Microsoft Baseline Security Analyzer
The Microsoft Baseline Security Analyzer (MBSA) checks computers running Microsoft Windows Server 2008 R2 for common security misconfigurations.
The following are the scanning options selected for Cisco Unified ICM Real-Time Distributor running one or more web applications (for example, Internet Script Editor or Agent-Reskilling).
• Windows operating system (OS) checks
• IIS checks
• SQL checks
• Security update checks
• Password checks
The report in this chapter shows example results of running the MBSA tool against a Cisco Unified ICM server that runs most Microsoft Server Applications that the tool supports.
• Security Update Scan Results
• Windows Scan Results
• Internet Information Services (IIS) Scan Results
• SQL Server Scan Results
• Desktop Application Scan Results
Security Update Scan Results
The following table provides an example of security update scan results:
Table 1: Security Update Scan Results
Issue | Result
Windows Security Updates | No critical security updates are missing.
IIS Security Updates | No critical security updates are missing.
SQL Server/MSDE Security Updates | Instance (default): No critical security updates are missing.
MDAC Security Updates | No critical security updates are missing.
MSXML Security Updates | No critical security updates are missing.
Office Security Updates | No Microsoft Office products are installed.
Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0
Windows Scan Results
The following table shows Windows scan results:
Table 2: Vulnerabilities
Issue | Result
Automatic Updates | Automatic Updates are managed through Group Policy on this computer.
Administrators | More than 2 Administrators were found on this computer. Note: You can ignore this event because the Cisco Unified ICM application requires the addition of certain groups to the Local Administrators group, which triggers this event. Review the Result Details and remove any known unnecessary accounts.
Password Expiration | Some user accounts (1 of 7) have nonexpiring passwords. Note: When the server is properly configured to require expiring passwords, this warning typically finds the Guest account to have a nonexpiring password even though the account is disabled. This warning can be ignored.
Windows Firewall | Windows Firewall is enabled and has exceptions configured. Windows Firewall is enabled on all network connections.
Local Account Password Test | Some user accounts (1 of 7) have blank or simple passwords, or could not be analyzed.
File System | All hard drives (1) are using the NTFS file system.
Autologon | Autologon is not configured on this computer.
Guest Account | The Guest account is disabled on this computer.
Restrict Anonymous | Computer is properly restricting anonymous access.
The following table provides more scan information:
Table 3: More System Information
Issue | Result
Auditing | Logon Success and Logon Failure auditing are both enabled.
Services | Some potentially unnecessary services are installed.
Shares | 2 shares are present on your computer.
Windows Version | Computer is running Windows Server 2008 R2 or greater.
Internet Information Services (IIS) Scan Results
The following table shows IIS scan results:
Table 4: Vulnerabilities
Issue | Result
IIS Lockdown Tool | The IIS Lockdown tool was developed for IIS 4.0, 5.0, and 5.1, and is not needed for new Windows Server 2008 R2 installations running higher versions of IIS.
Sample Applications | IIS sample applications are not installed.
IISAdmin Virtual Directory | IISADMPWD virtual directory is not present.
Parent Paths | Parent paths are not enabled.
MSADC and Scripts Virtual Directories | The MSADC and Scripts virtual directories are not present.
Table 5: Other System Information
Issue | Result
Domain Controller Test | IIS is not running on a domain controller.
IIS Logging Enabled | All web and FTP sites are using the default logging options.
SQL Server Scan Results
The following table shows SQL Server scan results:
Instance (default)
Table 6: Vulnerabilities
Issue | Result
Sysadmin role members | BUILTIN\Administrators group is part of sysadmin role. Note: This is acceptable because the Cisco Unified ICM application adds certain groups to the local Administrators account on the server which require dbo access to the database.
Sysadmins | No more than 2 members of sysadmin role are present.
Service Accounts | SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts are not members of the local Administrators group and do not run as LocalSystem.
Exposed SQL Server/MSDE Password | The “sa” password and SQL service account password are not exposed in text files.
Domain Controller Test | SQL Server and/or MSDE is not running on a domain controller.
SQL Server/MSDE Security Mode | SQL Server and/or MSDE authentication mode is set to Windows Only.
Registry Permissions | The Everyone group does not have more than Read access to the SQL Server and/or MSDE registry keys.
CmdExec role | CmdExec is restricted to sysadmin only.
Folder Permissions | Permissions on the SQL Server and/or MSDE installation folders are set properly.
Guest Account | The Guest account is not enabled in any of the databases.
SQL Server/MSDE Account Password Test | The check was skipped because SQL Server and/or MSDE is operating in Windows Only authentication mode.
Desktop Application Scan Results
The following table shows desktop application scan results:
Table 7: Vulnerabilities
Issue | Result
IE Zones | Internet Explorer zones have secure settings for all users.
IE Enhanced Security Configuration for Administrators | The use of Internet Explorer is restricted for administrators on this server.
IE Enhanced Security Configuration for Non-Administrators | The use of Internet Explorer is restricted for nonadministrators on this server.
Macro Security | No Microsoft Office products are installed.