
Page 1: CCMS 6.0 Security Templates

Nortel – Enterprise Networks

Nortel Contact Center 6.0 Security Templates User Guide Issue 1.02 October 29, 2008

ABSTRACT

This guide describes the generic Windows Server 2003 security templates for the Nortel Contact Center 6.0 suite of servers. It also provides guidelines on how to deploy the security templates to secure the Nortel Contact Center 6.0 suite of servers.

NOTICE TO HOLDERS OF PAPER COPIES: Upon receipt of a new issue, destroy the previous issue or mark it “OBSOLETE”.

CONFIDENTIAL INFORMATION: The information contained in this document is the property of Nortel Networks. Except as specifically authorized in writing by Nortel Networks, the holder of this document shall keep all information contained herein confidential and shall protect same in whole or in part from disclosure and dissemination to all third parties.


Trademarks Nortel Proprietary

ii Nortel Contact Center 6.0 Security Templates User Guide Issue 1.02

Trademarks

The following are trademarks of Nortel Networks: Nortel, Nortel Networks, BNR, ACD, BCS, CallPilot, DMS, DMS-100, DMS-250, DMS-MTX, DMS-SCP, DNC, DPN-100, DVS, DualMode, FastView, Helmsman, M2317, MAP, Symposium, Meridian Digital Centrex (MDC), Meridian, Meridian 1, Meridian Link, Meridian MAX, Meridian NAC, Meridian CCR, Meridian IVR, Meridian Terminal Emulator, MFA, Norstar, PowerTouch, SL-1, SL-100, SuperNode, Telesis, Unity.

Action Request System and AR System are trademarks of Remedy Corporation.

AMDEK is a trademark of Amdek Corporation.

ANSI is a trademark of the American National Standards Institute.

ClearCase is a registered trademark and ClearCase MultiSite is a trademark of Rational Software Corporation.

Continuus, continuus/CM, and Continuus/PT are trademarks of Continuus Software Corporation. CaseWare/CM, CaseWare/PT, CaseWare, ACCENT, and Amplify Control are registered trademarks of Continuus Software Corporation.

Courier is a trademark of Smith-Corona Corporation.

CT Connect and CT Media are registered trademarks of Dialogic.

Frame, FrameBuilder and FrameMaker are trademarks of Adobe Systems Incorporated.

Helvetica and Times are trademarks of Linotype AG or its subsidiaries.

InstallShield is a registered trademark of InstallShield Software Corporation.

Interleaf is a trademark of Interleaf, Inc.

Macintosh, Power Macintosh, and Apple are registered trademarks of Apple Computer, Inc. Mac OS is a trademark of Apple Computer, Inc.

Microsoft Windows, Microsoft Word, Microsoft Excel, PowerPoint, Microsoft Project, Microsoft File Extension, and MS-DOS are trademarks of Microsoft Corporation.

Novell is a trademark of Novell, Inc.

Olecera Chart is a trademark of KL Group Inc.

Portable Document Format is a trademark of Adobe Systems Incorporated.

PostScript is a trademark of Adobe Systems Incorporated.

SYBASE is a trademark of Sybase, Inc.

UNIX is a trademark of UNIX System Laboratories.

Versatility, Versatility Administrator, Versatility Call Blending, Versatility Campaign Plus, Versatility Insight, Versatility Predictive, Versatility Telesales / Teleservice are trademarks of Versatility Inc.

WinRunner, TSL and Context Sensitive are trademarks of Mercury Interactive Corporation.

© 2007 Nortel Networks Corporation


Approvals

Prepared By

Ronald Chan, Senior Design Support Engineer, MA Design Support, Enterprise Solutions, Multimedia Apps Support & Validation, Nortel Networks Corporation. Date: ________

Reviewed and Approved By

James Chan, Manager, MA Design Support, Application R&D, Multimedia Apps Support & Validation, Nortel Networks Corporation. Date: ________

David O’Connell, Leader, CC Sustaining & Localization, Application R&D, Multimedia Apps Support and Validation, Nortel Networks Corporation. Date: ________


Revision history

| Issue Number | Issue Date | Type of Review | Reason(s) for Issue | Author(s) |
|---|---|---|---|---|
| 0.01 | June 23, 2005 | Draft copy | Initial draft for internal review | Ronald Chan |
| 0.02 | July 5, 2005 | Draft copy | Section 3.1: Add CCMS 6.0 standalone server security template definitions | Ronald Chan |
| 0.03 | August 9, 2005 | Draft copy | Section 2.3.2: Add Network Domain Deployment | Ronald Chan |
| 0.04 | September 21, 2005 | Draft copy | Section 2.2: Change template file location from the CC 6.0 DVD to the Meridian PEP Library web site; Section 2.2, Table 1: Remove CCO template; Section 2.3.1: Change template file location from the CC 6.0 DVD to the Meridian PEP Library web site | Ronald Chan |
| 0.05 | July 7, 2006 | Draft copy | Section 2.2: Update Table 1 to include CCMS 6.0 Replication server; Section 2.3.1: Add new Security Template Rollback section; Section 3.1: Add Contact Center Manager Replication server; Section 3.1: Update Table 3 with the latest CCMS 6.0 security template settings; Section 3.2: Update Table 4 with the latest CCMS 6.0 co-residency security template settings including CCT; Section 3.3: Update Table 5 with the latest CCMA 6.0 security template settings; Section 3.5: Add section and Table 6 with the CCT 6.0 standalone server security template settings | Ronald Chan |
| 0.06 | October 3, 2006 | Draft copy | Section 2.5: Add section outlining the network environment requirements for CC 6.0 servers operating with the security template | Ronald Chan |
| 1.00 | October 20, 2006 | Approved Copy | Section 2.2: Add note clarifying that the set of security templates applies to Contact Center 6.0 only and not to any earlier Symposium portfolio release | Ronald Chan |
| 1.01 | October 15, 2008 | Approved Copy | Section 2.2: Update Table 1 to add CCMM 6.0; Section 2.3.2: Update Table 2 to add CCMM 6.0; Section 3.5: Add section and Table 8 for CCMM 6.0 security template settings | Ronald Chan |
| 1.02 | October 29, 2008 | Approved Copy | Section 2.2: Update Table 1 to add CCMS 6.0 Stratus; Section 2.3.2: Update Table 2 to add CCMS 6.0 Stratus; Section 3.6: Add section and Table 9 for CCMS 6.0 Stratus security template settings | Ronald Chan |

Table of contents

1 Introduction (page 1)
1.1 Purpose (page 1)
1.2 Scope (page 1)
1.3 Intended audience (page 1)

2 Contact Center 6.0 Security Templates (page 2)
2.1 Contact Center 6.0 Security Template Baseline (page 2)
2.2 Contact Center 6.0 Security Template Applicability (page 2)
2.3 Contact Center 6.0 Security Templates Deployment (page 3)
2.3.1 Security Template Rollback (page 4)
2.3.2 Local Server Deployment (page 5)
2.3.3 Network Domain Deployment (page 9)
2.4 Additional security settings (page 9)
2.5 Network Environment Consideration (page 10)

3 Contact Center 6.0 Security Template Files (page 11)
3.1 Contact Center Manager Server Security Template Definitions (page 11)
3.2 Contact Center Manager Server Co-residency Security Template Definitions (page 35)
3.3 Contact Center Manager Administration Security Template Definitions (page 60)
3.4 Communication Control Toolkit Security Template Definitions (page 80)
3.5 Contact Center Multimedia/Outbound Security Template Definitions (page 100)
3.6 Contact Center Manager Server on Stratus Platform Security Template Definitions (page 119)

4 Glossary (page 146)

5 References (page 148)

List of tables

Table 1 Contact Center 6.0 Security Template File Applicability with Contact Center Server (page 3)
Table 2 Contact Center 6.0 Security Template Rollback Files (page 4)
Table 3 Contact Center 6.0 Security Template Additional Settings (page 10)
Table 4 Contact Center Manager Server 6.0 Security Template Settings (page 11)
Table 5 Contact Center Manager Server 6.0 Co-res Security Template Settings (page 35)
Table 6 Nortel Contact Center Manager Administration 6.0 Security Template Settings (page 61)
Table 7 Nortel Communication Control Toolkit 6.0 Security Template Settings (page 80)
Table 8 Contact Center Multimedia/Outbound 6.0 Security Template Settings (page 100)
Table 9 Contact Center Manager Server Stratus Security Template Settings (page 120)


1 Introduction

1.1 Purpose

Security is a critical task for every organization, and all networked servers are expected to be secured by locking down the server operating system settings and services. Windows Server 2003 can be secured by applying a predefined security template, either locally on the computer or through a network Group Policy Object (GPO), instead of configuring each setting manually.

Nortel Contact Center 6.0 provides a set of predefined Windows Server 2003 security templates that can be deployed quickly to secure the Contact Center 6.0 suite of application servers. The set of Contact Center 6.0 security templates is designed to closely match the industry consensus security setting benchmark [1] published by the Center for Internet Security (CIS) while meeting the operational requirements of the Contact Center 6.0 suite of application servers.

This guide provides the detailed definitions of the set of Contact Center 6.0 security templates and describes how to deploy them to the Contact Center 6.0 suite of application servers.

1.2 Scope

This guide covers the set of security templates for Nortel Contact Center 6.0. It is not intended to be a comprehensive security guide either for the Nortel Contact Center 6.0 or the Windows Server 2003.

1.3 Intended audience

This guide is intended for anyone wishing to secure Contact Center 6.0 application servers that meet the Contact Center 6.0 security template applicability requirements. It assumes that the reader is familiar with the security subjects and features of Windows Server 2003 and of a Microsoft network domain (Active Directory) environment.


2 Contact Center 6.0 Security Templates

A set of security templates is available for the Contact Center 6.0 suite of application servers. You can apply each security template to the Contact Center 6.0 application server it is defined for, to secure Windows Server 2003 while meeting the minimum security requirements for the Contact Center 6.0 application to operate.

2.1 Contact Center 6.0 Security Template Baseline

All Contact Center 6.0 security templates are based on the consensus security benchmark document, Windows Server 2003 Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Security Settings for Domain Member Servers [1], published by the Center for Internet Security (CIS). This security benchmark reflects the content of the Consensus Baseline Security Settings document developed by the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the SANS Institute, and the Center for Internet Security.

The Contact Center 6.0 security template settings are baselined on the Enterprise security level as defined in the consensus benchmark [1]. Settings in the Enterprise level are designed for server operation in a managed environment where interoperability with legacy systems is not required; they assume that all operating systems within the enterprise are Windows 2000 or later. In addition, the security template settings are adjusted to meet the minimum security setting requirements of the specific Contact Center 6.0 application server, as defined in the corresponding Nortel Contact Center 6.0 server security guide [2].

2.2 Contact Center 6.0 Security Template Applicability

The set of Contact Center 6.0 security template files is provided on the Meridian PEP Library web site. Table 1 lists the available template files and the Contact Center 6.0 application server each one applies to.


Table 1 Contact Center 6.0 Security Template File Applicability with Contact Center Server

| Contact Center 6.0 Security Template File | Applicable Contact Center 6.0 Application Server |
|---|---|
| CCMS 6.0 Security Template.inf | Contact Center Manager Server standalone server, Contact Center Manager Replication server, and Network Control Center server |
| CCMS 6.0 Cores Security Templt.inf | Contact Center Manager Server co-residency server |
| CCMA 6.0 Security Template.inf | Contact Center Manager Administration standalone server |
| CCT 6.0 Security Template.inf | Communication Control Toolkit server |
| CCMM 6.0 Security Template.inf | Contact Center Multimedia/Outbound server |
| CCMS 6.0 Stratus Security Temp.inf | Contact Center Manager Server standalone server on Stratus platform, Contact Center Manager Replication server on Stratus platform, and Network Control Center server on Stratus platform |

Note: The security templates apply to Contact Center 6.0 only. Their compatibility with earlier Symposium portfolio products running on the Windows Server 2003 platform has not been verified, and they are not applicable to any Symposium portfolio release prior to Contact Center 6.0.

The security templates are designed to work with a typical server configuration and may not be compatible with some customer-specific configurations. If the customer installs additional third-party software on a Contact Center 6.0 application server, the customer must review and test the compatibility between the Contact Center 6.0 security template and that software in a non-production environment, and adjust the template if necessary.

2.3 Contact Center 6.0 Security Templates Deployment

The Contact Center 6.0 security template can be deployed either locally on the Contact Center 6.0 application server or as a group policy in the Active Directory OU that contains the Contact Center 6.0 application server. It can be deployed either before or after the Contact Center 6.0 application is installed on the server.

2.3.1 Security Template Rollback

There are situations (for example, adding CCMA and CCT to a previously standalone CCMS server and converting it into a CCMS co-residency server) in which the originally applied Contact Center 6.0 security template must be rolled back and a new one applied that matches the new Contact Center 6.0 application server configuration. A set of default rollback templates is provided, one for each Contact Center 6.0 security template. These default rollback templates roll back the security settings (excluding permission settings on registry keys and files) from the applied security template to the default Windows Server 2003 (with SP1) settings. Table 2 lists the available rollback template files and the Contact Center 6.0 application server each one applies to.

Table 2 Contact Center 6.0 Security Template Rollback Files

| Contact Center 6.0 Security Template Rollback File | Applicable Contact Center 6.0 Application Server |
|---|---|
| CCMS 6.0 Security Templt Rollb.inf | Contact Center Manager Server standalone server, Contact Center Manager Replication server, and Network Control Center server |
| CCMS 6.0 Cores Sec Templt Rollb.inf | Contact Center Manager Server co-residency server |
| CCMA 6.0 Security Templt Rollb.inf | Contact Center Manager Administration standalone server |
| CCT 6.0 Security Templt Rollb.inf | Communication Control Toolkit server |
| CCMM 6.0 Security Templ Roll.inf | Contact Center Multimedia/Outbound server |
| CCMS 6.0 Stratus Sec Tmp Rollbk.inf | Contact Center Manager Server standalone server on Stratus platform, Contact Center Manager Replication server on Stratus platform, and Network Control Center server on Stratus platform |


If the Windows Server 2003 configuration differs from its default installed settings before the Contact Center 6.0 security template is applied, the default rollback template may not restore that customized configuration. Nortel recommends that you create an appropriate rollback template on your Contact Center 6.0 application server before deploying the Contact Center 6.0 security template. The rollback template is generated with the command “secedit /GenerateRollback /CFG <CC 6.0 Security Template.inf> /RBK <Rollback Template.inf>” (for example, secedit /GenerateRollback /CFG “C:\CCMS 6.0 Security Template.inf” /RBK C:\rollback.inf) in a command prompt window.

2.3.2 Local Server Deployment

To deploy the Contact Center 6.0 security template locally on a Contact Center 6.0 application server, select the security template applicable to that server and download it from the Meridian PEP Library web site to the server's local disk drive. The security template can then be imported and applied using the Microsoft Security Configuration and Analysis utility.

The following steps deploy the Contact Center 6.0 security template using Security Configuration and Analysis (you must first add the Security Configuration and Analysis snap-in to a Microsoft Management Console):

1) Log on to the server with an administrative account.

2) Open the management console that contains the Security Configuration and Analysis snap-in.

3) Right-click the Security Configuration and Analysis scope item and click Open Database. Enter a new database name (e.g., CCMA 6.0 Security Template) in the File Name field of the Open Database dialog window, and then press the Open button.

4) In the Import Template dialog window, browse to and select the Contact Center 6.0 security template file downloaded from the Meridian PEP Library web site, and then press the Open button.

5) Right-click the Security Configuration and Analysis scope item and click Analyze Computer Now to compare the imported Contact Center 6.0 security template with the current server configuration.

6) In the Perform Analysis dialog window, accept the default log file path (e.g., C:\Documents and Settings\Administrator\My Documents\Security\Logs\CCMA 6.0 Security Template.log) or choose a log file path of your own, then press the OK button to perform the analysis.

7) Open the security analysis log file with a text editor and review any mismatched item that may not meet your server requirements. Adjust the security template if necessary.

8) Right-click the Security Configuration and Analysis scope item in the Security Configuration and Analysis snap-in management console and click Configure Computer Now to apply the imported Contact Center 6.0 security template to the server.

9) In the Configure System dialog window, accept the default log file path (e.g., C:\Documents and Settings\Administrator\My Documents\Security\Logs\CCMA 6.0 Security Template.log) or choose a log file path of your own, then press the OK button to configure the computer.

10) Reboot the server to activate the new security policy and configuration.
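The procedures in sections 2.3.1 and 2.3.2 can also be run from a command prompt with secedit.exe, which ships with Windows Server 2003. The batch file below is an added example written for this guide's procedure; it is not supplied by Nortel, and the C:\CCSecurity working folder, the file names in it and the APPLY argument are assumptions. It validates the template, captures a rollback template of the current server state (section 2.3.1) before anything is changed, analyzes the server against the template and writes the mismatches to the log for review (steps 3 to 7), and only configures the server and reboots it (steps 8 to 10) when started with APPLY.

```batch
@echo off
rem Added example (not part of the Nortel guide): scripted equivalent of
rem sections 2.3.1 and 2.3.2 using secedit.exe from Windows Server 2003.
rem The paths below are assumptions; adjust them for your server.
setlocal

set TEMPLATE=C:\CCSecurity\CCMS 6.0 Security Template.inf
set WORKDIR=C:\CCSecurity
set DB=%WORKDIR%\ccms60.sdb
set ROLLBACK=%WORKDIR%\ccms60-rollback.inf
set LOG=%WORKDIR%\ccms60-deploy.log

if not exist "%TEMPLATE%" (
    echo Template not found: "%TEMPLATE%"
    exit /b 1
)
if not exist "%WORKDIR%" mkdir "%WORKDIR%"

rem 1. Check that the template is well formed before touching the server.
secedit /validate "%TEMPLATE%"
if errorlevel 1 (
    echo Template failed validation; aborting.
    exit /b 1
)

rem 2. Section 2.3.1: capture a rollback template from the CURRENT server
rem    state before anything is changed. The generic rollback templates only
rem    restore Windows Server 2003 defaults, not local customizations.
rem    An existing rollback file is never overwritten: it is the only record
rem    of the pre-hardening state.
if exist "%ROLLBACK%" (
    echo Keeping existing rollback file "%ROLLBACK%"
) else (
    secedit /generaterollback /cfg "%TEMPLATE%" /rbk "%ROLLBACK%" /log "%LOG%" /quiet
    if errorlevel 1 (
        echo Rollback generation failed; see "%LOG%"
        exit /b 1
    )
)

rem 3. Section 2.3.2 steps 3-7: import the template into a fresh database
rem    and analyze only; nothing is changed yet. Mismatches go to the log.
if exist "%DB%" del "%DB%"
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%"
if errorlevel 1 (
    echo Analysis failed; see "%LOG%"
    exit /b 1
)
echo Review mismatches in "%LOG%", then re-run this script with APPLY.

rem 4. Section 2.3.2 steps 8-10: apply the template only when explicitly
rem    asked, then reboot so the new policy takes effect.
if /i "%~1"=="APPLY" (
    secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%LOG%" /quiet
    if errorlevel 1 (
        echo Configuration failed; see "%LOG%"
        exit /b 1
    )
    echo Template applied. Rebooting in 60 seconds; rollback file is "%ROLLBACK%".
    shutdown -r -t 60 -c "Contact Center 6.0 security template applied"
)
endlocal
```

Run the script once without arguments, review the log, and run it again with APPLY. The rollback file from the first run is preserved so that it still describes the pre-hardening state; if the template later has to be removed (section 2.3.1), that file is applied with secedit /configure /db "C:\CCSecurity\rollback.sdb" /cfg "C:\CCSecurity\ccms60-rollback.inf" followed by a reboot.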

2.3.3 Network Domain Deployment

The Contact Center 6.0 security templates can be deployed in a network domain environment by importing the template into a Group Policy object of an OU in which the Contact Center 6.0 server is a member. To import a security template:

1) Open the Group Policy Management Console (GPMC).

2) In the console tree, expand the domain or OU into which you want to import the security template. Right-click the Group Policy object that you want to edit, and then click Edit.

3) In the Group Policy Object Editor console tree, click Computer Configuration, click Windows Settings, right-click Security Settings, and then select Import Policy.

4) Click the Contact Center 6.0 security template that you want to import, and then click Open.

2.4 Additional security settings

Because some security settings are unique to each individual computer, they cannot be set through a common security template and must be set locally on the computer. Nortel recommends that the following additional security settings be set manually on each Contact Center 6.0 application server after the security template has been deployed.


Table 3 Contact Center 6.0 Security Template Additional Settings

| Security Setting | Additional setting |
|---|---|
| User Right Assignments | |
| Deny access to this computer from the network (minimum) | Built-in Administrator, Support_388945a0, Guest |
| Deny logon as a batch job | Support_388945a0, Guest |
| Deny logon through Terminal Service (minimum) | Support_388945a0, Guest |
| Security Options | |
| Accounts: Rename Administrator Account | <non-standard> |
| Accounts: Rename Guest Account | <non-standard> |
| Interactive Logon: Message Text for Users Attempting to Log On | <Custom, or DoJ approved> |
| Interactive Logon: Message Title for Users Attempting to Log On | <Custom, or DoJ approved> |
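Because the Table 3 values differ from server to server, one way to apply them consistently is a small supplementary security template generated on each server. The batch file below is an added example and is not part of the Nortel guide; the account names CCAdmin and CCGuest, the banner wording and the C:\CCSecurity paths are constructed placeholders. It writes the supplement as a standard security template (.inf) and applies it with secedit in two passes, so that the renames in [System Access] take effect before the deny rights in [Privilege Rights] are resolved against the new names.

```batch
@echo off
rem Added example (not from the Nortel guide): builds a per-server supplement
rem holding the Table 3 settings and applies it with secedit.exe.
rem CCAdmin, CCGuest, the banner text and the paths are constructed placeholders.
setlocal
set TPL=C:\CCSecurity\local-supplement.inf
set DB=C:\CCSecurity\local-supplement.sdb
set LOG=C:\CCSecurity\local-supplement.log

rem The new names are used again below in [Privilege Rights], so keep them in sync.
set NEWADMIN=CCAdmin
set NEWGUEST=CCGuest

if not exist C:\CCSecurity mkdir C:\CCSecurity

> "%TPL%" echo [Version]
>>"%TPL%" echo signature="$CHICAGO$"
>>"%TPL%" echo Revision=1
rem Security Options (Table 3): rename the two well-known accounts.
>>"%TPL%" echo [System Access]
>>"%TPL%" echo NewAdministratorName = "%NEWADMIN%"
>>"%TPL%" echo NewGuestName = "%NEWGUEST%"
rem User Right Assignments (Table 3): deny network, batch and Terminal
rem Services logon to the renamed built-in accounts and the Support_388945a0
rem help-assistant account. Entries are comma separated.
>>"%TPL%" echo [Privilege Rights]
>>"%TPL%" echo SeDenyNetworkLogonRight = %NEWADMIN%,Support_388945a0,%NEWGUEST%
>>"%TPL%" echo SeDenyBatchLogonRight = Support_388945a0,%NEWGUEST%
>>"%TPL%" echo SeDenyRemoteInteractiveLogonRight = Support_388945a0,%NEWGUEST%
rem Security Options (Table 3): logon banner title (REG_SZ, type 1) and
rem text (REG_MULTI_SZ, type 7; a comma would start a new line of text).
>>"%TPL%" echo [Registry Values]
>>"%TPL%" echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Authorized Use Only"
>>"%TPL%" echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,This system is for authorized users only. Activity is monitored and logged.

rem Refuse to continue if the generated template is malformed.
secedit /validate "%TPL%" || exit /b 1

rem Pass 1: security options (renames and banner). Pass 2: user rights,
rem which can now resolve the renamed accounts by their new names.
secedit /configure /db "%DB%" /cfg "%TPL%" /overwrite /areas SECURITYPOLICY /log "%LOG%" /quiet || exit /b 1
secedit /configure /db "%DB%" /cfg "%TPL%" /overwrite /areas USER_RIGHTS /log "%LOG%" /quiet || exit /b 1
echo Applied "%TPL%"; check "%LOG%" for any account name that failed to resolve.
endlocal
```

After the script runs, confirm in Local Security Policy that the three deny rights list the renamed accounts; a name that could not be resolved is reported in the log rather than silently dropped.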

2.5 Network Environment Consideration

The Contact Center 6.0 security template settings are baselined on the Enterprise security level as defined in the consensus benchmark [1]. Settings in the Enterprise level are designed for server operation in a managed environment where interoperability with legacy systems is not required; they assume that all operating systems within the enterprise network are Windows 2000 or later.

The Contact Center 6.0 security templates follow the consensus benchmark [1] recommendation to enable the security policy “Microsoft network client: Digitally sign communications (always)”, which digitally signs all SMB communications. If a Contact Center 6.0 application server with the security template applied needs to map a network share on a remote PC, the remote PC must have the corresponding server-side security policy set by enabling either “Microsoft network server: Digitally sign communications (always)” or “Microsoft network server: Digitally sign communications (if client agrees)”.
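A quick way to confirm the remote PC's side of this requirement before the share is mapped is to read the LanmanServer registry values behind the two “Microsoft network server: Digitally sign communications” policies. The batch file below is an added example, not from the Nortel guide, intended to be run on the remote PC that hosts the share; the registry path and value names are the standard Windows ones, and the pass condition (either value set to 1 is enough for a client that requires signing) follows from the policy definitions in the paragraph above.

```batch
@echo off
rem Added example (not from the Nortel guide): run on the remote PC that
rem hosts the share. Reads the LanmanServer signing values and reports
rem whether a Contact Center 6.0 server whose template requires SMB signing
rem will be able to connect.
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
set ENABLE=0
set REQUIRE=0

rem reg.exe prints "    EnableSecuritySignature    REG_DWORD    0x1";
rem the third token is the value. A missing value is treated as 0.
for /f "tokens=3" %%v in ('reg query "%KEY%" /v EnableSecuritySignature 2^>nul ^| find "REG_DWORD"') do set ENABLE=%%v
for /f "tokens=3" %%v in ('reg query "%KEY%" /v RequireSecuritySignature 2^>nul ^| find "REG_DWORD"') do set REQUIRE=%%v

echo EnableSecuritySignature  (if client agrees) = %ENABLE%
echo RequireSecuritySignature (always)           = %REQUIRE%

rem The client-side "always" policy on the Contact Center server refuses
rem unsigned sessions, so the server side must at least offer signing.
if "%REQUIRE%"=="0x1" goto ok
if "%ENABLE%"=="0x1" goto ok
echo RESULT: this host does not offer SMB signing. A Contact Center 6.0 server
echo with the security template applied will fail to map shares on it.
echo Enable "Microsoft network server: Digitally sign communications (if client agrees)"
echo in Local Security Policy and restart the Server service.
endlocal
exit /b 1

:ok
echo RESULT: signing is offered; a signing-required client can connect.
endlocal
exit /b 0
```

The exit code makes the check usable from a larger pre-deployment script: a non-zero result means the share mapping in section 2.5 will fail until the server-side policy is enabled.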


3 Contact Center 6.0 Security Template Files

3.1 Contact Center Manager Server Security Template Definitions

Table 4 lists the security template settings defined for the Contact Center Manager Server in a standalone server configuration, the Contact Center Manager Replication server, and the Network Control Center server.

Table 4 Contact Center Manager Server 6.0 Security Template Settings

Security Setting Items Setting

Account Policies

Password Policy

Enforce password history 24 passwords remembered

Maximum password age 90 days

Minimum password age 1 days

Minimum password length 8

Password must meet complexity requirements Enabled

Store passwords using reversible encryption Disabled

Account Lockout Policy

Account lockout duration 15 minutes

Account lockout threshold 15 invalid logon attempts

Reset account lockout counter after 15 minutes

Kerberos Policy

Enforce user logon restrictions <Not defined>

Maximum lifetime for service ticket <Not defined>

Maximum lifetime for user ticket <Not defined>

Maximum lifetime for user ticket renewal <Not defined>

Maximum tolerance for computer clock synchronization <Not defined>

Page 20: CCMS 6.0 Security Templates

Contact Center 6.0 Security Template Files Nortel Proprietary

12 Nortel Contact Center 6.0 Security Templates User Guide Issue 1.02

Local Policies

Audit Policy

Audit account logon events Success, Failure

Audit account management Success, Failure

Audit directory service access <Not defined>

Audit logon events Success, Failure

Audit object access Success, Failure

Audit policy change Success

Audit privilege use <Not defined>

Audit process tracking <Not defined>

Audit system events Success

User Rights Assignment

Access this computer from the network <Not defined>

Act as part of the operating system <None>

Add workstations to domain <Not defined>

Adjust memory quotas for a process <Not defined>

Allow log on locally Administrators

Allow log on through terminal services Administrators, Remote Desktop Users

Back up files and directories Administrators

Bypass traverse checking Users

Change the system time Administrators

Create a pagefile <Not defined>

Create a token object <None>

Create a global object <Not defined>

Create permanent shared objects <None>

Debug programs <None>

Deny access to this computer from the network ANONYMOUS LOGON, Guests

Deny log on as a batch job Guests

Page 21: CCMS 6.0 Security Templates

Contact Center 6.0 Security Template Files Nortel Proprietary

Issue 1.02 Nortel Contact Center 6.0 Security Templates User Guide 13

Deny log on as a service <Not defined>

Deny log on locally <Not defined>

Deny log on through Terminal Service Guests

Enable computer and user accounts to be trusted for delegation

<None>

Force shutdown from a remote system <Not defined>

Generate security audits <Not defined>

Impersonate a client after authentication SERVICE

Increase scheduling priority <Not defined>

Load and unload device drivers Administrators

Lock pages in memory <Not defined>

Log on as batch job <None>

Log on as a service <Not defined>

Manage auditing and security log <Not defined>

Modify firmware environment values <Not defined>

Perform volume maintenance tasks <Not defined>

Profile single process <Not defined>

Profile system performance <Not defined>

Remove computer from docking station <Not defined>

Replace a process level token LOCAL SERVICE, NETWORK SERVICE

Restore files and directories <Not defined>

Shutdown the system Administrators

Synchronize directory service data <None>

Take ownership of file or other objects Administrators

Security Options

Accounts: Administrator account status <Not defined>

Accounts: Guest account status Disabled

Accounts: Limit local account use of blank passwords to console logon only

Enabled

Page 22: CCMS 6.0 Security Templates

Contact Center 6.0 Security Template Files Nortel Proprietary

14 Nortel Contact Center 6.0 Security Templates User Guide Issue 1.02

Accounts: Rename administrator account <Not defined>

(recommend to change it to a non-standard name)

Accounts: Rename guest account <Not defined>

(recommend to change it to a non-standard name)

Audit: Audit the access of global system objects <Not defined>

Audit: Audit the use of backup and restore privilege <Not defined>

Audit: Shut down system immediately if unable to log security alerts

<Not defined>

DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax

<Not defined>

DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax

<Not defined>

Devices: Allow undock without having to log on <Not defined>

Devices: Allowed to format and eject removal media Administrators

Devices: Prevent users from installing printer drivers Enabled

Devices: Restrict CD-ROM access to locally logged-on user only

<Not defined>

Devices: Restrict floppy access to locally logged-on user only

<Not defined>

Devices: Unsigned driver installation behavior Warn but allow installation

Domain Controller: Allow server operators to schedule tasks

<Not defined>

(Not applicable)

Domain Controller: LDAP server signing requirements <Not defined>

(Not applicable)

Domain Controller: Refuse machine account password changes

<Not defined>

(Not applicable)

Domain member: Digitally encrypt or sign secure channel data (always)

<Not defined>

Domain member: Digitally encrypt secure channel data (when possible)

Enabled

Domain member: Digitally sign secure channel data (when possible)

Enabled

Domain member: Disable machine account password changes

Disabled

Domain member: Maximum machine password age 30 days

Domain member: Require strong (Windows 2000 or later) session key

Enabled

Interactive logon: Display user information when the session is locked

<Not defined>

Interactive logon: Do not display last user name Enabled

Interactive logon: Do not require CTRL+ALT+DEL Disabled

Interactive logon: Message text for users attempting to log on

<Not defined>

(Recommend to define a custom, or DOJ approved message text)

Interactive logon: Message title for users attempting to log on

<Not defined>

(Recommend to define a custom, or DOJ approved message title)

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

<Not defined>

Interactive logon: Prompt user to change password before expiration

14 days

Interactive logon: Require domain controller authentication to unlock workstation

<Not defined>

Interactive logon: Require smart card <Not defined>

Interactive logon: Smart card removal behavior Lock Workstation

Microsoft network client: Digitally sign communications (always)

Enabled

Microsoft network client: Digitally sign communications (if server agrees)

Enabled

Microsoft network client: Send unencrypted password to connect to third-party SMB servers

Disabled

Microsoft network server: Amount of idle time required before suspending session

15 minutes

Microsoft network server: Digitally sign communications (always)

<Not defined>

Microsoft network server: Digitally sign communications (if client agrees)

Enabled

Microsoft network server: Disconnect clients when logon hours expire

Enabled

MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)

10

MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)

Enabled

MSS: (AFD MaximumDynamicBacklog) Maximum number of ‘quasi-free’ connections for Winsock applications

20000 (recommended)

MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for system under attack, 10 otherwise)

20

MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)

Highest protection, source routing is completely disabled

MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)

Disabled

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

Disabled

MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU)

<Not defined>

MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers

Enabled

MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)

Disabled

MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)

Connections time out sooner if a SYN attack is detected

MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged

3 & 6 seconds, half-open connections dropped after 21 seconds

MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)

3

MSS: (TcpMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended)

5

MSS: Disable Autorun for all drives 255, disable Autorun for all drives

MSS: Enable Safe DLL search mode Enabled

MSS: Enable the computer to stop generating 8.3 style filenames

<Not defined>

MSS: How often keep-alive packets are sent in milliseconds

300000 or 5 minutes (recommended)

MSS: Percentage threshold for the security event log at which the system will generate a warning

<Not defined>

MSS: The time in seconds before the screen saver grace period expires

0

Network access: Allow anonymous SID/Name translation Disabled

Network access: Do not allow anonymous enumeration of SAM accounts

Enabled

Network access: Do not allow anonymous enumeration of SAM accounts and shares

Enabled

Network access: Do not allow storage of credentials or .NET passports for network authentication

Enabled

Network access: Let Everyone permissions apply to anonymous users

Disabled

Network access: Named pipes that can be accessed anonymously

<None>

Network access: Remotely accessible registry paths System\CurrentControlSet\Control\ProductOptions

System\CurrentControlSet\Control\Server Applications

Software\Microsoft\Windows NT\CurrentVersion

Network access: Remotely accessible registry paths and sub-paths

Software\Microsoft\Windows NT\CurrentVersion\Print

Software\Microsoft\Windows NT\CurrentVersion\Windows

System\CurrentControlSet\Control\Print\Printers

System\CurrentControlSet\Services\Eventlog

Software\Microsoft\OLAP Server

System\CurrentControlSet\Control\ContentIndex

System\CurrentControlSet\Control\Terminal Server\UserConfig

System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration

Software\Microsoft\Windows NT\CurrentVersion\Perflib

System\CurrentControlSet\Services\SysmonLog

Network access: Restrict anonymous access to Named Pipes and Shares

Enabled

Network access: Shares that can be accessed anonymously <None>

Network access: Sharing and security model for local accounts

Classic – local users authenticate as themselves

Network security: Do not store LAN Manager password hash value on next password change

Enabled

Network security: Force logoff when logon hours expire <Not defined>

Network security: LAN Manager authentication level Send NTLMv2 response only\refuse LM

Network security: LDAP client signing requirements Negotiate signing

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

Require message integrity

Require message confidentiality

Require NTLMv2 Session Security

Require 128-bit Encryption

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Require message integrity

Require message confidentiality

Require NTLMv2 Session Security

Require 128-bit Encryption

Recovery console: Allow automatic administrative logon Disabled

Recovery console: Allow floppy copy and access to all drives and all folders

<Not defined>

Shutdown: Allow system to be shut down without having to log on

Disabled

Shutdown: Clear virtual memory pagefile <Not defined>

System cryptography: Force strong key protection for user keys stored on computer

User must enter a password each time they use a key

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

<Not defined>

System objects: Default owner for objects created by members of the Administrators group

<Not defined>

System objects: Require case insensitivity for non-Windows subsystems

<Not defined>

System objects: Strengthen default permissions of internal system objects

Enabled

System settings: Optional subsystems <None>

System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies

<Not defined>

Event Logs

Maximum application log size 16384 kilobytes

Maximum security log size 81920 kilobytes

Maximum system log size 16384 kilobytes

Prevent local guests group from accessing application log Enabled

Prevent local guests group from accessing security log Enabled

Prevent local guests group from accessing system log Enabled

Retain application log <Not defined>

Retain security log <Not defined>

Retain system log <Not defined>

Retention method for application log <Not defined>

Retention method for security log <Not defined>

Retention method for system log <Not defined>

Restricted Groups

<Not defined>

System Services

Alerter

(Alerter)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Application Experience Lookup Service

(AeLookupSvc)

(applicable to Windows Server 2003 SP1)

<Not defined>

Application Layer Gateway Service

(ALG)

<Not defined>

Application Management

(AppMgmt)

<Not defined>

Client Service for NetWare

(NWCWorkstation)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

ASP.NET State Service

(aspnet_state)

<Not defined>

Automatic Updates

(Wuauserv)

<Not defined>

Background Intelligent Transfer Service

(BITS)

<Not defined>

CC License Manager

(CC_LM)

(Built-in CC 6.0 service)

<Not defined>

CC Replication Service

(REP_Service)

(Built-in CCMS service)

<Not defined>

CCMS ASM_Service

(ASM_Service)

(Built-in CCMS Service)

<Not defined>

CCMS Audit_Service

(AUDIT_Service)

(Built-in CCMS service)

<Not defined>

CCMS Control Service

(CCMS_MasterService)

(Built-in CCMS service)

<Not defined>

CCMS DBNotifier_Service

(DBNotifier_Service)

(Built-in CCMS service)

<Not defined>

CCMS EB_Service

(EB_Service)

(Built-in CCMS service)

<Not defined>

CCMS ES_Service

(ES_Service)

(Built-in CCMS service)

<Not defined>

CCMS HDC_Service

(HDC_Service)

(Built-in CCMS service)

<Not defined>

CCMS HDM_Service

(HDM_Service)

(Built-in CCMS service)

<Not defined>

CCMS Host Application Integration

(Host Application Integration)

(Built-in CCMS service)

<Not defined>

CCMS IS_Service

(IS_Service)

(Built-in CCMS service)

<Not defined>

CCMS MAS Backup/Restore

(nbbkp)

(Built-in CCMS service)

<Not defined>

CCMS MAS Configuration Manager

(nbcfg)

(Built-in CCMS service)

<Not defined>

CCMS MAS Event Scheduler

(nbsch)

(Built-in CCMS service)

<Not defined>

CCMS MAS Fault Manager

(nbflt)

(Built-in CCMS service)

<Not defined>

CCMS MAS LinkHandler Port #2

(nbalh)

(Built-in CCMS service)

<Not defined>

CCMS MAS OM Server

(nboms)

(Built-in CCMS service)

<Not defined>

CCMS MAS Security

(nbss)

(Built-in CCMS service)

<Not defined>

CCMS MAS Service Daemon

(nbsm_dae)

(Built-in CCMS service)

<Not defined>

CCMS MAS Service Manager

(nbsm)

(Built-in CCMS service)

<Not defined>

CCMS MAS Time Service

(nbts)

(Built-in CCMS service)

<Not defined>

CCMS MLSM_Service

(MLSM_Service)

(Built-in CCMS service)

<Not defined>

CCMS NBMSM_Service

(CCMS_NBMSM_Service)

(Built-in CCMS service)

<Not defined>

CCMS NBNM_Service

(NBNM_Service)

(Built-in CCMS service)

<Not defined>

CCMS NBTSM_Service

(NBTSM_Service)

(Built-in CCMS service)

<Not defined>

CCMS NCCOAM_Service

(NCCOAM_Service)

(Built-in CCMS service)

<Not defined>

CCMS NDLOAM_Service

(NDLOAM_Service)

(Built-in CCMS service)

<Not defined>

CCMS NIMSM_Service

(CCMS_NIMSM_Service)

(Built-in CCMS service)

<Not defined>

CCMS NINCCAudit_Service

(NINCCAudit_Service)

(Built-in CCMS service)

<Not defined>

CCMS NITSM_Service

(NITSM_Service)

(Built-in CCMS service)

<Not defined>

CCMS OAM_Service

(OAM_Service)

(Built-in CCMS service)

<Not defined>

CCMS OAMCMF_Service

(CCMS_OAM_CMF_Service)

(Built-in CCMS service)

<Not defined>

CCMS RDC_Service

(RDC_Service)

(Built-in CCMS service)

<Not defined>

CCMS RSM_Service

(RSM_Service)

(Built-in CCMS service)

<Not defined>

CCMS SDMCA_Service

(SDMCA_Service)

(Built-in CCMS service)

<Not defined>

CCMS SDP_Service

(SDP_Service)

(Built-in CCMS Service)

<Not defined>

CCMS SIP_Service

(CCMS_SIP_Service)

(Built-in CCMS service)

<Not defined>

CCMS TFA_Service

(TFA_Service)

(Built-in CCMS service)

<Not defined>

CCMS TFABRIDGE_Service

(TFABRIDGE_Service)

(Built-in CCMS service)

<Not defined>

CCMS TFE Bridge Connector

(TfeBridgeConnector)

(Built-in CCMS service)

<Not defined>

CCMS TFE_Service

(TFE_Service)

(Built-in CCMS service)

<Not defined>

CCMS UNE_Service

(CCMS_UNE_Service)

(Built-in CCMS service)

<Not defined>

CCMS VSM_Service

(VSM_Service)

(Built-in CCMS service)

<Not defined>

ClipBook

(ClipSrv)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

COM+ Event System

(EventSystem)

<Not defined>

COM+ System Application

(COMSysApp)

<Not defined>

Computer Browser

(Browser)

<Not defined>

Cryptographic Services

(CryptSvc)

<Not defined>

DCOM Server Process Launcher

(DcomLaunch)

(applicable to Windows Server 2003 SP1)

<Not defined>

DHCP Client

(Dhcp)

<Not defined>

Distributed File System

(Dfs)

<Not defined>

Distributed Link Tracking Client

(TrkWks)

<Not defined>

Distributed Link Tracking Server

(TrkSvr)

<Not defined>

Distributed Transaction Coordinator

(MSDTC)

<Not defined>

DNS Client

(Dnscache)

<Not defined>

Error Reporting Services

(ERSvc)

<Not defined>

Event Log

(Eventlog)

<Not defined>

Fax

(Fax)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

File Replication

(NtFrs)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

File Server for Macintosh

(MacFile)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

FTP Publishing Service

(MSFtpsvc)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Help and Support

(Helpsvc)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

HTTP SSL

(HTTPFilter)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Human Interface Device Access

(HidServ)

<Not defined>

IIS Admin Service

(IISADMIN)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

IMAPI CD-Burning COM Service

(ImapiService)

<Not defined>

Indexing Service

(Cisvc)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

InstallDriver Table Manager

(Built-in InstallShield service for CC installation)

<Not defined>

Intersite Messaging

(IsmServ)

<Not defined>

IPSEC Service

(PolicyAgent)

<Not defined>

Kerberos Key Distribution Center

(Kdc)

<Not defined>

License Logging Service

(LicenseService)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Logical Disk Manager

(Dmserver)

<Not defined>

Logical Disk Manager Administrative Service

(Dmadmin)

<Not defined>

Messenger

(Messenger)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Microsoft POP3 Service

(POP3SVC)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Microsoft Software Shadow Copy Provider

(SwPrv)

<Not defined>

Net Logon

(Netlogon)

<Not defined>

NetMeeting Remote Desktop Sharing

(mnmsrvc)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Network Connections

(Netman)

Manual

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Network DDE

(NetDDE)

<Not defined>

Network DDE DSDM

(NetDDEdsdm)

<Not defined>

Network Location Awareness

(NLA)

<Not defined>

Network Provisioning Service

(xmlprov)

(applicable to Windows Server 2003 SP1)

<Not defined>

Network News Transport Protocol (NNTP)

(NntpSvc)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

NT LM Security Support Provider

(NtLmSsp)

<Not defined>

pcAnywhere Host Service

(Built-in pcAnywhere service for CC if it is installed)

<Not defined>

Performance Logs and Alerts

(SysmonLog)

<Not defined>

Plug and Play

(PlugPlay)

<Not defined>

Portable Media Serial Number Service

(WmdmPmSN)

<Not defined>

Print Server for Macintosh

(MacPrint)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Print Spooler

(Spooler)

<Not defined>

Protected Storage

(ProtectedStorage)

<Not defined>

Remote Access Auto Connection Manager

(RasAuto)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Access Connection Manager

(RasMan)

<Not defined>

Remote Administration Service

(SrvcSurg)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Desktop Help Session Manager

(RDSessMgr)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Installation

(BINLSVC)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Procedure Call (RPC)

(RpcSs)

<Not defined>

Remote Procedure Call (RPC) Locator

(RpcLocator)

<Not defined>

Remote Registry

(RemoteRegistry)

<Not defined>

Remote Server Manager

(AppMgr)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Server Monitor

(Appmon)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Storage Notification

(Remote_Storage_User_Link)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Storage Server

(Remote_Storage_Server)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Removable Storage

(NtmsSvc)

<Not defined>

Resultant Set of Policy Provider

(RSoPProv)

<Not defined>

Routing and Remote Access

(RemoteAccess)

<Not defined>

Secondary Logon

(seclogon)

<Not defined>

Security Accounts Manager

(SamSs)

<Not defined>

Server

(lanmanserver)

<Not defined>

Shell Hardware Detection

(ShellHWDetection)

<Not defined>

Simple Mail Transfer Protocol (SMTP)

(SMTPSVC)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Smart Card

(SCardSvr)

<Not defined>

SNMP Service

(SNMP)

<Not defined>

SNMP Trap Service

(SNMPTRAP)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Special Administration Console Helper

(Sacsvr)

<Not defined>

Sybase BCKServer_<server name>_BS

(SYBBCK_<server name>_BS)

(Built-in CCMS Sybase service)

<Not defined>

Sybase MONServer_<server name>_MS

(SYBMON_<server name>_MS)

(Built-in CCMS Sybase service)

<Not defined>

Sybase SQLServer_<server name>

(SYBSQL_<server name>)

(Built-in CCMS Sybase service)

<Not defined>

Sybase XPServer_<server name>_XP

(SYBXPS_<server name>_XP)

(Built-in CCMS Sybase service)

<Not defined>

Sybase ASE Protect Service

(SybProtect)

(Built-in CCMS Sybase service)

<Not defined>

System Event Notification

(SENS)

<Not defined>

TAO NT Naming Service

(TAO_NT_Naming_Service)

(Built-in CCMS TAO service)

<Not defined>

Task Scheduler

(Schedule)

<Not defined>

TCP/IP NetBIOS Helper Service

(LMHosts)

<Not defined>

Telephony

(TapiSrv)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Telnet

(TlntSvr)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Terminal Services

(TermService)

<Not defined>

Terminal Services Session Directory

(Tssdis)

<Not defined>

Trivial FTP Daemon

(tftpd)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Themes

(Themes)

<Not defined>

Uninterruptible Power Supply

(UPS)

<Not defined>

Upload Manager

(Uploadmgr)

<Not defined>

Virtual Disk Service

(VDS)

<Not defined>

Volume Shadow Copy

(VSS)

<Not defined>

Web Element Manager

(elementmgr)

<Not defined>

WebClient

(WebClient)

<Not defined>

Windows Audio

(AudioSrv)

<Not defined>

Windows Firewall/Internet Connection Sharing (ICS)

(SharedAccess)

<Not defined>

Windows Image Acquisition (WIA)

(StiSvc)

<Not defined>

Windows Installer

(MSIServer)

<Not defined>

Windows Management Instrumentation

(winmgmt)

<Not defined>

Windows Management Instrumentation Driver Extensions

(Wmi)

<Not defined>

Windows Time

(W32Time)

<Not defined>

Windows User Mode Driver Framework

(UMWdf)

(applicable to Windows Server 2003 SP1)

<Not defined>

WinHTTP Web Proxy Auto-Discovery Service

(WinHttpAutoProxySvc)

<Not defined>

Wireless Configuration

(WZCSVC)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

WMI Performance Adapter

(WmiApSrv)

<Not defined>

Workstation

(lanmanworkstation)

<Not defined>

World Wide Web Publishing Service

(W3SVC)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Registry

MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit

Administrators=Full Control, SYSTEM=Full Control, Users=Read

MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer

Administrators=Full Control, SYSTEM=Full Control, Users=Read

MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control

MACHINE\SYSTEM\CurrentControlSet\Enum Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control

MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers

Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control

MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities

Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control

USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

Administrators=Full Control, SYSTEM=Full Control, Users=Read

File System

%SystemRoot%\regedit.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\at.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\attrib.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\cacls.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\debug.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\drwatson.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\drwtsn32.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\edlin.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\eventcreate.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\eventtriggers.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\ftp.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\net.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\net1.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\netsh.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\rcp.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\reg.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\regedt32.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\regsvr32.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\rexec.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\rsh.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\runas.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\sc.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\subst.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\telnet.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\tftp.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\tlntsvr.exe Administrators=Full Control, SYSTEM=Full Control
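A deployed template is only useful if the server actually ends up with these values, so the natural operational check is to export the host's effective configuration and diff it against the table. The following Python checker is an added example and not code from Nortel's guide: it parses the INF text that `secedit /export /cfg <file>` writes on a Windows Server 2003 host and reports every setting that is missing or differs from a subset of the Security Options and MSS rows listed above. The INF section names, key names and the `<type>,<data>` encoding of registry values (4 = REG_DWORD, 1 = REG_SZ) are secedit's own conventions; the baseline dictionary is this example's mapping of the table rows to their registry keys (for instance "Send NTLMv2 response only\refuse LM" is LmCompatibilityLevel 4, and the four NTLM SSP minimum-security rows together are 0x20080030). The sample export embedded in the block is constructed for the demo, with three deliberate deviations, so that it runs offline.

```python
"""Baseline checker for a secedit-style security template (INF) export.

Added example, not code from Nortel's guide.  It parses the text that
``secedit /export /cfg <file>`` writes and lists every setting that
deviates from a subset of the CCMS template values above.  Section names,
key names and the "<type>,<data>" registry encoding (4 = REG_DWORD,
1 = REG_SZ) are secedit's own conventions; SAMPLE_EXPORT is constructed.
"""
from typing import Dict, List, Optional, Tuple

# Subset of the template rows above, mapped to their INF section and key.
BASELINE: Dict[str, Dict[str, str]] = {
    "System Access": {
        "EnableGuestAccount": "0",      # Accounts: Guest account status = Disabled
        "LSAAnonymousNameLookup": "0",  # Allow anonymous SID/Name translation = Disabled
    },
    "Registry Values": {
        # Security Options: blank-password limit, NTLMv2 only/refuse LM, no LM hash,
        # no anonymous enumeration of SAM accounts and shares
        r"MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse": "4,1",
        r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel": "4,4",
        r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash": "4,1",
        r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": "4,1",
        # 0x20080030 = integrity | confidentiality | NTLMv2 session security | 128-bit
        r"MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec": "4,537395248",
        # MSS rows: source routing off, ignore NetBIOS name release, safe DLL search,
        # Autorun off for all drives, no screen-saver grace period
        r"MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting": "4,2",
        r"MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand": "4,1",
        r"MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode": "4,1",
        r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun": "4,255",
        r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod": '1,"0"',
    },
}

# (section, key, expected, actual); actual is None when the export lacks the key.
Finding = Tuple[str, str, str, Optional[str]]


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [Section] / key=value layout of an INF export into nested dicts.

    Keys are lower-cased: registry paths are case-insensitive and secedit is
    not consistent about their case between hosts.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None or "=" not in line:    # stray text outside a section
            continue
        key, value = line.split("=", 1)           # registry paths never contain '='
        current[key.strip().lower()] = value.strip()
    return sections


def check_baseline(export_text: str,
                   baseline: Dict[str, Dict[str, str]] = BASELINE) -> List[Finding]:
    """Return every baseline setting that the export omits or sets differently."""
    actual = parse_inf(export_text)
    findings: List[Finding] = []
    for section, expected in baseline.items():
        present = actual.get(section, {})
        for key, want in expected.items():
            got = present.get(key.lower())
            if got != want:
                findings.append((section, key, want, got))
    return findings


# Constructed export fragment: LmCompatibilityLevel too low, SafeDllSearchMode
# absent, Autorun left at a non-baseline value.  Everything else matches.
SAMPLE_EXPORT = r"""
[System Access]
MinimumPasswordLength = 8
EnableGuestAccount = 0
LSAAnonymousNameLookup = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395248
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting=4,2
MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun=4,145
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod=1,"0"
"""

if __name__ == "__main__":
    # On a live host: secedit /export /cfg C:\temp\current.inf (written as
    # UTF-16), then check_baseline(open(path, encoding="utf-16").read()).
    for section, key, want, got in check_baseline(SAMPLE_EXPORT):
        print(f"[{section}] {key}: expected {want}, found {got!r}")
```

Run against the sample it reports the three deviations and nothing else; an empty export reports every baseline key as missing, which is the behaviour you want when a template was never applied at all. Extending the baseline is a matter of adding rows, and keeping it as data rather than code means the same checker serves the co-residency template that follows.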

3.2 Contact Center Manager Server Co-residency Security Template Definitions

Table 5 lists the security template settings defined for the Contact Center Manager Server 6.0 Co-residency server (co-residency with CCMS, CCMA, and CCT).

Table 5 Contact Center Manager Server 6.0 Co-res Security Template Settings

Security Setting Items Setting

Account Policies

Password Policy

Enforce password history 24 passwords remembered

Maximum password age 90 days

Minimum password age 1 day

Minimum password length 8 characters

Password must meet complexity requirements Enabled

Store passwords using reversible encryption Disabled

Account Lockout Policy

Account lockout duration 15 minutes

Account lockout threshold 15 invalid logon attempts

Reset account lockout counter after 15 minutes

Kerberos Policy

Enforce user logon restrictions <Not defined>

Maximum lifetime for service ticket <Not defined>

Maximum lifetime for user ticket <Not defined>

Maximum lifetime for user ticket renewal <Not defined>

Maximum tolerance for computer clock synchronization <Not defined>

Local Policies

Audit Policy

Audit account logon events Success, Failure

Audit account management Success, Failure

Audit directory service access <Not defined>

Audit logon events Success, Failure

Audit object access Success, Failure

Audit policy change Success

Audit privilege use <Not defined>

Audit process tracking <Not defined>

Audit system events Success

User Rights Assignment

Access this computer from the network <Not defined>

Act as part of the operating system <None>

Add workstations to domain <Not defined>

Adjust memory quotas for a process <Not defined>

Allow log on locally Administrators

Allow log on through Terminal Services Administrators, Remote Desktop Users

Back up files and directories Administrators

Bypass traverse checking Users

Change the system time Administrators

Create a pagefile <Not defined>

Create a token object <None>

Create global objects <Not defined>

Create permanent shared objects <None>

Debug programs <None>

Deny access to this computer from the network ANONYMOUS LOGON, Guests

Deny log on as a batch job Guests

Deny log on as a service <Not defined>

Deny log on locally <Not defined>

Deny log on through Terminal Services Guests

Enable computer and user accounts to be trusted for delegation

<None>

Force shutdown from a remote system <Not defined>

Generate security audits <Not defined>

Impersonate a client after authentication SERVICE

Increase scheduling priority <Not defined>

Load and unload device drivers Administrators

Lock pages in memory <Not defined>

Log on as a batch job <Not defined>

Log on as a service <Not defined>

Manage auditing and security log <Not defined>

Modify firmware environment values <Not defined>

Perform volume maintenance tasks <Not defined>

Profile single process <Not defined>

Profile system performance <Not defined>

Remove computer from docking station <Not defined>

Replace a process level token LOCAL SERVICE, NETWORK SERVICE

Restore files and directories <Not defined>

Shut down the system Administrators

Synchronize directory service data <None>

Take ownership of file or other objects Administrators

Security Options

Accounts: Administrator account status <Not defined>

Accounts: Guest account status Disabled

Accounts: Limit local account use of blank passwords to console logon only

Enabled

Accounts: Rename administrator account <Not defined>

(recommend to change it to a non-standard name)

Accounts: Rename guest account <Not defined>

(recommend to change it to a non-standard name)

Audit: Audit the access of global system objects <Not defined>

Audit: Audit the use of backup and restore privilege <Not defined>

Audit: Shut down system immediately if unable to log security audits

<Not defined>

DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax

<Not defined>

DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax

<Not defined>


Devices: Allow undock without having to log on <Not defined>

Devices: Allowed to format and eject removable media Administrators

Devices: Prevent users from installing printer drivers Enabled

Devices: Restrict CD-ROM access to locally logged-on user only

<Not defined>

Devices: Restrict floppy access to locally logged-on user only

<Not defined>

Devices: Unsigned driver installation behavior Warn but allow installation

Domain Controller: Allow server operators to schedule tasks

<Not defined>

(Not applicable)

Domain Controller: LDAP server signing requirements <Not defined>

(Not applicable)

Domain Controller: Refuse machine account password changes

<Not defined>

(Not applicable)

Domain member: Digitally encrypt or sign secure channel data (always)

<Not defined>

Domain member: Digitally encrypt secure channel data (when possible)

Enabled

Domain member: Digitally sign secure channel data (when possible)

Enabled

Domain member: Disable machine account password changes

Disabled

Domain member: Maximum machine password age 30 days

Domain member: Require strong (Windows 2000 or later) session key

Enabled

Interactive logon: Display user information when the session is locked

<Not defined>

Interactive logon: Do not display last user name Enabled

Interactive logon: Do not require CTRL+ALT+DEL Disabled

Interactive logon: Message text for users attempting to log on

<Not defined>

(Recommend defining a custom or DOJ-approved message text)

Interactive logon: Message title for users attempting to log on <Not defined>

(Recommend defining a custom or DOJ-approved message title)

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

<Not defined>

Interactive logon: Prompt user to change password before expiration

14 days

Interactive logon: Require domain controller authentication to unlock workstation

<Not defined>

Interactive logon: Require smart card <Not defined>

Interactive logon: Smart card removal behavior Lock Workstation

Microsoft network client: Digitally sign communications (always)

Enabled

Microsoft network client: Digitally sign communications (if server agrees)

Enabled

Microsoft network client: Send unencrypted password to connect to third-party SMB servers

Disabled

Microsoft network server: Amount of idle time required before suspending session

15 minutes

Microsoft network server: Digitally sign communications (always)

<Not defined>

Microsoft network server: Digitally sign communications (if client agrees)

Enabled

Microsoft network server: Disconnect clients when logon hours expire

Enabled

MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)

10

MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)

Enabled

MSS: (AFD MaximumDynamicBacklog) Maximum number of ‘quasi-free’ connections for Winsock applications

20000 (recommended)

MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for system under attack, 10 otherwise)

20

MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)

Highest protection, source routing is completely disabled

MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)

Disabled


MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

Disabled

MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU)

<Not defined>

MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers

Enabled

MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)

Disabled

MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)

Connections time out sooner if a SYN attack is detected

MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged

3 & 6 seconds, half-open connections dropped after 21 seconds

MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)

3

MSS: (TcpMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended)

5

MSS: Disable Autorun for all drives 255, disable Autorun for all drives

MSS: Enable Safe DLL search mode Enabled

MSS: Enable the computer to stop generating 8.3 style filenames

<Not defined>

MSS: How often keep-alive packets are sent in milliseconds

300000 or 5 minutes (recommended)

MSS: Percentage threshold for the security event log at which the system will generate a warning

<Not defined>

MSS: The time in seconds before the screen saver grace period expires

0

Network access: Allow anonymous SID/Name translation Disabled

Network access: Do not allow anonymous enumeration of SAM accounts

Enabled

Network access: Do not allow anonymous enumeration of SAM accounts and shares

Enabled

Network access: Do not allow storage of credentials or .NET passports for network authentication

Enabled


Network access: Let Everyone permissions apply to anonymous users

Disabled

Network access: Named pipes that can be accessed anonymously

<None>

Network access: Remotely accessible registry paths

System\CurrentControlSet\Control\ProductOptions

System\CurrentControlSet\Control\Server Applications

Software\Microsoft\Windows NT\CurrentVersion

Network access: Remotely accessible registry paths and sub-paths

Software\Microsoft\Windows NT\CurrentVersion\Print

Software\Microsoft\Windows NT\CurrentVersion\Windows

System\CurrentControlSet\Control\Print\Printers

System\CurrentControlSet\Services\Eventlog

Software\Microsoft\OLAP Server

System\CurrentControlSet\Control\ContentIndex

System\CurrentControlSet\Control\Terminal Server\UserConfig

System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration

Software\Microsoft\Windows NT\CurrentVersion\Perflib

System\CurrentControlSet\Services\SysmonLog

Network access: Restrict anonymous access to Named Pipes and Shares

Enabled

Network access: Shares that can be accessed anonymously <None>

Network access: Sharing and security model for local accounts

Classic – local users authenticate as themselves

Network security: Do not store LAN Manager password hash value on next password change

Enabled

Network security: Force logoff when logon hours expire <Not defined>

Network security: LAN Manager authentication level Send NTLMv2 response only\refuse LM


Network security: LDAP client signing requirements Negotiate signing

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

Require message integrity

Require message confidentiality

Require NTLMv2 Session Security

Require 128-bit Encryption

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Require message integrity

Require message confidentiality

Require NTLMv2 Session Security

Require 128-bit Encryption

Recovery console: Allow automatic administrative logon Disabled

Recovery console: Allow floppy copy and access to all drives and all folders

<Not defined>

Shutdown: Allow system to be shut down without having to log on

Disabled

Shutdown: Clear virtual memory pagefile <Not defined>

System cryptography: Force strong key protection for user keys stored on computer

User must enter a password each time they use a key

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

<Not defined>

System objects: Default owner for objects created by members of the Administrators group

<Not defined>

System objects: Require case insensitivity for non-Windows subsystems

<Not defined>

System objects: Strengthen default permission of internal system objects

Enabled

System settings: Optional subsystems <None>

System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies

<Not defined>

Event Logs

Maximum application log size 16384 kilobytes

Maximum security log size 81920 kilobytes

Maximum system log size 16384 kilobytes


Prevent local guests group from accessing application log Enabled

Prevent local guests group from accessing security log Enabled

Prevent local guests group from accessing system log Enabled

Retain application log <Not defined>

Retain security log <Not defined>

Retain system log <Not defined>

Retention method for application log <Not defined>

Retention method for security log <Not defined>

Retention method for system log <Not defined>

Restricted Groups

<Not defined>

System Services

ACDPROXY Service <Not defined>

Alerter

(Alerter)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Application Experience Lookup Service

(AeLookupSvc)

(applicable to Windows Server 2003 SP1)

<Not defined>

Application Layer Gateway Service

(ALG)

<Not defined>

Application Management

(AppMgmt)

<Not defined>

Client Service for NetWare

(NWCWorkstation)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

ASP.NET State Service

(aspnet_state)

<Not defined>

Automatic Updates

(wuauserv)

<Not defined>

Background Intelligent Transfer Service

(BITS)

<Not defined>

CCMA ICEEmHlpService

(Built-in CCMA service)

<Not defined>

CCMA IceRTDService

(Built-in CCMA service)

<Not defined>

CCMA LMService

(Built-in CCMA service)

<Not defined>

CC License Manager

(CC_LM)

(Built-in CC 6.0 service)

<Not defined>

CC Replication Service

(REP_Service)

(Built-in CCMS service)

<Not defined>

CCMS ASM_Service

(ASM_Service)

(Built-in CCMS Service)

<Not defined>

CCMS Audit_Service

(AUDIT_Service)

(Built-in CCMS service)

<Not defined>

CCMS Control Service

(CCMS_MasterService)

(Built-in CCMS service)

<Not defined>

CCMS DBNotifier_Service

(DBNotifier_Service)

(Built-in CCMS service)

<Not defined>

CCMS EB_Service

(EB_Service)

(Built-in CCMS service)

<Not defined>

CCMS ES_Service

(ES_Service)

(Built-in CCMS service)

<Not defined>

CCMS HDC_Service

(HDC_Service)

(Built-in CCMS service)

<Not defined>

CCMS HDM_Service

(HDM_Service)

(Built-in CCMS service)

<Not defined>

CCMS Host Application Integration

(Host Application Integration)

(Built-in CCMS service)

<Not defined>

CCMS IS_Service

(IS_Service)

(Built-in CCMS service)

<Not defined>

CCMS MAS Backup/Restore

(nbbkp)

(Built-in CCMS service)

<Not defined>

CCMS MAS Configuration Manager

(nbcfg)

(Built-in CCMS service)

<Not defined>

CCMS MAS Event Scheduler

(nbsch)

(Built-in CCMS service)

<Not defined>

CCMS MAS Fault Manager

(nbflt)

(Built-in CCMS service)

<Not defined>

CCMS MAS LinkHandler Port #2

(nbalh)

(Built-in CCMS service)

<Not defined>

CCMS MAS OM Server

(nboms)

(Built-in CCMS service)

<Not defined>

CCMS MAS Security

(nbss)

(Built-in CCMS service)

<Not defined>

CCMS MAS Service Daemon

(nbsm_dae)

(Built-in CCMS service)

<Not defined>

CCMS MAS Service Manager

(nbsm)

(Built-in CCMS service)

<Not defined>

CCMS MAS Time Service

(nbts)

(Built-in CCMS service)

<Not defined>

CCMS MLSM_Service

(MLSM_Service)

(Built-in CCMS service)

<Not defined>

CCMS NBMSM_Service

(CCMS_NBMSM_Service)

(Built-in CCMS service)

<Not defined>

CCMS NBNM_Service

(NBNM_Service)

(Built-in CCMS service)

<Not defined>


CCMS NBTSM_Service

(NBTSM_Service)

(Built-in CCMS service)

<Not defined>

CCMS NCCOAM_Service

(NCCOAM_Service)

(Built-in CCMS service)

<Not defined>

CCMS NDLOAM_Service

(NDLOAM_Service)

(Built-in CCMS service)

<Not defined>

CCMS NIMSM_Service

(CCMS_NIMSM_Service)

(Built-in CCMS service)

<Not defined>

CCMS NINCCAudit_Service

(NINCCAudit_Service)

(Built-in CCMS service)

<Not defined>

CCMS NITSM_Service

(NITSM_Service)

(Built-in CCMS service)

<Not defined>

CCMS OAM_Service

(OAM_Service)

(Built-in CCMS service)

<Not defined>

CCMS OAMCMF_Service

(CCMS_OAM_CMF_Service)

(Built-in CCMS service)

<Not defined>

CCMS RDC_Service

(RDC_Service)

(Built-in CCMS service)

<Not defined>

CCMS RSM_Service

(RSM_Service)

(Built-in CCMS service)

<Not defined>

CCMS SDMCA_Service

(SDMCA_Service)

(Built-in CCMS service)

<Not defined>

CCMS SDP_Service

(SDP_Service)

(Built-in CCMS Service)

<Not defined>

CCMS SIP_Service

(CCMS_SIP_Service)

(Built-in CCMS service)

<Not defined>

CCMS TFA_Service

(TFA_Service)

(Built-in CCMS service)

<Not defined>

CCMS TFABRIDGE_Service

(TFABRIDGE_Service)

(Built-in CCMS service)

<Not defined>

CCMS TFE Bridge Connector

(TfeBridgeConnector)

(Built-in CCMS service)

<Not defined>

CCMS TFE_Service

(TFE_Service)

(Built-in CCMS service)

<Not defined>

CCMS UNE_Service

(CCMS_UNE_Service)

(Built-in CCMS service)

<Not defined>

CCMS VSM_Service

(VSM_Service)

(Built-in CCMS service)

<Not defined>

ClipBook

(ClipSrv)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

COM+ Event System

(EventSystem)

<Not defined>

COM+ System Application

(COMSysApp)

<Not defined>

Computer Browser

(Browser)

<Not defined>

Cryptographic Services

(CryptSvc)

<Not defined>

Crystal Report Application Server

(built-in CCMA Crystal Report service)

<Not defined>

DCOM Server Process Launcher

(DcomLaunch)

(applicable to Windows Server 2003 SP1)

<Not defined>

DHCP Client

(Dhcp)

<Not defined>

Distributed File System

(Dfs)

<Not defined>

Distributed Link Tracking Client

(TrkWks)

<Not defined>

Distributed Link Tracking Server

(TrkSvr)

<Not defined>

Distributed Transaction Coordinator

(MSDTC)

<Not defined>

DNS Client

(Dnscache)

<Not defined>


Error Reporting Services

(ERSvc)

<Not defined>

Event Log

(Eventlog)

<Not defined>

Fax

(Fax)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

File Replication

(NtFrs)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

File Server for Macintosh

(MacFile)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

FTP Publishing Service

(MSFtpsvc)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Help and Support

(Helpsvc)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

HTTP SSL

(HTTPFilter)

<Not defined>

Human Interface Device Access

(HidServ)

<Not defined>

IIS Admin Service

(IISADMIN)

<Not defined>

IMAPI CD-Burning COM Service

(ImapiService)

<Not defined>

Indexing Service

(Cisvc)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

InstallDriver Table Manager

(Built-in InstallShield service for CC installation)

<Not defined>

Intersite Messaging

(IsmServ)

<Not defined>

IPSEC Service

(PolicyAgent)

<Not defined>

Kerberos Key Distribution Center

(Kdc)

<Not defined>

License Logging

(LicenseService)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Logical Disk Manager

(Dmserver)

<Not defined>

Logical Disk Manager Administrative Service

(Dmadmin)

<Not defined>

Messenger

(Messenger)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Microsoft POP3 Service

(POP3SVC)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Microsoft Software Shadow Copy Provider

(SwPrv)

<Not defined>

MSSQL$NNCCTDB

(Built-in CCT SQL server)

<Not defined>

MSSQLServerADHelper

(Built-in CCT SQL service)

<Not defined>

NCCT Data Access Layer

(Built-in CCT service)

<Not defined>

NCCT Server

(Built-in CCT service)

<Not defined>


NCCT TAPI Connector Service

(Built-in CCT service)

<Not defined>

Net Logon

(Netlogon)

<Not defined>

NetMeeting Remote Desktop Sharing

(mnmsrvc)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Network Connections

(Netman)

Manual

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Network DDE

(NetDDE)

<Not defined>

Network DDE DSDM

(NetDDEdsdm)

<Not defined>

Network Location Awareness

(NLA)

<Not defined>

Network Provisioning Service

(xmlprov)

<Not defined>

Network News Transport Protocol (NNTP)

(NntpSvc)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

NT LM Security Support Provider

(NtLmSsp)

<Not defined>

pcAnywhere Host Service

(Built-in pcAnywhere service for CC if it is installed)

<Not defined>

Performance Logs and Alerts

(SysmonLog)

<Not defined>

Plug and Play

(PlugPlay)

<Not defined>

Portable Media Serial Number Service

(WmdmPmSN)

<Not defined>

Print Server for Macintosh

(MacPrint)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Print Spooler

(Spooler)

<Not defined>

Protected Storage

(ProtectedStorage)

<Not defined>

Remote Access Auto Connection Manager

(RasAuto)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Access Connection Manager

(RasMan)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Administration Service

(SrvcSurg)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Desktop Help Session Manager

(RDSessMgr)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Installation

(BINLSVC)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Procedure Call (RPC)

(RpcSs)

<Not defined>

Remote Procedure Call (RPC) Locator

(RpcLocator)

<Not defined>

Remote Registry

(RemoteRegistry)

<Not defined>

Remote Server Manager

(AppMgr)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)


Remote Server Monitor

(APPMON)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Storage Notification

(Remote_Storage_User_Link)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Storage Server

(Remote_Storage_Server)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Removable Storage

(NtmsSvc)

<Not defined>

Resultant Set of Policy Provider

(RSoPProv)

<Not defined>

Routing and Remote Access

(RemoteAccess)

<Not defined>

Secondary Logon

(seclogon)

<Not defined>

Security Accounts Manager

(SamSs)

<Not defined>

Server

(lanmanserver)

<Not defined>

Shell Hardware Detection

(ShellHWDetection)

<Not defined>

Simple Mail Transfer Protocol (SMTP)

(SMTPSVC)

<Not defined>

Smart Card

(SCardSvr)

<Not defined>

SNMP Service

(SNMP)

<Not defined>

SNMP Trap Service

(SNMPTRAP)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Special Administration Console Helper

(Sacsvr)

<Not defined>

SQLAgent$NNCCTDB

(Built-in CCT SQL Agent service)

<Not defined>

Sybase BCKServer_<server name>_BS

(SYBBCK_<server name>_BS)

(Built-in CCMS Sybase service)

<Not defined>

Sybase MONServer_<server name>_MS

(SYBMON_<server name>_MS)

(Built-in CCMS Sybase service)

<Not defined>

Sybase SQLServer_<server name>

(SYBSQL_<server name>)

(Built-in CCMS Sybase service)

<Not defined>

Sybase XPServer_<server name>_XP

(SYBXPS_<server name>_XP)

(Built-in CCMS Sybase service)

<Not defined>

Sybase ASE Protect Service

(SybProtect)

(Built-in CCMS Sybase service)

<Not defined>

SymposiumWC

(Built-in CCMA ADAM service)

<Not defined>

System Event Notification

(SENS)

<Not defined>

Task Scheduler

(Schedule)

<Not defined>

TCP/IP NetBIOS Helper

(lmhosts)

<Not defined>


Telephony

(TapiSrv)

<Not defined>

Telnet

(TlntSvr)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Terminal Services

(TermService)

<Not defined>

Terminal Services Session Directory

(Tssdis)

<Not defined>

Trivial FTP Daemon

(tftpd)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Themes

(Themes)

<Not defined>

Uninterruptible Power Supply

(UPS)

<Not defined>

Upload Manager

(Uploadmgr)

<Not defined>

Virtual Disk Service

(VDS)

<Not defined>

Volume Shadow Copy

(VSS)

<Not defined>

Web Element Manager

(elementmgr)

<Not defined>

WebClient

(WebClient)

<Not defined>

Windows Audio

(AudioSrv)

<Not defined>

Windows Firewall/Internet Connection Sharing (ICS)

(SharedAccess)

<Not defined>

Windows Image Acquisition (WIA)

(StiSvc)

<Not defined>

Windows Installer

(MSIServer)

<Not defined>

Windows Management Instrumentation

(winmgmt)

<Not defined>

Windows Management Instrumentation Driver Extensions

(Wmi)

<Not defined>

Windows Time

(W32Time)

<Not defined>

Windows User Mode Driver Framework

(UMWdf)

<Not defined>

WinHTTP Web Proxy Auto-Discovery Service

(WinHttpAutoProxySvc)

<Not defined>

Wireless Configuration

(WZCSVC)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

WMI Performance Adapter

(WmiApSrv)

<Not defined>

Workstation

(lanmanworkstation)

<Not defined>

World Wide Web Publishing Service

(W3SVC)

<Not defined>

Registry

MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit

Administrators=Full Control, SYSTEM=Full Control, Users=Read

MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer

Administrators=Full Control, SYSTEM=Full Control, Users=Read


MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control

MACHINE\SYSTEM\CurrentControlSet\Enum Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control

MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers

Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control

MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities

Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control

USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

Administrators=Full Control, SYSTEM=Full Control, Users=Read

File System

%SystemRoot%\regedit.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\at.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\attrib.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\cacls.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\debug.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\drwatson.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\drwtsn32.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\edlin.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\eventcreate.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\eventtriggers.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\ftp.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\net.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\net1.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\netsh.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\rcp.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\reg.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\regedt32.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\regsvr32.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\rexec.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\rsh.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\runas.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\sc.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\subst.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\telnet.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\tftp.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\tlntsvr.exe Administrators=Full Control, SYSTEM=Full Control
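The table above describes the template in terms of policy names; on the server the same settings are stored in a secedit .inf file with sections such as [Registry Values], [Privilege Rights] and [Service General Setting]. The following Python script is an added example, not Nortel's tooling: it parses such a file and reports where it deviates from a handful of the CCMS settings listed above. The mapping from policy names to registry paths and SIDs, and the sample template text, are this example's own assumptions.

```python
"""Audit a secedit-style security template (.inf) against a few of the
CCMS settings in the table above.  Added example, not Nortel's code."""
import re

# Registry values the table calls for, written in the MACHINE\...=type,data
# form secedit uses.  The policy-name to registry-path mapping is an
# assumption of this example; the guide lists only the policy names.
EXPECTED_REGISTRY = {
    # Network security: LAN Manager authentication level -> NTLMv2 only, refuse LM
    r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel": "4,4",
    # Network security: Do not store LAN Manager hash value -> Enabled
    r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash": "4,1",
    # Network access: Do not allow anonymous enumeration of SAM accounts and shares -> Enabled
    r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": "4,1",
    # MSS: (DisableIPSourceRouting) -> highest protection, source routing disabled
    r"MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting": "4,2",
    # Interactive logon: Do not display last user name -> Enabled
    r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName": "4,1",
}

# Deny access to this computer from the network: ANONYMOUS LOGON (S-1-5-7), Guests (S-1-5-32-546)
EXPECTED_PRIVILEGES = {"SeDenyNetworkLogonRight": {"*S-1-5-7", "*S-1-5-32-546"}}

# Services the table sets to Disabled (startup type 4 in the INF format)
EXPECTED_DISABLED = {"ClipSrv", "Messenger", "TlntSvr", "tftpd"}


def parse_template(text):
    """Split secedit INF text into {section: [line, ...]} of non-comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def key_values(lines):
    """Turn 'key = value' lines into a dict keyed case-insensitively."""
    out = {}
    for line in lines:
        if "=" in line:
            key, _, value = line.partition("=")
            out[key.strip().lower()] = value.strip()
    return out


def service_start_types(lines):
    """Parse '"Name",start,"SDDL"' lines into {name: start_type}."""
    out = {}
    for line in lines:
        m = re.match(r'^"([^"]+)",\s*(\d),', line)
        if m:
            out[m.group(1).lower()] = int(m.group(2))
    return out


def audit(text):
    """Return a list of deviations from the expected settings (empty = compliant)."""
    sections = parse_template(text)
    findings = []

    reg = key_values(sections.get("Registry Values", []))
    for path, expected in EXPECTED_REGISTRY.items():
        actual = reg.get(path.lower())
        if actual is None:
            findings.append(f"missing registry value: {path}")
        elif actual.replace(" ", "") != expected:
            findings.append(f"{path}: expected {expected}, found {actual}")

    privs = key_values(sections.get("Privilege Rights", []))
    for right, expected in EXPECTED_PRIVILEGES.items():
        actual = {s.strip() for s in privs.get(right.lower(), "").split(",") if s.strip()}
        if actual != expected:
            findings.append(f"{right}: expected {sorted(expected)}, found {sorted(actual)}")

    starts = service_start_types(sections.get("Service General Setting", []))
    for svc in sorted(EXPECTED_DISABLED):
        if starts.get(svc.lower()) != 4:
            findings.append(f"service {svc} should be Disabled (start type 4)")
    return findings


# Constructed sample of what a secedit export from a partially hardened server
# might contain: weak LM level, no source-routing value, Guests only in the
# deny list, and Messenger still set to Automatic (2).
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
[Service General Setting]
"ClipSrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
"Messenger",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
"TlntSvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
"tftpd",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_TEMPLATE):
        print(finding)
```

On a real server the input would be the output of `secedit /export /cfg <file>`; the audit reports four deviations for the constructed sample and nothing once they are corrected.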

3.3 Contact Center Manager Administration Security Template Definitions

Table 6 lists the security template settings defined for the Nortel Contact Center Manager Administration 6.0 server.


Table 6 Nortel Contact Center Manager Administration 6.0 Security Template Settings

Security Setting Items Setting

Account Policies

Password Policy

Enforce password history 24 passwords remembered

Maximum password age 90 days

Minimum password age 1 day

Minimum password length 8 characters

Password must meet complexity requirements Enabled

Store passwords using reversible encryption Disabled

Account Lockout Policy

Account lockout duration 15 minutes

Account lockout threshold 15 invalid logon attempts

Reset account lockout counter after 15 minutes

Kerberos Policy

Enforce user logon restrictions <Not defined>

Maximum lifetime for service ticket <Not defined>

Maximum lifetime for user ticket <Not defined>

Maximum lifetime for user ticket renewal <Not defined>

Maximum tolerance for computer clock synchronization <Not defined>

Local Policies

Audit Policy

Audit account logon events Success, Failure

Audit account management Success, Failure

Audit directory service access <Not defined>

Audit logon events Success, Failure


Audit object access Success, Failure

Audit policy change Success

Audit privilege use <Not defined>

Audit process tracking <Not defined>

Audit system events Success

User Rights Assignment

Access this computer from the network <Not defined>

Act as part of the operating system <None>

Add workstations to domain <Not defined>

Adjust memory quotas for a process <Not defined>

Allow log on locally Administrators

Allow log on through terminal services Administrators, Remote Desktop Users

Back up files and directories Administrators

Bypass traverse checking Users

Change the system time Administrators

Create a pagefile <Not defined>

Create a token object <None>

Create global objects <Not defined>

Create permanent shared objects <None>

Debug programs <None>

Deny access to this computer from the network ANONYMOUS LOGON, Guests

Deny log on as a batch job Guests

Deny log on as a service <Not defined>

Deny log on locally <Not defined>

Deny log on through Terminal Services Guests

Enable computer and user accounts to be trusted for delegation

<None>

Force shutdown from a remote system <Not defined>


Generate security audits <Not defined>

Impersonate a client after authentication SERVICE

Increase scheduling priority <Not defined>

Load and unload device drivers Administrators

Lock pages in memory <Not defined>

Log on as a batch job <Not defined>

Log on as a service <Not defined>

Manage auditing and security log <Not defined>

Modify firmware environment values <Not defined>

Perform volume maintenance tasks <Not defined>

Profile single process <Not defined>

Profile system performance <Not defined>

Remove computer from docking station <Not defined>

Replace a process level token LOCAL SERVICE, NETWORK SERVICE

Restore files and directories <Not defined>

Shutdown the system Administrators

Synchronize directory service data <None>

Take ownership of file or other objects Administrators

Security Options

Accounts: Administrator account status = <Not defined>
Accounts: Guest account status = Disabled
Accounts: Limit local account use of blank passwords to console logon only = Enabled
Accounts: Rename administrator account = <Not defined> (recommended: change it to a non-standard name)
Accounts: Rename guest account = <Not defined> (recommended: change it to a non-standard name)
Audit: Audit the access of global system objects = <Not defined>
Audit: Audit the use of backup and restore privilege = <Not defined>
Audit: Shut down system immediately if unable to log security alerts = <Not defined>
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax = <Not defined>
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax = <Not defined>
Devices: Allow undock without having to log on = <Not defined>
Devices: Allowed to format and eject removable media = Administrators
Devices: Prevent users from installing printer drivers = Enabled
Devices: Restrict CD-ROM access to locally logged-on user only = <Not defined>
Devices: Restrict floppy access to locally logged-on user only = <Not defined>
Devices: Unsigned driver installation behavior = Warn but allow installation
Domain Controller: Allow server operators to schedule tasks = <Not defined> (not applicable)
Domain Controller: LDAP server signing requirements = <Not defined> (not applicable)
Domain Controller: Refuse machine account password changes = <Not defined> (not applicable)
Domain member: Digitally encrypt or sign secure channel data (always) = <Not defined>
Domain member: Digitally encrypt secure channel data (when possible) = Enabled
Domain member: Digitally sign secure channel data (when possible) = Enabled
Domain member: Disable machine account password changes = Disabled
Domain member: Maximum machine password age = 30 days
Domain member: Require strong (Windows 2000 or later) session key = Enabled

Interactive logon: Display user information when the session is locked = <Not defined>
Interactive logon: Do not display last user name = Enabled
Interactive logon: Do not require CTRL+ALT+DEL = Disabled
Interactive logon: Message text for users attempting to log on = <Not defined> (recommended: define a custom or DOJ-approved message text)
Interactive logon: Message title for users attempting to log on = <Not defined> (recommended: define a custom or DOJ-approved message title)
Interactive logon: Number of previous logons to cache (in case domain controller is not available) = <Not defined>
Interactive logon: Prompt user to change password before expiration = 14 days
Interactive logon: Require domain controller authentication to unlock workstation = <Not defined>
Interactive logon: Require smart card = <Not defined>
Interactive logon: Smart card removal behavior = Lock Workstation
Microsoft network client: Digitally sign communications (always) = Enabled
Microsoft network client: Digitally sign communications (if server agrees) = Enabled
Microsoft network client: Send unencrypted password to connect to third-party SMB servers = Disabled
Microsoft network server: Amount of idle time required before suspending session = 15 minutes
Microsoft network server: Digitally sign communications (always) = <Not defined>
Microsoft network server: Digitally sign communications (if client agrees) = Enabled
Microsoft network server: Disconnect clients when logon hours expire = Enabled
MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended) = 10
MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended) = Enabled
MSS: (AFD MaximumDynamicBacklog) Maximum number of ‘quasi-free’ connections for Winsock applications = 20000 (recommended)
MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for system under attack, 10 otherwise) = 20
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) = Highest protection, source routing is completely disabled
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) = Disabled
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes = Disabled
MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU) = <Not defined>
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers = Enabled
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS) = Disabled
MSS: (SynAttackProtect) SYN attack protection level (protects against DoS) = Connections time out sooner if a SYN attack is detected
MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged = 3 & 6 seconds, half-open connections dropped after 21 seconds
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) = 3
MSS: (TcpMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended) = 5
MSS: Disable Autorun for all drives = 255, disable Autorun for all drives
MSS: Enable Safe DLL search mode = Enabled
MSS: Enable the computer to stop generating 8.3 style filenames = <Not defined>
MSS: How often keep-alive packets are sent in milliseconds = 300000 or 5 minutes (recommended)
MSS: Percentage threshold for the security event log at which the system will generate a warning = <Not defined>

MSS: The time in seconds before the screen saver grace period expires = 0
Network access: Allow anonymous SID/Name translation = Disabled
Network access: Do not allow anonymous enumeration of SAM accounts = Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication = Enabled
Network access: Let Everyone permissions apply to anonymous users = Disabled
Network access: Named Pipes that can be accessed anonymously = <None>
Network access: Remotely accessible registry paths =
    System\CurrentControlSet\Control\ProductOptions
    System\CurrentControlSet\Control\Server Applications
    Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry paths and sub-paths =
    Software\Microsoft\Windows NT\CurrentVersion\Print
    Software\Microsoft\Windows NT\CurrentVersion\Windows
    System\CurrentControlSet\Control\Print\Printers
    System\CurrentControlSet\Services\Eventlog
    Software\Microsoft\OLAP Server
    System\CurrentControlSet\Control\ContentIndex
    System\CurrentControlSet\Control\Terminal Server\UserConfig
    System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
    Software\Microsoft\Windows NT\CurrentVersion\Perflib
    System\CurrentControlSet\Services\SysmonLog

Network access: Restrict anonymous access to Named Pipes and Shares = Enabled
Network access: Shares that can be accessed anonymously = <None>
Network access: Sharing and security model for local accounts = Classic – local users authenticate as themselves
Network security: Do not store LAN Manager password hash value on next password change = Enabled
Network security: Force logoff when logon hours expire = <Not defined>
Network security: LAN Manager authentication level = Send NTLMv2 response only\refuse LM
Network security: LDAP client signing requirements = Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients = Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers = Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption
Recovery console: Allow automatic administrative logon = Disabled
Recovery console: Allow floppy copy and access to all drives and all folders = <Not defined>
Shutdown: Allow system to be shut down without having to log on = Disabled
Shutdown: Clear virtual memory pagefile = <Not defined>
System cryptography: Force strong key protection for user keys stored on computer = User must enter a password each time they use a key
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing = <Not defined>
System objects: Default owner for objects created by members of the Administrators group = <Not defined>
System objects: Require case insensitivity for non-Windows subsystems = <Not defined>
System objects: Strengthen default permissions of internal system objects = Enabled
System settings: Optional subsystems = <None>
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies = <Not defined>

Event Logs

Maximum application log size = 16384 kilobytes
Maximum security log size = 81920 kilobytes
Maximum system log size = 16384 kilobytes
Prevent local guests group from accessing application log = Enabled
Prevent local guests group from accessing security log = Enabled
Prevent local guests group from accessing system log = Enabled
Retain application log = <Not defined>
Retain security log = <Not defined>
Retain system log = <Not defined>
Retention method for application log = <Not defined>
Retention method for security log = <Not defined>
Retention method for system log = <Not defined>

Restricted Groups

<Not defined>

System Services

Alerter (Alerter) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Application Experience Lookup Service (AeLookupSvc) (applicable to Windows Server 2003 SP1) = <Not defined>
Application Layer Gateway Service (ALG) = <Not defined>
Application Management (AppMgmt) = <Not defined>
Client Service for NetWare (NWCWorkstation) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
ASP.NET State Service (aspnet_state) = <Not defined>
Automatic Updates (Wuauserv) = <Not defined>
Background Intelligent Transfer Service (BITS) = <Not defined>
CCMA ICEEmHlpService (built-in CCMA service) = <Not defined>
CCMA IceRTDService (built-in CCMA service) = <Not defined>
CCMA LMService (built-in CCMA service) = <Not defined>
ClipBook (ClipSrv) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
COM+ Event System (EventSystem) = <Not defined>
COM+ System Application (COMSysApp) = <Not defined>
Computer Browser (Browser) = <Not defined>
Cryptographic Services (CryptSvc) = <Not defined>
Crystal Report Application Server (built-in CCMA Crystal Report service) = <Not defined>
DCOM Server Process Launcher (DcomLaunch) (applicable to Windows Server 2003 SP1) = <Not defined>
DHCP Client (Dhcp) = <Not defined>
Distributed File System (Dfs) = <Not defined>
Distributed Link Tracking Client (TrkWks) = <Not defined>
Distributed Link Tracking Server (TrkSvr) = <Not defined>
Distributed Transaction Coordinator (MSDTC) = <Not defined>
DNS Client (Dnscache) = <Not defined>
Error Reporting Service (ERSvc) = <Not defined>
Event Log (Eventlog) = <Not defined>
Fax (Fax) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
File Replication (NtFrs) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
File Server for Macintosh (MacFile) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
FTP Publishing Service (MSFtpsvc) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Help and Support (Helpsvc) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
HTTP SSL (HTTPFilter) = <Not defined>
Human Interface Device Access (HidServ) = <Not defined>
IIS Admin Service (IISADMIN) = <Not defined>
IMAPI CD-Burning COM Service (ImapiService) = <Not defined>
Indexing Service (Cisvc) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
InstallDriver Table Manager (built-in InstallShield service for CC installation) = <Not defined>
Intersite Messaging (IsmServ) = <Not defined>
IPSEC Services (PolicyAgent) = <Not defined>
Kerberos Key Distribution Center (Kdc) = <Not defined>
License Logging (LicenseService) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Logical Disk Manager (Dmserver) = <Not defined>
Logical Disk Manager Administrative Service (Dmadmin) = <Not defined>
Messenger (Messenger) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Microsoft POP3 Service (POP3SVC) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Microsoft Software Shadow Copy Provider (SwPrv) = <Not defined>
Net Logon (Netlogon) = <Not defined>
NetMeeting Remote Desktop Sharing (mnmsrvc) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Network Connections (Netman) = Manual (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Network DDE (NetDDE) = <Not defined>
Network DDE DSDM (NetDDEdsdm) = <Not defined>
Network Location Awareness (NLA) (NLA) = <Not defined>
Network Provisioning Service (xmlprov) = <Not defined>
Network News Transport Protocol (NNTP) (NntpSvc) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
NT LM Security Support Provider (NtLmSsp) = <Not defined>
pcAnywhere Host Service (built-in pcAnywhere service for CC, if installed) = <Not defined>
Performance Logs and Alerts (SysmonLog) = <Not defined>
Plug and Play (PlugPlay) = <Not defined>
Portable Media Serial Number Service (WmdmPmSN) = <Not defined>
Print Server for Macintosh (MacPrint) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Print Spooler (Spooler) = <Not defined>
Protected Storage (ProtectedStorage) = <Not defined>
Remote Access Auto Connection Manager (RasAuto) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Access Connection Manager (RasMan) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Administration Service (SrvcSurg) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Desktop Help Session Manager (RDSessMgr) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Installation (BINLSVC) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Procedure Call (RPC) (RpcSs) = <Not defined>
Remote Procedure Call (RPC) Locator (RpcLocator) = <Not defined>

Remote Registry (RemoteRegistry) = <Not defined>
Remote Server Manager (AppMgr) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Server Monitor (APPMON) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Storage Notification (Remote_Storage_User_Link) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Storage Server (Remote_Storage_Server) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Removable Storage (NtmsSvc) = <Not defined>
Resultant Set of Policy Provider (RSoPProv) = <Not defined>
Routing and Remote Access (RemoteAccess) = <Not defined>
Secondary Logon (seclogon) = <Not defined>
Security Accounts Manager (SamSs) = <Not defined>
Server (lanmanserver) = <Not defined>
Shell Hardware Detection (ShellHWDetection) = <Not defined>
Simple Mail Transfer Protocol (SMTP) (SMTPSVC) = <Not defined>
Smart Card (SCardSvr) = <Not defined>
SNMP Service (SNMP) = <Not defined>
SNMP Trap Service (SNMPTRAP) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Special Administration Console Helper (Sacsvr) = <Not defined>
SymposiumWC (built-in CCMA ADAM service) = <Not defined>
System Event Notification (SENS) = <Not defined>
Task Scheduler (Schedule) = <Not defined>
TCP/IP NetBIOS Helper (LmHosts) = <Not defined>
Telephony (TapiSrv) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Telnet (TlntSvr) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Terminal Services (TermService) = <Not defined>
Terminal Services Session Directory (Tssdis) = <Not defined>
Trivial FTP Daemon (tftpd) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Themes (Themes) = <Not defined>
Uninterruptible Power Supply (UPS) = <Not defined>
Upload Manager (Uploadmgr) = <Not defined>
Virtual Disk Service (VDS) = <Not defined>
Volume Shadow Copy (VSS) = <Not defined>
Web Element Manager (elementmgr) = <Not defined>
WebClient (WebClient) = <Not defined>
Windows Audio (AudioSrv) = <Not defined>
Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) = <Not defined>
Windows Image Acquisition (WIA) (StiSvc) = <Not defined>
Windows Installer (MSIServer) = <Not defined>
Windows Management Instrumentation (winmgmt) = <Not defined>
Windows Management Instrumentation Driver Extensions (Wmi) = <Not defined>
Windows Time (W32Time) = <Not defined>
Windows User Mode Driver Framework (UMWdf) = <Not defined>
WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) = <Not defined>
Wireless Configuration (WZCSVC) = Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
WMI Performance Adapter (WmiApSrv) = <Not defined>
Workstation (lanmanworkstation) = <Not defined>
World Wide Web Publishing Service (W3SVC) = <Not defined>

Registry

MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit = Administrators=Full Control, SYSTEM=Full Control, Users=Read
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer = Administrators=Full Control, SYSTEM=Full Control, Users=Read
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies = Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control
MACHINE\SYSTEM\CurrentControlSet\Enum = Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers = Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities = Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control
USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots = Administrators=Full Control, SYSTEM=Full Control, Users=Read

File System

%SystemRoot%\regedit.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\at.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\attrib.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\cacls.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\debug.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\drwatson.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\drwtsn32.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\edlin.exe = Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\eventcreate.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\eventtriggers.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\ftp.exe = Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\net.exe = Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\net1.exe = Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\netsh.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\rcp.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\reg.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\regedt32.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\regsvr32.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\rexec.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\rsh.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\runas.exe = Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\sc.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\subst.exe = Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\telnet.exe = Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\tftp.exe = Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\tlntsvr.exe = Administrators=Full Control, SYSTEM=Full Control
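The rows above (and the matching rows of Table 7 for the Communication Control Toolkit server) are what a security template carries; the practical way to confirm a server still matches them after deployment is to export its effective policy with secedit /export /cfg and compare the resulting INF against the table. The checker below is an added example, not Nortel's tooling and not part of the template files: it parses the standard sections secedit writes ([System Access], [Event Audit], [Privilege Rights], [Registry Values], [Service General Setting]) and reports rows that drift from a subset of the table, including a service whose Interactive ACE has grown beyond Read. The embedded template fragment is constructed for the demonstration; the mapping of table rows to INF keys and registry values (for instance "Send NTLMv2 response only\refuse LM" being LmCompatibilityLevel 4, and ANONYMOUS LOGON and Guests being S-1-5-7 and S-1-5-32-546) is the standard Windows one and is the example's own assumption, not something the guide states.

```python
"""Audit a secedit-style security template (.inf) against a subset of the
Contact Center 6.0 template rows. Added example, not Nortel's own tooling."""
import re

# Constructed fragment of what `secedit /export /cfg out.inf` writes on a
# Windows Server 2003 host. Three entries deliberately deviate from the table
# (LM authentication level, Telnet start type, Telephony permissions).
SAMPLE_INF = r"""
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 24
LockoutBadCount = 15
EnableGuestAccount = 0
LSAAnonymousNameLookup = 0
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPolicyChange = 1
[Privilege Rights]
SeDebugPrivilege =
SeDenyNetworkLogonRight = *S-1-5-7,*S-1-5-32-546
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395248
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,1
MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod=1,"0"
[Service General Setting]
"Alerter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
"TlntSvr",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
"TapiSrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;IU)"
"""

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
TCPIP = r"MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters"
# Table rows mapped to the INF keys secedit uses for them (standard Windows names, assumed here).
EXPECTED = {
    "System Access": {  # password and lockout policy, Accounts: options
        "MinimumPasswordLength": "8", "PasswordHistorySize": "24",
        "LockoutBadCount": "15", "EnableGuestAccount": "0",
        "LSAAnonymousNameLookup": "0"},
    "Event Audit": {  # 1 = Success, 2 = Failure, 3 = Success, Failure
        "AuditLogonEvents": "3", "AuditObjectAccess": "3", "AuditPolicyChange": "1"},
    "Privilege Rights": {  # <None> in the table is an empty assignment
        "SeDebugPrivilege": "", "SeDenyNetworkLogonRight": "*S-1-5-7,*S-1-5-32-546"},
    "Registry Values": {  # "<type>,<data>": 4 = REG_DWORD, 1 = REG_SZ
        LSA + r"\LmCompatibilityLevel": "4,4",  # Send NTLMv2 response only\refuse LM
        LSA + r"\NoLMHash": "4,1",
        LSA + r"\MSV1_0\NTLMMinClientSec": "4,537395248",  # 0x20080030: all four Require flags
        TCPIP + r"\SynAttackProtect": "4,1",
        r"MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand": "4,1",
        r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod": '1,"0"'},
}
EXPECTED_SERVICES = {"Alerter": 4, "TlntSvr": 4, "TapiSrv": 4}  # 4 = Disabled, 3 = Manual
ACE_RE = re.compile(r"\(A;[^;]*;([A-Z]*);;;([A-Z0-9-]+)\)")
WRITE_RIGHTS = {"DC", "RP", "WP", "DT", "SD", "WD", "WO"}  # config, start/stop, delete, DACL/owner


def parse_inf(text):
    """Return {section: {key: value}}; services map to (start_type, sddl)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current == "Service General Setting":
            name, start, sddl = line.split(",", 2)  # "<name>",<start>,"<sddl>"
            sections[current][name.strip('"')] = (int(start), sddl.strip('"'))
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def audit(inf_text):
    """Return human-readable drift findings; an empty list means no drift."""
    tpl = parse_inf(inf_text)
    findings = []
    for section, wanted in EXPECTED.items():
        actual = {k.lower(): v for k, v in tpl.get(section, {}).items()}
        for key, exp in wanted.items():
            got = actual.get(key.lower())
            if section == "Privilege Rights" and got is not None:  # order of SIDs is irrelevant
                got, exp = set(filter(None, got.split(","))), set(filter(None, exp.split(",")))
            if got != exp:
                findings.append(f"{section}: {key} = {got!r}, expected {exp!r}")
    services = tpl.get("Service General Setting", {})
    for name, start in EXPECTED_SERVICES.items():
        if name not in services:
            findings.append(f"service {name}: not in template")
            continue
        actual, sddl = services[name]
        if actual != start:
            findings.append(f"service {name}: start type {actual}, expected {start}")
        for rights, sid in ACE_RE.findall(sddl):  # Interactive (IU) must stay at Read
            granted = {rights[i:i + 2] for i in range(0, len(rights), 2)}
            if sid == "IU" and granted & WRITE_RIGHTS:
                findings.append(f"service {name}: Interactive holds {sorted(granted & WRITE_RIGHTS)}")
    return findings
```

On a real host, run `secedit /export /cfg out.inf`, then call `audit(open("out.inf", encoding="utf-16").read())`; the export is UTF-16. Running `audit(SAMPLE_INF)` on the constructed fragment returns three findings: the LM authentication level at 3 instead of 4, Telnet set to Manual instead of Disabled, and the Telephony service granting Interactive the change-config, start/stop, delete and owner rights that the table's "Interactive=Read" excludes.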

3.4 Communication Control Toolkit Security Template Definitions

Table 7 lists the security template settings defined for the Nortel Communication Control Toolkit 6.0 server.

Table 7 Nortel Communication Control Toolkit 6.0 Security Template Settings

Security Setting Item = Setting

Account Policies

Password Policy

Enforce password history = 24 passwords remembered
Maximum password age = 90 days
Minimum password age = 1 day
Minimum password length = 8
Password must meet complexity requirements = Enabled
Store passwords using reversible encryption = Disabled

Account Lockout Policy

Account lockout duration = 15 minutes
Account lockout threshold = 15 invalid logon attempts
Reset account lockout counter after = 15 minutes

Kerberos Policy

Enforce user logon restrictions = <Not defined>
Maximum lifetime for service ticket = <Not defined>
Maximum lifetime for user ticket = <Not defined>
Maximum lifetime for user ticket renewal = <Not defined>
Maximum tolerance for computer clock synchronization = <Not defined>

Local Policies

Audit Policy

Audit account logon events = Success, Failure
Audit account management = Success, Failure
Audit directory service access = <Not defined>
Audit logon events = Success, Failure
Audit object access = Success, Failure
Audit policy change = Success
Audit privilege use = <Not defined>
Audit process tracking = <Not defined>
Audit system events = Success

User Rights Assignment

Access this computer from the network = <Not defined>
Act as part of the operating system = <None>
Add workstations to domain = <Not defined>
Adjust memory quotas for a process = <Not defined>

Allow log on locally = Administrators
Allow log on through Terminal Services = Administrators, Remote Desktop Users
Back up files and directories = Administrators
Bypass traverse checking = Users
Change the system time = Administrators
Create a pagefile = <Not defined>
Create a token object = <None>
Create global objects = <Not defined>
Create permanent shared objects = <None>
Debug programs = <None>
Deny access to this computer from the network = ANONYMOUS LOGON, Guests
Deny log on as a batch job = Guests
Deny log on as a service = <Not defined>
Deny log on locally = <Not defined>
Deny log on through Terminal Services = Guests
Enable computer and user accounts to be trusted for delegation = <None>
Force shutdown from a remote system = <Not defined>
Generate security audits = <Not defined>
Impersonate a client after authentication = SERVICE
Increase scheduling priority = <Not defined>
Load and unload device drivers = Administrators
Lock pages in memory = <Not defined>
Log on as a batch job = <None>
Log on as a service = <Not defined>
Manage auditing and security log = <Not defined>
Modify firmware environment values = <Not defined>
Perform volume maintenance tasks = <Not defined>
Profile single process = <Not defined>
Profile system performance = <Not defined>
Remove computer from docking station = <Not defined>
Replace a process level token = LOCAL SERVICE, NETWORK SERVICE
Restore files and directories = <Not defined>
Shut down the system = Administrators
Synchronize directory service data = <None>
Take ownership of files or other objects = Administrators

Security Options

Accounts: Administrator account status = <Not defined>
Accounts: Guest account status = Disabled
Accounts: Limit local account use of blank passwords to console logon only = Enabled
Accounts: Rename administrator account = <Not defined> (recommended: change it to a non-standard name)
Accounts: Rename guest account = <Not defined> (recommended: change it to a non-standard name)
Audit: Audit the access of global system objects = <Not defined>
Audit: Audit the use of backup and restore privilege = <Not defined>
Audit: Shut down system immediately if unable to log security alerts = <Not defined>
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax = <Not defined>
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax = <Not defined>
Devices: Allow undock without having to log on = <Not defined>
Devices: Allowed to format and eject removable media = Administrators
Devices: Prevent users from installing printer drivers = Enabled
Devices: Restrict CD-ROM access to locally logged-on user only = <Not defined>

Page 92: CCMS 6.0 Security Templates

Contact Center 6.0 Security Template Files Nortel Proprietary

84 Nortel Contact Center 6.0 Security Templates User Guide Issue 1.02

Devices: Restrict floppy access to locally logged-on user only

<Not defined>

Devices: Unsigned driver installation behavior Warn but allow installation

Domain Controller: Allow server operators to schedule tasks

<Not defined>

(Not applicable)

Domain Controller: LDAP server signing requirements <Not defined>

(Not applicable)

Domain Controller: Refuse machine account password changes

<Not defined>

(Not applicable)

Domain member: Digitally encrypt or sign secure channel data (always)

<Not defined>

Domain member: Digitally encrypt secure channel data (when possible)

Enabled

Domain member: Digitally sign secure channel data (when possible)

Enabled

Domain member: Disable machine account password changes

Disabled

Domain member: Maximum machine password age 30 days

Domain member: Require strong (Windows 2000 or later) session key

Enabled

Interactive logon: Display user information when the session is locked

<Not defined>

Interactive logon: Do not display last user name Enabled

Interactive logon: Do not required CTRL+ALT+DEL Disabled

Interactive logon: Message text for users attempting to log on

<Not defined>

(Recommend to define a custom, or DOJ approved message text)

Interactive logon: Message title for users attempting to log on

<Not defined>

(Recommend to define a custom, or DOJ approved message title)

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

<Not defined>

Interactive logon: Prompt user to change password before expiration

14 days

Page 93: CCMS 6.0 Security Templates

Contact Center 6.0 Security Template Files Nortel Proprietary

Issue 1.02 Nortel Contact Center 6.0 Security Templates User Guide 85

Interactive logon: Require domain controller authentication to unlock workstation

<Not defined>

Interactive logon: Require smart card <Not defined>

Interactive logon: Smart card removal behavior Lock Workstation

Microsoft network client: Digitally sign communications (always)

Enabled

Microsoft network client: Digitally sign communications (if server agrees)

Enabled

Microsoft network client: Send unencrypted password to connect to third-party SMB servers

Disabled

Microsoft network server: Amount of idle time required before suspending session

15 minutes

Microsoft network server: Digitally sign communications (always)

<Not defined>

Microsoft network server: Digitally sign communications (if client agrees)

Enabled

Microsoft network server: Disconnect clients when logon hours expire

Enabled

MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)

10

MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)

Enabled

MSS: (AFD MaximumDynamicBacklog) Maximum number of ‘quasi-free’ connections for Winsock applications

20000 (recommended)

MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for system under attack, 10 otherwise)

20

MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)

Highest protection, source routing is completely disabled

MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)

Disabled

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

Disabled

MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU)

<Not defined>

MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers

Enabled

MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)

Disabled

MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)

Connections time out sooner if a SYN attack is detected

MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged

3 & 6 seconds, half-open connections dropped after 21 seconds

MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)

3

MSS: (TcpMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended)

5

MSS: Disable Autorun for all drives 255, disable Autorun for all drives

MSS: Enable Safe DLL search mode Enabled

MSS: Enable the computer to stop generating 8.3 style filenames

<Not defined>

MSS: How often keep-alive packets are sent in milliseconds

300000 or 5 minutes (recommended)

MSS: Percentage threshold for the security event log at which the system will generate a warning

<Not defined>

MSS: The time in seconds before the screen saver grace period expires

0

Network access: Allow anonymous SID/Name translation Disabled

Network access: Do not allow anonymous enumeration of SAM accounts

Enabled

Network access: Do not allow anonymous enumeration of SAM accounts and shares

Enabled

Network access: Do not allow storage of credentials or .NET passports for network authentication

Enabled

Network access: Let Everyone permissions apply to anonymous users

Disabled

Network access: Named pipes that can be accessed anonymously

<None>

Network access: Remotely accessible registry paths System\CurrentControlSet\Control\ProductOptions

System\CurrentControlSet\Control\Server Applications

Software\Microsoft\Windows NT\CurrentVersion

Network access: Remotely accessible registry paths and sub-paths

Software\Microsoft\Windows NT\CurrentVersion\Print

Software\Microsoft\Windows NT\CurrentVersion\Windows

System\CurrentControlSet\Control\Print\Printers

System\CurrentControlSet\Services\Eventlog

Software\Microsoft\OLAP Server

System\CurrentControlSet\Control\ContentIndex

System\CurrentControlSet\Control\Terminal Server\UserConfig

System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration

Software\Microsoft\Windows NT\CurrentVersion\Perflib

System\CurrentControlSet\Services\SysmonLog

Network access: Restrict anonymous access to Named Pipes and Shares

Enabled

Network access: Shares that can be accessed anonymously <None>

Network access: Sharing and security model for local accounts

Classic – local users authenticate as themselves

Network security: Do not store LAN Manager password hash value on next password change

Enabled

Network security: Force logoff when logon hours expire <Not defined>

Network security: LAN Manager authentication level Send NTLMv2 response only\refuse LM

Network security: LDAP client signing requirements Negotiate signing

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

Require message integrity

Require message confidentiality

Require NTLMv2 Session Security


Require 128-bit Encryption

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Require message integrity

Require message confidentiality

Require NTLMv2 Session Security

Require 128-bit Encryption

Recovery console: Allow automatic administrative logon Disabled

Recovery console: Allow floppy copy and access to all drives and all folders

<Not defined>

Shutdown: Allow system to be shut down without having to log on

Disabled

Shutdown: Clear virtual memory pagefile <Not defined>

System cryptography: Force strong key protection for user keys stored on computer

User must enter a password each time they use a key

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

<Not defined>

System objects: Default owner for objects created by members of the Administrators group

<Not defined>

System objects: Require case insensitivity for non-Windows subsystems

<Not defined>

System objects: Strengthen default permission of internal system objects

Enabled

System settings: Optional subsystems <None>

System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies

<Not defined>

Event Logs

Maximum application log size 16384 kilobytes

Maximum security log size 81920 kilobytes

Maximum system log size 16384 kilobytes

Prevent local guests group from accessing application log Enabled

Prevent local guests group from accessing security log Enabled

Prevent local guests group from accessing system log Enabled

Retain application log <Not defined>


Retain security log <Not defined>

Retain system log <Not defined>

Retention method for application log <Not defined>

Retention method for security log <Not defined>

Retention method for system log <Not defined>

Restricted Groups

<Not defined>

System Services

ACDPROXY Service <Not defined>

Alerter

(Alerter)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Application Experience Lookup Service

(AeLookupSvc)

(applicable to Windows Server 2003 SP1)

<Not defined>

Application Layer Gateway Service

(ALG)

<Not defined>

Application Management

(AppMgmt)

<Not defined>

CC License Manager

(applicable if CC License Manager is installed on the CCT server)

<Not defined>

Client Service for NetWare

(NWCWorkstation)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Automatic Updates

(Wuauserv)

<Not defined>

Background Intelligent Transfer Service

(BITS)

<Not defined>


ClipBook

(ClipSrv)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

COM+ Event System

(EventSystem)

<Not defined>

COM+ System Application

(COMSysApp)

<Not defined>

Computer Browser

(Browser)

<Not defined>

Cryptographic Services

(CryptSvc)

<Not defined>

DCOM Server Process Launcher

(DcomLaunch)

(applicable to Windows Server 2003 SP1)

<Not defined>

DHCP Client

(Dhcp)

<Not defined>

Distributed File System

(Dfs)

<Not defined>

Distributed Link Tracking Client

(TrkWks)

<Not defined>

Distributed Link Tracking Server

(TrkSvr)

<Not defined>

Distributed Transaction Coordinator

(MSDTC)

<Not defined>

DNS Client

(Dnscache)

<Not defined>

Error Reporting Services

(ERSvc)

<Not defined>

Event Log

(Eventlog)

<Not defined>

Fax

(Fax)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

File Replication

(NtFrs)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

File Server for Macintosh

(MacFile)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

FTP Publishing Service

(MSFtpsvc)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Help & Support

(Helpsvc)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

HTTP SSL

(HTTPFilter)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Human Interface Device Access

(HidServ)

<Not defined>

IIS Admin Service

(IISADMIN)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

IMAPI CD-Burning COM Service

(ImapiService)

<Not defined>

Indexing Service

(Cisvc)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

InstallDriver Table Manager

(Built-in InstallShield service for CC installation)

<Not defined>

Intersite Messaging

(IsmServ)

<Not defined>

IPSEC Service

(PolicyAgent)

<Not defined>

Kerberos Key Distribution Center

(Kdc)

<Not defined>

License Logging Service

(LicenseService)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Logical Disk Manager

(Dmserver)

<Not defined>

Logical Disk Manager Administrative Service

(Dmadmin)

<Not defined>

Messenger

(Messenger)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Microsoft POP3 Service

(POP3SVC)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Microsoft Software Shadow Copy Provider

(SwPrv)

<Not defined>

MSSQL$NNCCTDB <Not defined>

MSSQLServerADHelper <Not defined>

NCCT Data Access Layer <Not defined>

NCCT Logging Service <Not defined>

NCCT Server <Not defined>

NCCT TAPI Connector Service <Not defined>

Net Logon

(Netlogon)

<Not defined>

NetMeeting Remote Desktop Sharing

(mnmsrvc)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Network Connections

(Netman)

Manual

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Network DDE

(NetDDE)

<Not defined>

Network DDE DSDM

(NetDDEdsdm)

<Not defined>

Network Location Awareness

(NLA)

<Not defined>

Network Provisioning Service

(applicable to Windows Server 2003 SP1)

<Not defined>

Network News Transport Protocol (NNTP)

(NntpSvc)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

NT LM Security Support Provider

(NtLmSsp)

<Not defined>

pcAnywhere Host Service

(Built-in pcAnywhere service for CC if it is installed)

<Not defined>

Performance Logs and Alerts

(SysmonLog)

<Not defined>

Plug and Play

(PlugPlay)

<Not defined>

Portable Media Serial Number Service

(WmdmPmSN)

<Not defined>

Print Server for Macintosh

(MacPrint)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Print Spooler

(Spooler)

<Not defined>


Protected Storage

(ProtectedStorage)

<Not defined>

Remote Access Auto Connection Manager

(RasAuto)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Access Connection Manager

(RasMan)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Administration Service

(SrvcSurg)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Desktop Help Session Manager

(RDSessMgr)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Installation

(BINLSVC)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Procedure Call (RPC)

(RpcSs)

<Not defined>

Remote Procedure Call (RPC) Locator

(RpcLocator)

<Not defined>

Remote Registry Service

(RemoteRegistry)

<Not defined>

Remote Server Manager

(AppMgr)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Server Monitor

(Appmon)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Storage Notification

(Remote_Storage_User_Link)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)


Remote Storage Server

(Remote_Storage_Server)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Removable Storage

(NtmsSvc)

<Not defined>

Resultant Set of Policy Provider

(RSoPProv)

<Not defined>

Routing and Remote Access

(RemoteAccess)

<Not defined>

Secondary Logon

(seclogon)

<Not defined>

Security Accounts Manager

(SamSs)

<Not defined>

Server

(lanmanserver)

<Not defined>

Shell Hardware Detection

(ShellHWDetection)

<Not defined>

Simple Mail Transfer Protocol (SMTP)

(SMTPSVC)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Smart Card

(SCardSvr)

<Not defined>

SNMP Service

(SNMP)

<Not defined>

SNMP Trap Service

(SNMPTRAP)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Special Administration Console Helper

(Sacsvr)

<Not defined>

SQLAgent$NNCCTDB <Not defined>


System Event Notification

(SENS)

<Not defined>

Task Scheduler

(Schedule)

<Not defined>

TCP/IP NetBIOS Helper Service

(LMHosts)

<Not defined>

Telephony

(TapiSrv)

<Not defined>

Telnet

(TlntSvr)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Terminal Services

(TermService)

<Not defined>

Terminal Services Session Directory

(Tssdis)

<Not defined>

Trivial FTP Daemon

(tftpd)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Themes

(Themes)

<Not defined>

Uninterruptible Power Supply

(UPS)

<Not defined>

Upload Manager

(Uploadmgr)

<Not defined>

Virtual Disk Service

(VDS)

<Not defined>

Volume Shadow Copy

(VSS)

<Not defined>

Web Element Manager

(elementmgr)

<Not defined>

WebClient

(WebClient)

<Not defined>

Windows Audio

(AudioSrv)

<Not defined>

Windows Firewall/Internet Connection Sharing (ICS)

(SharedAccess)

<Not defined>

Windows Image Acquisition (WIA)

(StiSvc)

<Not defined>

Windows Installer

(MSIServer)

<Not defined>

Windows Management Instrumentation

(winmgmt)

<Not defined>

Windows Management Instrumentation Driver Extensions

(Wmi)

<Not defined>

Windows Time

(W32Time)

<Not defined>

Windows User Mode Driver Framework

(UMWdf)

(applicable to Windows Server 2003 SP1)

<Not defined>

WinHTTP Web Proxy Auto-Discovery Service

(WinHttpAutoProxySvc)

<Not defined>

Wireless Configuration

(WZCSVC)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

WMI Performance Adapter

(WmiApSrv)

<Not defined>

Workstation

(lanmanworkstation)

<Not defined>


World Wide Web Publishing Service

(W3SVC)

Disabled

(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Registry

MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit

Administrators=Full Control, SYSTEM=Full Control, Users=Read

MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer

Administrators=Full Control, SYSTEM=Full Control, Users=Read

MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control

MACHINE\SYSTEM\CurrentControlSet\Enum Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control

MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers

Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control

MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities

Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control

USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

Administrators=Full Control, SYSTEM=Full Control, Users=Read

File System

%SystemRoot%\regedit.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\at.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\attrib.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\cacls.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\debug.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\drwatson.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\drwtsn32.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\edlin.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control


%SystemRoot%\system32\eventcreate.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\eventtriggers.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\ftp.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\net.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\net1.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\netsh.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\rcp.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\reg.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\regedt32.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\regsvr32.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\rexec.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\rsh.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\runas.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\sc.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\subst.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\telnet.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\tftp.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control


%SystemRoot%\system32\tlntsvr.exe Administrators=Full Control, SYSTEM=Full Control
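The names above are the ones the Security Templates snap-in displays. In the template file itself (a secedit .inf) each Security Option is a registry path with a typed value under [Registry Values], and each System Services entry is a start type plus an SDDL string under [Service General Setting]; that is also the form `secedit /export /cfg` produces from a live server. The following Python is an added example, not one of the Nortel template files or Nortel's own code, covering both the Security Options and the System Services parts of Table 7 (Table 8 repeats the same values). It parses a constructed INF fragment in that layout, checks a handful of the Security Options against the values the table implies (LAN Manager authentication level 4 for "refuse LM", 0x20080030 for the four NTLM minimum session security requirements, and so on), and decodes the service SDDL back into the "Administrators=Full Control, System=Full Control, Interactive=Read" wording used above. The registry paths, flag bits and SDDL right strings are Microsoft's; SAMPLE_INF is constructed here and deliberately leaves SafeDllSearchMode at 0 so the audit has something to report.

```python
"""Audit a secedit security-template (.inf) fragment against the values in Tables 7 and 8 (added example,
not one of the Nortel template files; SAMPLE_INF is constructed and deliberately leaves SafeDllSearchMode at 0)."""
import re

SAMPLE_INF = r"""
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395248
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395248
MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting=4,2
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun=4,255
MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode=4,0
[Service General Setting]
"Alerter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
"Netman",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
"""

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SVC = r"MACHINE\System\CurrentControlSet\Services"
# (registry path, value the table implies, table wording). LmCompatibilityLevel 4 = "refuse LM"; 5 would refuse NTLM too.
EXPECTED = [
    (LSA + r"\LmCompatibilityLevel", "4", "LAN Manager authentication level"),
    (LSA + r"\NoLMHash", "1", "Do not store LAN Manager hash value"),
    (LSA + r"\MSV1_0\NTLMMinClientSec", "537395248", "Minimum session security for NTLM SSP clients"),
    (LSA + r"\MSV1_0\NTLMMinServerSec", "537395248", "Minimum session security for NTLM SSP servers"),
    (SVC + r"\LanManWorkstation\Parameters\RequireSecuritySignature", "1", "Client: sign communications (always)"),
    (SVC + r"\Netlogon\Parameters\RequireStrongKey", "1", "Domain member: require strong session key"),
    (SVC + r"\Tcpip\Parameters\DisableIPSourceRouting", "2", "MSS: DisableIPSourceRouting"),
    (SVC + r"\Tcpip\Parameters\SynAttackProtect", "1", "MSS: SynAttackProtect"),
    (r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun", "255", "MSS: Disable Autorun for all drives"),
    (r"MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode", "1", "MSS: Enable Safe DLL search mode"),
]
# Bits behind "Minimum session security for NTLM SSP based ... clients/servers"; 0x20080030 (537395248) sets all four.
NTLM_MIN_SEC_FLAGS = [(0x10, "Require message integrity"), (0x20, "Require message confidentiality"),
                      (0x80000, "Require NTLMv2 session security"), (0x20000000, "Require 128-bit encryption")]
# Service ACE right strings secedit emits for the two permission levels the tables use, and the SDDL SID aliases.
SERVICE_RIGHTS = {"CCDCLCSWRPWPDTLOCRSDRCWDWO": "Full Control", "CCLCSWLOCRRC": "Read"}
SID_ABBREV = {"BA": "Administrators", "SY": "System", "IU": "Interactive"}
START_TYPE = {"2": "Automatic", "3": "Manual", "4": "Disabled"}
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)")  # (type;flags;rights;;;sid)


def parse_inf(text):
    """Split an INF into {section: [raw lines]}; secedit writes exactly one setting per line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_values(text):
    """{path (lower-case): value} from [Registry Values]; entries look like PATH=4,1 (4 = REG_DWORD)."""
    values = {}
    for line in parse_inf(text).get("Registry Values", []):
        path, _, rest = line.partition("=")
        _reg_type, _, value = rest.partition(",")
        values[path.strip().lower()] = value.strip()
    return values


def audit_registry(text):
    """One finding string per table setting the template omits or sets to a different value."""
    values, findings = registry_values(text), []
    for path, want, label in EXPECTED:
        got = values.get(path.lower())
        if got is None:
            findings.append(f"MISSING {label}")
        elif got != want:
            findings.append(f"MISMATCH {label}: template has {got}, expected {want}")
    return findings


def decode_ntlm_min_sec(value):
    """Expand an NTLMMinClientSec/NTLMMinServerSec DWORD into the option names the tables list."""
    return [name for bit, name in NTLM_MIN_SEC_FLAGS if int(value) & bit]


def describe_service(line):
    """'"Alerter",4,"D:AR(A;;...;;;BA)..."' -> ("Alerter", "Disabled", ["Administrators=Full Control", ...])."""
    name, start, sddl = (part.strip().strip('"') for part in line.split(",", 2))
    perms = []
    for ace_type, _flags, rights, sid in ACE_RE.findall(sddl):
        if ace_type != "A":  # only access-allowed ACEs; a deny ACE in a template deserves its own look
            continue
        perms.append(f"{SID_ABBREV.get(sid, sid)}={SERVICE_RIGHTS.get(rights, rights)}")
    return name, START_TYPE.get(start, start), perms


if __name__ == "__main__":
    for finding in audit_registry(SAMPLE_INF):
        print(finding)
    for line in parse_inf(SAMPLE_INF).get("Service General Setting", []):
        name, start, perms = describe_service(line)
        print(f"{name}: {start} (Permissions: {', '.join(perms)})")
    print(decode_ntlm_min_sec(537395248))
```

To audit a live server rather than the sample, export its effective policy with `secedit /export /cfg current.inf`, read that file into audit_registry, and the same loop reports which of the table's settings are missing or differ. The EXPECTED list is the place to add the remaining Security Options; the value that a given display name maps to is visible in any template saved from the Security Templates snap-in.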

3.5 Contact Center Multimedia/Outbound Security Template Definitions

Table 8 lists the security template settings defined for the Nortel Contact Center Multimedia/Outbound 6.0 server.

Table 8 Contact Center Multimedia/Outbound 6.0 Security Template Settings

Security Setting Items Setting

Account Policies

Password Policy

Enforce password history 24 passwords remembered

Maximum password age 90 days

Minimum password age 1 day

Minimum password length 8 characters

Password must meet complexity requirements Enabled

Store passwords using reversible encryption Disabled

Account Lockout Policy

Account lockout duration 15 minutes

Account lockout threshold 15 invalid logon attempts

Reset account lockout counter after 15 minutes

Kerberos Policy

Enforce user logon restrictions <Not defined>

Maximum lifetime for service ticket <Not defined>

Maximum lifetime for user ticket <Not defined>

Maximum lifetime for user ticket renewal <Not defined>


Maximum tolerance for computer clock synchronization <Not defined>

Local Policies

Audit Policy

Audit account logon events Success, Failure

Audit account management Success, Failure

Audit directory service access <Not defined>

Audit logon events Success, Failure

Audit object access Success, Failure

Audit policy change Success

Audit privilege use <Not defined>

Audit process tracking <Not defined>

Audit system events Success

User Rights Assignment

Access this computer from the network <Not defined>

Act as part of the operating system <None>

Add workstations to domain <Not defined>

Adjust memory quotas for a process <Not defined>

Allow log on locally Administrators

Allow log on through terminal services Administrators, Remote Desktop Users

Back up files and directories Administrators

Bypass traverse checking Users

Change the system time Administrators

Create a pagefile <Not defined>

Create a token object <None>

Create a global object <Not defined>

Create permanent shared objects <None>

Debug programs <None>


Deny access to this computer from the network ANONYMOUS LOGON

Deny log on as a batch job Guests

Deny log on as a service <Not defined>

Deny log on locally <Not defined>

Deny log on through Terminal Services Guests

Enable computer and user accounts to be trusted for delegation

<None>

Force shutdown from a remote system <Not defined>

Generate security audits <Not defined>

Impersonate a client after authentication SERVICE

Increase scheduling priority <Not defined>

Load and unload device drivers Administrators

Lock pages in memory <Not defined>

Log on as a batch job <Not defined>

Log on as a service <Not defined>

Manage auditing and security log <Not defined>

Modify firmware environment values <Not defined>

Perform volume maintenance tasks <Not defined>

Profile single process <Not defined>

Profile system performance <Not defined>

Remove computer from docking station <Not defined>

Replace a process level token LOCAL SERVICE, NETWORK SERVICE

Restore files and directories <Not defined>

Shut down the system Administrators

Synchronize directory service data <None>

Take ownership of files or other objects Administrators

Security Options

Accounts: Administrator account status <Not defined>


Accounts: Guest account status Disabled

Accounts: Limit local account use of blank passwords to console logon only

Enabled

Accounts: Rename administrator account <Not defined>

(recommended: rename to a non-standard name)

Accounts: Rename guest account <Not defined>

(recommended: rename to a non-standard name)

Audit: Audit the access of global system objects <Not defined>

Audit: Audit the use of backup and restore privilege <Not defined>

Audit: Shut down system immediately if unable to log security alerts

<Not defined>

DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax

<Not defined>

DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax

<Not defined>

Devices: Allow undock without having to log on <Not defined>

Devices: Allowed to format and eject removable media Administrators

Devices: Prevent users from installing printer drivers Enabled

Devices: Restrict CD-ROM access to locally logged-on user only

<Not defined>

Devices: Restrict floppy access to locally logged-on user only

<Not defined>

Devices: Unsigned driver installation behavior Warn but allow installation

Domain Controller: Allow server operators to schedule tasks

<Not defined>

(Not applicable)

Domain Controller: LDAP server signing requirements <Not defined>

(Not applicable)

Domain Controller: Refuse machine account password changes

<Not defined>

(Not applicable)

Domain member: Digitally encrypt or sign secure channel data (always)

<Not defined>


Domain member: Digitally encrypt secure channel data (when possible)

Enabled

Domain member: Digitally sign secure channel data (when possible)

Enabled

Domain member: Disable machine account password changes

Disabled

Domain member: Maximum machine password age 30 days

Domain member: Require strong (Windows 2000 or later) session key

Enabled

Interactive logon: Display user information when the session is locked

<Not defined>

Interactive logon: Do not display last user name Enabled

Interactive logon: Do not require CTRL+ALT+DEL Disabled

Interactive logon: Message text for users attempting to log on

<Not defined>

(Recommended: define a custom or DOJ-approved message text)

Interactive logon: Message title for users attempting to log on

<Not defined>

(Recommended: define a custom or DOJ-approved message title)

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

<Not defined>

Interactive logon: Prompt user to change password before expiration

14 days

Interactive logon: Require domain controller authentication to unlock workstation

<Not defined>

Interactive logon: Require smart card <Not defined>

Interactive logon: Smart card removal behavior Lock Workstation

Microsoft network client: Digitally sign communications (always)

Enabled

Microsoft network client: Digitally sign communications (if server agrees)

Enabled

Microsoft network client: Send unencrypted password to connect to third-party SMB servers

Disabled

Microsoft network server: Amount of idle time required before suspending session

15 minutes

Microsoft network server: Digitally sign communications (always)

<Not defined>

Microsoft network server: Digitally sign communications (if client agrees)

Enabled

Microsoft network server: Disconnect clients when logon hours expire

Enabled

MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)

10

MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)

Enabled

MSS: (AFD MaximumDynamicBacklog) Maximum number of ‘quasi-free’ connections for Winsock applications

20000 (recommended)

MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for system under attack, 10 otherwise)

20

MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)

Highest protection, source routing is completely disabled

MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)

Disabled

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

Disabled

MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU)

<Not defined>

MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers

Enabled

MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)

Disabled

MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)

Connections time out sooner if a SYN attack is detected

MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged

3 & 6 seconds, half-open connections dropped after 21 seconds

MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)

3

MSS: (TcpMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended)

5


MSS: Disable Autorun for all drives 255, disable Autorun for all drives

MSS: Enable Safe DLL search mode Enabled

MSS: Enable the computer to stop generating 8.3 style filenames

<Not defined>

MSS: How often keep-alive packets are sent in milliseconds

300000 or 5 minutes (recommended)

MSS: Percentage threshold for the security event log at which the system will generate a warning

<Not defined>

MSS: The time in seconds before the screen saver grace period expires

0

Network access: Allow anonymous SID/Name translation Disabled

Network access: Do not allow anonymous enumeration of SAM accounts

Enabled

Network access: Do not allow anonymous enumeration of SAM accounts and shares

Enabled

Network access: Do not allow storage of credentials or .NET passports for network authentication

Enabled

Network access: Let Everyone permissions apply to anonymous users

Disabled

Network access: Named pipes that can be accessed anonymously

<None>

Network access: Remotely accessible registry paths System\CurrentControlSet\Control\ProductOptions

System\CurrentControlSet\Control\Server Applications

Software\Microsoft\Windows NT\CurrentVersion

Network access: Remotely accessible registry paths and sub-paths

Software\Microsoft\Windows NT\CurrentVersion\Print

Software\Microsoft\Windows NT\CurrentVersion\Windows

System\CurrentControlSet\Control\Print\Printers

System\CurrentControlSet\Services\Eventlog

Software\Microsoft\OLAP Server

System\CurrentControlSet\Control\ContentIndex

System\CurrentControlSet\Control\Terminal Server\UserConfig

System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration

Software\Micrsoft\WIndowsNT\CurrentVersion\Perflib

System\CurrentControlSet\Services\SysmonLog

Network access: Restrict anonymous access to Named Pipes and Shares | Enabled
Network access: Shares that can be accessed anonymously | <None>
Network access: Sharing and security model for local accounts | Classic – local users authenticate as themselves
Network security: Do not store LAN Manager password hash value on next password change | Enabled
Network security: Force logoff when logon hours expire | <Not defined>
Network security: LAN Manager authentication level | Send NTLMv2 response only\refuse LM
Network security: LDAP client signing requirements | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require message integrity
 | Require message confidentiality
 | Require NTLMv2 Session Security
 | Require 128-bit Encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require message integrity
 | Require message confidentiality
 | Require NTLMv2 Session Security
 | Require 128-bit Encryption
Recovery console: Allow automatic administrative logon | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | <Not defined>
Shutdown: Allow system to be shut down without having to log on | Disabled
Shutdown: Clear virtual memory pagefile | <Not defined>
System cryptography: Force strong key protection for user keys stored on computer | User must enter a password each time they use a key
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | <Not defined>
System objects: Default owner for objects created by members of the Administrators group | <Not defined>
System objects: Require case insensitivity for non-Windows subsystems | <Not defined>
System objects: Strengthen default permissions of internal system objects | Enabled
System settings: Optional subsystems | <None>
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | <Not defined>

Event Logs
Maximum application log size | 16384 kilobytes
Maximum security log size | 81920 kilobytes
Maximum system log size | 16384 kilobytes
Prevent local guests group from accessing application log | Enabled
Prevent local guests group from accessing security log | Enabled
Prevent local guests group from accessing system log | Enabled
Retain application log | <Not defined>
Retain security log | <Not defined>
Retain system log | <Not defined>
Retention method for application log | <Not defined>
Retention method for security log | <Not defined>
Retention method for system log | <Not defined>

Restricted Groups
<Not defined>

System Services
Alerter (Alerter) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Application Experience Lookup Service (AeLookupSvc) (applicable to Windows Server 2003 SP1) | <Not defined>
Application Layer Gateway Service (ALG) | <Not defined>
Application Management (AppMgmt) | <Not defined>
Client Service for NetWare (NWCWorkstation) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
ASP.NET State Service (aspnet_state) | <Not defined>
Automatic Updates (Wuauserv) | <Not defined>
Background Intelligent Transfer Service (BITS) | <Not defined>
Cache Controller for Nortel (Built-in Cache service for CCMM) | <Not defined>
CCMM Email Manager Service (Built-in CCMM service) | <Not defined>
CCMM License Service (Built-in CCMM service) | <Not defined>
CCMM Manager Client Service (Built-in CCMM service) | <Not defined>
CCMM OAM Service (Built-in CCMM service) | <Not defined>
CCMM Outbound Scheduler Service (Built-in CCMM service) | <Not defined>
CCMM Starter Service (Built-in CCMM service) | <Not defined>

ClipBook (ClipSrv) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
COM+ Event System (EventSystem) | <Not defined>
COM+ System Application (COMSysApp) | <Not defined>
Computer Browser (Browser) | <Not defined>
Cryptographic Services (CryptSvc) | <Not defined>
DCOM Server Process Launcher (DcomLaunch) (applicable to Windows Server 2003 SP1) | <Not defined>
DHCP Client (Dhcp) | <Not defined>
Distributed File System (Dfs) | <Not defined>
Distributed Link Tracking Client (TrkWks) | <Not defined>
Distributed Link Tracking Server (TrkSvr) | <Not defined>
Distributed Transaction Coordinator (MSDTC) | <Not defined>
DNS Client (Dnscache) | <Not defined>
Error Reporting Service (ERSvc) | <Not defined>

Event Log (Eventlog) | <Not defined>
Fax (Fax) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
File Replication (NtFrs) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
File Server for Macintosh (MacFile) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
FTP Publishing Service (MSFtpsvc) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Help and Support (Helpsvc) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
HTTP SSL (HTTPFilter) | <Not defined>
Human Interface Device Access (HidServ) | <Not defined>
IIS Admin Service (IISADMIN) | <Not defined>
IMAPI CD-Burning COM Service (ImapiService) | <Not defined>
Indexing Service (Cisvc) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
InstallDriver Table Manager (Built-in InstallShield service for CC installation) | <Not defined>
Intersite Messaging (IsmServ) | <Not defined>

IPSEC Services (PolicyAgent) | <Not defined>
Kerberos Key Distribution Center (Kdc) | <Not defined>
License Logging (LicenseService) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Logical Disk Manager (Dmserver) | <Not defined>
Logical Disk Manager Administrative Service (Dmadmin) | <Not defined>
Messenger (Messenger) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Microsoft POP3 Service (POP3SVC) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Microsoft Software Shadow Copy Provider (SwPrv) | <Not defined>
Net Logon (Netlogon) | <Not defined>
NetMeeting Remote Desktop Sharing (mnmsrvc) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Network Connections (Netman) | Manual (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Network DDE (NetDDE) | <Not defined>
Network DDE DSDM (NetDDEdsdm) | <Not defined>

Network Location Awareness (NLA) | <Not defined>
Network Provisioning Service (xmlprov) | <Not defined>
Network News Transport Protocol (NNTP) (NntpSvc) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
NT LM Security Support Provider (NtLmSsp) | <Not defined>
pcAnywhere Host Service (Built-in pcAnywhere service for CC if it is installed) | <Not defined>
Performance Logs and Alerts (SysmonLog) | <Not defined>
Plug and Play (PlugPlay) | <Not defined>
Portable Media Serial Number Service (WmdmPmSN) | <Not defined>
Print Server for Macintosh (MacPrint) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Print Spooler (Spooler) | <Not defined>
Protected Storage (ProtectedStorage) | <Not defined>
Remote Access Auto Connection Manager (RasAuto) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Access Connection Manager (RasMan) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Administration Service (SrvcSurg) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Desktop Help Session Manager (RDSessMgr) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Installation (BINLSVC) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Procedure Call (RPC) (RpcSs) | <Not defined>
Remote Procedure Call (RPC) Locator (RpcLocator) | <Not defined>
Remote Registry (RemoteRegistry) | <Not defined>
Remote Server Manager (AppMgr) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Server Monitor (APPMON) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Storage Notification (Remote_Storage_User_Link) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Storage Server (Remote_Storage_Server) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Removable Storage (NtmsSvc) | <Not defined>
Resultant Set of Policy Provider (RSoPProv) | <Not defined>

Routing and Remote Access (RemoteAccess) | <Not defined>
Secondary Logon (seclogon) | <Not defined>
Security Accounts Manager (SamSs) | <Not defined>
Server (lanmanserver) | <Not defined>
Shell Hardware Detection (ShellHWDetection) | <Not defined>
Simple Mail Transfer Protocol (SMTP) (SMTPSVC) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Smart Card (SCardSvr) | <Not defined>
SNMP Service (SNMP) | <Not defined>
SNMP Trap Service (SNMPTRAP) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Special Administration Console Helper (Sacsvr) | <Not defined>
System Event Notification (SENS) | <Not defined>
Task Scheduler (Schedule) | <Not defined>
TCP/IP NetBIOS Helper (LmHosts) | <Not defined>
Telephony (TapiSrv) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Telnet (TlntSvr) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Terminal Services (TermService) | <Not defined>
Terminal Services Session Directory (Tssdis) | <Not defined>
Trivial FTP Daemon (tftpd) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Themes (Themes) | <Not defined>
Uninterruptible Power Supply (UPS) | <Not defined>
Upload Manager (Uploadmgr) | <Not defined>
Virtual Disk Service (VDS) | <Not defined>
Volume Shadow Copy (VSS) | <Not defined>
Web Element Manager (elementmgr) | <Not defined>
WebClient (WebClient) | <Not defined>
Windows Audio (AudioSrv) | <Not defined>
Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) | <Not defined>

Windows Image Acquisition (WIA) (SuSvc) | <Not defined>
Windows Installer (MSIServer) | <Not defined>
Windows Management Instrumentation (winmgmt) | <Not defined>
Windows Management Instrumentation Driver Extensions (Wmi) | <Not defined>
Windows Time (W32Time) | <Not defined>
Windows User Mode Driver Framework (UMWdf) | <Not defined>
WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) | <Not defined>
Wireless Configuration (WZCSVC) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
WMI Performance Adapter (WmiApSrv) | <Not defined>
Workstation (lanmanworkstation) | <Not defined>
World Wide Web Publishing Service (W3SVC) | <Not defined>

Registry
MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit | Administrators=Full Control, SYSTEM=Full Control, Users=Read
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer | Administrators=Full Control, SYSTEM=Full Control, Users=Read
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies | Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control
MACHINE\SYSTEM\CurrentControlSet\Enum | Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers | Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities | Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control
USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots | Administrators=Full Control, SYSTEM=Full Control, Users=Read

File System
%SystemRoot%\regedit.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\at.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\attrib.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\cacls.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\debug.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\drwatson.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\drwtsn32.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\edlin.exe | Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\eventcreate.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\eventtriggers.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\ftp.exe | Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\net.exe | Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\net1.exe | Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\netsh.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\rcp.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\reg.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\regedt32.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\regsvr32.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\rexec.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\rsh.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\runas.exe | Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\sc.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\subst.exe | Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\telnet.exe | Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\tftp.exe | Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\tlntsvr.exe | Administrators=Full Control, SYSTEM=Full Control
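The table above defines what the template is supposed to leave behind; the PowerShell script below is an added example (not part of the Nortel guide or of its template files) that spot-checks a server after deployment against a subset of those rows: the services the template sets to Disabled, and several of the MSS TCP/IP values. It assumes that the MSS rows are written to the standard Tcpip and NetBT Parameters registry keys (where the Security Configuration Editor stores them), that the numeric values are the ones the MSS drop-down labels map to (for example "Highest protection" for DisableIPSourceRouting is 2, and "3 & 6 seconds, dropped after 21 seconds" for TcpMaxConnectResponseRetransmissions is 2), and that the service short names in the table are the ones present on the host. It reports drift only, so a compliant server prints just the summary line.

```powershell
# Added example, not Nortel's code: compare a Windows Server 2003 host with a
# subset of the security template rows above and report any drift.
# Assumption: MSS values live under the standard Tcpip/NetBT Parameters keys.

# Services the template sets to Disabled (short names from the table).
$ExpectedDisabled = @(
    'Alerter', 'ClipSrv', 'Fax', 'NtFrs', 'MSFtpsvc', 'Helpsvc', 'Cisvc',
    'LicenseService', 'Messenger', 'POP3SVC', 'mnmsrvc', 'NntpSvc',
    'RasAuto', 'RasMan', 'RDSessMgr', 'BINLSVC', 'SMTPSVC', 'SNMPTRAP',
    'TapiSrv', 'TlntSvr', 'tftpd', 'WZCSVC'
)

# MSS rows, with the numeric value behind each drop-down label in the table.
$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$NetBT = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$ExpectedRegistry = @(
    @{ Path = $Tcpip; Name = 'SynAttackProtect';                     Value = 1 }  # time out sooner under SYN attack
    @{ Path = $Tcpip; Name = 'DisableIPSourceRouting';               Value = 2 }  # source routing completely disabled
    @{ Path = $Tcpip; Name = 'EnableDeadGWDetect';                   Value = 0 }
    @{ Path = $Tcpip; Name = 'EnableICMPRedirect';                   Value = 0 }
    @{ Path = $Tcpip; Name = 'TcpMaxConnectResponseRetransmissions'; Value = 2 }  # 3 & 6 s, dropped after 21 s
    @{ Path = $Tcpip; Name = 'TcpMaxDataRetransmissions';            Value = 3 }
    @{ Path = $Tcpip; Name = 'TcpMaxPortsExhausted';                 Value = 5 }
    @{ Path = $NetBT; Name = 'NoNameReleaseOnDemand';                Value = 1 }
)

function Test-TemplateService {
    param([string]$Name)
    # Windows Server 2003 / PowerShell 2.0: read the start mode through WMI.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if ($null -eq $svc) {
        # A service that is not installed cannot be started, so treat it as compliant.
        return New-Object PSObject -Property @{
            Item = $Name; Expected = 'Disabled'; Actual = 'not installed'; Compliant = $true
        }
    }
    New-Object PSObject -Property @{
        Item = $Name; Expected = 'Disabled'; Actual = $svc.StartMode
        Compliant = ($svc.StartMode -eq 'Disabled')
    }
}

function Test-TemplateRegistryValue {
    param([string]$Path, [string]$Name, [int]$Value)
    $actual = $null
    $key = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($key) { $actual = $key.$Name }
    # A missing value is non-compliant: the template is expected to have written it.
    New-Object PSObject -Property @{
        Item = "$Path\$Name"; Expected = $Value; Actual = $actual
        Compliant = ($null -ne $actual -and [int]$actual -eq $Value)
    }
}

$results = @()
$results += $ExpectedDisabled | ForEach-Object { Test-TemplateService -Name $_ }
$results += $ExpectedRegistry | ForEach-Object {
    Test-TemplateRegistryValue -Path $_.Path -Name $_.Name -Value $_.Value
}

# Show drift only; the summary line is always printed.
$drift = @($results | Where-Object { -not $_.Compliant })
$drift | Format-Table Item, Expected, Actual -AutoSize
"{0} checks, {1} not compliant" -f $results.Count, $drift.Count
```

Run it in an elevated PowerShell session on the hardened server. Extending the two lists to cover the remaining Disabled services and the AFD rows is a matter of adding entries; the file-system and registry ACL rows need a separate check with Get-Acl and are deliberately left out here.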

3.6 Contact Center Manager Server on Stratus Platform Security Template Definitions

Table 9 lists the security template settings defined for the Contact Center Manager Server in a standalone server configuration, the Contact Center Manager Replication server, or the Network Control Center server running on the Stratus platform.

Table 9 Contact Center Manager Server Stratus Security Template Settings

Security Setting Items | Setting

Account Policies

Password Policy
Enforce password history | 24 passwords remembered
Maximum password age | 90 days
Minimum password age | 1 day
Minimum password length | 8
Password must meet complexity requirements | Enabled
Store passwords using reversible encryption | Disabled

Account Lockout Policy
Account lockout duration | 15 minutes
Account lockout threshold | 15 invalid logon attempts
Reset account lockout counter after | 15 minutes

Kerberos Policy
Enforce user logon restrictions | <Not defined>
Maximum lifetime for service ticket | <Not defined>
Maximum lifetime for user ticket | <Not defined>
Maximum lifetime for user ticket renewal | <Not defined>
Maximum tolerance for computer clock synchronization | <Not defined>

Local Policies

Audit Policy
Audit account logon events | Success, Failure
Audit account management | Success, Failure
Audit directory service access | <Not defined>
Audit logon events | Success, Failure
Audit object access | Success, Failure
Audit policy change | Success
Audit privilege use | <Not defined>
Audit process tracking | <Not defined>
Audit system events | Success

User Rights Assignment
Access this computer from the network | <Not defined>
Act as part of the operating system | <None>
Add workstations to domain | <Not defined>
Adjust memory quotas for a process | <Not defined>
Allow log on locally | Administrators
Allow log on through Terminal Services | Administrators, Remote Desktop Users
Back up files and directories | Administrators
Bypass traverse checking | Users
Change the system time | Administrators
Create a pagefile | <Not defined>
Create a token object | <None>
Create global objects | <Not defined>
Create permanent shared objects | <None>
Debug programs | <None>
Deny access to this computer from the network | ANONYMOUS LOGON, Guests
Deny log on as a batch job | Guests
Deny log on as a service | <Not defined>
Deny log on locally | <Not defined>
Deny log on through Terminal Services | Guests
Enable computer and user accounts to be trusted for delegation | <None>
Force shutdown from a remote system | <Not defined>
Generate security audits | <Not defined>
Impersonate a client after authentication | SERVICE
Increase scheduling priority | <Not defined>
Load and unload device drivers | Administrators
Lock pages in memory | <Not defined>
Log on as a batch job | <None>
Log on as a service | <Not defined>
Manage auditing and security log | <Not defined>
Modify firmware environment values | <Not defined>
Perform volume maintenance tasks | <Not defined>
Profile single process | <Not defined>
Profile system performance | <Not defined>
Remove computer from docking station | <Not defined>
Replace a process level token | LOCAL SERVICE, NETWORK SERVICE
Restore files and directories | <Not defined>
Shut down the system | Administrators
Synchronize directory service data | <None>
Take ownership of files or other objects | Administrators

Security Options
Accounts: Administrator account status | <Not defined>
Accounts: Guest account status | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Accounts: Rename administrator account | <Not defined> (recommended: change it to a non-standard name)
Accounts: Rename guest account | <Not defined> (recommended: change it to a non-standard name)
Audit: Audit the access of global system objects | <Not defined>
Audit: Audit the use of backup and restore privilege | <Not defined>
Audit: Shut down system immediately if unable to log security alerts | <Not defined>
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax | <Not defined>
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax | <Not defined>
Devices: Allow undock without having to log on | <Not defined>
Devices: Allowed to format and eject removable media | Administrators
Devices: Prevent users from installing printer drivers | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | <Not defined>
Devices: Restrict floppy access to locally logged-on user only | <Not defined>
Devices: Unsigned driver installation behavior | Warn but allow installation
Domain Controller: Allow server operators to schedule tasks | <Not defined> (Not applicable)
Domain Controller: LDAP server signing requirements | <Not defined> (Not applicable)
Domain Controller: Refuse machine account password changes | <Not defined> (Not applicable)
Domain member: Digitally encrypt or sign secure channel data (always) | <Not defined>
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Maximum machine password age | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive logon: Display user information when the session is locked | <Not defined>

Interactive logon: Do not display last user name | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Message text for users attempting to log on | <Not defined> (recommended: define a custom or DOJ approved message text)
Interactive logon: Message title for users attempting to log on | <Not defined> (recommended: define a custom or DOJ approved message title)
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | <Not defined>
Interactive logon: Prompt user to change password before expiration | 14 days
Interactive logon: Require domain controller authentication to unlock workstation | <Not defined>
Interactive logon: Require smart card | <Not defined>
Interactive logon: Smart card removal behavior | Lock Workstation
Microsoft network client: Digitally sign communications (always) | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to connect to third-party SMB servers | Disabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes
Microsoft network server: Digitally sign communications (always) | <Not defined>
Microsoft network server: Digitally sign communications (if client agrees) | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled
MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended) | 10
MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended) | Enabled
MSS: (AFD MaximumDynamicBacklog) Maximum number of ‘quasi-free’ connections for Winsock applications | 20000 (recommended)

MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for system under attack, 10 otherwise) | 20
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Highest protection, source routing is completely disabled
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) | Disabled
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled
MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU) | <Not defined>
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS) | Disabled
MSS: (SynAttackProtect) SYN attack protection level (protects against DoS) | Connections time out sooner if a SYN attack is detected
MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged | 3 & 6 seconds, half-open connections dropped after 21 seconds
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | 3
MSS: (TCPMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended) | 5
MSS: Disable Autorun for all drives | 255, disable Autorun for all drives
MSS: Enable Safe DLL search mode | Enabled
MSS: Enable the computer to stop generating 8.3 style filenames | <Not defined>
MSS: How often keep-alive packets are sent in milliseconds | 300000 or 5 minutes (recommended)
MSS: Percentage threshold for the security event log at which the system will generate a warning | <Not defined>
MSS: The time in seconds before the screen saver grace period expires | 0
Network access: Allow anonymous SID/Name translation | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Network access: Named pipes that can be accessed anonymously | <None>
Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions
 | System\CurrentControlSet\Control\Server Applications
 | Software\Microsoft\WindowsNT\CurrentVersion
Network access: Remotely accessible registry paths and sub-paths | Software\Microsoft\WindowsNT\CurrentVersion\Print
 | Software\Microsoft\WindowsNT\CurrentVersion\Windows
 | System\CurrentControlSet\Control\Print\Printers
 | System\CurrentControlSet\Services\Eventlog
 | Software\Microsoft\OLAP Server
 | System\CurrentControlSet\Control\ContentIndex
 | System\CurrentControlSet\Control\Terminal Server\UserConfig
 | System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration
 | Software\Microsoft\WindowsNT\CurrentVersion\Perflib
 | System\CurrentControlSet\Services\SysmonLog
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled

Network access: Shares that can be accessed anonymously | <None>
Network access: Sharing and security model for local accounts | Classic – local users authenticate as themselves
Network security: Do not store LAN Manager password hash value on next password change | Enabled
Network security: Force logoff when logon hours expire | <Not defined>
Network security: LAN Manager authentication level | Send NTLMv2 response only\refuse LM
Network security: LDAP client signing requirements | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require message integrity
 | Require message confidentiality
 | Require NTLMv2 Session Security
 | Require 128-bit Encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require message integrity
 | Require message confidentiality
 | Require NTLMv2 Session Security
 | Require 128-bit Encryption
Recovery console: Allow automatic administrative logon | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | <Not defined>
Shutdown: Allow system to be shut down without having to log on | Disabled
Shutdown: Clear virtual memory pagefile | <Not defined>
System cryptography: Force strong key protection for user keys stored on computer | User must enter a password each time they use a key
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | <Not defined>
System objects: Default owner for objects created by members of the Administrators group | <Not defined>
System objects: Require case insensitivity for non-Windows subsystems | <Not defined>
System objects: Strengthen default permissions of internal system objects | Enabled
System settings: Optional subsystems | <None>
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | <Not defined>

Event Logs
Maximum application log size | 16384 kilobytes
Maximum security log size | 81920 kilobytes
Maximum system log size | 16384 kilobytes
Prevent local guests group from accessing application log | Enabled
Prevent local guests group from accessing security log | Enabled
Prevent local guests group from accessing system log | Enabled
Retain application log | <Not defined>
Retain security log | <Not defined>
Retain system log | <Not defined>
Retention method for application log | <Not defined>
Retention method for security log | <Not defined>
Retention method for system log | <Not defined>

Restricted Groups
<Not defined>

System Services
Alerter (Alerter) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Application Experience Lookup Service (AeLookupSvc) (applicable to Windows Server 2003 SP1) | <Not defined>
Application Layer Gateway Service (ALG) | <Not defined>
Application Management (AppMgmt) | <Not defined>
Client Service for NetWare (NWCWorkstation) | Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

ASP.NET State Service (aspnet_state) <Not defined>

Automatic Updates (Wuauserv) <Not defined>

Background Intelligent Transfer Service (BITS) <Not defined>

CC License Manager (CC_LM) (Built-in CC 6.0 service) <Not defined>

CC Replication Service (REP_Service) (Built-in CCMS service) <Not defined>

CCMS ASM_Service (ASM_Service) (Built-in CCMS service) <Not defined>

CCMS Audit_Service (AUDIT_Service) (Built-in CCMS service) <Not defined>

CCMS Control Service (CCMS_MasterService) (Built-in CCMS service) <Not defined>

CCMS DBNotifier_Service (DBNotifier_Service) (Built-in CCMS service) <Not defined>

CCMS EB_Service (EB_Service) (Built-in CCMS service) <Not defined>


CCMS ES_Service (ES_Service) (Built-in CCMS service) <Not defined>

CCMS HDC_Service (HDC_Service) (Built-in CCMS service) <Not defined>

CCMS HDM_Service (HDM_Service) (Built-in CCMS service) <Not defined>

CCMS Host Application Integration (Host Application Integration) (Built-in CCMS service) <Not defined>

CCMS IS_Service (IS_Service) (Built-in CCMS service) <Not defined>

CCMS MAS Backup/Restore (nbbkp) (Built-in CCMS service) <Not defined>

CCMS MAS Configuration Manager (nbcfg) (Built-in CCMS service) <Not defined>

CCMS MAS Event Scheduler (nbsch) (Built-in CCMS service) <Not defined>

CCMS MAS Fault Manager (nbflt) (Built-in CCMS service) <Not defined>

CCMS MAS LinkHandler Port #2 (nbalh) (Built-in CCMS service) <Not defined>

CCMS MAS OM Server (nboms) (Built-in CCMS service) <Not defined>

CCMS MAS Security (nbss) (Built-in CCMS service) <Not defined>

CCMS MAS Service Daemon (nbsm_dae) (Built-in CCMS service) <Not defined>

CCMS MAS Service Manager (nbsm) (Built-in CCMS service) <Not defined>

CCMS MAS Time Service (nbts) (Built-in CCMS service) <Not defined>

CCMS MLSM_Service (MLSM_Service) (Built-in CCMS service) <Not defined>

CCMS NBMSM_Service (CCMS_NBMSM_Service) (Built-in CCMS service) <Not defined>

CCMS NBNM_Service (NBNM_Service) (Built-in CCMS service) <Not defined>

CCMS NBTSM_Service (NBTSM_Service) (Built-in CCMS service) <Not defined>

CCMS NCCOAM_Service (NCCOAM_Service) (Built-in CCMS service) <Not defined>

CCMS NDLOAM_Service (NDLOAM_Service) (Built-in CCMS service) <Not defined>

CCMS NIMSM_Service (CCMS_NIMSM_Service) (Built-in CCMS service) <Not defined>

CCMS NINCCAudit_Service (NINCCAudit_Service) (Built-in CCMS service) <Not defined>

CCMS NITSM_Service (NITSM_Service) (Built-in CCMS service) <Not defined>

CCMS OAM_Service (OAM_Service) (Built-in CCMS service) <Not defined>

CCMS OAMCMF_Service (CCMS_OAM_CMF_Service) (Built-in CCMS service) <Not defined>

CCMS RDC_Service (RDC_Service) (Built-in CCMS service) <Not defined>

CCMS RSM_Service (RSM_Service) (Built-in CCMS service) <Not defined>


CCMS SDMCA_Service (SDMCA_Service) (Built-in CCMS service) <Not defined>

CCMS SDP_Service (SDP_Service) (Built-in CCMS service) <Not defined>

CCMS SIP_Service (CCMS_SIP_Service) (Built-in CCMS service) <Not defined>

CCMS TFA_Service (TFA_Service) (Built-in CCMS service) <Not defined>

CCMS TFABRIDGE_Service (TFABRIDGE_Service) (Built-in CCMS service) <Not defined>

CCMS TFE Bridge Connector (TfeBridgeConnector) (Built-in CCMS service) <Not defined>

CCMS TFE_Service (TFE_Service) (Built-in CCMS service) <Not defined>

CCMS UNE_Service (CCMS_UNE_Service) (Built-in CCMS service) <Not defined>

CCMS VSM_Service (VSM_Service) (Built-in CCMS service) <Not defined>

ClipBook (ClipSrv) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

COM+ Event System (EventSystem) <Not defined>

COM+ System Application (COMSysApp) <Not defined>

Computer Browser (Browser) <Not defined>

Cryptographic Services (CryptSvc) <Not defined>

DCOM Server Process Launcher (DcomLaunch) (applicable to Windows Server 2003 SP1) <Not defined>

DHCP Client (Dhcp) <Not defined>

Distributed File System (Dfs) <Not defined>

Distributed Link Tracking Client (TrkWks) <Not defined>

Distributed Link Tracking Server (TrkSvr) <Not defined>

Distributed Transaction Coordinator (MSDTC) <Not defined>

DNS Client (Dnscache) <Not defined>

Error Reporting Service (ERSvc) <Not defined>

Event Log (Eventlog) <Not defined>


Fax (Fax) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

File Replication (NtFrs) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

File Server for Macintosh (MacFile) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

FTP Publishing Service (MSFtpsvc) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Help and Support (Helpsvc) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

HTTP SSL (HTTPFilter) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Human Interface Device Access (HidServ) <Not defined>

IIS Admin Service (IISADMIN) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

IMAPI CD-Burning COM Service (ImapiService) <Not defined>

Indexing Service (Cisvc) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

InstallDriver Table Manager (Built-in InstallShield service for CC installation) <Not defined>

Intersite Messaging (IsmServ) <Not defined>


IPSEC Services (PolicyAgent) <Not defined>

Kerberos Key Distribution Center (Kdc) <Not defined>

License Logging Service (LicenseService) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Logical Disk Manager (Dmserver) <Not defined>

Logical Disk Manager Administrative Service (Dmadmin) <Not defined>

Messenger (Messenger) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Microsoft POP3 Service (POP3SVC) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Microsoft Software Shadow Copy Provider (SwPrv) <Not defined>

Net Logon (Netlogon) <Not defined>

NetMeeting Remote Desktop Sharing (mnmsrvc) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Network Connections (Netman) Manual (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Network DDE (NetDDE) <Not defined>

Network DDE DSDM (NetDDEdsdm) <Not defined>


Network Location Awareness (NLA) <Not defined>

Network Provisioning Service (xmlprov) (applicable to Windows Server 2003 SP1) <Not defined>

Network News Transport Protocol (NNTP) (NntpSvc) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

NT LM Security Support Provider (NtLmSsp) <Not defined>

pcAnywhere Host Service (Built-in pcAnywhere service for CC if it is installed) <Not defined>

Performance Logs and Alerts (SysmonLog) <Not defined>

Plug and Play (PlugPlay) <Not defined>

Portable Media Serial Number Service (WmdmPmSN) <Not defined>

Print Server for Macintosh (MacPrint) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Print Spooler (Spooler) <Not defined>

Protected Storage (ProtectedStorage) <Not defined>

Remote Access Auto Connection Manager (RasAuto) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Access Connection Manager (RasMan) <Not defined>


Remote Administration Service (SrvcSurg) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Desktop Help Session Manager (RDSessMgr) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Installation (BINLSVC) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Procedure Call (RPC) (RpcSs) <Not defined>

Remote Procedure Call (RPC) Locator (RpcLocator) <Not defined>

Remote Registry (RemoteRegistry) <Not defined>

Remote Server Manager (AppMgr) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Server Monitor (Appmon) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Storage Notification (Remote_Storage_User_Link) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Remote Storage Server (Remote_Storage_Server) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Removable Storage (NtmsSvc) <Not defined>

Resultant Set of Policy Provider (RSoPProv) <Not defined>

Routing and Remote Access (RemoteAccess) <Not defined>

Secondary Logon (seclogon) <Not defined>

Security Accounts Manager (SamSs) <Not defined>

Server (lanmanserver) <Not defined>

Shell Hardware Detection (ShellHWDetection) <Not defined>

Simple Mail Transfer Protocol (SMTP) (SMTPSVC) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Smart Card (SCardSvr) <Not defined>

SNMP Service (SNMP) <Not defined>

SNMP Trap Service (SNMPTRAP) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Special Administration Console Helper (Sacsvr) <Not defined>

Sybase BCKServer_<server name>_BS (SYBBCK_<server name>_BS) (Built-in CCMS Sybase service) <Not defined>

Sybase MONServer_<server name>_MS (SYBMON_<server name>_MS) (Built-in CCMS Sybase service) <Not defined>

Sybase SQLServer_<server name> (SYBSQL_<server name>) (Built-in CCMS Sybase service) <Not defined>

Sybase XPServer_<server name>_XP (SYBXPS_<server name>_XP) (Built-in CCMS Sybase service) <Not defined>

Sybase ASE Protect Service (SybProtect) (Built-in CCMS Sybase service) <Not defined>

System Event Notification (SENS) <Not defined>

TAO NT Naming Service (TAO_NT_Naming_Service) (Built-in CCMS TAO service) <Not defined>

Task Scheduler (Schedule) <Not defined>

TCP/IP NetBIOS Helper Service (LMHosts) <Not defined>

Telephony (TapiSrv) <Not defined>

Telnet (TlntSvr) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Terminal Services (TermService) <Not defined>

Terminal Services Session Directory (Tssdis) <Not defined>

Trivial FTP Daemon (tftpd) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Themes (Themes) <Not defined>

Uninterruptible Power Supply (UPS) <Not defined>

Upload Manager (Uploadmgr) <Not defined>

Virtual Disk Service (VDS) <Not defined>

Volume Shadow Copy (VSS) <Not defined>

Web Element Manager (elementmgr) <Not defined>

WebClient (WebClient) <Not defined>

Windows Audio (AudioSrv) <Not defined>

Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) <Not defined>

Windows Image Acquisition (WIA) (StiSvc) <Not defined>

Windows Installer (MSIServer) <Not defined>

Windows Management Instrumentation (winmgmt) <Not defined>

Windows Management Instrumentation Driver Extensions (Wmi) <Not defined>

Windows Time (W32Time) <Not defined>

Windows User Mode Driver Framework (UMWdf) (applicable to Windows Server 2003 SP1) <Not defined>

WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) <Not defined>

Wireless Configuration (WZCSVC) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

WMI Performance Adapter (WmiApSrv) <Not defined>

Workstation (lanmanworkstation) <Not defined>

World Wide Web Publishing Service (W3SVC) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)

Registry

MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit Administrators=Full Control, SYSTEM=Full Control, Users=Read

MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer Administrators=Full Control, SYSTEM=Full Control, Users=Read

MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control

MACHINE\SYSTEM\CurrentControlSet\Enum Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control

MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control

MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control

USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots Administrators=Full Control, SYSTEM=Full Control, Users=Read

File System

%SystemRoot%\regedit.exe Administrators=Full Control, SYSTEM=Full Control


%SystemRoot%\system32\at.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\attrib.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\cacls.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\debug.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\drwatson.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\drwtsn32.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\edlin.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\eventcreate.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\eventtriggers.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\ftp.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\net.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\net1.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\netsh.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\rcp.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\reg.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\regedt32.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\regsvr32.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\rexec.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\rsh.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\runas.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\sc.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\subst.exe Administrators=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\telnet.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\tftp.exe Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control

%SystemRoot%\system32\tlntsvr.exe Administrators=Full Control, SYSTEM=Full Control
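Once the template has been applied, the System Services and File System entries above can be verified on the server itself rather than trusted from the template. The PowerShell script below is an added example and not Nortel's code: it checks the WMI start mode of every service the template sets to Disabled, and flags any NTFS access entry on the listed executables for a principal outside the template's Administrators/SYSTEM set (plus INTERACTIVE where the table grants it). Service short names and paths are taken from the tables; the service permission entries (Interactive=Read) are not checked, and the script assumes it runs with administrative rights on the Contact Center server.

```powershell
# Added example (not part of the Nortel guide): audit a Windows Server 2003 host
# against the System Services and File System entries of the CC 6.0 template.
# Assumes PowerShell with WMI access, run with administrative rights.

# Services the template sets to Disabled (short names from the System Services table).
$disabledServices = @(
    'Alerter', 'NWCWorkstation', 'ClipSrv', 'Fax', 'NtFrs', 'MacFile', 'MSFtpsvc',
    'Helpsvc', 'HTTPFilter', 'IISADMIN', 'Cisvc', 'LicenseService', 'Messenger',
    'POP3SVC', 'mnmsrvc', 'NntpSvc', 'MacPrint', 'RasAuto', 'SrvcSurg', 'RDSessMgr',
    'BINLSVC', 'AppMgr', 'Appmon', 'Remote_Storage_User_Link', 'Remote_Storage_Server',
    'SMTPSVC', 'SNMPTRAP', 'TlntSvr', 'tftpd', 'WZCSVC', 'W3SVC'
)

# Executables the template restricts to Administrators and SYSTEM (relative to %SystemRoot%).
$adminOnlyExes = @(
    'regedit.exe', 'system32\at.exe', 'system32\attrib.exe', 'system32\cacls.exe',
    'system32\debug.exe', 'system32\drwatson.exe', 'system32\drwtsn32.exe',
    'system32\eventcreate.exe', 'system32\eventtriggers.exe', 'system32\netsh.exe',
    'system32\rcp.exe', 'system32\reg.exe', 'system32\regedt32.exe',
    'system32\regsvr32.exe', 'system32\rexec.exe', 'system32\rsh.exe',
    'system32\sc.exe', 'system32\subst.exe', 'system32\tlntsvr.exe'
)
# Executables where the template also grants INTERACTIVE Full Control.
$interactiveExes = @(
    'system32\edlin.exe', 'system32\ftp.exe', 'system32\net.exe', 'system32\net1.exe',
    'system32\runas.exe', 'system32\telnet.exe', 'system32\tftp.exe'
)

$baseIdentities = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Test-ServiceDisabled {
    param([string]$Name)
    # Win32_Service.StartMode is one of Boot, System, Auto, Manual, Disabled.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if ($svc -eq $null) { return $null }           # not installed: nothing to enforce
    return ($svc.StartMode -eq 'Disabled')
}

function Test-ExeAcl {
    param([string]$RelativePath, [string[]]$AllowedIdentities)
    $path = Join-Path $env:SystemRoot $RelativePath
    if (-not (Test-Path $path)) { return $null }   # binary absent on this install
    # Any ACE for a principal outside the template's list is a deviation,
    # for example an inherited Users=Read & Execute entry that was never replaced.
    $acl = Get-Acl -Path $path
    $extra = @($acl.Access | Where-Object { $AllowedIdentities -notcontains $_.IdentityReference.Value })
    return ($extra.Count -eq 0)
}

foreach ($name in $disabledServices) {
    if ((Test-ServiceDisabled -Name $name) -eq $false) {
        Write-Output "DEVIATION: service $name is not Disabled"
    }
}
foreach ($exe in $adminOnlyExes) {
    if ((Test-ExeAcl -RelativePath $exe -AllowedIdentities $baseIdentities) -eq $false) {
        Write-Output "DEVIATION: ACL on $exe grants access beyond Administrators/SYSTEM"
    }
}
foreach ($exe in $interactiveExes) {
    $allowed = $baseIdentities + 'NT AUTHORITY\INTERACTIVE'
    if ((Test-ExeAcl -RelativePath $exe -AllowedIdentities $allowed) -eq $false) {
        Write-Output "DEVIATION: ACL on $exe grants access beyond Administrators/SYSTEM/INTERACTIVE"
    }
}
```

A service that is not installed, or an executable that is absent, is skipped rather than reported, so a clean run prints nothing.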



4 Glossary

The glossary provided relates solely to this document.

CLAN Customer Local Area Network

DHCP Dynamic Host Configuration Protocol

DNS Domain Name Service

ELAN Embedded Local Area Network

IT Information Technology

LAN Local Area Network

MAS Meridian Application Server

NCC Network Control Center

Nortel Servers Subnet Previously known as CLAN

PC Personal Computer

PEP Performance Enhancement Package

PRD Platform Recovery Disk

RAS Remote Access Service

SCCS Symposium Call Center Server

SMTP Simple Mail Transfer Protocol

SU Service Update

SWC Symposium Call Center Web Client

TAPI SP Symposium TAPI Service Provider

WAN Wide Area Network



5 References

[1] Windows Server 2003 Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Security Settings for Domain Member Servers, Version 1.2, October 17, 2005, The Center for Internet Security

[2] Contact Center 6.0 Security Guide, Issue 1.01, July 18, 2006
