Server Security Guide: MA4000 (780KB PDF)

Server Security Guide: MA4000 (780KB PDF)
MA4000 Server
Security Best Practices Guide
October 2004
CNT-080204, Revision 1
Liability Disclaimer
NEC Unified Solutions, Inc. Reserves the right to change the
specifications, functions, or features, at any time, without notice.
NEC Unified Solutions, Inc. has prepared this document for the
exclusive use of its employees and customers. The information
contained herein is the property of NEC Unified Solutions, Inc. and
shall not be reproduced without prior written approval from NEC
Unified Solutions, Inc.
NEC GRANTS NO WARRANTIES OR CONDITIONS, EXPRESS OR
IMPLIED, BY STATUTE OR OTHERWISE REGARDING THESE
RECOMMENDATIONS, THEIR QUALITY, THEIR MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE, INCLUDING (BUT NOT
LIMITED TO) PREVENTION, DETECTION OR DETERRENCE OF TOLL
FRAUD, COMPUTER VIRUSES OR OTHER UNAUTHORIZED OR
IMPROPER USE OF THE SOFTWARE PRODUCTS. IN NO EVENT SHALL
NEC OR ANY OF ITS SUBSIDIARIES OR ITS AUTHORIZED DEALERS BE
HELD LIABLE FOR LOST PROFITS OR FOR ANY SPECIAL,
CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES CAUSED BY
THE IMPLEMENTATION OF THESE RECOMMENDATIONS. THE SECURITY
OF YOUR NEC APPLICATION IS ULTIMATELY YOUR RESPONSIBILITY.
THIS DISCLAIMER IS IN LIEU OF ALL OTHER WARRANTIES, EXPRESS
OR IMPLIED.
MA4000 is a © Copyright of NEC Corporation.
UNIVERGE SV7000 is a ™ Trademark of NEC Corporation.
© 2004 NEC Unified Solutions, Inc.
Microsoft, Windows, SQL Server and MSDE are registered trademarks
of Microsoft Corporation.
All other brand or product names are or may be trademarks or
registered trademarks of, and are used to identify products or services
of, their respective owners.
i
Contents
Introduction
1-1
Service Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
How This Guide is Organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Using This Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Securing the Network
2-1
Firewall Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Firewall Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Windows Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Securing the Operating System
3-1
Server Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Internet Information Server (IIS) Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
IIS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Service Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Virus Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ASP.NET. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Securing the Database
3-3
3-3
3-4
3-4
4-1
MSDE Installation and Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
System Administrator (sa) Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
MA4000 Server Security Best Practices Guide - Revision 1
ii
Contents
Post Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Service Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Securing the File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
SQL Server Installation and Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
System Administrator (sa) Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Post Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Service Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Securing the File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4-3
4-4
4-5
4-5
Backup and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Backup and Restore the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
Securing the Application
5-1
NEC Centralized Authentication Service (NEC CAS) . . . . . . . . . . . . . . . . . . . . 5-1
NEC CAS Authentication Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Login Account and Password Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Account Lockout Policies Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
NEC CAS Account Lock Out Policy Configuration . . . . . . . . . . . . . . . . . . . . . . 5-2
Session Time-Out Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
NEC CAS Authentication Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Database Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
LDAP Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Windows Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
MA4000 Manager Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
MA4000 Manager Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
E-mail Notification Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
System Manager Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
System Manager Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
System Manager Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
System Manager Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Internet Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Reporting Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
MA4000 Server Security Best Practices Guide - Revision 1
iii
Figures
Figure
2-1
Title
Page
Firewall Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
MA4000 Server Security Best Practices Guide - Revision 1
iv
Figures
MA4000 Server Security Best Practices Guide - Revision 1
1-1
1
Introduction
The MA4000 Management System consists of web-based applications
designed to manage the UNIVERGE™ SV7000 Voice Server and to
integrate with the NEC Enterprise Communications Platform.
The transition to the MA4000 Management System requires detailed
planning, collaboration, and oversight from key technology
stakeholders.
Security is a primary concern with all web-based applications. The lack
of strong security policies, out-of-date anti-virus protection, or obsolete
software can place your data at risk. NEC is aware of this risk and
strives to ship its products with the latest Operating Systems, Service
Packs, and Critical Updates.
NEC promotes a secure solution which involves a layered approach. This
includes the use of a firewall, a secure database, and other readily
available security practices, in conjunction with your current security
framework.
Customers should follow best practices as they relate to their business
objectives and specific business environment.
This guide contains recommendations to secure the MA4000
Management System. These recommendations are offered for your
convenience and should be tested thoroughly prior to deployment or
integration with your IT systems.
Chapter Topics
• Service Conditions
• How This Guide is Organized
• Using This Guide
MA4000 Server Security Best Practices Guide - Revision 1
1-2
Introduction
Service Conditions
• Do not implement recommendations in this guide before testing in a
test environment.
• As it is the responsibility of the customer to secure their NEC (or thirdparty) applications, always apply the latest Service Packs, Patches,
and Critical Updates to your Operating System to maintain systemwide security.
• This document does not replace a well-structured security policy.
Consult your System or Network Administrator before adopting NEC’s
security recommendations.
• This guide does not address site-specific configuration issues.
• The procedures in this guide are limited specifically to Microsoft
Windows XP Professional.
• The following operating systems are supported:
— Windows 2000 Professional
— Windows 2000 Server
— Windows 2003 Server
— Windows XP Professional
If using one of the other types of supported Operating Systems, your procedures
may differ slightly.
NOTE
• The procedures in this guide are limited specifically to the following:
— Internet Information Services (IIS) (Version 5.1 or higher).
— Microsoft SQL 2000 Server Personal Edition (Service Pack 3 or
higher).
— Microsoft SQL Server 2000 (Service Pack 3a or higher).
— MSDE (Service Pack 3 or higher).
Microsoft SQL 2000 Server Personal Edition is only recommended for small sites or
demonstration systems.
NOTE
MSDE (Service Pack 3) is included with the purchase of MA4000 Manager.
NOTE
MA4000 Server Security Best Practices Guide - Revision 1
Introduction
1-3
How This Guide is Organized
Chapter 1
Introduction
This chapter outlines important information and includes detailed
information on how to use this guide.
Chapter 2
Securing the Network
This chapter details how to secure a network before the MA4000
Management System is installed.
Chapter 3
Securing the Operating
System
This chapter describes procedures to secure the operating system in
preparation for the MA4000 Management System.
Chapter 4
Securing the Database
This chapter describes how to secure MSDE and SQL Server.
Chapter 5
Securing the Application
This chapter defines how to setup and configure NEC CAS, the MA4000
Manager, and System Manager applications.
Using This Guide
The target audience for this guide is general. Please be advised before
you apply a recommendation from this guide, NEC recommends that
you understand the high-level concepts and methods required to apply
these recommendations.
This guide does not include step-by-step instructions for any Windows
application. Each step-by-step instruction in this guide relates to the
MA4000 Management System.
Reference your Microsoft Users Guide to locate Windows Operating
System procedures.
MA4000 Server Security Best Practices Guide - Revision 1
1-4
Introduction
MA4000 Server Security Best Practices Guide - Revision 1
2-1
2
Securing the Network
A secure network environment is a critical security component. To
protect a web server on the network from unauthorized modification,
destruction, or disclosure; develop network security policies to
safeguard data and equipment.
This chapter provides recommended security practices to create and
enforce a secure network environment.
For more information on Securing the Network, go to http://www.microsoft.com.
REFERENCE
Chapter Topics
Keywords: Network, Security, Network Security, Firewall, Disable, Disable NetBIOS
Flaw, SQL, Database
• Firewall Overview
• Firewall Configuration
• Windows Services
Firewall Overview
A firewall is a combination of hardware and software that monitors and
controls incoming and outgoing network traffic. To achieve the best
results, place a firewall between the Internet and the MA4000 Web
Server.
MA4000 Server Security Best Practices Guide - Revision 1
2-2
Securing the Network
Figure 2-1 Firewall Protection
Potential intruders scan computers from the Internet or within the Local
Area Network (LAN), probing for an open port where they can break
through and access a server.
Enable the Microsoft Windows XP Professional firewall when a third-party firewall
(hardware/software) is not in place.
IMPORTANT
To increase security, configure the firewall to allow specific types of
traffic into and out of the internal network.
An external firewall is recommended for your MA4000 Web Server.
Firewall Configuration
• Grant access to a specific set of subnets when the MA4000 Web
Server and the UNIVERGE SV7000 are located on different
subnets.
MA4000 Server Security Best Practices Guide - Revision 1
Securing the Network
2-3
• Open the following ports:
— 80 (HTTP)
— 443 (HTTPS)
— 23 (Telnet)
— 81 (System Manager)
• Add port:
—2006 (MA4000 Arena Connection)
• Grant access to protocols specifically related to the MA4000:
—HTTP
—Time Protocol
• Enable MAC Address filtering.
• Lock-down Port 81 (System Manager).
• Limit access to the MA4000 Web Server to a specific set of
authorized IP Addresses.
Windows Services
Isolation of Services
To enforce security, it is recommended that you exclude the MA4000 Web
Server from the following Windows Services:
• The MA4000 Web Server may not be used as a Domain Controller
or Global Administrator.
The MA4000 installation will fail when installed as a Domain Controller.
IMPORTANT
• Do not install Microsoft SQL Server or MSDE on a Domain
Controller.
• Disable all unnecessary Windows Services.
• Do not use the following Windows Services:
—WINS
—DHCP
—FTP
—SMTP
Disable NetBIOS
Network Basic Input/Output System (NetBIOS) provides a set of
uniform commands from the low-level services. Applications installed on
a server use these low-level services to manage the services between
nodes on a network.
Windows Operating Systems have a known security issue which allows a
hacker to find the server’s IP address or computer name over a network.
By disabling NetBIOS, a hacker is prevented from obtaining network
information.
MA4000 Server Security Best Practices Guide - Revision 1
2-4
Securing the Network
Be sure to disable NetBIOS after the MA4000 installation is complete.
Only a Network or System Administrator should disable NetBIOS.
NOTE
MA4000 Server Security Best Practices Guide - Revision 1
3-1
3
Securing the Operating System
This chapter provides recommendations to secure the Windows XP
Professional Operating System.
For more information on Securing the Operating System, go to http://
www.microsoft.com.
REFERENCE
Chapter Topics
Keywords: Patch, Patch Management, Security, Securing your Web Server
• Server Administration
• IIS Configuration
Server Administration
Follow the recommendations below to ensure your operating system is
secure. NEC recommends the basic server administration policies.
• Install the MA4000 Management System before you apply a
Windows Update, Patch, or Critical Update.
• Enable the Windows Update service to receive Critical Update and
Security Patch notices.
• Enforce strong passwords.
• Disable and delete user accounts as they become inactive.
• Restrict Remote Access to administrators.
Internet Information Server (IIS) Overview
IIS is a web site server application and a primary target for hackers
monitoring your server. To secure IIS, enable the Secure Socket Layer
(SSL) connections and 128-bit encryption.
The information in this guide relates to IIS (Version 5.1 or later), running on Windows
XP Professional.
NOTE
TIP
128-bit encryption is available in a limited number of countries. Check with your
Network or System Administrator to determine if 128-bit encryption is available in
your area.
MA4000 Server Security Best Practices Guide - Revision 1
3-2
Securing the Operating System
It is recommended to use Integrated Windows Authentication as an
additional layer of security. Because Integrated Windows Authentication
uses Windows accounts to access IIS resources, anonymous access is
not allowed. Integrated Windows Authentication also encrypts
passwords, providing extra security by not sending passwords in clear
text.
For more information on IIS, go to http://www.microsoft.com.
REFERENCE
Keywords: How to setup SSL on a Web Server, Securing your Web Server
IIS Configuration
To configure IIS it is recommended to:
• Use Windows Authentication
• Turn on 128-bit encryption
• Enable Directory Security
Windows 2003 Server enables Directory Security by default.
NOTE
• Install the default directory folder on a separate drive partition
• Configure the web server for Secure Socket Layer (SSL)
• Purchase a Certificate of Trust
• Configure IIS to use SSL
• Modify the MA4000 Manager and NEC CAS application to use
HTTPS
MA4000 Server Security Best Practices Guide - Revision 1
Securing the Operating System
3-3
Service Accounts
Failure to secure a service account enables a hacker to gain
administrative access to a web server and possibly the network.
For more information on Service Accounts, go to http://www.microsoft.com.
REFERENCE
Keywords: Service Accounts, Permissions, Security
To increase service account security, it is recommended to:
• Create all Windows accounts with the lowest possible privileges
• Label administrative accounts with a user name other than
administrator
• Disable the Windows guest account
• Set the appropriate permissions for the ISUSR_machinename
account
TIP
The ISUSR account is used to permit anonymous access to a web site installed on
the web server. When the ISUSR_machinename account is configured incorrectly,
users cannot access the web site.
• Remove or disable unused Windows accounts
• Remove descriptions which refer to account privileges
• Rename or remove privileges from the default administrator
account
• Enforce policies to limit administrative access to two accounts
Virus Detection
Maintaining a secure environment means scanning for viruses regularly.
Most anti-virus software allows you to automatically download anti-virus
software updates and schedule scans at preset intervals.
It is recommended to scan your systems nightly to reduce the chance of
infection.
Because good security is redundant security, be sure to always maintain
up-to-date anti-virus software protection and schedule downloads
nightly for patches and updates.
For more information on virus detection, go to http://www.microsoft.com.
REFERENCE
Keywords: Anti-virus Defense
MA4000 Server Security Best Practices Guide - Revision 1
3-4
Securing the Operating System
Intrusion Detection
Intrusion detection software actively analyzes packets looking for
vulnerabilities on your network.
To increase network security, closely monitor your network and use
intrusion detection software.
For more information on intrusion detection, go to http://www.microsoft.com.
REFERENCE
Keywords: Intrusion Detection Logging
ASP.NET
There is a known security issue with Microsoft ASP.NET. A hacker can
bypass authentication and gain access to secure content on the web
server without credentials.
To eliminate this vulnerability, it is recommended that you download and
install the ValidatePath Module from Microsoft.com.
For more information on the Microsoft ASP.NET security issue, go to http://
www.microsoft.com.
REFERENCE
Keywords: Microsoft ASP.NET, ValidatePath Module, Canonicalization Problems in
ASP.NET, ASP.NET vulnerability
MA4000 Server Security Best Practices Guide - Revision 1
4-1
4
Securing the Database
The database is a vital component of the MA4000 Management System
and to your organization. Sensitive data related to users, phones, and
hardware is stored in a database. A hacker can use this data to launch a
malicious attack against your organization.
Any database server that is not kept up-to-date with the latest security
patches and critical updates can become infected with a worm.
A worm attacks vulnerabilities in database applications, which can
cripple your network and render your hardware useless.
To avoid this type of attack, check nightly for software updates and
enforce strong passwords for all system administrator accounts.
Chapter Topics
• MSDE Installation and Settings
• SQL Server Installation and Settings
• Backup and Recovery
MSDE Installation and Settings
For more information on MSDE security, go to http://www.microsoft.com.
REFERENCE
Keywords: Worm, MSDE, Database
System Administrator (sa) Passwords
System Administrator (sa) passwords are the main line of defense
against hackers and malicious software. Hackers can access free
programs designed to guess an sa password. The program generates
test passwords using a combination of common words and numbers to
gain access to the server.
Complex passwords are much more secure. Never under any
circumstance, use a blank sa password.
A strong password is defined as a password containing six or more
characters, including at least one number or one special character.
It is highly recommended to enforce strong passwords and to use strong
passwords on servers with Windows Authentication.
MA4000 Server Security Best Practices Guide - Revision 1
4-2
Securing the Database
Authentication
• Mixed Mode Authentication is recommended for the MA4000
Manager and NEC CAS database instance.
By default, the System Manager database instance is set to Windows Authentication.
NOTE
Post Installation
The following post installation procedures are recommended:
• Immediately after MSDE is installed, download and install the latest
security patches and critical updates.
• Test security patches internally to understand the impact to your IT
Systems.
• Delete the following set up files from the MSSQL\Installs folder:
— Sqlstp.log
— Sqlsp.log
— Setup.iis
SQL Database Scripts
During the MSDE named instance installation, SQL scripts execute to
configure the named instance. Each SQL script contains user names and
passwords, which creates a vulnerability for a malicious internal attack.
The SQL scripts are stored in folders which remain on the server. It is
recommended that you delete these folders after you create a copy to
store on CD-ROM.
To delete SQL scripts, complete the following steps:
Step 1
Click My Computer > C > Program Files > NEC > Agile > SRC >
Manager > Data.
Step 2
(Optional) Right-click the 1.0, 1.1, and 2.0 folders. Click Copy. Paste the
folders to your local drive to burn a CD-ROM for future use.
Step 3
Select the folders > right-click > Delete.
Each folder represents a version of MSDE. As you download and install MSDE
Updates, you must delete the folders created as a result of a new installation.
NOTE
Service Accounts
• Creating MSDE service accounts with the lowest possible privileges
is recommended. Also, create a unique user account to run the
following MSDE services:
MA4000 Server Security Best Practices Guide - Revision 1
Securing the Database
4-3
— MSSQL$MA4000 (MA4000 Manager)
— MSSQL$NECCAS (NEC CAS)
— MSSQL$NMDATABASE (System Manager)
— COM+ Event System
— COM+ System Application
— DCOM Server Process Launcher
— Remote Procedure Call (RPC)
— Remote Access Connection Manager
— World Wide Web Publishing Service
The name of the named instance reflects your naming conventions.
TIP
Securing the File System
Like most web applications, the data and log files contain web
configuration files. The web applications use the web configuration files
to store user names, passwords, and other data required to configure
the web server in clear text.
To protect the information found in web server configuration files, it is
recommended to store the data and log files on a disk volume separate
from the server system files.
SQL Server Installation and Settings
For more information on SQL Database security, go to http://www.mirosfot.com.
REFERENCE
Keywords: SQL Server Security, SQL Server Slammer, Enforcing Strong Password,
SQL Server Services
System Administrator (sa) Passwords
System Administrator (sa) passwords are the main line of defense
against hackers and malicious software. Hackers can access free
programs designed to guess an sa password. The program generates
test passwords using a combination of common words and numbers to
gain access to the server.
Complex passwords are much more secure. Never under any
circumstance, use a blank sa password.
A strong password is defined as a password containing six or more
characters, including at least one number or one special character.
It is highly recommended to enforce strong passwords and to use strong
passwords on servers with Windows Authentication.
MA4000 Server Security Best Practices Guide - Revision 1
4-4
Securing the Database
Authentication
• Mixed Mode Authentication is recommended for the MA4000
Manager and NEC CAS database instance.
At this time, the System Manager application cannot be used with SQL Server.
Future releases of System Manager will support SQL Server.
NOTE
Post Installation
The following post installation procedures are recommended.
• Immediately after SQL Server is installed and before you start the
named instance, download and install the latest security patches.
• Test the security patch internally to understand the impact to your
IT Systems.
• Delete all sample databases.
• Delete the following set up files from the MSSQL\Installs folder.
— Sqlstp.log
— Sqlsp.log
— Setup.iis
SQL Database Scripts
During the SQL Server named instance installation, SQL scripts execute
to configure the named instance. Each SQL script contains user names
and passwords, which creates a vulnerability for a malicious internal
attack.
The SQL scripts are stored in folders which remain on the server. It is
recommended that you delete these folders after you create a copy to
store on CD-ROM.
To delete SQL Server scripts, complete the following steps:
Step 1
Click My Computer > C > Program Files > NEC > Agile > SRC >
Manager > Data.
Step 2
(Optional) Right-click the 1.0, 1.1, and 2.0 folders. Click Copy. Paste the
folders to your local drive to burn a CD-ROM for future use.
Step 3
Select the folders > right-click > Delete.
Each folder represents a version of SQL Server. As you download and install SQL
Server Updates, you must delete the folders created as a result of a new installation.
NOTE
MA4000 Server Security Best Practices Guide - Revision 1
Securing the Database
4-5
Service Accounts
Creating SQL service accounts with the lowest possible privileges is
recommended. Also, create a unique user account to run the following
MSDE services:
— SQLAgent$MA4000 (MA4000 Manager)
— SQLAgent$NECCAS (NEC CAS)
— SQLAgent$NMDATABASE (System Manager)
— COM+ Event System
— COM+ System Application
— DCOM Server Process Launcher
— Distributed Transaction Coordinator
— Remote Procedure Call (RPC)
— Remote Access Connection Manager
— World Wide Web Publishing Service
The name of the named instance reflects your naming conventions.
TIP
Securing the File System
Like most web applications, the data and log files contain web
configuration files. The web applications use the web configuration files
to store user names, passwords, and other data required to configure
the web server in clear text.
To protect the information found in web server configuration files, it is
recommended to store the data and log files on a disk volume separate
from the server system files.
Backup and Recovery
Backup and Recovery plans are important. A well developed plan will aid
with recovering from a virus or an attack.
Schedule regular backups for important files, and if possible, keep a
copy in a separate location in case of fire, flood, or disaster.
For more information on Backup and Recovery, go to http://www.microsoft.com.
REFERENCE
Keywords: Backup and Recovery
MA4000 Server Security Best Practices Guide - Revision 1
4-6
Securing the Database
It is recommended to:
• Develop a solid plan to recover from a virus or attack.
• Backup the MA4000 Management System after an upgrade, service
pack, or patch.
• Test your backup and recovery plan.
Backup valuable data hourly.
TIP
Backup and Restore the Database
NEC provides the Backup Assistant application to backup and restore an
MSDE or SQL Server database. Locate the Backup Assistant software on
the MA4000 CD-ROM.
To use the Backup Assistant software, reference the Backup Assistant
User Guide located on the MA4000 CD-ROM.
MA4000 Server Security Best Practices Guide - Revision 1
5-1
5
Securing the Application
The following configurations and settings are recommended to secure
the MA4000 Management System.
Chapter Topics
•
•
•
•
•
•
•
•
NEC Centralized Authentication Service (NEC CAS)
NEC CAS Authentication Policies
NEC CAS Account Lock Out Policy Configuration
NEC CAS Authentication Setup
MA4000 Manager Overview
System Manager Overview
Internet Explorer
Reporting Issues
NEC Centralized Authentication Service (NEC CAS)
The NEC CAS application is an authentication source used to
authenticate users for an NEC CAS-enabled application.
To obtain installation procedures, refer to the NEC CAS Installation
Guide located on the MA4000 CD-ROM.
NEC CAS Authentication Policies
An authentication policy is a set of rules that are applied to the
authentication process.
The authentication policies consist of the following:
• Login Account
• Password Management
• Account Lockout
• Session Time-Out
Each policy works in combination with program specific authorization
rules.
It is recommended to adhere to these policies in order to secure your
NEC CAS-enable application.
MA4000 Server Security Best Practices Guide - Revision 1
5-2
Securing the Application
Login Account and Password Management
Do not use the sysadmin account for daily use. The MA4000 Manager
audit log tracks the activity of every MA4000 login account. When
multiple users share the same username, the audit log is not effective.
• Reserve the sysadmin account for password resets, when all other
administrative accounts are inactive or locked out.
• Limit the number of administrator accounts to two or less.
• Use strong passwords for database authentication.
Account Lockout Policies Overview
The account lockout policy disables a login account after a user exceeds
the predefined number of invalid attempts. Configure the Maximum
Allowed Failure Count key to limit the number of invalid login attempts,
in the event that a malicious hacker has launched an attack using this
account.
The MA4000 Management System notifies managers via e-mail when a
NEC CAS-enabled login account becomes disabled.
To configure e-mail notification for disabled MA4000 Manager accounts,
see E-mail Notification Setup.
NEC CAS Account Lock Out Policy Configuration
NEC recommends enforcing an account lockout policy to reduce the
chance of compromising an account. Complete the following steps to
configure the account lockout threshold:
Step 1
Click My Computer > C > Program Files > NEC > NECCAS.
Step 2
Locate and save the private.config file on your local drive as a
backup.
Step 3
Open the private.config file, then select the following key:
<add key="MaxAllowedLoginFailureCount" value="3"/>.
Step 4
Change the value 3 to a number of your choice.
Step 5
Click File > Save > Close.
Session Time-Out Policy
The MA4000 Manager application contains a Session Time-Out Policy
which requires a user to login to the Manager application after a predefined period of inactivity.
This prevents unauthorized access to the MA4000 Management system.
MA4000 Server Security Best Practices Guide - Revision 1
Securing the Application
Example:
5-3
A technician walks away from the computer for an hour with
an active session of MA4000 Manager and NEC CAS open.
Without session time-out policies, an unauthorized user has
access to the MA4000 Management System (NEC CAS,
System Manager and the MA4000 Manager applications).
With a session time-out policy, the session expires after 10
minutes of inactivity. This requires a user to login to the
application before use, which maintains system security.
To configure the Session Time-Out Policy, complete the following steps:
Step 1
Click My Computer > C > Program Files > NEC > Agile >
Manager.
Step 2
Locate and save the web.config file on your local drive as a
backup.
Step 3
Modify the following string:
<sessionState mode="InProc"
stateConnectionString="tcpip=177.0.0.1:22424"
sqlConnectionString="data
source=127.0.0.1;Trusted_Connection=yes" cookieless="false"
timeout="20" />.
Step 4
Enter the desired time-out value in minute format.
Example:
<sessionState mode="InProc"
stateConnectionString="tcpip=177.0.0.1:22424"
sqlConnectionString="data
source=127.0.0.1;Trusted_Connection=yes"
cookieless="false" timeout="10" />.
The time-out value indicates the MA4000 session will expire
after 10 minutes of inactivity.
Step 5
Click File > Save > Close.
NEC CAS Authentication Setup
NEC CAS supports three types of authentication methods.
• Windows
• Database (MSDE or SQL Server)
• Internal (MSDE or SQL Server)
Windows Integrated Authentication option is the only authentication
mode supported for NEC CAS-enabled programs.
To configure NEC CAS for authentication, choose one of the following
procedures.
MA4000 Server Security Best Practices Guide - Revision 1
5-4
Securing the Application
Database Authentication
Before you change the authentication type, perform the following steps:
Step 1
Create a login name for all program users in NEC CAS.
Step 2
Create a password for each login name.
Step 3
Create a login name for all program users in the NEC CASenabled program.
To change the Authentication type to Database Authentication, perform
the following steps:
Step 1
Click My Computer > C > Program Files > NEC > NECCAS.
Step 2
Select the Private.config file.
Step 3
Set the Auth Type key to InternalDb.
Example:
Step 4
<add key="AuthType" value="InternalDb"/>.
Select the following string:
<add key="InternalDbConnString"
value="server=STARSHINE\NECCAS;uid=neccas;pwd=NecC
as;database=NecCas"/>.
Replace the bold print with the machine name, username, password, and named
instance for the NEC CAS database.
NOTE
Step 5
Click File > Save > Close.
LDAP Authentication
Perform the following steps before you configure LDAP Authentication.
Step 1
Create a NEC CAS administrator login account in the LDAP
Source.
Step 2
Create a password for the administrator account.
Step 3
Create a login name for all program users in the NEC CASenabled program.
To change the Authentication type to LDAP Authentication, perform the
following steps.
Step 1
Click C > Program Files > NEC > NECCAS.
Step 2
Select the Private.config file.
Step 3
Set the Auth Type Key to Ldap.
MA4000 Server Security Best Practices Guide - Revision 1
Securing the Application
Example:
Step 4
Example:
5-5
<add key="AuthType" value="Ldap"/>.
Remove the comment from the key, then type the address for
the LDAP Server.
Before removing comment:
<!--<add key="LDAPServer" value="LDAP://LdapServer/
DC=LdapServer120,DC=LdapServermail"/>-->
After removing comment to include the LDAP Server Address:
<add key="LDAPServer" value="LDAP://LdapServer/
DC=LdapServer120,DC=LdapServermail"/>
Step 5
(Optional) If you are using Lightweight Directory Access
Protocol over SSL (LDAPS), remove the <!--(comment)-->
from the LDAPS key.
Step 6
Type the LDAP Server Address and the port number for the SSL
connection.
Example:
Before removing comment:
<!--<add key="LDAPServer" value="LDAPS://LdapServer/
DC=LdapServer120,DC=LdapServermail"/>-->
After removing comment:
<add key="LDAPServer" value="LDAPS://LdapServer:636/
DC=LdapServer120,DC=LdapServermail"/>.
The colon and bold print display the port number for the SSL connection.
NOTE
Step 7
Click File > Save > Close.
Step 8
Login to an NEC CAS-enabled program.
Windows Authentication
Perform the following steps before you configure Windows
Authentication.
Step 1
Verify the client configuration as Windows Authentication.
Step 2
Verify the username exists in the program.
Step 3
Uncheck Anonymous Access in IIS.
To configure Windows Authentication, perform the following steps.
Step 1
Click My Computer > C > Program Files > NEC > NECCAS.
Step 2
Select the Private.config file.
MA4000 Server Security Best Practices Guide - Revision 1
5-6
Securing the Application
Step 3
Example:
Step 4
Set the Auth type key to Windows.
<add key="AuthType" value="Windows"/>.
Click File > Save > Close.
MA4000 Manager Overview
The MA4000 Manager application manages the UNIVERGE SV7000 and
NEAX 2000 IPS Voice Servers.
To obtain installation procedures, refer to the MA400 Manager
Installation Guide located on the MA4000 CD-ROM.
MA4000 Manager Services
Allow the following services for the MA4000 Management System to
function:
—NEC MA4000 Arena
—NEC MA4000 Alarm Engine
—NEC MA4000 Voice Server Engine
—NEC MA4000 Telnet Engine
—NEC MA4000 License Engine
—NEC MA4000 LDAP Engine Database Change Notification
E-mail Notification Setup
The MA4000 Management System notifies MA4000 managers when a
M4000 login account becomes disabled.
To configure e-mail notifications, log on to the MA4000 Manager
application and complete the following steps:
To configure the E-mail Notification feature, you must be using an SMTP e-mail
server.
IMPORTANT
Step 1
Select Administration > MA4000 Setup. The MA4000 Setup
screen displays.
Step 2
In the Sender e-mail field, enter an e-mail address. This email address is the default address used in e-mail notifications
to identify the sender.
Step 3
In the Reply To field, type an e-mail address.
MA4000 Server Security Best Practices Guide - Revision 1
Securing the Application
REFERENCE
5-7
Step 4
In the Default Recipient field, type an e-mail address.
Step 5
(Optional) In the E-mail Server Username field, type a user
name.
Step 6
(Optional) Check the Change E-mail Server Password check
box. The Password and Confirm Password fields display.
Step 7
In the Password field, type the password.
Step 8
Click Save.
Step 9
(Optional) To send a test e-mail to the default recipient, click
Send a Test Message. The MA4000 server will transmit a test
e-mail to the default recipient.
Reference the MA4000 Manager Help System for detailed information.
From the Help System, click Administration > MA4000 Setup > Configure E-mail
Settings.
System Manager Overview
The System Manager application is a web-based application designed to
configure the UNIVERGE SV7000 Voice Server.
System Manager Installation
For installation of System Manager, refer to the MA4000 Manager
Installation Guide located on the MA4000 CD-ROM.
System Manager Configuration
It is recommended that you enable Directory Security.
System Manager Services
Enable the NEC Device Server 2.0 service.
The Device Server displays as DeviceServerWorX Supervisor in the System Tray.
TIP
MA4000 Server Security Best Practices Guide - Revision 1
5-8
Securing the Application
Internet Explorer
The server and client PC access the MA4000 Manager via Internet
Explorer. To view the applications correctly, it is recommended to:
• Use the default Internet Explorer enhanced security settings.
• Add the following to Trusted Sites for all client PCs:
— MA4000 Manager
— NEC CAS
— MA4000 Web Updates
— System Manager
• Enable cookies on the web server and all clients PCs for the
MA4000 Manager and NEC CAS.
• Enable activeX controls not marked as safe.
ActiveX controls are required for System Manager.
IMPORTANT
• For Windows XP Professional (Service Pack 2 only), disable the
pop-up blocker for the System Manager web site for the web server
and all client PCs.
Reporting Issues
Promptly report all issues encountered to NEC or one of its authorized
dealers or partners.
Please include the following information:
• NEC application name and version
• Windows Operating System and version
• Database software and version
• Virus protection software and version
• Firewall software and version
• Hardware specifications
• Provide specific details related to the issue
• Include a list of software recently installed on the web server
• Provide details on server performance before modifications
MA4000 Server Security Best Practices Guide - Revision 1
For additional information or support contact your NEC Unified
Solutions representative.
MA4000 Server
CNT-080204, Revision 1
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement