OW5000 System Security Guidelines - NEC Corporation of America

1-2 Introduction

• The procedures in this guide do not include the use of "Home" editions of Windows XP, Windows Vista, or Windows 7.
• The procedures in this guide are limited specifically to the following:
—Internet Information Services (IIS) (Version 6 or higher)
—Microsoft SQL Server 2005 Standard Edition, 2005 Express Edition (Service Pack 2 or higher), Microsoft SQL Server 2008 Standard Edition, or 2008 Express Edition

How This Guide is Organized

Chapter 1, Introduction: This chapter outlines important information and includes detailed information on how to use this guide.
Chapter 2, Securing the Network: This chapter provides recommended security practices to create and enforce a secure network environment.
Chapter 3, Securing the Operating System: This chapter provides recommendations to secure the Windows operating system (Windows Server 2003/2008, Windows XP Professional, Vista, and Windows 7).
Chapter 4, Securing the Database: This chapter describes how to secure MSDE and SQL Server.

Using This Guide

The target audience for this guide is general. Before you apply a recommendation from this guide, NEC recommends that you understand the high-level concepts and methods required to apply it.

This guide does not include step-by-step instructions for any Windows application. Each step-by-step instruction in this guide relates to the OW5000 System. Refer to your Microsoft user's guide to locate Windows operating system procedures.

UCE Application Platform (UNIVERGE OW5000) System Security Guidelines - Revision 7


2-2 Securing the Network

Figure 2-1 Firewall Protection

Potential intruders scan computers from the Internet or from within the Local Area Network (LAN), probing for an open port through which they can break in and access a server.

To increase security, configure the firewall to allow only the specific traffic listed in the following table into and out of the internal network, and to deny everything else.


Firewall Configuration

The table below lists the connections the OW5000 platform and its clients require, grouped by platform component. Open only these ports, and scope each rule to the source hosts that actually need it. Columns: Source Service | Src Port | Destination Service | Dest Port | Protocol | Remark. A source port of "-" means the source port is not fixed.

Platform:
All Modules | - | OAI Monitor | 445 | TCP | Optional. For client logging. See the first NOTE after this table.
All Modules | - | OAI Monitor | 5690 | TCP |
All Modules | - | SQL Server | 1433 | TCP | Default instance
All Modules | - | SQL Server | 1044 | TCP | SQL Express instance. The port is dynamic and typically 1044. **
All Modules | - | SQL Server Browser | 1434 | TCP/UDP | **
PBX | - | Access Server | 111 | UDP |
OaiMonitor | - | License Manager Client | 49300 | TCP |
Access Server | - | Access Server (same OW5000) | 6060 | UDP |
Access Server | - | Access Server (Federation) | 6060 | TCP |
Access Server | - | AMS | 5425 | TCP |
Access Server | - | PBX | 62000 | UDP |
Access Server | 6060 | Presence Gateway | 6061 | UDP |
Call Notification API | - | Java OAI Server | 44000-44099 | TCP |
ICA | - | AMS | 5425 | TCP |
ICA | - | Java OAI Server | 44000-44099 | TCP |
ICA | - | PBX | 60030 | TCP |
InfoAPI | 5061 | Access Server | 6060 | UDP |
Java OAI Server | - | PBX | 60030 | TCP |
LSI | - | Application Message Service (AMS) | 5425 | TCP |
LSI | - | PBX | 60030 | TCP | Required in the US, Australia and Europe markets only.
MS OCS/LCS | - | Remote Call Control | 5060 | TCP | This port depends on the listen port configured for RCC.
PS1000 API | 5062-5066 | Access Server | 6060 | UDP |
Presence Gateway | - | AMS | 5425 | TCP |
TelEventNotification | - | AMS | 5425 | TCP |
TelEventNotification | - | ICA | 5242 | TCP |
TelEventNotification | - | Java OAI Server | 44000-44099 | TCP |
VCM Web Service | - | TelEventNotification | 5676 | TCP |
Sentinel | - | SMTP email server | 25 | TCP/UDP |
Sentinel | - | SMTP email server (secure) | 465 | TCP |
Sentinel | - | SMTP email submission | 587 | TCP |
Sentinel | - | AMS | 5425 | TCP |

Log Viewer (Remote):
Log Viewer | - | OAI Monitor | 5690 | TCP |

Emergency On-site Notification Client:
- | - | AMS | 5425 | TCP |
- | - | Short Text Messaging | 5677 | TCP |
- | - | E-OSN Server | 8732 | HTTP |

DB Tool (Remote):
DB Tool | - | SQL Server | 1433 | TCP | Default instance
DB Tool | - | SQL Server | 1044 | TCP | SQL Express instance. The port is dynamic and typically 1044. **
DB Tool | - | SQL Server Browser | 1434 | TCP/UDP | **

Access Server (Remote):
Access Server | - | Access Server (same OW5000) | 6060 | UDP |
Access Server | - | Access Server (Federation) | 6060 | TCP |
Access Server | - | AMS | 5425 | TCP |
Access Server | - | PBX | 62000 | UDP |
Access Server | 6060 | Presence Gateway | 6061 | UDP |

UA5200:
UA5200 Client | - | UA5200 Server on OW5000 Server | 5678 | TCP |
UA5200 Client | - | AMS | 5425 | TCP |
UA5200 Server | - | PBX | 60030 | TCP |
UA5200 Client | - | SNPP Provider for UA5200 Paging | 444 | TCP/UDP |
PatientLink - FLF communication | - | Java OAI Server | 44000-44099 | TCP |
Wake-Up Service | - | AMS | 5425 | TCP |
Wake-Up Service | - | PBX | 60030 | TCP |
Guest Link - Low Priority Guest message port | 4048 | Agilysys PMS | - | TCP | The source port number is the UA5200 default; it is usually assigned by the customer.
Guest Link - High Priority Text message port | - | Agilysys PMS | 4049 | TCP | The destination port number is the UA5200 default; it is usually assigned by the customer.
UA5200 Client | - | GuestLink - Guest Message upload request port | 5998 | TCP |
Wake-Up Viewer | - | AMS | 5425 | TCP |

UC700:
UC700 Client | - | AMS | 5425 | TCP |
UC700 Client | - | UC700 Conference Server | 8731 | TCP | Internal application communication port.
UC700 Client | - | UC700 Server | 8080 | HTTP |
UC700 Conference Server | - | AMS | 5425 | TCP |
UC700 Conference Server | - | Java OAI Server | 44000-44099 | TCP |
UC700 Server | - | ICA | 5242 | TCP |
UC700 Server | - | Java OAI Server | 44000-44099 | TCP |
UC700 Server | - | TelEventNotification | 5676 | TCP |
- | - | CallServer | 5681 | TCP |
- | - | CallServer | 5683 | UDP |
- | - | CallServer | 8080 | UDP |
UC700 Server | - | OWAgentService | 8080 | HTTP |
OWAgentService | - | ACD | 60030 | TCP | One connection for Infolink and another for the MIS protocol.

MC550:
- | - | MC550 Server | 49232-49234 | TCP | Only for remote log viewing
- | - | MC550 Server | 49235 | HTTP/S | MC550ServiceAPI server
- | - | MC550 Server | 60051 | TCP | Stats
MC550 Server | - | PBX | 60030 | TCP | OAI link to the PBX
MC550 Web App | - | MC550 Server | 49235 | HTTP | MC550ServiceAPI client
- | - | MC550 Web App | 80 * | HTTP | IIS web site

MA4000 Integration:
MA4000 | - | DBSync (MA4000 Integration) | 9657 | HTTP | Used by the MA4000 application to send change notifications to OW5000.

3rd Party Apps:
3rd Party Application | - | Call Notifications API | 8081 | HTTP |
3rd Party Application | - | Call Notifications API | 9020 | TCP |
3rd Party Application | - | InfoAPI | 8080 | HTTP |
3rd Party Application | - | PS1000 API | 8080 | UDP |
3rd Party Application | - | SIP/SIMPLE (Access Server) | 6060 | UDP |

* If the web server is configured for a port other than 80, open that port instead.

** If you use Microsoft SQL Server Express Edition, either configure SQL Server to use the fixed ports 1433/1434 (not dynamic ports), or ensure that every port SQL Server may dynamically select is open in the firewall. Also ensure that SQL Server Express Edition listens for incoming client connections: Express installs with the TCP/IP protocol disabled.

NOTE
UNIVERGE clients (UA5200 and EOSN) log events to the OAI Logging server, i.e. the UCE server. If operation of the client machine is very slow, the cause may be that the client cannot connect to the Logging server. Two options for fixing this are (1) configure the client to connect to the UCE server's FQDN instead of its hostname, or (2) allow the client to connect to TCP port 445 on the UCE server. TCP 445 is SMB; if you open it, restrict the rule to the addresses of the client workstations rather than the whole network.

NOTE
Make sure that configurable ports, such as the Access Server Listen Port, are also added to the firewall rules.

Windows Services

Isolation of Services

To enforce security, the following is recommended:
• Do not set up the OW5000 Server as a Domain Controller or Global Administrator.
• Do not install Microsoft SQL Server on a Domain Controller.
• Disable all unnecessary Windows Services on the OW5000 server.
• Do not enable the following Windows Services on the OW5000 server:
—WINS
—DHCP
—FTP
—SMTP

IMPORTANT
The OW5000 installation will fail when installed on a Domain Controller.
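The following script is an added example and is not part of the NEC guide. It applies the firewall table above as a default-deny policy with scoped inbound rules, pins SQL Server Express to a fixed port (footnote **), and disables the services listed under Isolation of Services. It uses netsh advfirewall, which exists on Windows Vista, Server 2008 and 7 and later; Windows XP and Server 2003 use the older "netsh firewall" syntax and are not covered. The subnet and host addresses, the SQL instance name and the choice of rows shown are assumptions for the example; extend the $Rules list with the remaining rows from the table.

```powershell
# Added example, not from the NEC guide. Run from an elevated PowerShell prompt on the
# UCE (OW5000) server. Addresses, subnets and the SQL instance name are assumptions.

$ClientSubnet = '10.10.0.0/16'    # assumed: UA5200, UC700 and Log Viewer workstations
$PbxAddress   = '10.20.1.5'       # assumed: the PBX
$DbToolHost   = '10.10.5.20'      # assumed: the only workstation allowed to run DB Tool remotely
$InstanceName = 'SQLEXPRESS'      # assumed: SQL Server Express named instance ('MSSQLSERVER' for a default instance)

# 1. Default-deny inbound on all profiles; outbound stays open.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null

# 2. Inbound allow rules, a representative subset of the table. Add the remaining rows,
#    plus configurable ports such as the Access Server listen port, in the same shape.
$Rules = @(
    @{ Name = 'OW5000 OAI Monitor';          Proto = 'TCP'; Port = '5690';        Remote = $ClientSubnet },
    @{ Name = 'OW5000 SQL Server';           Proto = 'TCP'; Port = '1433';        Remote = $DbToolHost },
    @{ Name = 'OW5000 SQL Browser TCP';      Proto = 'TCP'; Port = '1434';        Remote = $DbToolHost },
    @{ Name = 'OW5000 SQL Browser UDP';      Proto = 'UDP'; Port = '1434';        Remote = $DbToolHost },
    @{ Name = 'OW5000 Access Server (PBX)';  Proto = 'UDP'; Port = '111';         Remote = $PbxAddress },
    @{ Name = 'OW5000 AMS';                  Proto = 'TCP'; Port = '5425';        Remote = $ClientSubnet },
    @{ Name = 'OW5000 Java OAI Server';      Proto = 'TCP'; Port = '44000-44099'; Remote = $ClientSubnet },
    @{ Name = 'OW5000 UA5200 Server';        Proto = 'TCP'; Port = '5678';        Remote = $ClientSubnet },
    # TCP 445 is SMB. The guide calls it optional (client logging); if you open it at all,
    # keep it scoped to the client subnet, never to "any".
    @{ Name = 'OW5000 client logging (SMB)'; Proto = 'TCP'; Port = '445';         Remote = $ClientSubnet }
)
foreach ($r in $Rules) {
    # Delete any existing copy first so the script can be re-run without duplicating rules.
    netsh advfirewall firewall delete rule name="$($r.Name)" | Out-Null
    netsh advfirewall firewall add rule name="$($r.Name)" dir=in action=allow protocol=$($r.Proto) localport=$($r.Port) remoteip=$($r.Remote) profile=any | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to add firewall rule '$($r.Name)'" }
}

# 3. Pin SQL Server Express to TCP 1433 so the single static rule above covers it, and
#    enable the TCP/IP protocol, which Express leaves disabled after installation.
$sqlRoot    = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$instanceId = (Get-ItemProperty "$sqlRoot\Instance Names\SQL").$InstanceName   # e.g. MSSQL10.SQLEXPRESS
$tcpKey     = "$sqlRoot\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp"
Set-ItemProperty -Path $tcpKey         -Name Enabled         -Value 1
Set-ItemProperty -Path "$tcpKey\IPAll" -Name TcpDynamicPorts -Value ''        # blank = no dynamic port
Set-ItemProperty -Path "$tcpKey\IPAll" -Name TcpPort         -Value '1433'
Restart-Service -Name "MSSQL`$$InstanceName" -Force                           # the change applies on restart

# 4. Services the guide says must not be enabled on the OW5000 server.
#    Service names: WINS, DHCPServer, SMTPSVC (IIS SMTP), MSFTPSVC (IIS 6 FTP), ftpsvc (IIS 7.5 FTP).
foreach ($svc in 'WINS', 'DHCPServer', 'SMTPSVC', 'MSFTPSVC', 'ftpsvc') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
        Write-Host "Disabled service $svc"
    }
}

# 5. The guide says the OW5000 install fails on a Domain Controller.
#    Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
if ((Get-WmiObject -Class Win32_ComputerSystem).DomainRole -ge 4) {
    Write-Warning 'This machine is a Domain Controller: do not install OW5000 or SQL Server on it.'
}
```

Verify the result with "netsh advfirewall firewall show rule name=all" and, after the SQL service restart, with "netstat -ano | findstr 1433" on the server; the SQL Browser rules (UDP 1434) are still needed by clients that address the instance by name rather than by port.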


3-1 Securing the Operating System

Chapter Topics

This chapter provides recommendations to secure the Windows Server 2003, Windows Server 2008, Windows XP, Windows Vista, and Windows 7 operating systems.
• Server Administration
• IIS Configuration
• Virus Detection
• Intrusion Detection

Server Administration

Follow the recommendations below to keep your operating system secure. NEC recommends the following basic server administration policies:
• Enable the Windows Update service to receive Critical Update and Security Patch notices.
• Enforce strong passwords.
• Disable and delete user accounts as they become inactive.
• In Computer Management, uncheck "Password never expires" for the OW5000 accounts and for customer-maintained accounts, so that the passwords on those accounts expire.
• Restrict remote access to administrators.
• Restrict anonymous access: select Administrative Tools > Local Security Policy > Security Settings > Local Policies > Security Options, and set "Additional restrictions for anonymous connections" to "No access without explicit anonymous permissions". On Windows Server 2003 and later the same intent is expressed by the settings "Network access: Do not allow anonymous enumeration of SAM accounts and shares" (Enabled) and "Network access: Let Everyone permissions apply to anonymous users" (Disabled).

REFERENCE
For more information on securing the operating system, go to http://www.microsoft.com. Keywords: Patch, Patch Management, Security, Securing your Web Server.

TIP
128-bit encryption is available in a limited number of countries. Check with your network or system administrator to determine whether 128-bit encryption is available in your area.


IIS Configuration

Many applications in UCE use web services.

CAUTION
Enabling SSL at the IIS web site level may inadvertently impact other applications. It is nevertheless best practice to secure any web service over which user credentials are passed from clients to the UCE server.

The following products provide instructions for securing their web services with SSL in their installation guides:
• UNIVERGE UC700
• UNIVERGE MC550
Refer to each product's installation guide for instructions on enabling and requiring SSL for these services.

REFERENCE
For more information on IIS, go to http://www.microsoft.com. Keywords: How to setup SSL on a Web Server, Securing your Web Server.

Service Accounts

Failure to secure a service account enables an attacker to gain administrative access to the web server and possibly to the network.

To increase service account security, the following recommendations apply:
• Create all Windows accounts with the lowest possible privileges
• Give administrative accounts a user name other than "administrator"
• Disable the Windows Guest account
• Set the appropriate permissions for the IUSR_machinename account
• Remove or disable unused Windows accounts
• Remove descriptions that refer to account privileges
• Rename the default Administrator account, or remove privileges from it
• Enforce policies that limit administrative access to two accounts

TIP
The IUSR_machinename account is used to permit anonymous access to a web site installed on the web server. When the IUSR_machinename account is configured incorrectly, users cannot access the web site.

REFERENCE
For more information on service accounts, go to http://www.microsoft.com. Keywords: Service Accounts, Permissions, Security.
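The following script is an added example, not part of the NEC guide, covering both the Server Administration list on the previous page and the Service Accounts list above: it turns on the Windows Update service, sets a local password policy, applies the anonymous-access restrictions, then audits the local accounts and the Administrators and Remote Desktop Users groups. It uses the WinNT ADSI provider so that it runs on Windows Server 2003/2008 and XP/Vista/7 without the newer Get-LocalUser cmdlets. The thresholds (8-character minimum, 90-day maximum age, 90 days of inactivity, 5 remembered passwords) are assumptions for the example; the guide only asks for strong, expiring passwords and for inactive accounts to be disabled.

```powershell
# Added example, not from the NEC guide. Run from an elevated PowerShell prompt.
# Thresholds below are assumptions; adjust them to your own policy.

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ADS_UF_ACCOUNTDISABLE     = 0x2        # userAccountControl flag: account disabled
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000    # userAccountControl flag: "Password never expires"

# 1. Windows Update service enabled and running.
Set-Service -Name wuauserv -StartupType Automatic
Start-Service -Name wuauserv

# 2. Local password policy: minimum length, maximum age, password history.
net accounts /minpwlen:8 /maxpwage:90 /uniquepw:5 | Out-Null

# 3. Anonymous restrictions. RestrictAnonymous=1 and RestrictAnonymousSAM=1 correspond to
#    "Network access: Do not allow anonymous enumeration of SAM accounts (and shares)";
#    EveryoneIncludesAnonymous=0 is "Let Everyone permissions apply to anonymous users" disabled.
Set-ItemProperty -Path $Lsa -Name RestrictAnonymous         -Value 1 -Type DWord
Set-ItemProperty -Path $Lsa -Name RestrictAnonymousSAM      -Value 1 -Type DWord
Set-ItemProperty -Path $Lsa -Name EveryoneIncludesAnonymous -Value 0 -Type DWord

# 4. Walk the local user accounts.
$Computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$Cutoff   = (Get-Date).AddDays(-90)
foreach ($u in ($Computer.Children | Where-Object { $_.SchemaClassName -eq 'user' })) {
    $name     = [string]$u.Name
    $flags    = [int]$u.UserFlags.Value
    $sid      = (New-Object System.Security.Principal.SecurityIdentifier($u.objectSid.Value, 0)).Value
    $disabled = ($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0

    # Guest (RID 501): disable it.
    if ($sid -like '*-501' -and -not $disabled) {
        $u.Put('UserFlags', $flags -bor $ADS_UF_ACCOUNTDISABLE)
        $u.SetInfo()
        Write-Host "Disabled guest account '$name'"
        continue
    }
    # Built-in administrator (RID 500) should no longer be called Administrator.
    if ($sid -like '*-500' -and $name -eq 'Administrator') {
        Write-Warning "The built-in administrator account has not been renamed"
    }
    # "Password never expires" is the setting the guide says to uncheck.
    if (-not $disabled -and (($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)) {
        Write-Warning "'$name' has 'Password never expires' set"
    }
    # Descriptions that reveal privileges help an attacker choose targets.
    if ([string]$u.Description -match 'admin|privileg') {
        Write-Warning "'$name' has a description that reveals its privileges: $([string]$u.Description)"
    }
    # Inactive accounts: never logged on, or not logged on for 90 days.
    $last = $null
    try { $last = [datetime]$u.LastLogin.Value } catch { }   # throws when the account never logged on
    if (-not $disabled -and $sid -notlike '*-500' -and ($last -eq $null -or $last -lt $Cutoff)) {
        Write-Warning "'$name' is inactive (last logon: $last); disable or delete it"
    }
}

# 5. Administrative access limited to two accounts; remote access limited to administrators.
function Get-LocalGroupMemberName([string]$Group) {
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($g.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}
$admins = @(Get-LocalGroupMemberName 'Administrators')
if ($admins.Count -gt 2) {
    Write-Warning "Administrators group has $($admins.Count) members: $($admins -join ', ')"
}
$rdp = @(Get-LocalGroupMemberName 'Remote Desktop Users')
if ($rdp.Count -gt 0) {
    Write-Warning "Non-administrators with Remote Desktop access: $($rdp -join ', ')"
}
```

The script changes only the low-risk items itself (Windows Update, password policy, anonymous restrictions, the Guest account) and reports the rest, because renaming the built-in administrator or disabling a service account that an OW5000 component still uses must be coordinated with the application owner.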


Virus Detection

Maintaining a secure environment means scanning for viruses regularly. Most anti-virus software can download signature updates automatically and run scans at preset intervals.

Scan your systems nightly to reduce the chance of infection. Because good security is layered security, always keep the anti-virus protection up to date and schedule nightly downloads of patches and updates.

Intrusion Detection

Intrusion detection software analyzes network traffic for known attack signatures and other signs of intrusion. To increase network security, closely monitor your network and use intrusion detection software.


4-1 Securing the Database

Chapter Topics

The database is a vital component of the OW5000 System and of your organization. Sensitive data about users, phones, and hardware is stored in the database, and an attacker can use this data to launch further attacks against your organization.

Any database server that is not kept up to date with the latest security patches and critical updates can be compromised by a worm. A worm exploits vulnerabilities in the database software and can cripple your network and render your hardware unusable (SQL Slammer, which spread through unpatched SQL Server 2000 and MSDE instances over UDP port 1434, is the classic example). To avoid this type of attack, check nightly for software updates and enforce strong passwords for all system administrator accounts.

The OW5000 supports the following SQL Servers:
• Microsoft SQL Server 2005 Express Edition SP2 or later
• Microsoft SQL Server 2005 Standard Edition SP2 or later
• Microsoft SQL Server 2008 Express Edition SP1
• Microsoft SQL Server 2008 Standard Edition SP1

This chapter covers:
• SQL Installation and Settings
• Backup and Recovery

SQL Installation and Settings

System Administrator (sa) Passwords

The System Administrator (sa) password is the main line of defense against attackers and malicious software. Freely available tools guess sa passwords by trying combinations of common words and numbers (dictionary and brute-force attacks) until the server accepts one. Complex passwords are much harder to guess. Never, under any circumstances, use a blank sa password.

IMPORTANT
Never use example passwords found in installation manuals. For instance, do not use the example sa password, Ow5000db1!, found in the OW5000 Installation Guide.


IMPORTANT
A strong password is defined as a password containing eight or more characters, including at least one number or one special character. Treat this as the minimum. Enforce strong passwords for SQL logins, and also for the Windows accounts used with Windows Authentication; enabling CHECK_POLICY on a SQL login makes the server's Windows password policy apply to it as well.

REFERENCE
For more information on MSDE security, go to http://www.microsoft.com. Keywords: Worm, MSDE, Database.

IMPORTANT
IM (Instant Messaging) histories are stored in plain text in the database, so only trusted individuals should have the password.

Authentication
• Mixed Mode Authentication is required for the OW5000 database instance.

Post Installation

The following post-installation procedures are recommended:
• Immediately after SQL Server 2005/2008 is installed, download and install the latest security patches and critical updates.
• Test security patches internally to understand their impact on your IT systems.
• Remove BUILTIN\Administrators from the sysadmin server role (in SQL Server Management Studio: Security > Server Roles > sysadmin). Make sure another sysadmin login exists first, or you will lock yourself out of the instance.
• Delete all sample databases.

Service Accounts
• Create SQL service accounts with the lowest possible privileges.

Securing the File System

As with most web applications, the web configuration files store user names, passwords, and other data required to configure the web server in clear text. To protect the information in these files, and the database data and log files, store the data and log files on a disk volume separate from the server system files, and restrict the NTFS permissions on them to the service accounts that need access.
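The following script is an added example, not part of the NEC guide, that carries out the sa-password and Post Installation checks above against the OW5000 instance through sqlcmd.exe with Windows authentication. The instance name ".\SQLEXPRESS" and the sample database names are assumptions (use "." for a default instance); the T-SQL runs on SQL Server 2005 and 2008. Run it from an elevated prompt on the database server while your Windows account is still a sysadmin, because step 4 removes the BUILTIN\Administrators route.

```powershell
# Added example, not from the NEC guide. Instance name is an assumption.
$Instance = '.\SQLEXPRESS'

function Invoke-Tsql([string]$Query) {
    # -E Windows auth, -b exit non-zero on SQL error, -h -1 no header, -W trim padding
    $out = & sqlcmd -S $Instance -E -b -h -1 -W -Q "SET NOCOUNT ON; $Query" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed: $out" }
    $out | ForEach-Object { "$_".Trim() } | Where-Object { $_ -ne '' }
}

# 1. OW5000 requires Mixed Mode; 1 here means Windows-only and the OW5000 services cannot log in.
if ((Invoke-Tsql "SELECT SERVERPROPERTY('IsIntegratedSecurityOnly')") -eq '1') {
    Write-Warning 'Instance is Windows Authentication only; OW5000 requires Mixed Mode'
}

# 2. No SQL login may have a blank password, sa least of all. PWDCOMPARE tests a
#    clear-text candidate against the stored hash, so the password itself is never needed.
$blank = Invoke-Tsql "SELECT name FROM sys.sql_logins WHERE PWDCOMPARE('', password_hash) = 1"
foreach ($login in $blank) { Write-Warning "SQL login '$login' has a BLANK password; change it now" }

# 3. Apply the Windows password policy and expiration to sa. This fails if sa's current
#    password does not already satisfy the policy, which is itself a finding.
try   { Invoke-Tsql "ALTER LOGIN sa WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON" | Out-Null }
catch { Write-Warning "Could not enforce password policy on sa: $_" }

# 4. BUILTIN\Administrators must not be a sysadmin, otherwise every local administrator
#    owns the data. Refuse to remove it while it is the only enabled sysadmin.
$others = Invoke-Tsql @"
SELECT COUNT(*) FROM sys.server_role_members rm JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id WHERE r.name = 'sysadmin' AND m.is_disabled = 0 AND m.name <> 'BUILTIN\Administrators'
"@
if ([int]$others -lt 1) {
    Write-Warning 'BUILTIN\Administrators is the only enabled sysadmin; create a dedicated DBA login before removing it'
} else {
    Invoke-Tsql "IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = 'BUILTIN\Administrators') EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin'" | Out-Null
}

# 5. Delete sample databases (names are the Microsoft samples of that era; assumption).
foreach ($db in 'pubs', 'Northwind', 'AdventureWorks', 'AdventureWorksDW') {
    Invoke-Tsql "IF DB_ID('$db') IS NOT NULL DROP DATABASE [$db]" | Out-Null
}

# 6. Lowest-privilege service accounts: flag SQL services still running as LocalSystem.
Get-WmiObject Win32_Service -Filter "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%' OR Name = 'SQLBrowser'" |
    ForEach-Object {
        if ($_.StartName -eq 'LocalSystem') {
            Write-Warning "$($_.Name) runs as LocalSystem; use a dedicated low-privilege account"
        }
    }
```

Re-run the script after patching: a service pack can re-create a sample database or reset a service account, and the blank-password query is cheap enough to run from a scheduled task as a standing check.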


Backup and Recovery

Backup and recovery plans are important. A well-developed plan will aid recovery from a virus or an attack.

Schedule regular backups of important files and, if possible, keep a copy in a separate location in case of fire, flood, or other disaster.

The following recommendations apply:
• Develop a solid plan to recover from a virus or attack.
• Back up the OW5000 System after an upgrade, service pack, or patch.
• Test your backup and recovery plan.

Backup and Restore the Database

Use SQL Server Management Studio to run regular backups of the OW5000 database. With the Standard Edition, these backups can also be scheduled to run automatically through SQL Server Agent; Express Edition has no SQL Server Agent, so schedule backups with Windows Task Scheduler or the OW5000 Database Backup feature instead.

For more detailed information about the backup process, refer to the Database Operation section of the OW5000 Configuration Guide. You can also use the OW5000 Database Backup feature for a scheduled backup; refer to the Schedule Configuration section of the OW5000 Configuration Guide.
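The following script is an added example, not part of the NEC guide or of the OW5000 Database Backup feature: a nightly full backup through sqlcmd that verifies the backup file before keeping it and prunes old copies, so that it also works on Express Edition, which has no SQL Server Agent. The instance name, the database name "OW5000", the backup folder and the retention period are assumptions; check the OW5000 Configuration Guide for the real database name.

```powershell
# Backup-OW5000.ps1: added example, not from the NEC guide. All defaults are assumptions.
param(
    [string]$Instance  = '.\SQLEXPRESS',   # SQL Server instance ('.' for a default instance)
    [string]$Database  = 'OW5000',         # OW5000 database name (assumption)
    [string]$BackupDir = 'D:\SQLBackup',   # separate volume from the system and data files
    [int]   $KeepDays  = 14                # local retention; copy off-site separately
)

function Invoke-Backup([string]$Instance, [string]$Database, [string]$BackupDir, [int]$KeepDays) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd_HHmm'
    $file  = Join-Path $BackupDir "$Database`_$stamp.bak"

    # CHECKSUM makes SQL Server validate each page as it writes the backup, so a damaged
    # database is noticed tonight rather than on the day of the restore. INIT overwrites
    # the file if it exists; -b makes sqlcmd exit non-zero on any SQL error.
    & sqlcmd -S $Instance -E -b -Q "BACKUP DATABASE [$Database] TO DISK = N'$file' WITH INIT, CHECKSUM"
    if ($LASTEXITCODE -ne 0) { throw "Backup of $Database on $Instance failed" }

    # A backup that cannot be read back is not a backup: verify before trusting it.
    & sqlcmd -S $Instance -E -b -Q "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM"
    if ($LASTEXITCODE -ne 0) { Remove-Item $file -ErrorAction SilentlyContinue; throw "Backup file $file failed verification" }

    # Prune local copies older than the retention period.
    Get-ChildItem -Path $BackupDir -Filter "$Database`_*.bak" |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
        Remove-Item

    Write-Host "Backup written and verified: $file"
    return $file
}

Invoke-Backup -Instance $Instance -Database $Database -BackupDir $BackupDir -KeepDays $KeepDays
```

Schedule it nightly from an elevated prompt with, for example, schtasks /Create /TN "OW5000 DB backup" /SC DAILY /ST 02:00 /RU OW5000\svc-sqlbackup /RP * /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File D:\SQLBackup\Backup-OW5000.ps1" (account name assumed; "/RP *" prompts for the password instead of putting it on the command line). Give that account only the db_backupoperator role on the database and write access to the backup folder, not sysadmin, and test a full restore onto a spare instance as part of the recovery plan the guide asks you to exercise.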




For additional information or support on this NEC Corporation product, contact your NEC Corporation representative.


NEC Corporation
UC for Enterprise (UCE) Application Platform (UNIVERGE OW5000) System Security Guidelines
NDA-30560, Revision 7
