Security Guide for Cisco Unified ICM/Contact Center Enterprise, Release 12.6(2) - Strengthening Windows Security [Cisco Unified Contact Center Enterprise 12.6(2)] (2023)

  • Windows security protection
  • Windows Server Hardening
  • Cisco Unified Contact Center Enterprise Security Protection for Windows Server

Windows Server Hardening

As a best practice, we recommend using the Microsoft Security Baseline and CIS Benchmarks to configure ICM servers securely. Use the latest Microsoft security baseline and CIS Level 1 reference profile to reduce the attack surface without impacting functionality and performance.

Apply the security policy in the form of a Group Policy Object (GPO) on a separate organizational unit (OU) that contains ICM servers. Name the OU Cisco_ICM_Servers (or a similar, clearly identifiable name) and be sure to name these servers in accordance with your corporate policy.

Create this OU at the same level as the Computers container or the Cisco Unified ICM Root OU. If you are not familiar with Active Directory, ask your domain administrator for help with Group Policy deployments.

After you apply the security policy at the OU level, block other policies from being inherited by the Unified ICM/Unified Contact Center Enterprise Servers OU. Block inheritance is an OU-level configuration option, and it can be overridden by selecting the Enforced/No Override option at a higher level of the hierarchy. Group policy enforcement should follow a thoughtful design that starts with the lowest common denominator. These group policies must be restrictive at the appropriate level of the hierarchy.

Cisco Unified Contact Center Enterprise Security Protection for Windows Server

This section describes the security baseline needed to harden Windows servers running ICM servers. This security baseline is essentially a collection of Microsoft Group Policy settings based on the Microsoft Security Baseline and the CIS Level 1 Reference Profile.

To apply the security baseline on the domain controller, complete the following steps:

  1. Download the security hardening templates applicable to the respective version of Windows from the Microsoft and CIS Benchmark URLs. You can download these templates from https://www.microsoft.com/en-us/download/details.aspx?id=55319 and https://workbench.cisecurity.org/files?q=&tags=3.

  2. Install the latest Administrative Templates (ADMX) for Windows Server. These templates can be downloaded from the Microsoft website at https://www.microsoft.com/en-us/download/details.aspx?id=103667. You can install the .msi installer on any Windows node as per your IT policy. The Windows server can be an ICM node, a non-ICM node, or a domain controller.

  3. Navigate to the installed location of Administrative Templates. Copy the template files listed below to the SYSVOL folder on the domain controller.

    • Copy the *.admx files from the PolicyDefinitions folder to \\SYSVOL\Policies\PolicyDefinitions

    • Copy the *.adml files from the PolicyDefinitions folder to \\SYSVOL\Policies\PolicyDefinitions\en-US

      Note

      The domain controller automatically copies the admx and adml files to all domain-joined machines.

      Select the applicable language code (en-US) based on your deployment configuration.

      Create the PolicyDefinitions folder if it does not exist.

  4. Create a group policy object on the domain controller using the Group Policy Management console and import the respective policy using the Import Settings wizard in the console as detailed below. This can be done directly on the ICM nodes as per IT policy.

    • The downloaded Microsoft Baseline (see step 1) has a Group Policy Object (GPO) for Windows Client, Windows Server, Common GPO for Client and Server, Domain Controller, and Internet Explorer. We recommend that you import specific GPOs for Windows Server, Internet Explorer, and common GPOs for client and server.

    • The downloaded CIS baseline (see Step 1) has GPOs for Domain Controller, Microsoft, and User. We recommend importing only the GPO MS-L1 and User-L1.

  5. Create the custom GPO on the domain controller to override the policies described in "Security baseline policy exception for ICM" and import the custom exception GPO using the Import Settings wizard in the console. You can manually override policies directly on the ICM nodes based on IT policy.

  6. Make sure that the imported exception policy (see Step 5) has the highest priority, so that the exception policy is applied after the Microsoft and CIS policies are applied.

    Note

    Step 6 only applies to domain controllers.

  7. Create the organizational unit Cisco_ICM_Servers (or a similar identifiable name) under the domain. Assign all ICM machines to this OU. You can perform this step at any time, even before you perform step 1.

  8. Link the created GPO (see Step 4 and Step 5) to the created OU (see Step 7).

  9. Restart the ICM servers in the OU or run the gpupdate command on the respective target ICM nodes to apply the security baseline.
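
Steps 3 to 9, together with the block-inheritance setting described under Windows Server Hardening, can be scripted with the GroupPolicy and ActiveDirectory PowerShell modules. The script below is an added example, not part of the Cisco guide. The source folders, the Microsoft backup names and the exception GPO name are placeholders, and it assumes that all GPO backups sit in one folder and that the central store is at the standard SYSVOL location for the domain.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example, not Cisco's script. Values marked "placeholder" are assumptions.
$admxSource   = 'C:\Temp\PolicyDefinitions'  # placeholder: installed ADMX folder (step 3)
$backupRoot   = 'C:\Temp\BaselineBackups'    # placeholder: folder with all GPO backups
$exceptionGpo = 'ICM-Baseline-Exceptions'    # placeholder: custom exception GPO (step 5)
$baselineGpos = @(
    '<Microsoft Windows Server GPO backup name>',     # placeholder
    '<Microsoft Internet Explorer GPO backup name>',  # placeholder
    'MS-L1', 'User-L1'                                # CIS GPOs named in step 4
)
$ouName = 'Cisco_ICM_Servers'
$domain = Get-ADDomain
$ouDn   = "OU=$ouName,$($domain.DistinguishedName)"

# Step 3: copy templates to the central store, creating it if it does not exist.
# Assumption: the store sits at the standard \\<domain>\SYSVOL\<domain>\Policies path.
$store = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\PolicyDefinitions"
New-Item -ItemType Directory -Path "$store\en-US" -Force | Out-Null
Copy-Item "$admxSource\*.admx" -Destination $store -Force
Copy-Item "$admxSource\en-US\*.adml" -Destination "$store\en-US" -Force

# Steps 4 and 5: create each GPO and import its settings from the backup.
foreach ($name in $baselineGpos + $exceptionGpo) {
    Import-GPO -BackupGpoName $name -Path $backupRoot -TargetName $name -CreateIfNeeded | Out-Null
}

# Step 7: create the OU directly under the domain if it is missing.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domain.DistinguishedName -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# Step 8: link the baselines, then the exception GPO at link order 1.
# Link order 1 is processed last, so its settings win (step 6).
foreach ($name in $baselineGpos) {
    New-GPLink -Name $name -Target $ouDn -LinkEnabled Yes | Out-Null
}
New-GPLink -Name $exceptionGpo -Target $ouDn -LinkEnabled Yes -Order 1 | Out-Null

# Block inheritance so policies linked higher up do not reach this OU.
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# Step 9: schedule a policy refresh on every computer already in the OU.
Get-ADComputer -Filter * -SearchBase $ouDn |
    ForEach-Object { Invoke-GPUpdate -Computer $_.DNSHostName -Force -RandomDelayInMinutes 0 }

# Check: list the resulting link order on the OU.
(Get-GPInheritance -Target $ouDn).GpoLinks | Sort-Object Order |
    Select-Object Order, DisplayName, Enabled
```

The final command should show the exception GPO at order 1; New-GPLink fails if a link already exists, so adjust an existing link with Set-GPLink instead of rerunning the script.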

Security baseline policy exception for ICM

The following CIS reference policies affect the functionality of ICM.

The recommended values (described in the table below) should be used for exception policies to override the CIS recommended values.

| Policy | CIS/Microsoft Baseline | Recommended configuration | Comments |
|---|---|---|---|
| Make sure 'Run Volume Maintenance Tasks' is set to 'Administrators' | CIS | Administrators, NT Service/MSSQLServer | The ICM database engine runs as the MSSQLSERVER service. The service uses the NT SERVICE/MSSQLSERVER login to connect to the database engine. This policy affects this connectivity, so include NT SERVICE/MSSQLSERVER in the setting in addition to Administrators. |
| Make sure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' | CIS | Yes | This setting has an impact on the operations of duplex CCE systems. For example, it affects the private interface between the duplex router process. |
| Make sure 'Configure attack surface reduction rules' is set to 'On' | CIS | Disabled | This policy affects the functionality of the CCE. For example, the installation of patches is affected, and applications such as snmp and msgagent are blocked. You can enable this only after configuring the appropriate rules in the setting Configure Attack Surface Reduction Rules - Set the state for each ASR rule. This includes adding trusted/known applications with path to the exception list. The list of affected applications differs, so the recommendation is to set the value to Disabled. |
| Make sure 'Select when preview builds and feature updates are received' is set to 'On: Semi-Annual Channel, 180 days or older' | CIS | Disabled | Automatic updates break functionality during automatic reboots. |
| Make sure 'Select when receiving quality updates' is set to 'On: 0 days' | CIS | Disabled | Automatic updates break functionality during automatic reboots. |
| Make sure 'Configure automatic updates' is set to 'On' | CIS | Disabled | Automatic updates break functionality during automatic reboots. |
| Make sure 'No auto restart with logged in users for scheduled automatic update installations' is set to 'Disabled' | CIS | Enabled | Automatic updates break functionality during automatic reboots. |
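
One way to confirm that the user-rights exception from the first row of this table reached an ICM server after policy refresh is to export the effective user rights and compare them with the expected accounts. This is an added example, not part of the Cisco guide; the function names are hypothetical, SeManageVolumePrivilege is the Windows constant for the volume maintenance right, and the account is written in its Windows form NT SERVICE\MSSQLSERVER.

```powershell
# Added example: audit a user right on an ICM server (run elevated).
function Get-UserRightEntries {
    param([Parameter(Mandatory)][string]$Right)
    # Export only the user-rights area of the effective local security policy.
    $cfg = Join-Path $env:TEMP 'icm-user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item $cfg -Force
    if (-not $line) { return @() }
    # Entries are SIDs prefixed with '*', or plain names when a SID did not resolve.
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-UserRight {
    param([Parameter(Mandatory)][string]$Right,
          [Parameter(Mandatory)][string[]]$ExpectedAccounts)
    $granted = Get-UserRightEntries -Right $Right
    $missing = foreach ($account in $ExpectedAccounts) {
        # Translate the account name to its SID; fails if the account does not exist.
        $sid = [System.Security.Principal.NTAccount]::new($account).
            Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -notin $granted -and $account -notin $granted) { $account }
    }
    [pscustomobject]@{
        Right     = $Right
        Granted   = $granted -join ', '
        Missing   = @($missing) -join ', '
        Compliant = (@($missing).Count -eq 0)
    }
}

# 'Run Volume Maintenance Tasks' must keep the SQL Server service account.
Test-UserRight -Right 'SeManageVolumePrivilege' `
    -ExpectedAccounts 'BUILTIN\Administrators', 'NT SERVICE\MSSQLSERVER'
```

A non-empty Missing column means a baseline GPO is overriding the exception GPO, which points back to the link order in step 6.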

The following policies are optional. You can enable these policies based on IT policy after carefully considering the comments column.

| Policy | CIS/Microsoft Baseline | Recommended configuration | Comments |
|---|---|---|---|
| Make sure 'Allow local login' is set to 'Administrators' | CIS | BUILTIN\Users, BUILTIN\Administrators | After applying the policy, domain-only accounts cannot log in to the machine and perform operations. We recommend that you add BUILTIN\Users and BUILTIN\Administrators. You can enable this policy based on your IT policy and operational requirements. |
| Make sure 'Deny access to this computer from the network' to include 'Guests, local account, and Administrators group membership' (MS only) | CIS | Guests | This policy may have operational impacts specifically for day 0/1 activities. We recommend setting the value to Guests. You can override this policy based on IT policy and operational requirements. |
| Make sure 'Deny logon via Remote Desktop Services' is set to 'Guests, local account' (MS only) | CIS | Guests | This policy may have operational impacts specifically for day 0/1 activities. We recommend that you set the value to Guests. You can override this policy based on IT policy and operational requirements. |
| 'Prevent ignoring certificate errors' will be set to 'On' | Microsoft | Disabled | CCE web applications, such as Websetup, cannot be accessed through Internet Explorer. Access to these web applications with other supported browsers, such as Mozilla Firefox and Google Chrome, will not be affected by this policy. We recommend setting the value to Disabled. |
| 'Enable Enhanced Protected Mode' to be set to 'On' | Microsoft | Disabled | CCE web applications, such as Websetup, cannot be accessed through Internet Explorer. Access to these web applications with other supported browsers, such as Mozilla Firefox and Google Chrome, will not be affected by this policy. We recommend setting the value to Disabled. |
| Make sure 'Accounts: Admin Account Status' is set to 'Disabled' (MS only) | CIS | Enabled | This policy has operational impacts. For example, if a member server leaves the domain for any reason, with this policy in place, we must use the deprecated safe mode login to add the member server back to the domain. Other operations will also have a similar impact. |

Enable the following policies after installing the ICM server. See the Comments column for observed deviations.

| Policy | CIS/Microsoft Baseline | Recommended configuration | Comments |
|---|---|---|---|
| Make sure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' | CIS | Administrators, Local Service, Network Service | The default IIS user IIS Application Pool\DefaultAppPool is automatically added to this policy after the IIS services are started. However, CIS benchmark checks flag this policy as unsupported due to the presence of the IIS default user. |
| Make sure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' | CIS | Local Service, Network Service | The default IIS user IIS Application Pool\DefaultAppPool is automatically added to this policy after the IIS services are started. However, CIS benchmark checks flag this policy as unsupported due to the presence of the IIS default user. |
| Make sure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' | CIS | Local Service, Network Service | The default IIS user IIS Application Pool\DefaultAppPool is automatically added to this policy after the IIS services are started. However, CIS benchmark checks flag this policy as unsupported due to the presence of the IIS default user. |
Note

CIS benchmark versions 1.2.1 for Windows Server 2019 and 1.3.0 for Windows Server 2016, Microsoft Windows Server 2019 Baseline version 1809, and Microsoft Windows Server 2016 Baseline version 1607 are validated. Before applying a higher version of the CIS or Microsoft benchmark, review the additional policies introduced in the new version for their impact on ICM functionality and performance. We recommend that GPOs be tailored to the needs of your organization. We recommend deploying the GPOs to a small group of systems, preferably in a lab environment, before deploying them to production.

In addition to the GPO settings, disable the following settings on Windows Server:

  • NetBIOS

  • SMBv1
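
Both settings can be audited and turned off from an elevated PowerShell session on each server. The function below is an added example, not part of the Cisco guide; its name is hypothetical, and it uses the SMB server configuration cmdlets and the SetTcpipNetbios method of Win32_NetworkAdapterConfiguration, where the value 2 disables NetBIOS over TCP/IP.

```powershell
# Added example: disable the SMBv1 server protocol and NetBIOS over TCP/IP,
# then report the resulting state. Run elevated on each ICM server.
function Disable-LegacyNameAndFileProtocols {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # SMBv1: turn off the server-side protocol if it is still enabled.
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol -and
        $PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # NetBIOS: TcpipNetbiosOptions 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in ($adapters | Where-Object TcpipNetbiosOptions -ne 2)) {
        if ($PSCmdlet.ShouldProcess($nic.Description, 'Disable NetBIOS over TCP/IP')) {
            $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
            # 0 = success, 1 = success but a reboot is required.
            if ($result.ReturnValue -notin 0, 1) {
                Write-Warning "$($nic.Description): SetTcpipNetbios returned $($result.ReturnValue)"
            }
        }
    }

    # Re-read the state so the report reflects what is actually configured.
    [pscustomobject]@{
        Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        NetbiosEnabledOn  = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            Where-Object TcpipNetbiosOptions -ne 2 |
            ForEach-Object Description) -join '; '
    }
}

# Preview the changes first, then apply them.
Disable-LegacyNameAndFileProtocols -WhatIf
Disable-LegacyNameAndFileProtocols
```

After a successful run, Smb1ServerEnabled is False and NetbiosEnabledOn is empty.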

Article information

Author: Edwin Metz

Last Updated: 14/11/2023
