Explore Cisco
How to Buy

Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted, Release 10.5(1)

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted, Release 10.5(1)

Chapter Title

Other Security Considerations

Results

Updated:
November 8, 2018

Chapter: Other Security Considerations

Other Security Considerations

Other Cisco Call Center Applications

The following sections discuss security considerations for other Cisco Call Center applications.

Cisco Unified ICM Router

The file dbagent.acl is an internal, background file. Do not edit this file. However, this file must have the READ permission set, so that the file can allow users to connect to the router's real-time feed.

Peripheral Gateways (PGs) and Agent Login

There is a rate limit of Unified CCE agent login attempts with incorrect password. By default, the agent account is disabled for 15 minutes after three incorrect password attempts, counted over a period of 15 minutes.

You can change this default by using registry keys. The registry keys are under: HKLM\SOFTWARE\Cisco Systems, Inc.\\ICM\<inst>\PG(n)[A/B]\PG\CurrentVersion\PIMS\pim(n)\EAGENTData\Dynamic

The registry keys include the following:

  • AccountLockoutDuration: Default. After the account is locked out because of unsuccessful login attempts, this value is the number of minutes the account remains locked out.

  • AccountLockoutResetCountDuration: Default 15. Number of minutes before the AccountLockoutThreshold count goes back to zero. This value is applicable when the account does not get locked out, but you have unsuccessful login attempts that are less than AccountLockoutThreshold.

  • AccountLockoutThreshold: Default 3. Number of unsuccessful login attempts after which the account is locked out.

Cisco CTI Object Server (CTI OS)

In the CTI OS System Manager Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted:

  • Desktop Users: The section "Desktop User Accounts" contains instructions for configuring privileges for desktop users.

CTI OS and Monitor Mode Connection

There is a rate limit on Monitor Mode connection. When TLS is enabled and a password is required, Monitor Mode is disabled for 15 minutes after three incorrect password attempts (configurable). Counter resets on a valid login. Refer to the CTI OS System Manager Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted for more information.

Endpoint Security

Agent Desktops

The CTI OS (C++/COM toolkit) and CAD agent desktop servers both support TLS encryption to the server. This encryption protects agent sign-in and CTI data from snooping. A mutual authentication mechanism enables the CTI OS Server and client to agree on a cipher suite for authentication, key exchange, and stream encryption. The cipher suite used is as follows:

  • Protocol: SSLv3

  • Key exchange: DH

  • Authentication: RSA

  • Encryption: AES (128)

  • Message digest algorithm: SHA1

The following figure shows the encryption implementation's use of X.509 certificates on the agent desktops and on the servers. The implementation supports the integration with a Public Key Infrastructure (PKI) for the most secure deployment. By default, the application installs and relies on a self-signed certificate authority (CA) to sign client and server requests. However, Cisco supports integration with a third-party CA. This mechanism is the preferred method because of the increased security provided by a corporate-managed CA or external authority such as VeriSign.

Figure 1. Secure Agent Desktops (Certificate-Based Mutual Authentication)

The following figure shows the Certificate Authority enrollment procedure to generate certificates used by the agent and the servers. The agent desktop certificate enrollment process is manual. The process requires the creation of certificate signing requests (CSRs) at each endpoint. The CSRs are then transferred to the certificate authority responsible for signing and generating the certificates.

Figure 2. Certificate Authority Enrollment Procedure

Cisco Finesse supports HTTPS for the Administration Console and Agent and Supervisor Desktops. HTTPS is not supported for Agent and Supervisor Desktops in large deployments (over 1000 agents).

Unified IP Phone Device Authentication

When designing a Unified CCE solution based on Unified Communications Manager, customers may choose to implement device authentication for the Cisco Unified IP Phones. Unified CCE supports Unified Communications Manager’s Authenticated Device Security Mode, which ensures the following:
  • Device Identity — Mutual authentication using X.509 certificates
  • Signaling Integrity — SCCP/SIP messages authenticated using HMAC-SHA-1
  • Signaling Privacy — SCCP/SIP message content encrypted using AES-128-CBC

Media Encryption (SRTP) Considerations

Certain IP phones support Secure Real-Time Transport Protocol (SRTP). Before enabling SRTP in your deployment, consider the following points:

  • The Unified CVP VXML Browser does not support SRTP.

  • Deployments that use span-based silent monitoring do not support SRTP.

  • Mobile Agents cannot use SRTP.

  • The Cisco Outbound Option Dialers do not support SRTP. While calls are connected to the Dialer, the calls cannot use SRTP. But, calls can negotiate SRTP once the call is no longer connected to the Dialer.

IP Phone Hardening

The IP phone device configuration in Unified CM provides the ability to disable a number of phone features to harden the phones, such as disabling the phone's PC port or restricting a PC from accessing the voice VLAN. Changing some of these settings can disable the monitoring/recording feature of the Unified CCE solution. The settings are defined as follows:
  • PC Voice VLAN Access
    • Indicates whether the phone will allow a device attached to the PC port to access the Voice VLAN. Disabling Voice VLAN Access will prevent the attached PC from sending and receiving data on the Voice VLAN. It will also prevent the PC from receiving data sent and received by the phone. Disabling this feature will disable desktop-based monitoring and recording.
    • Setting: Enabled (default)
  • Span to PC Port
    • Indicates whether the phone will forward packets transmitted and received on the Phone Port to the PC Port. To use this feature, PC Voice VLAN access must be enabled. Disabling this feature will disable desktop-based monitoring and recording.
    • Setting: Enabled
Disable the following setting to prevent man-in-the-middle (MITM) attacks unless the third-party monitoring and/or recording application deployed uses this mechanism for capturing voice streams. The CTI OS Silent Monitoring feature and CAD Silent Monitoring and Recording do not depend on Gratuitous ARP.
  • Gratuitous ARP
    • Indicates whether the phone will learn MAC addresses from Gratuitous ARP responses.
    • Setting: Disabled

Java Upgrades

During installations and upgrades, Unified CCE installs the base required Java version. Oracle can release Java updates with important security fixes after you install your contact center. You can apply Java updates to your contact center as follows:

  • You can apply Java updates for the latest Java 6 minor version.

  • You may need to modify the Windows JAVA_HOME path variable to point to the new Java Runtime Environment (JRE) location if it has changed.

Note
Note

Release 10.5(2) applies JRE 1.6.087.

Microsoft Security Updates

Automatically applying security and software update patches from third-party vendors has some risk. Subtle changes in functionality or extra layers of code can alter the overall performance of Cisco Contact Center products.

Assess all security patches released by Microsoft and install those patches deemed appropriate for your environment. Do not automatically enable Microsoft Windows Update. The update schedule can conflict with other Unified ICM/Unified CCE activity. Consider using Microsoft Software Update Service or similar patch management products to selectively apply Critical and Important security patches. Follow the Microsoft guidelines about when and how you apply these updates.

Note
Note
Assess the security exposure of the critical security patches released by Microsoft for Windows, IIS, and SQL. Apply critical security patches as you deem necessary for your site.

Refer to Cisco Customer Contact Software Policy for Third-Party Software/Security Updates at https://www.cisco.com/en/US/products/sw/custcosw/ps1844/prod_bulletins_list.html.

Microsoft Service Pack Policy

Do not automatically apply Microsoft Service Packs for the operating system or SQL Server. Cisco qualifies service packs through extensive testing and defines compatible service packs on the Compatibility Matrix web page for each product.

Microsoft Software Update Services (SUS) or Windows Server Update Services are alternatives to the default Windows Update website. You can configure the Microsoft Windows Automatic Update Client to poll a server that runs one of these alternatives to retrieve updates.

This approach enables you to selectively approve updates and determine when they get deployed on production servers.

To use Automatic Updates with a server that runs Software Update Services, see the Software Update Services Deployment white paper. See the following Microsoft website: http://www.microsoft.com/windowsserversystem/updateservices/techinfo/previous/susdeployment.mspx.

Microsoft Internet Information Server (IIS)

Internet Script Editor requires Internet Information Server (IIS). Disable the service on any other node except for the Distributor. There are some exceptions for the multimedia configuration of the solution. In that case, follow the product documentation and system requirements.

Active Directory Deployment

This section describes the Active Directory and Firewall Deployment topology. For more detailed Active Directory (AD) deployment guidance, consult the Staging Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted at http://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-installation-guides-list.html.

While Unified ICM and Unified CCE systems may still be deployed in a dedicated Windows Active Directory domain, it is not a requirement. What makes this possible is the capability of the software security principals to be installed in Organizational Units. This closer integration with AD and the power of security delegation means that corporate AD directories can be used to house application servers (for domain membership), user and service accounts, and groups.

AD Site Topology

In a geographically distributed deployment of Unified ICM or Unified CCE, redundant domain controllers must be located at each of the sites, and properly configured Inter-Site Replication Connections must be established with a Global Catalog at each site. The Unified CCE application is designed to communicate with the AD servers that are in their site, but this requires an adequately implemented site topology in accordance with Microsoft guidelines.

Organizational Units

Application-Created OUs

The installation of Unified ICM or Unified CCE software requires that the AD Domain in which the VMs are members must be in Native Mode. The installation will add a number of OU objects, containers, users, and groups that are necessary for the operation of the software. Adding these objects can be done only in an Organizational Unit in AD over which the user running the install program has been delegated control. The OU can be located anywhere in the domain hierarchy, and the AD Administrator determines how deeply nested the Unified ICM/Unified CCE OU hierarchy is created and populated.

Note
Note

Local Server Accounts and groups are not created on the application servers. All created groups are Domain Local Security Groups, and all user accounts are domain accounts. The Service Logon domain account is added to the Local Administrators' group of the application servers.

Unified ICM and Unified CCE software installation is integrated with a Domain Manager tool that can be used standalone for pre-installing the OU hierarchies and objects required by the software, or can be used when the Setup program is invoked to create the same objects in AD. The AD/OU creation can be done on the domain in which the running VM is a member or on a trusted domain.

Do not confuse the creation of AD objects with Group Policy Objects (GPO). The Automated Security Hardening, which is provided and follows the standard Microsoft Security Template format, is not added to AD as part of the software installation through the configuration of a GPO. The security policy provided by this customized template (for Unified ICM/Unified CCE applications) is applied locally when a user chooses to apply hardening, or it can be pushed down through a GPO through manual AD configuration using the provided policy file, CiscoICM_Security_Template.inf.

AD Administrator-Created OUs

An administrator can create certain AD objects. A prime example is the OU container for Unified CCE Servers. This OU container is manually added to contain the VMs that are members of a given domain. You move these VMs to this OU once they are joined to the domain. This segregation controls who can or cannot administer the servers (delegation of control). Most importantly, the segregation controls the AD Domain Security Policies that the application servers in the OU can or cannot inherit.

As noted before, Unified ICM/Unified CCE servers ship with a customized security policy. You can apply this policy at this server OU level through a Group Policy Object (GPO). Block any differing policies from being inherited at the Unified ICM/Unified CCE Servers' OU. Remember that someone can override blocking inheritance, a configuration option at the OU object level, by selecting the Enforced/No Override option at a higher hierarchy level. The application of group policies must follow a well-planned design. Start with the most common denominator, and restrict those policies only at the appropriate level in the hierarchy. For a more in-depth explanation on how to deploy group policies properly, see the pages in the Microsoft Security Compliance Manager site at http://technet.microsoft.com/en-us/library/cc677002.aspx.

Figure 3. Active Directory and Firewall Deployment Topology
The following notes apply to the preceding figure:
  • The application setup creates the Cisco_ICM organizational unit object hierarchies.
  • The AD administrators create Unified ICM Servers and Unified CCE Servers organizational unit objects to separately apply custom Cisco Unified ICM Security Policies through a GPO if necessary.
  • Flexible Single Master Operation servers must be distributed across Domain Controllers in the appropriate sites according to Microsoft guidelines.

Network Access Protection

Network Access Protection (NAP) is a platform and solution introduced in Windows Server 2008 R2. NAP helps to maintain the network's overall integrity by controlling access to network resources based on a client computer's compliance with system health policies.

The NAP server validates client health using the system health policies.

The NAP server is supported on Windows Server 2008 R2.

The NAP client is supported on the following operating systems:

  • Windows Server 2008 R2

  • Windows 7

Network Policy Server

Do not use a Unified CCE server for any other purpose than for Unified CCE approved software. Do not run the Network Policy Server on any Unified CCE VM.

Unified CCE Servers and NAP

You can use NAP in a few different ways. The following are some deployment options a user can consider using with Unified CCE:

  • Unified CCE servers using a limited access environment—NOT SUPPORTED

    Warning
    Warning

    In this model, the Unified CCE servers are inaccessible if they fall out of compliance. This inaccessibility would cause the entire call center to go down until machines become compliant again.

  • Unified CCE server uses monitoring-only environment—This mode is useful to track the health status of the Unified CCE servers.

  • Unified CCE servers that are exempt from health validation— In this mode, the Unified CCE servers work in a NAP environment but do not become inaccessible from the network. A Unified CCE server's state of health does not affect communications to and from the other Unified CCE servers.

WMI Service Hardening

Windows Management Instrumentation (WMI) is used to manage Windows systems. WMI security is an extension of the security subsystem built into Windows operating systems. WMI security includes: WMI namespace-level security; Distributed COM (DCOM) security; and Standard Windows OS security.

WMI Namespace-Level Security

To configure the WMI namespace-level security:

Procedure

Step 1

Launch the %SYSTEMROOT%\System32\Wmimgmt.msc MMC control.

Step 2

Right-click the WMI Control icon and select Properties.

Step 3

Select the Security properties page.

Step 4

Select the Root folder and click the Security button.

Step 5

Remove EVERYONE from the selection list then click the OK button.

Only give ALL rights to <machine>\Administrators.

More WMI Security Considerations

The WMI services are set to Manual startup by default. Third-Party Management agents use these services to capture system data. Do not disable WMI services unless required.

Perform DCOM security configuration in a manner that is consistent with your scripting environment. Refer to the WMI security documentation for more details on using DCOM security. For information on securing a remote WMI connection, see the Microsoft Developer Network article: http://msdn.microsoft.com/en-us/library/aa393266%28v=vs.85%29.aspx.

SNMP Hardening

Refer to the SNMP Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted for details on installation, setting the community names, usernames, and trap destinations.

Although the Microsoft Management and Monitoring Tools subcomponents are necessary for SNMP manageability, the Web Setup tool disables the Microsoft native SNMP service. A more secure agent infrastructure replaces the native Microsoft native SNMP service. Do not re-enable the Microsoft SNMP service. It can cause conflicts with the Cisco-installed SNMP agents.

Explicitly disable the Microsoft SNMP trap service. Do not run management software for collecting SNMP traps on contact center servers. This restriction makes the Microsoft SNMP trap service unnecessary.

Versions 1 and 2c of the SNMP protocol are less secure than Version 3. SNMP Version 3 features a significant step forward in security. For contact center hosts located on internal networks behind corporate firewalls, enable SNMP manageability by applying the following configuration and hardening:

  1. Create SNMP v1/v2c community strings or SNMP v3 usernames using a combination of upper, and lowercase characters. DO NOT use the common "public" and "private" community strings. Create names that are difficult to guess.

  2. Use of SNMP v3 is highly preferred. Always enable authentication for each SNMP v3 username. The use of a privacy protocol is also encouraged.

  3. Limit the number of hosts that are allowed to connect to SNMP manageable devices.

  4. Configure community strings and usernames on manageable devices to accept SNMP requests only from those hosts running SNMP management applications. (This configuration is done through the SNMP agent configuration tool when defining community strings and usernames.)

  5. Enable sending of SNMP traps for authentication failures. These traps alert you to potential attackers trying to "guess" community strings and usernames.

SNMP manageability is installed on contact center servers and is executing by default. However, for security reasons, SNMP access is denied until the previous configuration steps have been completed.

For greater security, you can configure IPsec filters and an IPsec policy for SNMP traffic between an SNMP management station and SNMP agents. Follow the Microsoft advice on how to configure the filters and policy. For more information on IPsec policy for SNMP traffic, see the Microsoft TechNet articles.

Toll Fraud Prevention

Toll fraud is a serious issue in the Telecommunications Industry. The fraudulent use of telecommunications technology can be expensive for a company, so the Telecom Administrator must take the necessary precautions to prevent fraud. For Unified CCE environments, resources are available at Cisco.com on how to lock down Unified CM systems and to mitigate against toll fraud.

In Unified ICM, the primary concern is in using dynamic labels in the label node of a Unified ICM script. If the dynamic label is constructed from information entered by a caller (such as with Run External Script), then constructing labels of the following form is possible:

  • 9.....

  • 9011....

  • And similar patterns

These labels can send the call to outside lines or even to international numbers. Some dial plans configured in the routing client can allow such numbers to go through. If the customer does not want such labels used, then the Unified ICM script must check for valid labels before using them.

A simple example is an ICM script that prompts the caller with "If you know your party's extension, enter it now,". The script then uses the digits entered blindly in a dynamic label node. This script might transfer the call anywhere. If you do not want this behavior, then either the Unified ICM routing script or the routing client's dial plan must check for and disallow invalid numbers.

An example of a Unified ICM script check is an "If" node that uses an expression such as:

substr (Call.CallerEnteredDigits, 1, 1) = "9"

The True branch of this node would then branch back to ask the caller again. The False branch would allow the call to proceed. This case is only an example. Each customer must decide what is and what is not allowed based on their own environment.

Unified ICM does not normally transfer calls to arbitrary phone numbers. Numbers have to be explicitly configured as legal destinations. Alternatively, the logic in the Unified ICM routing script can transfer the call to a phone number from a script variable. You can write scripts so that a caller enters a series of digits and the script treats it as a destination phone number, asking the routing client to transfer the call to that number. Add logic to such a script to make sure the requested destination phone number is reasonable.

Third-Party Security Providers

Cisco has qualified Unified ICM software with the Operating System implementations of NTLM, Kerberos V, and IPsec security protocols.

Note
Note

NTLMv1 is required on the Administration Server and Real-Time Data Server (AW) for integration of Cisco Finesse, Release 10.5. NTLMv2 is allowed with later versions of Cisco Finesse with Unified CCE, Release 10.5(x). Select the LAN Manager authentication level accordingly.

Cisco does not support other third-party security provider implementations.

Third-Party Management Agents

In their server operating system installations, some vendors include agents to provide convenient server management and monitoring.

Such agents can be valuable, but also impact performance. Cisco does not support their use on mission-critical Unified ICM/CCE servers.

Warning
Warning

Configure agents in accordance to the antivirus policies described in this document. Do not execute Polling or intrusive scans during peak hours, but rather schedule these activities for maintenance windows.

Note
Note

Install SNMP services as instructed by these third-party management applications to take full advantage of the management capabilities provided with your servers. Without SNMP, enterprise management applications do not receive hardware prefailure alerts. Unified CCE servers only support 32-bit extension agents.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco