
Nortel Networks – Metro & Enterprise Networks

Symposium Call Center Server 5.0


Security Guide for Windows 2000
Issue 1.00 May 13, 2004

ABSTRACT
This guide describes the Symposium Call Center Server R5.0 security model and architecture, and the
minimum security settings in Windows 2000 Server for a successful R5.0 installation and operation. The
guide also provides security recommendations that customers can adopt into their own security policies
and configurations.

NOTICE TO HOLDERS OF PAPER COPIES: Upon receipt of a new issue, destroy the previous issue or
mark it “OBSOLETE”.

CONFIDENTIAL INFORMATION: The information contained in this document is the property of Nortel
Networks. Except as specifically authorized in writing by Nortel Networks, the holder of this document
shall keep all information contained herein confidential and shall protect same in whole or in part from
disclosure and dissemination to all third parties.
Trademarks Nortel Networks Proprietary

Trademarks
The following are trademarks of Nortel Networks: Nortel Networks, BNR, ACD, BCS, CallPilot, DMS,
DMS-100, DMS-250, DMS-MTX, DMS-SCP, DNC, DPN-100, DVS, DualMode, FastView, Helmsman,
M2317, MAP, Symposium, Meridian Digital Centrex (MDC), Meridian, Meridian 1, Meridian Link, Meridian
MAX, Meridian NAC, Meridian CCR, Meridian IVR, Meridian Terminal Emulator, MFA, Norstar,
PowerTouch, SL-1, SL-100, SuperNode, Telesis, Unity.
Action Request System and AR System are trademarks of Remedy Corporation.
AMDEK is a trademark of Amdek Corporation.
ANSI is a trademark of the American National Standards Institute.
ClearCase is a registered trademark and ClearCase MultiSite is a trademark of Rational Software
Corporation.
Continuus, continuus/CM, and Continuus/PT are trademarks of Continuus Software Corporation.
CaseWare/CM, CaseWare/PT, CaseWare, ACCENT, and Amplify Control are registered trademarks of
Continuus Software Corporation.
Courier is a trademark of Smith-Corona Corporation.
CT Connect, CT Media is a registered trademark of Dialogic.
Frame, FrameBuilder and FrameMaker are trademarks of Adobe Systems Incorporated.
Helvetica and Times are trademarks of Linotype AG or its subsidiaries.
InstallShield is a registered trademark of InstallShield Software Corporation.
Interleaf is a trademark of Interleaf, Inc.
Macintosh, Power Macintosh, and Apple are registered trademarks of Apple Computer, Inc. Mac OS is a
trademark of Apple Computer, Inc.
Microsoft Windows, Microsoft Word, Microsoft Excel, PowerPoint, Microsoft Project, Microsoft File
Extension, and MS-DOS are trademarks of Microsoft Corporation.
Novell is a trademark of Novell, Inc.
Olecera Chart is a trademark of KL Group Inc.
Portable Document Format is a trademark of Adobe Systems Incorporated.
PostScript is a trademark of Adobe Systems Incorporated.
SYBASE is a trademark of Sybase, Inc.
UNIX is a trademark of UNIX System Laboratories.
Versatility, Versatility Administrator, Versatility Call Blending, Versatility Campaign Plus, Versatility Insight,
Versatility Predictive, Versatility Telesales / Teleservice are trademarks of Versatility Inc.
WinRunner, TSL and Context Sensitive are trademarks of Mercury Interactive Corporation.

© 2004 Nortel Networks Corporation

ii Symposium Call Center Server 5.0 Security Guide for Windows 2000 Issue 1.00

Approvals
Prepared By

Ronald Chan Date


Support Engineer, Contact Center Technology Support
Enterprise Networks, Call Center Technology & Solutions
Nortel Networks Corporation

Reviewed and Approved By

Rick Medeiros Date


Manager, Contact Center Technology & Dev Support
Enterprise Networks, Call Center Technology & Solutions
Nortel Networks Corporation

Eugene Garvin Date


Senior Manager, Contact Center Server R&D
Enterprise Networks, Call Center Technology & Solutions
Nortel Networks Corporation


Revision history

Issue Number   Type of Review   Author(s)     Issue Date        Reason(s) for Issue
0.01           Draft copy       Ronald Chan   March 16, 2004    Initial draft for internal review
0.02           Draft copy       Ronald Chan   April 27, 2004    Updates from internal review
1.00           Approval copy    Ronald Chan   May 13, 2004      Updates from external review. Section 2.1: Clarify Windows 2000 Server including both Standard and Advanced Edition. Section 4.2: Change web link to SCCS 5.0 product information page.


Table of contents
1 Introduction
  1.1 Purpose
  1.2 Scope
  1.3 Intended audience
2 Security Models
  2.1 Symposium Call Center Server security architecture
    2.1.1 Symposium Call Center Server network security layer
      2.1.1.1 Standalone server
      2.1.1.2 Embedded LAN configuration
      2.1.1.3 Customer LAN configuration
        2.1.1.3.1 Default network binding protocols
        2.1.1.3.2 Static IP address
        2.1.1.3.3 DNS consideration
      2.1.1.4 Firewall
    2.1.2 Symposium Call Center Server server security layer
      2.1.2.1 Windows 2000 Server configuration
      2.1.2.2 Windows 2000 security settings
      2.1.2.3 Server configuration
    2.1.3 Symposium Call Center Server application security layer
      2.1.3.1 Database access security
      2.1.3.2 MAS security server
      2.1.3.3 Remote backup and restore security
3 Default R5.0 server security settings and configuration
  3.1 Default Windows 2000 Server configuration
    3.1.1 Default installed Windows 2000 Server components
    3.1.2 Default Windows 2000 services
  3.2 Default Windows 2000 security settings
    3.2.1 Default password policy
    3.2.2 Default account lockout policy
    3.2.3 Default user rights assignments
    3.2.4 Default security setting
    3.2.5 Default IP security policy
    3.2.6 Default audit policy
  3.3 Default Symposium Call Center Server server configuration
    3.3.1 Default disk partitioning type
    3.3.2 Default Windows local users
    3.3.3 Default print server and file sharing configuration
    3.3.4 Default Internet access
4 Security recommendations
  4.1 Security risk management and policy
    4.1.1 Risk management
    4.1.2 Security policy
  4.2 Windows 2000 security patches and hot fixes
  4.3 Windows 2000 user accounts and passwords
  4.4 Anonymous logon
  4.5 Third-party applications
  4.6 Anti-virus scanning
  4.7 Internet access
  4.8 E-mail access
  4.9 File and folder sharing
  4.10 File and folder permission
  4.11 Encryption
  4.12 Microsoft Baseline Security Advisor
  4.13 SNMP Configuration
  4.14 Remote support access
  4.15 Symposium Call Center Server backup and restore strategy
5 Glossary
6 References


List of figures
Figure 1 Symposium Call Center Server Security Architecture
Figure 2 Symposium Call Center Server Network Security Layer


List of tables
Table 1 Symposium Call Center Server Default Network Protocols
Table 2 Symposium Call Center Server Ports Usage
Table 3 Default Installed Windows 2000 Server Components
Table 4 Default Windows 2000 services
Table 5 Default Password Policy
Table 6 Default Account Lockout Policy
Table 7 Default User Rights Assignments
Table 8 Default Security Setting
Table 9 Default IP Security Policy
Table 10 Default Audit Policy
Table 11 Default Symposium Call Center Server Windows Local Users
Table 12 Symposium Call Center Server File and Folder Permission
Table 13 MBSA scanning items and Symposium Call Center Server recommendations


1 Introduction
1.1 Purpose
Server security has become a critical issue in the software industry. It is important
for customers to protect all the servers in their network environment (including
Symposium Call Center Server) from various security attacks, threats, and
vulnerabilities. Since each customer has their own security policies and
requirements, it is impossible to present a single Symposium Call Center Server
security configuration that will meet all customer needs. This guide describes the
basic Symposium Call Center Server R5.0 security model and default security
configuration for a successful Symposium Call Center Server R5.0 installation
and operation. In addition, this guide includes a set of recommendations for
security policies and configuration. Customers can adopt the default and
recommended security policies and integrate them with their own security policy
for the Symposium Call Center Server R5.0 server.

1.2 Scope
This guide covers the security model and guidelines for Symposium Call Center
Server R5.0 (both nodal and NCC servers) running the Windows 2000 Server
(Standard and Advanced Edition) operating system. It is not intended to be a
comprehensive security guide for Windows 2000 Server, nor for the customer
network itself. This guide is only applicable to Symposium Call Center Server
R5.0 running on Windows 2000 Server (Standard and Advanced Server edition)
platform and does not include earlier releases or other Symposium products, such
as the regular Symposium Call Center Server Client application R4.0, Symposium
Web Client 4.5, Symposium Express Call Center, or Symposium Web Center
Portal.

The security settings and recommendations in this guide only cover the
Symposium Call Center Server R5.0 server running with Windows 2000 Server
(or Windows 2000 Advanced Server) and do not include other components on the
same network (for example, the M1 switch, desktop PC, Symposium Web Client
application server, etc.), or the actual customer network itself (for example,
routers, firewalls, etc.).

This guide does not include any actual procedures on how to show or change the
Windows 2000 Server security settings. It assumes that the reader is familiar with
security administration tools, either those supplied by Microsoft (for example, the
Microsoft Management Console with appropriate plug-ins), or third-party
software that is used to manage the listed security settings for Symposium Call
Center Server.


1.3 Intended audience

Caution
This guide contains sensitive security and configuration settings that a potential
hacker can use to exploit the security risks of Symposium Call Center Server.
Therefore, you must exercise caution and only release security settings
information to people on a need-to-know basis.

This guide is intended to be used by anyone wishing to set up a security policy and
configure Symposium Call Center Server R5.0 running on Windows 2000 Server
within their own security environment. It assumes that the reader is familiar with
all security subjects and features in Windows 2000 Server and in the customer
network environment.


2 Security Models
2.1 Symposium Call Center Server security architecture
The Symposium Call Center Server design incorporates various security features.
Different security layers within the customer network, server PC, and the
Symposium Call Center Server application provide overall system security. The
Symposium Call Center Server security architecture can be divided into the
following three major security layers:

• Network security

• Server security

• Application security

The relationship between the three security layers is shown in Figure 1.

[Figure 1 labels: Symposium Call Center Server network security (customer networks); Symposium Call Center Server R5.0 server security; Symposium Call Center Server application security]

Figure 1 Symposium Call Center Server Security Architecture

2.1.1 Symposium Call Center Server network security layer

The Symposium Call Center Server network security layer defines the network
environment in which the Symposium Call Center Server R5.0 server should be
configured. It also defines where the customer-supplied network firewall should
be placed within the customer network to allow the server in Symposium Call
Center Server and the Client (Standard Client and Web Client) to operate
properly. The network security layer protects Symposium Call Center Server from
possible security attacks through the customer or external networks.

Figure 2 shows an overall Symposium Call Center Server network security layer
within a typical customer network environment, including both the regular
Symposium Call Center Server Client PC and Symposium Web Client.

[Figure 2 labels: ELAN Subnet; Telephone Switch; Symposium Call Center Server; SCCS Standby Server; VPN connection for remote support access; Nortel Contivity 1100; Nortel Networks Servers Subnet (CLAN); NCC Server; Web Client Application Server; Symposium Call Center Server Clients; SCCS Replication Server; Firewall/Router; Corporate LAN; Web Client Desktops]

Figure 2 Symposium Call Center Server Network Security Layer

Since each customer provides their own network and can have different
configurations and requirements, it is impossible to provide a single network
configuration for Symposium Call Center Server that meets all customer
requirements. Therefore, Nortel Networks recommends you review and consider
the following Symposium Call Center Server network and configuration settings
when implementing your own network security and configuration settings.


2.1.1.1 Standalone server

Symposium Call Center Server (nodal and NCC server) is designed as a
standalone server (Windows Workgroup) within the network instead of
integrating with a Windows Domain. Symposium Call Center Server can coexist
with and be located within a Windows Domain, but should not be registered in the
domain. By configuring Symposium Call Center Server as a standalone server
instead of integrating it with a Windows Domain, you minimize any exposure of
the Symposium Call Center Server resources to the network and prevent domain
users from seeing and logging on to the server.

Symposium Call Center Server R5.0 does not require that any Windows Domain
users log on to the server and does not need Windows 2000 Active Directory to
operate, even though it runs within a Windows 2000 network environment.

2.1.1.2 Embedded LAN configuration

The Embedded LAN (ELAN) is used for the connection between the telephone
PBX switch and Symposium Call Center Server. The ELAN carries all call traffic
between the Symposium Call Center Server and the telephone switch (Meridian 1,
Meridian IE, or CSE 1000). Symposium Call Center Server only requires a
TCP/IP connection to the switch on the ELAN. There should not be a firewall
between Symposium Call Center Server and the telephone switch.

For maximum ELAN call traffic performance and security, Nortel Networks
recommends that the ELAN be completely isolated from other subnets, and from
the external LAN or WAN within the network. Since the ELAN can also carry
other telephone switch related traffic for other Nortel Networks products (for
example, OTM), you must take into consideration these additional network
configuration and security requirements to configure the ELAN (for example,
adding a router/gateway or firewall between the ELAN and other subnets, the
LAN or WAN).

2.1.1.3 Customer LAN configuration

Symposium Call Center Server (Nodal or NCC server) and the client PCs (both
Symposium Call Center Server Client and Web Client) are connected through the
Customer LAN (CLAN).

2.1.1.3.1 Default network binding protocols

The network connection protocol between Symposium Call Center Server and the
client PCs (both the Symposium Call Center Server Client and the Web Client
application server) is based on TCP/IP. The Symposium Call Center Server
Network Interface Card (NIC) should have the following default network protocol
bindings:


Table 1 Symposium Call Center Server Default Network Protocols

Default network protocol                          Function
Client for Microsoft Network                      Allows Symposium Call Center Server to operate within the Microsoft network environment
File and Printer Sharing for Microsoft Network    Enabled by default. Must be enabled for the Symposium Call Center Server Remote Database Network Backup & Restore feature to work
Internet Protocol (TCP/IP)                        Base network protocol for Symposium Call Center Server

It is the implementation personnel’s responsibility to add additional binding
protocols to the NIC, as necessary.

2.1.1.3.2 Static IP address

Symposium Call Center Server operates as a standalone server with a static IP
address. The Symposium Call Center Server network interface must not be
configured with DHCP.

2.1.1.3.3 DNS consideration

If a Domain Name Service (DNS) is configured and available on the CLAN, then
the Symposium Call Center Server network interface should be registered with
the specified DNS. If no DNS is available, then disable the DNS configuration in
the Symposium Call Center Server network interface to prevent errors and
possible performance impacts on the Symposium Call Center Server network
connection.

2.1.1.4 Firewall

Symposium Call Center Server operates on two separate subnets: the Embedded LAN
(ELAN) and the Customer LAN (CLAN). The ELAN provides critical
call traffic between Symposium Call Center Server and the telephone switch. For
maximum network traffic performance and security, it is recommended that the
ELAN be completely isolated from other subnets, or external LANs or WANs
within the network. No firewall should be placed between Symposium Call
Center Server and the telephone switch.


The Symposium Call Center Server Client or the Symposium Web Client
application server is connected to the Symposium Call Center Server through the
CLAN. The Remote Procedure Call (RPC) communication method is used
between Symposium Call Center Server and the client PCs (both the Symposium
Call Center Server Client and the Web Client application server). Since this
communication method requires a large range of dynamic ports, it is not practical
to implement a firewall between Symposium Call Center Server and the client
PCs by restricting port access. However, you can place an appropriate firewall
between the Symposium Web Client application server and the Web Client
desktop PCs.

In spite of the requirement to open a very large range of ports in a firewall
implementation, Nortel Networks acknowledges that many customers have
security policies that may require knowing all ports used by the Symposium
Call Center Server application. Table 2 lists all ports used between a Symposium
Call Center Server and the Symposium Call Center Client, and between a
Symposium Call Center Server and another Symposium Call Center Server or
Symposium Call Center Web Client application server. The list does not include
other base ports for Windows network connections (for example, port 53 for DNS)
that may be needed in the customer network configuration; these ports should be
known and provided by customers.

Table 2 Symposium Call Center Server Ports Usage

Port Number           Functionality
Port 135              Microsoft Windows RPC Locator Service
Port 137              Microsoft NetBIOS Name Service (needed for SCCS Remote Database Backup & Restore feature if deployed)
Port 138              Microsoft NetBIOS Datagram Service (needed for SCCS Remote Database Backup & Restore feature if deployed)
Port 139              Microsoft NetBIOS Session Service (needed for SCCS Remote Database Backup & Restore feature if deployed)
Port 161              SNMP (needed if SNMP NMS is connected)
Port 162              SNMP Traps (needed if SNMP NMS is connected)
Port 530              Microsoft Windows RPC Courier Service (needed if Symposium TAPI server is connected)
Port 1024 to 65535    This is the range of ports that can be used by RPC dynamic ports. Note: There are other hard-coded ports used by Symposium Call Center Server; however, they all fall within the range that needs to be opened for RPC.

It is the implementation personnel’s responsibility to provide and implement any
firewalls.
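
The following Python example is added here and is not part of the Nortel Networks guide: it turns Table 2 into a deployment-specific allowlist and audits `netstat -an` listener output against it. The feature labels (remote_backup, snmp_nms, tapi_server), the site_ports parameter for customer-supplied ports such as 53, and the sample netstat text are assumptions constructed for the example.

```python
# Table 2 of the guide as (first_port, last_port, service, feature).
# feature is None when the port is always needed; otherwise it is a
# hypothetical label for the optional deployment that needs the port.
TABLE_2 = [
    (135, 135, "Microsoft Windows RPC Locator Service", None),
    (137, 137, "Microsoft NetBIOS Name Service", "remote_backup"),
    (138, 138, "Microsoft NetBIOS Datagram Service", "remote_backup"),
    (139, 139, "Microsoft NetBIOS Session Service", "remote_backup"),
    (161, 161, "SNMP", "snmp_nms"),
    (162, 162, "SNMP Traps", "snmp_nms"),
    (530, 530, "Microsoft Windows RPC Courier Service", "tapi_server"),
    (1024, 65535, "RPC dynamic ports", None),
]

# Constructed sample in the layout printed by Windows "netstat -an".
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        192.0.2.77:1201        ESTABLISHED
  UDP    192.0.2.10:137         *:*
  UDP    0.0.0.0:161            *:*
"""


def allowed_ranges(features, site_ports=()):
    """Return the (lo, hi, service) ranges to permit for this deployment."""
    ranges = [(lo, hi, svc) for lo, hi, svc, feat in TABLE_2
              if feat is None or feat in features]
    # Table 2 excludes base Windows networking ports (the guide's example is
    # 53 for DNS); the customer supplies those separately.
    ranges += [(p, p, "customer-supplied port") for p in site_ports]
    return ranges


def allowed_port_count(features, site_ports=()):
    """Count the distinct ports the allowlist leaves open (out of 65535)."""
    ports = set()
    for lo, hi, _ in allowed_ranges(features, site_ports):
        ports.update(range(lo, hi + 1))
    return len(ports)


def parse_listeners(netstat_text):
    """Extract (proto, port) for TCP LISTENING sockets and bound UDP sockets."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        if fields[0] == "TCP" and fields[-1] != "LISTENING":
            continue  # established or closing connection, not a listener
        listeners.append((fields[0], int(fields[1].rsplit(":", 1)[1])))
    return listeners


def audit_listeners(netstat_text, features, site_ports=()):
    """Return (proto, port, reason) for listeners outside the allowlist."""
    permitted = allowed_ranges(features, site_ports)
    findings = []
    for proto, port in parse_listeners(netstat_text):
        if any(lo <= port <= hi for lo, hi, _ in permitted):
            continue
        # Separate "listed, but for a feature that is not deployed" from
        # "not listed at all".
        gated = [feat for lo, hi, _, feat in TABLE_2 if lo <= port <= hi]
        if gated:
            reason = ("Table 2 lists this port only for '%s', "
                      "which is not deployed" % gated[0])
        else:
            reason = "not in Table 2 and not a customer-supplied port"
        findings.append((proto, port, reason))
    return findings


if __name__ == "__main__":
    deployed = {"remote_backup"}  # no SNMP NMS, no TAPI server
    for proto, port, reason in audit_listeners(SAMPLE_NETSTAT, deployed):
        print("%s/%d: %s" % (proto, port, reason))
    print("ports left open:", allowed_port_count(deployed), "of 65535")
```

Even with no optional feature deployed, the allowlist leaves 64513 of 65535 ports open, which is the reason the guide calls port-based filtering between the server and its clients impractical. The audit is therefore only selective for ports below 1024; a listener such as 5000 in the sample cannot be told apart from an RPC dynamic port by number alone.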

2.1.2 Symposium Call Center Server server security layer

The Symposium Call Center Server R5.0 server security layer defines the security
settings and configuration on the Symposium Call Center Server PC. The server
security layer protects the Symposium Call Center Server PC from various
security attacks and vulnerabilities. The security layer is implemented through
security features included in the Windows 2000 Server operating system and
through the appropriate server configuration. The overall server security layer
consists of the following main security strategies:

• Windows 2000 Server configuration

• Windows 2000 security settings

• Server configuration

2.1.2.1 Windows 2000 Server configuration

The Windows 2000 Server configuration security strategy relies on the default
Windows 2000 Server operating system installation and configuration. The
default installation and configuration only installs and configures those Windows
2000 components that are required for proper Symposium Call Center Server
R5.0 operation. By not installing any unnecessary Windows 2000 components,
you minimize the risk of possible security attacks and vulnerabilities through
these components. The details of the default Windows 2000 Server configuration
are documented in section 3 of this guide.

For details on installing Windows 2000 Server according to the default Symposium
Call Center Server configuration, see the Nortel Networks Symposium Call Center
Server Installation and Maintenance Guide for Release 5.0 [1].


2.1.2.2 Windows 2000 security settings

The Windows 2000 security setting strategy includes a set of default security
settings and a user policy designed to protect Symposium Call Center Server by
minimizing possible unauthorized access and changes to the server. For details,
see section 3 of this guide.

2.1.2.3 Server configuration

The server configuration strategy includes a set of default server configuration
settings, such as file system type partitioning, file sharing etc., that help minimize
the exposure of the server to potential attackers. For details, see section 3 of this
guide.

2.1.3 Symposium Call Center Server application security layer

The Symposium Call Center Server application security layer includes built-in
security functions that protect critical information about the Symposium Call
Center Server application, customer call center configuration and statistics from
illegal access. The application security layer consists of the following major
components:

• database access security

• MAS security service

• remote backup and restore security

2.1.3.1 Database access security

Database access security is controlled by the Sybase ASE 12 SQL Server access
authorization component. Only authorized database user accounts with correct
passwords can access the database through pre-assigned access rights. All critical
call center configuration information and customer call statistics are stored in the
database. Nortel Networks proprietary information is also stored in the database
and can only be accessed by the “system administrator” (SA) account. Details of
this account are considered Nortel Networks confidential and, therefore, are not
released to any customers. Customers do not need to perform any database access
or maintenance operations that require “SA” account access. Instead, customers
use other Symposium Call Center Server user accounts to access the database and
create custom call statistic reports.

Customers can access the database through the pre-defined “sysadmin” account
and other Symposium Call Center Server user accounts created by the
Symposium Call Center Server administrators or supervisors. The sysadmin
account is different from the SA account. Customers can change the passwords
for all created Symposium Call Center Server user accounts, including the
pre-defined sysadmin account. In fact, for security purposes, customers must change
the default password for the sysadmin account when logging on to Symposium
Call Center Server for the first time.

The database access security model further protects database integrity from
unauthorized access and updates by providing pre-defined database views from
which customers retrieve database information.

2.1.3.2 MAS security server

The MAS security server is a Symposium Call Center Server service that provides
security authentication for the connection between the server in Symposium Call
Center Server and Symposium Call Center Server Client PC. The Symposium
Call Center Server Client must log on to Symposium Call Center Server through
the MAS security service using a valid Symposium Call Center Server user
account and password. The MAS security server encrypts and decrypts
Symposium Call Center user account passwords using a proprietary algorithm.

Symposium Call Center Server user accounts are separate and different from the
client PC’s local or network login account, and the server’s local Windows login
accounts. The Symposium Call Center Server user account login does not require
Windows login on the Symposium Call Center Server, nor does it require
Windows Domain Controller or Windows 2000 Active Directory.

2.1.3.3 Remote backup and restore security

Symposium Call Center Server R5.0 supports database backup and restore on a
remote network computer within the Symposium Call Center Server standalone
server configuration. Procedures are provided to set up the proper local user
account on both the remote backup computer and the server in Symposium Call
Center Server to ensure that only assigned user accounts and privileges are used
for the remote backup and restore. Customers must exercise proper security
measures for the shared remote backup folder on the remote computer to prevent
unauthorized access to the Symposium Call Center Server backup files.

Remote backup and restore configuration procedures are documented in Nortel
Networks Symposium Call Center Server Installation and Maintenance Guide for
Release 5.0 [1].


3 Default R5.0 server security settings and configuration

Caution
This guide contains sensitive security and configuration settings that a potential
hacker could use to exploit the security risks of the Symposium Call Center
Server. Therefore, you must exercise caution and only release security settings
information to people on a need-to-know basis.

3.1 Default Windows 2000 Server configuration


Symposium Call Center Server R5.0 includes a set of recommendations for the
installation and configuration of the Windows 2000 Server operating system.
When followed, these recommendations provide a security environment that
satisfies most typical customer security requirements. To install and configure
Windows 2000 Server according to these recommendations, follow the
instructions listed in the Nortel Networks Symposium Call Center Server
Installation and Maintenance Guide for Release 5.0 [1]. The default configuration
listed only covers the Windows 2000 Server operating system configuration and
does not include any hardware platform-specific configuration or security
settings.

The Windows 2000 Server configuration and security settings listed in this guide
include both the default Symposium Call Center Server settings (as installed when
you follow the guidelines documented in Nortel Networks Symposium Call Center
Server Installation and Maintenance Guide for Release 5.0 [1]), and the minimum
Symposium Call Center Server settings (the minimum setting required for
Symposium Call Center Server R5.0 operation). Nortel Networks has verified the
default Windows 2000 Server configuration as listed to ensure its compatibility
with the proper Symposium Call Center Server installation and operation.
Therefore, if you choose to alter the default Windows 2000 Server configuration
to meet specific customer requirements, note that Nortel Networks will not have
verified the impact of such change on the Symposium Call Center Server
installation and operation. Customers who deviate from the recommended default
Windows 2000 Server configuration must not change or exceed any of the listed
Symposium Call Center Server minimum requirements, and must test their
Windows 2000 Server configuration with Symposium Call Center Server R5.0 in
a non-production environment before putting the configuration online.


3.1.1 Default installed Windows 2000 Server components

For proper Symposium Call Center Server R5.0 operation, Nortel Networks
recommends installing only the required Windows 2000 Server operating system
components. Table 3 lists the default Windows 2000 Server installed components
and the minimum component requirements for proper Symposium Call Center
Server R5.0 operation.

Table 3 Default Installed Windows 2000 Server Components

| Windows 2000 component | Windows 2000 sub-component | Default Symposium Call Center Server configuration | Symposium Call Center Server minimum requirement |
|---|---|---|---|
| Accessories and Utilities | Accessibility Wizard | Installed | No dependency |
| | Accessories | Installed | No dependency |
| | Communications | Installed | No dependency |
| | Games | Installed | No dependency |
| | Multimedia | Installed | No dependency |
| Certificates Service | Certificate Service CA | Not installed | No dependency |
| | Certificate Web Enrollment Support | Not installed | No dependency |
| Indexing Service | | Installed | No dependency |
| Internet Information Service (IIS) | Common Files | Not installed | No dependency (must not be installed for security and performance consideration) |
| | Documentation | Not installed | No dependency (must not be installed for security and performance consideration) |
| | File Transfer Protocol (FTP) Server | Not installed | No dependency (must not be installed for security and performance consideration) |
| | FrontPage 2000 Server Extension | Not installed | No dependency (must not be installed for security and performance consideration) |
| | Internet Information Service Snap-In | Not installed | No dependency (must not be installed for security and performance consideration) |
| | Internet Service Manager (HTML) | Not installed | No dependency (must not be installed for security and performance consideration) |
| | NNTP Service | Not installed | No dependency (must not be installed for security and performance consideration) |
| | SMTP Service | Not installed | No dependency (must not be installed for security and performance consideration) |
| | Visual InterDev RAD Remote Development Support | Not installed | No dependency (must not be installed for security and performance consideration) |
| | World Wide Web Server | Not installed | No dependency (must not be installed for security and performance consideration) |
| Management and Monitoring Tools | Connection Manager Components | Not installed | No dependency (must not be installed for security and performance consideration) |
| | Network Monitor Tools | Not installed | No dependency |
| | Simple Network Management Protocol | Installed | Must be installed for sending Symposium Call Center Server event traps |
| Networking Service | COM Internet Service Proxy | Not installed | No dependency (must not be installed for security and performance consideration) |
| | Domain Name System (DNS) | Not installed | No dependency (must not be installed for security and performance consideration) |
| | Dynamic Host Configuration Protocol (DHCP) | Not installed | Must not be installed |
| | Internet Authentication Service | Not installed | No dependency (must not be installed for security and performance consideration) |
| | QoS Admission Control Service | Not installed | No dependency (must not be installed for security and performance consideration) |
| | Simple TCP/IP Services | Not installed | No dependency (must not be installed for security and performance consideration) |
| | Site Server ILS Services | Not installed | No dependency (must not be installed for security and performance consideration) |
| | Windows Internet Name Service (WINS) | Not installed | No dependency (must not be installed for security and performance consideration) |
| Other Network File and Print Services | File Service for Macintosh | Not installed | No dependency (must not be installed for security and performance consideration) |
| | Print Service for Macintosh | Not installed | No dependency (must not be installed for security and performance consideration) |
| | Print Service for Unix | Not installed | No dependency (must not be installed for security and performance consideration) |
| Remote Installation Service | | Not installed | No dependency |
| Remote Storage | | Not installed | No dependency |
| Script Debugger | | Installed | No dependency |
| Terminal Services | Client Creator Files | Not installed | No dependency (recommend not to be installed for security and performance consideration) |
| | Enable Terminal Services | Not installed | No dependency (recommend not to be installed for security and performance consideration) |
| Terminal Service Licensing | | Not installed | No dependency (must not be installed for security and performance consideration) |
| Windows Media Services | Windows Media Service | Not installed | No dependency |
| | Windows Media Service Admin | Not installed | No dependency |

3.1.2 Default Windows 2000 services

When you install Windows 2000, the installation program creates and configures
default Windows services that run when the system is started. Table 4 lists the
default Windows 2000 services and the minimum service configuration for
Symposium Call Center Server if the Windows 2000 Server is installed with the
default Windows components (as listed in Table 3).

Table 4 Default Windows 2000 services

| Windows 2000 service | Default Symposium Call Center Server configuration | Symposium Call Center Server minimum requirement |
|---|---|---|
| Alerter | Automatic | No dependency |
| Application Management | Manual | No dependency |
| ASM_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| AUDIT_Service | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service) |
| ClipBook | Manual | No dependency |
| COM+ Event System | Manual | No dependency |
| Computer Browser | Automatic | No dependency |
| DBNotifier_Service | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service) |
| DHCP Client | Automatic | No dependency |
| Distributed File System | Automatic | No dependency |
| Distributed Link Tracking Client | Automatic | No dependency |
| Distributed Link Tracking Server | Manual | No dependency |
| Distributed Transaction Coordinator | Automatic | No dependency |
| DNS Client | Automatic | Must be enabled for Symposium Call Center Server if the server NIC is DNS enabled |
| EB_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| ES_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| Event Log | Automatic | Must be enabled for Symposium Call Center Server |
| Fax Service | Manual | No dependency |
| File Replication | Manual | No dependency |
| HDC_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| HDM_Service | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service) |
| Host Application Integration | Automatic (Disabled for NCC server) | Must be enabled for Symposium Call Center Server if Data Integration Wizard is enabled in keycode (built-in SCCS service) |
| Indexing Service | Manual | No dependency |
| Internet Connection Sharing | Manual | No dependency |
| Intersite Messaging | Disabled | No dependency |
| IPSEC Policy Agent | Automatic | No dependency |
| IS_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| Kerberos Key Distribution Center | Disabled | No dependency |
| Licensing Logging Service | Automatic | No dependency |
| Logical Disk Manager | Automatic | Must be enabled for Symposium Call Center Server |
| Logical Disk Manager Administrative Service | Manual | No dependency |
| MAS Backup/Restore | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service) |
| MAS Configuration Manager | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service) |
| MAS Event Scheduler | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service) |
| MAS Fault Manager | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service) |
| MAS LinkHandler Port #2 | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service) |
| MAS OM Server | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service) |
| MAS Security | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service) |
| MAS Service Daemon | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service) |
| MAS Service Manager | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service) |
| MAS Time Service | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service) |
| Messenger | Disabled | No dependency |
| MLSM_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| NameService | Automatic (Not applicable to NCC server) | Must be enabled for Symposium Call Center Server (built-in SCCS Visibroker service) |
| NBNM_Service | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service) |
| NBTSM_Service | Automatic (Disabled for NCC Server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| NCCOAM_Service | Disabled (Automatic if it is a NCC server) | Must be disabled for SCCS except for NCC server (built-in SCCS service) |
| NDLOAM_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| Net Logon | Manual | No dependency |
| Net Meeting Remote Desktop Sharing | Manual | No dependency |
| Network Connections | Manual | No dependency |
| Network DDE | Manual | No dependency |
| Network DDE DSDM | Manual | No dependency |
| NITSM_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| NT LM Security Support Provider | Manual | No dependency |
| OAM_Service | Automatic | Must be enabled for SCCS including NCC server (built-in SCCS service) |
| pcAnywhere Host Service | Automatic | Must be enabled for Symposium Call Center Server remote support connection (built-in pcAnywhere service) |
| Performance Logs and Alerts | Manual | No dependency |
| Plug and Play | Automatic | No dependency |
| Print Spooler | Automatic | No dependency |
| Protected Storage | Automatic | No dependency |
| QoS RSVP | Manual | No dependency |
| RDC_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| Remote Access Auto Communication Manager | Manual | No dependency |
| Remote Access Connection Manager | Manual | No dependency |
| Remote Procedure Call (RPC) | Automatic | Must be enabled for Symposium Call Center Server |
| Remote Procedure Call (RPC) Locator | Manual | Must be enabled for Symposium Call Center Server |
| Remote Registry Service | Automatic | No dependency |
| Remote Storage | Automatic | No dependency |
| Routing and Remote Access | Disabled | No dependency |
| RSM_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| RunAs Service | Automatic | Must be enabled for Symposium Call Center Server |
| SDMCA_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| SDP_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| Security Accounts Manager | Automatic | Must be enabled for Symposium Call Center Server |
| Server | Automatic | Must be enabled for Symposium Call Center Server |
| Smart Card | Manual | No dependency |
| Smart Card Helper | Manual | No dependency |
| SNMP Service | Automatic | Must be enabled for sending Symposium Call Center Server traps |
| SNMP Trap Service | Manual | Must be enabled for sending Symposium Call Center Server traps |
| Sybase BCKServer_<computername>_BS | Automatic | Must be enabled for SCCS including NCC server (built-in Sybase service) |
| Sybase MONServer_<computername>_MS | Manual | Must be enabled for SCCS including NCC server (built-in Sybase service) |
| Sybase SQLServer_<computername> | Automatic | Must be enabled for SCCS including NCC server (built-in Sybase service) |
| Sybase XPServer_<computername>_XP | Manual | Must be enabled for SCCS including NCC server (built-in Sybase service) |
| System Event Notification | Automatic | No dependency |
| Task Scheduler | Automatic | Must be enabled for Symposium Call Center Server |
| TCP/IP NetBIOS Helper Service | Automatic | Must be enabled for Symposium Call Center Server Remote Network Database Backup & Restore feature to function |
| Telephony | Manual | No dependency |
| Telnet | Manual | No dependency |
| Terminal Service | Disabled | No dependency (recommend Disabled for Symposium Call Center Server) |
| TFA_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| TFABRIDGE_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| TFE Bridge Connector | Manual (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| TFE_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| Uninterrupted Power Supply | Manual | No dependency |
| Utility Manager | Manual | No dependency |
| VSM_Service | Automatic (Disabled for NCC server) | Must be enabled for SCCS except for NCC server (built-in SCCS service) |
| Windows Installer | Manual | Must be enabled for Symposium Call Center Server |
| Windows Management Instrumentation | Manual | No dependency |
| Windows Management Instrumentation Driver Extension | Manual | No dependency |
| Windows Time | Manual | No dependency |
| Workstation | Automatic | Must be enabled for Symposium Call Center Server |

3.2 Default Windows 2000 security settings


The Windows 2000 Server operating system on the Symposium Call Center
Server R5.0 server is protected by the Windows 2000 local security policy. Since
Symposium Call Center Server R5.0 does not require Active Directory to work,
Windows 2000 Group Policies will not be discussed in this guide.

As part of Symposium Call Center Server R5.0, Nortel Networks recommends a
set of default security settings for the Windows 2000 local security policy that
provides a security environment for most typical customer security requirements.
Nortel Networks has verified that this default Windows 2000 local security policy
is compatible with the proper Symposium Call Center Server installation and
operation. Therefore, if you choose to alter the default Windows 2000 security
policy (both local and group policy) to meet specific customer security
requirements, note that Nortel Networks will not have verified the impact of such
a change on the Symposium Call Center Server installation and operation.
Customers who deviate from the recommended default Windows 2000 Server
security policy (both local and group policy) must not change or exceed any of the
listed Symposium Call Center Server minimum requirements, and must test their
Windows 2000 Server security policy with Symposium Call Center Server R5.0
in a non-production environment before putting the policy online.

3.2.1 Default password policy

Symposium Call Center Server R5.0 recommends the following default password
policy (applicable to the installed Windows 2000 user accounts).

Table 5 Default Password Policy

| Policy | Default Windows 2000 setting | Symposium Call Center Server minimum requirement |
|---|---|---|
| Enforce password history | 0 password remembered | No dependency |
| Maximum password age | 42 days | No dependency |
| Minimum password age | 0 days | No dependency |
| Minimum password length | 0 characters | Must be less than 6 characters for Symposium Call Center Server installation. Password length can be changed after Symposium Call Center Server installation. |
| Password must meet complexity requirements | Disabled | Disabled for Symposium Call Center Server installation |
| Store password using reversible encryption for all users in the domain | Disabled | No dependency (recommend Disabled) |

Since the installation of the Symposium Call Center Server application creates
additional Windows accounts with default passwords, the Windows 2000
password policy should be in the default setting (as listed in Table 5) before you
install Symposium Call Center Server. Customers can change the Windows 2000
password policy as required after the Symposium Call Center Server application
is installed, in which case they must also make appropriate password changes
for all local Windows accounts that are created with the Symposium Call Center
Server
installation. Nortel Networks recommends that all local Windows account
passwords (including accounts created by Symposium Call Center Server) be
changed from their default values immediately after installing Symposium Call
Center Server.

3.2.2 Default account lockout policy

Table 6 lists the default account lockout security setting and the minimum
requirements for Symposium Call Center Server R5.0.

Table 6 Default Account Lockout Policy

| Policy | Default Windows 2000 setting | Symposium Call Center Server minimum requirement |
|---|---|---|
| Account lockout threshold | 0 invalid logon attempts | No dependency |
| Account lockout duration | Not defined | No dependency |
| Reset account lockout counter after | Not defined | No dependency |
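
A pre-installation check of the account policies in Tables 5 and 6, as an added example that is not part of the Nortel guide: it reads the [System Access] section of a security template exported with `secedit /export /cfg <file>` and separates settings that break an installation minimum from settings that only differ from the verified default. The two export texts are constructed samples, and pairing the INF key names with the guide's policy names is an assumption of this example.

```python
# Added example (not Nortel code): check a `secedit /export` security template
# against the account policies in Tables 5 and 6 before installing the server.

BLOCK, RECOMMEND, DEVIATION = "BLOCK", "RECOMMEND", "DEVIATION"

# INF key -> (policy name in the guide, default setting, test for the minimum
# requirement or None for "No dependency", recommended value or None).
# A default of None stands for "Not defined". Pairing these [System Access]
# keys with the guide's policy names is this example's assumption.
RULES = {
    "PasswordHistorySize": ("Enforce password history", 0, None, None),
    "MaximumPasswordAge": ("Maximum password age", 42, None, None),
    "MinimumPasswordAge": ("Minimum password age", 0, None, None),
    "MinimumPasswordLength": ("Minimum password length", 0, lambda v: v < 6, None),
    "PasswordComplexity": ("Password must meet complexity requirements", 0,
                           lambda v: v == 0, None),
    "ClearTextPassword": ("Store password using reversible encryption", 0, None, 0),
    "LockoutBadCount": ("Account lockout threshold", 0, None, None),
    "LockoutDuration": ("Account lockout duration", None, None, None),
    "ResetLockoutCount": ("Reset account lockout counter after", None, None, None),
}


def parse_system_access(inf_text):
    """Return {key: int} for the numeric entries of the [System Access] section."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "system access" and "=" in line:
            key, _, val = line.partition("=")
            val = val.strip()
            if val.lstrip("-").isdigit():      # skips string entries such as account names
                values[key.strip()] = int(val)
    return values


def audit(inf_text):
    """Return (severity, policy, value) findings, in the order of RULES."""
    current = parse_system_access(inf_text)
    findings = []
    for key, (policy, default, minimum_ok, recommended) in RULES.items():
        value = current.get(key)
        if value is None:
            continue                            # not defined in the export
        if minimum_ok is not None and not minimum_ok(value):
            findings.append((BLOCK, policy, value))       # violates an installation minimum
        elif recommended is not None and value != recommended:
            findings.append((RECOMMEND, policy, value))   # guide recommends another value
        elif value != default:
            findings.append((DEVIATION, policy, value))   # differs from the verified default
    return findings


def ready_for_install(inf_text):
    """True when no setting violates a minimum requirement for installation."""
    return not any(severity == BLOCK for severity, _, _ in audit(inf_text))


# Constructed samples, already decoded to str (decode the exported file
# before parsing; the export is commonly UTF-16 encoded).
DEFAULT_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
"""

HARDENED_EXPORT = """[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(name, "ready for install:", ready_for_install(text))
        for severity, policy, value in audit(text):
            print(f"  {severity:9} {policy} = {value}")
```

A DEVIATION finding does not stop the installation; it marks a setting that departs from the configuration Nortel Networks verified and therefore needs the non-production test the guide requires.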

3.2.3 Default user rights assignments

Table 7 lists the default user rights assignments security setting and the minimum
requirements for Symposium Call Center Server R5.0.


Table 7 Default User Rights Assignments

| Policy | Default groups with this policy | Default accounts with this policy | Symposium Call Center Server minimum requirement |
|---|---|---|---|
| Access this computer from the network | NGen System, NGen Distributor, Everyone, Users, Power Users, Backup Operators, Administrator | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the NGen System, NGen Distributor, and Administrator groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Act as part of the operating system | NGen System, NGen Design | NGenSys, NGenDesign | Must be set for the NGen System, and NGen Design groups. Must be set for the NGenSys, and NGenDesign accounts. |
| Add workstations to domain | NGen Distributor | NGenDist, NGenDesign | Must be set for the NGen Distributor group. Must be set for the NGenDist, and NGenDesign accounts. |
| Back up files and directory | Administrators, NGen System, NGen Distributor, Backup Operator | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the NGen System, NGen Distributor groups. Must be set for the NGenSys, NGenDist, and NGenDesign accounts. |
| Bypass traverse checking | Administrators, NGen Distributor, Backup Operators, Power Users, Users, Everyone | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the NGen Distributor group. Must be set for the NGenSys, NGenDist, and NGenDesign accounts. |
| Change the system time | NGen Distributor, Administrators, Power Users | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the NGen Distributor, and Administrators groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Create a pagefile | Administrators, NGen Design | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Create a token object | NGen System, NGen Design | NGenSys | Must be set for the NGen System, and NGen Design groups. Must be set for the NGenSys account. |
| Create permanent shared objects | NGen System, NGen Design | NGenSys | Must be set for the NGen System, and NGen Design groups. Must be set for the NGenSys account. |
| Debug programs | Administrators, NGen System, NGen Design | Administrator, NGenSys, NGenDist, NGenDesign | No dependency. If removed, Nortel Networks may request to set it again for diagnosing specific site problem. |
| Force shutdown from a remote system | Administrators, NGen Design | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Generate security audits | NGen Distributor | NGenDist, NGenDesign | No dependency |
| Increase quotas | Administrators, NGen Distributor | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators, and NGen Distributor groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Increase scheduling priority | Administrators, NGen System, NGen Design | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators, NGen System, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Load and unload device drivers | Administrators, NGen System, NGen Design | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators, NGen System, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Lock pages in memory | NGen System, NGen Design | NGenSys, NGenDesign | Must be set for the NGen System, and NGen Design groups. Must be set for the NGenSys, and NGenDesign accounts. |
| Log on as a batch file | NGen System, NGen Distributor | NGenSys, NGenDist, NGenDesign | Must be set for the NGen System, and NGen Distributor groups. Must be set for the NGenSys, NGenDist, and NGenDesign accounts. |
| Log on as a service | NGen System, NGen Distributor | NGenSys, NGenDist, NGenDesign | Must be set for the NGen System, and NGen Distributor groups. Must be set for the NGenSys, NGenDist, and NGenDesign accounts. |
| Log on locally | Administrators, NGen Distributor, TSInternetUser, Guest, Users, Power Users, Backup Operators | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators, and NGen Distributor groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Manage auditing and security log | Administrators, NGen Distributor | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators, and NGen Distributor groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Modify firmware environment values | Administrators, NGen System, NGen Design | Administrator, NGenSys, NGenDist, and NGenDesign | Must be set for the Administrators, NGen System, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Profile single process | Administrators, NGen System, NGen Design, Power Users | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators, NGen System, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Profile system performance | Administrators, NGen System, NGen Design | Administrator, NGenSys, NGenDist, NGenDesign | Must be set for the Administrators, NGen System, and NGen Design groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |
| Remove computer from docking station | Administrators, Users, Power Users | Administrator, NGenSys, NGenDist, NGenDesign | No dependency |
| Replace a process level token | NGen System, NGen Design | NGenSys, NGenDesign | Must be set for the NGen System groups. Must be set for the NGenSys accounts. |
| Restore files and directories | Administrators, NGen System, NGen Distributor, Backup Operators | Administrator, NGenSys, NGenDist, and NGenDesign | Must be set for the Administrators, NGen System, and NGen Distributor groups. Must be set for the Administrator, NGenSys, NGenDist, and NGenDesign accounts. |

Shut down the Administrators, Administrator, Must be set for the


system NGen Distributor, NGenSys, Administrators,
Backup Operators, NGenDist, and NGen
Power Users NGenDesign Distributor groups.

Must be set for the


Administrator,
NGenSys,
NGenDist, and
NGenDesign
accounts

Take ownership Administrators, Administrator, Must be set for the


of files or other NGen Distributor NGenSys, Administrators,

Issue 1.00 Symposium Call Center Server 5.0 Security Guide for Windows 2000 35
Default R5.0 server security settings and configurationNortel Networks Proprietary

Policy Default groups Default accounts Symposium Call


with this policy with this policy Center Server
minimum
requirement
objects NGenDist, and NGen
NGenDesign Distributor groups.

Must be set for the


Administrator,
NGenSys,
NGenDist, and
NGenDesign
accounts.

Deny access to Not defined Not defined No dependency


this computer
from the network

Deny logon as a Not defined Not defined No dependency


batch job

Deny logon as a Not defined Not defined No dependency


service

Deny logon Not defined Not defined No dependency


locally

Enable computer Not defined Not defined No dependency


and user accounts
to be trusted for
delegation

3.2.4 Default security setting

Table 8 lists the default security setting and minimum requirements for
Symposium Call Center Server R5.0.

Table 8 Default Security Setting

| Policy | Default Windows 2000 setting | Symposium Call Center Server minimum requirement |
|---|---|---|
| Number of previous logons to cache (in case domain controller is not available) | 10 logons | No dependency |
| Prompt user to change password before expiration | 14 days | No dependency |
| Amount of idle time required before disconnecting session | 15 minutes | No dependency |
| Allowed to eject removable NTFS media | Administrator | No dependency |
| Allow system to be shut down without having to log on | Disabled | No dependency (recommend Disabled) |
| Audit the access of global system objects | Disabled | No dependency |
| Audit use of Backup and Restore privilege | Disabled | No dependency |
| Clear virtual memory pagefile when system shuts down | Disabled | No dependency |
| Digitally sign client communication (always) | Disabled | No dependency |
| Digitally sign server communication (always) | Disabled | No dependency (recommend Disabled) |
| Digitally sign server communication (when possible) | Disabled | No dependency (recommend Disabled) |
| Disable CTRL+ALT+DEL requirement for logon | Disabled | No dependency (recommend Disabled) |
| Do not display last user name in logon session | Disabled | No dependency |
| Prevent system maintenance of computer account password | Disabled | No dependency (recommend Disabled) |
| Recovery Console: Allow automatic administrative logon | Disabled | No dependency |
| Recovery Console: Allow floppy copy and access to all drives and all folders | Disabled | No dependency |
| Restrict CD-ROM access to locally logged-on user only | Disabled | No dependency |
| Restrict floppy access to locally logged-on user only | Disabled | No dependency |
| Secure channel: Digitally encrypt or sign secure channel data (always) | Disabled | No dependency |
| Secure channel: Require strong (Windows 2000 or later) session key | Disabled | No dependency |
| Send unencrypted password to connect to third party SMB servers | Disabled | No dependency |
| Shut down system immediately if unable to log security audits | Disabled | No dependency (recommend Disabled) |
| Automatically log off users when logon time expires (local) | Enabled | No dependency (recommend Enabled) |
| Digitally sign client communication (when possible) | Enabled | No dependency |
| Prevent users from installing printer driver | Enabled | No dependency (recommend Enabled) |
| Secure channel: Digitally encrypt secure channel data (when possible) | Enabled | No dependency |
| Secure channel: Digitally sign secure channel data (when possible) | Enabled | No dependency |
| Strengthen default permissions of global system objects (e.g. Symbolic Links) | Enabled | No dependency |
| Smart card removal behavior | No Action | No dependency |
| Additional restrictions for anonymous connections | None. Rely on default permissions | No dependency |
| Allow server operators to schedule task (domain controllers only) | Not defined | No dependency (recommend Not defined) |
| Rename administrator account | Not defined | No dependency (recommend Not defined for Symposium Call Center Server installation) |
| Rename guest account | Not defined | No dependency |
| Unsigned driver installation behavior | Not defined | No dependency |
| Unsigned non-driver installation behavior | Not defined | No dependency |
| LAN Manager Authentication Level | Send LM & NTLM responses | No dependency (recommend remain in default setting) |
| Message text for users attempting to log on | On | No dependency |
| Message title for users attempting to log on | On | No dependency |

3.2.5 Default IP security policy

Table 9 lists the default IP security policies assigned and the minimum
requirements for Symposium Call Center Server R5.0.

Table 9 Default IP Security Policy

| Name | Description | Default policy assigned | Symposium Call Center Server minimum requirement |
|---|---|---|---|
| Client (Respond Only) | Communicate normally (unsecured). Use the default response rule to negotiate with servers that request security. Only the requested protocol and port traffic with that service is secured. | No | No dependency (recommend No) |
| Secure Server (Require Security) | For all IP traffic, always require security using Kerberos trust. Do NOT allow unsecured communication with untrusted clients. | No | No dependency (recommend No) |
| Server (Request Security) | For all IP traffic, always request security using Kerberos trust. Allow unsecured communication with clients that do not respond to request. | No | No dependency (recommend No) |

3.2.6 Default audit policy

Table 10 lists the default Windows 2000 audit policies and minimum
requirements for Symposium Call Center Server R5.0.

Table 10 Default Audit Policy

| Policy | Default Windows 2000 setting | Symposium Call Center Server minimum requirement |
|---|---|---|
| Audit account logon events | No auditing | No dependency |
| Audit directory service access | No auditing | No dependency (recommend No Auditing to maximize Symposium Call Center Server performance) |
| Audit process tracking | No auditing | No dependency (recommend No Auditing to maximize Symposium Call Center Server performance) |
| Audit account management | No auditing | No dependency |
| Audit policy change | No auditing | No dependency |
| Audit privilege use | No auditing | No dependency |
| Audit object access | No auditing | No dependency (recommend No Auditing to maximize Symposium Call Center Server performance) |
| Audit logon events | No auditing | No dependency |
| Audit system events | No auditing | No dependency (recommend No Auditing to maximize Symposium Call Center Server performance) |

3.3 Default Symposium Call Center Server server configuration


Nortel Networks recommends a default configuration for the Symposium Call
Center Server R5.0 server that provides additional security for the server. Nortel
Networks has verified the default configuration as listed to ensure its
compatibility with the proper Symposium Call Center Server installation and
operation. Therefore, if you choose to alter the default server configuration to
meet specific customer requirements, note that Nortel Networks will not have
verified the impact of such a change on the Symposium Call Center Server
installation and configuration. Customers who deviate from the recommended
default server configuration must not change or exceed any listed Symposium
Call Center Server minimum requirements, and must test their server
configuration with Symposium Call Center Server R5.0 in a non-production
environment before putting the server online.

3.3.1 Default disk partitioning type

Symposium Call Center Server R5.0 supports Windows NTFS disk partitioning
only. Windows NTFS provides additional security for server files. Symposium
Call Center Server R5.0 requires that all disk partitions be NTFS.

3.3.2 Default Windows local users

Symposium Call Center Server R5.0 installs three additional Windows 2000 local
users during the Symposium Call Center Server software installation. Table 11
lists the three default Symposium Call Center Server Windows local users and
how the accounts are used.

Table 11 Default Symposium Call Center Server Windows Local Users

| Default Symposium Call Center Server Windows local user | Used for | Symposium Call Center Server minimum requirement |
|---|---|---|
| NGenSys | Used by customer to log in to Symposium Call Center Server for regular server maintenance (for example, PEP/SU installation etc.). | Must not be removed or renamed from Windows |
| NGenDist | Used by distribution channels and support personnel to log in to Symposium Call Center Server for maintenance and support (for example, remote support login). | Must not be removed from Windows |
| NGenDesign | Used by Nortel Networks to log in to Symposium Call Center Server. This account is reserved for Nortel Networks usage only. | Must not be removed from Windows |

Since the Symposium Call Center Server application has a dependency on the
NGenSys account, this account name must not be changed. Customers can change
the account names for NGenDist and NGenDesign after the Symposium Call
Center Server installation, but this will prevent distribution channels and Nortel
support groups from using the default account names to perform Symposium Call
Center Server maintenance or support.

All three default Symposium Call Center Server Windows local users are initially
created with default passwords. Customers are encouraged to change the default
passwords after successful Symposium Call Center Server installation. Procedures
for changing the passwords for these default accounts are documented in the
Nortel Networks Symposium Call Center Server Installation and Maintenance
Guide for Release 5.0[1].

3.3.3 Default print server and file sharing configuration

The Symposium Call Center Server R5.0 default network setting enables Print
Server and File Sharing in the installed protocol stack, but the Symposium Call
Center Server configuration does not include a default print server or a shared
network folder or file. It is a Symposium Call Center Server R5.0 minimum
requirement that no print server be configured on the Symposium Call Center
Server R5.0 server.

For security reasons, Nortel Networks recommends that customers do not share
any Symposium Call Center Server folders or files over the network. In addition,
Nortel Networks recommends that only the local Administrator and Symposium
Call Center Server default Windows users be granted write access to Symposium
Call Center Server folders. If customers need to download any Symposium Call
Center Server files (for example, PEPs or SUs), then Nortel Networks
recommends that they download them to a remote computer instead of directly to
the Symposium Call Center Server. After downloading the file to the remote
computer, the customer can then share it with the server in the Symposium Call
Center Server over the network.

3.3.4 Default Internet access

By default, Windows 2000 automatically includes a version of Internet Explorer
that you can configure and use for Internet access. However, since Symposium
Call Center Server does not require an Internet connection, it is a Symposium Call
Center Server R5.0 minimum requirement that the Internet connection remain
unconfigured. Nortel Networks stipulates that there should be no Internet or Intranet
access directly from the Symposium Call Center Server R5.0 server. Failure to
meet this requirement may expose the server to severe security risks.

4 Security recommendations
This section includes recommended security practices for Symposium Call Center
Server R5.0. Nortel Networks recommends that customers consider these
suggestions when deciding on their own security policies and practices. This
section is not intended to list security settings that meet specific customer
requirements. Customers should review their security requirements and compare
them with the default and minimum Symposium Call Center Server security
settings and configuration (listed in section 3 of this guide), together with the
security recommendations listed in this section, before deciding on the
appropriate overall Symposium Call Center Server security configuration.

The following security recommendations are not intended to be a comprehensive
security guideline for all security-related issues that customers might need to
consider. These security recommendations are only intended to be used as
guidelines when planning and implementing the proper Symposium Call Center
Server R5.0 security policies and practices within your specific environment and
according to your security requirements.

4.1 Security risk management and policy


Security threats are increasing constantly, and it is a high priority for all
organizations to secure all resources on the network, including Symposium Call
Center Server. There is no such thing as a completely secure Symposium Call
Center Server that fully meets all the different customer security requirements. To
secure Symposium Call Center Server, you must provide your own appropriate
security risk management and policy plan.

Symposium Call Center Server R5.0 comes with a set of default security settings
that meet most common security protection requirements. Nortel Networks has
verified the default Windows 2000 Server configuration as listed to ensure its
compatibility with the proper Symposium Call Center Server installation and
operation. Therefore, if you choose to alter the default Windows 2000 Server
operating system configuration to meet specific customer requirements, note that
Nortel Networks will not have verified the impact of such a change on the
Symposium Call Center Server installation and configuration. Customers who
deviate from the recommended Windows 2000 Server configuration (as listed in
section 3 of this guide) must test their Windows 2000 Server configuration
with Symposium Call Center Server R5.0 in a non-production environment before
putting the configuration online.

4.1.1 Risk management

To provide a proper secure environment, you must examine your environment and
assess the risks you currently face, determine an acceptable level of risk, and
maintain the risk at or below an acceptable level. Risk can be reduced by increasing
the security of your server and environment. As a general rule, the higher the level
of security, the more costly the risk management policy is to implement and the
more likely that reductions in functionality will occur. You must review the
required security level and determine how it might impact Symposium Call
Center Server.

4.1.2 Security policy

The security policy defines the procedures for configuring and managing security
in your environment. Organizations may have a predefined general server security
policy that can conflict with the Symposium Call Center Server default setting.
You must review your security policy and determine how it can be implemented
with Symposium Call Center Server. Since Symposium Call Center Server is
designed as a special real-time call processing platform instead of a general
purpose IT server, certain IT server security policies may not be compatible with
Symposium Call Center Server. In this case, you may need to relax your security
settings to meet the Symposium Call Center Server minimum requirements.

If you have additional local security policy changes for the Symposium Call
Center Server, then you must apply the additional security policy after you install
Symposium Call Center Server to minimize any possible conflict with the default
settings that are made during installation.

4.2 Windows 2000 security patches and hot fixes


Microsoft constantly identifies new Windows 2000 security vulnerabilities. Nortel
Networks will monitor and validate newly issued Windows 2000 service packs,
security patches and hot-fixes that are applicable to Symposium Call Center
Server R5.0. The list of applicable Microsoft service packs and security hot-fixes
is documented in the Symposium Products Service Packs Compatibility and
Security Hotfixes Applicability List that is available on Nortel Networks Partner
Information Center Web site:

https://app12.nortelnetworks.com/cgi-bin/mynn/home/NN_prodDoc.jsp?BkMg=0&prodID=45280&progSrcID=-8026&whereClause=23&curOid=12460

Nortel Networks will occasionally issue security bulletins to warn customers of
critical security issues and provide recommended actions. Customers should apply
all recommended security actions from Nortel Networks at the earliest possible
time.

Customers are encouraged to install the latest available Windows 2000 service
packs that have been validated by Nortel Networks. You should schedule regular
reviews of your configuration and apply the latest available Windows 2000
service pack as part of your security risk management plan.

Given the number of operating system security patches and the complexity
inherent in any network, Nortel Networks recommends that you create a
systematic and accountable process for identifying and applying security patches.

To help create such a process, you can follow a series of best practices guidelines,
as documented in the National Institute of Standards and Technology (NIST)
Special Bulletin 800-40, Procedures for Handling Security Patches. This bulletin
suggests that if an organization does not have a centralized group to coordinate
the storage, evaluation, and chronicling of security patches into a library, then
system administrators or the contact center administrator must fulfill this role.

In addition to these guidelines, whenever possible, Nortel Networks recommends
that you follow Microsoft's recommendations regarding newly discovered
vulnerabilities and that you promptly install any security patches issued by
Microsoft.

Whenever possible, Nortel Networks incorporates the latest OS security
recommendations and patches in an integrated solutions testing strategy during
each test cycle. However, due to the urgent nature of security patches when
vulnerabilities are discovered, Nortel Networks recommends that customers
follow Microsoft's guidelines as they are issued, including any Microsoft
installation procedures and security patch rollback processes that may be in place.
Finally, you must make a full system backup before patching the system to ensure
that a rollback is possible, if required.

4.3 Windows 2000 user accounts and passwords


Symposium Call Center Server R5.0 installs three default Windows 2000 local
user accounts (NGenSys, NGenDist, and NGenDesign) with default passwords.
The initial Symposium Call Center Server Windows account passwords include
six characters (or less). To prevent Symposium Call Center Server software
installation errors, you must ensure that the minimum password length in the
Windows 2000 security policy does not exceed six characters before you install
the software. You can change the password length and apply any additional
changes to the account and password security policy after you install Symposium
Call Center Server. If you increase the password length, you must also make the
corresponding change to the passwords for the default Symposium Call Center
Server Windows local user accounts.

All three default Symposium Call Center Server Windows local user accounts are
created for a specific purpose. You must not change the account name for the
NGenSys account. You may change the account names for NGenDist and
NGenDesign. However, if you do so, you must provide these new account names
to the Distributor/Nortel Networks Support personnel or they will not be able to
use these default accounts to access the server remotely. If you change any of the
default Symposium Call Center Server Windows local user account names, the
changed accounts will not be removed by the Symposium Call Center Server R5.0
software uninstall program, and instead must be removed manually.

For security reasons, customers are encouraged to change the passwords for these
default accounts upon successful Symposium Call Center Server installation. If
you change the password for the “NGenSys” account, then you must also update
the Symposium Call Center Server Backup and Restore service password (refer to
the Nortel Networks Symposium Call Center Server Installation & Maintenance
Guide for Release 5.0[1] for the password change procedures).

You must not add any additional Windows 2000 user accounts to Symposium
Call Center Server (except the account for the R5.0 Remote Database Backup and
Restore feature). With the exception of the Administrator account, other default
Windows 2000 accounts (for example, Guest) can be disabled or removed to
increase the security of the server. If you change the default Administrator
account name, it has no impact on the normal operation of the Symposium Call
Center Server R5.0 server. However, it will cause the Platform Vendor
Independence Check (PVI Check) utility to notify you that an invalid
administrator account is being used. Therefore, Nortel Networks recommends that
you change the Administrator account name only after you install the Symposium
Call Center Server R5.0 software.

4.4 Anonymous logon


The Windows 2000 Server default installation allows you to log on remotely as
“Anonymous,” a feature that can expose some server information. Since
Symposium Call Center Server R5.0 does not require an Anonymous logon,
Nortel Networks recommends that you disable the Anonymous logon by changing
the “Additional restrictions for anonymous connections” security policy to “No
access without explicit anonymous permission”, or changing the
“HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous” registry
key value from the default value of “0” to “2”.
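
The requirements in sections 4.3 and 4.4 and the "Log on as a service" row of the user rights table can be checked offline, on a separate workstation, against a security template exported from the server. The script below is an added example, not Nortel Networks code; it assumes the template is the INF text written by `secedit /export /cfg`, that accounts in `[Privilege Rights]` are listed by name, and it uses constructed sample exports.

```python
import re

# Values taken from this guide: section 4.3 (password length before install),
# section 4.4 (RestrictAnonymous) and the "Log on as a service" user right.
MAX_PREINSTALL_PASSWORD_LENGTH = 6
RESTRICT_ANONYMOUS_RECOMMENDED = 2
RESTRICT_ANONYMOUS_VALUE = r"machine\system\currentcontrolset\control\lsa\restrictanonymous"
SERVICE_LOGON_ACCOUNTS = ("NGenSys", "NGenDist", "NGenDesign")


def parse_inf(text):
    """Parse security-template INF text into {section: {key: value}}.

    Section names and keys are lower-cased; values are stripped strings.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def registry_dword(sections, value_path):
    """Return a REG_DWORD stored as "4,<number>" in [Registry Values], else None."""
    raw = sections.get("registry values", {}).get(value_path.lower())
    if raw is None:
        return None
    reg_type, _, data = raw.partition(",")
    if reg_type.strip() != "4" or not data.strip().isdigit():  # 4 = REG_DWORD
        return None
    return int(data.strip())


def accounts_with_right(sections, right):
    """Return lower-cased account names granted a right (any HOST\\ prefix dropped)."""
    raw = sections.get("privilege rights", {}).get(right.lower(), "")
    return {e.strip().rsplit("\\", 1)[-1].lower() for e in raw.split(",") if e.strip()}


def audit(inf_text, installed):
    """Return a list of findings; an empty list means every check passed.

    installed=False applies the pre-installation password-length limit,
    installed=True checks the service logon right of the three NGen accounts.
    """
    sections = parse_inf(inf_text)
    findings = []

    restrict = registry_dword(sections, RESTRICT_ANONYMOUS_VALUE)
    if restrict != RESTRICT_ANONYMOUS_RECOMMENDED:
        shown = "not set" if restrict is None else restrict
        findings.append("RestrictAnonymous is %s, guide recommends %d"
                        % (shown, RESTRICT_ANONYMOUS_RECOMMENDED))

    if not installed:
        raw = sections.get("system access", {}).get("minimumpasswordlength")
        if raw is None or not raw.isdigit():
            findings.append("MinimumPasswordLength missing from export")
        elif int(raw) > MAX_PREINSTALL_PASSWORD_LENGTH:
            findings.append("MinimumPasswordLength is %d, must not exceed %d before installation"
                            % (int(raw), MAX_PREINSTALL_PASSWORD_LENGTH))
    else:
        granted = accounts_with_right(sections, "SeServiceLogonRight")
        for account in SERVICE_LOGON_ACCOUNTS:
            if account.lower() not in granted:
                findings.append("%s lacks 'Log on as a service' (SeServiceLogonRight)" % account)
    return findings


# Constructed sample exports (not taken from a real server).
PRE_INSTALL_SAMPLE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""

POST_INSTALL_SAMPLE = r"""
[System Access]
MinimumPasswordLength = 8
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
[Privilege Rights]
SeServiceLogonRight = NGenSys,NGenDist
"""

if __name__ == "__main__":
    for label, text, installed in (("pre-install", PRE_INSTALL_SAMPLE, False),
                                   ("post-install", POST_INSTALL_SAMPLE, True)):
        for finding in audit(text, installed) or ["no findings"]:
            print("%s: %s" % (label, finding))
```

If the export is saved as Unicode (UTF-16) text, decode it accordingly when reading the file before passing it to `audit()`.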

4.5 Third-party applications


Due to the mission-critical, real-time processing performed by Symposium Call
Center Server, Nortel Networks stipulates that no other “application” class
software be installed on the server, but that certain “utility” class software may be
installed, providing that it conforms to the guidelines listed below.

• “Application” class software generally requires a certain amount of system
resources and is not to be installed on the Symposium Call Center Server.
The addition of third-party applications may cause a real-time system,
such as Symposium Call Center Server, to operate outside of the known
engineering limits and hence create potential unknown system problems
(for example, CPU contentions, increased network traffic loading, disk
access degradations, etc.).

• Certain third-party “utility” class software applications, such as hardware
diagnostics or backup tools, generally require less system resources during
the normal operations of Symposium Call Center Server and are,
therefore, permitted. Exceptions are utilities that may cause system
problems and degrade performance, such as screen savers. Anti-virus
software is classed as a utility and is subject to the generic guidelines
below, as well as to a specific series of recommendations detailed further
in this guide.

Note: Third party backup software can only be used for offline full backups.
The database backup must be performed using the utility provided by
Symposium Call Center Server due to proprietary functions called upon
during the backup routine.

Guidelines for “utility” implementations

1. During run-time, the utility must not degrade the Symposium Call
Center Server system beyond an average 50 percent CPU utilization.
Furthermore, the utility must not lower the minimum amount of free
hard disk space required by Symposium Call Center Server and the
Windows operating system.

2. The utility must not cause any improper software shutdowns or out of
sequence shutdowns.

3. The utility must not administer the Symposium Call Center Server
software.

4. If the utility has its own database, it must not impact the Symposium
Sybase database.

5. A Disk Compression utility must not be used.

6. Memory Tweaking utilities (for example, WinRAM Turbo, Memory
Zipper, etc.) that are used to “reclaim” memory unused by Microsoft
must not be used.

7. The installation or un-installation of the utility class software must not
impact/conflict with the Symposium Call Center Server software (for
example, DLL conflicts). If it does impact/conflict with the
Symposium Call Center Server software, then you may need to rebuild
the server.

8. The installation or un-installation of the utility class software must not
impact/conflict with the Symposium Call Center Server minimum
security settings and configuration (for example, enabling IIS service,
conflicts in the Windows 2000 security settings, etc.). If it does
impact/conflict with the Symposium Call Center Server minimum
security settings and configuration, then you may need to rebuild the
server.

9. The installation of the utility class software must be performed after
the Symposium Call Center Server is installed.

10. The software must not be installed within the Symposium Call Center
Server folder on the D: drive. Nortel Networks recommends that you
install the software in its own folder on the C: drive.

11. The software must be virus free. Do not install any software when the
origin of the software is not known.

It is the implementation personnel’s responsibility to perform tests to ensure that
these conditions and recommendations are met prior to putting the server into
production. As part of the fault diagnostic process, the Distributor/End User may
be asked to remove third-party software.

4.6 Anti-virus scanning


Note that the risk of virus infection on the Symposium Call Center Server R5.0 server is
minimal for the following reasons:

• The server requires limited access for support.

• Typically, only maintenance personnel have local access to the server and
remote access through pcAnywhere.

• All Nortel Networks software distributions including PEPs and SUs are
virus free.

• Customers are discouraged from installing non-Symposium Call Center
Server software on the server, which minimizes the risk of encountering
infected software on the server.

• Customers are discouraged from directly accessing the Internet from the
server, which minimizes the risk of getting a virus through the Internet.

• There should be no e-mail activity of any kind on the Symposium Call
Center Server R5.0 server, which eliminates any chance of getting a virus
through e-mail.

• There should be no shared folders or files on the Symposium Call Center
Server R5.0 server, which eliminates any chance of getting a virus through
open file/folder sharing.

In spite of the above recommendations, Nortel Networks acknowledges the fact
that many customers have security policies that may require that anti-virus
software be installed on the Symposium Call Center Server R5.0 server.

Nortel Networks has carried out testing on a representative sample of anti-virus
software packages (Norton, McAfee, and Innoculate) in order to determine the
following generic guidelines for the use of anti-virus software:

• The Symposium Call Center Server software must be installed on the
server before you install the anti-virus software. When the anti-virus
software is installed, it is the implementation personnel’s responsibility to
perform testing with the anti-virus software, in accordance with the
guidelines for “utility” implementations outlined in section 4.5 of this
guide.

• During PEP installations on both the client and server, all anti-virus
functionality should be disabled (for example, firewalls, (passive)
scanning, auto updates etc.) and should not be started up automatically
until the entire Symposium Call Center Server installation procedure is
complete. You may re-enable the anti-virus functionality afterwards, as
required.

• If personal firewalls are enabled on the Symposium Call Center Server
client PC, then the Report Listener may be flagged as trying to access the
Internet. You must configure the ‘Properties’ to allow the Report Listener
to access the Symposium Call Center Server R5.0 server through the
firewall.

• Set virus scans to run on the server during off-peak hours, and not to start
on the hour. Note that several maintenance tasks are automatically
activated on Symposium Call Center Server at midnight, so an off-
midnight time should be set for virus scans. Similarly, active virus scans
should be disabled when running diagnostic traces or logs on the
Symposium Call Center Server R5.0 server.

• Infected file quarantine policy on the Server and Client: The anti-virus
software should not be configured to deal automatically with suspected
infected files. In the event that infected files are located, do not attempt to
replace or remove them. Contact your local Nortel Networks Support
representative for assistance in determining if the files are part of the
Symposium Call Center Server application, or a critical system file.

• Nortel Networks recommends that you exclude the following files from
scanning:

F:\Nortel\Database\
<additional database drive>:\Nortel\Database

In addition, the following file should be excluded:

D:\Nortel\ICCM\bin\Tools2.exe (You will encounter file access errors in
the Scan Activity log if you do not exclude this file from scanning.)

• You must not connect the Symposium Call Center Server R5.0 server
directly to the Internet to download virus definitions or updated files. In
addition, Nortel Networks recommends that you do not connect the
Symposium Call Center Server client PC to the Internet. Instead, you
should download virus definitions and update files to another location on
your network, and then manually upload to the Symposium Call Center
Server R5.0 server. This is the same recommended procedure for
downloading Symposium Call Center Server PEPs. This recommendation
limits access to the Internet, and thus reduces the risk of downloading
infected files.

• In addition, all PEP files, CD-ROMs, and floppy disks should be scanned
prior to installing or uploading to the server. This practice minimizes any
exposure to infected files from outside sources.

• SNMP alerting on virus confirmation: At this time, Nortel Networks has
not tested this feature and is unable to ascertain whether it poses any
potential risks to Symposium Call Center Server. It is, therefore, not
recommended that you activate this feature.

• Capacity considerations: Note that running virus scan software can place
an additional load on the Symposium Call Center Server R5.0 server. It is the
implementation personnel’s responsibility to run the Windows 2000
Server Performance Monitor tool on the server to gauge CPU utilization.
If the anti-virus software scan causes the server’s average CPU utilization
to exceed 50 percent for longer than 20 minutes, then the anti-virus
software should not be loaded onto the Symposium Call Center Server
R5.0 server.
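One way to apply the capacity rule above to a Performance Monitor counter log, as an added example (not Nortel Networks code). It assumes the log was saved as CSV with a timestamp column and one `% Processor Time` column, and it reads "exceeds 50 percent for longer than 20 minutes" as an unbroken run of samples above 50; the log rows and server name are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

CPU_LIMIT_PERCENT = 50.0               # threshold stated in the guide
MAX_DURATION = timedelta(minutes=20)   # duration stated in the guide
TIME_FORMAT = "%m/%d/%Y %H:%M:%S.%f"   # assumed timestamp layout of the CSV log

# Constructed sample: 5-minute samples around a virus scan that starts at 01:20.
# The server name SCCS-EXAMPLE is a placeholder.
SAMPLE_LOG = r"""
"(PDH-CSV 4.0) (GMT Standard Time)(0)","\\SCCS-EXAMPLE\Processor(_Total)\% Processor Time"
"05/13/2004 01:15:00.000","22.4"
"05/13/2004 01:20:00.000","61.0"
"05/13/2004 01:25:00.000","72.3"
"05/13/2004 01:30:00.000","68.9"
"05/13/2004 01:35:00.000","55.1"
"05/13/2004 01:40:00.000","63.7"
"05/13/2004 01:45:00.000","58.2"
"05/13/2004 01:50:00.000","31.0"
"""


def parse_counter_log(text):
    """Return [(timestamp, cpu_percent)] from a two-column counter-log CSV."""
    rows = csv.reader(io.StringIO(text.strip()))
    next(rows)  # skip the header row that names the counter
    samples = []
    for row in rows:
        if len(row) < 2 or not row[1].strip():
            continue  # blank sample, e.g. the first reading of a rate counter
        samples.append((datetime.strptime(row[0], TIME_FORMAT), float(row[1])))
    return samples


def longest_run_over_limit(samples, limit=CPU_LIMIT_PERCENT):
    """Longest unbroken stretch of samples above `limit`: (start, end, duration)."""
    best = (None, None, timedelta(0))
    run_start = None
    for ts, cpu in samples:
        if cpu > limit:
            if run_start is None:
                run_start = ts
            if ts - run_start > best[2]:
                best = (run_start, ts, ts - run_start)
        else:
            run_start = None  # a sample at or below the limit ends the run
    return best


def scan_breaches_guideline(samples):
    """True when CPU stayed above 50 percent for longer than 20 minutes."""
    return longest_run_over_limit(samples)[2] > MAX_DURATION


if __name__ == "__main__":
    data = parse_counter_log(SAMPLE_LOG)
    start, end, duration = longest_run_over_limit(data)
    print(f"Longest run above {CPU_LIMIT_PERCENT}%: {start} to {end} ({duration})")
    print("Guideline breached:", scan_breaches_guideline(data))
```
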

Note:

• Nortel Networks does not provide support on the configuration of anti-virus
software, but it will endeavor to offer guidance where possible.
Questions or problems on anti-virus software should be directed to the
appropriate vendor.

• The above recommendations are intended as guidelines only, and do not
constitute a guarantee of compatibility. Nortel Networks does not plan to
perform ongoing compatibility testing, or testing on other anti-virus
packages.

• If performance or functionality issues are raised to Nortel Networks
Support, as part of the fault diagnosis process, the customer/distributor
may be asked to remove third-party utility software or anti-virus software.

4.7 Internet access


Internet access poses a major source of security risks, threats, and vulnerabilities
to the server. By default, Windows 2000 Server installs Internet Explorer, which
can be configured for accessing the Internet. Since Symposium Call Center Server
R5.0 does not require Internet access, Nortel Networks recommends that you
refrain from accessing the Internet or Intranet directly from the Symposium Call
Center Server R5.0 server.

Nortel Networks recommends that if you require access to the Nortel Networks
Web site (for example, to obtain the latest PEP/SU etc.), then you should use a
separate PC that is virus free.

4.8 E-mail access


Electronic mail (e-mail) and applications using the SMTP service are a major
source of security risks, threats, and vulnerabilities. By default, Windows 2000
Server installs Outlook Express, which can be configured to access an e-mail
system. Since Symposium Call Center Server R5.0 does not require SMTP
service, Nortel Networks recommends that you refrain from accessing any e-mail
systems or installing any applications that will enable the SMTP service on the
Symposium Call Center Server R5.0 server.

4.9 File and folder sharing


One of the most common forms of malicious code attack (for example, the Code
Red and Nimda viruses) occurs through file and folder sharing on the server. By
default, Symposium Call Center Server R5.0 does not include any shared folders
or files on the server. To help maintain a secure environment, you must not share
any installed file or folder at any time. Nortel Networks recommends that you
refrain from granting write access permissions to any files or folders (except for
the default permissions granted by Symposium Call Center Server) on the
Symposium Call Center Server R5.0 server. If there is an absolute need to share
files or folders on the server, then you must be cautious when granting write
access permission to users on your network and remove the shared access
immediately after the user completes the required task.

4.10 File and folder permission


By default, Windows 2000 grants the “Everyone” group Full Control permission
on all disk drives, with no other account or group listed. This default
permission gives everyone who accesses the server full control of all files and
folders, and it is considered a high security risk. It is a common security
policy and practice to remove the “Everyone” group permission from all disk
drives and add specific Windows user accounts or groups with specific
permissions. Symposium Call Center Server supports the removal of the
“Everyone” group as long as the recommended accounts and groups listed in
Table 12 are added to the specified disks. Symposium Call Center Server can fail
to operate if these recommended accounts and groups are not added with the
required permissions.

Table 12 Symposium Call Center Server File and Folder Permission

| Account/Group | Permission | Applied to | Granted Disk |
|---|---|---|---|
| Administrators | Full Control | This folder, Subfolders and files | All drives |
| SYSTEM | Full Control | This folder, Subfolders and files | All drives |
| Creator Owner | Full Control | Subfolders and files | C: drive only (Microsoft’s recommendation) |
| Everyone | Read & Execute | This folder only | Root of C: drive only (Microsoft’s recommendation) |
| Everyone | Read | This folder, Subfolders and files | D: drive only (do not need this permission for normal Symposium Call Center operation, only needed for running automatic test suite by Nortel Networks product verification group) |

4.11 Encryption
Windows 2000 supports file and folder encryption. However, Symposium Call
Center Server R5.0 does not support or require any form of file and folder
encryption by Windows 2000. You must not attempt to encrypt any installed
Symposium Call Center Server files or folders, including all Symposium Call
Center Server database folders and files. If Windows 2000 encryption is enabled
on any Symposium Call Center Server database folders or files, it will corrupt the
database. In this case, Symposium Call Center Server can only be recovered by
re-installing and then restoring the database from the latest available database
backup.

4.12 Microsoft Baseline Security Advisor


Symposium Call Center Server R5.0 is compatible with the Microsoft Baseline
Security Advisor (MBSA) security tool. You can use this tool to scan the
Symposium Call Center Server R5.0 server to check if it meets the Microsoft
baseline security recommendations for Windows 2000 Server. If you want to run
the MBSA tool against the Symposium Call Center Server R5.0 server, then
Nortel Networks recommends that you run this tool after the Symposium Call
Center Server R5.0 software is installed. Due to the default configuration of
Symposium Call Center Server R5.0, the MBSA may issue certain security non-
compliance statements or warnings. Table 13 lists the typical MBSA version 1.2
scanning items and Nortel Networks recommendations for Symposium Call
Center Server.

Table 13 MBSA scanning items and Symposium Call Center Server recommendations

| MBSA scanned item | Symposium Call Center Server recommendation |
|---|---|
| MSXML Security Updates | MBSA may indicate that the latest security updates are out-of-date. Symposium Call Center Server has no dependency on MSXML, and it is the customer’s option to install the latest MSXML security update as recommended by Microsoft. |
| Windows Security Updates | MBSA may indicate that the latest critical security updates are missing. Check against the latest Symposium Products Service Packs Compatibility and Security Hotfixes Applicability list for applicable Microsoft security updates and install all applicable security updates. |
| Microsoft VM Security Updates | MBSA may indicate that the latest security updates are out-of-date. Symposium Call Center Server has no dependency on the Microsoft VM, and it is the customer’s option to install the latest Microsoft VM security update as recommended by Microsoft. |
| Office Security Updates | MBSA may indicate that the latest security updates are out-of-date. Symposium Call Center Server has no dependency on Microsoft Office, and it is the customer’s option to install the latest Microsoft Office security update as recommended by Microsoft. |
| Windows Media Player Security Updates | MBSA may indicate that the latest security updates are out-of-date. Symposium Call Center Server has no dependency on the Windows Media Player, and it is the customer’s option to install the latest Windows Media Player security update as recommended by Microsoft. |
| MDAC Security Updates | MBSA may indicate that the latest critical security updates are missing. Check against the latest Symposium Products Service Packs Compatibility and Security Hotfixes Applicability list for applicable Microsoft security updates and install all applicable security updates. |
| Restrict Anonymous | MBSA may indicate non-compliance. Restrict anonymous access as recommended by Microsoft. |
| Administrators | MBSA may warn that more than two administrators are found in the computer. Check and confirm that only the “Administrator”, “NGenSys”, “NGenDist”, “NGenDesign”, and the remote database backup and restore users are listed in the Administrators group. Remove any additional administrator accounts. |
| Password Expiration | MBSA may warn that all user accounts have non-expiring passwords. “NGenSys” and the remote database backup and restore users must be configured with non-expiring passwords. Other users can be configured with password expiration, as required. |
| Internet Connection Firewall | Internet Connection Firewall is not available on the Windows 2000 platform. MBSA should indicate that Internet Connection Firewall is not installed or configured properly, or is not available on this version of Windows. |
| Local Account Password Test | MBSA may warn that some user accounts have blank or simple passwords, or could not be analyzed. The passwords for the Symposium Call Center Server default local accounts (NGenSys, NGenDist, and NGenDesign) should pass this test. Check and change user passwords if required. |
| Automatic Updates | MBSA may indicate non-compliance. Review and configure the server with the appropriate method to obtain the Microsoft updates. |
| File System | MBSA should indicate that all hard drives are using the NTFS system. Repartition and reinstall Symposium Call Center Server if any software or database drives used by Symposium Call Center Server are not using NTFS. |
| Autologon | MBSA should indicate that Autologon is not configured on this computer. Remove Autologon if configured. |
| Guest Account | MBSA should indicate that the Guest account is disabled on this computer. Disable or remove the Guest account if enabled. |
| Auditing | MBSA may suggest turning on Auditing. Follow the Symposium Call Center Server R5.0 guidelines on the auditing policy (section 3.2.6 of this guide). |
| Services | MBSA may suggest removing unneeded services (for example, Remote Access Connection Manager, Telnet, etc.). Do not remove the Remote Access Connection Manager if the RAS method is used for a remote access (pcAnywhere) connection instead of direct modem. Since Symposium Call Center Server does not require the Telnet service, you can remove it as recommended by Microsoft. Review other listed unneeded services and disable them if they are not listed as Symposium Call Center Server required services (section 3.1.2 of this guide). |
| Shares | MBSA may suggest shares on the server. Ensure that only the system default shares are on the server with the proper permissions. Symposium Call Center Server does not require any additional share to work. |
| Windows Version | MBSA must list the Windows version as the Windows 2000 Server version. |
| IIS Status | MBSA should indicate that this service is not running on the computer. Remove the IIS service if it is running. |
| SQL Server/MSDE Status | MBSA should indicate that SQL Server and/or MSDE is not installed on this computer. Remove SQL Server and/or MSDE if it is installed. |
| IE Zones | MBSA may indicate that Internet Explorer zones do not have secure settings for access. It is acceptable for Symposium Call Center Server if IE is not configured and used for Internet access. |
| Macro Security | MBSA should indicate that no Microsoft Office products are installed. Remove all Microsoft Office products from the server. |
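The Administrators and Password Expiration rows of Table 13 can be checked from the output of the built-in `net localgroup` and `net user` commands. The following is an added example, not part of the Nortel Networks guide; the captured output is constructed, and the account names `sccsbackup` (standing in for a site's remote database backup and restore user) and `tempadmin` are hypothetical.

```python
# Accounts Table 13 allows in the Administrators group, before site-specific additions.
BASE_ADMINS = {"Administrator", "NGenSys", "NGenDist", "NGenDesign"}

# Constructed sample of `net localgroup Administrators` output.
# "sccsbackup" (remote backup user) and "tempadmin" are hypothetical names.
LOCALGROUP_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
NGenDesign
NGenDist
NGenSys
sccsbackup
tempadmin
The command completed successfully.
"""

# Constructed excerpts of `net user <name>` output, keyed by account name.
NET_USER_OUTPUTS = {
    "NGenSys": "User name                    NGenSys\n"
               "Password expires             Never\n",
    "sccsbackup": "User name                    sccsbackup\n"
                  "Password expires             6/24/2004 10:02 AM\n",
}


def parse_localgroup_members(output):
    """Member names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("---"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members


def password_expires(net_user_output):
    """Value of the 'Password expires' field, or None if the field is absent."""
    for line in net_user_output.splitlines():
        if line.startswith("Password expires"):
            return line[len("Password expires"):].strip()
    return None


def audit_accounts(localgroup_output, net_user_outputs, backup_users):
    """Return findings for the Administrators and Password Expiration rows."""
    allowed = {name.lower() for name in BASE_ADMINS | set(backup_users)}
    findings = [f"Unexpected Administrators member: {member}"
                for member in parse_localgroup_members(localgroup_output)
                # Domain accounts are listed as DOMAIN\user; compare the user part.
                if member.split("\\")[-1].lower() not in allowed]
    # NGenSys and the remote backup/restore users must not have expiring passwords.
    for name in ["NGenSys", *backup_users]:
        expiry = password_expires(net_user_outputs.get(name, ""))
        if expiry != "Never":
            findings.append(f"{name}: password must be non-expiring (found {expiry!r})")
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(LOCALGROUP_OUTPUT, NET_USER_OUTPUTS, ["sccsbackup"]):
        print(finding)
```
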

4.13 SNMP Configuration


Symposium Call Center Server R5.0 supports sending Symposium Call Center
Server error and alarm events as SNMP traps only, and no other SNMP functions
are provided. Nortel Networks recommends the following security configuration
to reduce the security risk from SNMP service:

• If no SNMP service (including receiving Symposium Call Center Server
SNMP traps) is required by an NMS on the customer network from the
Symposium Call Center Server, Nortel Networks recommends that you
disable or remove the SNMP Service and SNMP Trap Service from the
Windows services. Disabling or removing the SNMP Service and SNMP
Trap Service only disables the Symposium Call Center Server capability to
send error and alarm events as SNMP traps and does not interfere with
other Symposium Call Center Server functions.

• Nortel Networks recommends using a customer-defined community name
instead of the well-known “public” community name for SNMP traps.

• Nortel Networks recommends configuring the SNMP Service to accept SNMP
packets only from a specified list of known SNMP hosts instead of
accepting SNMP packets from any host.
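The last two recommendations can be verified from a registry export of the SNMP service settings. This is an added example, not part of the Nortel Networks guide; it assumes the standard Windows SNMP Service registry layout (`ValidCommunities`, `PermittedManagers` and `TrapConfiguration` under `Services\SNMP\Parameters`), and both exports, the community name and the address 192.0.2.10 are constructed.

```python
import re

PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters"

# Constructed export of a service left at the settings the guide warns against.
DEFAULT_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"public"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration\public]
"1"="192.0.2.10"
"""

# Constructed export after applying the recommendations (placeholder names).
HARDENED_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"sccs-traps-example"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]
"1"="192.0.2.10"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration\sccs-traps-example]
"1"="192.0.2.10"
"""


def parse_reg_export(text):
    """Map each exported key path to its {value name: data} dictionary."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            match = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if match:
                current[match.group(1)] = match.group(2).strip('"')
    return keys


def audit_snmp(keys):
    """Return findings for the community-name and permitted-host recommendations."""
    findings = []
    communities = keys.get(PARAMS + r"\ValidCommunities", {})
    if any(name.lower() == "public" for name in communities):
        findings.append("ValidCommunities still lists the well-known 'public' community")
    trap_key = (PARAMS + r"\TrapConfiguration\public").lower()
    if any(path.lower() == trap_key for path in keys):
        findings.append("Traps are sent with the 'public' community name")
    # No values under PermittedManagers means packets are accepted from any host.
    if not keys.get(PARAMS + r"\PermittedManagers"):
        findings.append("PermittedManagers is empty: SNMP packets are accepted from any host")
    return findings


if __name__ == "__main__":
    for label, export in (("default", DEFAULT_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit_snmp(parse_reg_export(export)))
```
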

4.14 Remote support access


Symposium Call Center Server R5.0 supports remote connection to the server
through pcAnywhere so that Distributors/Nortel Networks support groups can
perform remote server maintenance. Customers can configure either a direct
modem, Remote Access Service (RAS), or VPN (with Nortel Networks Contivity
product) connection method.

Nortel Networks recommends the VPN connection method together with the
proper firewall or subnet isolation between the Symposium Call Center Server
network subnet and the corporate network, as it provides a secure connection that
minimizes the risk of exposing other customer network resources to the remote
connection.

To prevent illegal access to the Symposium Call Center Server R5.0 server
through the remote connection, you must configure the appropriate pcAnywhere
and RAS (if configured) logon accounts and passwords. Nortel Networks
recommends that you do not use any default or simple passwords for the
pcAnywhere and RAS logon accounts.

For security reasons, a firewall may be placed in front of the Symposium Call
Center Server in the network path for the remote connection. For a pcAnywhere
remote session to succeed, port 5631 (TCP) and port 5632 (UDP) must be open.

4.15 Symposium Call Center Server backup and restore strategy


A proper Symposium Call Center Server backup and restore strategy is critical to
recovering the Symposium Call Center Server R5.0 server in the event of virus
infection or server security damage beyond repair. The Symposium Call Center
Server R5.0 Standby Server function does not replace the requirement for regular
Symposium Call Center Server backups. It is important to note that the Symposium
Call Center Server backup and restore strategy must be included as part of your
security risk management plan. Nortel Networks recommends that you schedule
and perform regular Symposium Call Center Server database backups (local tape
or remote database backups). In addition, you must have an up-to-date
Symposium Call Center Server Platform Recovery Disk (PRD) stored in a secure
place. Nortel Networks recommends that you create a new PRD whenever there is
a Symposium Call Center Server platform configuration change (for example, if
you run the Symposium Call Center Server R5.0 Server Setup Configuration
Utility, Database Expansion utility, etc.).


5 Glossary
The glossary provided relates solely to this document.

CLAN Customer Local Area Network
DHCP Dynamic Host Connection Protocol
DNS Domain Name Service
ELAN Embedded Local Area Network
IT Information Technology
LAN Local Area Network
MAS Meridian Application Server
NCC Network Control Center
Nortel Networks Servers Subnet Previously known as CLAN
PC Personal Computer
PEP Performance Enhancement Package
PRD Platform Recovery Disk
RAS Remote Access Service
SCCS Symposium Call Center Server
SMTP Simple Mail Transfer Protocol
SU Service Update
WAN Wide Area Network


6 References
[1] Nortel Networks Symposium Call Center Server Installation and Maintenance Guide,
Product release 4.2, Standard 1.0, April 2002
