1. Find and organize the installer applications for any recommended updates, patches, service packs, hot fixes, and security software to install on the server.
2. Upgrade the server BIOS if an upgrade is available.
3. Cisco recommends that you do not install any other product on the Security Manager Server. If you plan to install Security Manager on a server that you have used for any other purpose, first back up all important server data, then use a boot CD or DVD to wipe all data from the server. We do not support installation or coexistence on one server of Security Manager 4.19 and any release of Common Services earlier than 4.2.2. Nor do we support coexistence with any third-party software or other Cisco software, unless we state explicitly otherwise in this guide or at http://www.cisco.com/go/csmanager.
4. The Security Manager server can have multiple network interface cards (NICs), but teaming multiple NICs for load balancing is not recommended.
5. Perform a clean installation of only the baseline server OS, without any manufacturer customizations for server management.
6. Install any required OS service packs and OS patches on the target server. To check which service packs or updates are required for the version of Windows that you use, select Start > Run, then enter wupdmgr. Note: Back up your Security Manager Server and stop Security Manager services before any patches or Windows updates are applied. Cisco recommends that you apply patches and Windows updates during the maintenance window, when Security Manager is not running.
7. Install any recommended updates for drivers and firmware on the target server.
8. Scan the system for malware. To secure the target server and its OS, scan the system for viruses, Trojan horses, spyware, key-loggers, and other malware, then mitigate all related problems that you find.
9. Resolve security product conflicts. Study and work to resolve any known incompatibilities or limitations among your security tools, such as popup blockers, antivirus scanners, and similar products from other companies. When you understand the conflicts and interactions among those products, decide which of them to install, uninstall, or disable temporarily, and consider whether you must do so in a particular sequence.
10. “Harden” user accounts. To protect the target server against brute force attacks, disable the guest user account, rename the administrator user account, and remove as many other user accounts as is practical in your administrative environment.
11. Use a strong password for the administrator user account and any other user accounts that remain. A strong password has at least eight characters and contains numbers, letters (both uppercase and lowercase), and symbols. Tip: You can use the Local Security Settings tool to require strong passwords. Select Start > Administrative Tools > Local Security Policy.
12. Remove unused, unneeded, and incompatible applications. For example:
- Microsoft Internet Information Server (IIS) is not compatible with Security Manager. If IIS is installed, you must uninstall it before you install Security Manager.
- We do not support the coexistence of Security Manager with any third-party software or other Cisco software (including any CiscoWorks-branded “solution” or “bundle,” such as the LAN Management Solution (LMS)), unless we state explicitly otherwise in this guide or at http://www.cisco.com/go/csmanager. We do support the installation of Security Manager and AUS on the same server, but we recommend that configuration only for very small networks.
- We do not support the installation or coexistence of this version of Security Manager on a server with any release of Common Services earlier than 4.2.2.
- We do not support the coexistence of Security Manager on a server with any CD-ONE components (including CiscoView Device Manager) that you do not receive when you purchase Security Manager.
- We do not support the coexistence of Security Manager on the same server with Cisco Secure ACS for Windows.
13. Disable unused and unneeded services. At a minimum, Windows requires the following services to run: DNS Client, Event Log, Plug & Play, Protected Storage, and Security Accounts Manager. Check your software and server hardware documentation to learn if your particular server requires any other services.
14. Disable all network protocols except TCP and UDP. Any protocol can be used to gain access to your server. Limiting the network protocols limits the access points to your server.
15. Avoid creating network shares. If you must create a network share, secure the shared resources with strong passwords. Note: We strongly discourage network shares. We recommend that you disable NETBIOS completely.
16. Configure server boot settings. Set a zero-second startup time, set Windows to load by default, and enable automatic reboot in cases of system failure.
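
A read-only audit of checklist items 10, 12, 13 and 15, given here as an added example that is not part of the Cisco guide. It assumes Windows PowerShell 5.1 or later on a standalone or member Windows Server, run from an elevated prompt; the short service names and the `Web-Server` role name are the Windows identifiers assumed to correspond to the services and IIS named in the checklist.

```powershell
# Added example (not Cisco code): reports state only, changes nothing.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Item, [string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Item = $Item; Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Item 10: find the built-in accounts by well-known RID (500 = administrator,
# 501 = guest), so a renamed administrator account is still identified.
$users = @(Get-LocalUser)
$admin = $users | Where-Object { $_.SID.Value -match '-500$' }
$guest = $users | Where-Object { $_.SID.Value -match '-501$' }
Add-Finding '10' 'Guest account disabled' (-not $guest.Enabled) "name=$($guest.Name)"
Add-Finding '10' 'Administrator account renamed' ($admin.Name -ne 'Administrator') "name=$($admin.Name)"
$others = @($users | Where-Object { $_.Enabled -and $_.SID.Value -notmatch '-50[01]$' })
Add-Finding '10' 'Other enabled local accounts (review)' ($others.Count -eq 0) ($others.Name -join ', ')

# Item 12: IIS must not be installed. Get-WindowsFeature is available on
# Windows Server only (ServerManager module).
$iis = Get-WindowsFeature -Name Web-Server -ErrorAction SilentlyContinue
Add-Finding '12' 'IIS (Web-Server role) not installed' (-not ($iis -and $iis.Installed)) "installed=$($iis.Installed)"

# Item 13: confirm the minimum required services were not disabled during
# hardening. Assumed mapping: DNS Client, Event Log, Plug & Play,
# Protected Storage, Security Accounts Manager.
foreach ($name in 'Dnscache', 'EventLog', 'PlugPlay', 'ProtectedStorage', 'SamSs') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        # Some Windows releases do not ship every service in the list.
        Add-Finding '13' "Service $name" $true 'service not present on this system'
    } else {
        Add-Finding '13' "Service $name not disabled" ($svc.StartType -ne 'Disabled') "status=$($svc.Status); start=$($svc.StartType)"
    }
}

# Item 15: list shares other than the built-in administrative ones, and
# adapters where NetBIOS over TCP/IP is not explicitly disabled (value 2).
$shares = @(Get-SmbShare | Where-Object { -not $_.Special })
Add-Finding '15' 'No user-created network shares' ($shares.Count -eq 0) ($shares.Name -join ', ')
$nbAdapters = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.TcpipNetbiosOptions -ne 2 })
Add-Finding '15' 'NetBIOS over TCP/IP disabled on all adapters' ($nbAdapters.Count -eq 0) ($nbAdapters.Description -join '; ')

$findings | Format-Table -AutoSize -Wrap
```

Rows with `Pass` set to `False` are items to revisit before installing; the "review" row lists accounts to evaluate against the guide's advice to remove as many as is practical.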