Chapter 5: Automated Security Hardening Settings on Windows Server 2003 Local Policies

Note: MSS settings are not displayed by default in the Local Security Policy or Security Templates snap-in. Manual configuration is required to implement them.

Value: 8.0(1)                                                        Setting
(value and setting name not shown on this page)                      Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)
Enabled                                                              MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)
20000                                                                MSS: (AFD MaximumDynamicBacklog) Maximum number of 'quasi-free' connections for Winsock applications
20                                                                   MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for systems under attack, 10 otherwise)
Disabled                                                             MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
Disabled                                                             MSS: (AutoShareWks) Enable Administrative Shares (not recommended except for highly secure environments)
Highest Protection, source routing is automatically disabled         MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
Enabled                                                              MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)
Disabled                                                             MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
Disabled                                                             MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
Disabled                                                             MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU)
Not Defined (not recommended except for highly secure environments)  MSS: (Hidden) Hide Computer From the Browse List
300000 or 5 minutes (recommended)                                    MSS: (KeepAliveTime) How often keep-alive
Not Defined                                                          MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended)
255, disable autorun for all drives                                  MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives
Enabled                                                              MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
Disabled                                                             MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames
Disabled                                                             MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)
Enabled                                                              MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
0                                                                    MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Connections time out sooner if a SYN attack is detected by the server  MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
3 & 6 seconds, half-open connections dropped after 21 seconds        MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
3                                                                    MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
5                                                                    MSS: (TCPMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended)
90%                                                                  MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
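Each MSS entry in the table is written to the registry when the template is applied, so the practical check after running the hardening script is to read those registry values back and compare them with the table. The following PowerShell script is an added example written for this page; it is not part of Cisco's ICMSecurityHardening tooling. It assumes PowerShell 2.0 is installed on the Windows Server 2003 host and runs with administrative rights. The registry key and value name used for each MSS entry are the standard locations for that entry and are an assumption of the script, since this page lists only the MSS display names; Hidden and NoDefaultExempt are Not Defined in the table and are therefore not checked.

```powershell
# Added example, not Cisco's tooling: compare the MSS registry values on this host
# with the hardening table for release 8.0(1). Requires PowerShell 2.0 on
# Windows Server 2003; run as an administrator.
# Assumption: the registry locations below are the standard ones for these
# MSS entries (the page lists only the MSS display names).

$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$afd = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Expected values from the table. AutoAdminLogon and ScreenSaverGracePeriod are
# REG_SZ and are compared as strings; all other entries are REG_DWORD.
# Numeric codes: DisableIPSourceRouting 2 = highest protection,
# SynAttackProtect 1 = time out sooner under attack,
# TcpMaxConnectResponseRetransmissions 2 = retries at 3 s and 6 s, dropped at 21 s.
$expected = @(
    @{ Path=$afd; Name='EnableDynamicBacklog';  Value=1 },
    @{ Path=$afd; Name='MaximumDynamicBacklog'; Value=20000 },
    @{ Path=$afd; Name='MinimumDynamicBacklog'; Value=20 },
    @{ Path=$wl;  Name='AutoAdminLogon';        Value='0' },
    # Server SKUs honour AutoShareServer in the same key; check both if the
    # administrative shares are still present after hardening.
    @{ Path=$srv; Name='AutoShareWks';          Value=0 },
    @{ Path=$tcp; Name='DisableIPSourceRouting'; Value=2 },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'; Name='DisableSavePassword'; Value=1 },
    @{ Path=$tcp; Name='EnableDeadGWDetect';    Value=0 },
    @{ Path=$tcp; Name='EnableICMPRedirect';    Value=0 },
    @{ Path=$tcp; Name='EnablePMTUDiscovery';   Value=0 },
    @{ Path=$tcp; Name='KeepAliveTime';         Value=300000 },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoDriveTypeAutoRun'; Value=255 },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters'; Name='NoNameReleaseOnDemand'; Value=1 },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'; Name='NtfsDisable8dot3NameCreation'; Value=0 },
    @{ Path=$tcp; Name='PerformRouterDiscovery'; Value=0 },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Name='SafeDllSearchMode'; Value=1 },
    @{ Path=$wl;  Name='ScreenSaverGracePeriod'; Value='0' },
    @{ Path=$tcp; Name='SynAttackProtect';      Value=1 },
    @{ Path=$tcp; Name='TcpMaxConnectResponseRetransmissions'; Value=2 },
    @{ Path=$tcp; Name='TcpMaxDataRetransmissions'; Value=3 },
    @{ Path=$tcp; Name='TcpMaxPortsExhausted';  Value=5 },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'; Name='WarningLevel'; Value=90 }
)

$findings = @()
foreach ($e in $expected) {
    # Get-ItemProperty writes an error and returns nothing when the value is
    # absent; an absent value means the operating-system default is in effect,
    # which for entries such as TcpMaxDataRetransmissions (default 5) is a finding.
    $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { $actual = '<missing: OS default applies>' }
    else                 { $actual = $item.($e.Name) }

    if ("$actual" -ne "$($e.Value)") {
        $findings += New-Object PSObject -Property @{
            Setting = $e.Name; Expected = $e.Value; Actual = $actual; Key = $e.Path
        }
    }
}

if ($findings.Count -eq 0) { 'All MSS values match the hardening table.' }
else { $findings | Format-Table Setting, Expected, Actual, Key -AutoSize }
```

Run the script before applying the template to record the baseline and again afterwards; any row still reported as missing is a value the template did not write, and the OS default for that entry, not the table value, is what the server is running with.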
Event Log

Value: 8.0(1)       Setting
81920 kilobytes     Maximum application log size
81920 kilobytes     Maximum security log size
81920 kilobytes     Maximum system log size
Enabled             Restrict guest access to application log
Enabled             Restrict guest access to security log
Enabled             Restrict guest access to system log
Seven days          Retain application log
Seven days          Retain security log
Seven days          Retain system log
As Needed           Retention method for application log
As Needed           Retention method for security log
As Needed           Retention method for system log
System Services

Note: The ICM Security Template modifies permissions for the Alerter and ClipBook services. The Administrators group and SYSTEM are granted full control of the Alerter and ClipBook services; all other permissions are revoked.

Settings for System Services

Startup Type   Service Name                     Full Service Name
Disabled       CORRTSvc                         .NET Framework Support Service
Disabled       Alerter                          (full service name not shown on this page)
Disabled       ALG                              Application Layer Gateway Service
Disabled       AppMgmt                          Application Management
Disabled       aspnet_state                     ASP .NET State Service
Automatic      wuauserv                         Automatic Updates
Manual         BITS                             Background Intelligent Transfer Service
Disabled       CertSvc                          Certificate Services
Disabled       NWCWorkstation                   Client Service for NetWare
Disabled       ClipSrv                          ClipBook
Disabled       ClusSvc                          Cluster Service
Manual         COMSysApp                        COM+ System Application
Automatic      EventSystem                      COM+ Event System
Disabled       Browser                          Computer Browser
Automatic      CryptSvc                         Cryptographic Services
Automatic      DcomLaunch                       DCOM Server Process Launcher
Automatic      Dhcp                             DHCP Client
Disabled       DHCPServer                       DHCP Server
Disabled       Dfs                              Distributed File System
Disabled       TrkWks                           Distributed Link Tracking Client
Disabled       TrkSvr                           Distributed Link Tracking Server
Manual         MSDTC                            Distributed Transaction Coordinator
Automatic      Dnscache                         DNS Client
Disabled       DNS                              DNS Server
Disabled       ERSvc                            Error Reporting Service
Automatic      Eventlog                         Event Log
Disabled       FastUserSwitchingCompatibility   Fast User Switching Compatibility
Disabled       Fax                              Fax Service
Disabled       NtFrs                            File Replication
Disabled       MacFile                          File Server for Macintosh
Disabled       MSFtpsvc                         FTP Publishing Service
Disabled       helpsvc                          Help and Support
Not Defined    HTTPFilter                       HTTP SSL
Disabled       HidServ                          Human Interface Device Access
Disabled       IASJet                           IAS Jet Database Access
Not Defined    IISADMIN                         IIS Admin Service
Disabled       ImapiService                     IMAPI CD-Burning COM Service
Disabled       cisvc                            Indexing Service
Disabled       Irmon                            Infrared Monitor
Disabled       IAS                              Internet Authentication Service
Automatic      SharedAccess                     Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)
Not Defined    IsmServ                          Intersite Messaging
Disabled       6to4                             IP Version 6 Helper Service
Automatic      PolicyAgent                      IPSec Policy Agent (IPSec Service)
Not Defined    Kdc                              (full service name not shown on this page)
Disabled       SALDM                            LED/LCD Manager
Disabled       LicenseService                   License Logging Service
Manual         dmserver                         Logical Disk Manager
Manual         Dmadmin                          Logical Disk Manager Administrative Service
Not Defined    msmq                             Message Queuing
Disabled       mqds                             Message Queuing Down Level Clients
Disabled       Mqtgsvc                          Message Queuing Triggers
Disabled       Messenger                        Messenger
Disabled       POP3SVC                          Microsoft POP3 Service
Manual         SwPrv                            MS Software Shadow Copy Provider
Disabled       MSSEARCH                         MSSEARCH
Disabled       MSSQL$UDDI                       MSSQL$UDDI
Disabled       MSSQLServerADHelper              MSSQLServerADHelper
Automatic      Netlogon                         Netlogon
Disabled       mnmsrvc                          NetMeeting Remote Desktop Sharing
Manual         Netman                           Network Connections
Disabled       NetDDE                           Network DDE
Disabled       NetDDEdsdm                       Network DDE DSDM
Manual         NLA                              Network Location Awareness (NLA)
Disabled       NntpSvc                          Network News Transfer Protocol (NNTP)
Disabled       xmlprov                          Network Provisioning Service
Automatic      NtLmSsp                          NTLM Security Support Provider
Manual         SysmonLog                        Performance Logs and Alerts
Automatic      PlugPlay                         Plug and Play
Disabled       WmdmPmSN                         Portable Media Serial Number
Disabled       MacPrint                         Print Server for Macintosh
Not Defined    Spooler                          Print Spooler
Automatic      ProtectedStorage                 Protected Storage
Disabled       RasAuto                          Remote Access Auto Connection Manager
Manual         RasMan                           Remote Access Connection Manager
Disabled       srvcSurg                         Remote Administration Service
Disabled       RDSessMgr                        Remote Desktop Help Session Manager
Disabled       BINLSVC                          Remote Installation
Automatic      RpcSs                            Remote Procedure Call (RPC)
Not Defined    RpcLocator                       Remote Procedure Call (RPC) Locator
Automatic      RemoteRegistry                   Remote Registry Service
Disabled       appmgr                           Remote Server Manager
Disabled       Appmon                           Remote Server Monitor
Disabled       Remote_Storage_User_Link         Remote Storage Notification
Disabled       Remote_Storage_Server            Remote Storage Server
Manual         NtmsSvc                          Removable Storage
Disabled       RSoPProv                         (full service name not shown on this page)
Disabled       RemoteAccess                     Routing and Remote Access
Disabled       nwsapagent                       SAP Agent
Disabled       seclogon                         Secondary Logon
Automatic      SamSs                            Security Accounts Manager
Automatic      lanmanserver                     Server
Disabled       SPTimer                          SharePoint Timer Service
Disabled       ShellHWDetection                 Shell Hardware Detection
Disabled       SMTPSVC                          Simple Mail Transport Protocol (SMTP)
Disabled       SimpTcp                          Simple TCP/IP Services
Disabled       Groveler                         Single Instance Storage Groveler
Disabled       SCardSvr                         Smart Card
Disabled       SNMP                             SNMP Service
Disabled       SNMPTRAP                         SNMP Trap Service
Disabled       Sacsvr                           Special Administration Console Helper
Not Defined    SQLAgent$WEBDB                   SQLAgent$* (* UDDI or WebDB)
Automatic      SENS                             System Event Notification
Automatic      Schedule                         Task Scheduler
Automatic      LmHosts                          TCP/IP NetBIOS Helper Service
Disabled       LPDSVC                           TCP/IP Print Server
Not Defined    TapiSrv                          Telephony
Disabled       TlntSvr                          Telnet
Manual         TermService                      Terminal Services
Disabled       TermServLicensing                Terminal Services Licensing
Disabled       Tssdis                           Terminal Services Session Directory
Disabled       Themes                           Themes
Disabled       tftpd                            Trivial FTP Daemon
Not Defined    UPS                              Uninterruptible Power Supply
Disabled       Uploadmgr                        Upload Manager
Disabled       VDS                              Virtual Disk Service
Manual         VSS                              Volume Shadow Copy
Disabled       elementmgr                       Web Element Manager
Disabled       WebClient                        WebClient
Disabled       AudioSrv                         Windows Audio
Not Defined    SharedAccess                     Windows Firewall/Internet Connection Sharing
Disabled       StiSvc                           Windows Image Acquisition (WIA)
Manual         MSIServer                        Windows Installer
Disabled       WINS                             Windows Internet Name Service (WINS)
Automatic      winmgmt                          Windows Management Instrumentation
Manual         Wmi                              Windows Management Instrumentation Driver Extensions
Disabled       WmcCds                           Windows Media Connect
Disabled       WmcCdsLs                         Windows Media Connect (WMC) Helper Service
Disabled       WMServer                         Windows Media Services
Disabled       WindowsSystemResourceManager     Windows System Resource Manager
Automatic      W32Time                          Windows Time
Disabled       UMWdf                            Windows User Mode Driver Framework
Disabled       WinHttpAutoProxySvc              WinHTTP Web Proxy Auto-Discovery Service
Disabled       WinSIP                           WinSIP
Disabled       WZCSVC                           Wireless Configuration
Manual         WmiApSrv                         WMI Performance Adapter
Automatic      lanmanworkstation                Workstation
Not Defined    W3SVC                            World Wide Web Publishing Service

Note: SharedAccess appears twice in this table, once under its pre-SP1 display name (Internet Connection Firewall/Internet Connection Sharing, Automatic) and once under its Windows Server 2003 SP1 display name (Windows Firewall/Internet Connection Sharing, Not Defined). Check which row applies to the service pack level of the host before relying on the startup type.
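A template that sets a service to Disabled changes its startup type; the service instance that is already running keeps running until it is stopped or the server reboots, so a post-hardening check should look at both the start mode and the current state. The following PowerShell script is an added example written for this page, not part of the ICM Security Template or its tooling. It assumes PowerShell 2.0 on the Windows Server 2003 host and uses Win32_Service because Get-Service in PowerShell 2.0 does not expose the start mode; only part of the table is entered as data, and the remaining rows can be added in the same form.

```powershell
# Added example, not part of the ICM Security Template: compare each service's
# startup type (and, for disabled services, its running state) with the table
# above. Assumes PowerShell 2.0 on Windows Server 2003; run as an administrator.

# Subset of the table above, keyed by service name. Rows marked "Not Defined"
# are left out because the template does not change them; add further rows
# from the table as needed.
$expected = @{
    'Alerter'        = 'Disabled'
    'ALG'            = 'Disabled'
    'Browser'        = 'Disabled'
    'ClipSrv'        = 'Disabled'
    'CryptSvc'       = 'Automatic'
    'Eventlog'       = 'Automatic'
    'Messenger'      = 'Disabled'
    'MSFtpsvc'       = 'Disabled'
    'RemoteAccess'   = 'Disabled'
    'RemoteRegistry' = 'Automatic'
    'Schedule'       = 'Automatic'
    'SNMP'           = 'Disabled'
    'TermService'    = 'Manual'
    'TlntSvr'        = 'Disabled'
    'tftpd'          = 'Disabled'
    'W32Time'        = 'Automatic'
    'WebClient'      = 'Disabled'
    'wuauserv'       = 'Automatic'
}

# WMI reports "Auto" where the table says "Automatic".
$startModeFor = @{ 'Automatic' = 'Auto'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

# Index the installed services by short name (hashtable keys are case-insensitive).
$installed = @{}
foreach ($s in Get-WmiObject -Class Win32_Service) { $installed[$s.Name] = $s }

$findings = @()
foreach ($name in $expected.Keys) {
    $svc = $installed[$name]
    if ($svc -eq $null) { continue }   # not installed on this host; nothing to harden

    $want = $startModeFor[$expected[$name]]
    $wrongMode    = ($svc.StartMode -ne $want)
    # A service the template disabled may still be running until stopped or rebooted.
    $stillRunning = ($want -eq 'Disabled' -and $svc.State -eq 'Running')

    if ($wrongMode -or $stillRunning) {
        $findings += New-Object PSObject -Property @{
            Service = $name; Expected = $want; Actual = $svc.StartMode; State = $svc.State
        }
    }
}

if ($findings.Count -eq 0) { 'All listed services have the expected startup type and none of the disabled ones is running.' }
else { $findings | Sort-Object Service | Format-Table Service, Expected, Actual, State -AutoSize }
```

A row whose Actual column already says Disabled but whose State is Running is the case to watch for on a server that was hardened without a reboot; stopping the service closes that window.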
Registry

The ICM Security template modifies the access auditing for the following registry keys.

Warning: The ICMSecurityHardening script cannot rollback changes made to Registry auditing.

Auditing         Group or User Name   Object Name
Access Failure   Everyone             HKLM\Software
Access Failure   Everyone             HKLM\System
File System

The ICM Security template modifies the access permissions for the following files.

Warning: The ICMSecurityHardening script cannot rollback changes made to File System access permissions.

Permissions                                            Group or User Name      Object Name
Full Control (This folder, subfolders and files)       Administrator, SYSTEM   %SystemDrive%
Full Control (Subfolders and files only)               CREATOR OWNER           %SystemDrive%
Read and Execute (This folder, subfolders and files)   Users                   %SystemDrive%
Full Control                                           Administrator, SYSTEM   arp.exe
Full Control                                           Administrator, SYSTEM   at.exe
Full Control                                           Administrator, SYSTEM   attrib.exe
Full Control                                           Administrator, SYSTEM   cacls.exe
Full Control                                           Administrator, SYSTEM   debug.exe
Full Control                                           Administrator, SYSTEM   edlin.exe
Full Control                                           Administrator, SYSTEM   eventtriggers.exe
Full Control                                           Administrator, SYSTEM   ftp.exe
Full Control                                           Administrator, SYSTEM   nbtstat.exe
Full Control                                           Administrator, SYSTEM   net.exe
Full Control                                           Administrator, SYSTEM   net1.exe
Full Control                                           Administrator, SYSTEM   netsh.exe
Full Control                                           Administrator, SYSTEM   netstat.exe
Full Control                                           Administrator, SYSTEM   nslookup.exe
Full Control                                           Administrator, SYSTEM   ntbackup.exe
Full Control                                           Administrator, SYSTEM   rcp.exe
Full Control                                           Administrator, SYSTEM   reg.exe
Full Control                                           Administrator, SYSTEM   regedt.exe
Full Control                                           Administrator, SYSTEM   regini.exe
Full Control                                           Administrator, SYSTEM   regsvr32.exe
Full Control                                           Administrator, SYSTEM   rexec.exe
Full Control                                           Administrator, SYSTEM   route.exe
Full Control                                           Administrator, SYSTEM   rsh.exe
Full Control                                           Administrator, SYSTEM   sc.exe
Full Control                                           Administrator, SYSTEM   secedit.exe
Full Control                                           Administrator, SYSTEM   subst.exe
Full Control                                           Administrator, SYSTEM   systeminfo.exe
Full Control                                           Administrator, SYSTEM   telnet.exe
Full Control                                           Administrator, SYSTEM   tftp.exe
Full Control                                           Administrator, SYSTEM   tlntsvr.exe
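Because the rollback script cannot reverse either the registry auditing entries or the file permissions above, it is worth being able to inspect both directly and, for the audit entries, to remove them by hand. The following PowerShell script is an added example written for this page, not part of the ICM Security Template or its rollback script. It assumes PowerShell 2.0 on the Windows Server 2003 host, run as an administrator (reading or writing a SACL requires SeSecurityPrivilege). Two readings of the table are assumptions of the script: "Administrator, SYSTEM" is taken to mean the BUILTIN\Administrators group plus NT AUTHORITY\SYSTEM, and the executables are taken to be the copies in %SystemRoot%\system32.

```powershell
# Added example, not Cisco's tooling: verify the registry SACL entries and the
# executable DACLs the template sets, and provide a manual undo for the SACL,
# which the rollback script cannot reverse. Assumes PowerShell 2.0 on Windows
# Server 2003, run as an administrator.
# Assumptions: "Administrator, SYSTEM" means BUILTIN\Administrators plus
# NT AUTHORITY\SYSTEM; the listed executables live in %SystemRoot%\system32.

$auditFailure = [System.Security.AccessControl.AuditFlags]::Failure
$ntAccount    = [System.Security.Principal.NTAccount]

function Test-EveryoneFailureAudit([string]$Key) {
    # True if the key carries a failure-audit entry for Everyone, as the Registry table requires.
    $acl = Get-Acl -Path $Key -Audit
    foreach ($r in $acl.GetAuditRules($true, $true, $ntAccount)) {
        if ($r.IdentityReference.Value -eq 'Everyone' -and (($r.AuditFlags -band $auditFailure) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Remove-EveryoneFailureAudit([string]$Key) {
    # Manual undo for the auditing the rollback script cannot reverse.
    # Only explicit (non-inherited) entries on this key are removed.
    $acl = Get-Acl -Path $Key -Audit
    foreach ($r in $acl.GetAuditRules($true, $false, $ntAccount)) {
        if ($r.IdentityReference.Value -eq 'Everyone') { [void]$acl.RemoveAuditRule($r) }
    }
    Set-Acl -Path $Key -AclObject $acl
}

function Get-UnexpectedAccess([string]$File) {
    # Identities granted access to $File other than Administrators and SYSTEM,
    # each with the rights it holds. An empty result matches the File System table.
    $allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
    $acl = Get-Acl -Path $File
    $acl.Access |
        Where-Object { $allowed -notcontains $_.IdentityReference.Value } |
        ForEach-Object { '{0} ({1})' -f $_.IdentityReference.Value, $_.FileSystemRights }
}

foreach ($key in 'HKLM:\Software', 'HKLM:\System') {
    if (Test-EveryoneFailureAudit $key) { "$key : failure auditing for Everyone is in place" }
    else { "$key : no failure audit entry for Everyone (template not applied?)" }
}

foreach ($exe in 'at.exe', 'ftp.exe', 'sc.exe', 'telnet.exe', 'tftp.exe') {
    $path = Join-Path $env:SystemRoot "system32\$exe"
    if (-not (Test-Path $path)) { continue }
    $extra = @(Get-UnexpectedAccess $path)
    if ($extra.Count -eq 0) { "$exe : only Administrators and SYSTEM have access" }
    else { "$exe : additional access for " + ($extra -join ', ') }
}

# To undo the registry auditing by hand (the rollback script cannot):
#   Remove-EveryoneFailureAudit 'HKLM:\Software'
#   Remove-EveryoneFailureAudit 'HKLM:\System'
```

The DACL check reports every identity beyond the two expected ones, including inherited entries such as BUILTIN\Users, which is exactly what remains if the template was applied to the wrong copy of an executable or was never applied at all. Removing the audit entries affects only the two keys named in the table; inherited audit entries on subkeys are left untouched.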
Applying Security with the Cisco Unified Contact Center Security Wizard
This chapter contains the following topics:
• About the Cisco Unified Contact Center Security Wizard, page 79
• Configuration and Restrictions, page 80
• How to use the Wizard, page 80
• Example Security Wizard Usage, page 82
• Example Windows Hardening Configuration Panels, page 83
• Example Windows Firewall Configuration Panels, page 85
• Example Network Isolation Configuration Panels, page 88
• Example SQL Hardening Panels, page 92
About the Cisco Unified Contact Center Security Wizard
The Cisco Unified Contact Center Security Wizard is a security deployment tool for Unified ICM/CCE that simplifies security configuration through a step-by-step, wizard-based approach. The Security Wizard is a graphical user interface for configuring security by means of the Unified ICM/CCE security command-line utilities:
• The Windows Hardening Utility
• The Windows Firewall Utility
• The Network Isolation Utility
• The SQL Hardening Utility
The Windows Hardening and Windows Firewall utilities are command-line security utilities that have existed since the 7.0 release. The Network Isolation Utility was introduced after the ICM 7.2 release, and the SQL Hardening Utility was introduced in the ICM 7.5 release.
For the respective individual descriptions of each of these utilities, see the following chapters/sections in this guide:
• Automated Windows Hardening Settings on Windows Server 2003 (page 55)
• Windows Server 2003 Firewall Configuration (page 45)
• Applying IPSec with the Network Isolation Utility (page 23)
• Automated SQL 2005 Hardening (page 103)
Configuration and Restrictions
The following are Security Wizard restrictions:
• Although the Security Wizard does not interfere with applications that run on the network, run it only during the application maintenance window, because it can disrupt connectivity while network security is being set up.
• The Security Wizard works on the Windows Server 2003 platform only.
• The Firewall Configuration Utility and the Network Isolation Utility must be configured after Unified ICM is installed on the network. For more details, see Windows Server 2003 Firewall Configuration (page 45) and Applying IPSec with the Network Isolation Utility (page 23).
How to use the Wizard
The Security Wizard is installed by the ICM-CCE-CCH Installer and is placed in the “%SYSTEMDRIVE%\CiscoUtils\UCCSecurityWizard” directory. You must be a server administrator to use the features in the Security Wizard.
You can run the wizard using the shortcut installed under Start > Programs > Cisco Unified CCE Tools > Security Wizard.
Note:
• When you run the wizard, the CSA service must be stopped.
• Before you use the wizard, read the chapters in this guide on each of the utilities included in the wizard to understand what the utilities do.
Chapter 6: Applying Security with the Cisco Unified Contact Center Security Wizard Configuration and Restrictions
When you run the Security Wizard, you are presented with a menu of the security utilities (Security Hardening, Windows Firewall, Network Isolation, and SQL Hardening), and you run them one at a time.
You can move back and forth between the menu selections to see what each one contains. However, once you click the Next button for a particular utility, you must either complete its configuration or cancel to return to the Welcome page.
The wizard is self explanatory with each utility having an introductory panel, configuration panel(s), a confirmation panel, and a status panel:
• Introductory panel:
– Briefly describes what the specific utility does.
– Warns if security utility files are missing or not installed.
– Allows you to switch between utilities until you click the Next button.
• Configuration panel(s): Lists the options you can select to configure the utility and gathers your configuration input.
• Confirmation panel: Allows you to confirm your configuration choices or to go back and make changes.
After you have entered all the required input, the confirmation panel is displayed and the Next button is replaced with the Finish button. This indicates that this is your last chance to make a change to your configuration selections.
Once you click finish, you can no longer go back.
• Status panel:
– Displays the configuration command with all its required arguments.
– Displays the streaming output of the configuration command while it is executing in the background.
– Displays "Configuration Complete" and enables the "Go back to Welcome Panel" button once the command execution is complete.
The defaults are set to the recommended values and warnings are displayed if you make a selection that could cause a problem.
In the rare event that the back-end utility script terminates unexpectedly, the temporary text file created in the UCCSecurityWizard folder, which contains the command-line output, is not deleted. You can use this text file to debug the issue.
Example Security Wizard Usage
Figure 10: Security Wizard Welcome Window
The Security Wizard requires the command-line utilities to be installed on the system in order to configure security; it detects a missing utility and notifies you. The Security Wizard can run on any Unified ICM or Unified CCE server but will not run on a Domain Controller.
Example Windows Hardening Configuration Panels
Figure 11: Windows Hardening Introduction Panel
You can switch between utilities until you click the Next button at the bottom of the utility panel.
Bolded titles in the left menu bar indicate the selected utility and the selected step within that utility.
In the Windows Hardening Security Template Options window, you can:
• Apply the ICM Security Hardening template.
• Roll back part of or all of a previously applied ICM Security Hardening template.
See Automated Security Hardening Settings on Windows Server 2003 (page 55) for complete descriptions of the preceding configuration options.
The Rollback File selection list is dynamically populated.
Figure 13: Windows Hardening Confirmation Panel
At this point, you can still change any configuration selections. Once you click Finish, you can no longer change your selections.
Figure 14: Windows Hardening Status Panel
The status bar at the top of the panel tells you when the configuration is complete.
You may see some command-line windows open and close. That is normal in some command windows as different commands are executed.
Example Windows Firewall Configuration Panels
Figure 15: Windows Firewall Wizard Introduction Panel
Figure 16: Windows Firewall Configuration Options Panel
In the Security Wizard Firewall Configuration panel, you can:
• Configure a Windows firewall for your Unified ICM or Unified CCE system
• Undo firewall configuration settings previously applied
• Restore to Windows Default
Warning: The Default Windows firewall configuration is not compatible with the Unified ICM application.
• Disable the Windows firewall.
• Edit the Unified ICM Firewall Exceptions XML file. Clicking the Edit ICM Firewall Exceptions XML button opens that XML file in Notepad. You must save the file and close it before continuing with the wizard.
The Windows Firewall Configuration Utility:
• Automatically detects the Unified ICM components installed and configures the Windows Firewall accordingly.
• Must be executed after the Unified ICM application is installed.
• Can add custom exceptions, such as an exception for VNC.
• Is installed by default on all Unified ICM and Unified CCE servers.
For a complete description, see Windows Server 2003 Firewall Configuration (page 45).
Figure 17: Windows Firewall Confirmation Panel
Example Network Isolation Configuration Panels
Figure 19: Network Isolation Introductory Panel
The preferred way to deploy the Network Isolation Utility, whether configuring it for the first time or editing an existing policy, is through the Security Wizard.
The following advantages are not available in the command-line interface, which is why the Network Isolation Utility is deployed through the Security Wizard. Through the Security Wizard interface:
• You are guided by configuration panels that change dynamically according to your input.
• You can browse the current policy.
• You can see the current Network Isolation configuration and edit it if you need to.
• You can add multiple Boundary Devices through a single Security Wizard panel whereas in the command line interface you need to create a separate command for each device you want to add.
The Network Isolation Utility must be run on every server that should be set as a Trusted Device. There is no need to run the utility on Boundary Devices.
For a complete description of the Network Isolation Utility, see Applying IPSec with the Network Isolation Utility (page 23).
Figure 20: Trusted Devices Configuration Panel
This panel and the next panel are loaded from the last configuration saved in the XML Network