Preparing a Server for Installation

After you verify that the target server meets the requirements described in “Requirements and Dependencies,” you can use these checklists to prepare and optimize your server for installation:

Best Practices for Enhanced Server Performance and Security

A framework of best practices, recommendations, and other preparatory tasks can enable your Security Manager server to run faster and more reliably.

Caution We do not make any assurances that completing the tasks in this checklist improves the performance of every server. Nonetheless, if you choose not to complete these tasks, Security Manager might not operate as designed.

You can use this checklist to track your progress while you complete the recommended tasks.

Task

1. Find and organize the installer applications for any recommended updates, patches, service packs, hot fixes, and security software to install on the server.

2. Upgrade the server BIOS if an upgrade is available.

3. Cisco recommends that you do not install any other product on the Security Manager Server.

If you plan to install Security Manager on a server that you have used for any other purpose, first back up all important server data, then use a boot CD or DVD to wipe all data from the server.

We do not support installation or coexistence on one server of Security Manager 4.21 and any release of Common Services earlier than 4.2.2. Nor do we support coexistence with any third-party software or other Cisco software, unless we state explicitly otherwise in this guide or at http://www.cisco.com/go/csmanager.

4. The Security Manager server can have multiple network interface cards (NICs), but teaming multiple NICs for load balancing is not recommended.

5. Perform a clean installation of only the baseline server OS, without any manufacturer customizations for server management.

6. Install any required OS service packs and OS patches on the target server. To check which service packs or updates are required for the version of Windows that you use, select Start > Run, then enter wupdmgr.

Note Back up your Security Manager Server and stop Security Manager services before any patches or Windows updates are applied. Cisco recommends that you apply patches and Windows updates during the maintenance window, when Security Manager is not running.

7. Install any recommended updates for drivers and firmware on the target server.

8. Scan the system for malware. To secure the target server and its OS, scan the system for viruses, Trojan horses, spyware, key-loggers, and other malware, then mitigate all related problems that you find.

9. Resolve security product conflicts. Study and work to resolve any known incompatibilities or limitations among your security tools, such as popup blockers, antivirus scanners, and similar products from other companies. When you understand the conflicts and interactions among those products, decide which of them to install, uninstall, or disable temporarily, and consider whether you must follow a sequence.

10. “Harden” user accounts. To protect the target server against brute force attacks, disable the guest user account, rename the administrator user account, and remove as many other user accounts as is practical in your administrative environment.

11. Use a strong password for the administrator user account and any other user accounts that remain. A strong password has at least eight characters and contains numbers, letters (both uppercase and lowercase), and symbols.

Tip You can use the Local Security Settings tool to require strong passwords. Select Start > Administrative Tools > Local Security Policy.

12. Remove unused, unneeded, and incompatible applications. For example:

  • Microsoft Internet Information Server (IIS) is not compatible with Security Manager. If IIS is installed, you must uninstall it before you install Security Manager.
  • We do not support the coexistence of Security Manager with any third-party software or other Cisco software (including any CiscoWorks-branded “solution” or “bundle,” such as the LAN Management Solution (LMS)), unless we state explicitly otherwise in this guide or at http://www.cisco.com/go/csmanager. We do support the installation of Security Manager and AUS on the same server, but we recommend that configuration only for very small networks.
  • We do not support the installation or coexistence of this version of Security Manager on a server with any release of Common Services earlier than 4.2.2.
  • We do not support the coexistence of Security Manager on a server with any CD-ONE components (including CiscoView Device Manager) that you do not receive when you purchase Security Manager.
  • We do not support the coexistence of Security Manager on the same server with Cisco Secure ACS for Windows.

13. Disable unused and unneeded services. At a minimum, Windows requires the following services to run: DNS Client, Event Log, Plug & Play, Protected Storage, and Security Accounts Manager.

Check your software and server hardware documentation to learn if your particular server requires any other services.

14. Disable all network protocols except TCP and UDP. Any protocol can be used to gain access to your server. Limiting the network protocols limits the access points to your server.

15. Avoid creating network shares. If you must create a network share, secure the shared resources with strong passwords.

Note We strongly discourage network shares. We recommend that you disable NetBIOS completely.

16. Configure server boot settings. Set a zero-second startup time, set Windows to load by default, and enable automatic reboot in cases of system failure.
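
A read-only way to check items 10, 11 and 15 of this checklist from PowerShell, added here as an example and not taken from the Cisco guide. The function name and the scratch file name are assumptions; the script uses only built-in Windows tools (CIM classes and secedit) and changes no settings.

```powershell
# Added example: read-only audit of checklist items 10, 11 and 15.
# Run elevated in PowerShell 3.0 or later; secedit needs administrator rights.
function Test-CsmHardening {
    # Built-in accounts keep a fixed RID at the end of the SID
    # (-500 administrator, -501 guest), so a rename does not hide them.
    $accts = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True'
    $guest = $accts | Where-Object { $_.SID -like '*-501' }
    $admin = $accts | Where-Object { $_.SID -like '*-500' }

    # Export the local security policy and read the two password settings.
    $cfg = Join-Path $env:TEMP 'csm-secpol.inf'   # scratch file name is arbitrary
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $pol = @{}
    foreach ($line in Get-Content -LiteralPath $cfg) {
        if ($line -match '^(MinimumPasswordLength|PasswordComplexity)\s*=\s*(\d+)') {
            $pol[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item -LiteralPath $cfg

    # Type 0 is an ordinary disk share; administrative shares (C$, ADMIN$)
    # carry other type values and are not listed here.
    $shares = @(Get-CimInstance Win32_Share | Where-Object { $_.Type -eq 0 })

    # TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled.
    $netbios = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
                 Where-Object { $_.TcpipNetbiosOptions -ne 2 })

    [pscustomobject]@{
        GuestDisabled        = [bool]$guest.Disabled
        AdminRenamed         = $admin.Name -ne 'Administrator'
        OtherEnabledAccounts = @($accts | Where-Object {
                                   -not $_.Disabled -and $_.SID -notlike '*-50[01]' }).Name
        MinPasswordLength8   = $pol['MinimumPasswordLength'] -ge 8
        ComplexityRequired   = $pol['PasswordComplexity'] -eq 1
        DiskShares           = $shares.Name
        NetbiosNotDisabled   = $netbios.Description
    }
}

Test-CsmHardening | Format-List
```

The Windows complexity policy accepts passwords that use three character categories, while this checklist asks for numbers, both letter cases, and symbols, so treat ComplexityRequired as a floor.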

Readiness Checklist for Installation

You must complete the following tasks before you install Cisco Security Manager.

Readiness Factor

The following patches are required to run the critical Cisco Security Manager services on Microsoft Windows Server 2012 R2. Failing to install the patches will bring down the services. Ensure that these patches are installed on your server; if they are not, install them in the following order:

a. KB2919442

b. Run clearcompressionflag.exe

Note The clearcompressionflag.exe file is part of the cumulative set of security updates. This tool prepares the computer for the Windows Updates in the background. The executable file can be downloaded from the Microsoft site: https://support.microsoft.com/en-in/kb/2919355.

c. KB2919355, KB2932046, KB2959977, KB2937592, KB2938439, and KB2934018

d. KB2999226

You can also install these patches after installing Cisco Security Manager to bring up the critical services. To register the services with Windows services, you must run the “RegisterApache.bat” script, which is located in “<CSMInstalledDirectory>\CSCOpx\bin”, and then restart the server.

Note It might take a minimum of 30 minutes for these Windows patches to be installed, and the installation duration might vary based on the Windows server. Errors, if any, while installing these patches pertain to Microsoft and not to Cisco Security Manager.

Caution A server can be vulnerable to attack when you uninstall or disable security applications.

1. Disable security applications temporarily. For example, you must temporarily disable any antivirus software on the target server before you install Security Manager. Installation cannot run while these programs are active.

Note Re-enable your antivirus software after installation, but you must exclude the NMSROOT directory and eventing folder from scanning as long as Security Manager is installed on the server.

Tip You will invalidate the SSL certificate on your server if you set the server date and time outside the range of time in which the SSL certificate is valid. If the server SSL certificate is invalid, the DCRServer process cannot start.

2. Carefully consider the date and time settings that you apply to your server. Ideally, use an NTP server to synchronize the server date and time settings with those of the devices you expect to manage. Also, if you use Security Manager in conjunction with a Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) appliance, the NTP server that you use should be the same one that your Cisco Security MARS appliance uses. Synchronized times are especially important in Cisco Security MARS because timestamp information is essential to accurately reconstruct what transpires on your network.

Tip If a change to the date and time settings on your server invalidates the SSL certificate, a “java.security.cert.CertificateNotYetValidException” error is visible in your NMSROOT\log\DCRServer.log file, where NMSROOT is the path to the Security Manager installation directory. The default is C:\Program Files (x86)\CSCOpx.

3. Confirm that required services and ports are enabled and available for use by Security Manager. Security Manager uses predefined and dynamic ports for its internal operation. Port scanners might block those ports and prevent Security Manager from executing those processes. Therefore, port scanners such as Qualys should not be enabled. If they are enabled, a Security Manager process might crash, which in turn might require a complete reinstallation of Security Manager. See Required Services and Ports, page 3-1.

4. If Terminal Services is enabled in Application Mode, disable Terminal Services and reboot the server. Installation of Security Manager on a system with Terminal Services enabled in Application Mode is not supported. Terminal Services enabled in Remote Administration Mode is supported.

If Terminal Services is enabled on the target server in Application Mode when you try to install Security Manager, an error will stop the installation.

5. Disable any domain controller service (primary or backup) that is running.

6. Confirm that the target directory for installation is not encrypted. Any attempt to install Security Manager in an encrypted directory will fail.

7. If you are performing a fresh installation, you should place your license file on the target server before installation. You will be prompted to select this file during installation.

Note The path to the license file must not contain special characters such as the ampersand (&).

8. If you have not done so already, uninstall IIS. It is not compatible with Security Manager.

9. Disable every active instance of Sybase on your server, including Cisco Secure ACS for Windows if it is present. You can choose whether to re-enable or restart Sybase after you install Security Manager, but remember we do not support the coexistence of Security Manager on the same server with Cisco Secure ACS for Windows.

10. If the Cisco Security Manager client is already installed on the server, the client needs to be stopped. This condition is checked during installation.

11. Disable FIPS-compliant encryption. Federal Information Processing Standard (FIPS)-compliant encryption algorithms are sometimes enabled for group security policy on Windows Server 2008. When FIPS compliance is turned on, SSL authentication may fail on the CiscoWorks Server. You should disable FIPS compliance for CiscoWorks to work properly.

Procedure

To enable or disable FIPS on Windows Server 2008, follow these steps:

a. Go to Start > Administrative Tools > Local Security Policy. The Local Security Policy window appears.

b. Click Local Policies > Security Options.

c. Select System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

d. Right-click the selected policy and click Properties.

e. Select Enabled or Disabled to enable or disable FIPS compliant algorithms.

f. Click Apply.

You must reboot the server for the changes to take effect.

12. Disable Internet Explorer Enhanced Security Configuration (IE ESC). This is necessary because IE ESC prevents the client download.

Procedure

To disable IE ESC on the server where you are preparing to install Security Manager, follow these steps:

a. In Windows, open Server Manager. You can do this by right-clicking Computer and then clicking Manage.

b. Under Security Information, click Configure IE ESC and then turn off IE ESC.

13. Disable port scanner software. Security Manager uses predefined and dynamic ports for its internal operation. Port scanners might block these ports and prevent Security Manager from executing those processes. Therefore, port scanners such as Qualys should not be enabled. If they are enabled, a Security Manager process might crash, which in turn might require a complete reinstallation of Security Manager.
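
A read-only pre-installation check for several of the readiness factors above (the Windows Server 2012 R2 patch list, the FIPS policy, IIS, an encrypted target directory, and the license path), added as an example and not taken from the Cisco guide. The function and parameter names are assumptions, and Get-HotFix cannot show whether clearcompressionflag.exe was run.

```powershell
# Added example: read-only pre-installation check; it changes nothing.
# $InstallDir and $LicensePath are values you supply (hypothetical parameter names).
function Test-CsmReadiness {
    param(
        [Parameter(Mandatory = $true)] [string] $InstallDir,
        [Parameter(Mandatory = $true)] [string] $LicensePath,
        [char[]] $BadPathChars = @('&')   # the guide names only the ampersand
    )
    # Patches in the order the checklist gives for Windows Server 2012 R2.
    $kbOrder = 'KB2919442', 'KB2919355', 'KB2932046', 'KB2959977',
               'KB2937592', 'KB2938439', 'KB2934018', 'KB2999226'
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $missing   = @($kbOrder | Where-Object { $installed -notcontains $_ })

    # The FIPS security option is stored in this registry value (1 = enabled).
    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fips    = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue

    # W3SVC is the IIS World Wide Web Publishing Service.
    $iis = Get-Service -Name W3SVC -ErrorAction SilentlyContinue

    # A new folder inherits EFS encryption from its parent, so test the
    # nearest ancestor of the install path that already exists.
    $dir = $InstallDir
    while ($dir -and -not (Test-Path -LiteralPath $dir)) { $dir = Split-Path -Path $dir -Parent }
    $efs = $false
    if ($dir) {
        $attrs = (Get-Item -LiteralPath $dir -Force).Attributes
        $efs   = ($attrs -band [IO.FileAttributes]::Encrypted) -ne 0
    }

    [pscustomobject]@{
        MissingPatches      = $missing                  # still in install order
        NextPatchToInstall  = $missing | Select-Object -First 1
        FipsEnabled         = [bool]($fips -and $fips.Enabled -eq 1)
        IisInstalled        = [bool]$iis
        InstallDirEncrypted = $efs
        LicensePathOk       = $LicensePath.IndexOfAny($BadPathChars) -lt 0
    }
}

# Default NMSROOT from the guide; the license path is a constructed sample value.
Test-CsmReadiness -InstallDir 'C:\Program Files (x86)\CSCOpx' -LicensePath 'C:\licenses\csm.lic'
```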