[. . . ] Cisco TelePresence Management Suite Secure Server
Hardening Windows Server 2003 for Cisco TMS 13.0 Product Configuration Guide
D13148.08 December 2010
Document revision history
Contents
References and related documents .......... 5
Preface .......... 5
Pre-install considerations .......... 7
Installing baseline configuration [. . . ]

[. . . ]

Create a local Windows user to act as the service account for the Cisco TMS services and the Cisco TMS website. The placeholder name tmsserviceuser is used through the remainder of this document to refer to this account.
1. In the Start menu, open Administrative Tools > Local Security Policy.
2. Expand Local Policy > User Rights Assignment in the tree navigator.
3. Click the Add User or Group button and add the tmsserviceuser account by typing in this name.
4. Click OK to save and add tmsserviceuser, and OK to save the changes to the Local Security settings.
Assign file ACLs for Cisco TMS directories
Table 1 below lists the required ACLs for the Cisco TMS directories on the Cisco TMS server. When editing these ACLs, remove any additional permissions not listed in the table, except for inherited permissions. The permissions added here assume that inheritance is allowed on all child directories.
1. Right-click the folder and select Sharing and Security from the drop-down menu.
2. Select the Security tab and set the permissions shown in the table below for each group/user.
Note: This step must be repeated after any future Cisco TMS installations or upgrades, as the installer resets these directories to the default permissions.
Cisco TMS Secure Server Configuration Guide 13.0
Page 10 of 34
Securing Windows Server 2003 tasks
Table 1 Service account file ACLs

In every row, LocalMachine\Administrators and SYSTEM have Full Control. The remaining columns give the permission granted to the service account and, where listed, to Authenticated Users; "-" means Authenticated Users have no entry on that directory.

Directory                                           tmsserviceuser    Authenticated Users
<tms installdir>\                                   Read & Execute    -
<tms installdir>\OldConferenceAPI                   Read & Execute    Read
<tms installdir>\Provisioning\web                   Read & Execute    Read
<tms installdir>\Provisioning\OpenDS\bak            Full Control      -
<tms installdir>\Provisioning\OpenDS\config         Full Control      -
<tms installdir>\Provisioning\OpenDS\db             Full Control      -
<tms installdir>\Provisioning\OpenDS\import-tmp     Full Control      -
<tms installdir>\Provisioning\OpenDS\locks          Full Control      -
<tms installdir>\Provisioning\OpenDS\logs           Full Control      -
<tms installdir>\wwwProvisioning                    Read & Execute    Read
<tms installdir>\wwwTMS                             Read & Execute    Read
<tms installdir>\wwwTMS\Data\CompanyLogo            Full Control      Read
<tms installdir>\wwwTMS\Data\Export                 Full Control      Read
<tms installdir>\wwwTMS\Data\ExternalSourceFiles    Full Control      Read
<tms installdir>\wwwTMS\Data\Image                  Full Control      Read
<tms installdir>\wwwTMS\Data\Logo                   Full Control      Read
<tms installdir>\wwwTMS\Data\Logs                   Full Control      -
<tms installdir>\wwwTMS\Data\Map                    Full Control      Read
<tms installdir>\wwwTMS\Data\ReleaseKey             Full Control      Read
<tms installdir>\wwwTMS\Data\Reports                Full Control      Read
<tms installdir>\wwwTMS\Data\Snapshot               Full Control      Read
<tms installdir>\wwwTMS\Data\Software               Full Control      Read
<tms installdir>\wwwTMS\Data\SystemImages           Full Control      Read
<tms installdir>\wwwTMS\Data\TempFiles              Full Control      Read
<tms installdir>\wwwTMS\Public\data\SOFTWARE (3)    Full Control      Read
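Setting Table 1 by hand on twenty-five directories, and repeating it after every upgrade, is error-prone. The following is an added example, not part of the Cisco guide, that applies the table from PowerShell and then audits the result. It assumes PowerShell 2.0 or later is installed on the server, a local service account named tmsserviceuser, and that the script runs from an elevated prompt; the install directory at the top is an assumption and must be replaced with your <tms installdir>.

```powershell
# Added example, not part of the Cisco guide: apply and verify the Table 1 ACLs from
# PowerShell instead of the Explorer Security tab. Assumes PowerShell 2.0 or later and
# a local service account named tmsserviceuser. The install directory is an assumption.
$InstallDir  = 'C:\Program Files\TANDBERG\TMS'      # replace with your <tms installdir>
$ServiceUser = "$env:COMPUTERNAME\tmsserviceuser"

$FC   = [System.Security.AccessControl.FileSystemRights]::FullControl
$RX   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$Read = [System.Security.AccessControl.FileSystemRights]::Read

# Table 1, keyed by path relative to <tms installdir> ('.' is the install directory
# itself): @(tmsserviceuser rights, Authenticated Users rights or $null for no entry).
# LocalMachine\Administrators and SYSTEM get Full Control on every directory.
$Table1 = @{
    '.'                               = @($RX, $null)
    'OldConferenceAPI'                = @($RX, $Read)
    'Provisioning\web'                = @($RX, $Read)
    'Provisioning\OpenDS\bak'         = @($FC, $null)
    'Provisioning\OpenDS\config'      = @($FC, $null)
    'Provisioning\OpenDS\db'          = @($FC, $null)
    'Provisioning\OpenDS\import-tmp'  = @($FC, $null)
    'Provisioning\OpenDS\locks'       = @($FC, $null)
    'Provisioning\OpenDS\logs'        = @($FC, $null)
    'wwwProvisioning'                 = @($RX, $Read)
    'wwwTMS'                          = @($RX, $Read)
    'wwwTMS\Data\CompanyLogo'         = @($FC, $Read)
    'wwwTMS\Data\Export'              = @($FC, $Read)
    'wwwTMS\Data\ExternalSourceFiles' = @($FC, $Read)
    'wwwTMS\Data\Image'               = @($FC, $Read)
    'wwwTMS\Data\Logo'                = @($FC, $Read)
    'wwwTMS\Data\Logs'                = @($FC, $null)
    'wwwTMS\Data\Map'                 = @($FC, $Read)
    'wwwTMS\Data\ReleaseKey'          = @($FC, $Read)
    'wwwTMS\Data\Reports'             = @($FC, $Read)
    'wwwTMS\Data\Snapshot'            = @($FC, $Read)
    'wwwTMS\Data\Software'            = @($FC, $Read)
    'wwwTMS\Data\SystemImages'        = @($FC, $Read)
    'wwwTMS\Data\TempFiles'           = @($FC, $Read)
    'wwwTMS\Public\data\SOFTWARE'     = @($FC, $Read)   # configurable in TMS: adjust if moved
}

function Get-TmsPath([string]$Relative) {
    if ($Relative -eq '.') { $InstallDir } else { Join-Path $InstallDir $Relative }
}

function New-AllowRule([string]$Identity, $Rights) {
    # Allow ACE that propagates to subfolders and files, as the guide assumes.
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
}

function Get-ExpectedRules([string]$Relative) {
    if (-not $Table1.ContainsKey($Relative)) { throw "$Relative is not in Table 1" }
    $svcRights, $authRights = $Table1[$Relative]
    $rules = @((New-AllowRule 'BUILTIN\Administrators' $FC),
               (New-AllowRule 'NT AUTHORITY\SYSTEM' $FC),
               (New-AllowRule $ServiceUser $svcRights))
    if ($authRights -ne $null) { $rules += New-AllowRule 'NT AUTHORITY\Authenticated Users' $authRights }
    $rules
}

function Test-SameAce($A, $B) {
    # Identity, allow/deny and rights must agree. Synchronize is masked out because
    # Windows adds it to every allow ACE it writes, so a live ACE never equals the rule exactly.
    $mask = -bnot [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    ($A.IdentityReference.Value -eq $B.IdentityReference.Value) -and
    ($A.AccessControlType -eq $B.AccessControlType) -and
    (([int]$A.FileSystemRights -band $mask) -eq ([int]$B.FileSystemRights -band $mask))
}

function Set-TmsDirectoryAcl([string]$Relative) {
    $path = Get-TmsPath $Relative
    $acl  = Get-Acl -Path $path
    # Drop every explicit ACE (inherited ones stay, as the guide requires), then add
    # exactly the Table 1 entries.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.PurgeAccessRules($ace.IdentityReference)
    }
    foreach ($rule in Get-ExpectedRules $Relative) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl
}

function Test-TmsDirectoryAcl([string]$Relative) {
    # Returns one line per difference between the live explicit ACEs and Table 1;
    # an empty result means the directory is compliant.
    $expected = Get-ExpectedRules $Relative
    $actual   = @((Get-Acl -Path (Get-TmsPath $Relative)).Access | Where-Object { -not $_.IsInherited })
    $diff = @()
    foreach ($ace in $actual) {
        if (-not ($expected | Where-Object { Test-SameAce $_ $ace })) {
            $diff += "$Relative : unexpected $($ace.AccessControlType) $($ace.FileSystemRights) for $($ace.IdentityReference)"
        }
    }
    foreach ($rule in $expected) {
        if (-not ($actual | Where-Object { Test-SameAce $_ $rule })) {
            $diff += "$Relative : missing $($rule.FileSystemRights) for $($rule.IdentityReference)"
        }
    }
    $diff
}

# Apply the whole table, then audit it. Re-run after every Cisco TMS installation or
# upgrade, because the installer resets these directories to default permissions.
foreach ($dir in $Table1.Keys) { Set-TmsDirectoryAcl $dir }
$findings = @($Table1.Keys | ForEach-Object { Test-TmsDirectoryAcl $_ })
if ($findings.Count -eq 0) { 'All Table 1 directories match.' } else { $findings }
```

Only explicit (non-inherited) entries are purged and compared, which matches the guide's instruction to leave inherited permissions alone; the Read & Execute entry granted at the install directory root is what the child directories inherit. Running only the Test-TmsDirectoryAcl loop, without the Set-TmsDirectoryAcl loop, gives a read-only compliance check that is useful immediately after an upgrade.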
Note (3) to Table 1: The SOFTWARE directory is configurable in the Cisco TMS Administrative Settings. If a custom directory is used, update the permissions on that directory as necessary.

Configure Cisco TMS Services to use Service Account
Configure the tmsserviceuser to run the ASP.NET application pool for Cisco TMS and the Cisco TMS services.
1. Open a command prompt and navigate to the .NET 2 installation folder (%windir%\Microsoft.NET\Framework\v2.0.50727).
2. Use the aspnet_regiis tool to grant the service user access to the IIS elements that ASP.NET requires: aspnet_regiis -ga <username>, in this case aspnet_regiis -ga tmsserviceuser
3. Open Windows Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
4. Under the name of the local server, expand the Application Pools folder and open the properties of the application pool used by the Cisco TMS website.
5. On the Identity tab, select Configurable, then browse to or enter tmsserviceuser as the User Name and enter the password of this user.
6. Right-click the server in IIS Manager, go to All Tasks and select Restart IIS to restart the IIS server.
7. Open Windows Start > Control Panel > Administrative Tools > Services and locate the services whose names start with `TMS'.
8. For each of these services, open its properties and on the Log On tab set the service to log on as tmsserviceuser with this user's password.
9. Right-click each service and select Restart to have the changes take effect.
Note: These steps must be repeated after any future Cisco TMS installations or upgrades, as the installer resets these services to their default settings.
Remove unnecessary user accounts
To remove unnecessary user accounts, go to Windows Start > Control Panel > Administrative Tools > Computer Management > System Tools > Local Users and Groups. Disable all accounts except:
- Your renamed Administrator account
- Your administrator account
- IWAM_<machine-name>
- IUSR_<machine-name>
- ASPNET
- Sqlserviceuser
- tmsserviceuser
At the very least, the `Guest' account (disabled by default) must not be active. To disable an account, open its properties and, under the General tab, check the Account is disabled checkbox.
Remove unnecessary Windows components
To reduce the attack surface of the Cisco TMS server, ensure that Windows Components that are not required by Cisco TMS are not installed. Go to Windows Start > Control Panel > Add or Remove Programs > Add/Remove Windows Components. An N in the Include column indicates that the component should be unchecked in the Windows Components Wizard.
[. . . ]
Delete the files and directory <TMS Install Dir>\wwwtms\public\pwx
4. Go back to Start > Control Panel > Administrative Tools > Services.
Right-click TMSPLCMDirectoryService and set the start-up mode to Disabled.
Note: Disabling this service will cause a Cisco TMS ticket to be opened, and it will remain open because Cisco TMS sees that the service is not running.
Post installation and upgrades
Cisco TMS upgrades
Because the Cisco TMS application and its components are removed and reinstalled during an upgrade, some of the hardening procedures must be repeated after every upgrade. [. . . ]
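The settings this guide says the installer resets (the log-on account of the TMS services, the identity of the ASP.NET application pool, and the set of enabled local accounts) can be audited in one pass after each upgrade. The script below is an added example, not part of the Cisco guide. It assumes PowerShell 2.0 or later, IIS 6 on Windows Server 2003 (the application pool is read through the IIS 6 WMI provider), and a local service account named tmsserviceuser; the application pool name and the two administrator account names are assumptions and must be replaced with your own.

```powershell
# Added example, not part of the Cisco guide: audit the settings that a Cisco TMS
# installation or upgrade resets. Assumes PowerShell 2.0 or later, IIS 6 on Windows
# Server 2003 (for the WMI application pool query) and a local service account named
# tmsserviceuser. The application pool and administrator account names are assumptions.
$ServiceUser   = 'tmsserviceuser'
$AppPoolName   = 'TMSAppPool'               # assumption: the pool the Cisco TMS website runs in
$AdminAccounts = @('srvadmin', 'jsmith')    # assumption: your renamed built-in Administrator and your own admin account

# Accounts allowed to stay enabled, from "Remove unnecessary user accounts".
$AllowedAccounts = $AdminAccounts + @("IWAM_$env:COMPUTERNAME", "IUSR_$env:COMPUTERNAME",
                                      'ASPNET', 'Sqlserviceuser', $ServiceUser)

function Test-TmsServices {
    # Every service whose name starts with TMS must log on as the service account.
    $findings = @()
    foreach ($svc in Get-WmiObject Win32_Service -Filter "Name LIKE 'TMS%'") {
        if ($svc.StartName -notlike "*\$ServiceUser") {
            $findings += "service $($svc.Name) logs on as '$($svc.StartName)', expected $ServiceUser"
        }
        if ($svc.Name -eq 'TMSPLCMDirectoryService' -and $svc.StartMode -ne 'Disabled') {
            $findings += "TMSPLCMDirectoryService start-up mode is $($svc.StartMode); the guide sets it to Disabled"
        }
    }
    $findings
}

function Test-TmsAppPool {
    # IIS 6 exposes application pools through the root\MicrosoftIISv2 WMI provider.
    # AppPoolIdentityType 3 is "Configurable", i.e. a specific user name and password.
    $pool = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting `
            -Filter "Name = 'W3SVC/AppPools/$AppPoolName'"
    if ($pool -eq $null) { return @("application pool $AppPoolName not found") }
    if ($pool.AppPoolIdentityType -ne 3 -or $pool.WAMUserName -notlike "*$ServiceUser") {
        return @("application pool $AppPoolName runs as identity type $($pool.AppPoolIdentityType) user '$($pool.WAMUserName)', expected $ServiceUser")
    }
    @()
}

function Test-LocalAccounts {
    # Any enabled local account outside the allow-list should be disabled; Guest in
    # particular must never be active.
    $findings = @()
    foreach ($u in Get-WmiObject Win32_UserAccount -Filter "LocalAccount = TRUE") {
        if (-not $u.Disabled -and ($AllowedAccounts -notcontains $u.Name)) {
            $findings += "local account $($u.Name) is enabled but not in the allow-list"
        }
    }
    $findings
}

$results = @(Test-TmsServices) + @(Test-TmsAppPool) + @(Test-LocalAccounts)
if ($results.Count -eq 0) { 'Post-upgrade checks passed.' } else { $results | ForEach-Object { "FAIL: $_" } }
```

Each check returns its findings as strings rather than printing them, so the three functions can be run individually or wired into whatever scheduled job or monitoring you already use; a non-empty result after an upgrade means the corresponding procedure from this guide has to be repeated. The directory ACLs from Table 1 are a separate check and are not repeated here.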