CCMS 6.0 Security Templates
NOTICE TO HOLDERS OF PAPER COPIES: Upon receipt of a new issue, destroy the previous issue or mark it OBSOLETE.
CONFIDENTIAL INFORMATION: The information contained in this document is the property of Nortel Networks. Except as specifically authorized in writing by Nortel Networks, the holder of this document shall keep all information contained herein confidential and shall protect same in whole or in part from disclosure and dissemination to all third parties.
Nortel Proprietary

Trademarks
The following are trademarks of Nortel Networks: Nortel, Nortel Networks, BNR, ACD, BCS, CallPilot, DMS, DMS-100, DMS-250, DMS-MTX, DMS-SCP, DNC, DPN-100, DVS, DualMode, FastView, Helmsman, M2317, MAP, Symposium, Meridian Digital Centrex (MDC), Meridian, Meridian 1, Meridian Link, Meridian MAX, Meridian NAC, Meridian CCR, Meridian IVR, Meridian Terminal Emulator, MFA, Norstar, PowerTouch, SL-1, SL-100, SuperNode, Telesis, Unity. Action Request System and AR System are trademarks of Remedy Corporation. AMDEK is a trademark of Amdek Corporation. ANSI is a trademark of the American National Standards Institute. ClearCase is a registered trademark and ClearCase MultiSite is a trademark of Rational Software Corporation. Continuus, Continuus/CM, and Continuus/PT are trademarks of Continuus Software Corporation. CaseWare/CM, CaseWare/PT, CaseWare, ACCENT, and Amplify Control are registered trademarks of Continuus Software Corporation. Courier is a trademark of Smith-Corona Corporation. CT Connect and CT Media are registered trademarks of Dialogic. Frame, FrameBuilder and FrameMaker are trademarks of Adobe Systems Incorporated. Helvetica and Times are trademarks of Linotype AG or its subsidiaries. InstallShield is a registered trademark of InstallShield Software Corporation. Interleaf is a trademark of Interleaf, Inc. Macintosh, Power Macintosh, and Apple are registered trademarks of Apple Computer, Inc. Mac OS is a trademark of Apple Computer, Inc. Microsoft Windows, Microsoft Word, Microsoft Excel, PowerPoint, Microsoft Project, Microsoft File Extension, and MS-DOS are trademarks of Microsoft Corporation. Novell is a trademark of Novell, Inc. Olecera Chart is a trademark of KL Group Inc. Portable Document Format is a trademark of Adobe Systems Incorporated. PostScript is a trademark of Adobe Systems Incorporated. SYBASE is a trademark of Sybase, Inc. UNIX is a trademark of UNIX System Laboratories. Versatility, Versatility Administrator, Versatility Call Blending, Versatility Campaign Plus, Versatility Insight, Versatility Predictive, and Versatility Telesales / Teleservice are trademarks of Versatility Inc. WinRunner, TSL and Context Sensitive are trademarks of Mercury Interactive Corporation.
Issue 1.02
Approvals
Prepared by: Ronald Chan, Senior Design Support Engineer, MA Design Support, Enterprise Solutions, Multimedia Apps Support & Validation, Nortel Networks Corporation
David OConnell, Leader, CC Sustaining & Localization Application R&D, Multimedia Apps Support and Validation, Nortel Networks Corporation
Revision history
Issue 0.01, June 23, 2005, Ronald Chan: Draft copy. Section 3.1: add CCMS 6.0 standalone server security template definitions.
Ronald Chan: Draft copy. Section 2.2: change the template file location from the CC 6.0 DVD to the Meridian PEP Library web site. Section 2.2, Table 1: remove the CCO template. Section 2.3.1: change the template file location from the CC 6.0 DVD to the Meridian PEP Library web site.
Ronald Chan: Draft copy. Section 2.2: update Table 1 to include the CCMS 6.0 Replication server. Section 2.3.1: add the new Security Template Rollback section. Section 3.1: add the Contact Center Manager Replication server. Section 3.1: update Table 3 with the latest CCMS 6.0 security template settings. Section 3.2: update Table 4 with the latest CCMS 6.0 co-residency security template settings, including CCT. Section 3.3: update Table 5 with the latest CCMA 6.0 security template settings. Section 3.5: add section and Table 6 with the CCT 6.0 standalone server security template settings.
Ronald Chan: Draft copy. Section 2.5: add section outlining the network environment requirements for CC 6.0 servers operating with a security template.
Ronald Chan: Approved copy. Section 2.2: update Table 1 to add CCMM 6.0. Section 2.3.2: update Table 2 to add CCMM 6.0. Section 3.5: add section and Table 8 for the CCMM 6.0 security template settings.
Ronald Chan: Approved copy. Section 2.2: update Table 1 to add CCMS 6.0 Stratus. Section 2.3.2: update Table 2 to add CCMS 6.0 Stratus. Section 3.6: add section and Table 9 for the CCMS 6.0 Stratus security template settings.
Table of contents
1 Introduction ... 1
1.1 Purpose ... 1
1.2 Scope ... 1
1.3 Intended audience ... 1
2.1 Contact Center 6.0 Security Template Baseline ... 2
2.2 Contact Center 6.0 Security Template Applicability ... 2
2.3 Contact Center 6.0 Security Templates Deployment ... 3
2.3.1 Security Template Rollback ... 4
2.3.2 Local Server Deployment ... 5
2.3.3 Network Domain Deployment ... 9
2.4 Additional security settings ... 9
2.5 Network Environment Consideration ... 10
3.1 Contact Center Manager Server Security Template Definitions ... 11
3.2 Contact Center Manager Server Co-residency Security Template Definitions ... 35
3.3 Contact Center Manager Administration Security Template Definitions ... 60
3.4 Communication Control Toolkit Security Template Definitions ... 80
3.5 Contact Center Multimedia/Outbound Security Template Definitions ... 100
3.6 Contact Center Manager Server on Stratus Platform Security Template Definitions ... 119
4 Glossary ... 146
5 References ... 148
List of tables
Table 1 Contact Center 6.0 Security Template File Applicability with Contact Center Server ... 3
Table 2 Contact Center 6.0 Security Template Rollback Files ... 4
Table 3 Contact Center 6.0 Security Template Additional Settings ... 10
Table 4 Contact Center Manager Server 6.0 Security Template Settings ... 11
Table 5 Contact Center Manager Server 6.0 Co-res Security Template Settings ... 35
Table 6 Nortel Contact Center Manager Administration 6.0 Security Template Settings ... 61
Table 7 Nortel Communication Control Toolkit 6.0 Security Template Settings ... 80
Table 8 Contact Center Multimedia/Outbound 6.0 Security Template Settings ... 100
Table 9 Contact Center Manager Server Stratus Security Template Settings ... 120
1 Introduction

1.1 Purpose
Securing every networked server is a critical task for all organizations, and it is always mandated that the server operating system settings and services be locked down. Windows Server 2003 can be secured by applying a predefined security template, either locally on the computer or through network Group Policy Objects (GPOs), instead of hardening it manually. Nortel Contact Center 6.0 provides a set of predefined Windows Server 2003 security templates that can be deployed quickly to secure the Contact Center 6.0 suite of application servers. The set of Contact Center 6.0 security templates is designed to closely match the industry consensus security benchmark [1] published by the Center for Internet Security (CIS) while meeting the operational requirements of the Contact Center 6.0 suite of application servers. This guide provides the detailed definitions of the Contact Center 6.0 security templates and describes how to deploy them to the Contact Center 6.0 suite of application servers.
1.2 Scope
This guide covers the set of security templates for Nortel Contact Center 6.0. It is not intended to be a comprehensive security guide for either Nortel Contact Center 6.0 or Windows Server 2003.
1.3 Intended audience
This guide is intended for anyone wishing to secure Contact Center 6.0 application servers that meet the Contact Center 6.0 security template applicability requirements. It assumes that the reader is familiar with the security subjects and features of Windows Server 2003 and of a Microsoft network domain (Active Directory) environment.
2.1 Contact Center 6.0 Security Template Baseline

2.2 Contact Center 6.0 Security Template Applicability
Table 1 Contact Center 6.0 Security Template File Applicability with Contact Center Server

Contact Center 6.0 Security Template File: Applicable Contact Center 6.0 Application Server
CCMS 6.0 Security Template.inf: Contact Center Manager Server standalone server, Contact Center Manager Replication server, and Network Control Center server
CCMS 6.0 Cores Security Templt.inf: Contact Center Manager Server co-residency server
CCMA 6.0 Security Template.inf: Contact Center Manager Administration standalone server
CCT 6.0 Security Template.inf: Communication Control Toolkit server
CCMM 6.0 Security Template.inf: Contact Center Multimedia/Outbound server
CCMS 6.0 Stratus Security Temp.inf: Contact Center Manager Server standalone server on Stratus platform, Contact Center Manager Replication server on Stratus platform, and Network Control Center server on Stratus platform
Note: The security templates apply to Contact Center 6.0 only. Their compatibility with earlier Symposium portfolio products running on the Windows Server 2003 platform has not been verified, and they are not applicable to any Symposium portfolio release prior to Contact Center 6.0. The templates are designed for a typical server configuration and may not be compatible with some customer-specific configurations. If a customer installs additional third-party software on a Contact Center 6.0 application server, the customer must review and test the compatibility of the Contact Center 6.0 security template with that software in a non-production environment, and adjust the template if necessary.
2.3 Contact Center 6.0 Security Templates Deployment
The Contact Center 6.0 security template can be deployed either before or after the Contact Center 6.0 application is installed on the server.

2.3.1 Security Template Rollback

There are situations (such as adding CCMA and CCT to a previously standalone CCMS server to convert it into a CCMS co-residency server) in which the originally applied Contact Center 6.0 security template must be rolled back and a new template appropriate to the new Contact Center 6.0 application server configuration applied. A set of default rollback templates is provided for the corresponding Contact Center 6.0 security templates. These default rollback templates revert the security settings (excluding the permission settings on registry keys and files) from the applied security template to the default Windows Server 2003 (with SP1) settings. Table 2 lists the available rollback template files and the Contact Center 6.0 application server each applies to.
Table 2 Contact Center 6.0 Security Template Rollback Files

Contact Center 6.0 Security Template Rollback File: Applicable Contact Center 6.0 Application Server
CCMS 6.0 Security Templt Rollb.inf: Contact Center Manager Server standalone server, Contact Center Manager Replication server, and Network Control Center server
CCMS 6.0 Cores Sec Templt Rollb.inf: Contact Center Manager Server co-residency server
CCMA 6.0 Security Templt Rollb.inf: Contact Center Manager Administration standalone server
CCT 6.0 Security Templt Rollb.inf: Communication Control Toolkit server
CCMM 6.0 Security Templ Roll.inf: Contact Center Multimedia/Outbound server
CCMS 6.0 Stratus Sec Tmp Rollbk.inf: Contact Center Manager Server standalone server on Stratus platform, Contact Center Manager Replication server on Stratus platform, and Network Control Center server on Stratus platform
If the Windows Server 2003 configuration differs from its default installed settings before the Contact Center 6.0 security template is applied, the default rollback template may not restore that customized configuration. Nortel recommends that you create an appropriate rollback template on your Contact Center 6.0 application server before deploying the Contact Center 6.0 security template. The rollback template is generated from a command prompt with secedit /GenerateRollback /CFG <CC 6.0 Security Template.inf> /RBK <Rollback Template.inf> (e.g., secedit /GenerateRollback /CFG "C:\CCMS 6.0 Security Template.inf" /RBK C:\rollback.inf; the template path is quoted because it contains spaces).

2.3.2 Local Server Deployment

To deploy the Contact Center 6.0 security template locally on a Contact Center 6.0 application server, select the security template applicable to that server and download it from the Meridian PEP Library web site to the server's local disk drive. The template can then be imported and applied with the Microsoft Security Configuration and Analysis utility. The following steps deploy the Contact Center 6.0 security template using Security Configuration and Analysis (you must first add the Security Configuration and Analysis snap-in to the Microsoft Management Console):
1) Log on to the server with an administrative account.
2) Open the management console that contains the Security Configuration and Analysis snap-in.
3) Right-click the Security Configuration and Analysis scope item and click Open Database. Enter a new database name (e.g., CCMA 6.0 Security Template) in the File name field of the Open database dialog, then press Open.
4) In the Import Template dialog, browse to and select the Contact Center 6.0 security template file downloaded from the Meridian PEP Library web site, then press Open.
5) Right-click the Security Configuration and Analysis scope item and click Analyze Computer Now to compare the imported Contact Center 6.0 security template against the current server configuration.
6) In the Perform Analysis dialog, accept the default log file path (e.g., C:\Documents and Settings\Administrator\My Documents\Security\Logs\CCMA 6.0 Security Template.log) or choose a log file path of your own, then press OK to perform the analysis.
7) Open the security analysis log file in a text editor and review every mismatched item that may not meet your server requirements. Adjust the security template if necessary.
8) Right-click the Security Configuration and Analysis scope item in the Security Configuration and Analysis snap-in management console. Click Configure Computer Now to configure the server security settings with the imported Contact Center 6.0 security template.
9) In the Configure System dialog, accept the default log file path (e.g., C:\Documents and Settings\Administrator\My Documents\Security\Logs\CCMA 6.0 Security Template.log) or choose a log file path of your own, then press OK to configure the computer.
10) Reboot the server to activate the new security policy and configuration.

2.3.3 Network Domain Deployment

The Contact Center 6.0 security templates can be deployed in a network domain environment by importing the template into a Group Policy Object of an OU of which the Contact Center 6.0 server is a member. To import a security template:
1) Open the Group Policy Management Console (GPMC).
2) In the console tree, expand the domain or OU into which you want to import the security template. Right-click the Group Policy Object that you want to edit, then click Edit.
3) In the Group Policy Object Editor console tree, click Computer Configuration, click Windows Settings, right-click Security Settings, and then select Import Policy.
4) Click the Contact Center 6.0 security template that you want to import, then click Open.
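The Analyze Computer Now step above compares the imported template with the server's current settings item by item and logs each mismatch. The following Python script is an added example, not part of the Nortel guide or its templates: it performs the same comparison offline between two secedit .inf files (a Contact Center template against a rollback template or an exported current configuration) and also builds the secedit command lines for the rollback, analyze and configure sequence with the paths quoted. The two embedded templates are constructed for the example and only borrow settings from Table 4.

```python
"""Compare two secedit security templates (.inf) and report where they differ,
which is what the 'Analyze Computer Now' step does against the live server."""
from __future__ import annotations

import re

# Sections of a Windows Server 2003 security template that the analysis compares.
COMPARED_SECTIONS = ("System Access", "Privilege Rights", "Registry Values")


def parse_inf(text: str) -> dict[str, dict[str, str]]:
    """Return {section: {key: value}} for a secedit .inf template."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def _normalize(section: str, value: str) -> object:
    """Privilege rights are SID lists whose order is irrelevant; compare as sets."""
    if section == "Privilege Rights":
        return frozenset(s.strip() for s in value.split(",") if s.strip())
    return value


def analyze(template: dict, current: dict) -> list[tuple[str, str, str, str]]:
    """List (section, key, template_value, current_value) for every mismatch.

    A key the template defines but the current configuration lacks is reported
    with current_value '<not configured>'.
    """
    mismatches = []
    for section in COMPARED_SECTIONS:
        for key, wanted in template.get(section, {}).items():
            actual = current.get(section, {}).get(key, "<not configured>")
            if _normalize(section, wanted) != _normalize(section, actual):
                mismatches.append((section, key, wanted, actual))
    return mismatches


def secedit_commands(template: str, database: str, rollback: str, log: str) -> list[str]:
    """Command lines for the rollback / analyze / configure sequence of section 2.3.
    Every path is quoted because the template file names contain spaces."""
    return [
        f'secedit /generaterollback /cfg "{template}" /rbk "{rollback}" /log "{log}"',
        f'secedit /analyze /db "{database}" /cfg "{template}" /log "{log}"',
        f'secedit /configure /db "{database}" /cfg "{template}" /log "{log}"',
    ]


# Constructed sample: a cut-down template carrying a few Table 4 settings.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
; Deny access to this computer from the network: ANONYMOUS LOGON, Guests
SeDenyNetworkLogonRight = *S-1-5-7,*S-1-5-32-546
; Deny log on as a batch job: Guests
SeDenyBatchLogonRight = *S-1-5-32-546
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
"""

# Constructed sample: what an un-hardened server might report as its current state.
SAMPLE_CURRENT = r"""
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyBatchLogonRight = *S-1-5-32-546
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""


def sample_mismatches() -> list[tuple[str, str, str, str]]:
    return analyze(parse_inf(SAMPLE_TEMPLATE), parse_inf(SAMPLE_CURRENT))


if __name__ == "__main__":
    for section, key, wanted, actual in sample_mismatches():
        print(f"[{section}] {key}: template={wanted!r} server={actual!r}")
```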
2.4 Additional settings

Table 3 Contact Center 6.0 Security Template Additional Settings

Security Setting
  User Rights Assignments
    Deny access to this computer from the network (minimum)
    Deny log on as a batch job
    Deny log on through Terminal Services (minimum)
  Security Options
    Accounts: Rename administrator account
    Accounts: Rename guest account
    Interactive logon: Message text for users attempting to log on
    Interactive logon: Message title for users attempting to log on

2.5 Network Environment Consideration
3

3.1 Contact Center Manager Server Security Template Definitions

Table 4 Contact Center Manager Server 6.0 Security Template Settings

Security Setting Items: Setting
Account Policies
  Password Policy
    Enforce password history
    Maximum password age
    Minimum password age
    Minimum password length
    Password must meet complexity requirements
    Store passwords using reversible encryption
  Account Lockout Policy
    Account lockout duration
    Account lockout threshold
    Reset account lockout counter after
  Kerberos Policy
    Enforce user logon restrictions: <Not defined>
    Maximum lifetime for service ticket: <Not defined>
    Maximum lifetime for user ticket: <Not defined>
    Maximum lifetime for user ticket renewal: <Not defined>
    Maximum tolerance for computer clock synchronization: <Not defined>
Local Policies
  Audit Policy
    Audit account logon events: Success, Failure
    Audit account management: Success, Failure
    Audit directory service access: <Not defined>
    Audit logon events: Success, Failure
    Audit object access: Success, Failure
    Audit policy change: Success
    Audit privilege use: <Not defined>
    Audit process tracking: <Not defined>
    Audit system events: Success
  User Rights Assignment
    Access this computer from the network: <Not defined>
    Act as part of the operating system: <None>
    Add workstations to domain: <Not defined>
    Adjust memory quotas for a process: <Not defined>
    Allow log on locally: Administrators
    Allow log on through Terminal Services: Administrators, Remote Desktop Users
    Back up files and directories: Administrators
    Bypass traverse checking: Users
    Change the system time: Administrators
    Create a pagefile: <Not defined>
    Create a token object: <None>
    Create global objects: <Not defined>
    Create permanent shared objects: <None>
    Debug programs: <None>
    Deny access to this computer from the network: ANONYMOUS LOGON, Guests
    Deny log on as a batch job: Guests
  Security Options
    Accounts: Rename administrator account: (recommend changing it to a non-standard name)
    Accounts: Rename guest account: <Not defined> (recommend changing it to a non-standard name)
    Audit: Audit the access of global system objects
    Audit: Audit the use of Backup and Restore privilege
    Audit: Shut down system immediately if unable to log security audits
    DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
    DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
    Devices: Allow undock without having to log on
    Devices: Allowed to format and eject removable media
    Devices: Prevent users from installing printer drivers
    Devices: Restrict CD-ROM access to locally logged-on user only
    Devices: Restrict floppy access to locally logged-on user only
    Devices: Unsigned driver installation behavior
    Domain controller: Allow server operators to schedule tasks
    Domain member: Digitally encrypt or sign secure channel data (always)
    Domain member: Digitally encrypt secure channel data (when possible)
    Domain member: Digitally sign secure channel data (when possible)
    Interactive logon: Message text for users attempting to log on: <Not defined> (recommend defining a custom or DOJ-approved message text)
    Interactive logon: Number of previous logons to cache (in case domain controller is not available)
    Interactive logon: Prompt user to change password before expiration: 14 days
    Interactive logon: Require Domain Controller authentication to unlock workstation
    Interactive logon: Require smart card
    Interactive logon: Smart card removal behavior
    Microsoft network client: Digitally sign communications (always)
    Microsoft network client: Digitally sign communications (if server agrees)
    Microsoft network client: Send unencrypted password to third-party SMB servers
    Microsoft network server: Amount of idle time required before suspending session: 15 minutes
    Microsoft network server: Digitally sign communications (always)
    Microsoft network server: Digitally sign communications (if client agrees)
    Connections time out sooner if a SYN attack is detected: 3 and 6 seconds, half-open connections dropped after 21 seconds
    Network access: Allow anonymous SID/Name translation: Disabled
    Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
    Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
    Network access: Do not allow storage of credentials or .NET Passports for network authentication: Enabled
    Network access: Let Everyone permissions apply to anonymous users: Disabled
    Network access: Named pipes that can be accessed anonymously: <None>
    Network access: Remotely accessible registry paths:
      Software\Microsoft\Windows NT\CurrentVersion\Print
      Software\Microsoft\Windows NT\CurrentVersion\Windows
      System\CurrentControlSet\Control\Print\Printers
      System\CurrentControlSet\Services\Eventlog
      Software\Microsoft\OLAP Server
      System\CurrentControlSet\Control\ContentIndex
      System\CurrentControlSet\Control\Terminal Server\UserConfig
    Network access: Remotely accessible registry paths (continued):
      System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration
      Software\Microsoft\Windows NT\CurrentVersion\Perflib
      System\CurrentControlSet\Services\SysmonLog
    Network access: Restrict anonymous access to Named Pipes and Shares: Enabled
    Network access: Shares that can be accessed anonymously
    Network access: Sharing and security model for local accounts
    Network security: Do not store LAN Manager hash value on next password change
    Network security: Force logoff when logon hours expire: <Not defined>
    Network security: LAN Manager authentication level: Send NTLMv2 response only\refuse LM
    Network security: LDAP client signing requirements: Negotiate signing
    Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption
    Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption
    Recovery console: Allow automatic administrative logon
    Recovery console: Allow floppy copy and access to all drives and all folders
    Shutdown: Allow system to be shut down without having to log on
    Shutdown: Clear virtual memory pagefile
    System cryptography: Force strong key protection for user keys stored on the computer: User must enter a password each time they use a key
    System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System Services
  ASP.NET State Service (aspnet_state)
  Automatic Updates (Wuauserv)
  Background Intelligent Transfer Service (BITS)
  CC License Manager (CC_LM) (built-in CC 6.0 service)
  CC Replication Service (REP_Service) (built-in CCMS service)
  CCMS ASM_Service (ASM_Service) (built-in CCMS service)
  CCMS Audit_Service (AUDIT_Service) (built-in CCMS service)
  CCMS Control Service (CCMS_MasterService) (built-in CCMS service)
  COM+ Event System (EventSystem)
  COM+ System Application (COMSysApp)
  Computer Browser (Browser)
  Cryptographic Services (CryptSvc)
  DCOM Server Process Launcher (DcomLaunch) (applicable to Windows Server 2003 SP1)
  DHCP Client (Dhcp)
  Distributed File System (Dfs)
  Distributed Link Tracking Client (TrkWks)
  Distributed Link Tracking Server (TrkSvr)
  Distributed Transaction Coordinator (MSDTC)
  Services set to Disabled in this template carry the permission set Administrators=Full Control, System=Full Control, Interactive=Read.
  InstallDriver Table Manager (built-in InstallShield service for CC installation)
  Intersite Messaging (IsmServ)
  IPSEC Services (PolicyAgent)
  Kerberos Key Distribution Center (Kdc)
  License Logging Service (LicenseService)
  Logical Disk Manager (Dmserver)
  Logical Disk Manager Administrative Service (Dmadmin)
  Messenger (Messenger)
  Microsoft Software Shadow Copy Provider (SwPrv)
  Net Logon (Netlogon)
  NetMeeting Remote Desktop Sharing (mnmsrvc)
  Network Connections
  Network DDE (NetDDE)
  Network DDE DSDM (NetDDEdsdm)
  Network Location Awareness (NLA)
  Network Provisioning Service (xmlprov) (applicable to Windows Server 2003 SP1)
  Network News Transport Protocol (NNTP) (NntpSvc)
  NT LM Security Support Provider (NtLmSsp)
  pcAnywhere Host Service (built-in pcAnywhere service for CC, if it is installed)
  Performance Logs and Alerts (SysmonLog)
  Plug and Play (PlugPlay)
  Portable Media Serial Number Service (WmdmPmSN)
  Print Server for Macintosh (MacPrint)
  Remote Procedure Call (RPC) (RpcSs)
  Remote Procedure Call (RPC) Locator (RpcLocator)
  Remote Registry (RemoteRegistry)
  Remote Server Manager (AppMgr)
  Removable Storage (NtmsSvc)
  Resultant Set of Policy Provider (RSoPProv)
  Routing and Remote Access (RemoteAccess)
  Secondary Logon (seclogon)
  Security Accounts Manager (SamSs)
  Server (lanmanserver)
  Shell Hardware Detection (ShellHWDetection)
  Simple Mail Transfer Protocol (SMTP) (SMTPSVC)
  Smart Card (SCardSvr)
  SNMP Service (SNMP)
  SNMP Trap Service (SNMPTRAP)
  Special Administration Console Helper (Sacsvr)
  Sybase BCKServer_<server name>_BS (SYBBCK_<server name>_BS) (built-in CCMS Sybase service)
Telnet (TlntSvr)
  Themes (Themes)
  Uninterruptible Power Supply (UPS)
  Upload Manager (Uploadmgr)
  Virtual Disk Service (VDS)
  Volume Shadow Copy (VSS)
  Web Element Manager (elementmgr)
  WebClient (WebClient)
  Windows Audio (AudioSrv)
  Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess)
  Windows Image Acquisition (WIA) (StiSvc)
  Windows Installer (MSIServer)
  Windows Management Instrumentation (winmgmt)
  WMI Performance Adapter (WmiApSrv)
  Workstation (lanmanworkstation)
  World Wide Web Publishing Service (W3SVC)
Registry MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers ion\Installer MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers ion\policies MACHINE\SYSTEM\CurrentControlSet\Enum Administrators=Full Control, SYSTME=Full Control, Users=Read Administrators=Full Control, SYSTME=Full Control, Users=Read Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full
MACHINE\SYSTEM\CurrentConrtrolSet\Services\SNMP\ Parameters\PermittedManagers
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\at.exe
%SystemRoot%\system32\attrib.exe
%SystemRoot%\system32\cacls.exe
%SystemRoot%\system32\debug.exe
%SystemRoot%\system32\drwatson.exe
%SystemRoot%\system32\drwtsn32.exe
%SystemRoot%\system32\edlin.exe
%SystemRoot%\system32\eventcreate.exe
%SystemRoot%\system32\eventtriggers.exe
%SystemRoot%\system32\ftp.exe
%SystemRoot%\system32\net.exe
%SystemRoot%\system32\net1.exe
%SystemRoot%\system32\netsh.exe
%SystemRoot%\system32\rcp.exe
%SystemRoot%\system32\reg.exe
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\regsvr32.exe
%SystemRoot%\system32\rexec.exe
%SystemRoot%\system32\rsh.exe
%SystemRoot%\system32\runas.exe
%SystemRoot%\system32\sc.exe
%SystemRoot%\system32\subst.exe
%SystemRoot%\system32\telnet.exe
%SystemRoot%\system32\tftp.exe
%SystemRoot%\system32\tlntsvr.exe
3.2
Security Setting Items / Setting
Account Policies
Password Policy
Enforce password history: 24 passwords remembered
Administrators, Remote Desktop Users Administrators Users Administrators <Not defined> <None> <Not defined> <None> <None> ANONYMOUS LOGON, Guests Guests <Not defined> <Not defined> Guests <None>
<Not defined> <Not defined> SERVICE <Not defined> Administrators <Not defined> <Not defined>
Audit: Audit the access of global system objects
Audit: Audit the use of backup and restore privilege
Audit: Shut down system immediately if unable to log security alerts
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
<Not defined>
<Not defined>
<Not defined>
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Display user information when the session is locked
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Message text for users attempting to log on
<Not defined>
Enabled
Enabled
Disabled
30 days
Enabled
<Not defined>
Enabled
Disabled
<Not defined> (Recommend to define a custom, or DOJ approved message text)
<Not defined>
(Recommend to define a custom, or DOJ approved message title)
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require domain controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to connect to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)
MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)
MSS: (AFD MaximumDynamicBacklog) Maximum number of quasi-free connections for Winsock applications
MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for system under attack, 10 otherwise)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
<Not defined>
14 days
<Not defined>
Enabled
Disabled
15 minutes
<Not defined>
Enabled
Enabled
10
Enabled
20000 (recommended)
20
<Not defined>
Enabled
Disabled
Connections time out sooner if a SYN attack is detected (3 & 6 seconds, half-open connections dropped after 21 seconds)
<Not defined>
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of credentials or .NET passports for network authentication
Disabled
Enabled
Enabled
Enabled
<None>
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Do not store LAN Manager password hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Enabled
Require message integrity, Require message confidentiality, Require NTLMv2 Session Security, Require 128-bit Encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Require message integrity, Require message confidentiality, Require NTLMv2 Session Security, Require 128-bit Encryption
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Default owner for objects created by members of the Administrators group
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Event Logs
Maximum application log size
Maximum security log size
Maximum system log size
Disabled
<Not defined>
User must enter a password each time they use a key
<Not defined>
<Not defined>
<Not defined>
Enabled
Application Experience Lookup Service (AeLookupSvc) (applicable to Windows Server 2003 SP1)
Application Layer Gateway Service (ALG)
Application Management (AppMgmt)
Client Service for NetWare (NWCWorkstation)
<Not defined>
<Not defined>
<Not defined>
COM+ Event System (EventSystem)
COM+ System Application (COMSysApp)
Computer Browser (Browser)
Cryptographic Services (CryptSvc)
Crystal Report Application Server (built-in CCMA Crystal Report service)
DCOM Server Process Launcher (DcomLaunch) (applicable to Windows Server 2003 SP1)
DHCP Client (Dhcp)
Distributed File System (Dfs)
Distributed Link Tracking Client (TrkWks)
Distributed Link Tracking Server (TrkSvr)
Distributed Transaction Coordinator (MSDTC)
DNS Client (Dnscache)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
HTTP SSL (HTTPFilter)
Human Interface Device Access (HidServ)
IIS Admin Service (IISADMIN)
IMAPI CD-Burning COM Service (ImapiService)
Indexing Service (Cisvc)
<Not defined>
<Not defined>
<Not defined>
Logical Disk Manager (Dmserver)
Logical Disk Manager Administrative Service (Dmadmin)
Messenger (Messenger)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Microsoft Software Shadow Copy Provider (SwPrv)
MSSQL$NNCCTDB (Built-in CCT SQL server)
MSSQLServerADHelper (Built-in CCT SQL service)
NCCT Data Access Layer (Built-in CCT service)
NCCT Server (Built-in CCT service)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Manual (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Network DDE (NetDDE)
Network DDE DSDM (NetDDEdsdm)
Network Location Awareness (NLA)
Network Provisioning Service (xmlprov)
Network News Transport Protocol (NNTP) (NntpSvc)
<Not defined>
<Not defined>
<Not defined>
NT LM Security Support Provider (NtLmSsp)
pcAnywhere Host Service (Built-in pcAnywhere service for CC if it is installed)
Performance Logs and Alerts (SysmonLog)
Plug and Play (PlugPlay)
Portable Media Serial Number Service
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Print Spooler (Spooler)
Protected Storage (ProtectedStorage)
Remote Access Auto Connection Manager (RasAuto)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Remote Procedure Call (RPC) (RpcSs)
Remote Procedure Call (RPC) Locator (RpcLocator)
Remote Registry (RemoteRegistry)
Remote Server Manager (AppMgr)
<Not defined>
<Not defined>
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Removable Storage (NtmsSvc)
Resultant Set of Policy Provider (RSoPProv)
Routing and Remote Access (RemoteAccess)
Secondary Logon (seclogon)
Security Accounts Manager (SamSs)
Server (lanmanserver)
Shell Hardware Detection (ShellHWDetection)
Simple Mail Transfer Protocol (SMTP) (SMTPSVC)
Smart Card (SCardSvr)
SNMP Service (SNMP)
SNMP Trap Service
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Disabled
Special Administration Console Helper (Sacsvr)
SQLAgent$NNCCTDB (Built-in CCT SQL Agent service)
Sybase BCKServer_<server name>_BS (SYBBCK_<server name>_BS) (Built-in CCMS Sybase service)
Sybase MONServer_<server name>_MS (SYBMON_<server name>_MS) (Built-in CCMS Sybase service)
Sybase SQLServer_<server name> (SYBSQL_<server name>) (Built-in CCMS Sybase service)
Sybase XPServer_<server name>_XP (SYBXPS_<server name>_XP) (Built-in CCMS Sybase service)
Sybase ASE Protect Service (SybProtect) (Built-in CCMS Sybase service)
SymposiumWC (Built-in CCMA ADAM service)
System Event Notification (SENS)
Task Scheduler (Schedule)
TCP/IP NetBIOS Helper (LMHost)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Terminal Service (TermService)
Terminal Service Session Directory (Tssdis)
Trivial FTP Daemon (tftpd)
<Not defined>
Themes (Themes)
Uninterruptible Power Supply (UPS)
Upload Manager (Uploadmgr)
Virtual Disk Service (VDS)
Volume Shadow Copy (VSS)
Web Element Manager (elementmgr)
WebClient (WebClient)
Windows Audio (AudioSrv)
Windows Firewall/Internet Connection Sharing (ICS)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
WMI Performance Adapter (WmiApSrv)
Workstation (lanmanworkstation)
World Wide Web Publishing Service (W3SVC)
Registry
MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer
<Not defined>
<Not defined>
Administrators=Full Control, SYSTEM=Full Control, Users=Read
Administrators=Full Control, SYSTEM=Full Control, Users=Read
Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control
Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control
Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control
Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control, Users=Read
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\at.exe
%SystemRoot%\system32\attrib.exe
%SystemRoot%\system32\cacls.exe
%SystemRoot%\system32\debug.exe
%SystemRoot%\system32\drwatson.exe
%SystemRoot%\system32\drwtsn32.exe
%SystemRoot%\system32\edlin.exe
%SystemRoot%\system32\eventcreate.exe
%SystemRoot%\system32\eventtriggers.exe
%SystemRoot%\system32\ftp.exe
%SystemRoot%\system32\net.exe
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\netsh.exe
%SystemRoot%\system32\rcp.exe
%SystemRoot%\system32\reg.exe
%SystemRoot%\system32\regedt32.exe
%SystemRoot%\system32\regsvr32.exe
%SystemRoot%\system32\rexec.exe
%SystemRoot%\system32\rsh.exe
%SystemRoot%\system32\runas.exe
%SystemRoot%\system32\sc.exe
%SystemRoot%\system32\subst.exe
%SystemRoot%\system32\telnet.exe
%SystemRoot%\system32\tftp.exe
%SystemRoot%\system32\tlntsvr.exe
3.3
Table 6 Nortel Contact Center Manager Administration 6.0 Security Template Settings
Security Setting Items
Account Policies
Password Policy
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption
Account Lockout Policy
Account lockout duration
Account lockout threshold
Reset account lockout counter after
Kerberos Policy
Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization
Local Policies
Audit Policy
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Setting
<Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Administrators, Remote Desktop Users Administrators Users Administrators <Not defined> <None> <Not defined> <None> <None> ANONYMOUS LOGON, Guests Guests <Not defined> <Not defined> Guests <None>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine password age
Domain member: Require strong (Windows 2000 or later) session key
<Not defined>
Enabled
Enabled
Disabled
30 days
Enabled
Enabled
Disabled
<Not defined> (Recommend to define a custom, or DOJ approved message text)
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require domain controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to connect to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)
MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)
<Not defined>
14 days
<Not defined>
Enabled
Disabled
15 minutes
<Not defined>
Enabled
Enabled
10
Enabled
20
Disabled
<Not defined>
Enabled
Disabled
Connections time out sooner if a SYN attack is detected (3 & 6 seconds, half-open connections dropped after 21 seconds)
<Not defined>
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of credentials or .NET passports for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Disabled
Enabled
Enabled
Enabled
Disabled
<None>
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
<Not defined>
Send NTLMv2 response only\refuse LM
Negotiate signing
Require message integrity, Require message confidentiality, Require NTLMv2 Session Security, Require 128-bit Encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Require message integrity, Require message confidentiality, Require NTLMv2 Session Security, Require 128-bit Encryption
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Default owner for objects created by members of the Administrators group
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects
Disabled
<Not defined>
User must enter a password each time they use a key
<Not defined>
<Not defined>
<Not defined>
Enabled
Application Experience Lookup Service (AeLookupSvc) (applicable to Windows Server 2003 SP1)
Application Layer Gateway Service (ALG)
Application Management
<Not defined>
<Not defined>
ASP.NET State Service (aspnet_state)
Automatic Updates (Wuauserv)
Background Intelligent Transfer Service (BITS)
CCMA ICEEmHlpService (Built-in CCMA service)
CCMA IceRTDService (Built-in CCMA service)
CCMA LMService (Built-in CCMA service)
ClipBook (ClipSrv)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
COM+ Event System (EventSystem)
COM+ System Application (COMSysApp)
Computer Browser (Browser)
Cryptographic Services (CryptSvc)
Crystal Report Application Server (built-in CCMA Crystal Report service)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Help & Support (Helpsvc)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
HTTP SSL (HTTPFilter)
Human Interface Device Access (HidServ)
IIS Admin Service (IISADMIN)
IMAPI CD-Burning COM Service (ImapiService)
Indexing Service (Cisvc)
<Not defined>
<Not defined>
<Not defined>
InstallDriver Table Manager (Built-in InstallShield service for CC installation)
Intersite Messaging (IsmServ)
IPSEC Service (PolicyAgent)
Kerberos Key Distribution Center (Kdc)
License Logging (LicenseService)
<Not defined>
<Not defined>
<Not defined>
Logical Disk Manager (Dmserver)
Logical Disk Manager Administrative Service (Dmadmin)
<Not defined>
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Microsoft Software Shadow Copy Provider (SwPrv)
Net Logon (Netlogon)
NetMeeting Remote Desktop Sharing (mnmsrvc)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Manual (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Network DDE (NetDDE)
Network DDE DSDM (NetDDEdsdm)
Network Location Awareness (NLA)
Network Provisioning Service (xmlprov)
Network News Transport Protocol (NNTP) (NntpSvc)
<Not defined>
<Not defined>
<Not defined>
NT LM Security Support Provider (NtLmSsp)
pcAnywhere Host Service (Built-in pcAnywhere service for CC if it is installed)
<Not defined>
Print Spooler (Spooler)
Protected Storage (ProtectedStorage)
Remote Access Auto Connection Manager (RasAuto)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Remote Procedure Call (RPC) (RpcSs)
Remote Procedure Call (RPC) Locator
<Not defined>
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Removable Storage (NtmsSvc)
Resultant Set of Policy Provider (RSoPProv)
Routing and Remote Access (RemoteAccess)
Secondary Logon (seclogon)
Security Accounts Manager (SamSs)
Server (lanmanserver)
Shell Hardware Detection (ShellHWDetection)
Simple Mail Transfer Protocol (SMTP)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Special Administration Console Helper (Sacsvr)
SymposiumWC (Built-in CCMA ADAM service)
System Event Notification (SENS)
Task Scheduler (Schedule)
TCP/IP NetBIOS Helper (LMHost)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Telephony (TapiSrv)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Telnet (TlntSvr)
Terminal Service (TermService)
Terminal Service Session Directory (Tssdis)
Trivial FTP Daemon
<Not defined>
Disabled
Themes (Themes)
Uninterruptible Power Supply (UPS)
Upload Manager (Uploadmgr)
Virtual Disk Service (VDS)
Volume Shadow Copy (VSS)
Web Element Manager (elementmgr)
WebClient (WebClient)
Windows Audio (AudioSrv)
Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess)
Windows Image Acquisition (WIA) (StiSvc)
Windows Installer (MSIServer)
Windows Management Instrumentation (winmgmt)
Windows Management Instrumentation Driver Extensions (Wmi)
Windows Time
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
WMI Performance Adapter (WmiApSrv)
Workstation (lanmanworkstation)
World Wide Web Publishing Service (W3SVC)
Registry
MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
MACHINE\SYSTEM\CurrentControlSet\Enum
<Not defined>
<Not defined>
Administrators=Full Control, SYSTEM=Full Control, Users=Read
Administrators=Full Control, SYSTEM=Full Control, Users=Read
Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control
Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control
Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control
Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control, Users=Read
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\attrib.exe
%SystemRoot%\system32\cacls.exe
%SystemRoot%\system32\debug.exe
%SystemRoot%\system32\drwatson.exe
%SystemRoot%\system32\drwtsn32.exe
%SystemRoot%\system32\edlin.exe
%SystemRoot%\system32\eventcreate.exe
%SystemRoot%\system32\eventtriggers.exe
%SystemRoot%\system32\ftp.exe
%SystemRoot%\system32\net.exe
%SystemRoot%\system32\net1.exe
%SystemRoot%\system32\netsh.exe
%SystemRoot%\system32\rcp.exe
%SystemRoot%\system32\reg.exe
%SystemRoot%\system32\regedt32.exe
%SystemRoot%\system32\regsvr32.exe
%SystemRoot%\system32\rexec.exe
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\rsh.exe
%SystemRoot%\system32\runas.exe
%SystemRoot%\system32\sc.exe
%SystemRoot%\system32\subst.exe
%SystemRoot%\system32\telnet.exe
%SystemRoot%\system32\tftp.exe
%SystemRoot%\system32\tlntsvr.exe
3.4
Security Setting Items / Setting
Account Policies
Password Policy
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Administrators, Remote Desktop Users
Administrators
Users
Administrators
<Not defined>
<None>
<Not defined>
<None>
<None>
ANONYMOUS LOGON, Guests
Guests
<Not defined>
<Not defined>
Guests
<None>
<Not defined>
<Not defined>
SERVICE
<Not defined>
Administrators
<Not defined>
<None>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Audit: Audit the access of global system objects
Audit: Audit the use of backup and restore privilege
Audit: Shut down system immediately if unable to log security alerts
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
<Not defined>
<Not defined>
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Display user information when the session is locked
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Message text for users attempting to log on
<Not defined>
Enabled
Enabled
Disabled
30 days
Enabled
<Not defined>
Enabled
Disabled
<Not defined> (Recommend defining a custom or DOJ-approved message text)
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
<Not defined>
14 days
Enabled
Disabled
15 minutes
<Not defined>
Enabled
Enabled
10
Enabled
20000 (recommended)
20
Disabled
<Not defined>
Enabled
Connections time out sooner if a SYN attack is detected (3 and 6 seconds); half-open connections are dropped after 21 seconds
<Not defined>
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of credentials or .NET passports for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Disabled
Enabled
Enabled
Enabled
Disabled
<None>
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry paths and sub-paths
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Do not store LAN Manager password hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Enabled
<Not defined>
Send NTLMv2 response only\refuse LM
Negotiate signing
Require message integrity, Require message confidentiality, Require NTLMv2 Session Security, Require 128-bit Encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Require message integrity, Require message confidentiality, Require NTLMv2 Session Security, Require 128-bit Encryption
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Default owner for objects created by members of the Administrators group
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Event Logs
Maximum application log size
Maximum security log size
Maximum system log size
Prevent local guests group from accessing application log
Prevent local guests group from accessing security log
Prevent local guests group from accessing system log
Retain application log
16384 kilobytes
81920 kilobytes
16384 kilobytes
Enabled
Enabled
Enabled
<Not defined>
Disabled
<Not defined>
Disabled
<Not defined>
User must enter a password each time they use a key
<Not defined>
<Not defined>
<Not defined>
Enabled
Application Experience Lookup Service (AeLookupSvc) (applicable to Windows Server 2003 SP1)
Application Layer Gateway Service (ALG)
Application Management (AppMgmt)
CC License Manager (applicable if CC License Manager is installed on the CCT server)
Client Service for Netware (NWCWorkstation)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
COM+ Event System (EventSystem)
COM+ System Application (COMSysApp)
Computer Browser (Browser)
Cryptographic Services (CryptSvc)
DCOM Server Process Launcher (DcomLaunch) (applicable to Windows Server 2003 SP1)
DHCP Client (Dhcp)
Distributed File System (Dfs)
Distributed Link Tracking Client (TrkWks)
Distributed Link Tracking Server (TrkSvr)
Distributed Transaction Coordinator (MSDTC)
DNS Client (Dnscache)
Error Reporting Services (ERSvc)
Event Log
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
InstallDriver Table Manager (Built-in InstallShield service for CC installation)
Intersite Messaging
<Not defined>
Logical Disk Manager (Dmserver)
Logical Disk Manager Administrative Service (Dmadmin)
Messenger (Messenger)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Microsoft Software Shadow Copy Provider (SwPrv)
MSSQL$NNCCTDB
MSSQLServerADHelper
NCCT Data Access Layer
NCCT Logging Service
NCCT Server
NCCT TAPI Connector Service
Net Logon (Netlogon)
NetMeeting Remote Desktop Sharing (mnmsrvc)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
System=Full Control, Interactive=Read)
Network Connections (Netman)
Manual (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Network DDE (NetDDE)
Network DDE DSDM (NetDDEdsdm)
Network Location Awareness (NLA)
Network Provisioning Service (applicable to Windows Server 2003 SP1)
Network News Transport Protocol (NNTP) (NntpSvc)
<Not defined>
<Not defined>
<Not defined>
NT LM Security Support Provider (NtLmSsp)
pcAnywhere Host Service (Built-in pcAnywhere service for CC if it is installed)
Performance Logs and Alerts (SysmonLog)
Plug and Play (PlugPlay)
Portable Media Serial Number Service (WmdmPmSN)
Print Server for Macintosh (MacPrint)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Remote Procedure Call (RPC) (RpcSs)
Remote Procedure Call (RPC) Locator (RpcLocator)
Remote Registry Service (RemoteRegistry)
Remote Server Manager (AppMgr)
<Not defined>
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Removable Storage (NtmsSvc)
Resultant Set of Policy Provider (RSoPProv)
Routing and Remote Access (RemoteAccess)
Secondary Logon (seclogon)
Security Accounts Manager (SamSs)
Server (lanmanserver)
Shell Hardware Detection (ShellHWDetection)
Simple Mail Transfer Protocol (SMTP) (SMTPSVC)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Smart Card (SCardSvr)
SNMP Service (SNMP)
SNMP Trap Service (SNMPTRAP)
<Not defined>
<Not defined>
Terminal Services (TermService)
Terminal Services Session Directory (Tssdis)
Trivial FTP Daemon (tftpd)
<Not defined>
Themes (Themes)
Uninterruptible Power Supply (UPS)
Upload Manager (Uploadmgr)
Virtual Disk Service (VDS)
Volume Shadow Copy (VSS)
Web Element Manager
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Registry
MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
MACHINE\SYSTEM\CurrentControlSet\Enum
Administrators=Full Control, SYSTEM=Full Control, Users=Read
Administrators=Full Control, SYSTEM=Full Control, Users=Read
Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control
Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control
Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control
Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control, Users=Read
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\at.exe
%SystemRoot%\system32\attrib.exe
%SystemRoot%\system32\cacls.exe
%SystemRoot%\system32\debug.exe
%SystemRoot%\system32\drwatson.exe
%SystemRoot%\system32\drwtsn32.exe
%SystemRoot%\system32\edlin.exe
%SystemRoot%\system32\eventcreate.exe
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\eventtriggers.exe
%SystemRoot%\system32\ftp.exe
%SystemRoot%\system32\net.exe
%SystemRoot%\system32\net1.exe
%SystemRoot%\system32\netsh.exe
%SystemRoot%\system32\rcp.exe
%SystemRoot%\system32\reg.exe
%SystemRoot%\system32\regedt32.exe
%SystemRoot%\system32\regsvr32.exe
%SystemRoot%\system32\rexec.exe
%SystemRoot%\system32\rsh.exe
%SystemRoot%\system32\runas.exe
%SystemRoot%\system32\sc.exe
%SystemRoot%\system32\subst.exe
%SystemRoot%\system32\telnet.exe
%SystemRoot%\system32\tftp.exe
%SystemRoot%\system32\tlntsvr.exe
3.5
Security Setting Items / Setting
Account Policies
Password Policy
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption
Account Lockout Policy
Account lockout duration
Account lockout threshold
Reset account lockout counter after
Kerberos Policy
Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Administrators, Remote Desktop Users
Administrators
Users
Administrators
<Not defined>
<None>
<Not defined>
<None>
<None>
<Not defined>
<Not defined>
SERVICE
<Not defined>
Administrators
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
LOCAL SERVICE, NETWORK SERVICE
<Not defined>
Administrators
<None>
Administrators
Audit: Audit the access of global system objects
Audit: Audit the use of backup and restore privilege
Audit: Shut down system immediately if unable to log security alerts
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Devices: Unsigned driver installation behavior
Domain Controller: Allow server operators to schedule tasks
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Enabled
Disabled
30 days
Enabled
<Not defined>
Enabled
Disabled
<Not defined> (Recommend defining a custom or DOJ-approved message text)
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require domain controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to connect to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Digitally sign communications
<Not defined>
14 days
<Not defined>
Enabled
Disabled
15 minutes
<Not defined>
Enabled
10
Enabled
20000 (recommended)
20
Disabled
<Not defined>
Enabled
Disabled
Connections time out sooner if a SYN attack is detected (3 and 6 seconds); half-open connections are dropped after 21 seconds
<Not defined>
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of credentials or .NET passports for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Disabled
Enabled
Enabled
Enabled
Disabled
<None>
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Do not store LAN Manager password hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Enabled
<Not defined>
Send NTLMv2 response only\refuse LM
Negotiate signing
Require message integrity, Require message confidentiality, Require NTLMv2 Session Security, Require 128-bit Encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Require message integrity, Require message confidentiality, Require NTLMv2 Session Security, Require 128-bit Encryption
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user
Disabled
<Not defined>
<Not defined>
Enabled
ASP.NET State Service (aspnet_state)
Automatic Updates (Wuauserv)
Background Intelligent Transfer Service (BITS)
Cache Controller for Nortel (Built-in Cache service for CCMM)
CCMM Email Manager Service (Built-in CCMM service)
CCMM License Service (Built-in CCMM service)
CCMM Manager Client Service (Built-in CCMM service)
CCMM OAM Service (Built-in CCMM service)
CCMM Outbound Scheduler Service (Built-in CCMM service)
CCMM Starter Service
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
COM+ Event System (EventSystem)
COM+ System Application (COMSysApp)
Computer Browser (Browser)
Cryptographic Services (CryptSvc)
DCOM Server Process Launcher (DcomLaunch) (applicable to Windows Server 2003 SP1)
DHCP Client (Dhcp)
Distributed File System (Dfs)
Distributed Link Tracking Client (TrkWks)
Distributed Link Tracking Server (TrkSvr)
Distributed Transaction Coordinator (MSDTC)
DNS Client (Dnscache)
Error Reporting Services (ERSvc)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
HTTP SSL (HTTPFilter)
Human Interface Device Access (HidServ)
IIS Admin Service (IISADMIN)
IMAPI CD-Burning COM Service (ImapiService)
Indexing Service (Cisvc)
<Not defined>
<Not defined>
<Not defined>
InstallDriver Table Manager (Built-in InstallShield service for CC installation)
Intersite Messaging
<Not defined>
Logical Disk Manager (Dmserver)
Logical Disk Manager Administrative Service (Dmadmin)
Messenger (Messenger)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Microsoft Software Shadow Copy Provider (SwPrv)
Net Logon (Netlogon)
NetMeeting Remote Desktop Sharing (mnmsrvc)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Manual (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
<Not defined>
NT LM Security Support Provider (NtLmSsp)
pcAnywhere Host Service (Built-in pcAnywhere service for CC if it is installed)
Performance Logs and Alerts (SysmonLog)
Plug and Play (PlugPlay)
Portable Media Serial Number Service (WmdmPmSN)
Print Server for Macintosh (MacPrint)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Print Spooler (Spooler)
Protected Storage (ProtectStorage)
Remote Access Auto Connection Manager (RasAuto)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Remote Administration Service (SrvcSurg)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Remote Procedure Call (RPC) (RpcSs)
Remote Procedure Call (RPC) Locator (RpcLocator)
Remote Registry (RemoteRegistry)
Remote Server Manager (AppMgr)
<Not defined>
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
<Not defined>
Smart Card (SCardSvr)
SNMP Service (SNMP)
SNMP Trap Service (SNMPTRAP)
<Not defined>
Special Administration Console Helper (Sacsvr)
System Event Notification (SENS)
Task Scheduler (Schedule)
TCP/IP NetBIOS Helper (LMHost)
<Not defined>
<Not defined>
<Not defined>
Telephony
Disabled
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Telnet (TlntSvr)
Terminal Services (TermService)
Terminal Services Session Directory (Tssdis)
Trivial FTP Daemon (tftpd)
<Not defined>
Themes (Themes)
Uninterruptible Power Supply (UPS)
Upload Manager (Uploadmgr)
Virtual Disk Service (VDS)
Volume Shadow Copy (VSS)
Web Element Manager (elementmgr)
WebClient (WebClient)
Windows Audio (AudioSrv)
Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
WMI Performance Adapter (WmiApSrv)
Workstation (lanmanworkstation)
World Wide Web Publishing Service (W3SVC)
Registry
MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
<Not defined>
<Not defined>
Administrators=Full Control, SYSTEM=Full Control, Users=Read
Administrators=Full Control, SYSTEM=Full Control, Users=Read
Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control
MACHINE\SYSTEM\CurrentControlSet\Enum
Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control
Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control
Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control, Users=Read
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\at.exe
%SystemRoot%\system32\attrib.exe
%SystemRoot%\system32\cacls.exe
%SystemRoot%\system32\debug.exe
%SystemRoot%\system32\drwatson.exe
%SystemRoot%\system32\drwtsn32.exe
%SystemRoot%\system32\edlin.exe
%SystemRoot%\system32\eventcreate.exe
%SystemRoot%\system32\eventtriggers.exe
%SystemRoot%\system32\ftp.exe
%SystemRoot%\system32\net.exe
%SystemRoot%\system32\net1.exe
%SystemRoot%\system32\netsh.exe
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\rcp.exe
%SystemRoot%\system32\reg.exe
%SystemRoot%\system32\regedt32.exe
%SystemRoot%\system32\regsvr32.exe
%SystemRoot%\system32\rexec.exe
%SystemRoot%\system32\rsh.exe
%SystemRoot%\system32\runas.exe
%SystemRoot%\system32\sc.exe
%SystemRoot%\system32\subst.exe
%SystemRoot%\system32\telnet.exe
%SystemRoot%\system32\tftp.exe
%SystemRoot%\system32\tlntsvr.exe
3.6
Security Setting Items / Setting
Account Policies
Password Policy
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption
Account Lockout Policy
Account lockout duration
Account lockout threshold
Reset account lockout counter after
Kerberos Policy
Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization
Local Policies
Audit Policy
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Success, Failure
Success, Failure
<Not defined>
Success, Failure
Success, Failure
Administrators, Remote Desktop Users
Administrators
Users
Administrators
<Not defined>
<None>
<Not defined>
<None>
<None>
ANONYMOUS LOGON, Guests
Guests
<Not defined>
<Not defined>
Guests
<None>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Display user information when the session is locked
<Not defined>
Enabled
Enabled
Disabled
30 days
Enabled
<Not defined>
(Recommend defining a custom or DOJ-approved message text)
Interactive logon: Message title for users attempting to log on
<Not defined> (Recommend defining a custom or DOJ-approved message title)
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require domain controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to connect to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)
MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)
MSS: (AFD MaximumDynamicBacklog) Maximum number of quasi-free connections for Winsock
<Not defined>
14 days
<Not defined>
Enabled
Disabled
15 minutes
<Not defined>
Enabled
Enabled
10
Enabled
20000 (recommended)
Disabled
<Not defined>
Enabled
Disabled
Connections time out sooner if a SYN attack is detected
3 & 6 seconds, half-open connections dropped after 21 seconds
<Not defined>
Enabled
Enabled
Disabled
<None>
Software\Microsoft\WindowsNT\CurrentVersion\Print
Software\Microsoft\WindowsNT\CurrentVersion\Windows
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration
Software\Microsoft\WindowsNT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
Enabled
<Not defined>
Send NTLMv2 response only\refuse LM
Negotiate signing
Require message integrity
Require message confidentiality
Require NTLMv2 Session Security
Require 128-bit Encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Require message integrity
Require message confidentiality
Require NTLMv2 Session Security
Require 128-bit Encryption
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Default owner for objects created by members of the Administrators group
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects
System settings: Optional subsystems
Disabled
<Not defined>
User must enter a password each time they use a key
<Not defined>
<Not defined>
<Not defined>
Enabled
<None>
Application Experience Lookup Service (AeLookupSvc) (applicable to Windows Server 2003 SP1)
Application Layer Gateway Service (ALG)
Application Management (AppMgmt)
Client Service for NetWare
<Not defined>
<Not defined>
Disabled
ASP.NET State Service (aspnet_state)
Automatic Updates (Wuauserv)
Background Intelligent Transfer Service (BITS)
CC License Manager (CC_LM) (Built-in CC 6.0 service)
CC Replication Service (REP_Service) (Built-in CCMS service)
CCMS ASM_Service (ASM_Service) (Built-in CCMS service)
CCMS Audit_Service (AUDIT_Service) (Built-in CCMS service)
CCMS Control Service (CCMS_MasterService) (Built-in CCMS service)
CCMS DBNotifier_Service (DBNotifier_Service) (Built-in CCMS service)
CCMS EB_Service (EB_Service) (Built-in CCMS service)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
COM+ Event System (EventSystem)
COM+ System Application (COMSysApp)
Computer Browser (Browser)
Cryptographic Services (CryptSvc)
DCOM Server Process Launcher (DcomLaunch) (applicable to Windows Server 2003 SP1)
DHCP Client (Dhcp)
Distributed File System (Dfs)
Distributed Link Tracking Client (TrkWks)
Distributed Link Tracking Server (TrkSvr)
Distributed Transaction Coordinator (MSDTC)
DNS Client (Dnscache)
Error Reporting Service (ERSvc)
Event Log (Eventlog)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
InstallDriver Table Manager (Built-in InstallShield service for CC installation)
Intersite Messaging (IsmServ)
<Not defined>
Logical Disk Manager (Dmserver)
Logical Disk Manager Administrative Service (Dmadmin)
Messenger (Messenger)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Microsoft Software Shadow Copy Provider (SwPrv)
Net Logon (Netlogon)
NetMeeting Remote Desktop Sharing (mnmsrvc)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Manual (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
<Not defined>
NT LM Security Support Provider (NtLmSsp)
pcAnywhere Host Service (Built-in pcAnywhere service for CC if it is installed)
Performance Logs and Alerts (SysmonLog)
Plug and Play (PlugPlay)
Portable Media Serial Number Service (WmdmPmSN)
Print Server for Macintosh (MacPrint)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Print Spooler (Spooler)
Protected Storage (ProtectedStorage)
Remote Access Auto Connection Manager (RasAuto)
<Not defined>
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Remote Procedure Call (RPC) (RpcSs)
Remote Procedure Call (RPC) Locator (RpcLocator)
Remote Registry (RemoteRegistry)
Remote Server Manager (AppMgr)
<Not defined>
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
<Not defined>
Removable Storage (NtmsSvc)
Resultant Set of Policy Provider (RSoPProv)
Routing and Remote Access
<Not defined>
<Not defined>
Smart Card (SCardSvr)
SNMP Service (SNMP)
SNMP Trap Service (SNMPTRAP)
<Not defined>
Special Administration Console Helper (Sacsvr)
Sybase BCKServer_<server name>_BS (SYBBCK_<server name>_BS) (Built-in CCMS Sybase service)
Sybase MONServer_<server name>_MS (SYBMON_<server name>_MS) (Built-in CCMS Sybase service)
Sybase SQLServer_<server name> (SYBSQL_<server name>)
<Not defined>
<Not defined>
<Not defined>
Terminal Services (TermService)
Terminal Service Session Directory (Tssdis)
Trivial FTP Daemon (tftpd)
<Not defined>
Themes
WMI Performance Adapter (WmiApSrv)
Workstation (lanmanworkstation)
World Wide Web Publishing Service (W3SVC)
<Not defined>
Registry
MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
MACHINE\SYSTEM\CurrentControlSet\Enum
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
Administrators=Full Control, SYSTEM=Full Control, Users=Read
Administrators=Full Control, SYSTEM=Full Control, Users=Read
Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control
Administrators=Full Control, Authenticated Users=Read, SYSTEM=Full Control
Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control
Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control, Users=Read
%SystemRoot%\system32\at.exe
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full
%SystemRoot%\system32\attrib.exe
%SystemRoot%\system32\cacls.exe
%SystemRoot%\system32\debug.exe
%SystemRoot%\system32\drwatson.exe
%SystemRoot%\system32\drwtsn32.exe
%SystemRoot%\system32\edlin.exe
%SystemRoot%\system32\eventcreate.exe
%SystemRoot%\system32\eventtriggers.exe
%SystemRoot%\system32\ftp.exe
%SystemRoot%\system32\net.exe
%SystemRoot%\system32\net1.exe
%SystemRoot%\system32\netsh.exe
%SystemRoot%\system32\rcp.exe
%SystemRoot%\system32\reg.exe
%SystemRoot%\system32\regedt32.exe
%SystemRoot%\system32\regsvr32.exe
%SystemRoot%\system32\rexec.exe
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\runas.exe
%SystemRoot%\system32\sc.exe
%SystemRoot%\system32\subst.exe
%SystemRoot%\system32\telnet.exe
%SystemRoot%\system32\tftp.exe
%SystemRoot%\system32\tlntsvr.exe
Glossary
The glossary provided relates solely to this document.
CLAN - Customer Local Area Network
DHCP - Dynamic Host Connection Protocol
DNS - Domain Name Service
ELAN - Embedded Local Area Network
IT - Information Technology
LAN - Local Area Network
MAS - Meridian Application Server
NCC - Network Control Center
Nortel Servers Subnet - Previously known as CLAN
PC - Personal Computer
PEP - Performance Enhancement Package
PRD - Platform Recovery Disk
RAS - Remote Access Service
SCCS - Symposium Call Center Server
SMTP - Simple Mail Transfer Protocol
SU - Service Update
SWC - Symposium Call Center Web Client
TAPI SP - Symposium TAPI Service Provider
WAN - Wide Area Network
5 References
[1] Windows Server 2003 Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Security Settings for Domain Member Servers, Version 1.2, October 17, 2005, The Center for Internet Security
[2] Contact Center 6.0 Security Guide, issue 1.01, July 18 2006