
MSS: The time in seconds before the screen saver grace period expires
0
Network access: Allow anonymous SID//Name translation
Disabled
Network access: Do not allow anonymous enumeration of SAM accounts
Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Enabled
Network access: Do not allow storage of credentials or .NET passports for network authentication
Enabled
Network access: Let Everyone permissions apply to anonymous users
Disabled
Network access: Named pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
System\CurrentControlSet\Control\ProductO ptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\WindowsNT\CurrentVer sion
Network access: Remotely accessible registry paths and sub-paths
Software\Microsoft\WindowsNT\CurrentVer sion\Print Software\Microsoft\WindowsNT\CurrentVes ion\Windows System\CurrentControlSet\Control\Print\Prin ters System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server System\CurrentControlSet\Control\ContentIn dex System\CurrentControlSet\Control\Terminal Server\UserConfig
Issue 1.02
Nortel Contact Center 6.0 Security Templates User Guide
17
Contact Center 6.0 Security Template Files
Nortel Proprietary
System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration Software\Micrsoft\WIndowsNT\CurrentVers ion\Perflib System\CurrentControlSet\Services\Sysmon Log Network access: Restrict anonymous access to Named Pipes and Shares
Enabled
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Classic – local users authenticate as themselves
Network security: Do not store LAN Manager password hash value on next password change
Enabled
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Send NTLMv2 response only\refuse LM
Network security: LDAP client signing requirements
Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Require message integrity Require message confidentiality Require NTLMv2 Session Security Require 128-bit Encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Require message integrity Require message confidentiality Require NTLMv2 Session Security Require 128-bit Encryption
18
Recovery console: Allow automatic administrative logon
Disabled
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Disable
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on computer
User must enter a password each time they use a key
System cryptography: User FIPS compliant algorithms for
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Template Files
Nortel Proprietary
encryption, hashing, and signing System objects: Default owner for objects created by members of the Administrations group
System objects: Require case insensitive for non-Windows subsystems
System objects: Strengthen default permission of internal system objects
Enabled
System settings: Option subsystems
System settings: User Certificate Rules on Windows Executables for Software Restriction Policies
Event Logs Maximum application log size
16384 kilobytes
Maximum security log size
81920 kilobytes
Maximum system log size
16384 kilobytes
Prevent local guests group from accessing application log
Enabled
Prevent local guests group from accessing security log
Enabled
Prevent local guests group from accessing system log
Enabled
Retain application log
Retain security log
Retain system log
Retention method for application log
Retention method for security log
Retention method for system log
Restricted Groups System Services Alerter
Disabled
(Alerter)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Application Experience Lookup Service
(AeLookupSvc)
Issue 1.02
Nortel Contact Center 6.0 Security Templates User Guide
19
Contact Center 6.0 Security Template Files
Nortel Proprietary
(applicable to Windows Server 2003 SP1) Application Layer Gateway Service
(ALG) Application Management
(AppMgmt) Client Service for Netware
Disabled
(NWCWorkstation)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
ASP.NET State Service
(aspnet_state) Automatic Updates
(Wuauserv) Background Intelligent Transfer Service
(BITS) CC License Manager
(CC_LM) (Built-in CC 6.0 service) CC Replication Service
(REP_Service) (Built-in CCMS service CCMS ASM_Service
(ASM_Service) (Built-in CCMS Service) CCMS Audit_Service
(AUDIT_Service) (Built-in CCMS service) CCMS Control Service
(CCMS_MasterService) (Built-in CCMS service)
20
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Template Files CCMS DBNotifier_Service
Nortel Proprietary
(DBNotifier_Service) (Built-in CCMS service) CCMS EB_Service
(EB_Service) (Built-in CCMS service) CCMS ES_Service
(ES_Service) (Built-in CCMS service) CCMS HDC_Service
(HDC_Service) (Built-in CCMS service) CCMS HDM_Service
(HDM_Service) (Built-in CCMS service) CCMS Host Application Integration
(Host Application Integration) (Built-in CCMS service) CCMS IS_Service
(IS_Service) (Built-in CCMS service) CCMS MAS Backup/Restore
(nbbkp) (Built-in CCMS service) CCMS MAS Configuration Manager
(nbcfg) (Built-in CCMS service) CCMS MAS Event Scheduler
Issue 1.02
Nortel Contact Center 6.0 Security Templates User Guide
21
Contact Center 6.0 Security Template Files
Nortel Proprietary
(nbsch) (Built-in CCMS service) CCMS MAS Fault Manager
(nbflt) (Built-in CCMS service) CCMS MAS LinkHandler Port #2
(nbalh) (Built-in CCMS service) CCMS MAS OM Server
(nboms) (Built-in CCMS service) CCMS MAS Security
(nbss) (Built-in CCMS service) CCMS MAS Service Daemon
(nbsm_dae) (Built-in CCMS service) CCMS MAS Service Manager
(nbsm) (Built-in CCMS service) CCMS MAS Time Service
(nbts) (Built-in CCMS service) CCMS MLSM_Service
(MLSM_Service) (Built-in CCMS service) CCMS NBMSM_Service
(CCMS_NBMSM_Service)
22
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Template Files
Nortel Proprietary
(Built-in CCMS service) CCMS NBNM_Service
(NBNM_Service) (Built-in CCMS service) CCMS NBTSM_Service
(NBTSM_Service) (Built-in CCMS service) CCMS NCCOAM_Service
(NCCOAM_Service) (Built-in CCMS service) CCMS NDLOAM_Service
(NDLOAM_Service) (Built-in CCMS service) CCMS NIMSM_Service
(CCMS_NIMSM_Service) (Built-in CCMS service) CCMS NINCCAudit_Service
(NINCCAudit_Service) (Built-in CCMS service) CCMS NITSM_Service
(NITSM_Service) (Built-in CCMS service) CCMS OAM_Service
(OAM_Service) (Built-in CCMS service) CCMS OAMCMF_Service
(CCMS_OAM_CMF_Service) (Built-in CCMS service)
Issue 1.02
Nortel Contact Center 6.0 Security Templates User Guide
23
Contact Center 6.0 Security Template Files CCMS RDC_Service
Nortel Proprietary
(RDC_Service) (Built-in CCMS service) CCMS RSM_Service
(RSM_Service) (Built-in CCMS service) CCMS SDMCA_Service
(SDMCA_Service) (Built-in CCMS service) CCMS SDP_Service
(SDP_Service) (Built-in CCMS Service) CCMS SIP_Service
(CCMS_SIP_Service) (Built-in CCMS service) CCMS TFA_Service
(TFA_Service) (Built-in CCMS service) CCMS TFABRIDGE_Service
(TFABRIDGE_Service) (Built-in CCMS service) CCMS TFE Bridge Connector
(TfeBridgeConnector) (Built-in CCMS service) CCMS TFE_Service
(TFE_Service) (Built-in CCMS service) CCMS UNE_Service
24
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Template Files
Nortel Proprietary
(CCMS_UNE_Service) (Built-in CCMS service) CCMS VSM_Service
(VSM_Service) (Built-in CCMS service) ClipBook
Disabled
(ClipSrv)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
COM+ Event System
(EventSystem) COM+ System Application
(COMSysApp) Computer Browser
(Browser) Cryptographic Services
(CryptSvc) DCOM Server Process Launcher
(DcomLaunch) (applicable to Windows Server 2003 SP1) DHCP Client
(Dhcp) Distributed File System
(Dfs) Distributing Link Tracking Client
(TrkWks) Distributing Link Tracking Server
(TrkSvr) Distributed Transaction Coordinator
(MSDTC)
Issue 1.02
Nortel Contact Center 6.0 Security Templates User Guide
25
Contact Center 6.0 Security Template Files DNS Client
Nortel Proprietary
(Dnscache) Error Reporting Services
(ERSvc) Event Log
(Eventlog) Fax
Disabled
(Fax)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
File Replication
Disabled
(NtFrs)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
File Server for Macintosh
Disabled
(MacFile)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
FTP Publishing Service
Disabled
(MSFtpsvc)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Help & Support
Disabled
(Helpsvc)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
HTTP SSL
Disabled
(HTTPFilter)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Human Interface Device Access
(HidServ) IIS Admin Service
Disabled
(IISADMIN)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
IMAP CD-Burning COM Service
(ImapiService) Indexing Service
26
Disabled
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Template Files
Nortel Proprietary
(Cisvc)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
InstallDriver Table Manager
(Built-in InstallShield service for CC installation) Intersite Messaging
(IsmServ) IPSEC Service
(PolicyAgent) Kerberos Key Distribution Center
(Kdc) License Logging Service
Disabled
(LicenseService)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Logical Disk Manager
(Dmserver) Logical Disk Manager Administrative Service
(Dmadmin) Messenger
Disabled
(Messenger)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Microsoft POP3 Service
Disabled
(POP3SVC)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Microsoft Software Shadow Copy Provider
(SwPrv) Net Logon
(Netlogon)
Issue 1.02
NetMeeting Remote Desktop Sharing
Disabled
(mnmsrvc)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Network Connections
Manual
Nortel Contact Center 6.0 Security Templates User Guide
27
Contact Center 6.0 Security Template Files
Nortel Proprietary
(Netman)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Network DDE
(NetDDE) Network DDE DSDM
(NetDDEdsdm) Network Location Awareness
(NLA) Network Provisioning Service
(xmlprov) (applicable to Windows Server 2003 SP1) Network News Transport Protocol (NNTP)
Disabled
(NntpSvc)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
NT LM Security Support Provider
(NtLmSsp) pcAnywhere Host Service
(Built-in pcAnywhere service for CC if it is installed) Performance Logs and Alerts
(SysmonLog) Plug and Play
(PlugPlay) Portable Media Serial Number Service
(WmdmPmSN) Print Server for Macintosh
Disabled
(MacPrint)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Print Spooler
(Spooler) Protect Storage
28
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Template Files
Nortel Proprietary
(ProtectedStorage) Remote Access Auto Connection Manager
Disabled
(RasAuto)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Access Connection Manager
(RasMan) Remote Administration Service
Disabled
(SrvcSurg)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Desktop Help Session Manager
Disabled
(RDSessMgr)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Installation
Disabled
(BINLSVC)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Procedure Call (RPC)
(RpcSs) Remote Procedure Call (RPC) Locator
(RpcLocator) Remote Registry
(RemoteRegistry)
Issue 1.02
Remote Server Manager
Disabled
(AppMgr)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Server Monitor
Disabled
(Appmon)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Storage Notification
Disabled
(Remote_Storage_User_Link)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Storage Server
Disabled
(Remote_Storage_Server)
(Permissions: Administrators=Full Control,
Nortel Contact Center 6.0 Security Templates User Guide
29
Contact Center 6.0 Security Template Files
Nortel Proprietary
System=Full Control, Interactive=Read) Removal Storage
(NtmsSvc) Resultant Set of Policy Provider
(RSoPProv) Routing and Remote Access
(RemoteAccess) Secondary Logon
(seclogon) Security Accounts Manager
(SamSs) Server
(lanmanserver) Shell Hardware Detection
(ShellHWDetection) Simple Mail Transfer Protocol (SMTP)
Disabled
(SMTPSVC)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Smart Card
(SCardSvr) SNMP Service
(SNMP) SNMP Trap Service
Disabled
(SNMPTRAP)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Special Administration Console Helper
(Sacsvr) Sybase BCKServer__BS
(SYBBCK__BS) (Built-in CCMS Sybase service)
30
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Template Files Sybase MONServer__MS
Nortel Proprietary
(SYBMON__MS) (Built-in CCMS Sybase service) Sybase SQLServer_
(SYBSQL_) (Built-in CCMS Sybase service) Sybase XPServer__XP
(SYBXPS__XP) (Built-in CCMS Sybase service) Sybase ASE Protect Service
(SybProtect) (Built-in CCMS Sybase service) System Event Notification
(SENS) TAO NT Naming Service
(TAO_NT_Naming_Service) (Built-in CCMS TAO service) Task Scheduler
(Schedule) TCP/IP NetBIOS Helper Service
(LMHosts) Telephony
Disabled
(TapiSrv)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Telnet
Disabled
(TlntSvr)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Terminal Services
(TermService)
Issue 1.02
Nortel Contact Center 6.0 Security Templates User Guide
31
Contact Center 6.0 Security Template Files Terminal Service Session Directory
Nortel Proprietary
(Tssdis) Trivial FTP Daemon
Disabled
(tftpd)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Themes
(Themes) Uninterruptible Power Supply
(UPS) Upload Manager
(Uploadmgr) Virtual Disk Service
(VDS) Volume Shadow Copy
(VSS) Web Element Manager
(elementmgr) WebClient
(WebClient) Windows Audio
(AudioSrv) Windows Firewall/Internet Connection Sharing (ICS)
(SharedAccess) Windows Image Acquisition (WIA)
(StiSvc) Windows Installer
(MSIServer) Windows Management Instrumentation
(winmgmt)
32
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Template Files Windows Management Instrumentation Driver Extensions
Nortel Proprietary
(Wmi) Windows Time
(W32Time) Windows User Mode Driver Framework
(UMWdf) (applicable to Windows Server 2003 SP1) WinHTTP Web Proxy Auto-Discovery Service
(WinHttpAutoProxySvc) Wireless Configuration
Disabled
(WZCSVC)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
WMI Performance Adapter
(WmiApSrv) Workstation
(lanmanworkstation) World Wide Web Publishing Service
Disabled
(W3SVC)
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Registry
Issue 1.02
MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
Administrators=Full Control, SYSTME=Full Control, Users=Read
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers ion\Installer
Administrators=Full Control, SYSTME=Full Control, Users=Read
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers ion\policies
Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control
MACHINE\SYSTEM\CurrentControlSet\Enum
Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control
MACHINE\SYSTEM\CurrentConrtrolSet\Services\SNMP\ Parameters\PermittedManagers
Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\ Parameters\ValidCommunities
Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full
Nortel Contact Center 6.0 Security Templates User Guide
33
Contact Center 6.0 Security Template Files
Nortel Proprietary
Control USERS\.DEFAULT\Software\Microsoft\SystemCertificate s\Root\ProtectedRoots
Administrators=Full Control, SYSTME=Full Control, Users=Read
File System
34
%SystemRoot%\regedit.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\at.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\attrib.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\cacls.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\debug.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\drwatson.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\drwtsn32.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\edlin.exe
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\eventcreate.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\eventtriggers.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\ftp.exe
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\net.exe
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\net1.exe
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\netsh.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\rcp.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\reg.exe
Administrators=Full Control, SYSTEM=Full
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Template Files
Nortel Proprietary
Control
3.2
%SystemRoot%\system32\regedt32.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\regsvr32.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\rexec.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\rsh.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\runas.exe
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\sc.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\subst.exe
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\telnet.exe
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\tftp.exe
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\tlntsvr.exe
Administrators=Full Control, SYSTEM=Full Control
Contact Center Manager Server Co-residency Security Template Definitions Table 5 lists the security template setting defined for the Contact Center Manager Server 6.0 Co-residency server (co-residency with CCMS, CCMA, and CCT). Table 5 Contact Center Manager Server 6.0 Co-res Security Template Settings
Security Setting Items
Setting
Account Policies Password Policy Enforce password history
Issue 1.02
24 passwords remembered
Nortel Contact Center 6.0 Security Templates User Guide
35
Contact Center 6.0 Security Template Files Maximum password age
90 days
Minimum password age
1 days
Minimum password length
8 characters
Password must meet complexity requirements
Enabled
Store passwords using reversible encryption
Disabled
Nortel Proprietary
Account Lockout Policy Account lockout duration
15 minutes
Account lockout threshold
15 invalid logon attempts
Reset account lockout counter after
15 minutes
Kerberos Policy Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization
Local Policies Audit Policy Audit account logon events
Success, Failure
Audit account management
Success, Failure
Audit directory service access
Audit logon events
Success, Failure
Audit object access
Success, Failure
Audit policy change
Success
Audit privilege use
Audit process tracking
Audit system events
Success
User Rights Assignment
36
Nortel Contact Center 6.0 Security Templates User Guide
Issue 1.02
Contact Center 6.0 Security Template Files
Issue 1.02
Nortel Proprietary
Access this computer from the network
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Administrators
Allow log on through terminal services
Administrators, Remote Desktop Users
Back up files and directories
Administrators
Bypass traverse checking
Users
Change the system time
Administrators
Create a pagefile
Create a token object
Create a global object
Create permanent shared objects
Debug programs
Deny access to this computer from the network
ANONYMOUS LOGON, Guests
Deny log on as a batch job
Guests
Deny log on as a service
Deny log on locally
Deny log on through Terminal Service
Guests
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Generate security audits
Impersonate a client after authentication
SERVICE
Increase scheduling priority
Load and unload device drivers
Administrators
Lock pages in memory
Log on as batch job
Nortel Contact Center 6.0 Security Templates User Guide
37
Contact Center 6.0 Security Template Files
Nortel Proprietary
Log on as a service
Manage auditing and security log
Modify firmware environment values
Perform volume maintenance tasks
Profile single process