Escolar Documentos
Profissional Documentos
Cultura Documentos
ABSTRACT
This guide describes the Symposium Call Center Server R5.0 security model and architecture, and the
minimum security settings in Windows 2000 Server for a successful R5.0 installation and operation. The
guide also provides security recommendations that customers can adopt to their own security policies
and configurations.
NOTICE TO HOLDERS OF PAPER COPIES: Upon receipt of a new issue, destroy the previous issue or
mark it “OBSOLETE”.
CONFIDENTIAL INFORMATION: The information contained in this document is the property of Nortel
Networks. Except as specifically authorized in writing by Nortel Networks, the holder of this document
shall keep all information contained herein confidential and shall protect same in whole or in part from
disclosure and dissemination to all third parties.
Trademarks Nortel Networks Proprietary
Trademarks
The following are trademarks of Nortel Networks: Nortel Networks, BNR, ACD, BCS, CallPilot, DMS,
DMS-100, DMS-250, DMS-MTX, DMS-SCP, DNC, DPN-100, DVS, DualMode, FastView, Helmsman,
M2317, MAP, Symposium, Meridian Digital Centrex (MDC), Meridian, Meridian 1, Meridian Link, Meridian
MAX, Meridian NAC, Meridian CCR, Meridian IVR, Meridian Terminal Emulator, MFA, Norstar,
PowerTouch, SL-1, SL-100, SuperNode, Telesis, Unity.
Action Request System and AR System are trademarks of Remedy Corporation.
AMDEK is a trademark of Amdek Corporation.
ANSI is a trademark of the American National Standards Institute.
ClearCase is a registered trademark and ClearCase MultiSite is a trademark of Rational Software
Corporation.
Continuus, continuus/CM, and Continuus/PT are trademarks of Continuus Software Corporation.
CaseWare/CM, CaseWare/PT, CaseWare, ACCENT, and Amplify Control are registered trademarks of
Continuus Software Corporation.
Courier is a trademark of Smith-Corona Corporation.
CT Connect, CT Media is a registered trademark of Dialogic.
Frame, FrameBuilder and FrameMaker are trademarks of Adobe Systems Incorporated.
Helvetica and Times are trademarks of Linotype AG or its subsidiaries.
InstallShield is a registered trademark of InstallShield Software Corporation.
Interleaf is a trademark of Interleaf, Inc.
Macintosh, Power Macintosh, and Apple are registered trademarks of Apple Computer, Inc. Mac OS is a
trademark of Apple Computer, Inc.
Microsoft Windows, Microsoft Word, Microsoft Excel, PowerPoint, Microsoft Project, Microsoft File
Extension, and MS-DOS are trademarks of Microsoft Corporation.
Novell is a trademark of Novell, Inc.
Olecera Chart is a trademark of KL Group Inc.
Portable Document Format is a trademark of Adobe Systems Incorporated.
PostScript is a trademark of Adobe Systems Incorporated.
SYBASE is a trademark of Sybase, Inc.
UNIX is a trademark of UNIX System Laboratories.
Versatility, Versatility Administrator, Versatility Call Blending, Versatility Campaign Plus, Versatility Insight,
Versatility Predictive, Versatility Telesales / Teleservice are trademarks of Versatility Inc.
WinRunner, TSL and Context Sensitive are trademarks of Mercury Interactive Corporation.
ii Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Approvals Nortel Networks Proprietary
Approvals
Prepared By
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 iii
Revision history Nortel Networks Proprietary
Revision history
iv Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Table of contents Nortel Networks Proprietary
Table of contents
1 Introduction ........................................................................................................ 1
1.1 Purpose............................................................................................................................... 1
1.2 Scope.................................................................................................................................. 1
1.3 Intended audience .............................................................................................................. 2
2 Security Models.................................................................................................. 3
2.1 Symposium Call Center Server security architecture ......................................................... 3
2.1.1 Symposium Call Center Server network security layer ......................................... 3
2.1.1.1 Standalone server ........................................................................................... 5
2.1.1.2 Embedded LAN configuration ......................................................................... 5
2.1.1.3 Customer LAN configuration ........................................................................... 5
2.1.1.3.1 Default network binding protocols ............................................................ 5
2.1.1.3.2 Static IP address....................................................................................... 6
2.1.1.3.3 DNS consideration.................................................................................... 6
2.1.1.4 Firewall ............................................................................................................ 6
2.1.2 Symposium Call Center Server server security layer ............................................ 8
2.1.2.1 Windows 2000 Server configuration ............................................................... 8
2.1.2.2 Windows 2000 security settings...................................................................... 9
2.1.2.3 Server configuration ........................................................................................ 9
2.1.3 Symposium Call Center Server application security layer..................................... 9
2.1.3.1 Database access security ............................................................................... 9
2.1.3.2 MAS security server ...................................................................................... 10
2.1.3.3 Remote backup and restore security ............................................................ 10
3 Default R5.0 server security settings and configuration .............................. 11
3.1 Default Windows 2000 Server configuration .................................................................... 11
3.1.1 Default installed Windows 2000 Server components .......................................... 12
3.1.2 Default Windows 2000 services .......................................................................... 16
3.2 Default Windows 2000 security settings........................................................................... 26
3.2.1 Default password policy....................................................................................... 27
3.2.2 Default account lockout policy ............................................................................. 28
3.2.3 Default user rights assignments .......................................................................... 28
3.2.4 Default security setting ........................................................................................ 36
3.2.5 Default IP security policy ..................................................................................... 40
3.2.6 Default audit policy .............................................................................................. 41
3.3 Default Symposium Call Center Server server configuration ........................................... 42
3.3.1 Default disk partitioning type ............................................................................... 42
3.3.2 Default Windows local users ............................................................................... 42
3.3.3 Default print server and file sharing configuration ............................................... 44
3.3.4 Default Internet access ........................................................................................ 44
4 Security recommendations ............................................................................. 45
4.1 Security risk management and policy............................................................................... 45
4.1.1 Risk management................................................................................................ 45
4.1.2 Security policy...................................................................................................... 46
4.2 Windows 2000 security patches and hot fixes.................................................................. 46
4.3 Windows 2000 user accounts and passwords ................................................................. 47
4.4 Anonymous logon ............................................................................................................. 48
4.5 Third-party applications .................................................................................................... 48
4.6 Anti-virus scanning ........................................................................................................... 50
4.7 Internet access ................................................................................................................. 53
4.8 E-mail access ................................................................................................................... 53
4.9 File and folder sharing ...................................................................................................... 53
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 v
Table of contents Nortel Networks Proprietary
vi Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
List of figure Nortel Networks Proprietary
List of figure
Figure 1 Symposium Call Center Server Security Architecture.................................................................... 3
Figure 2 Symposium Call Center Server Network Security Layer................................................................ 4
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 vii
List of tables Nortel Networks Proprietary
List of tables
Table 1 Symposium Call Center Server Default Network Protocols ............................................................ 6
Table 2 Symposium Call Center Server Ports Usage .................................................................................. 7
Table 3 Default Installed Windows 2000 Server Components ................................................................... 12
Table 4 Default Windows 2000 services .................................................................................................... 16
Table 5 Default Password Policy ................................................................................................................ 27
Table 6 Default Account Lockout Policy ..................................................................................................... 28
Table 7 Default User Rights Assignments .................................................................................................. 29
Table 8 Default Security Setting ................................................................................................................. 37
Table 9 Default IP Security Policy .............................................................................................................. 40
Table 10 Default Audit Policy...................................................................................................................... 41
Table 11 Default Symposium Call Center Server Windows Local Users ................................................... 43
Table 12 Symposium Call Center Server File and Folder Permission ....................................................... 54
Table 13 MBSA scanning items and Symposium Call Center Server recommendations .......................... 55
viii Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Introduction Nortel Networks Proprietary
1 Introduction
1.1 Purpose
Server security has become a critical issue in the software industry. It is important
for customers to protect all the servers in their network environment (including
Symposium Call Center Server) from various security attacks, threats, and
vulnerabilities. Since each customer has their own security policies and
requirements, it is impossible to present a single Symposium Call Center Server
security configuration that will meet all customer needs. This guide describes the
basic Symposium Call Center Server R5.0 security model and default security
configuration for a successful Symposium Call Center Server R5.0 installation
and operation. In addition, this guide includes a set of recommendations for
security policies and configuration. Customers can adopt the default and
recommended security policies and integrate them with their own security policy
for the Symposium Call Center Server R5.0 server.
1.2 Scope
This guide covers the security model and guidelines for Symposium Call Center
Server R5.0 (both nodal and NCC servers) running the Windows 2000 Server
(Standard and Advanced Edition) operating system. It is not intended to be a
comprehensive security guide for Windows 2000 Server, nor for the customer
network itself. This guide is only applicable to Symposium Call Center Server
R5.0 running on Windows 2000 Server (Standard and Advanced Server edition)
platform and does not include earlier releases or other Symposium products, such
as the regular Symposium Call Center Server Client application R4.0, Symposium
Web Client 4.5, Symposium Express Call Center, or Symposium Web Center
Portal.
The security settings and recommendations in this guide only cover the
Symposium Call Center Server R5.0 server running with Windows 2000 Server
(or Windows 2000 Advance Server) and do not include other components on the
same network (for example, the M1 switch, desktop PC, Symposium Web Client
application server etc.), or the actual customer network itself (for example,
routers, firewalls etc.)
This guide does not include any actual procedures on how to show or change the
Windows 2000 Server security settings. It assumes that the reader is familiar with
security administration tools, either those supplied by Microsoft (for example, the
Microsoft Management Console with appropriate plug-ins), or third-party
software that is used to manage the listed security settings for Symposium Call
Center Server.
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 1
Introduction Nortel Networks Proprietary
Caution
This guide contains sensitive security and configuration settings that a potential
hacker can use to exploit the security risks of Symposium Call Center Server.
Therefore, you must exercise caution and only release security settings
information to people on a need-to-know basis.
This guide is intended to be used by anyone wishing to setup a security policy and
configure Symposium Call Center Server R5.0 running on Windows 2000 Server
within their own security environment. It assumes that the reader is familiar with
all security subjects and features in Windows 2000 Server and in the customer
network environment.
2 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Security Models Nortel Networks Proprietary
2 Security Models
2.1 Symposium Call Center Server security architecture
The Symposium Call Center Server design incorporates various security features.
Different security layers within the customer network, server PC, and the
Symposium Call Center Server application provide overall system security. The
Symposium Call Center Server security architecture can be divided into the
following three major security layers:
• Network security
• Server security
• Application security
Symposium
Call Center
Symposium
Server R5.0 server
Call Center
security
Server
application
security
The Symposium Call Center Server network security layer defines the network
environment in which the Symposium Call Center Server R5.0 server should be
configured. It also defines where the customer-supplied network firewall should
be placed within the customer network to allow the server in Symposium Call
Center Server and the Client (Standard Client and Web Client) to operate
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 3
Security Models Nortel Networks Proprietary
properly. The network security layer protects Symposium Call Center Server from
possible security attacks through the customer or external networks.
Figure 2 shows an overall Symposium Call Center Server network security layer
within a typical customer network environment, including both the regular
Symposium Call Center Server Client PC and Symposium Web Client.
ELAN Subnet
VPN connection for
Symposium remote support access
Call Center
Server
Server SCCS
Standby
north
te er
lecon
m Server Nortel Contivity 1100
Telephone
Switch
Nortel Networks Servers Subnet (CLAN)
Firewall/Router
Since each customer provides their own network and can have different
configurations and requirements, it is impossible to provide a single network
configuration for Symposium Call Center Server that meets all customer
requirements. Therefore, Nortel Networks recommends you review and consider
the following Symposium Call Center Server network and configuration settings
when implementing your own network security and configuration settings.
4 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Security Models Nortel Networks Proprietary
Symposium Call Center Server R5.0 does not require that any Windows Domain
users log on to the server and does not need Windows 2000 Active Directory to
operate, even though it runs within a Windows 2000 network environment.
The Embedded LAN (ELAN) is used for the connection between the telephone
PBX switch and Symposium Call Center Server. The ELAN carries all call traffic
between the Symposium Call Center Server and the telephone switch (Meridian 1,
Meridian IE, or CSE 1000). Symposium Call Center Server only requires a
TCP/IP connection to the switch on the ELAN. There should not be a firewall
between Symposium Call Center Server and the telephone switch.
For maximum ELAN call traffic performance and security, Nortel Networks
recommends that the ELAN be completely isolated from other subnets, and from
the external LAN or WAN within the network. Since the ELAN can also carry
other telephone switch related traffic for other Nortel Networks products (for
example, OTM), you must take into consideration these additional network
configuration and security requirements to configure the ELAN (for example,
adding a router/gateway or firewall between the ELAN and other subnets, the
LAN or WAN).
Symposium Call Center Server (Nodal or NCC server) and the client PCs (both
Symposium Call Center Server Client and Web Client) are connected through the
Customer LAN (CLAN).
The network connection protocol between Symposium Call Center server and the
client PCs (both the Symposium Call Center Server Client and the Web Client
application server) is based on TCP/IP. The Symposium Call Center Server
Network Interface Card (NIC) should have the following default network protocol
bindings:
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 5
Security Models Nortel Networks Proprietary
File and Printer Sharing for Microsoft Enabled by default. Must be enable for
Network Symposium Call Center Server Remote
Database Network Backup & Restore
feature to work
If a Domain Name Service (DNS) is configured and available on the CLAN, then
the Symposium Call Center Server network interface should be registered with
the specified DNS. If no DNS is available, then disable the DNS configuration in
the Symposium Call Center Server network interface to prevent errors and
possible performance impacts on the Symposium Call Center Server network
connection.
2.1.1.4 Firewall
Symposium Call Center Server operates on two separate Embedded LAN (ELAN)
and Customer LAN (CLAN) subnet configurations. The ELAN provides critical
call traffic between Symposium Call Center Server and the telephone switch. For
maximum network traffic performance and security, it is recommended that the
ELAN be completely isolated from other subnets, or external LANs or WANs
within the network. No firewall should be placed between Symposium Call
Center Server and the telephone switch.
6 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Security Models Nortel Networks Proprietary
The Symposium Call Center Server Client or the Symposium Web Client
application server is connected to the Symposium Call Center Server through the
CLAN. The Remote Procedure Call (RPC) communication method is used
between Symposium Call Center Server and the client PCs (both the Symposium
Call Center Server Client and the Web Client application server). Since this
communication method requires a large range of dynamic ports, it is not practical
to implement a firewall between Symposium Call Center Server and the client
PCs by restricting port access. However, you can place an appropriate firewall
between the Symposium Web Client application server and the Web Client
desktop PCs.
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 7
Security Models Nortel Networks Proprietary
Port 1024 to 65535 This is range of ports that can be used by RPC
dynamic ports.
The Symposium Call Center Server R5.0 server security layer defines the security
settings and configuration on the Symposium Call Center Server PC. The server
security layer protects the Symposium Call Center Server PC from various
security attacks and vulnerabilities. The security layer is implemented through
security features included in the Windows 2000 Server operating system and
through the appropriate server configuration. The overall server security layer
consists of the following main security strategies:
• Server configuration
The Windows 2000 Server configuration security strategy relies on the default
Windows 2000 Server operating system installation and configuration. The
default installation and configuration only installs and configures those Windows
2000 components that are required for proper Symposium Call Center Server
R5.0 operation. By not installing any unnecessary Windows 2000 components,
you minimize the risk of possible security attacks and vulnerabilities through
these components. The details of the default Windows 2000 Server configuration
are documented in section 3 of this guide.
For details installing Windows 2000 Server according to the default Symposium
Call Center Server configuration, see the Nortel Networks Symposium Call Center
Server Installation and Maintenance Guide for Release 5.0 [1].
8 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Security Models Nortel Networks Proprietary
The Windows 2000 security setting strategy includes a set of default security
settings and a users policy designed to protect Symposium Call Center Server by
minimizing possible unauthorized access and changes to the server. For details,
see section 3 of this guide.
The Symposium Call Center Server application security layer includes built-in
security functions that protect critical information about the Symposium Call
Center Server application, customer call center configuration and statistics from
illegal access. The application security layer consists of the following major
components:
Database access security is controlled by the Sybase ASE 12 SQL Server access
authorization component. Only authorized database user accounts with correct
passwords can access the database through pre-assigned access rights. All critical
call center configuration information and customer call statistics are stored in the
database. Nortel Networks proprietary information is also stored in the database
and can only be accessed by the “system administrator” (SA) account. Details of
this account are considered Nortel Networks confidential and, therefore, are not
released to any customers. Customers do not need to perform any database access
or maintenance operations that require “SA” account access. Instead, customers
use other Symposium Call Center Server user accounts to access the database and
create custom call statistic reports.
Customers can access the database through the pre-defined “sysadmin” account
and other Symposium Call Center Server user accounts created by the
Symposium Call Center Server administrators or supervisors. The sysadmin
account is different from the SA account. Customers can change the passwords
for all created Symposium Call Center Server user accounts, including the pre-
defined sysadmin account. In fact, for security purposes, customers must change
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 9
Security Models Nortel Networks Proprietary
the default password for the sysadmin account when logging on to Symposium
Call Center Server for the first time.
The database access security model further protects database integrity from
unauthorized access and updates by providing pre-defined database views from
which customers retrieve database information.
The MAS security server is a Symposium Call Center Server service that provides
security authentication for the connection between the server in Symposium Call
Center Server and Symposium Call Center Server Client PC. The Symposium
Call Center Server Client must log on to Symposium Call Center Server through
the MAS security service using a valid Symposium Call Center Server user
account and password. The MAS security server encrypts and decrypts
Symposium Call Center user account passwords using a proprietary algorithm.
Symposium Call Center Server user accounts are separate and different from the
client PC’s local or network login account, and the server’s local Windows login
accounts. The Symposium Call Center Server user account login does not require
Windows login on the Symposium Call Center Server, nor does it require
Windows Domain Controller or Windows 2000 Active Directory.
Symposium Call Center Server R5.0 supports database backup and restore on a
remote network computer within the Symposium Call Center Server standalone
server configuration. Procedures are provided to setup the proper local user
account on both the remote backup computer and the server in Symposium Call
Center Server to ensure that only assigned user accounts and privileges are used
for the remote backup and restore. Customers must exercise proper security
measures for the shared remote backup folder on the remote computer to prevent
unauthorized access to the Symposium Call Center Server backup files.
10 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Caution
This guide contains sensitive security and configuration settings that a potential
hacker could use to exploit the security risks of the Symposium Call Center
Server. Therefore, you must exercise caution and only release security settings
information to people on a need-to-know basis.
The Windows 2000 Server configuration and security settings listed in this guide
include both the default Symposium Call Center Server settings (as installed when
you follow the guidelines documented in Nortel Networks Symposium Call Center
Server Installation and Maintenance Guide for Release 5.0 [1]), and the minimum
Symposium Call Center Server settings (the minimum setting required for
Symposium Call Center Server R5.0 operation). Nortel Networks has verified the
default Windows 2000 Server configuration as listed to ensure its compatibility
with the proper Symposium Call Center Server installation and operation.
Therefore, if you choose to alter the default Windows 2000 Server configuration
to meet specific customer requirements, note that Nortel Networks will not have
verified the impact of such change on the Symposium Call Center Server
installation and operation. Customers who deviate from the recommended default
Windows 2000 Server configuration must not change or exceed any of the listed
Symposium Call Center Server minimum requirements, and must test their
Windows 2000 Server configuration with Symposium Call Center Server R5.0 in
a non-production environment before putting the configuration online.
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 11
Default R5.0 server security settings and configurationNortel Networks Proprietary
For proper Symposium Call Center Server R5.0 operation, Nortel Networks
recommends installing only the required Windows 2000 Server operating system
components. Table 3 lists the default Windows 2000 Server installed components
and the minimum component requirements for proper Symposium Call Center
Server R5.0 operation.
12 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 13
Default R5.0 server security settings and configurationNortel Networks Proprietary
14 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 15
Default R5.0 server security settings and configurationNortel Networks Proprietary
16 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
When you install Windows 2000, the installation program creates and configures
default Windows services that run when the system is started. Table 4 lists the
default Windows 2000 services and the minimum service configuration for
Symposium Call Center Server if the Windows 2000 Server is installed with the
default Windows components (as listed in Table 3).
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 17
Default R5.0 server security settings and configurationNortel Networks Proprietary
18 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 19
Default R5.0 server security settings and configurationNortel Networks Proprietary
20 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 21
Default R5.0 server security settings and configurationNortel Networks Proprietary
22 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 23
Default R5.0 server security settings and configurationNortel Networks Proprietary
24 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 25
Default R5.0 server security settings and configurationNortel Networks Proprietary
26 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Symposium Call Center Server R5.0 recommends the following default password
policy (applicable to the installed Windows 2000 user accounts).
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 27
Default R5.0 server security settings and configurationNortel Networks Proprietary
Since the installation of the Symposium Call Center Server application creates
additional Windows accounts with default passwords, the Windows 2000
password policy should be in the default setting (as listed in Table 5) before you
install Symposium Call Center Server. Customers can change the Windows 2000
password policy as required after the Symposium Call Center Server application,
in which case, they must also make appropriate password changes for all local
Windows accounts that are created with the Symposium Call Center Server
installation. Nortel Networks recommends that all local Windows account
passwords (including accounts created by Symposium Call Center Server) be
changed from their default values immediately after installing Symposium Call
Center Server.
Table 6 lists the default account lockout security setting and the minimum
requirements for Symposium Call Center Server R5.0.
Table 7 lists the default user rights assignments security setting and the minimum
requirements for Symposium Call Center Server R5.0.
28 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Act as part of the NGen System, NGenSys, Must be set for the
operating system NGen Design NGenDesign NGen System, and
NGen Design
groups.
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 29
Default R5.0 server security settings and configurationNortel Networks Proprietary
30 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 31
Default R5.0 server security settings and configurationNortel Networks Proprietary
32 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 33
Default R5.0 server security settings and configurationNortel Networks Proprietary
34 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 35
Default R5.0 server security settings and configurationNortel Networks Proprietary
Table 8 lists the default security setting and minimum requirements for
Symposium Call Center Server R5.0.
36 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 37
Default R5.0 server security settings and configurationNortel Networks Proprietary
38 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 39
Default R5.0 server security settings and configurationNortel Networks Proprietary
Table 9 lists the default IP security policies assigned and the minimum
requirements for Symposium Call Center Server R5.0.
40 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Table 10 lists the default Windows 2000 audit policies and minimum
requirements for Symposium Call Center Server R5.0.
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 41
Default R5.0 server security settings and configurationNortel Networks Proprietary
Symposium Call Center Server R5.0 supports Windows NTFS disk partitioning
only. Windows NTFS provides additional security for server files. Symposium
Call Center Server R5.0 requires that all disk partitions be NTFS.
Symposium Call Center Server R5.0 installs three additional Windows 2000 local
users during the Symposium Call Center Server software installation. Table 11
lists the three default Symposium Call Center Server Windows local users and
how the accounts are used.
42 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Default R5.0 server security settings and configurationNortel Networks Proprietary
Since the Symposium Call Center Server application has a dependency on the
NGenSys account, this account name must not be changed. Customers can change
the account names for NGenDist and NGenDesign after the Symposium Call
Center Server installation, but this will prevent distribution channels and Nortel
support groups from using the default account names to perform Symposium Call
Center Server maintenance or support.
All three default Symposium Call Center Server Windows local users are initially
created with default passwords. Customers are encouraged to change the default
passwords after successful Symposium Call Center Server installation. Procedures
for changing the passwords for these default accounts are documented in the
Nortel Networks Symposium Call Center Server Installation and Maintenance
Guide for Release 5.0[1].
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 43
Default R5.0 server security settings and configurationNortel Networks Proprietary
The Symposium Call Center Server R5.0 default network setting enables Print
Server and File Sharing in the installed protocol stack, but the Symposium Call
Center Server configuration does not include a default print server or a shared
network folder or file. It is a Symposium Call Center Server R5.0 minimum
requirement that no print server be configured on the Symposium Call Center
Server R5.0 server.
For security reasons, Nortel Networks recommends that customers do not share
any Symposium Call Center Server folders or files over the network. In addition,
Nortel Networks recommends that only the local Administrator and Symposium
Call Center Server default Windows users be granted write access to Symposium
Call Center Server folders. If customers need to download any Symposium Call
Center Server files (for example, PEPs or SUs), then Nortel Networks
recommends that they download them to a remote computer instead of directly to
the Symposium Call Center Server. After downloading the file to the remote
computer, the customer can then share it with the server in the Symposium Call
Center Server over the network.
44 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Security recommendations Nortel Networks Proprietary
4 Security recommendations
This section includes recommended security practices for Symposium Call Center
Server R5.0. Nortel Networks recommends that customers consider these
suggestions when deciding on their own security policies and practices. This
section is not intended to list security settings that meet specific customer
requirements. Customers should review their security requirements and compare
them with the default and minimum Symposium Call Center Server security
settings and configuration (listed in section 3 of this guide), together with the
security recommendations listed in this section, before deciding on the
appropriate overall Symposium Call Center Server security configuration.
Symposium Call Center Server R5.0 comes with a set of default security settings
that meet most common security protection requirements. Nortel Networks has
verified the default Windows 2000 Server configuration as listed to ensure its
compatibility with the proper Symposium Call Center Server installation and
operation. Therefore, if you choose to alter the default Windows 2000 Server
operating system configuration to meet specific customer requirements, note that
Nortel Networks will not have verified the impact of such a change on the
Symposium Call Center Server installation and configuration. Customers who
deviate from the recommended Windows 2000 Server configuration (as listed in
section 3 of this guide), and must test their Windows 2000 Server configuration
with Symposium Call Center Server R5.0 in a non-production environment before
putting the configuration online.
To provide a proper secure environment, you must examine your environment and
assess the risks you currently face, determine an acceptable level of risk, and
maintain the risk at or below acceptable level. Risk can be reduced by increasing
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 45
Security recommendations Nortel Networks Proprietary
the security of your server and environment. As a general rule, the higher the level
of security, the more costly the risk management policy is to implement and the
more likely that reductions in functionality will occur. You must review the
required security level and determine how it might impact Symposium Call
Center Server.
The security policy defines the procedures for configuring and managing security
in your environment. Organizations may have a predefined general server security
policy that can conflict with the Symposium Call Center Server default setting.
You must review your security policy and determine how it can be implemented
with Symposium Call Center Server. Since Symposium Call Center Server is
designed as a special real-time call processing platform instead of a general
purpose IT server, certain IT server security policies may not be compatible with
Symposium Call Center Server. In this case, you may need to relax your security
settings to meet the Symposium Call Center Server minimum requirements.
If you have additional local security policy changes for the Symposium Call
Center Server, then you must apply the additional security policy after you install
Symposium Call Center Server to minimize any possible conflict with the default
setting that are made during installation.
https://app12.nortelnetworks.com/cgi-
bin/mynn/home/NN_prodDoc.jsp?BkMg=0&prodID=45280&progSrcID=-
8026&whereClause=23&curOid=12460
Customers are encouraged to install the latest available Windows 2000 service
packs that have been validated by Nortel Networks. You should schedule regular
reviews of your configuration and apply the latest available Windows 2000
service pack as part of your security risk management plan.
46 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Security recommendations Nortel Networks Proprietary
Given the number of operating system security patches and the complexity
inherent in any network, Nortel Networks recommends that you create a
systematic and accountable process for identifying and applying security patches.
To help create such a process, you can follow a series of best practices guidelines,
as documented in the National Institute of Standards and Technology (NIST)
Special Bulletin 800-40, Procedures for Handling a Security Patches. This bulletin
suggests that if an organization does not have a centralized group to coordinate
the storage, evaluation, and chronicling of security patches into a library, then
system administrators or the contact center administrator must fulfill this role.
All three default Symposium Call Center Server Windows local user accounts are
created for a specific purpose. You must not change the account name for the
NGenSys account. You may change the account names for NGenDist and
NGenDesign. However, if you do so, you must provide these new account names
to the Distributor/Nortel Networks Support personnel or they will not be able to
use these default accounts to access the server remotely. If you change any of the
default Symposium Call Center Server Windows local user account names, the
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 47
Security recommendations Nortel Networks Proprietary
changed accounts will not be removed by the Symposium Call Center Server R5.0
software uninstall program, and instead must be removed manually.
For security reasons, customers are encouraged to change the passwords for these
default accounts upon successful Symposium Call Center Server installation. If
you change the password for the “NGenSys” account, then you must also update
the Symposium Call Center Server Backup and Restore service password (refer to
the Nortel Networks Symposium Call Center Server Installation & Maintenance
Guide for Release 5.0[1] for the password change procedures).
You must not add any additional Windows 2000 user accounts to Symposium
Call Center Server (except the account for the R5.0 Remote Database Backup and
Restore feature). With the exception of the Administrator account, other default
Windows 2000 accounts (for example, Guest) can be disabled or removed to
increase the security of the server. If you change the default Administrator
account name, it has no impact on the normal operation of the Symposium Call
Center Server R5.0 server. However, it will cause the Platform Vendor
Independence Check (PVI Check) utility to notify you that an invalid
administrator account is being used. Therefore, Nortel Networks recommends that
you change the Administrator account name only after you install the Symposium
Call Center Server R5.0 software.
48 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Security recommendations Nortel Networks Proprietary
Note: Third party backup software can only be used for offline full backups.
The database backup must be performed using the utility provided by
Symposium Call Center Server due to proprietary functions called upon
during the backup routine.
1. During run-time, the utility must not degrade the Symposium Call
Center Server system beyond an average 50 percent CPU utilization.
Furthermore, the utility must not lower the minimum amount of free
hard disk space required by Symposium Call Center Server and the
Windows operating system.
2. The utility must not cause any improper software shutdowns or out of
sequence shutdowns.
3. The utility must not administer the Symposium Call Center Server
software.
4. If the utility has its own database, it must not impact the Symposium
Sybase database.
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 49
Security recommendations Nortel Networks Proprietary
security settings and configuration, then you may need to rebuild the
server.
10. The software must not be installed within the Symposium Call Center
Server folder on the D: drive. Nortel Networks recommends that you
install the software in its own folder on the C: drive.
11. The software must be virus free. Do not install any software when the
origin of the software is not known.
• Typically, only maintenance personnel have local access to the server and
remote access through pcAnywhere.
• All Nortel Networks software distributions including PEPs and SUs are
virus free.
• Customers are discouraged from directly accessing the Internet from the
server, which minimizes the risk of getting a virus through the Internet.
50 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Security recommendations Nortel Networks Proprietary
• During PEP installations on both the client and server, all anti-virus
functionality should be disabled (for example, firewalls, (passive)
scanning, auto updates etc.) and should not be started up automatically
until the entire Symposium Call Center Server installation procedure is
complete. You may re-enable the anti-virus functionality afterwards, as
required.
• Set virus scans to run on the server during off-peak hours, and not to start
on the hour. Note that several maintenance tasks are automatically
activated on Symposium Call Center Server at midnight, so an off-
midnight time should be set for virus scans. Similarly, active virus scans
should be disabled when running diagnostic traces or logs on the
Symposium Call Center Server R5.0 server.
• Infected file quarantine policy on the Server and Client: The anti-virus
software should not be configured to deal automatically with suspected
infected files. In the event that infected files are located, do not attempt to
replace or remove them. Contact your local Nortel Networks Support
representative for assistance in determining if the files are part of the
Symposium Call Center Server application, or a critical system file.
• Nortel Networks recommends that you exclude the following files from
scanning:
F:\Nortel\Database\
<additional database drive>:\Nortel\Database
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 51
Security recommendations Nortel Networks Proprietary
• You must not connect the Symposium Call Center Server R5.0 server
directly to the Internet to download virus definitions or updated files. In
addition, Nortel Networks recommends that you do not connect the
Symposium Call Center Server client PC to the Internet. Instead, you
should download virus definitions and update files to another location on
your network, and then manually upload to the Symposium Call Center
Server R5.0 server. This is the same recommended procedure for
downloading Symposium Call Center Server PEPs. This recommendation
limits access to the Internet, and thus reduces the risk of downloading
infected files.
• In addition, all PEP files, CD-ROMs, and floppy disks should be scanned
prior to installing or uploading to the server. This practice minimizes any
exposure to infected files from outside sources.
• Capacity considerations: Note that running virus scan software can place
an additional load on server in Symposium Call Center Server. It is the
implementation personnel’s responsibility to run the Windows 2000
Server Performance Monitor tool on the server to gauge CPU utilization.
If the anti-virus software scan causes the server’s average CPU utilization
to exceed 50 percent for longer than 20 minutes, then the anti-virus
software should not be loaded onto the Symposium Call Center Server
R5.0 server.
Note:
52 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Security recommendations Nortel Networks Proprietary
Nortel Networks recommends that if you require access to the Nortel Networks
Web site (for example, to obtain the latest PEP/SU etc.), then you should use a
separate PC that is virus free.
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 53
Security recommendations Nortel Networks Proprietary
remove the “Everyone” group permission for all disk drives and add specific
Windows user account or group with specific permission. Symposium Call Center
Server supports the removal of the “Everyone” group as long as the following
recommended accounts and groups as listed in Table 12 are added to the specified
disk. Symposium Call Center Server can fail to operate if these recommended
accounts and groups are not added with the required permission.
4.11 Encryption
Windows 2000 supports file and folder encryption. However, Symposium Call
Center Server R5.0 does not support or require any form of file and folder
encryption by Windows 2000. You must not attempt to encrypt any installed
Symposium Call Center Server files or folders, including all Symposium Call
Center Server database folders and files. If Windows 2000 encryption is enabled
54 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Security recommendations Nortel Networks Proprietary
on any Symposium Call Center Server database folders or files, it will corrupt the
database. In this case, Symposium Call Center Server can only be recovered by
re-installing and then restoring the database from the latest available database
backup.
MSXML Security MBSA may indicate that latest security updates are
Updates out-of-date. Symposium Call Center Server has no
dependency on the MSXML, and it is customer’s
option to install the latest MSXML security update as
recommended by Microsoft.
Windows Security MBSA may indicate that the latest critical security
Updates updates are missing. Check against the latest
Symposium Products Service Packs Compatibility
and Security Hotfixes Applicability list for applicable
Microsoft security updates and installed all applicable
security updates.
Microsoft VM Security MBSA may indicate that latest security updates are
Updates out-of-date. Symposium Call Center Server has no
dependency on the Microsoft VM, and it is
customer’s option to install the latest Microsoft VM
security update as recommended by Microsoft.
Office Security Updates MBSA may indicate that latest security updates are
out-of-date. Symposium Call Center Server has no
dependency on the Microsoft Office, and it is
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 55
Security recommendations Nortel Networks Proprietary
Windows Media Player MBSA may indicate that latest security updates are
Security Updates out-of-date. Symposium Call Center Server has no
dependency on the Windows Media Player, and it is
customer’s option to install the latest Windows Media
Player security update as recommended by Microsoft.
MDAC Security Updates MBSA may indicate that the latest critical security
updates are missing. Check against the latest
Symposium Products Service Packs Compatibility
and Security Hotfixes Applicability list for applicable
Microsoft security updates and installed all applicable
security updates.
Password Expiration MBSA may warn that all user accounts have non-
expiring passwords. “NGenSys” and the remote
database backup and restore users must be configured
with non-expiring passwords. Other users can be
configured with password expiration, as required.
Local Account Password MBSA may warn that some user accounts have blank
Test or simple passwords, or could not be analyzed. The
passwords for the Symposium Call Center Server
default local accounts (NGenSys, NGenDist, and
NGenDesign) should pass this test. Check and change
user passwords if required.
56 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Security recommendations Nortel Networks Proprietary
File System MBSA should indicate that all hard drives are using
the NTFS system. Repartition and reinstall
Symposium Call Center Server if any software or
database drives used by Symposium Call Center
Server are not using NTFS.
IIS Status MBSA should indicate that this service is not running
on the computer. Remove the IIS service if it is
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 57
Security recommendations Nortel Networks Proprietary
58 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Security recommendations Nortel Networks Proprietary
modem, Remote Access Service (RAS), or VPN (with Nortel Networks Contivity
product) connection method.
Nortel Networks recommends the VPN connection method together with the
proper firewall or subnet isolation between the Symposium Call Center Server
network subnet and the corporate network, as it provides a secure connection that
minimizes the risk of exposing other customer network resources to the remote
connection.
To prevent illegal access to the Symposium Call Center Server R5.0 server
through the remote connection, you must configure the appropriate pcAnywhere
and RAS (if configured) logon accounts and passwords. Nortel Networks
recommends that you do not use any default or simple passwords for the
pcAnywhere and RAS logon accounts.
For security reason, a firewall may be placed before the Symposium Call Center
Server in the network path for the remote connection. In order to allow
pcAnywhere remote session to be successful, the port 5631 (TCP) and port 5632
(UDP) must be opened.
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 59
Security recommendations Nortel Networks Proprietary
60 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
Glossary Nortel Networks Proprietary
5 Glossary
The glossary provided relates solely to this document.
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 61
Glossary Nortel Networks Proprietary
62 Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00
References Nortel Networks Proprietary
6 References
[1] Nortel Networks Symposium Call Center Server Installation and Maintenance Guide,
Product release 4.2, Standard 1.0, April 2002
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 63
Nortel Networks Proprietary
[ Last Page ]
Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 65