Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0
Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) checks computers running Microsoft Windows Server 2008 R2, Windows Server XP, or Windows NT 4.0 for common security misconfigurations.

The following are the scanning options selected for Cisco Unified ICM Real-Time Distributor running one or more web applications (for example, Internet Script Editor or Agent-Reskilling).

  • Windows operating system (OS) checks
  • IIS checks
  • SQL checks
  • Security update checks
  • Password checks

This report is provided to show an example of the results of running the MBSA tool against a Cisco Unified ICM server that is running the majority of Microsoft Server Applications supported by the tool.

Security update scan results

The following table provides an example of security update scan results:

Table 1 Security Update Scan Results

| Issue | Result |
|---|---|
| Windows Security Updates | No critical security updates are missing. |
| IIS Security Updates | No critical security updates are missing. |
| SQL Server/MSDE Security Updates | Instance (default): No critical security updates are missing. |
| MDAC Security Updates | No critical security updates are missing. |
| MSXML Security Updates | No critical security updates are missing. |
| Office Security Updates | No Microsoft Office products are installed. |

Windows scan results

The following table shows Windows scan results:

Table 2 Vulnerabilities

| Issue | Result |
|---|---|
| Automatic Updates | Automatic Updates are managed through Group Policy on this computer. |
| Administrators | More than 2 Administrators were found on this computer. Note: This warning can be ignored given that the Cisco Unified ICM application requires the addition of certain groups to the Local Administrators group, therefore triggering this event. It is recommended that you review the Result Details and remove any known unnecessary accounts. |
| Password Expiration | Some user accounts (1 of 7) have non-expiring passwords. Note: When the server is properly configured to require expiring passwords, this warning will typically find the Guest account to have a non-expiring password even though the account is disabled. This warning can be ignored. |
| Windows Firewall | Windows Firewall is enabled and has exceptions configured. Windows Firewall is enabled on all network connections. |
| Local Account Password Test | Some user accounts (1 of 7) have blank or simple passwords, or could not be analyzed. |
| File System | All hard drives (1) are using the NTFS file system. |
| Autologon | Autologon is not configured on this computer. |
| Guest Account | The Guest account is disabled on this computer. |
| Restrict Anonymous | Computer is properly restricting anonymous access. |

The following table provides additional scan information:

Table 3 Additional System Information

| Issue | Result |
|---|---|
| Auditing | Logon Success and Logon Failure auditing are both enabled. |
| Services | Some potentially unnecessary services are installed. |
| Shares | 2 share(s) are present on your computer. |
| Windows Version | Computer is running Windows Server 2008 R2 or greater. |

Internet Information Services (IIS) scan results

The following table shows IIS scan results:

Table 4 Vulnerabilities

| Issue | Result |
|---|---|
| IIS Lockdown Tool | The IIS Lockdown tool was developed for IIS 4.0, 5.0, and 5.1, and is not needed for new Windows Server 2008 R2 installations running IIS 6.0. |
| Sample Applications | IIS sample applications are not installed. |
| IISAdmin Virtual Directory | IISADMPWD virtual directory is not present. |
| Parent Paths | Parent paths are not enabled. |
| MSADC and Scripts Virtual Directories | The MSADC and Scripts virtual directories are not present. |

Table 5 Additional System Information

| Issue | Result |
|---|---|
| Domain Controller Test | IIS is not running on a domain controller. |
| IIS Logging Enabled | All web and FTP sites are using the recommended logging options. |

SQL Server scan results

The following table shows SQL Server scan results:

Instance (default)

Table 6 Vulnerabilities

| Issue | Result |
|---|---|
| Sysadmin role members | BUILTIN\Administrators group is part of sysadmin role. Note: This is acceptable because the Cisco Unified ICM application adds certain groups to the local Administrators account on the server which require dbo access to the database. |
| Sysadmins | No more than 2 members of sysadmin role are present. |
| Service Accounts | SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts are not members of the local Administrators group and do not run as LocalSystem. |
| Exposed SQL Server/MSDE Password | The "sa" password and SQL service account password are not exposed in text files. |
| Domain Controller Test | SQL Server and/or MSDE is not running on a domain controller. |
| SQL Server/MSDE Security Mode | SQL Server and/or MSDE authentication mode is set to Windows Only. |
| Registry Permissions | The Everyone group does not have more than Read access to the SQL Server and/or MSDE registry keys. |
| CmdExec role | CmdExec is restricted to sysadmin only. |
| Folder Permissions | Permissions on the SQL Server and/or MSDE installation folders are set properly. |
| Guest Account | The Guest account is not enabled in any of the databases. |
| SQL Server/MSDE Account Password Test | The check was skipped because SQL Server and/or MSDE is operating in Windows Only authentication mode. |

Desktop application scan results

The following table shows desktop application scan results:

Table 7 Vulnerabilities

| Issue | Result |
|---|---|
| IE Zones | Internet Explorer zones have secure settings for all users. |
| IE Enhanced Security Configuration for Administrators | The use of Internet Explorer is restricted for administrators on this server. |
| IE Enhanced Security Configuration for Non-Administrators | The use of Internet Explorer is restricted for non-administrators on this server. |
| Macro Security | No Microsoft Office products are installed. |