microsoft baseline security analyzer - cisco baseline security analyzer ... security best practices...

Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0

Upload: dangbao

Post on 21-Jun-2018


Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) checks computers running Microsoft Windows Server 2008 R2 for common security misconfigurations.

The following are the scanning options selected for Cisco Unified ICM Real-Time Distributor running one or more web applications (for example, Internet Script Editor or Agent-Reskilling).

• Windows operating system (OS) checks

• IIS checks

• SQL checks

• Security update checks

• Password checks

The report in this chapter shows example results of running the MBSA tool against a Cisco Unified ICM server that runs most Microsoft Server Applications that the tool supports.

• Security Update Scan Results

• Windows Scan Results

• Internet Information Services (IIS) Scan Results

• SQL Server Scan Results

• Desktop Application Scan Results

Security Update Scan Results

The following table provides an example of security update scan results:

Table 1: Security Update Scan Results

| Score | Issue | Result |
|---|---|---|
| | Windows Security Updates | No critical security updates are missing. |
| | IIS Security Updates | No critical security updates are missing. |
| | SQL Server/MSDE Security Updates | Instance (default): No critical security updates are missing. |
| | MDAC Security Updates | No critical security updates are missing. |
| | MSXML Security Updates | No critical security updates are missing. |
| | Office Security Updates | No Microsoft Office products are installed. |

Windows Scan Results

The following table shows Windows scan results:

Table 2: Vulnerabilities

| Score | Issue | Result |
|---|---|---|
| | Automatic Updates | Automatic Updates are managed through Group Policy on this computer. |
| | Administrators | More than 2 Administrators were found on this computer. Note: You can ignore this event because the Cisco Unified ICM application requires the addition of certain groups to the Local Administrators group, which triggers this event. Review the Result Details and remove any known unnecessary accounts. |
| | Password Expiration | Some user accounts (1 of 7) have nonexpiring passwords. Note: When the server is properly configured to require expiring passwords, this warning typically finds the Guest account to have a nonexpiring password even though the account is disabled. This warning can be ignored. |
| | Windows Firewall | Windows Firewall is enabled and has exceptions configured. Windows Firewall is enabled on all network connections. |
| | Local Account Password Test | Some user accounts (1 of 7) have blank or simple passwords, or could not be analyzed. |
| | File System | All hard drives (1) are using the NTFS file system. |
| | Autologon | Autologon is not configured on this computer. |
| | Guest Account | The Guest account is disabled on this computer. |
| | Restrict Anonymous | Computer is properly restricting anonymous access. |

The following table provides more scan information:

Table 3: More System Information

| Score | Issue | Result |
|---|---|---|
| | Auditing | Logon Success and Logon Failure auditing are both enabled. |
| | Services | Some potentially unnecessary services are installed. |
| | Shares | 2 shares are present on your computer. |
| | Windows Version | Computer is running Windows Server 2008 R2 or greater. |

Internet Information Services (IIS) Scan Results

The following table shows IIS scan results:

Table 4: Vulnerabilities

| Score | Issue | Result |
|---|---|---|
| | IIS Lockdown Tool | The IIS Lockdown tool was developed for IIS 4.0, 5.0, and 5.1, and is not needed for new Windows Server 2008 R2 installations running higher versions of IIS. |
| | Sample Applications | IIS sample applications are not installed. |
| | IISAdmin Virtual Directory | IISADMPWD virtual directory is not present. |
| | Parent Paths | Parent paths are not enabled. |
| | MSADC and Scripts Virtual Directories | The MSADC and Scripts virtual directories are not present. |

Table 5: Other System Information

| Score | Issue | Result |
|---|---|---|
| | Domain Controller Test | IIS is not running on a domain controller. |
| | IIS Logging Enabled | All web and FTP sites are using the default logging options. |


SQL Server Scan Results

The following table shows SQL Server scan results:

Instance (default)

Table 6: Vulnerabilities

| Score | Issue | Result |
|---|---|---|
| | Sysadmin role members | BUILTIN\Administrators group is part of sysadmin role. Note: This is acceptable because the Cisco Unified ICM application adds certain groups to the local Administrators account on the server which require dbo access to the database. |
| | Sysadmins | No more than 2 members of sysadmin role are present. |
| | Service Accounts | SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts are not members of the local Administrators group and do not run as LocalSystem. |
| | Exposed SQL Server/MSDE Password | The “sa” password and SQL service account password are not exposed in text files. |
| | Domain Controller Test | SQL Server and/or MSDE is not running on a domain controller. |
| | SQL Server/MSDE Security Mode | SQL Server and/or MSDE authentication mode is set to Windows Only. |
| | Registry Permissions | The Everyone group does not have more than Read access to the SQL Server and/or MSDE registry keys. |
| | CmdExec role | CmdExec is restricted to sysadmin only. |
| | Folder Permissions | Permissions on the SQL Server and/or MSDE installation folders are set properly. |
| | Guest Account | The Guest account is not enabled in any of the databases. |
| | SQL Server/MSDE Account Password Test | The check was skipped because SQL Server and/or MSDE is operating in Windows Only authentication mode. |

Desktop Application Scan Results

The following table shows desktop application scan results:

Table 7: Vulnerabilities

| Score | Issue | Result |
|---|---|---|
| | IE Zones | Internet Explorer zones have secure settings for all users. |
| | IE Enhanced Security Configuration for Administrators | The use of Internet Explorer is restricted for administrators on this server. |
| | IE Enhanced Security Configuration for Non-Administrators | The use of Internet Explorer is restricted for nonadministrators on this server. |
| | Macro Security | No Microsoft Office products are installed. |
