CCMS 6.0 Security Templates

Nortel Enterprise Networks
Nortel Contact Center 6.0 Security Templates User Guide

Issue 1.02 October 29, 2008 ABSTRACT This guide describes the generic Windows Server 2003 security templates for the Nortel Contact Center 6.0 suite of servers. This guide also provides the guideline and how to deploy the security template to secure the Nortel Contact Center 6.0 suite of servers.
NOTICE TO HOLDERS OF PAPER COPIES: Upon receipt of a new issue, destroy the previous issue or mark it OBSOLETE.
CONFIDENTIAL INFORMATION: The information contained in this document is the property of Nortel Networks. Except as specifically authorized in writing by Nortel Networks, the holder of this document shall keep all information contained herein confidential and shall protect same in whole or in part from disclosure and dissemination to all third parties.
Trademarks
Nortel Proprietary
Trademarks
The following are trademarks of Nortel Networks: Nortel, Nortel Networks, BNR, ACD, BCS, CallPilot, DMS, DMS-100, DMS-250, DMS-MTX, DMS-SCP, DNC, DPN-100, DVS, DualMode, FastView, Helmsman, M2317, MAP, Symposium, Meridian Digital Centrex (MDC), Meridian, Meridian 1, Meridian Link, Meridian MAX, Meridian NAC, Meridian CCR, Meridian IVR, Meridian Terminal Emulator, MFA, Norstar, PowerTouch, SL-1, SL-100, SuperNode, Telesis, Unity. Action Request System and AR System are trademarks of Remedy Corporation. AMDEK is a trademark of Amdek Corporation. ANSI is a trademark of the American National Standards Institute. ClearCase is a registered trademark and ClearCase MultiSite is a trademark of Rational Software Corporation. Continuus, continuus/CM, and Continuus/PT are trademarks of Continuus Software Corporation. CaseWare/CM, CaseWare/PT, CaseWare, ACCENT, and Amplify Control are registered trademarks of Continuus Software Corporation. Courier is a trademark of Smith-Corona Corporation. CT Connect, CT Media is a registered trademark of Dialogic. Frame, FrameBuilder and FrameMaker are trademarks of Adobe Systems Incorporated. Helvetica and Times are trademarks of Linotype AG or its subsidiaries. InstallShield is a registered trademark of InstallShield Software Corporation. Interleaf is a trademark of Interleaf, Inc. Macintosh, Power Macintosh, and Apple are registered trademarks of Apple Computer, Inc. Mac OS is a trademark of Apple Computer, Inc. Microsoft Windows, Microsoft Word, Microsoft Excel, PowerPoint, Microsoft Project, Microsoft File Extension, and MS-DOS are trademarks of Microsoft Corporation. Novell is a trademark of Novell, Inc. Olecera Chart is a trademark of KL Group Inc. Portable Document Format is a trademark of Adobe Systems Incorporated. PostScript is a trademark of Adobe Systems Incorporated. SYBASE is a trademark of Sybase, Inc. UNIX is a trademark of UNIX System Laboratories. Versatility, Versatility Administrator, Versatility Call Blending, Versatility Campaign Plus, Versatility Insight, Versatility Predictive, Versatility Telesales / Teleservice are trademarks of Versatility Inc. WinRunner, TSL and Context Sensitive are trademarks of Mercury Interactive Corporation.
2007 Nortel Networks Corporation
ii
Issue 1.02
Approvals
Nortel Proprietary
Approvals
Prepared By
Ronald Chan Senior Design Support Engineer, MA Design Support Enterprise Solutions, Multimedia Apps Support & Validation Nortel Networks Corporation Date
Reviewed and Approved By

James Chan Manager, MA Design Support Application R&D, Multimedia Apps Support & Validation Nortel Networks Corporation Date
David OConnell Leader, CC Sustaining & Localization Application R&D, Multimedia Apps Support and Validation Nortel Networks Corporation
Date
Issue 1.02
iii
Revision history
Nortel Proprietary
Revision history
Issue Number Issue Date
0.01 June 23, 2005
Type of Review Reason(s) for Issue

Draft copy Initial draft for internal review
Author(s)
Ronald Chan
0.02 July 5, 2005
Draft copy Section 3.1 Add CCMS 6.0 standalone server security template definitions
Ronald Chan
0.03 August 9, 2005
Draft copy Section 2.3.2 Add Network Domain Deployment
Ronald Chan
0.04 September 21, 2005
Draft copy Section 2.2 Changing template files location from the CC 6.0 DVD to the Meridian PEP Library web site Section 2.2 Table 1 Remove CCO template Section 2.3.1 Changing template files location from the CC 6.0 DVD to the Meridian PEP Library web site
Ronald Chan
0.05 July 7, 2006
Draft copy Section 2.2 Update Table 1 to include CCMS 6.0 Replication server Section 2.3.1 Add new Security Template Rollback section Section 3.1 Add Contact Center Manager Replication server Section 3.1 Update Table 3 with the latest CCMS 6.0 security template setting Section 3.2 Update Table 4 with the latest CCMS 6.0 coresidency security template setting including CCT Section 3.3 Update Table 5 with the latest CCMA 6.0 security template setting Section 3.5 Add section and Table 6 with the CCT 6.0 standalone server security template setting
Ronald Chan
0.06 October 3, 2006
Draft copy Section 2.5 Add section to outline the network environment requirements for the CC 6.0 servers with security template to operate with
Ronald Chan
iv
Issue 1.02
Revision history Issue Number Issue Date

1.00 October 20, 2006
Nortel Proprietary Author(s)
Type of Review Reason(s) for Issue

Approved Copy Section 2.2 Add note to clarify the set of security template is only applicable to Contact Center 6.0 only, and not applicable to any earlier Symposium portfolio releases.
Ronald Chan
1.01 October 15, 2008
Approved Copy Section 2.2 Update Table 1 to add CCMM 6.0 Section 2.3.2 Update Table 2 to add CCMM 6.0 Section 3.5 Add section and Table 8 for CCMM 6.0 security template setting
Ronald Chan
1.02 October 29, 2008
Approved Copy Section 2.2 Update Table 1 to add CCMS 6.0 Stratus Section 2.3.2 Update Table 2 to add CCMS 6.0 Stratus Section 3.6 Add section and Table 9 for CCMS 6.0 Stratus security template setting
Ronald Chan
Issue 1.02
Table of contents
Nortel Proprietary
Table of contents
1 Introduction .........................................................................................................1
1.1 1.2 1.3 Purpose ...............................................................................................................................1 Scope...................................................................................................................................1 Intended audience ...............................................................................................................1 Contact Center 6.0 Security Template Baseline .................................................................2 Contact Center 6.0 Security Template Applicability ............................................................2 Contact Center 6.0 Security Templates Deployment ..........................................................3 2.3.1 Security Template Rollback....................................................................................4 2.3.2 Local Server Deployment .......................................................................................5 2.3.3 Network Domain Deployment.................................................................................9 Additional security settings ..................................................................................................9 Network Environment Consideration.................................................................................10 Contact Center Manager Server Security Template Definitions .......................................11 Contact Center Manager Server Co-residency Security Template Definitions .................35 Contact Center Manager Administration Security Template Definitions ...........................60 Communication Control Toolkit Security Template Definitions .........................................80 Contact Center Multimedia/Outbound Security Template Definitions .............................100 Contact Center Manager Server on Stratus Platform Security Template Definitions .....119
Contact Center 6.0 Security Templates.............................................................2

2.1 2.2 2.3
2.4 2.5
Contact Center 6.0 Security Template Files ...................................................11

3.1 3.2 3.3 3.4 3.5 3.6
4 5
Glossary...........................................................................................................146 References.......................................................................................................148
vi
Issue 1.02
List of tables
Nortel Proprietary
List of tables
Table 1 Contact Center 6.0 Security Template File Applicability with Contact Center Server......................3 Table 2 Contact Center 6.0 Security Template Rollback Files......................................................................4 Table 3 Contact Cetner 6.0 Security Template Additional Settings ............................................................10 Table 4 Contact Center Manager Server 6.0 Security Template Settings ..................................................11 Table 5 Contact Center Manager Server 6.0 Co-res Security Template Settings ......................................35 Table 6 Nortel Contact Center Manager Administration 6.0 Security Template Settings ...........................61 Table 7 Nortel Communication Control Toolkit 6.0 Security Template Settings .........................................80 Table 8 Contact Center Multimedia/Outbound 6.0 Security Template Setting .........................................100 Table 9 Contact Center Manager Server Stratus Security Template Settings..........................................120
Issue 1.02
vii
Introduction
Nortel Proprietary
1
1.1
Introduction
Purpose
Security is a critical task for all organizations and it is always mandated to secure all networked servers by locking down the server operating system setting and services. Windows Server 2003 can be secured by applying a predefined security template either locally to the computer or through a network Group Policy Objects (GPO) instead of securing manually. Nortel Contact Center 6.0 is providing a set of predefined Windows Server 2003 security templates that can be deployed quickly to secure the Contact Center 6.0 suite of application servers. The set of Contact Center 6.0 security templates is designed to be closely match the industry consensus security setting benchmark [1] published by the Center of Internet Security (CIS), and meeting the Contact Center 6.0 suite of application servers operation requirements. This guide provides the detail definitions of the set of Contact Center 6.0 security templates and how to deploy the security templates to the Contact Center 6.0 suite of application servers.
1.2
Scope
This guide covers the set of security templates for Nortel Contact Center 6.0. It is not intended to be a comprehensive security guide either for the Nortel Contact Center 6.0 or the Windows Server 2003.
1.3
Intended audience
This guide is intended to be used by anyone wishing to secure the Contact Center 6.0 suite of application servers that are meeting the Contact Center 6.0 security template applicability requirements. It assumes that the reader is familiar with all security subjects and features in Windows Server 2003 and Microsoft network domain (Active Directory) environment.
Issue 1.02
Contact Center 6.0 Security Templates
Nortel Proprietary

A set of security templates is available for the Contact Center 6.0 suite of application servers. You can apply the security template to its defined Contact Center 6.0 application server to secure the Windows Server 2003 and meeting the minimum security requirements for the Contact Center 6.0 application operation.
2.1
Contact Center 6.0 Security Template Baseline

All Contact Center 6.0 security templates are based on the consensus security benchmark document, Windows Server 2003 Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Security Settings for Domain Member Servers [1], published by the Center of Internet Security (CIS) organization. This security benchmark reflects the content of the Consensus Baseline Security Settings document developed by the National Security Agency (NSA), the Defense Information Systems Agency (DISA), The National Institute and Technology (NIST), the General Service Administration (GSA), The SANS Institute, and the Center for Internet Security. The Contact Center 6.0 security template settings are baseline with the Enterprise security level as defined in the consensus benchmark [1]. Settings in the Enterprise level are designed for servers operation in a managed environment where interoperability with legacy system is not required. It assumes that all operating systems within the enterprise are Windows 2000 or later. In addition, the security template settings are adjusted to meet the minimum security setting requirements for its specific Contact Center 6.0 application server as defined in its corresponding Nortel Contact Center 6.0 server security guide document [2].
2.2
Contact Center 6.0 Security Template Applicability

A set of the Contact Center 6.0 security template files is provided on the Meridian PEP Library web site. Table 1 lists the set of available template files and its corresponding applicable Contact Center 6.0 application server
Issue 1.02
Nortel Proprietary
Table 1 Contact Center 6.0 Security Template File Applicability with Contact Center Server
Contact Center 6.0 Security Template File CCMS 6.0 Security Template.inf
Applicable Contact Center 6.0 Application Server Contact Center Manager Server standalone server , Contact Center Manager Replication server, and Network Control Center server Contact Center Manager Server coresidency server Contact Center Manager Administration standalone server Communication Control Toolkit server Contact Center Multimedia/Outbound server Contact Center Manager Server standalone server on Stratus platform, Contact Center Manager Replication server on Stratus platform, and Network Control Center server on Stratus platform
CCMS 6.0 Cores Security Templt.inf CCMA 6.0 Security Template.inf CCT 6.0 Security Template.inf CCMM 6.0 Security Template.inf CCMS 6.0 Stratus Security Temp.inf
Note: The security template is applicable to Contact Center 6.0 only. It is not verified with its compatibility for any earlier Symposium portfolio products running on Windows Server 2003 platform. It is not applicable to any Symposium portfolio releases prior Contact Center 6.0. The security template is designed to work with a typical server configuration and may not be compatible with some specific customers configuration. If customer is installing additional 3rd party software on the Contact Center 6.0 application server, customer must review and test the compatibility between the Contact Center 6.0 security template and the 3rd party software in a non-production environment. Customer may need to adjust the template if necessary.
2.3
Contact Center 6.0 Security Templates Deployment

The Contact Center 6.0 security template can be deployed either locally on the Contact Center 6.0 application server or as a group policy in an Active Directory OU where the Contact Center 6.0 application server is located. The Contact
Issue 1.02
Nortel Proprietary
Center 6.0 security template can be deployed either before or after the Contact Center 6.0 application is installed on the server. 2.3.1 Security Template Rollback There are situation (like adding CCMA and CCT to a previously standalone CCMS server and convert it into a CCMS co-residency server) that one may require to rollback the originally applied Contact Center 6.0 security template and reapply a new one that is appropriate with the new Contact Center 6.0 application server configuration. A set of Contact Center 6.0 default rollback templates for the corresponding Contact Center 6.0 security templates are provided. These default rollback templates will rollback the security setting (excluding permission setting in registries and files) from the applied security template back to the default Windows Server 2003 (with SP1) setting. Table 2 lists the set of available rollback template files and its corresponding applicable Contact Center 6.0 application server.
Table 2 Contact Center 6.0 Security Template Rollback Files
Contact Center 6.0 Security Template Rollback File CCMS 6.0 Security Templt Rollb.inf
Applicable Contact Center 6.0 Application Server Contact Center Manager Server standalone server, Contact Center Manager Replication server, and Network Control Center server Contact Center Manager Server coresidency server Contact Center Manager Administration standalone server Communication Control Toolkit server Contact Center Multimedia/Outbound server Contact Center Manager Server standalone server on Stratus platform, Contact Center Manager Replication server on Stratus platform, and Network Control Center server on Stratus platform
CCMS 6.0 Cores Sec Templt Rollb.inf CCMA 6.0 Security Templt Rollb.inf CCT 6.0 Security Templt Rollb.inf CCMM 6.0 Security Templ Roll.inf CCMS 6.0 Stratus Sec Tmp Rollbk.inf
Issue 1.02
Nortel Proprietary
If Windows Server 2003 configuration is different from its default installed setting before applying the Contact Center 6.0 security template, the default rollback template may not restore the configuration to its customized configuration. It is Nortel recommendation that you must create an appropriate rollback template on your Contact Center 6.0 application server before deploying the Contact Center 6.0 security template. The rollback template can be generated by issuing the secedit /GenerateRollback /CFG <CC 6.0 Security Template.inf> /RBK <Rollback Template.inf> (e.g., secedit /GenerateRollback /CFG C:\CCMS 6.0 Security Template.inf /RBK C:\rollback.inf) command in a command line prompt windows. 2.3.2 Local Server Deployment To deploy the Contact Center 6.0 Security template locally on a Contact Center 6.0 application server, one must select the applicable security template for the Contact Center 6.0 application server and download the selected template from the Meridian PEP Library web site to the server local disk drive. The security template can then be imported and configured using the Microsoft Security Configuration and Analysis utility. The following steps can be used to deploy the Contact Center 6.0 security template using the Security Configuration and Analysis (you must add the Security Configuration and Analysis snap-in to the Microsoft Management Console): 1) Logon to the server with an administrative account. 2) Open the management console that is having the Security Configuration and Analysis snap-in.
Issue 1.02
Nortel Proprietary
3) Right click the Security Configuration and Analysis scope item and click Open Database. Enter a new database name (e.g., CCMA 6.0 Security Template) in the File Name field of the Open Data dialog windows, and then press the Open button.
4) On the Import Template dialog windows, browse and select the Contact Center 6.0 security template file downloaded from the Meridian PEP Library Web site, and then press the Open button.
6 Nortel Contact Center 6.0 Security Templates User Guide Issue 1.02
Nortel Proprietary
5) Right click the Security Configuration and Analysis scope item, and click the Analyze Computer Now to analyze the security configuration with the imported Contact Center 6.0 security template and the current server configuration.
6) On the Perform Analysis dialog windows, select the default log file path (e.g., C:\Documents and Setttings\Administrator\My Documents\Security\Logs\CCMA 6.0 Security Template.log) or select the log file path of your choice, press the OK button to perform the analysis.
Issue 1.02 Nortel Contact Center 6.0 Security Templates User Guide 7
Nortel Proprietary
7) Open the security analysis log file with a text editor and review any mismatch item that may not meet your server requirement. Adjust the security template if necessary. 8) Right click the Security Configuration and Analysis scope item from the Security Configuration and Analysis snap-in management console. Click Configure Computer Now to configure the server security configuration with the imported Contact Center 6.0 security template.
9) On the Configure System dialog windows, select the default log file path (e.g., C:\Documents and Setttings\Administrator\My Documents\Security\Logs\CCMA 6.0 Security Template.log) or select the log file path of your choice, press the OK button to configure the computer.
Issue 1.02
Nortel Proprietary
10) Reboot the server to activate the new security policy and configuration. 2.3.3 Network Domain Deployment The Contact Center 6.0 security templates can be deployed in a network domain environment by importing the template into a group policy object of an OU where the Contact Center 6.0 server is a member. To import a security template: 1) Open Group Policy Management Console (GPMC) 2) In the console tree, expand the domain or OU that you want to import the security template. Right-click the Group Policy object that you want to edit, and then click Edit. 3) In the Group Policy Object Editor console tree, click Computer Configuration, click Windows Settings, right-click Security Setting, and then select Import Policy. 4) Click the Contact Center 6.0 security template that you want to import, then click Open.
2.4
Additional security settings

Due to some security setting are unique in individual computer, these security settings cannot be set through a common security template and must be set locally on the computer. Nortel recommends the following additional security settings be set manually on each Contact Center 6.0 application server after the security template has been deployed.
Issue 1.02
Contact Center 6.0 Security Templates Table 3 Contact Cetner 6.0 Security Template Additional Settings
Nortel Proprietary
Security Setting User Right Assignments Deny access to this computer from the network (minimum) Deny logon as a batch job Deny logon through Terminal Service (minimum) Security Options Accounts: Rename Administrator Account Accounts: Rename Guest Account Interactive Logon: Message Text for Users Attempting to Log On Interactive Logon: Message Title for Users Attempting to Log On
Additional settings
Built-in Administrator, Support_388945a0, Guest Support_388945a0, Guest Support_388945a0, Guest
<non-standard> <non-standard> <Custom, or DoJ approved>
<Custom, or DoJ approved>
2.5
Network Environment Consideration

The Contact Center 6.0 security template settings are baseline with the Enterprise security level as defined in the consensus benchmark [1]. Settings in the Enterprise level are designed for servers operation in a managed environment where interoperability with legacy system is not required. It assumes that all operating systems within the enterprise network are Windows 2000 or later. Contact Center 6.0 security template is following the consensus benchmark [1] recommendation to enable the security policy Microsoft network client: Digitally sign communications (always) to digitally sign all SMB communications. If a Contact Center 6.0 application sever that is having the security template applied and need to map a remote network share on a remote PC, the connecting remote PC muse have the corresponding security policy to be set by enabling either the Microsoft network server: Digitally sign communications (always) or Micrsoft network server: Digitally sign communication (if client agrees).
10
Issue 1.02
Contact Center 6.0 Security Template Files
Nortel Proprietary
3
3.1

Contact Center Manager Server Security Template Definitions
Table 4 lists the security template setting defined for the Contact Center Manager Server in a standalone server configuration, Contact Center Manager Replication server, and Network Control Center server.
Table 4 Contact Center Manager Server 6.0 Security Template Settings
Security Setting Items Account Policies Password Policy Enforce password history Maximum password age Minimum password age Minimum password length Password must meet complexity requirements Store passwords using reversible encryption Account Lockout Policy Account lockout duration Account lockout threshold Reset account lockout counter after Kerberos Policy Enforce user logon restrictions Maximum lifetime for service ticket Maximum lifetime for user ticket Maximum lifetime for user ticket renewal Maximum tolerance for computer clock synchronization
Setting
24 passwords remembered 90 days 1 days 8 Enabled Disabled
15 minutes 15 invalid logon attempts 15 minutes
<Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Issue 1.02
11
Nortel Proprietary
Local Policies Audit Policy Audit account logon events Audit account management Audit directory service access Audit logon events Audit object access Audit policy change Audit privilege use Audit process tracking Audit system events User Rights Assignment Access this computer from the network Act as part of the operating system Add workstations to domain Adjust memory quotas for a process Allow log on locally Allow log on through terminal services Back up files and directories Bypass traverse checking Change the system time Create a pagefile Create a token object Create a global object Create permanent shared objects Debug programs Deny access to this computer from the network Deny log on as a batch job <Not defined> <None> <Not defined> <Not defined> Administrators Administrators, Remote Desktop Users Administrators Users Administrators <Not defined> <None> <Not defined> <None> <None> ANONYMOUS LOGON, Guests Guests Success, Failure Success, Failure <Not defined> Success, Failure Success, Failure Success <Not defined> <Not defined> Success
12
Issue 1.02

Deny log on as a service Deny log on locally Deny log on through Terminal Service Enable computer and user accounts to be trusted for delegation Force shutdown from a remote system Generate security audits Impersonate a client after authentication Increase scheduling priority Load and unload device drivers Lock pages in memory Log on as batch job Log on as a service Manage auditing and security log Modify firmware environment values Perform volume maintenance tasks Profile single process Profile system performance Remove computer from docking station Replace a process level token Restore files and directories Shutdown the system Synchronize directory service data Take ownership of file or other objects Security Options Accounts: Administrator account status Accounts: Guest account status Accounts: Limit local account use of blank passwords to console logon only <Not defined> Disabled Enabled <Not defined> <Not defined> Guests <None>
Nortel Proprietary
<Not defined> <Not defined> SERVICE <Not defined> Administrators <Not defined> <None> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> LOCAL SERVICE, NETWORK SERVICE <Not defined> Administrators <None> Administrators
Issue 1.02
13

Accounts: Rename administrator account <Not defined>
Nortel Proprietary
(recommend to change it to a non-standard name) Accounts: Rename guest account <Not defined> (recommend to change it to a non-standard name) Audit: Audit the access of global system objects Audit: Audit the use of backup and restore privilege Audit: Shut down system immediately if unable to log security alerts DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax Devices: Allow undock without having to log on Devices: Allowed to format and eject removal media Devices: Prevent users from installing printer drivers Devices: Restrict CD-ROM access to locally logged-on user only Devices: Restrict floppy access to locally logged-on user only Devices: Unsigned driver installation behavior Domain Controller: Allow server operators to schedule tasks <Not defined> <Not defined> <Not defined>
<Not defined>
<Not defined>
<Not defined> Administrators Enabled <Not defined>
<Not defined>
Warn but allow installation <Not defined> (Not applicable)
Domain Controller: LDAP server signing requirements
<Not defined> (Not applicable)
Domain Controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when
<Not defined>
Enabled
Enabled
14
Issue 1.02

possible) Domain member: Disable machine account password changes Domain member: Maximum machine password age Domain member: Require strong (Windows 2000 or later) session key Interactive logon: Display user information when the session is locked Interactive logon: Do not display last user name Interactive logon: Do not required CTRL+ALT+DEL Interactive logon: Message text for users attempting to log on Disabled
Nortel Proprietary
30 days Enabled
<Not defined>
Enabled Disabled <Not defined> (Recommend to define a custom, or DOJ approved message text)
Interactive logon: Message title for users attempting to log on
<Not defined> (Recommend to define a custom, or DOJ approved message title)
Interactive logon: Number of previous logons to cache (in case domain controller is not available) Interactive logon: Prompt user to change password before expiration Interactive logon: Require domain controller authentication to unlock workstation Interactive logon: Require smart card Interactive logon: Smart card removal behavior Microsoft network client: Digitally sign communications (always) Microsoft network client: Digitally sign communications (if server agrees) Microsoft network client: Send unencrypted password to connect to third-party SMB servers Microsoft network server: Amount of idle time required before suspending session Microsoft network server: Digitally sign communications (always) Microsoft network server: Digitally sign communications (if client agrees)
<Not defined>
14 days
<Not defined>
<Not defined> Lock Workstation Enabled
Enabled
Disabled
15 minutes
<Not defined>
Enabled
Issue 1.02
15

Microsoft network server: Disconnect clients when logon hours expire MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended) MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended) MSS: (AFD MaximumDynamicBacklog) Maximum number of quasi-free connections for Winsock applications MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for system under attack, 10 otherwise) MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) MSS: (EnableDealGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU) MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS) MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) MSS: (TCPMaxConnectREsponseRetransmission) SYNACK retransmissions when a connection request is not acknowledged MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) MSS: (TCPMazPortalExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended) MSS: Disable Autorun for all drives MSS: Enable Safe DLL search mode Enabled
Nortel Proprietary
10
Enabled
20000 (recommended)
20
Highest protection, source routing is completely disabled Disabled
Disabled
<Not defined>
Enabled
Disabled
Connections time out sooner of a SYN attach is detected 3 & 6 secopnds, half-open connections dropped after 21 seconds
255, disable Autorun for all drives Enabled
16
Issue 1.02

MSS: Enable the computer to stop generating 8.3 style filenames MSS: How often keep-alive packets are sent in milliseconds MSS Percentage threshold for the security event log at which the system will generate a warning MSS: The time in seconds before the screen saver grace period expires <Not defined>
Nortel Proprietary
300000 or 5 minutes (recommended)
<Not defined>
Network access: Allow anonymous SID//Name translation Network access: Do not allow anonymous enumeration of SAM accounts Network access: Do not allow anonymous enumeration of SAM accounts and shares Network access: Do not allow storage of credentials or .NET passports for network authentication Network access: Let Everyone permissions apply to anonymous users Network access: Named pipes that can be accessed anonymously Network access: Remotely accessible registry paths
Disabled Enabled
Enabled
Enabled
Disabled
<None>
System\CurrentControlSet\Control\ProductO ptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\WindowsNT\CurrentVer sion
Network access: Remotely accessible registry paths and sub-paths
Software\Microsoft\WindowsNT\CurrentVer sion\Print Software\Microsoft\WindowsNT\CurrentVes ion\Windows System\CurrentControlSet\Control\Print\Prin ters System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server System\CurrentControlSet\Control\ContentIn dex System\CurrentControlSet\Control\Terminal Server\UserConfig
Issue 1.02
17
Nortel Proprietary
System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration Software\Micrsoft\WIndowsNT\CurrentVers ion\Perflib System\CurrentControlSet\Services\Sysmon Log Network access: Restrict anonymous access to Named Pipes and Shares Network access: Shares that can be accessed anonymously Network access: Sharing and security model for local accounts Network security: Do not store LAN Manager password hash value on next password change Network security: Force logoff when logon hours expire Network security: LAN Manager authentication level Network security: LDAP client signing requirements Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Enabled
<None> Classic local users authenticate as themselves Enabled
<Not defined> Send NTLMv2 response only\refuse LM Negotiate signing Require message integrity Require message confidentiality Require NTLMv2 Session Security Require 128-bit Encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Require message integrity Require message confidentiality Require NTLMv2 Session Security Require 128-bit Encryption
Recovery console: Allow automatic administrative logon Recovery console: Allow floppy copy and access to all drives and all folders Shutdown: Allow system to be shut down without having to log on Shutdown: Clear virtual memory pagefile System cryptography: Force strong key protection for user keys stored on computer System cryptography: User FIPS compliant algorithms for
Disabled <Not defined>
Disable
<Not defined> User must enter a password each time they use a key <Not defined>
18
Issue 1.02

encryption, hashing, and signing System objects: Default owner for objects created by members of the Administrations group System objects: Require case insensitive for non-Windows subsystems System objects: Strengthen default permission of internal system objects System settings: Option subsystems System settings: User Certificate Rules on Windows Executables for Software Restriction Policies Event Logs Maximum application log size Maximum security log size Maximum system log size Prevent local guests group from accessing application log Prevent local guests group from accessing security log Prevent local guests group from accessing system log Retain application log Retain security log Retain system log Retention method for application log Retention method for security log Retention method for system log Restricted Groups <Not defined> System Services Alerter (Alerter) Disabled 16384 kilobytes 81920 kilobytes 16384 kilobytes Enabled Enabled Enabled <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
<Not defined>
Enabled
<None> <Not defined>
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
Application Experience Lookup Service (AeLookupSvc)
Issue 1.02
19

(applicable to Windows Server 2003 SP1) Application Layer Gateway Service (ALG) Application Management (AppMgmt) Client Service for Netware (NWCWorkstation) Disabled <Not defined> <Not defined>
Nortel Proprietary
ASP.NET State Service (aspnet_state) Automatic Updates (Wuauserv) Background Intelligent Transfer Service (BITS) CC License Manager (CC_LM) (Built-in CC 6.0 service) CC Replication Service (REP_Service) (Built-in CCMS service CCMS ASM_Service (ASM_Service) (Built-in CCMS Service) CCMS Audit_Service (AUDIT_Service) (Built-in CCMS service) CCMS Control Service (CCMS_MasterService) (Built-in CCMS service)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
20
Issue 1.02

CCMS DBNotifier_Service (DBNotifier_Service) (Built-in CCMS service) CCMS EB_Service (EB_Service) (Built-in CCMS service) CCMS ES_Service (ES_Service) (Built-in CCMS service) CCMS HDC_Service (HDC_Service) (Built-in CCMS service) CCMS HDM_Service (HDM_Service) (Built-in CCMS service) CCMS Host Application Integration (Host Application Integration) (Built-in CCMS service) CCMS IS_Service (IS_Service) (Built-in CCMS service) CCMS MAS Backup/Restore (nbbkp) (Built-in CCMS service) CCMS MAS Configuration Manager (nbcfg) (Built-in CCMS service) CCMS MAS Event Scheduler <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Issue 1.02
21

(nbsch) (Built-in CCMS service) CCMS MAS Fault Manager (nbflt) (Built-in CCMS service) CCMS MAS LinkHandler Port #2 (nbalh) (Built-in CCMS service) CCMS MAS OM Server (nboms) (Built-in CCMS service) CCMS MAS Security (nbss) (Built-in CCMS service) CCMS MAS Service Daemon (nbsm_dae) (Built-in CCMS service) CCMS MAS Service Manager (nbsm) (Built-in CCMS service) CCMS MAS Time Service (nbts) (Built-in CCMS service) CCMS MLSM_Service (MLSM_Service) (Built-in CCMS service) CCMS NBMSM_Service (CCMS_NBMSM_Service) <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
22
Issue 1.02

(Built-in CCMS service) CCMS NBNM_Service (NBNM_Service) (Built-in CCMS service) CCMS NBTSM_Service (NBTSM_Service) (Built-in CCMS service) CCMS NCCOAM_Service (NCCOAM_Service) (Built-in CCMS service) CCMS NDLOAM_Service (NDLOAM_Service) (Built-in CCMS service) CCMS NIMSM_Service (CCMS_NIMSM_Service) (Built-in CCMS service) CCMS NINCCAudit_Service (NINCCAudit_Service) (Built-in CCMS service) CCMS NITSM_Service (NITSM_Service) (Built-in CCMS service) CCMS OAM_Service (OAM_Service) (Built-in CCMS service) CCMS OAMCMF_Service (CCMS_OAM_CMF_Service) (Built-in CCMS service) <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Issue 1.02
23

CCMS RDC_Service (RDC_Service) (Built-in CCMS service) CCMS RSM_Service (RSM_Service) (Built-in CCMS service) CCMS SDMCA_Service (SDMCA_Service) (Built-in CCMS service) CCMS SDP_Service (SDP_Service) (Built-in CCMS Service) CCMS SIP_Service (CCMS_SIP_Service) (Built-in CCMS service) CCMS TFA_Service (TFA_Service) (Built-in CCMS service) CCMS TFABRIDGE_Service (TFABRIDGE_Service) (Built-in CCMS service) CCMS TFE Bridge Connector (TfeBridgeConnector) (Built-in CCMS service) CCMS TFE_Service (TFE_Service) (Built-in CCMS service) CCMS UNE_Service <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
24
Issue 1.02

(CCMS_UNE_Service) (Built-in CCMS service) CCMS VSM_Service (VSM_Service) (Built-in CCMS service) ClipBook (ClipSrv) Disabled <Not defined>
Nortel Proprietary
COM+ Event System (EventSystem) COM+ System Application (COMSysApp) Computer Browser (Browser) Cryptographic Services (CryptSvc) DCOM Server Process Launcher (DcomLaunch) (applicable to Windows Server 2003 SP1) DHCP Client (Dhcp) Distributed File System (Dfs) Distributing Link Tracking Client (TrkWks) Distributing Link Tracking Server (TrkSvr) Distributed Transaction Coordinator (MSDTC)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Issue 1.02
25

DNS Client (Dnscache) Error Reporting Services (ERSvc) Event Log (Eventlog) Fax (Fax) Disabled <Not defined> <Not defined> <Not defined>
Nortel Proprietary
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
File Replication (NtFrs)
File Server for Macintosh (MacFile)
FTP Publishing Service (MSFtpsvc)
Help & Support (Helpsvc)
HTTP SSL (HTTPFilter)
Human Interface Device Access (HidServ) IIS Admin Service (IISADMIN)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
IMAP CD-Burning COM Service (ImapiService) Indexing Service
Disabled
26
Issue 1.02

(Cisvc)
Nortel Proprietary
InstallDriver Table Manager (Built-in InstallShield service for CC installation) Intersite Messaging (IsmServ) IPSEC Service (PolicyAgent) Kerberos Key Distribution Center (Kdc) License Logging Service (LicenseService)
<Not defined>
<Not defined>
<Not defined>
Logical Disk Manager (Dmserver) Logical Disk Manager Administrative Service (Dmadmin) Messenger (Messenger)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
Microsoft POP3 Service (POP3SVC)
Microsoft Software Shadow Copy Provider (SwPrv) Net Logon (Netlogon) NetMeeting Remote Desktop Sharing (mnmsrvc)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Manual
Network Connections
Issue 1.02
27

(Netman)
Nortel Proprietary
Network DDE (NetDDE) Network DDE DSDM (NetDDEdsdm) Network Location Awareness (NLA) Network Provisioning Service (xmlprov) (applicable to Windows Server 2003 SP1) Network News Transport Protocol (NNTP) (NntpSvc)
<Not defined>
<Not defined>
<Not defined>
NT LM Security Support Provider (NtLmSsp) pcAnywhere Host Service (Built-in pcAnywhere service for CC if it is installed) Performance Logs and Alerts (SysmonLog) Plug and Play (PlugPlay) Portable Media Serial Number Service (WmdmPmSN) Print Server for Macintosh (MacPrint)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Print Spooler (Spooler) Protect Storage
<Not defined>
28
Issue 1.02

(ProtectedStorage) Remote Access Auto Connection Manager (RasAuto) Disabled
Nortel Proprietary
Remote Access Connection Manager (RasMan) Remote Administration Service (SrvcSurg)
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
Remote Desktop Help Session Manager (RDSessMgr)
Remote Installation (BINLSVC)
Remote Procedure Call (RPC) (RpcSs) Remote Procedure Call (RPC) Locator (RpcLocator) Remote Registry (RemoteRegistry) Remote Server Manager (AppMgr)
<Not defined>
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control,
Remote Server Monitor (Appmon)
Remote Storage Notification (Remote_Storage_User_Link)
Remote Storage Server (Remote_Storage_Server)
Issue 1.02
29
Nortel Proprietary
System=Full Control, Interactive=Read) Removal Storage (NtmsSvc) Resultant Set of Policy Provider (RSoPProv) Routing and Remote Access (RemoteAccess) Secondary Logon (seclogon) Security Accounts Manager (SamSs) Server (lanmanserver) Shell Hardware Detection (ShellHWDetection) Simple Mail Transfer Protocol (SMTP) (SMTPSVC) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Smart Card (SCardSvr) SNMP Service (SNMP) SNMP Trap Service (SNMPTRAP)
<Not defined>
Special Administration Console Helper (Sacsvr) Sybase BCKServer_<server name>_BS (SYBBCK_<server name>_BS) (Built-in CCMS Sybase service)
<Not defined>
30
Issue 1.02

Sybase MONServer_<server name>_MS (SYBMON_<server name>_MS) (Built-in CCMS Sybase service) Sybase SQLServer_<server name> (SYBSQL_<server name>) (Built-in CCMS Sybase service) Sybase XPServer_<server name>_XP (SYBXPS_<server name>_XP) (Built-in CCMS Sybase service) Sybase ASE Protect Service (SybProtect) (Built-in CCMS Sybase service) System Event Notification (SENS) TAO NT Naming Service (TAO_NT_Naming_Service) (Built-in CCMS TAO service) Task Scheduler (Schedule) TCP/IP NetBIOS Helper Service (LMHosts) Telephony (TapiSrv) Disabled <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
Telnet (TlntSvr)
Terminal Services (TermService)
Issue 1.02
31

Terminal Service Session Directory (Tssdis) Trivial FTP Daemon (tftpd) Disabled <Not defined>
Nortel Proprietary
Themes (Themes) Uninterruptible Power Supply (UPS) Upload Manager (Uploadmgr) Virtual Disk Service (VDS) Volume Shadow Copy (VSS) Web Element Manager (elementmgr) WebClient (WebClient) Windows Audio (AudioSrv) Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) Windows Image Acquisition (WIA) (StiSvc) Windows Installer (MSIServer) Windows Management Instrumentation (winmgmt)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
32
Issue 1.02

Windows Management Instrumentation Driver Extensions (Wmi) Windows Time (W32Time) Windows User Mode Driver Framework (UMWdf) (applicable to Windows Server 2003 SP1) WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) Wireless Configuration (WZCSVC) Disabled <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
WMI Performance Adapter (WmiApSrv) Workstation (lanmanworkstation) World Wide Web Publishing Service (W3SVC)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Registry MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers ion\Installer MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers ion\policies MACHINE\SYSTEM\CurrentControlSet\Enum Administrators=Full Control, SYSTME=Full Control, Users=Read Administrators=Full Control, SYSTME=Full Control, Users=Read Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full
MACHINE\SYSTEM\CurrentConrtrolSet\Services\SNMP\ Parameters\PermittedManagers
MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\ Parameters\ValidCommunities
Issue 1.02
33

Control USERS\.DEFAULT\Software\Microsoft\SystemCertificate s\Root\ProtectedRoots File System %SystemRoot%\regedit.exe
Nortel Proprietary
Administrators=Full Control, SYSTME=Full Control, Users=Read
Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full
%SystemRoot%\system32\at.exe
%SystemRoot%\system32\attrib.exe
%SystemRoot%\system32\cacls.exe
%SystemRoot%\system32\debug.exe
%SystemRoot%\system32\drwatson.exe
%SystemRoot%\system32\drwtsn32.exe
%SystemRoot%\system32\edlin.exe
%SystemRoot%\system32\eventcreate.exe
%SystemRoot%\system32\eventtriggers.exe
%SystemRoot%\system32\ftp.exe
%SystemRoot%\system32\net.exe
%SystemRoot%\system32\net1.exe
%SystemRoot%\system32\netsh.exe
%SystemRoot%\system32\rcp.exe
%SystemRoot%\system32\reg.exe
34
Issue 1.02

Control %SystemRoot%\system32\regedt32.exe
Nortel Proprietary
Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\regsvr32.exe
%SystemRoot%\system32\rexec.exe
%SystemRoot%\system32\rsh.exe
%SystemRoot%\system32\runas.exe
%SystemRoot%\system32\sc.exe
%SystemRoot%\system32\subst.exe
%SystemRoot%\system32\telnet.exe
%SystemRoot%\system32\tftp.exe
%SystemRoot%\system32\tlntsvr.exe
3.2
Contact Center Manager Server Co-residency Security Template Definitions

Table 5 lists the security template setting defined for the Contact Center Manager Server 6.0 Co-residency server (co-residency with CCMS, CCMA, and CCT).
Table 5 Contact Center Manager Server 6.0 Co-res Security Template Settings
Security Setting Items Account Policies Password Policy Enforce password history
Setting
24 passwords remembered
Issue 1.02
35

Maximum password age Minimum password age Minimum password length Password must meet complexity requirements Store passwords using reversible encryption Account Lockout Policy Account lockout duration Account lockout threshold Reset account lockout counter after Kerberos Policy Enforce user logon restrictions Maximum lifetime for service ticket Maximum lifetime for user ticket Maximum lifetime for user ticket renewal Maximum tolerance for computer clock synchronization Local Policies Audit Policy Audit account logon events Audit account management Audit directory service access Audit logon events Audit object access Audit policy change Audit privilege use Audit process tracking Audit system events User Rights Assignment Success, Failure Success, Failure <Not defined> Success, Failure Success, Failure Success <Not defined> <Not defined> Success <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> 15 minutes 15 invalid logon attempts 15 minutes 90 days 1 days 8 characters Enabled Disabled
Nortel Proprietary
36
Issue 1.02

Access this computer from the network Act as part of the operating system Add workstations to domain Adjust memory quotas for a process Allow log on locally Allow log on through terminal services Back up files and directories Bypass traverse checking Change the system time Create a pagefile Create a token object Create a global object Create permanent shared objects Debug programs Deny access to this computer from the network Deny log on as a batch job Deny log on as a service Deny log on locally Deny log on through Terminal Service Enable computer and user accounts to be trusted for delegation Force shutdown from a remote system Generate security audits Impersonate a client after authentication Increase scheduling priority Load and unload device drivers Lock pages in memory Log on as batch job <Not defined> <None> <Not defined> <Not defined> Administrators
Nortel Proprietary
Administrators, Remote Desktop Users Administrators Users Administrators <Not defined> <None> <Not defined> <None> <None> ANONYMOUS LOGON, Guests Guests <Not defined> <Not defined> Guests <None>
<Not defined> <Not defined> SERVICE <Not defined> Administrators <Not defined> <Not defined>
Issue 1.02
37

Log on as a service Manage auditing and security log Modify firmware environment values Perform volume maintenance tasks Profile single process Profile system performance Remove computer from docking station Replace a process level token Restore files and directories Shutdown the system Synchronize directory service data Take ownership of file or other objects Security Options Accounts: Administrator account status Accounts: Guest account status Accounts: Limit local account use of blank passwords to console logon only Accounts: Rename administrator account <Not defined> Disabled Enabled <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
LOCAL SERVICE, NETWORK SERVICE <Not defined> Administrators <None> Administrators
<Not defined> (recommend to change it to a non-standard name)
Accounts: Rename guest account
Audit: Audit the access of global system objects Audit: Audit the use of backup and restore privilege Audit: Shut down system immediately if unable to log security alerts DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
<Not defined> <Not defined> <Not defined>
<Not defined>
<Not defined>
38
Issue 1.02

Devices: Allow undock without having to log on Devices: Allowed to format and eject removal media Devices: Prevent users from installing printer drivers Devices: Restrict CD-ROM access to locally logged-on user only Devices: Restrict floppy access to locally logged-on user only Devices: Unsigned driver installation behavior Domain Controller: Allow server operators to schedule tasks <Not defined> Administrators Enabled <Not defined>
Nortel Proprietary
<Not defined>
Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Domain member: Disable machine account password changes Domain member: Maximum machine password age Domain member: Require strong (Windows 2000 or later) session key Interactive logon: Display user information when the session is locked Interactive logon: Do not display last user name Interactive logon: Do not required CTRL+ALT+DEL Interactive logon: Message text for users attempting to log on
<Not defined>
Enabled
Enabled
Disabled
30 days Enabled
<Not defined>
Interactive logon: Message title for users attempting to log
<Not defined>
Issue 1.02
39

on
Nortel Proprietary
(Recommend to define a custom, or DOJ approved message title) Interactive logon: Number of previous logons to cache (in case domain controller is not available) Interactive logon: Prompt user to change password before expiration Interactive logon: Require domain controller authentication to unlock workstation Interactive logon: Require smart card Interactive logon: Smart card removal behavior Microsoft network client: Digitally sign communications (always) Microsoft network client: Digitally sign communications (if server agrees) Microsoft network client: Send unencrypted password to connect to third-party SMB servers Microsoft network server: Amount of idle time required before suspending session Microsoft network server: Digitally sign communications (always) Microsoft network server: Digitally sign communications (if client agrees) Microsoft network server: Disconnect clients when logon hours expire MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended) MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended) MSS: (AFD MaximumDynamicBacklog) Maximum number of quasi-free connections for Winsock applications MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for system under attack, 10 otherwise) MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) MSS: (EnableDealGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) <Not defined>
14 days
<Not defined>
Enabled
Disabled
15 minutes
<Not defined>
Enabled
Enabled
10
Enabled
20000 (recommended)
20
40
Issue 1.02

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU) MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS) MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) MSS: (TCPMaxConnectREsponseRetransmission) SYNACK retransmissions when a connection request is not acknowledged MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) MSS: (TCPMazPortalExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended) MSS: Disable Autorun for all drives MSS: Enable Safe DLL search mode MSS: Enable the computer to stop generating 8.3 style filenames MSS: How often keep-alive packets are sent in milliseconds MSS Percentage threshold for the security event log at which the system will generate a warning MSS: The time in seconds before the screen saver grace period expires Disabled
Nortel Proprietary
<Not defined>
Enabled
Disabled
255, disable Autorun for all drives Enabled <Not defined>
<Not defined>
Network access: Allow anonymous SID//Name translation Network access: Do not allow anonymous enumeration of SAM accounts Network access: Do not allow anonymous enumeration of SAM accounts and shares Network access: Do not allow storage of credentials or .NET passports for network authentication
Disabled Enabled
Enabled
Enabled
Issue 1.02
41

Network access: Let Everyone permissions apply to anonymous users Network access: Named pipes that can be accessed anonymously Network access: Remotely accessible registry paths Disabled
Nortel Proprietary
<None>
Software\Microsoft\WindowsNT\CurrentVer sion\Print Software\Microsoft\WindowsNT\CurrentVes ion\Windows System\CurrentControlSet\Control\Print\Print ers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server System\CurrentControlSet\Control\ContentIn dex System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration Software\Micrsoft\WIndowsNT\CurrentVersi on\Perflib System\CurrentControlSet\Services\SysmonL og
Network access: Restrict anonymous access to Named Pipes and Shares Network access: Shares that can be accessed anonymously Network access: Sharing and security model for local accounts Network security: Do not store LAN Manager password hash value on next password change Network security: Force logoff when logon hours expire Network security: LAN Manager authentication level
Enabled
<Not defined> Send NTLMv2 response only\refuse LM
42
Issue 1.02

Network security: LDAP client signing requirements Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Negotiate signing
Nortel Proprietary
Recovery console: Allow automatic administrative logon Recovery console: Allow floppy copy and access to all drives and all folders Shutdown: Allow system to be shut down without having to log on Shutdown: Clear virtual memory pagefile System cryptography: Force strong key protection for user keys stored on computer System cryptography: User FIPS compliant algorithms for encryption, hashing, and signing System objects: Default owner for objects created by members of the Administrations group System objects: Require case insensitive for non-Windows subsystems System objects: Strengthen default permission of internal system objects System settings: Option subsystems System settings: User Certificate Rules on Windows Executables for Software Restriction Policies Event Logs Maximum application log size Maximum security log size Maximum system log size
Disable
<Not defined>
<Not defined>
Enabled
16384 kilobytes 81920 kilobytes 16384 kilobytes
Issue 1.02
43

Prevent local guests group from accessing application log Prevent local guests group from accessing security log Prevent local guests group from accessing system log Retain application log Retain security log Retain system log Retention method for application log Retention method for security log Retention method for system log Restricted Groups <Not defined> System Services ACDPROXY Service Alerter (Alerter) <Not defined> Disabled Enabled Enabled Enabled <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Application Experience Lookup Service (AeLookupSvc) (applicable to Windows Server 2003 SP1) Application Layer Gateway Service (ALG) Application Management (AppMgmt) Client Service for Netware (NWCWorkstation)
<Not defined>
<Not defined>
ASP.NET State Service (aspnet_state) Automatic Updates
<Not defined>
44
Issue 1.02

(Wuauserv) Background Intelligent Transfer Service (BITS) CCMA ICEEmHlpService (Built-in CCMA service) CCMA IceRTDService (Built-in CCMA service) CCMA LMService (Built-in CCMA service) CC License Manager (CC_LM) (Built-in CC 6.0 service) CC Replication Service (REP_Service) (Built-in CCMS service CCMS ASM_Service (ASM_Service) (Built-in CCMS Service) CCMS Audit_Service (AUDIT_Service) (Built-in CCMS service) CCMS Control Service (CCMS_MasterService) (Built-in CCMS service) CCMS DBNotifier_Service (DBNotifier_Service) (Built-in CCMS service) CCMS EB_Service <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Issue 1.02
45

(EB_Service) (Built-in CCMS service) CCMS ES_Service (ES_Service) (Built-in CCMS service) CCMS HDC_Service (HDC_Service) (Built-in CCMS service) CCMS HDM_Service (HDM_Service) (Built-in CCMS service) CCMS Host Application Integration (Host Application Integration) (Built-in CCMS service) CCMS IS_Service (IS_Service) (Built-in CCMS service) CCMS MAS Backup/Restore (nbbkp) (Built-in CCMS service) CCMS MAS Configuration Manager (nbcfg) (Built-in CCMS service) CCMS MAS Event Scheduler (nbsch) (Built-in CCMS service) CCMS MAS Fault Manager (nbflt) <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
46
Issue 1.02

(Built-in CCMS service) CCMS MAS LinkHandler Port #2 (nbalh) (Built-in CCMS service) CCMS MAS OM Server (nboms) (Built-in CCMS service) CCMS MAS Security (nbss) (Built-in CCMS service) CCMS MAS Service Daemon (nbsm_dae) (Built-in CCMS service) CCMS MAS Service Manager (nbsm) (Built-in CCMS service) CCMS MAS Time Service (nbts) (Built-in CCMS service) CCMS MLSM_Service (MLSM_Service) (Built-in CCMS service) CCMS NBMSM_Service (CCMS_NBMSM_Service) (Built-in CCMS service) CCMS NBNM_Service (NBNM_Service) (Built-in CCMS service) <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Issue 1.02
47

CCMS NBTSM_Service (NBTSM_Service) (Built-in CCMS service) CCMS NCCOAM_Service (NCCOAM_Service) (Built-in CCMS service) CCMS NDLOAM_Service (NDLOAM_Service) (Built-in CCMS service) CCMS NIMSM_Service (CCMS_NIMSM_Service) (Built-in CCMS service) CCMS NINCCAudit_Service (NINCCAudit_Service) (Built-in CCMS service) CCMS NITSM_Service (NITSM_Service) (Built-in CCMS service) CCMS OAM_Service (OAM_Service) (Built-in CCMS service) CCMS OAMCMF_Service (CCMS_OAM_CMF_Service) (Built-in CCMS service) CCMS RDC_Service (RDC_Service) (Built-in CCMS service) CCMS RSM_Service <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
48
Issue 1.02

(RSM_Service) (Built-in CCMS service) CCMS SDMCA_Service (SDMCA_Service) (Built-in CCMS service) CCMS SDP_Service (SDP_Service) (Built-in CCMS Service) CCMS SIP_Service (CCMS_SIP_Service) (Built-in CCMS service) CCMS TFA_Service (TFA_Service) (Built-in CCMS service) CCMS TFABRIDGE_Service (TFABRIDGE_Service) (Built-in CCMS service) CCMS TFE Bridge Connector (TfeBridgeConnector) (Built-in CCMS service) CCMS TFE_Service (TFE_Service) (Built-in CCMS service) CCMS UNE_Service (CCMS_UNE_Service) (Built-in CCMS service) CCMS VSM_Service (VSM_Service) <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Issue 1.02
49

(Built-in CCMS service) ClipBook (ClipSrv) Disabled
Nortel Proprietary
COM+ Event System (EventSystem) COM+ System Application (COMSysApp) Computer Browser (Browser) Cryptographic Services (CryptSvc) Crystal Report Application Server (built-in CCMA Crystal Report service) DCOM Server Process Launcher (DcomLaunch) (applicable to Windows Server 2003 SP1) DHCP Client (Dhcp) Distributed File System (Dfs) Distributing Link Tracking Client (TrkWks) Distributing Link Tracking Server (TrkSvr) Distributed Transaction Coordinator (MSDTC) DNS Client (Dsncache)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
50
Issue 1.02

Error Reporting Services (ERSvc) Event Log (Eventlog) Fax (Fax) Disabled <Not defined> <Not defined>
Nortel Proprietary
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
HTTP SSL (HTTPFilter) Human Interface Device Access (HidServ) IIS Admin Service (IISADMIN) IMAP CD-Burning COM Service (ImapiService) Indexing Service (Cisvc)
<Not defined>
<Not defined>
<Not defined>
InstallDriver Table Manager
Issue 1.02
51

(Built-in InstallShield service for CC installation) Intersite Messaging (IsmServ) IPSEC Service (PolicyAgent) Kerberos Key Distribution Center (Kdc) License Logging (LicenseService) Disabled <Not defined> <Not defined> <Not defined>
Nortel Proprietary
<Not defined>
Microsoft Software Shadow Copy Provider (SwPrv) MSSQL$NNCCTDB (Built-in CCT SQL server) MSSQLServerADHelper (Built-in CCT SQL service) NCCT Data Access Layer (Built-in CCT service) NCCT Server (Built-in CCT service)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
52
Issue 1.02

NCCT TAPI Connector Service (Built-in CCT service) Net Logon (Netlogon) NetMeeting Remote Desktop Sharing (mnmsrvc) Disabled <Not defined> <Not defined>
Nortel Proprietary
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Manual (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
Network Connections (Netman)
Network DDE (NetDDE) Network DDE DSDM (NetDDEdsdm) Network Location Awareness (NLA) Network Provisioning Service (xmlprov) Network News Transport Protocol (NNTP) (NntpSvc)
<Not defined>
<Not defined>
<Not defined>
NT LM Security Support Provider (NtLmSsp) pcAnywhere Host Service (Built-in pcAnywhere service for CC if it is installed) Performance Logs and Alerts (SysmonLog) Plug and Play (PlugPlay) Portable Media Serial Number Service
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Issue 1.02
53

(WmdmPmSN) Print Server for Macintosh (MacPrint) Disabled
Nortel Proprietary
Print Spooler (Spooler) Protect Storage (ProtectedStorage) Remote Access Auto Connection Manager (RasAuto)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
Remote Access Connection Manager (RasMan)
Remote Administration Service (SrvcSurg)
<Not defined>
<Not defined>
54
Issue 1.02

Remote Server Monitor (APPMON) Disabled
Nortel Proprietary
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
Removal Storage (NtmsSvc) Resultant Set of Policy Provider (RSoPProv) Routing and Remote Access (RemoteAccess) Secondary Logon (seclogon) Security Accounts Manager (SamSs) Server (lanmanserver) Shell Hardware Detection (ShellHWDetection) Simple Mail Transfer Protocol (SMTP) (SMTPSVC) Smart Card (SCardSvr) SNMP Service (SNMP) SNMP Trap Service
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Disabled
Issue 1.02
55

(SNMPTRAP)
Nortel Proprietary
Special Administration Console Helper (Sacsvr) SQLAgent$NNCCTDB (Built-in CCT SQL Agent service) Sybase BCKServer_<server name>_BS (SYBBCK_<server name>_BS) (Built-in CCMS Sybase service) Sybase MONServer_<server name>_MS (SYBMON_<server name>_MS) (Built-in CCMS Sybase service) Sybase SQLServer_<server name> (SYBSQL_<server name>) (Built-in CCMS Sybase service) Sybase XPServer_<server name>_XP (SYBXPS_<server name>_XP) (Built-in CCMS Sybase service) Sybase ASE Protect Service (SybProtect) (Built-in CCMS Sybase service) SymposiumWC (Built-in CCMA ADAM service) System Event Notification (SENS) Task Scheduler (Schedule) TCP/IP NetBIOS Helper (LMHost)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
56
Issue 1.02

Telephony (TapiSrv) Telnet (TlnetSvr) Disabled <Not defined>
Nortel Proprietary
Terminal Service (TermService) Terminal Service Session Directory (Tssdis) Trivial FTP Daemon (tftpd)
<Not defined>
Themes (Themes) Uninterruptible Power Supply UPS) Upload Manager (Uploadmgr) Virtual Disk Service (VDS) Volume Shadow Copy (VSS) Web Element Manager (elementmgr) WebClient (WebClient) Windows Audio (AudioSrv) Windows Firewall/Internet Connection Sharing (ICS)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Issue 1.02
57

(SharedAccess) Windows Image Acquisition (WIA) (SuSvc) Windows Installer (MSIServer) Windows Management Instrumentation (winmgmt) Windows Management Instrumentation Driver Extensions (Wmi) Windows Time (W32Time) Windows User Mode Driver Framework (UMWdf) WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) Wireless Configuration (WZCSVC) Disabled <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
WMI Performance Adapter (WmiApSrv) Workstation (lanmanworkstation) World Wide Web Publishing Service (W3SVC) Registry MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit MACHINE\SOFTWARE\Microsoft\Windows\CurrentVer sion\Installer
<Not defined>
<Not defined>
Administrators=Full Control, SYSTME=Full Control, Users=Read Administrators=Full Control, SYSTME=Full Control, Users=Read
58
Issue 1.02
Nortel Proprietary
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVer sion\policies MACHINE\SYSTEM\CurrentControlSet\Enum
Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTME=Full Control, Users=Read
MACHINE\SYSTEM\CurrentConrtrolSet\Services\SNMP \Parameters\PermittedManagers
USERS\.DEFAULT\Software\Microsoft\SystemCertificate s\Root\ProtectedRoots File System %SystemRoot%\regedit.exe
Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control,
Issue 1.02
59

SYSTEM=Full Control %SystemRoot%\system32\net1.exe
Nortel Proprietary
Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control
%SystemRoot%\system32\regedt32.exe
3.3
Contact Center Manager Administration Security Template Definitions

Table 6 lists the security template setting defined for the Nortel Contact Center Manager Administration 6.0 server.
60
Issue 1.02
Nortel Proprietary
Table 6 Nortel Contact Center Manager Administration 6.0 Security Template Settings
Security Setting Items Account Policies Password Policy Enforce password history Maximum password age Minimum password age Minimum password length Password must meet complexity requirements Store passwords using reversible encryption Account Lockout Policy Account lockout duration Account lockout threshold Reset account lockout counter after Kerberos Policy Enforce user logon restrictions Maximum lifetime for service ticket Maximum lifetime for user ticket Maximum lifetime for user ticket renewal Maximum tolerance for computer clock synchronization Local Policies Audit Policy Audit account logon events Audit account management Audit directory service access Audit logon events
Setting
24 passwords remembered 90 days 1 days 8 characters Enabled Disabled
Success, Failure Success, Failure <Not defined> Success, Failure
Issue 1.02
61

Audit object access Audit policy change Audit privilege use Audit process tracking Audit system events User Rights Assignment Access this computer from the network Act as part of the operating system Add workstations to domain Adjust memory quotas for a process Allow log on locally Allow log on through terminal services Back up files and directories Bypass traverse checking Change the system time Create a pagefile Create a token object Create a global object Create permanent shared objects Debug programs Deny access to this computer from the network Deny log on as a batch job Deny log on as a service Deny log on locally Deny log on through Terminal Service Enable computer and user accounts to be trusted for delegation Force shutdown from a remote system <Not defined> <None> <Not defined> <Not defined> Administrators Success, Failure Success <Not defined> <Not defined> Success
Nortel Proprietary
<Not defined>
62
Issue 1.02

Generate security audits Impersonate a client after authentication Increase scheduling priority Load and unload device drivers Lock pages in memory Log on as batch job Log on as a service Manage auditing and security log Modify firmware environment values Perform volume maintenance tasks Profile single process Profile system performance Remove computer from docking station Replace a process level token Restore files and directories Shutdown the system Synchronize directory service data Take ownership of file or other objects Security Options Accounts: Administrator account status Accounts: Guest account status Accounts: Limit local account use of blank passwords to console logon only Accounts: Rename administrator account <Not defined> Disabled Enabled <Not defined> SERVICE <Not defined> Administrators <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Issue 1.02
63

Audit: Audit the access of global system objects Audit: Audit the use of backup and restore privilege Audit: Shut down system immediately if unable to log security alerts DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax Devices: Allow undock without having to log on Devices: Allowed to format and eject removal media Devices: Prevent users from installing printer drivers Devices: Restrict CD-ROM access to locally logged-on user only Devices: Restrict floppy access to locally logged-on user only Devices: Unsigned driver installation behavior Domain Controller: Allow server operators to schedule tasks <Not defined> <Not defined> <Not defined>
Nortel Proprietary
<Not defined>
<Not defined>
<Not defined>
Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Domain member: Disable machine account password changes Domain member: Maximum machine password age Domain member: Require strong (Windows 2000 or later) session key
<Not defined>
Enabled
Enabled
Disabled
30 days Enabled
64
Issue 1.02

Interactive logon: Display user information when the session is locked Interactive logon: Do not display last user name Interactive logon: Do not required CTRL+ALT+DEL Interactive logon: Message text for users attempting to log on <Not defined>
Nortel Proprietary
Interactive logon: Number of previous logons to cache (in case domain controller is not available) Interactive logon: Prompt user to change password before expiration Interactive logon: Require domain controller authentication to unlock workstation Interactive logon: Require smart card Interactive logon: Smart card removal behavior Microsoft network client: Digitally sign communications (always) Microsoft network client: Digitally sign communications (if server agrees) Microsoft network client: Send unencrypted password to connect to third-party SMB servers Microsoft network server: Amount of idle time required before suspending session Microsoft network server: Digitally sign communications (always) Microsoft network server: Digitally sign communications (if client agrees) Microsoft network server: Disconnect clients when logon hours expire MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended) MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)
<Not defined>
14 days
<Not defined>
Enabled
Disabled
15 minutes
<Not defined>
Enabled
Enabled
10
Enabled
Issue 1.02
65

MSS: (AFD MaximumDynamicBacklog) Maximum number of quasi-free connections for Winsock applications MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for system under attack, 10 otherwise) MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) MSS: (EnableDealGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU) MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS) MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) MSS: (TCPMaxConnectREsponseRetransmission) SYNACK retransmissions when a connection request is not acknowledged MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) MSS: (TCPMazPortalExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended) MSS: Disable Autorun for all drives MSS: Enable Safe DLL search mode MSS: Enable the computer to stop generating 8.3 style filenames MSS: How often keep-alive packets are sent in milliseconds MSS Percentage threshold for the security event log at which the system will generate a warning 20000 (recommended)
Nortel Proprietary
20
Disabled
<Not defined>
Enabled
Disabled
<Not defined>
66
Issue 1.02

MSS: The time in seconds before the screen saver grace period expires 0
Nortel Proprietary
Disabled Enabled
Enabled
Enabled
Disabled
<None>
Software\Microsoft\WindowsNT\CurrentVer sion\Print Software\Microsoft\WindowsNT\CurrentVes ion\Windows System\CurrentControlSet\Control\Print\Print ers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server System\CurrentControlSet\Control\ContentIn dex System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration Software\Micrsoft\WIndowsNT\CurrentVersi on\Perflib System\CurrentControlSet\Services\SysmonL og
Issue 1.02
67

Network access: Restrict anonymous access to Named Pipes and Shares Network access: Shares that can be accessed anonymously Network access: Sharing and security model for local accounts Network security: Do not store LAN Manager password hash value on next password change Network security: Force logoff when logon hours expire Network security: LAN Manager authentication level Network security: LDAP client signing requirements Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Enabled
Nortel Proprietary
Recovery console: Allow automatic administrative logon Recovery console: Allow floppy copy and access to all drives and all folders Shutdown: Allow system to be shut down without having to log on Shutdown: Clear virtual memory pagefile System cryptography: Force strong key protection for user keys stored on computer System cryptography: User FIPS compliant algorithms for encryption, hashing, and signing System objects: Default owner for objects created by members of the Administrations group System objects: Require case insensitive for non-Windows subsystems System objects: Strengthen default permission of internal
Disable
<Not defined>
<Not defined>
Enabled
68
Issue 1.02

system objects System settings: Option subsystems System settings: User Certificate Rules on Windows Executables for Software Restriction Policies Event Logs Maximum application log size Maximum security log size Maximum system log size Prevent local guests group from accessing application log Prevent local guests group from accessing security log Prevent local guests group from accessing system log Retain application log Retain security log Retain system log Retention method for application log Retention method for security log Retention method for system log Restricted Groups <Not defined> System Services Alerter (Alerter) Disabled 16384 kilobytes 81920 kilobytes 16384 kilobytes Enabled Enabled Enabled <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <None> <Not defined>
Nortel Proprietary
Application Experience Lookup Service (AeLookupSvc) (applicable to Windows Server 2003 SP1) Application Layer Gateway Service (ALG) Application Management
<Not defined>
<Not defined>
Issue 1.02
69

(AppMgmt) Client Service for Netware (NWCWorkstation) Disabled
Nortel Proprietary
ASP.NET State Service (aspnet_state) Automatic Updates (Wuauserv) Background Intelligent Transfer Service (BITS) CCMA ICEEmHlpService (Built-in CCMA service) CCMA IceRTDService (Built-in CCMA service) CCMA LMService (Built-in CCMA service) ClipBook (ClipSrv)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
COM+ Event System (EventSystem) COM+ System Application (COMSysApp) Computer Browser (Browser) Cryptographic Services (CryptSvc) Crystal Report Application Server (built-in CCMA Crystal Report service)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
70
Issue 1.02

DCOM Server Process Launcher (DcomLaunch) (applicable to Windows Server 2003 SP1) DHCP Client (Dhcp) Distributed File System (Dfs) Distributing Link Tracking Client (TrkWks) Distributing Link Tracking Server (TrkSvr) Distributed Transaction Coordinator (MSDTC) DNS Client (Dnscache) Error Reporting Services (ERSvc) Event Log (Eventlog) Fax (Fax) Disabled <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control,
Issue 1.02
71
Nortel Proprietary
System=Full Control, Interactive=Read) Help & Support (Helpsvc) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
<Not defined>
<Not defined>
<Not defined>
InstallDriver Table Manager (Built-in InstallShield service for CC installation) Intersite Messaging (IsmServ) IPSEC Service (PolicyAgent) Kerberos Key Distribution Center (Kdc) License Logging (LicenseService)
<Not defined>
<Not defined>
<Not defined>
Logical Disk Manager Dmserver) Logical Disk Manager Administrative Service (Dmadmin)
<Not defined>
72
Issue 1.02

Messenger (Messenger) Disabled
Nortel Proprietary
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Manual (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
Network DDE (NetDDE) Network DDE DSDM (NetDDEdsdm) Network Location Awareness (NLA) (NLA) Network Provisioning Service (xmlprov) Network News Transport Protocol (NNTP) (NntpSvc)
<Not defined>
<Not defined>
<Not defined>
NT LM Security Support Provider (NtLmSsp) pcAnywhere Host Service (Built-in pcAnywhere service for CC if it is installed)
<Not defined>
Issue 1.02
73

Performance Logs and Alerts (SysmonLog) Plug and Play (PlugPlay) Portable Media Serial Number Service (WmdmPmSN) Print Server for Macintosh (MacPrint) Disabled <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Print Spooler (Spooler) Protect Storage (ProtectStorage) Remote Access Auto Connection Manager (RasAuto)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
Remote Procedure Call (RPC) (RpcSs) Remote Procedure Call (RPC) Locator
<Not defined>
74
Issue 1.02

(PrcLocator) Remote Registry (RemoteRegistry) Remote Server Manager (AppMgr) Disabled <Not defined>
Nortel Proprietary
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
Remote Server Monitor (APPMON)
Removal Storage (NtmsSvc) Resultant Set of Policy Provider (RSoPProv) Routing and Remote Access (RemoteAccess) Secondary Logon (seclogon) Security Accounts Manager (SamSs) Server (lanmanserver) Shell Hardware Detection ShellHWDetection) Simple Mail Transfer Protocol (SMTP)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Issue 1.02
75

(SMTPSVC) Smart Card (SCardSvr) SNMP Service (SNMP) SNMP Trap Service (SNMPTRAP) Disabled <Not defined> <Not defined>
Nortel Proprietary
Special Administration Console Helper (Sacsvr) SymposiumWC (Built-in CCMA ADAM service) System Event Notification (SENS) Task Scheduler (Schedule) TCP/IP NetBIOS Helper (LMHost)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Telephony (TapiSrv)
Telnet (TlntSvr)
Terminal Service (TermService) Terminal Service Session Directory (Tssdis) Trivial FTP Daemon
<Not defined>
Disabled
76
Issue 1.02

(tftpd)
Nortel Proprietary
Themes (Themes) Uninterruptible Power Supply (UPS) Upload Manager (Uploadmgr) Virtual Disk Service (VDS) Volume Shadow Copy VSS) Web Element Manager (elementmgr) WebClient (WebClient) Windows Audio AudioSrv) Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) Windows Image Acquisition (WIA) (SuSvc) Windows Installer (MSIServer) Windows Management Instrumentation (winmgmt) Windows Management Instrumentation Driver Extensions (Wmi) Windows Time
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Issue 1.02
77

(W32Time) Windows User Mode Driver Framework (UMWdf) WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) Wireless Configuration (WZCSVC) Disabled <Not defined> <Not defined>
Nortel Proprietary
WMI Performance Adapter (WmiApSrv) Workstation (lanmanworkstation) World Wide Web Publishing Service (W3SVC) Registry MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit MACHINE\SOFTWARE\Microsoft\Windows\CurrentVer sion\Installer MACHINE\SOFTWARE\Microsoft\Windows\CurrentVer sion\policies MACHINE\SYSTEM\CurrentControlSet\Enum
<Not defined>
<Not defined>
Administrators=Full Control, SYSTME=Full Control, Users=Read Administrators=Full Control, SYSTME=Full Control, Users=Read Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTME=Full Control, Users=Read
Administrators=Full Control, SYSTEM=Full
78
Issue 1.02

Control %SystemRoot%\system32\at.exe
Nortel Proprietary
Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control
Issue 1.02
79
Nortel Proprietary
Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control
3.4
Communication Control Toolkit Security Template Definitions

Table 7 lists the security template setting defined for the Nortel Communication Control Toolkit 6.0 server.
Table 7 Nortel Communication Control Toolkit 6.0 Security Template Settings
Security Setting Items Account Policies Password Policy Enforce password history Maximum password age Minimum password age Minimum password length Password must meet complexity requirements
Setting
24 passwords remembered 90 days 1 days 8 Enabled
80
Issue 1.02

Store passwords using reversible encryption Account Lockout Policy Account lockout duration Account lockout threshold Reset account lockout counter after Kerberos Policy Enforce user logon restrictions Maximum lifetime for service ticket Maximum lifetime for user ticket Maximum lifetime for user ticket renewal Maximum tolerance for computer clock synchronization Local Policies Audit Policy Audit account logon events Audit account management Audit directory service access Audit logon events Audit object access Audit policy change Audit privilege use Audit process tracking Audit system events User Rights Assignment Access this computer from the network Act as part of the operating system Add workstations to domain Adjust memory quotas for a process <Not defined> <None> <Not defined> <Not defined> Success, Failure Success, Failure <Not defined> Success, Failure Success, Failure Success <Not defined> <Not defined> Success <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> 15 minutes 15 invalid logon attempts 15 minutes Disabled
Nortel Proprietary
Issue 1.02
81

Allow log on locally Allow log on through terminal services Back up files and directories Bypass traverse checking Change the system time Create a pagefile Create a token object Create a global object Create permanent shared objects Debug programs Deny access to this computer from the network Deny log on as a batch job Deny log on as a service Deny log on locally Deny log on through Terminal Service Enable computer and user accounts to be trusted for delegation Force shutdown from a remote system Generate security audits Impersonate a client after authentication Increase scheduling priority Load and unload device drivers Lock pages in memory Log on as batch job Log on as a service Manage auditing and security log Modify firmware environment values Perform volume maintenance tasks Administrators
Nortel Proprietary
<Not defined> <Not defined> SERVICE <Not defined> Administrators <Not defined> <None> <Not defined> <Not defined> <Not defined> <Not defined>
82
Issue 1.02

Profile single process Profile system performance Remove computer from docking station Replace a process level token Restore files and directories Shutdown the system Synchronize directory service data Take ownership of file or other objects Security Options Accounts: Administrator account status Accounts: Guest account status Accounts: Limit local account use of blank passwords to console logon only Accounts: Rename administrator account <Not defined> Disabled Enabled <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Audit: Audit the access of global system objects Audit: Audit the use of backup and restore privilege Audit: Shut down system immediately if unable to log security alerts DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax Devices: Allow undock without having to log on Devices: Allowed to format and eject removal media Devices: Prevent users from installing printer drivers Devices: Restrict CD-ROM access to locally logged-on user only
<Not defined>
<Not defined>
Issue 1.02
83

Devices: Restrict floppy access to locally logged-on user only Devices: Unsigned driver installation behavior Domain Controller: Allow server operators to schedule tasks <Not defined>
Nortel Proprietary
Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Domain member: Disable machine account password changes Domain member: Maximum machine password age Domain member: Require strong (Windows 2000 or later) session key Interactive logon: Display user information when the session is locked Interactive logon: Do not display last user name Interactive logon: Do not required CTRL+ALT+DEL Interactive logon: Message text for users attempting to log on
<Not defined>
Enabled
Enabled
Disabled
30 days Enabled
<Not defined>
Interactive logon: Number of previous logons to cache (in case domain controller is not available) Interactive logon: Prompt user to change password before expiration
<Not defined>
14 days
84
Issue 1.02

Interactive logon: Require domain controller authentication to unlock workstation Interactive logon: Require smart card Interactive logon: Smart card removal behavior Microsoft network client: Digitally sign communications (always) Microsoft network client: Digitally sign communications (if server agrees) Microsoft network client: Send unencrypted password to connect to third-party SMB servers Microsoft network server: Amount of idle time required before suspending session Microsoft network server: Digitally sign communications (always) Microsoft network server: Digitally sign communications (if client agrees) Microsoft network server: Disconnect clients when logon hours expire MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended) MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended) MSS: (AFD MaximumDynamicBacklog) Maximum number of quasi-free connections for Winsock applications MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for system under attack, 10 otherwise) MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) MSS: (EnableDealGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU) MSS: (NoNameReleaseOnDemand) Allow the computer <Not defined>
Nortel Proprietary
Enabled
Disabled
15 minutes
<Not defined>
Enabled
Enabled
10
Enabled
20000 (recommended)
20
Disabled
<Not defined>
Enabled
Issue 1.02
85

to ignore NetBIOS name release requests except from WINS servers MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS) MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) MSS: (TCPMaxConnectREsponseRetransmission) SYNACK retransmissions when a connection request is not acknowledged MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) MSS: (TCPMazPortalExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended) MSS: Disable Autorun for all drives MSS: Enable Safe DLL search mode MSS: Enable the computer to stop generating 8.3 style filenames MSS: How often keep-alive packets are sent in milliseconds MSS Percentage threshold for the security event log at which the system will generate a warning MSS: The time in seconds before the screen saver grace period expires Disabled
Nortel Proprietary
<Not defined>
Disabled Enabled
Enabled
Enabled
Disabled
<None>
System\CurrentControlSet\Control\ProductO ptions
86
Issue 1.02
Nortel Proprietary
System\CurrentControlSet\Control\Server Applications Software\Microsoft\WindowsNT\CurrentVer sion Network access: Remotely accessible registry paths and sub-paths Software\Microsoft\WindowsNT\CurrentVer sion\Print Software\Microsoft\WindowsNT\CurrentVes ion\Windows System\CurrentControlSet\Control\Print\Print ers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server System\CurrentControlSet\Control\ContentIn dex System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration Software\Micrsoft\WIndowsNT\CurrentVersi on\Perflib System\CurrentControlSet\Services\SysmonL og Network access: Restrict anonymous access to Named Pipes and Shares Network access: Shares that can be accessed anonymously Network access: Sharing and security model for local accounts Network security: Do not store LAN Manager password hash value on next password change Network security: Force logoff when logon hours expire Network security: LAN Manager authentication level Network security: LDAP client signing requirements Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Enabled
<Not defined> Send NTLMv2 response only\refuse LM Negotiate signing Require message integrity Require message confidentiality Require NTLMv2 Session Security
Issue 1.02
87
Nortel Proprietary
Require 128-bit Encryption Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Require message integrity Require message confidentiality Require NTLMv2 Session Security Require 128-bit Encryption Recovery console: Allow automatic administrative logon Recovery console: Allow floppy copy and access to all drives and all folders Shutdown: Allow system to be shut down without having to log on Shutdown: Clear virtual memory pagefile System cryptography: Force strong key protection for user keys stored on computer System cryptography: User FIPS compliant algorithms for encryption, hashing, and signing System objects: Default owner for objects created by members of the Administrations group System objects: Require case insensitive for non-Windows subsystems System objects: Strengthen default permission of internal system objects System settings: Option subsystems System settings: User Certificate Rules on Windows Executables for Software Restriction Policies Event Logs Maximum application log size Maximum security log size Maximum system log size Prevent local guests group from accessing application log Prevent local guests group from accessing security log Prevent local guests group from accessing system log Retain application log 16384 kilobytes 81920 kilobytes 16384 kilobytes Enabled Enabled Enabled <Not defined> Disabled <Not defined>
Disable
<Not defined>
<Not defined>
Enabled
88
Issue 1.02

Retain security log Retain system log Retention method for application log Retention method for security log Retention method for system log Restricted Groups <Not defined> System Services ACDPROXY Service Alerter (Alerter) <Not defined> Disabled <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Application Experience Lookup Service (AeLookupSvc) (applicable to Windows Server 2003 SP1) Application Layer Gateway Service (ALG) Application Management (AppMgmt) CC License Manager (applicable if CC License Manager is installed on the CCT server) Client Service for Netware (NWCWorkstation)
<Not defined>
<Not defined>
<Not defined>
Automatic Updates (Wuauserv) Background Intelligent Transfer Service (BITS)
<Not defined>
Issue 1.02
89

ClipBook (ClipSrv) Disabled
Nortel Proprietary
COM+ Event System (EventSystem) COM+ System Application (COMSysApp) Computer Browser (Browser) Cryptographic Services (CryptSvc) DCOM Server Process Launcher (DcomLaunch) (applicable to Windows Server 2003 SP1) DHCP Client (Dhcp) Distributed File System (Dfs) Distributing Link Tracking Client (TrkWks) Distributing Link Tracking Server (TrkSvr) Distributed Transaction Coordinator (MSDTC) DNS Client (Dnscache) Error Reporting Services (ERSvc) Event Log
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
90
Issue 1.02

(Eventlog) Fax (Fax) Disabled
Nortel Proprietary
IMAP CD-Burning COM Service (ImapiService) Indexing Service (Cisvc)
InstallDriver Table Manager (Built-in InstallShield service for CC installation) Intersite Messaging
<Not defined>
Issue 1.02
91

(IsmServ) IPSEC Service (PolicyAgent) Kerberos Key Distribution Center (Kdc) License Logging Service (LicenseService) Disabled <Not defined> <Not defined>
Nortel Proprietary
<Not defined>
Microsoft Software Shadow Copy Provider (SwPrv) MSSQL$NNCCTDB MSSQLServerADHelper NCCT Data Access Layer NCCT Logging Service NCCT Server NCCT TAPI Connector Service Net Logon (Netlogon) NetMeeting Remote Desktop Sharing (mnmsrvc)
<Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Disabled (Permissions: Administrators=Full Control,
92
Issue 1.02
Nortel Proprietary
System=Full Control, Interactive=Read) Network Connections (Netman) Manual (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
Network DDE (NetDDE) Network DDE DSDM (NetDDEdsdm) Network Location Awareness (NLA) Network Provisioning Service (applicable to Windows Server 2003 SP1) Network News Transport Protocol (NNTP) (NntpSvc)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Print Spooler (Spooler)
Issue 1.02
93

Protect Storage (ProtectedStorage) Remote Access Auto Connection Manager (RasAuto) Disabled <Not defined>
Nortel Proprietary
Remote Procedure Call (RPC) (RpcSs) Remote Procedure Call (RPC) Locator (RpcLocator) Remote Registry Service (RemoteRegistry) Remote Server Manager (AppMgr)
<Not defined>
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
94
Issue 1.02

Remote Storage Server (Remote_Storage_Server) Disabled
Nortel Proprietary
Removal Storage (NtmsSvc) Resultant Set of Policy Provider (RSoPProv) Routing and Remote Access (RemoteAccess) Secondary Logon (seclogon) Security Accounts Manager (SamSs) Server (lanmanserver) Shell Hardware Detection (ShellHWDetection) Simple Mail Transfer Protocol (SMTP) (SMTPSVC)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Special Administration Console Helper (Sacsvr) SQLAgent$NNCCTDB
<Not defined>
Issue 1.02
95

System Event Notification (SENS) Task Scheduler (Schedule) TCP/IP NetBIOS Helper Service (LMHosts) Telephony (TapiSrv) Telnet (TlntSvr) Disabled <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Terminal Services (TermService) Terminal Service Session Directory (Tssdis) Trivial FTP Daemon (tftpd)
<Not defined>
Themes (Themes) Uninterruptible Power Supply (UPS) Upload Manager (Uploadmgr) Virtual Disk Service (VDS) Volume Shadow Copy (VSS) Web Element Manager
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
96
Issue 1.02

(elementmgr) WebClient (WebClient) Windows Audio (AudioSrv) Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) Windows Image Acquisition (WIA) (StiSvc) Windows Installer (MSIServer) Windows Management Instrumentation (winmgmt) Windows Management Instrumentation Driver Extensions (Wmi) Windows Time (W32Time) Windows User Mode Driver Framework (UMWdf) (applicable to Windows Server 2003 SP1) WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) Wireless Configuration (WZCSVC) Disabled <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
WMI Performance Adapter (WmiApSrv) Workstation (lanmanworkstation)
<Not defined>
Issue 1.02
97

World Wide Web Publishing Service (W3SVC) Disabled
Nortel Proprietary
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
Registry MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit MACHINE\SOFTWARE\Microsoft\Windows\CurrentVer sion\Installer MACHINE\SOFTWARE\Microsoft\Windows\CurrentVer sion\policies MACHINE\SYSTEM\CurrentControlSet\Enum Administrators=Full Control, SYSTME=Full Control, Users=Read Administrators=Full Control, SYSTME=Full Control, Users=Read Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTME=Full Control, Users=Read
Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
98
Issue 1.02
Nortel Proprietary
Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control
Issue 1.02
99
Nortel Proprietary
Administrators=Full Control, SYSTEM=Full Control
3.5
Contact Center Multimedia/Outbound Security Template Definitions

Table 8 lists the security template setting defined for the Nortel Contact Center Multimedia/Outbound 6.0 server.
Table 8 Contact Center Multimedia/Outbound 6.0 Security Template Setting
Security Setting Items Account Policies Password Policy Enforce password history Maximum password age Minimum password age Minimum password length Password must meet complexity requirements Store passwords using reversible encryption Account Lockout Policy Account lockout duration Account lockout threshold Reset account lockout counter after Kerberos Policy Enforce user logon restrictions Maximum lifetime for service ticket Maximum lifetime for user ticket Maximum lifetime for user ticket renewal
Setting
24 passwords remembered 90 days 1 days 8 characters Enabled Disabled
<Not defined> <Not defined> <Not defined> <Not defined>
100
Issue 1.02

Maximum tolerance for computer clock synchronization Local Policies Audit Policy Audit account logon events Audit account management Audit directory service access Audit logon events Audit object access Audit policy change Audit privilege use Audit process tracking Audit system events User Rights Assignment Access this computer from the network Act as part of the operating system Add workstations to domain Adjust memory quotas for a process Allow log on locally Allow log on through terminal services Back up files and directories Bypass traverse checking Change the system time Create a pagefile Create a token object Create a global object Create permanent shared objects Debug programs <Not defined> <None> <Not defined> <Not defined> Administrators Success, Failure Success, Failure <Not defined> Success, Failure Success, Failure Success <Not defined> <Not defined> Success <Not defined>
Nortel Proprietary
Administrators, Remote Desktop Users Administrators Users Administrators <Not defined> <None> <Not defined> <None> <None>
Issue 1.02
101

Deny access to this computer from the network Deny log on as a batch job Deny log on as a service Deny log on locally Deny log on through Terminal Service Enable computer and user accounts to be trusted for delegation Force shutdown from a remote system Generate security audits Impersonate a client after authentication Increase scheduling priority Load and unload device drivers Lock pages in memory Log on as batch job Log on as a service Manage auditing and security log Modify firmware environment values Perform volume maintenance tasks Profile single process Profile system performance Remove computer from docking station Replace a process level token Restore files and directories Shutdown the system Synchronize directory service data Take ownership of file or other objects Security Options Accounts: Administrator account status <Not defined> ANONYMOUS LOGON Guests <Not defined> <Not defined> Guests <None>
Nortel Proprietary
<Not defined> <Not defined> SERVICE <Not defined> Administrators <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> LOCAL SERVICE, NETWORK SERVICE <Not defined> Administrators <None> Administrators
102
Issue 1.02

Accounts: Guest account status Accounts: Limit local account use of blank passwords to console logon only Accounts: Rename administrator account Disabled Enabled
Nortel Proprietary
Audit: Audit the access of global system objects Audit: Audit the use of backup and restore privilege Audit: Shut down system immediately if unable to log security alerts DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax Devices: Allow undock without having to log on Devices: Allowed to format and eject removal media Devices: Prevent users from installing printer drivers Devices: Restrict CD-ROM access to locally logged-on user only Devices: Restrict floppy access to locally logged-on user only Devices: Unsigned driver installation behavior Domain Controller: Allow server operators to schedule tasks
<Not defined>
<Not defined>
<Not defined>
Domain member: Digitally encrypt or sign secure channel data (always)
<Not defined>
Issue 1.02
103

Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Domain member: Disable machine account password changes Domain member: Maximum machine password age Domain member: Require strong (Windows 2000 or later) session key Interactive logon: Display user information when the session is locked Interactive logon: Do not display last user name Interactive logon: Do not required CTRL+ALT+DEL Interactive logon: Message text for users attempting to log on Enabled
Nortel Proprietary
Enabled
Disabled
30 days Enabled
<Not defined>
Interactive logon: Number of previous logons to cache (in case domain controller is not available) Interactive logon: Prompt user to change password before expiration Interactive logon: Require domain controller authentication to unlock workstation Interactive logon: Require smart card Interactive logon: Smart card removal behavior Microsoft network client: Digitally sign communications (always) Microsoft network client: Digitally sign communications (if server agrees) Microsoft network client: Send unencrypted password to connect to third-party SMB servers Microsoft network server: Amount of idle time required before suspending session Microsoft network server: Digitally sign communications
<Not defined>
14 days
<Not defined>
Enabled
Disabled
15 minutes
<Not defined>
104
Issue 1.02

(always) Microsoft network server: Digitally sign communications (if client agrees) Microsoft network server: Disconnect clients when logon hours expire MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended) MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended) MSS: (AFD MaximumDynamicBacklog) Maximum number of quasi-free connections for Winsock applications MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for system under attack, 10 otherwise) MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) MSS: (EnableDealGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU) MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS) MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) MSS: (TCPMaxConnectREsponseRetransmission) SYNACK retransmissions when a connection request is not acknowledged MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) MSS: (TCPMazPortalExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended) Enabled
Nortel Proprietary
Enabled
10
Enabled
20000 (recommended)
20
Disabled
<Not defined>
Enabled
Disabled
Issue 1.02
105

MSS: Disable Autorun for all drives MSS: Enable Safe DLL search mode MSS: Enable the computer to stop generating 8.3 style filenames MSS: How often keep-alive packets are sent in milliseconds MSS Percentage threshold for the security event log at which the system will generate a warning MSS: The time in seconds before the screen saver grace period expires
Nortel Proprietary
<Not defined>
Disabled Enabled
Enabled
Enabled
Disabled
<None>
Software\Microsoft\WindowsNT\CurrentVer sion\Print Software\Microsoft\WindowsNT\CurrentVes ion\Windows System\CurrentControlSet\Control\Print\Print ers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server System\CurrentControlSet\Control\ContentIn
106
Issue 1.02

dex
Nortel Proprietary
System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration Software\Micrsoft\WIndowsNT\CurrentVersi on\Perflib System\CurrentControlSet\Services\SysmonL og Network access: Restrict anonymous access to Named Pipes and Shares Network access: Shares that can be accessed anonymously Network access: Sharing and security model for local accounts Network security: Do not store LAN Manager password hash value on next password change Network security: Force logoff when logon hours expire Network security: LAN Manager authentication level Network security: LDAP client signing requirements Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Enabled
Recovery console: Allow automatic administrative logon Recovery console: Allow floppy copy and access to all drives and all folders Shutdown: Allow system to be shut down without having to log on Shutdown: Clear virtual memory pagefile System cryptography: Force strong key protection for user
Disabled
<Not defined> User must enter a password each time they
Issue 1.02
107

keys stored on computer System cryptography: User FIPS compliant algorithms for encryption, hashing, and signing System objects: Default owner for objects created by members of the Administrations group System objects: Require case insensitive for non-Windows subsystems System objects: Strengthen default permission of internal system objects System settings: Option subsystems System settings: User Certificate Rules on Windows Executables for Software Restriction Policies Event Logs Maximum application log size Maximum security log size Maximum system log size Prevent local guests group from accessing application log Prevent local guests group from accessing security log Prevent local guests group from accessing system log Retain application log Retain security log Retain system log Retention method for application log Retention method for security log Retention method for system log Restricted Groups <Not defined> System Services Alerter (Alerter) Disabled 16384 kilobytes 81920 kilobytes 16384 kilobytes Enabled Enabled Enabled <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> use a key <Not defined>
Nortel Proprietary
<Not defined>
<Not defined>
Enabled
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read)
108
Issue 1.02

Application Experience Lookup Service (AeLookupSvc) (applicable to Windows Server 2003 SP1) Application Layer Gateway Service (ALG) Application Management (AppMgmt) Client Service for Netware (NWCWorkstation) Disabled <Not defined> <Not defined> <Not defined>
Nortel Proprietary
ASP.NET State Service (aspnet_state) Automatic Updates (Wuauserv) Background Intelligent Transfer Service (BITS) Cache Controller for Nortel (Built-in Cache service for CCMM) CCMM Email Manager Service (Built-in CCMM service) CCMM License Service (Built-in CCMM service) CCMM Manager Client Service (Built-in CCMM service) CCMM OAM Service (Built-in CCMM service) CCMM Outbound Scheduler Service (Built-in CCMM service) CCMM Starter Service
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Issue 1.02
109

(Built-in CCMM service) ClipBook (ClipSrv) Disabled
Nortel Proprietary
COM+ Event System (EventSystem) COM+ System Application (COMSysApp) Computer Browser (Browser) Cryptographic Services (CryptSvc) DCOM Server Process Launcher (DcomLaunch) (applicable to Windows Server 2003 SP1) DHCP Client (Dhcp) Distributed File System (Dfs) Distributing Link Tracking Client (TrkWks) Distributing Link Tracking Server (TrkSvr) Distributed Transaction Coordinator (MSDTC) DNS Client (Dnscache) Error Reporting Services (ERSvc)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
110
Issue 1.02

Event Log (Eventlog) Fax (Fax) Disabled <Not defined>
Nortel Proprietary
<Not defined>
<Not defined>
<Not defined>
InstallDriver Table Manager (Built-in InstallShield service for CC installation) Intersite Messaging
<Not defined>
Issue 1.02
111

(IsmServ) IPSEC Service (PolicyAgent) Kerberos Key Distribution Center (Kdc) License Logging (LicenseService) Disabled <Not defined> <Not defined>
Nortel Proprietary
Logical Disk Manager Dmserver) Logical Disk Manager Administrative Service (Dmadmin) Messenger (Messenger)
<Not defined>
<Not defined>
Network DDE (NetDDE) Network DDE DSDM
<Not defined>
112
Issue 1.02

(NetDDEdsdm) Network Location Awareness (NLA) (NLA) Network Provisioning Service (xmlprov) Network News Transport Protocol (NNTP) (NntpSvc) Disabled <Not defined> <Not defined>
Nortel Proprietary
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Print Spooler (Spooler) Protect Storage (ProtectStorage) Remote Access Auto Connection Manager (RasAuto)
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control,
Issue 1.02
113
Nortel Proprietary
System=Full Control, Interactive=Read) Remote Administration Service (SrvcSurg) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
Remote Procedure Call (RPC) (RpcSs) Remote Procedure Call (RPC) Locator (PrcLocator) Remote Registry (RemoteRegistry) Remote Server Manager (AppMgr)
<Not defined>
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
Remote Server Monitor (APPMON)
Removal Storage (NtmsSvc) Resultant Set of Policy Provider (RSoPProv)
<Not defined>
114
Issue 1.02

Routing and Remote Access (RemoteAccess) Secondary Logon (seclogon) Security Accounts Manager (SamSs) Server (lanmanserver) Shell Hardware Detection ShellHWDetection) Simple Mail Transfer Protocol (SMTP) (SMTPSVC) Disabled <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
<Not defined>
Special Administration Console Helper (Sacsvr) System Event Notification (SENS) Task Scheduler (Schedule) TCP/IP NetBIOS Helper (LMHost)
<Not defined>
<Not defined>
<Not defined>
Telephony
Disabled
Issue 1.02
115

(TapiSrv)
Nortel Proprietary
Telnet (TlntSvr)
Terminal Service (TermService) Terminal Service Session Directory (Tssdis) Trivial FTP Daemon (tftpd)
<Not defined>
Themes (Themes) Uninterruptible Power Supply (UPS) Upload Manager (Uploadmgr) Virtual Disk Service (VDS) Volume Shadow Copy VSS) Web Element Manager (elementmgr) WebClient (WebClient) Windows Audio AudioSrv) Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
116
Issue 1.02

Windows Image Acquisition (WIA) (SuSvc) Windows Installer (MSIServer) Windows Management Instrumentation (winmgmt) Windows Management Instrumentation Driver Extensions (Wmi) Windows Time (W32Time) Windows User Mode Driver Framework (UMWdf) WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) Wireless Configuration (WZCSVC) Disabled <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
WMI Performance Adapter (WmiApSrv) Workstation (lanmanworkstation) World Wide Web Publishing Service (W3SVC) Registry MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit MACHINE\SOFTWARE\Microsoft\Windows\CurrentVer sion\Installer MACHINE\SOFTWARE\Microsoft\Windows\CurrentVer sion\policies
<Not defined>
<Not defined>
Administrators=Full Control, SYSTME=Full Control, Users=Read Administrators=Full Control, SYSTME=Full Control, Users=Read Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control
Issue 1.02
117
Nortel Proprietary
MACHINE\SYSTEM\CurrentControlSet\Enum
Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTME=Full Control, Users=Read
Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control,
118
Issue 1.02
Nortel Proprietary
INTERACTIVE=Full Control, SYSTEM=Full Control %SystemRoot%\system32\netsh.exe Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control
3.6
Contact Center Manager Server on Stratus Platform Security Template Definitions

Table 9 lists the security template setting defined for the Contact Center Manager Server in a standalone server configuration, Contact Center Manager Replication server, or Network Control Center server running on the Stratus platform
Issue 1.02
119
Nortel Proprietary
Table 9 Contact Center Manager Server Stratus Security Template Settings
Security Setting Items Account Policies Password Policy Enforce password history Maximum password age Minimum password age Minimum password length Password must meet complexity requirements Store passwords using reversible encryption Account Lockout Policy Account lockout duration Account lockout threshold Reset account lockout counter after Kerberos Policy Enforce user logon restrictions Maximum lifetime for service ticket Maximum lifetime for user ticket Maximum lifetime for user ticket renewal Maximum tolerance for computer clock synchronization Local Policies Audit Policy Audit account logon events Audit account management Audit directory service access Audit logon events Audit object access
Setting
24 passwords remembered 90 days 1 days 8 Enabled Disabled
Success, Failure Success, Failure <Not defined> Success, Failure Success, Failure
120
Issue 1.02

Audit policy change Audit privilege use Audit process tracking Audit system events User Rights Assignment Access this computer from the network Act as part of the operating system Add workstations to domain Adjust memory quotas for a process Allow log on locally Allow log on through terminal services Back up files and directories Bypass traverse checking Change the system time Create a pagefile Create a token object Create a global object Create permanent shared objects Debug programs Deny access to this computer from the network Deny log on as a batch job Deny log on as a service Deny log on locally Deny log on through Terminal Service Enable computer and user accounts to be trusted for delegation Force shutdown from a remote system Generate security audits <Not defined> <None> <Not defined> <Not defined> Administrators Success <Not defined> <Not defined> Success
Nortel Proprietary
<Not defined> <Not defined>
Issue 1.02
121

Impersonate a client after authentication Increase scheduling priority Load and unload device drivers Lock pages in memory Log on as batch job Log on as a service Manage auditing and security log Modify firmware environment values Perform volume maintenance tasks Profile single process Profile system performance Remove computer from docking station Replace a process level token Restore files and directories Shutdown the system Synchronize directory service data Take ownership of file or other objects Security Options Accounts: Administrator account status Accounts: Guest account status Accounts: Limit local account use of blank passwords to console logon only Accounts: Rename administrator account <Not defined> Disabled Enabled SERVICE <Not defined> Administrators <Not defined> <None> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Audit: Audit the access of global system objects
<Not defined>
122
Issue 1.02

Audit: Audit the use of backup and restore privilege Audit: Shut down system immediately if unable to log security alerts DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax Devices: Allow undock without having to log on Devices: Allowed to format and eject removal media Devices: Prevent users from installing printer drivers Devices: Restrict CD-ROM access to locally logged-on user only Devices: Restrict floppy access to locally logged-on user only Devices: Unsigned driver installation behavior Domain Controller: Allow server operators to schedule tasks <Not defined> <Not defined>
Nortel Proprietary
<Not defined>
<Not defined>
<Not defined>
Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Domain member: Disable machine account password changes Domain member: Maximum machine password age Domain member: Require strong (Windows 2000 or later) session key Interactive logon: Display user information when the session is locked
<Not defined>
Enabled
Enabled
Disabled
30 days Enabled
<Not defined>
Issue 1.02
123

Interactive logon: Do not display last user name Interactive logon: Do not required CTRL+ALT+DEL Interactive logon: Message text for users attempting to log on Enabled Disabled <Not defined>
Nortel Proprietary
(Recommend to define a custom, or DOJ approved message text) Interactive logon: Message title for users attempting to log on <Not defined> (Recommend to define a custom, or DOJ approved message title) Interactive logon: Number of previous logons to cache (in case domain controller is not available) Interactive logon: Prompt user to change password before expiration Interactive logon: Require domain controller authentication to unlock workstation Interactive logon: Require smart card Interactive logon: Smart card removal behavior Microsoft network client: Digitally sign communications (always) Microsoft network client: Digitally sign communications (if server agrees) Microsoft network client: Send unencrypted password to connect to third-party SMB servers Microsoft network server: Amount of idle time required before suspending session Microsoft network server: Digitally sign communications (always) Microsoft network server: Digitally sign communications (if client agrees) Microsoft network server: Disconnect clients when logon hours expire MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended) MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended) MSS: (AFD MaximumDynamicBacklog) Maximum number of quasi-free connections for Winsock <Not defined>
14 days
<Not defined>
Enabled
Disabled
15 minutes
<Not defined>
Enabled
Enabled
10
Enabled
20000 (recommended)
124
Issue 1.02

applications MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for system under attack, 10 otherwise) MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) MSS: (EnableDealGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU) MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS) MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) MSS: (TCPMaxConnectREsponseRetransmission) SYNACK retransmissions when a connection request is not acknowledged MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) MSS: (TCPMazPortalExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended) MSS: Disable Autorun for all drives MSS: Enable Safe DLL search mode MSS: Enable the computer to stop generating 8.3 style filenames MSS: How often keep-alive packets are sent in milliseconds MSS Percentage threshold for the security event log at which the system will generate a warning MSS: The time in seconds before the screen saver grace period expires 20
Nortel Proprietary
Disabled
<Not defined>
Enabled
Disabled
<Not defined>
Issue 1.02
125

Network access: Allow anonymous SID//Name translation Network access: Do not allow anonymous enumeration of SAM accounts Network access: Do not allow anonymous enumeration of SAM accounts and shares Network access: Do not allow storage of credentials or .NET passports for network authentication Network access: Let Everyone permissions apply to anonymous users Network access: Named pipes that can be accessed anonymously Network access: Remotely accessible registry paths Disabled Enabled
Nortel Proprietary
Enabled
Enabled
Disabled
<None>
Software\Microsoft\WindowsNT\CurrentVer sion\Print Software\Microsoft\WindowsNT\CurrentVes ion\Windows System\CurrentControlSet\Control\Print\Prin ters System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server System\CurrentControlSet\Control\ContentIn dex System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\Default\UserConfiguration Software\Micrsoft\WIndowsNT\CurrentVers ion\Perflib System\CurrentControlSet\Services\Sysmon Log
Network access: Restrict anonymous access to Named Pipes and Shares
Enabled
126
Issue 1.02

Network access: Shares that can be accessed anonymously Network access: Sharing and security model for local accounts Network security: Do not store LAN Manager password hash value on next password change Network security: Force logoff when logon hours expire Network security: LAN Manager authentication level Network security: LDAP client signing requirements Network security: Minimum session security for NTLM SSP based (including secure RPC) clients <None>
Nortel Proprietary
Classic local users authenticate as themselves Enabled
Recovery console: Allow automatic administrative logon Recovery console: Allow floppy copy and access to all drives and all folders Shutdown: Allow system to be shut down without having to log on Shutdown: Clear virtual memory pagefile System cryptography: Force strong key protection for user keys stored on computer System cryptography: User FIPS compliant algorithms for encryption, hashing, and signing System objects: Default owner for objects created by members of the Administrations group System objects: Require case insensitive for non-Windows subsystems System objects: Strengthen default permission of internal system objects System settings: Option subsystems
Disable
<Not defined>
<Not defined>
Enabled
<None>
Issue 1.02
127

System settings: User Certificate Rules on Windows Executables for Software Restriction Policies Event Logs Maximum application log size Maximum security log size Maximum system log size Prevent local guests group from accessing application log Prevent local guests group from accessing security log Prevent local guests group from accessing system log Retain application log Retain security log Retain system log Retention method for application log Retention method for security log Retention method for system log Restricted Groups <Not defined> System Services Alerter (Alerter) Disabled 16384 kilobytes 81920 kilobytes 16384 kilobytes Enabled Enabled Enabled <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Application Experience Lookup Service (AeLookupSvc) (applicable to Windows Server 2003 SP1) Application Layer Gateway Service (ALG) Application Management (AppMgmt) Client Service for Netware
<Not defined>
<Not defined>
Disabled
128
Issue 1.02

(NWCWorkstation)
Nortel Proprietary
ASP.NET State Service (aspnet_state) Automatic Updates (Wuauserv) Background Intelligent Transfer Service (BITS) CC License Manager (CC_LM) (Built-in CC 6.0 service) CC Replication Service (REP_Service) (Built-in CCMS service CCMS ASM_Service (ASM_Service) (Built-in CCMS Service) CCMS Audit_Service (AUDIT_Service) (Built-in CCMS service) CCMS Control Service (CCMS_MasterService) (Built-in CCMS service) CCMS DBNotifier_Service (DBNotifier_Service) (Built-in CCMS service) CCMS EB_Service (EB_Service) (Built-in CCMS service)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Issue 1.02
129

CCMS ES_Service (ES_Service) (Built-in CCMS service) CCMS HDC_Service (HDC_Service) (Built-in CCMS service) CCMS HDM_Service (HDM_Service) (Built-in CCMS service) CCMS Host Application Integration (Host Application Integration) (Built-in CCMS service) CCMS IS_Service (IS_Service) (Built-in CCMS service) CCMS MAS Backup/Restore (nbbkp) (Built-in CCMS service) CCMS MAS Configuration Manager (nbcfg) (Built-in CCMS service) CCMS MAS Event Scheduler (nbsch) (Built-in CCMS service) CCMS MAS Fault Manager (nbflt) (Built-in CCMS service) CCMS MAS LinkHandler Port #2 <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
130
Issue 1.02

(nbalh) (Built-in CCMS service) CCMS MAS OM Server (nboms) (Built-in CCMS service) CCMS MAS Security (nbss) (Built-in CCMS service) CCMS MAS Service Daemon (nbsm_dae) (Built-in CCMS service) CCMS MAS Service Manager (nbsm) (Built-in CCMS service) CCMS MAS Time Service (nbts) (Built-in CCMS service) CCMS MLSM_Service (MLSM_Service) (Built-in CCMS service) CCMS NBMSM_Service (CCMS_NBMSM_Service) (Built-in CCMS service) CCMS NBNM_Service (NBNM_Service) (Built-in CCMS service) CCMS NBTSM_Service (NBTSM_Service) <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Issue 1.02
131

(Built-in CCMS service) CCMS NCCOAM_Service (NCCOAM_Service) (Built-in CCMS service) CCMS NDLOAM_Service (NDLOAM_Service) (Built-in CCMS service) CCMS NIMSM_Service (CCMS_NIMSM_Service) (Built-in CCMS service) CCMS NINCCAudit_Service (NINCCAudit_Service) (Built-in CCMS service) CCMS NITSM_Service (NITSM_Service) (Built-in CCMS service) CCMS OAM_Service (OAM_Service) (Built-in CCMS service) CCMS OAMCMF_Service (CCMS_OAM_CMF_Service) (Built-in CCMS service) CCMS RDC_Service (RDC_Service) (Built-in CCMS service) CCMS RSM_Service (RSM_Service) (Built-in CCMS service) <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
132
Issue 1.02

CCMS SDMCA_Service (SDMCA_Service) (Built-in CCMS service) CCMS SDP_Service (SDP_Service) (Built-in CCMS Service) CCMS SIP_Service (CCMS_SIP_Service) (Built-in CCMS service) CCMS TFA_Service (TFA_Service) (Built-in CCMS service) CCMS TFABRIDGE_Service (TFABRIDGE_Service) (Built-in CCMS service) CCMS TFE Bridge Connector (TfeBridgeConnector) (Built-in CCMS service) CCMS TFE_Service (TFE_Service) (Built-in CCMS service) CCMS UNE_Service (CCMS_UNE_Service) (Built-in CCMS service) CCMS VSM_Service (VSM_Service) (Built-in CCMS service) ClipBook Disabled <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Issue 1.02
133

(ClipSrv)
Nortel Proprietary
COM+ Event System (EventSystem) COM+ System Application (COMSysApp) Computer Browser (Browser) Cryptographic Services (CryptSvc) DCOM Server Process Launcher (DcomLaunch) (applicable to Windows Server 2003 SP1) DHCP Client (Dhcp) Distributed File System (Dfs) Distributing Link Tracking Client (TrkWks) Distributing Link Tracking Server (TrkSvr) Distributed Transaction Coordinator (MSDTC) DNS Client (Dnscache) Error Reporting Services (ERSvc) Event Log (Eventlog)
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
<Not defined>
134
Issue 1.02

Fax (Fax) Disabled
Nortel Proprietary
IMAP CD-Burning COM Service (ImapiService) Indexing Service (Cisvc)
InstallDriver Table Manager (Built-in InstallShield service for CC installation) Intersite Messaging (IsmServ)
<Not defined>
Issue 1.02
135

IPSEC Service (PolicyAgent) Kerberos Key Distribution Center (Kdc) License Logging Service (LicenseService) Disabled <Not defined> <Not defined>
Nortel Proprietary
<Not defined>
<Not defined>
Network DDE (NetDDE) Network DDE DSDM (NetDDEdsdm)
<Not defined>
136
Issue 1.02

Network Location Awareness (NLA) Network Provisioning Service (xmlprov) (applicable to Windows Server 2003 SP1) Network News Transport Protocol (NNTP) (NntpSvc) Disabled <Not defined> <Not defined>
Nortel Proprietary
<Not defined>
<Not defined>
<Not defined>
<Not defined>
Print Spooler (Spooler) Protect Storage (ProtectedStorage) Remote Access Auto Connection Manager (RasAuto)
<Not defined>
Issue 1.02
137

Remote Administration Service (SrvcSurg) Disabled
Nortel Proprietary
(Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
<Not defined>
<Not defined>
Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) Disabled (Permissions: Administrators=Full Control, System=Full Control, Interactive=Read) <Not defined>
Removal Storage (NtmsSvc) Resultant Set of Policy Provider (RSoPProv) Routing and Remote Access
<Not defined>
<Not defined>
138
Issue 1.02

(RemoteAccess) Secondary Logon (seclogon) Security Accounts Manager (SamSs) Server (lanmanserver) Shell Hardware Detection (ShellHWDetection) Simple Mail Transfer Protocol (SMTP) (SMTPSVC) Disabled <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
<Not defined>
Special Administration Console Helper (Sacsvr) Sybase BCKServer_<server name>_BS (SYBBCK_<server name>_BS) (Built-in CCMS Sybase service) Sybase MONServer_<server name>_MS (SYBMON_<server name>_MS) (Built-in CCMS Sybase service) Sybase SQLServer_<server name> (SYBSQL_<server name>)
<Not defined>
<Not defined>
<Not defined>
Issue 1.02
139

(Built-in CCMS Sybase service) Sybase XPServer_<server name>_XP (SYBXPS_<server name>_XP) (Built-in CCMS Sybase service) Sybase ASE Protect Service (SybProtect) (Built-in CCMS Sybase service) System Event Notification (SENS) TAO NT Naming Service (TAO_NT_Naming_Service) (Built-in CCMS TAO service) Task Scheduler (Schedule) TCP/IP NetBIOS Helper Service (LMHosts) Telephony (TapiSrv) Telnet (TlntSvr) Disabled <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Terminal Services (TermService) Terminal Service Session Directory (Tssdis) Trivial FTP Daemon (tftpd)
<Not defined>
Themes
140
Issue 1.02

(Themes) Uninterruptible Power Supply (UPS) Upload Manager (Uploadmgr) Virtual Disk Service (VDS) Volume Shadow Copy (VSS) Web Element Manager (elementmgr) WebClient (WebClient) Windows Audio (AudioSrv) Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) Windows Image Acquisition (WIA) (StiSvc) Windows Installer (MSIServer) Windows Management Instrumentation (winmgmt) Windows Management Instrumentation Driver Extensions (Wmi) Windows Time (W32Time) Windows User Mode Driver Framework <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined> <Not defined>
Nortel Proprietary
Issue 1.02
141

(UMWdf) (applicable to Windows Server 2003 SP1) WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) Wireless Configuration (WZCSVC) Disabled <Not defined>
Nortel Proprietary
WMI Performance Adapter (WmiApSrv) Workstation (lanmanworkstation) World Wide Web Publishing Service (W3SVC)
<Not defined>
Registry MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers ion\Installer MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers ion\policies MACHINE\SYSTEM\CurrentControlSet\Enum Administrators=Full Control, SYSTME=Full Control, Users=Read Administrators=Full Control, SYSTME=Full Control, Users=Read Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control Administrators=Full Control, Authenticate Users=Read, SYSTEM=Full Control Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control Administrators=Full Control, CREATOR OWNER=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTME=Full Control, Users=Read
MACHINE\SYSTEM\CurrentConrtrolSet\Services\SNMP\ Parameters\PermittedManagers
Administrators=Full Control, SYSTEM=Full Control
142
Issue 1.02
Nortel Proprietary
Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full
Issue 1.02
143

Control %SystemRoot%\system32\rsh.exe
Nortel Proprietary
Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, INTERACTIVE=Full Control, SYSTEM=Full Control Administrators=Full Control, SYSTEM=Full Control
144
Issue 1.02
Nortel Proprietary
[ This page is left intentionally blank ]
Issue 1.02
145
Glossary
Nortel Proprietary
Glossary
The glossary provided relates solely to this document.
CLAN DHCP DNS ELAN IT LAN MAS NCC Nortel Servers Subnet PC PEP PRD RAS SCCS SMTP SU SWC TAPI SP WAN
Customer Local Area Network Dynamic Host Connection Protocol Domain Name Service Embedded Local Area Network Information Technology Local Area Network Meridian Application Server Network Control Center Previously known as CLAN Personal Computer Performance Enhancement Package Platform Recovery Disk Remote Access Service Symposium Call Center Server Simple Mail Transfer Protocol Service Update Symposium Call Center Web Client Symposium TAPI Service Provider Wide Area Network
146
Issue 1.02
Glossary
Nortel Proprietary
[ This page is left intentionally blank ]
Issue 1.02
147
References
Nortel Proprietary
5
[1]
References
Windows Server 2003 Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Security Settings for Domain Member Servers, Version 1.2, October 17, 2005, The Center for Internet Security Contact Center 6.0 Security Guide, issue 1.01, July 18 2006
[2]
148
Issue 1.02
Nortel Proprietary
[ Last Page ]
Issue 1.02

CCMS 6.0 Security Templates

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

CCMS 6.0 Security Templates

Diunggah oleh

Hak Cipta:

Format Tersedia

Nortel Enterprise Networks

Nortel Contact Center 6.0 Security Templates User Guide

2007 Nortel Networks Corporation

Nortel Contact Center 6.0 Security Templates User Guide

Reviewed and Approved By

Nortel Contact Center 6.0 Security Templates User Guide

Type of Review Reason(s) for Issue

0.02 July 5, 2005

0.03 August 9, 2005

Draft copy Section 2.3.2 Add Network Domain Deployment

0.04 September 21, 2005

0.05 July 7, 2006

0.06 October 3, 2006

Nortel Contact Center 6.0 Security Templates User Guide

Revision history Issue Number Issue Date

Nortel Proprietary Author(s)

Type of Review Reason(s) for Issue

1.01 October 15, 2008

1.02 October 29, 2008

Nortel Contact Center 6.0 Security Templates User Guide

Contact Center 6.0 Security Templates.............................................................2

Contact Center 6.0 Security Template Files ...................................................11

Nortel Contact Center 6.0 Security Templates User Guide

Nortel Contact Center 6.0 Security Templates User Guide

Nortel Contact Center 6.0 Security Templates User Guide

Contact Center 6.0 Security Templates

Contact Center 6.0 Security Templates

Contact Center 6.0 Security Template Baseline

Contact Center 6.0 Security Template Applicability

Nortel Contact Center 6.0 Security Templates User Guide

Contact Center 6.0 Security Templates

Contact Center 6.0 Security Templates Deployment

Nortel Contact Center 6.0 Security Templates User Guide

Contact Center 6.0 Security Templates

Nortel Contact Center 6.0 Security Templates User Guide

Contact Center 6.0 Security Templates

Nortel Contact Center 6.0 Security Templates User Guide

Contact Center 6.0 Security Templates

Contact Center 6.0 Security Templates

Contact Center 6.0 Security Templates

Nortel Contact Center 6.0 Security Templates User Guide

Contact Center 6.0 Security Templates

Additional security settings

Nortel Contact Center 6.0 Security Templates User Guide

Built-in Administrator, Support_388945a0, Guest Support_388945a0, Guest Support_388945a0, Guest

<non-standard> <non-standard> <Custom, or DoJ approved>

<Custom, or DoJ approved>

Network Environment Consideration

Nortel Contact Center 6.0 Security Templates User Guide

Contact Center 6.0 Security Template Files

Contact Center 6.0 Security Template Files

24 passwords remembered 90 days 1 days 8 Enabled Disabled

15 minutes 15 invalid logon attempts 15 minutes

Nortel Contact Center 6.0 Security Templates User Guide

Contact Center 6.0 Security Template Files

Nortel Contact Center 6.0 Security Templates User Guide

Contact Center 6.0 Security Template Files

Nortel Contact Center 6.0 Security Templates User Guide

Contact Center 6.0 Security Template Files

<Not defined> Administrators Enabled <Not defined>

Warn but allow installation <Not defined> (Not applicable)

Domain Controller: LDAP server signing requirements

<Not defined> (Not applicable)