Windows Server Hardening for Cisco Unified Attendant Console Advanced Server
Updated: September 15, 2017
This document describes several configuration changes that can be made on a Cisco Unified Attendant Console Advanced (CUACA) server to make it more secure. The process of making a Windows system more secure is known as Windows hardening. The information below can be used as a guide to harden your Cisco Unified Attendant Console Advanced server(s).
Firewall and Group Policies
Once the Windows server has been added to the domain, group policies can be pushed to it. Firewall policies and group policies pushed to the CUACA server should not block or interrupt the following services and ports:
Windows Management Instrumentation (WMI)
Distributed Transaction Coordinator (MSDTC) – only required if using SQL replication/resilience
Message Bus (MBUS) – open inbound and outbound ports 61616 and 61618 (only required if using SQL replication/resilience)
exe – For example: C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
Port Numbers (Used by CUAC):
1433 and 1434
5061 and 5062
49152 to 65535
1025 to 5000
LDAP server does not use SSL and is not configured as the Global Catalog.
LDAP server uses SSL and is not configured as the Global Catalog.
LDAP server does not use SSL and is configured as the Global Catalog.
LDAP server uses SSL and is configured as the Global Catalog.
Install antivirus software on the Windows server to protect it from malware, viruses, and so on. However, an antivirus application slows down CUACA server functionality, because the server needs continuous access to a few folders while the antivirus scans them. It is therefore advised to add the following files and folders as exclusions in the antivirus software:
System configuration databases
Software and application trace files
Active MQ folder
Cisco TSP trace files
These are the default locations used by the CUACA installer. If the administrator changes the location of these folders or uses other folders, the antivirus exclusions need to be changed accordingly.
Value Name: DisableIPSourceRouting Value Type: REG_DWORD Value: 2
Cisco advises keeping the Windows server patched with the latest Microsoft Windows and SQL Server updates and Service Packs. Automatic updates and automatic checks for updates should be disabled.
Java auto-updates are not supported because they sometimes fail, which may result in an unusable system. Minor updates are supported.
All checks for updates and installation of updates should be executed outside of production. Following installation, restart the server OS.
Other Hardening Requirements as per Company's policy
Cisco advises hardening the Windows Server according to your requirements and policy; however, the administrator needs to make sure that all CUACA requirements are still met after hardening. For detailed knowledge of CUACA requirements, refer to the CUACA Design guide and CUAC Install guide.
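One way to check that CUACA requirements are still met after group policies have been applied is shown below. This is an added example, not part of the original Cisco document: it lists enabled Block rules in the effective firewall policy that cover the fixed ports named above, and reads back the DisableIPSourceRouting value. The registry key path, the helper name Test-PortInFilter and the choice of ports to audit are assumptions.

```powershell
# Added example: post-hardening audit for a CUACA server (not Cisco tooling).
# Fixed ports named on the page; the dynamic ranges are left out to limit noise.
$RequiredPorts = 61616, 61618, 1433, 1434, 5061, 5062

function Test-PortInFilter {
    # Hypothetical helper: true when $Port is covered by a port filter value,
    # which may be 'Any', a single port ('1433') or a range ('49152-65535').
    param([int]$Port, [string[]]$FilterValue)
    foreach ($entry in $FilterValue) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
    }
    return $false
}

# ActiveStore is the effective policy: local rules merged with Group Policy rules.
$blocking = Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Action Block
$findings = foreach ($rule in $blocking) {
    $filter = $rule | Get-NetFirewallPortFilter
    # The page does not state TCP or UDP, so both (and protocol 'Any') are checked.
    if ($filter.Protocol -notin 'TCP', 'UDP', 'Any') { continue }
    $app   = $rule | Get-NetFirewallApplicationFilter
    # Inbound rules match the listening (local) port, outbound rules the peer (remote) port.
    $ports = if ($rule.Direction -eq 'Inbound') { $filter.LocalPort } else { $filter.RemotePort }
    foreach ($port in $RequiredPorts) {
        if (Test-PortInFilter -Port $port -FilterValue $ports) {
            [pscustomobject]@{
                Port = $port; Direction = $rule.Direction; Program = $app.Program
                Rule = $rule.DisplayName; Source = $rule.PolicyStoreSourceType
            }
        }
    }
}

# Value name, type and data (2) are from the page; the key path is an assumption
# (the standard Windows IPv4 TCP/IP parameters key), as the page does not state it.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$actual = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableIPSourceRouting

if ($findings) { $findings | Sort-Object Port | Format-Table -AutoSize }
else { 'No enabled Block rule covers the required ports.' }
if ($actual -eq 2) { 'DisableIPSourceRouting = 2 (as specified)' }
else { "DisableIPSourceRouting is '$actual'; the page specifies REG_DWORD 2" }
```

Rows with Program set to a specific executable are usually scoped to that application and need review rather than removal; rows with Source GroupPolicy have to be corrected in the GPO, not on the server.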