Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0
Additional security best practices
Downloads: This chapterpdf (PDF - 457.0KB) The complete bookPDF (PDF - 3.48MB) | Feedback

Additional security best practices

Additional security best practices

This chapter lists additional security best practices.

In addition to these best practices, you can find other ICM security considerations in the Setup and Configuration Guide for Cisco Unified Contact Center Hosted at Cisco Unified Contact Center Hosted Install and Upgrade Guides.

Additional Cisco Call Center applications

Security best practices for additional Cisco Call Center applications are as follows:

Cisco CTI Object Server (CTI OS)

In the CTI OS System Manager's Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted:

  • Desktop Users: The section "Desktop User Accounts" contains instructions for configuring privileges for desktop users.

Cisco Agent Desktop (CAD)

The Cisco Agent Desktop Documentation, found within the Unified CCE Documentation Set at http://www.cisco.com/univercd/cc/td/doc/product/icm/ipccente/index.htm.

Privileges: Required privileges of various kinds are discussed in the CAD installation guide and the CAD administrator user's guide.

Cisco Unified ICM router

The file dbagent.acl is an internal file that users should not edit. This file, however, must have the READ permission set so that it can allow users to connect to the router's real-time feed. The file works in the background without users being aware of it.

Peripheral Gateways (PGs) and Agent login

As of Release 8.0(1), there is a rate limit of Unified CCE agent login attempts with incorrect password. By default, the agent account is disabled for 15 minutes after three incorrect password attempts, counted over a period of 15 minutes.

This default can be changed through the use of registry keys. The registry keys are under: HKLM\SOFTWARE\Cisco Systems, Inc.\\ICM\<inst>\PG(n)[A/B]\PG\CurrentVersion\PIMS\pim(n)\EAGENTData\Dynamic

The registry keys include the following:

  • AccountLockoutDuration: Default. After the account is locked out as a result of unsuccessful login attempts, this is the number of minutes the account will remain locked out.
  • AccountLockoutResetCountDuration: Default 15. Number of minutes before the AccountLockoutThreshold count goes back to zero. This is applicable when the account does not get locked out, but you have unsuccessful login attempts that are less than AccountLockoutThreshold.
  • AccountLockoutThreshold: Default 3. Number of unsuccessful login attempts after which the account is locked out.

CTI OS and Monitor Mode connection

As of Release 8.0(1), there is a rate limit on Monitor Mode connection. When TLS is enabled and a password is required, Monitor Mode is disabled for 15 minutes after three incorrect password attempts (configurable). Counter resets on a valid login. Refer to the CTI OS System Manager's Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted for more information.

Microsoft Internet Information Server (IIS)

Internet Information Server (IIS) is required for Internet Script Editor. Disable, or do not install the service on any other node except for the Distributor. There are some exceptions in multimedia configuration of the solution. In this case, product documentation and system requirements must be followed.

WMI service hardening

Windows Management Instrumentation (WMI) is used to manage Windows systems. WMI security is an extension of the security subsystem built into Windows operating systems. WMI security includes: WMI namespace-level security; Distributed COM (DCOM) security; and Standard Windows OS security.

WMI namespace-level security

To configure the WMI namespace-level security:

Procedure
    Step 1   Launch the %SYSTEMROOT%\System32\Wmimgmt.msc MMC control.
    Step 2   Right-click the WMI Control icon and select Properties.
    Step 3   Select the Security properties page.
    Step 4   Select the Root folder and click the Security button.
    Step 5   Remove EVERYONE from the selection list then click the OK button.

    Only <machine>\Administrators should have ALL rights.


    Additional WMI security considerations

    The WMI services are set to Manual startup by default. These services are used by Third-Party Management agents to capture system data and must not be disabled unless specifically required.

    Perform DCOM security configuration in a manner that is consistent with your scripting environment. Refer to the WMI security documentation for additional details on using DCOM security.

    SNMP hardening

    Refer to the SNMP Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted for details on installation, setting the community names, usernames, and trap destinations.

    Although the Microsoft Management and Monitoring Tools subcomponents are necessary for SNMP manageability, the Microsoft native SNMP service will be disabled during Web Setup tool and its functionality replaced by a more secure agent infrastructure. The administrator must not attempt to re-enable the Microsoft SNMP service because this may cause conflicts with the Cisco-installed SNMP agents.

    Explicitly disable the Microsoft SNMP trap service. It is not recommended that Unified ICM/ Unified CCE servers run management software for collecting SNMP traps, thus, the Microsoft SNMP trap service is not necessary.

    Versions 1 and 2c of the SNMP protocol are less secure than Version 3. SNMP Version 3 features a significant step forward in security. For Unified ICME and Unified CCE hosts located on internal networks behind corporate firewalls, it is desirable to enable SNMP manageability by performing the additional configuration and hardening recommendations listed below:

    1. Create SNMP v1/v2c community strings or SNMP v3 user names using a combination of upper, and lowercase characters. DO NOT use the common "public" and/or "private" community strings. Create names that are difficult to guess.
    2. Use of SNMP v3 is highly preferred. Always enable authentication for each SNMP v3 username. The use of a privacy protocol is also encouraged.
    3. Limit the number of hosts that are allowed to connect to SNMP manageable devices.
    4. Configure community strings and usernames on manageable devices to accept SNMP requests only from those hosts running SNMP management applications. (This is done via the SNMP agent configuration tool when defining community strings and usernames.)
    5. Enable sending of SNMP traps for authentication failures. This will alert you to potential attackers trying to "guess" community strings and/or user names.

    SNMP manageability is installed on Unified ICM/ Unified CCE servers and is executing by default. However, for security reasons, SNMP access is denied until the configuration steps enumerated above have been completed.

    As an alternative that provides a much higher level of security, customers may choose to configure IPsec filters and an IPsec policy for SNMP traffic between an SNMP management station and SNMP agents. Follow the Microsoft recommendations on how to accomplish this. For more information on IPsec policy for SNMP traffic refer to Microsoft knowledge base article: Q324261.

    Toll fraud prevention

    Toll fraud is a serious issue in the Telecommunications Industry. The fraudulent use of telecommunications technology can be expensive for a company, so the Telecom Administrator must take the necessary precautions to prevent this. For Unified CCE environments, resources are available at Cisco.com on how to lock down Unified CM systems and to mitigate against toll fraud.

    In Unified ICM, the primary concern is in using dynamic labels in the label node of a Unified ICM script. If the dynamic label is constructed from information entered by a caller (such as with Run External Script), then it is possible to construct labels of the following form:

    • 9.....
    • 9011....
    • etc.

    These labels might cause the call to be sent to outside lines or even to international numbers. If the dial plans configured in the routing client would allow such numbers to go through, and the customer does not want such labels to be used, then the Unified ICM script must check for valid labels before using them.

    A simple example is an ICM script that prompts the caller with "If you know your party's extension, enter it now," and then uses the digits entered blindly in a dynamic label node. It is possible that the call could be transferred anywhere. If this behavior is not desired, then either the Unified ICM routing script or the routing client's dial plan must check for and disallow invalid numbers.

    An example of a Unified ICM script check is an "If" node that uses an expression such as:

    substr (Call.CallerEnteredDigits, 1, 1) = "9"

    The True branch of this node would then branch back to ask the caller again. The False branch would allow the call to proceed. This is only an example. Each customer must decide what is and what is not allowed based on their own environment.

    Unified ICM does not normally just transfer calls to arbitrary phone numbers. Numbers have to be explicitly configured as legal destinations, or alternatively, the Unified ICM routing script can contain logic that causes the call to be transferred to a phone number that is contained in a script variable. Scripts can be written so that a caller enters a series of digits and the script treats it as a destination phone number, asking the routing client to transfer the call to that number. You should add logic to such a script to make sure the requested destination phone number is reasonable.

    Syskey

    Syskey enables the encryption of the account databases. It is recommended that you use Syskey to secure any local account database.


    Note


    When configuring Syskey, you must use the System Generated Password and Store Startup Key Locally options in the Startup Key dialog box.

    Third-Party security providers

    Cisco has qualified Unified ICM software with the Operating System implementations of NTLM, Kerberos V and IPsec security protocols.

    Cisco does not support other third-party security provider implementations.

    Third-Party management agents

    Some server vendors include in their server operating system installations agents to provide convenient server management and monitoring.

    For example:

    • HP ProLiant Servers run Insight Management Agents for Windows.
    • IBM provides the IBM Director Agent.

    These and other agents enable the gathering of detailed inventory information about servers, including operating system, memory, network adapters, and hardware.

    While Cisco recognizes such agents can be of value, due to performance impact considerations, Cisco does not currently support their use on mission-critical Unified ICM/ Unified CCE servers.


    Warning


    You must configure agents in accordance to the Anti-Virus policies described in this document. Do not execute Polling or intrusive scans during peak hours, but rather schedule these activities for maintenance windows.



    Note


    Install SNMP services as recommended by these third-party management applications to take full advantage of the management capabilities provided with your servers. Failing to install, or disabling, SNMP prevents enterprise management applications from receiving hardware prefailure alerts and disables certain application functions such as advanced ProLiant status polling, inventory reporting, and version control in HP Insight Manager.