-
Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0
-
Preface
-
Encryption support
-
IPsec and NAT support
-
IPsec with Network Isolation Utility
-
Windows Server 2008 R2 firewall configuration
-
Cisco Unified Contact Center Security Wizard
-
Microsoft Windows
-
SQL Server Hardening
-
Cisco SSL Encryption utility
-
Network Access Protection
-
Microsoft Baseline Security Analyzer
-
Auditing
-
General antivirus guidelines and recommendations
-
Remote administration
-
Additional security best practices
-
Index
-
Feedback
Contents
Cisco Unified Contact Center Security Wizard
- About Cisco Unified Contact Center Security Wizard
- Configuration and restrictions
- Run Wizard
- Example of Security Wizard usage
- Example of Windows Firewall configuration panels
- Example of Network Isolation configuration panels
- Example of SQL Hardening panels
About Cisco Unified Contact Center Security Wizard
The Cisco Unified Contact Center Security Wizard is a security deployment tool for Unified ICM/CCE that simplifies security configuration through its step-by-step wizard-based approach.
The Security Wizard is a new graphical user interface you can use to configure security by means of the following Unified ICM/CCE security command-line utilities:
- The Windows Hardening Utility
- The Windows Firewall Utility
- The Network Isolation Utility
- The SQL Hardening Utility
The Windows Hardening and Windows Firewall utility are two command-line security utilities that have existed since the 7.0 release. The Network Isolation Utility was introduced after the ICM 7.2 release, and the SQL Hardening utility was introduced in the ICM 7.5 release.
For the descriptions of each of these utilities, see the following chapters/sections in this guide:
Configuration and restrictions
The following are Security Wizard restrictions:
- While the Security Wizard does not interfere with applications that run on the network, run the Security Wizard only during the application maintenance window because it can potentially disrupt connectivity when you are setting up the network security.
- The Security Wizard works on a Windows Server 2008 platform only.
- The Firewall Configuration Utility and the Network Isolation Utility must be configured after Unified ICM is installed on the network. For more details, see Windows Server 2003 Firewall Configuration and Applying IPsec with the Network Isolation Utility.
Run Wizard
The Security Wizard is installed by the ICM-CCE-CCH Installer and is placed in the "%SYSTEMDRIVE%\CiscoUtils\UCCSecurityWizard" directory. You must be a server administrator to use the features in the Security Wizard.You can run the wizard using the shortcut installed under .
NoteBefore you use the wizard, read the chapters in this guide about each of the utilities included in the wizard to understand what the utilities do.
When running the Security Wizard, you are provided with a menu list of the security utilities (the Security Hardening, the Windows Firewall, Network Isolation Utility, and SQL Utility), and you run each, one at a time.
You can go back and forth on any menu selection to understand what each one contains. However, after you click the Next button for any particular feature, you must either complete configuration or click Cancel to go back to the Welcome page.
The Security Wizard is self-explanatory; each utility has an introductory panel, configuration panel or panels, a confirmation panel, and a status panel. The following list provides brief explanations of these panels:What to Do Next
Configuration panel(s): Lists the options you can select to configure the utility and gathers your configuration input.
Confirmation panel: Allows you to confirm your configuration choices or to go back and make changes. After you have entered all the required input, the confirmation panel is displayed and the Next button is replaced with the Finish button. This indicates that this is your last chance to make a change to your configuration selections. After you click Finish, you can no longer go back.
The defaults are set to the recommended values and warnings are displayed if you make a selection that could cause a problem.
In the rare event that the back-end utility script dies, a temporary text file created in the UCCSecurityWizard folder is not deleted. This text file contains command-line output, which you can use this file to debug the issue.
Example of Security Wizard usage
The following image shows the Cisco Unified Contact Center Security Wizard introductory panel.
The Security Wizard requires the command line utilities to be installed on the system to configure security. It will detect if a utility is not installed and notify the user.
The Security Wizard can execute on all Unified ICM or Unified CCE servers but will not execute on a Domain Controller.
Example of Windows Firewall configuration panels
The following image shows the introductory panel for the Windows Firewall Wizard.
You will get a message in this panel if the selected utility has not been installed on your system.
The following image shows the Firewall configuration panel.
In the Security Wizard Firewall Configuration panel, you can:
- Configure a Windows firewall for your Unified ICM or Unified CCE system.
- Undo firewall configuration settings that were previously applied.
- Restore to Windows Default.
WarningThe Default Windows firewall configuration is not compatible with the Unified ICM application.
- Disable the Windows firewall.
- Edit the Unified ICM Firewall Exceptions XML file. Clicking the Edit ICM Firewall Exceptions XML button opens that XML file in Notepad. You must save the file and close it before continuing with the wizard.
The Window Firewall Configuration Utility:
- Must be executed after the Unified ICM application is installed.
- Automatically detects Unified ICM components installed and configures the Windows Firewall accordingly.
- Can add custom exceptions such as an exception for VNC.
- Is installed by default on all Unified ICM and Unified CCE servers.
See Windows Server 2003 Firewall Configuration for a complete description of these configuration options.
The following image shows the confirmation panel for Windows Firewall configuration.
The following image shows the status panel for Windows Firewall configuration.
Example of Network Isolation configuration panels
The Security Wizard is the preferred choice for deploying the Network Isolation Utility when configuring it for the first time, or when editing an existing policy.
The Security Wizard interface has the following advantages:
- You can be guided by configuration panels that dynamically change according your input.
- You can browse the current policy.
- You can see the current Network Isolation configuration and edit it if you need to.
- You can add multiple Boundary Devices through a single Security Wizard panel. To add multiple Boundary Devices in the CLI, you must create a separate command for each device that you want to add.
You must run the Network Isolation Utility on every server that will be set as a Trusted Device. There is no need to run the utility on Boundary Devices.
For a complete description of the Network Isolation Utility, see Applying IPsec with the Network Isolation Utility.
This panel and the next panel are loaded from the last configuration saved in the XML Network Isolation configuration file (not the Windows IPsec policy store), if it is available.
The Trusted Devices panel:
- Shows the current status of the policy.
- Can be used to enable, modify, browse, or disable the policy.
Note
To enable or modify a device as Trusted you must enter a Preshared Key of 36 characters or more. The length of the key typed in is displayed and updated as you enter it to help you enter the correct length.
Note
You can permanently delete the Network Isolation Utility policy through the command line only.You must use the same Preshared Key on all Trusted Devices or else network connectivity between the Trusted Devices will fail.
The Boundary Device panel (Figure 3) and the preceding panel are loaded from the last configuration saved in the XML Network Isolation configuration file (not the Windows IPsec policy store), if it is available.
In the Boundary Devices panel:
- The content of the panel is dynamically modified based on the selection made in the previous panel:
- You can add or remove multiple boundary devices.
- You can add dynamically detected devices through check boxes.
- You can add manually specified devices through a port, an IP address, or a subnet. After specifying the device, you must click Add Device to add the device. The Add button validates the data and checks for duplicate entries before proceeding further.
- You can remove a device from the Boundary Devices by selecting it in the Devices List and clicking Remove Selected.
You can narrow down the exception based on:
Example of SQL Hardening panels
The following image shows the introductory panel for the SQL Hardening utility.
You can use the SQL Hardening wizard to:
- Apply the SQL Server 2008 R2 security hardening.
- Upgrade from a previously applied hardening.
- Roll back previously applied hardening.
For more information on SQL Server hardening, see the section Automated SQL 2008 R2 Hardening.
In the SQL Hardening Security Action panel, you can:
- Apply or Upgrade SQL Server 2008 R2 Security Hardening
- Roll back Previously Applied SQL Server 2008 R2 Security Hardening
NoteThe Rollback will be disabled if there is no prior history of SQL Server 2008 R2 security hardening or if the hardening was already rolled back.
The status bar at the top of the panel tells you when the configuration is complete.
