CCE Security Best Practice Guide
Carlos Gonzales, CBABU Engineering Manager
BRKCCT-1041
Agenda
• Cisco Secure Development Lifecycle
• UCCE Security Best Practice Guide
• Security Reference Information
• PCI-DSS Guidance
• UCCE Security Update for 11.0
Cisco Secure Development Lifecycle (CSDL)
Purpose and Intent
• Provide awareness.
• Cisco Secure Development Lifecycle is an internal security baseline.
• CSDL is not intended to fulfill customer certification requirements.
• Security is a broad and endless topic; it cannot be covered fully in a 90 min. presentation.
Product Security Requirements
• Product Security Baseline (PSB)
  • Attack Surface Reduction / Documentation
  • Logging / Audit Infrastructure
  • Trusted Product Architecture
  • Credential / Password Controls
  • Traffic Controls
  • Processes
• Product Security Baseline 5.1
  • Privacy and Data Security
  • Secure Development
  • Application Security
  • Authentication and Authorization
  • Encryption
  • Infrastructure Security
  • Logging and Auditability
  • Vulnerability Management
  • Support and Operations
3rd Party Security
• Cisco Open Source Initiative (COSI)
  • Register libraries in IP Central
  • Establish a maintenance plan
  • Address known vulnerabilities
• Cisco IntelliShield Alert Manager (CIAM)
  • Register for alerts on any 3rd party code
Secure Design
• Threat Modeling
  • Identify system data flows and trust boundaries
  • Review auto-generated threats
  • Prioritize and implement mitigations
Secure Coding
• Cisco/CBABU Secure Coding Guidelines
• Use “SAFE” libraries
  • Cisco’s Safe C libraries
  • Open Web Application Security Project (OWASP)
  • Enterprise Security API (ESAPI) Toolkit
Security Awareness/Training/Emphasis
• Cisco White/Green/Black Belt Ninja Training
• Annual Security Conference
Static Analysis
• Tools
  • Coverity for C/C++
  • Jtest or Sonar for Java
• 70+ rule checks for code inspection
• Automated as part of the build and Continuous Integration
Vulnerability Testing
• Fuzz testing
  • All protocols implemented in the product
  • All ports and services
• Cisco Internal VT Tool
• Codenomicon for Protocol Robustness Testing
• IBM Rational AppScan for Application VT
Takeaways
• CBABU is working hard to secure the application in the solution. Performing application security work increases product quality and decreases TCO.
• Cisco CSDL is the practice in CBABU and within the Cisco development community.
• Security Baseline, Threat Modeling, COSI, Coding Best Practice (SA and Secure Coding) and Vulnerability Testing are the key elements in securing the CCE application.
UCCE Security Best Practice Guide
Purpose and Intent
• Provide the current published security strategy for CCE.
• References for CUCM, IOS, UCS, and other products are found in the appendix.
• Active Directory and GPO information is found in the appendix.
• The intent is to start a discussion through feedback and use cases, to build a solid security story in the long run.
UCCE Security Best Practice Guide 10.0(1)/10.5
• Deployment Coverage: UCCE
• Not Covered: Finesse, CVP, CUIC/LiveData, MediaSense, UCS, CUCM, Nexus Switches, IOS, Unified EIM/WIM, RSM, etc.
• OS Covered: Windows Server 2008 R2
• Enabling CTI OS Security and IPSec has a scalability impact. See the design guide for details.
CCE Encryption Support
• Application user and contact center agent passwords are stored in the Logger databases as well as the Distributor databases as an RSA MD5 Message-Digest Algorithm hash.
• The passwords are passed as MD5 hashes, as opposed to clear text, between Router/Logger and PG.
• Data sent in Call Variables or Expanded Call Context (ECC) variables relies on the IPSec between servers running Windows 2008 R2.
• IPSec between CUCM and the Agent PG is supported.
  • Use SHA-1 as the integrity algorithm and 3DES as the encryption algorithm.
  • For Internet Key Exchange (IKE), use at least Diffie-Hellman Group 2 for a 1024-bit key.
  • A Diffie-Hellman 2048-bit key is also supported if processing and compute resources are available.
• By default, ISE, Web Setup, and Agent Re-Skilling support the TLS v1.0 protocol using the OpenSSL library. They use 128-bit SSL encryption in Microsoft Internet Information Services (IIS).
CCE Encryption Support - Continued
• CTIOS and CAD implement the TLS v1.0 protocol using the OpenSSL libraries between Agent Desktop and CTI Object Server.
• The cipher suite uses Diffie-Hellman for key exchange, RSA for authentication, AES (128-bit) for encryption, and SHA1 as the message digest algorithm. This is not enabled by default, and scaling needs to be considered when security is enabled.
• For the SNMP service, CCE supports SNMPv1, 2c, and 3, with SHA-1 as the message digest algorithm and the following for encryption: 3DES, AES-192, and AES-256.
• At the deployment level, CCE supports Cisco IOS IPSec in Tunnel Mode with HMAC-SHA1 authentication (ESP-SHA-HMAC) and 3DES encryption (ESP-3DES).
• Encryption needs to be enabled between devices through tunnel mode.
RSA MD5 Hash and IPSEC between CCE Components
[Diagram: Router, Logger/Rogger, AW/HDS/DDS, Campaign Manager, SIP Dialer, MR PG, Generic PG (CUCM PIM, VRU PIMs), CTI Server, CTI OS, and CUCM (JTAPI). Labels: MD5 hash of agent information in the DB; MD5 hash transmitted over an unencrypted wire; IPSEC Tunnel Mode; IPSEC Transport Mode or Tunnel Mode; HTTPS (TLS 1.0) for Finesse, CTIOS, and CAD; HTTPS (TLSv1.0) for ISE, WebSetup, and Agent Reskilling; SNMPv3.]
CCE IPSec Overview
• CCE supports IPSec Tunnel Mode (Layer 3) between the Central Controller and remote Peripheral Gateways using Cisco IOS gateways as IPSec peers.
• CCE also supports IPSec in Transport Mode (Layer 4) via the Windows Server 2008 R2 OS to secure server-to-server communications:
  • Between NAM Router and CICM Router
  • Between Public/Private Connections of a Router/Logger pair.
  • Between Public/Private Connections of a PG pair.
  • All connections between the Router and the PG.
  • All connections between the Router/Logger and the AW/HDS.
  • All connections between the CUCM and the Agent PG (via AD/Kerberos).
  • MRPG connections to Multi-Channel Systems (i.e. SocialMiner or EIM/WIM) are tunneled via IOS Gateways.
Clustering over the WAN Deployment Example – Tunnel Mode
[Diagram: RLG Side A and RLG Side B, each with Public/Private connections to PG Side A and PG Side B; the links are labelled IPSEC Tunnel Mode.]
Cluster over the WAN Deployment Example – Transport Mode
[Diagram: the same RLG Side A/B and PG Side A/B topology; the links are labelled IPSEC Transport Mode (via AD Kerberos authentication or x.509 certificate).]
IPSec Network Isolation Utility Overview
• A tool that automatically sets a preconfigured policy to/from each CCE server.
• CLI (c:\CiscoUtils\NetworkIsolation\cscript) or Security Wizard deployment.
• Each server shares the same policy and can be configured to accept exceptions.
• Trusted Devices are devices with the IPSec policy configured:
  • Router, Logger, PG(s), AW/HDS, CTIOS
  • Sets Trusted components using authentication and optional encryption between Trusted devices. Untrusted devices are denied unless they are classified as a Boundary device. Each Trusted device has its own list of Boundary devices, defined as an IP address, IP subnet, or IP/port address. Boundary devices are configured manually.
• Boundary Devices do not have the IPSec policy but are allowed access to Trusted Devices:
  • Domain Controller, Serviceability servers, NTP, Unified CM, Gateways, CTI OS Desktops, etc.
  • No configuration is needed on Boundary devices.
IPSec Network Isolation Utility Tips
• If remotely provisioning, make sure the host you are using is in the boundary list.
• AD/DNS and NTP need to be in the boundary list of all trusted devices.
• Adding new devices or changing the pre-shared key requires a change to the IPSec policy.
• Enable encryption on ALL or NONE of the Trusted Devices.
• Do not use the Windows IPSec MMC plug-in. The Network Isolation Utility tool creates and manages its own changes.
• If behind a firewall, allow port 50 (ESP) and UDP source/destination port 5000 (IKE).
• If using NAT, allow UDP port 4500 (UDP-ESP encapsulation).
IPSec Network Isolation Utility Deployment Example
Step 1: Fully functional Unified CCE system with no existing IPSec Policy.
Step 2: Run the Network Isolation Utility on Router/Logger and AW/HDS. Set the IPSec Policy on each server and on boundary devices such as serviceability devices, AD/DNS, etc.
Step 2: Put PGs as Trusted Devices and then put clients, UCM, or ACD servers as boundary devices to the PG.
Network Isolation Utility Troubleshooting
• Disable the policy.
• Verify the IP address or port is in the boundary device list.
• Verify there were no changes in the boundary device list.
• Verify that the device is not configured as both a Trusted and a Boundary device.
• Verify that encryption is set to ALL or NONE.
• Verify that the Microsoft MMC did not change the IPSec policy set by the tool.
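The Trusted/Boundary model, the tips and the troubleshooting list above translate into checks that can be run against a planned device list before the utility touches a server. The script below is an added example, not part of the Cisco Network Isolation Utility; it assumes IPv4 only, Boundary entries written as "ip", "ip/prefix" or "ip:port", and a caller-supplied list of the AD/DNS and NTP addresses and of the ALL/NONE encryption choice per Trusted device (all names and addresses are hypothetical).

```powershell
# Added example, not part of the Cisco Network Isolation Utility: a pre-check of a
# planned Trusted/Boundary list against the tips and troubleshooting items above.
# Assumptions (all hypothetical): IPv4 only; Boundary entries are "ip", "ip/prefix"
# or "ip:port"; the caller supplies the AD/DNS and NTP addresses; the Encryption
# hashtable maps each Trusted device to 'ALL' or 'NONE'.

function ConvertTo-UInt32Address {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($b)                        # network order -> little-endian
    return [BitConverter]::ToUInt32($b, 0)
}

function Test-IPv4InSubnet {
    param([string]$Address, [string]$Cidr)
    $net, $prefix = $Cidr.Split('/')
    # prefix 24 -> 0xFFFFFF00, prefix 0 -> 0, prefix 32 -> 0xFFFFFFFF (no shift operators, PS 2.0 safe)
    $mask = [uint32]([long]4294967296 - [long][math]::Pow(2, 32 - [int]$prefix))
    $a = (ConvertTo-UInt32Address $Address) -band $mask
    $n = (ConvertTo-UInt32Address $net) -band $mask
    return ($a -eq $n)
}

function Test-BoundaryEntryMatch {
    # Does one Boundary entry ("ip", "ip/prefix" or "ip:port") cover this peer?
    param([string]$Entry, [string]$Address, [int]$Port = 0)
    if ($Entry -match '^([\d.]+)/(\d{1,2})$') { return (Test-IPv4InSubnet -Address $Address -Cidr $Entry) }
    if ($Entry -match '^([\d.]+):(\d+)$') { return (($Matches[1] -eq $Address) -and ([int]$Matches[2] -eq $Port)) }
    return ($Entry -eq $Address)
}

function Get-PeerDisposition {
    # Model of the policy: Trusted peers must use IPSec, Boundary peers pass in the
    # clear, everything else is dropped.
    param([string[]]$Trusted, [string[]]$Boundary, [string]$Address, [int]$Port = 0)
    if ($Trusted -contains $Address) { return 'Trusted (IPSec)' }
    foreach ($e in $Boundary) {
        if (Test-BoundaryEntryMatch -Entry $e -Address $Address -Port $Port) { return "Boundary (clear, matched '$e')" }
    }
    return 'Denied'
}

function Test-NetworkIsolationPlan {
    param(
        [string[]]$Trusted,              # servers that will receive the IPSec policy
        [string[]]$Boundary,             # manually configured exceptions
        [string[]]$InfrastructureHosts,  # AD/DNS and NTP: must be Boundary on every Trusted device
        [string]$ProvisioningHost,       # host the utility is run from, '' when run locally
        [hashtable]$Encryption           # Trusted device -> 'ALL' or 'NONE'
    )
    $findings = @()
    foreach ($t in $Trusted) {
        foreach ($e in $Boundary) {
            if (Test-BoundaryEntryMatch -Entry $e -Address $t) {
                $findings += "$t is a Trusted device but Boundary entry '$e' also covers it"
            }
        }
        if (-not $Encryption.ContainsKey($t)) { $findings += "No encryption setting recorded for Trusted device $t" }
    }
    foreach ($h in $InfrastructureHosts) {
        if ((Get-PeerDisposition $Trusted $Boundary $h) -eq 'Denied') {
            $findings += "AD/DNS or NTP host $h is missing from the Boundary list"
        }
    }
    if ($ProvisioningHost -and (Get-PeerDisposition $Trusted $Boundary $ProvisioningHost) -eq 'Denied') {
        $findings += "Provisioning host $ProvisioningHost would lock itself out: add it as a Boundary device"
    }
    $modes = @($Encryption.Values | Sort-Object -Unique)
    if ($modes.Count -gt 1) { $findings += "Encryption must be ALL or NONE on every Trusted device; found $($modes -join ' and ')" }
    return $findings
}

# Constructed sample plan (all addresses made up)
$trusted    = '10.10.1.11', '10.10.1.12', '10.10.2.21'                           # Rogger A/B, PG A
$boundary   = '10.10.0.10', '10.10.0.11', '10.10.50.0/24', '10.10.0.60:161'      # DC, NTP, CTI OS desktops, SNMP manager
$encryption = @{ '10.10.1.11' = 'ALL'; '10.10.1.12' = 'ALL'; '10.10.2.21' = 'NONE' }

Test-NetworkIsolationPlan -Trusted $trusted -Boundary $boundary -InfrastructureHosts '10.10.0.10', '10.10.0.11' `
    -ProvisioningHost '10.10.9.9' -Encryption $encryption
# Reports the provisioning host (Denied) and the mixed ALL/NONE encryption setting.
Get-PeerDisposition $trusted $boundary '10.10.50.77'        # Boundary (clear, matched '10.10.50.0/24')
Get-PeerDisposition $trusted $boundary '10.10.0.60' 161     # Boundary (clear, matched '10.10.0.60:161')
Get-PeerDisposition $trusted $boundary '10.10.0.60' 22      # Denied: only port 161 is an exception for that host
```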
Branch, Remote, & Home Office Deployment
Latency:
• Not to exceed 400ms RTT
Bandwidth Considerations:
• RTP Stream
• UCM Signaling to IP Phones
• CTI Data (Agent Desktop Traffic)
• ISE Client to ISE Server
• Administration Client
• CUIC Client to Server Traffic
• Recording RTP
• Music On Hold
Home Office w/ Broadband Considerations
• Minimum supported bandwidth: 256 kbps upload / 1.0 Mbps download.
• Cisco Virtual Office 88x Series Router for Secure VPN, Firewall, Content Filtering, etc.
  • http://www.cisco.com/c/en/us/products/routers/888-integrated-services-router-isr/index.html
• Mobile Agent latency must not exceed 150 ms RTT; jitter must not exceed 60 ms.
• Firewall Configuration for Mobile Agent – verify that the firewall is not blocking the media stream.
  • In a nailed-up connection, the firewall idle timeout should be longer than the nailed connection mode timeout value. If not, the media stream will be blocked by the firewall.
ASA 5500 SSL/IPSec VPN Enterprise
• Wide range of options, from the ASA 5505 supporting 25 concurrent sessions to the ASA 5585-S60 supporting 10,000 concurrent connections.
• With ASA Software Release, customers can combine up to eight Cisco ASA 5580 or 5585-X Adaptive Security Appliance firewall modules into a single cluster for up to 128 Gbps of real-world throughput (320 Gbps max) and more than 50 million concurrent connections.
• Supports Cisco AnyConnect.
• For more information:
  • http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/models-comparison.html#~tab-a
  • http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/prod_brochure0900aecd80402e39.html
  • http://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-appliance-asa-software/data_sheet_c78-714849.html
  • http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/data_sheet_c78-527494.html
NAT Support
• Supported: IP Phones, Remote PG from the Central Controller via NAT router, Agent Desktop.
• Not Supported: CTIOS Agent Desktop with Silent Monitoring and Recording.
• Sniffing packets: Call Center IP scheme (local) vs. Datacenter IP scheme (NAT); the CTIOS Server detects the NAT IP, which is not the local AD IP, in order for the sniffing to work.
• IPSec NAT Transparency enables IPSec to travel through NAT/PAT, which is automatically detected and negotiated using NAT-T. Use Cisco IOS 12.2(13)T or later, and both end VPN devices must be NAT-T capable.
• No NAT between MediaSense and other systems.
• Finesse supports basic NAT between server and clients.
Unified Contact Center Security Wizard
• GUI interface that enables you to configure the following:
  • Windows Server 2008 R2 Firewall Utility
  • IPSec Network Isolation Utility
  • Automated SQL 2008 R2 Hardening Utility
• Run via %SYSTEMDRIVE%\CiscoUtils\UCCSecurityWizard or START > PROGRAMS > Cisco Unified CCE Tools > Security Wizard.
• Relies on the CLI tools being installed.
• Needs to run after the CCE environment has been configured and is working properly.
SQL Server Hardening
• Top SQL Hardening Considerations:
  • Do not install SQL Server on an Active Directory Domain Controller.
  • Install the latest applicable SQL Server service pack and security updates.
  • Set a strong password for the “sa” account before installing ICM.
  • Always install the SQL Server service to run using a least-privilege account. Never install SQL Server to run using the built-in Local System account.
  • Apply a strict password policy and do not set the password to expire. If it expires, the SQL Server service and the Administration & Data Server fail.
  • Mixed mode authentication is enforced through the SQL Server 2008 R2 automated hardening.
  • During web setup, if the “sa” password is blank, an auto-generated strong password is used.
SQL Server Hardening
SQL Server password and account setting minimum recommendations:
SETTING                               VALUE
Enforce Password History              24 passwords remembered
Minimum Password Length               12 characters
Password Complexity                   Enabled
Minimum Password Age                  1 day
Account Lockout Duration              15 minutes
Account Lockout Threshold             3 invalid logon attempts
Reset Account Lockout Counter After   15 minutes
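The table above maps onto the Windows account policy that applies to the SQL Server host, which secedit can export. The script below is an added example, not Cisco's code: it exports the effective local security policy and compares each value with the table's minimum; it assumes an elevated PowerShell on the SQL Server host (on a domain member the exported values are the ones the domain GPO delivered).

```powershell
# Added example, not Cisco's code: exports the effective local security policy with
# secedit and compares it with the minimums in the table above. Assumed: run from an
# elevated PowerShell on the SQL Server host; on a domain member the exported values
# are the ones the domain GPO delivered, so run gpupdate first if policy just changed.
function Get-LocalSecurityPolicyValues {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit /export /cfg $cfg /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed (not elevated?)' }
    $policy = @{}
    foreach ($line in Get-Content $cfg) {
        # [System Access] entries look like "MinimumPasswordLength = 12"
        if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $policy[$Matches[1]] = [int]$Matches[2] }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $policy
}

function Test-SqlAccountPolicy {
    param([hashtable]$Policy = (Get-LocalSecurityPolicyValues))
    # secedit key, minimum from the table, and the table's wording
    $rows = @(
        @{ Key = 'PasswordHistorySize';   Min = 24; Setting = 'Enforce Password History (passwords remembered)' },
        @{ Key = 'MinimumPasswordLength'; Min = 12; Setting = 'Minimum Password Length (characters)' },
        @{ Key = 'PasswordComplexity';    Min = 1;  Setting = 'Password Complexity (1 = enabled)' },
        @{ Key = 'MinimumPasswordAge';    Min = 1;  Setting = 'Minimum Password Age (days)' },
        @{ Key = 'LockoutDuration';       Min = 15; Setting = 'Account Lockout Duration (minutes)' },
        @{ Key = 'ResetLockoutCount';     Min = 15; Setting = 'Reset Account Lockout Counter After (minutes)' }
    )
    $report = @()
    foreach ($r in $rows) {
        $actual = $Policy[$r.Key]
        # secedit writes -1 for "locked until an administrator unlocks", which is stricter than 15 minutes
        $ok = ($actual -ne $null) -and (($actual -ge $r.Min) -or ($r.Key -eq 'LockoutDuration' -and $actual -eq -1))
        $report += New-Object PSObject -Property @{ Setting = $r.Setting; Required = "$($r.Min)+"; Actual = $actual; Compliant = $ok }
    }
    # The lockout threshold is a maximum, and 0 means accounts never lock out
    $t = $Policy['LockoutBadCount']
    $report += New-Object PSObject -Property @{
        Setting = 'Account Lockout Threshold (invalid logon attempts)'; Required = '1-3'; Actual = $t
        Compliant = (($t -ne $null) -and ($t -ge 1) -and ($t -le 3))
    }
    return $report
}

Test-SqlAccountPolicy | Format-Table Setting, Required, Actual, Compliant -AutoSize
```

The "do not set the password to expire" item is an account-level flag on the SQL service account rather than a policy value, so it is not in the table the script checks.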
Automated SQL 2008 R2 Hardening
• Hardens or rolls back the SQL Server security on Logger and AW/HDS.
• Utility location: %SYSTEMDRIVE%\CiscoUtils\SQLSecurity
• The current SQL Server configuration is backed up and saved at: <ICMInstallDrive>:\CiscoUtils\SQLSecurity\ICMSQLSecurity.bkp
• CLI
  • To harden: “Perl ICMSQLSecurity.pl HARDEN”
  • To roll back: “Perl ICMSQLSecurity.pl ROLLBACK”
  • Log: %SYSTEMDRIVE%\CiscoUtils\SQLSecurity\Logs\ICMSQLSecurity.log
• By default, without hardening, SQL Server 2008 R2 disables the VIA endpoint and limits the Dedicated Administrator Connection (DAC) to local access.
• Enable only the Named Pipes and TCP/IP endpoints during setup for ICM/CCE. Named Pipes has higher priority than TCP/IP. By default, other protocols are enabled (i.e. Shared Memory, VIA, etc.).
Automated SQL 2008 R2 Hardening
• Hardening performs the following:
  • Enforces mixed mode authentication.
  • Verifies that Named Pipes (np) is listed before TCP/IP (tcp) in the SQL Server Client Network Protocol Order.
  • Disables the SQLWriter, SQLBrowser, and MSSQLServerADHelper100 services.
  • Forces a password on the SQL Server user ‘sa’ if it is found blank.
• Rollback does not remove the following:
  • SQL Server security mode is set to Windows Only Authentication.
  • SQL Server “sa” is set to a random password.
  • SQLVSSWriter, SQLBrowser, and MSSQLServerADHelper100 services are disabled.
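After HARDEN or ROLLBACK it is useful to confirm the resulting state independently of the utility's own log. The script below is an added example, not part of ICMSQLSecurity.pl: a read-only check of the four hardening items above. It assumes the SQL Server 2008 R2 default instance (registry key MSSQL10_50.MSSQLSERVER; pass -InstanceKey for a named instance), that the client protocol order lives under the SQL Native Client 10 key SNI10.0, and that sqlcmd is on PATH with the caller a sysadmin over Windows authentication (PWDCOMPARE needs that to read the 'sa' hash).

```powershell
# Added example, not part of ICMSQLSecurity.pl: read-only check of the hardening
# items above. Assumptions: default instance key MSSQL10_50.MSSQLSERVER; client
# protocol order under SNI10.0 (SQL Native Client 10); sqlcmd on PATH and run by a
# sysadmin over Windows authentication so PWDCOMPARE can read password_hash.
function Get-SqlHardeningState {
    param([string]$InstanceKey = 'MSSQL10_50.MSSQLSERVER', [string]$Server = '.')
    $findings = @()

    # 1. Authentication mode: LoginMode 1 = Windows only, 2 = mixed mode
    $srv = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceKey\MSSQLServer"
    $loginMode = (Get-ItemProperty -Path $srv -Name LoginMode -ErrorAction Stop).LoginMode
    if ($loginMode -ne 2) { $findings += "LoginMode is $loginMode; HARDEN sets 2 (mixed mode)" }

    # 2. Client protocol order: np must come before tcp, and only those two should be listed
    $cli = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\SNI10.0'
    $raw = (Get-ItemProperty -Path $cli -Name ProtocolOrder -ErrorAction SilentlyContinue).ProtocolOrder
    $order = @($raw | Where-Object { $_ })              # REG_MULTI_SZ -> string array, empty if missing
    $np = [Array]::IndexOf($order, 'np'); $tcp = [Array]::IndexOf($order, 'tcp')
    if ($np -lt 0 -or ($tcp -ge 0 -and $tcp -lt $np)) {
        $findings += "Client protocol order is '$($order -join ',')'; np must precede tcp"
    }
    foreach ($p in $order) {
        if ('np', 'tcp' -notcontains $p) { $findings += "Extra client protocol enabled: $p" }
    }

    # 3. Services that hardening disables
    $services = @()
    foreach ($name in 'SQLWriter', 'SQLBrowser', 'MSSQLServerADHelper100') {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        $mode = if ($svc) { $svc.StartMode } else { 'not installed' }
        $services += New-Object PSObject -Property @{ Service = $name; StartMode = $mode }
        if ($svc -and $svc.StartMode -ne 'Disabled') { $findings += "$name is $($svc.StartMode), expected Disabled" }
    }

    # 4. Blank 'sa' password: PWDCOMPARE against the empty string returns 1 when it matches
    $query = "SET NOCOUNT ON; SELECT name FROM sys.sql_logins WHERE name = 'sa' AND PWDCOMPARE('', password_hash) = 1"
    $blank = & sqlcmd -S $Server -E -h -1 -W -Q $query 2>$null
    if (@($blank) -contains 'sa') { $findings += "'sa' has a blank password" }

    return New-Object PSObject -Property @{
        LoginMode = $loginMode; ProtocolOrder = ($order -join ','); Services = $services; Findings = $findings
    }
}

$state = Get-SqlHardeningState
if ($state.Findings.Count -eq 0) { 'SQL Server state matches the HARDEN list.' } else { $state.Findings }
```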
SSL Encryption Utility – IIS Security
• Only supported on Windows 2008 R2.
• SSLUtil.exe – helps with the task of configuring web servers for use with SSL (HTTPS). Can be invoked standalone or automatically as part of setup.
• Located in the <ICMInstallDrive>\icm\bin folder.
• Log: <SystemDrive>\temp\SSLUtil.log
• Performs the following:
  • SSL Configuration
  • SSL Certificate Administration
  • Available only on ICM Web Applications running on Windows Server 2008 R2:
    • Internet Script Editor (ISE)
    • Agent Re-Skilling
SSL Encryption Utility
• Do not use the IIS security setup and the utility at the same time.
• If the IIS SSL port is blank, the utility sets the IIS port to 443.
• Certificate Administration:
  • Creates self-signed certificates.
  • Installs the self-signed certificate in IIS.
  • Removes a certificate from IIS.
  • Generates certificates via OpenSSL.
  • Manages certificates – if one already exists, it does not create a new one but logs an entry.
  • Enables Virtual Directories and configures them for 128-bit encryption.
Secured Endpoints – SRTP
• Unified CCE supports Unified Communications Manager’s Authenticated Device Security Mode.
• CTI OS and CAD support TLS encryption to the server.
• Cisco Finesse supports HTTPS for the Administration Console and the Agent and Supervisor Desktops.
• HTTPS is not supported for Agent and Supervisor Desktops in large deployments (over 1000 agents).
• Unified CVP VXML Browser does not support Secure Real-Time Transport Protocol (SRTP).
• UCCE does not support SRTP when using SPAN-based Silent Monitoring.
• Mobile Agent does not support SRTP.
• Outbound Option does not support SRTP.
• RSM SimPhone does not support SRTP.
Active Directory Guidance
• Use Case 1: Administration users and agent supervisors moving to another OU in the same domain.
  • No impact as long as the native services (Logger/Distributor) are not moved.
  • Drag and drop using the MSFT AD Users and Computers tool.
• Use Case 2: Changing the AD structure but staying in the same domain.
  • Supported, and the most common activity.
  • Stop all services and use the MSFT AD Users and Computers tool.
• Use Case 3: Migration to a new domain.
  • Create a new Cisco_ICM root OU – DO NOT COPY from the old to the new target domain (not supported).
Check out the Appendix and Staging Guide for more details.
GPOs
• Most Group Policy restrictions do not apply to nor affect the Cisco root OU.
  • The Cisco_ICM OU structure does not contain any servers and only contains service account users in the Instance OU.
• Applying GPOs to an OU:
  • Indirectly, via top-down inheritance from a higher-level OU or the domain root.
  • Directly, linked within the OU.
• Block Policy Inheritance (Indirect GPO):
  • Prevents higher-level policies from applying to users and computers within a site, domain, or OU.
  • This can be overridden if higher-level policies have the “Enforced” option checked.
Check out the Appendix and Staging Guide for more details.
Put it all together…
[Diagram: the CCE components from the earlier figure (Router, Logger/Rogger, AW/HDS/DDS, Campaign Manager, SIP Dialer, MR PG, Generic PG with CUCM PIM and VRU PIMs, CTI Server, CTI OS, CUCM/JTAPI), each marked CSDL, with the protections overlaid: SNMPv3; Active Directory GPO direct/indirect policy; Router ACL and AAA configuration; IPSEC Tunnel Mode; IPSEC Transport Mode or Tunnel Mode; MD5 hash of agent information in the DB and MD5 hash transmitted over an unencrypted wire; remote agents on Finesse/CTIOS (HTTPS, SSL/TLS1.0) via AnyConnect VPN or Cisco CVO 88x with client SSL certificates and anti-virus protections; premise agents on Finesse/CTIOS (HTTPS, SSL/TLS1.0) with certificates and anti-virus protections; administrators on ISE, WebSetup, and Agent Reskilling (HTTPS, TLSv1.0).]
Security Reference Links
Security Guides
• CUCM 10.0(1) Security Guide
  • http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100.html
• CUCM Phone Security
  • http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_0110.html
• CTI/JTAPI Security
  • http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_010111.html
Security Guides
• UCS
  • https://supportforums.cisco.com/document/111121/securing-and-hardening-cisco-ucs-systems
• IOS
  • http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
• Best Practice for Securing Microsoft Active Directory
  • http://www.microsoft.com/en-us/download/details.aspx?id=38785
• REST/JSON Security
  • https://www.youtube.com/watch?v=FeSdFhsKGG0
• VMWARE
  • http://www.vmware.com/security/hardening-guides.html
• Windows Firewall Administration
  • http://technet.microsoft.com/en-us/library/cc739696(v=WS.10).aspx
PCI-DSS Guidance
“PCI-DSS compliance requires corporate policy and operational practice in addition to product features, so customers that are crafting PCI-DSS compliant systems should plan to provide those in addition to security features that are needed to achieve compliance in their specific deployment.”
– CCE Product Manager
PCI-DSS Guidance
Future PCI Guidance Whitepaper Location: https://communities.cisco.com/community/partner/collaboration/contactcenter
High Level Requirement: Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
   Cisco UCCE Enterprise Position: Use Cisco Firewall products to secure the network.
   Reference Information: http://www.cisco.com/c/en/us/products/security/firewalls/index.html
2. Do not use vendor-supplied defaults for system passwords and other security parameters
   Cisco UCCE Enterprise Position: The CCE Security Guide recommends using strong custom passwords for SQL and other accounts.
   Reference Information: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_10_5_1/Configuration/Guide/UCCE_BK_S02F26FD_00_security-best-practices-guide-cce.html
High Level Requirement: Protect Cardholder Data
3. Protect stored cardholder data
   Cisco UCCE Enterprise Position: Customers should use PCI-certified 3rd party data storage devices to store sensitive customer information. PCI-certified 3rd party storage devices are beyond the scope of Cisco UCCE documentation or guidelines. It is also best practice to only hold cardholder data in memory for the real-time transaction and not store it permanently in any database. Cardholder data should also be stored only partially (last four digits) for tracking purposes. Lastly, call recording should be disabled when cardholder data is being discussed.
   Reference Information: Specific Customer Enterprise Implementation
4. Encrypt transmission of cardholder data across open, public networks
   Cisco UCCE Enterprise Position: The CCE Security Guide recommends using Transport or Tunnel IPSEC in order to encrypt data.
   Reference Information: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_10_5_1/Configuration/Guide/UCCE_BK_S02F26FD_00_security-best-practices-guide-cce.html
High Level Requirement: Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
   Cisco UCCE Enterprise Position: The CCE Security Guide documents Anti-Virus Guidelines, Chapter 9.
   Reference Information: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_10_5_1/Configuration/Guide/UCCE_BK_S02F26FD_00_security-best-practices-guide-cce.html
6. Develop and maintain secure systems and applications
   Cisco UCCE Enterprise Position: CBABU implements the Cisco Secure Development Lifecycle (CSDL) to develop secure systems and applications. Using 3rd party software for protection and monitoring is allowed, but the Cisco 3rd party software policy should be followed. Lastly, for Windows-based patches, customers should follow Microsoft guidelines when applying updates. This does not include Service Packs.
   Reference Information: http://www.cisco.com/c/en/us/products/collateral/customer-collaboration/unified-ip-interactive-voice-response-ivr/prod_bulletin09186a0080207fb9.html; http://www.cisco.com/c/en/us/products/collateral/customer-collaboration/unified-contact-center-enterprise/product_bulletin_c25-455396.html
PCI-DSS Guidance
Future Whitepaper Location: https://communities.cisco.com/community/partner/collaboration/contactcenter
High Level Requirement: Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
   Cisco UCCE Enterprise Position: Due to the integration of Active Directory supervisors and administrators, user credentials are limited to the inherited privileges set in the AD Organizational Unit, Group Policy, and/or User Policy. Please review the UCCE Staging Guide.
   Reference Information: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/UCCE_BK_S737967D_00_staging-guide-for-cisco-unified.html
8. Identify and authenticate access to system components
   Cisco UCCE Enterprise Position: The UCCE system components have the capability to identify and authenticate access via agent and AD credentials in order to identify, trace, and account for user access to the system.
   Reference Information: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_10_5_1/Administration/UCCE_BK_S0A920A1_00_ucce-administration-guide.html
9. Restrict physical access to cardholder data
   Cisco UCCE Enterprise Position: Use Cisco Connected Safety and Security.
   Reference Information: http://www.cisco.com/c/en/us/products/physical-security/index.html
High Level Requirement: Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
   Cisco UCCE Enterprise Position: Use Cisco Cloud and Systems Management - Network Management for IT Organizations products, such as Cisco Prime Infrastructure and Prime Collaboration. In addition, Cisco UCCE supports Audit Trail/Report and Syslog functionality.
   Reference Information: http://www.cisco.com/c/en/us/products/cloud-systems-management/index.html
11. Regularly test security systems and processes
   Cisco UCCE Enterprise Position: Customers should implement security policies, processes, and testing activities in order to improve the enterprise security integrity. This topic is beyond the scope of Cisco UCCE documentation and guidelines. The UCCE Security Best Practice Guide should be considered as a component of an overall Enterprise solution.
   Reference Information: Specific Customer Enterprise Policy
High Level Requirement: Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
   Cisco UCCE Enterprise Position: Customers should implement security policies, processes, and testing activities in order to improve the enterprise security integrity. This topic is beyond the scope of Cisco UCCE documentation and guidelines. The UCCE Security Best Practice Guide should be considered as a component of an overall Enterprise solution.
   Reference Information: Specific Customer Enterprise Policy
Security Update for 11.0
CCE Security Update – 11.0
• Windows 2012 and SQL 2014 Platform Update
• REST API – SQL Column Encryption – AES 256-bit
• Security Hardening Update
• GPO Documentation Publication
• VOS 10.5 Update
• Antivirus Software Updates
• Tomcat and JRE/JVM Update
• Struts Update
• SQL Rule and Code Update
• OpenSSL Update
• Bash Shell and GlibC Update
Appendix: Extra CCE Security Materials
Windows 2008 R2 Firewall
• Stateful firewall – drops packets that are unsolicited.
• Disabled by default on SP1, but new installs have it enabled.
• Remote configuration is not recommended.
• “Cscript” or ConfigFirewall.bat is used to configure the firewall for CCE applications. It uses the CiscoICMfwConfig_exc.xml file.
• The CiscoICMfwConfig_exc.xml file contains: Allowed Services, Open Ports, and Excluded Applications.
• Verify it using the START > SETTINGS > CONTROL PANEL > WINDOWS FIREWALL tool.
• The Exceptions and Inbound/Outbound Rules tabs show the configuration settings based on the .xml file.
• Use the “Ntfrsutl” and “Portqry” tools to test and validate connectivity between two Domain Controllers with the firewall configured.
• Undo Firewall Settings:
  • Stop all applications.
  • Use %SYSTEMDRIVE%\CiscoUtils\FirewallConfig\UndoConfigFirewall.bat
  • Reboot the server.
Windows Server 2008 R2 Firewall Ports
Reference the “Port Utilization Guide” in order to determine the CCE ports that need to be open for your firewall configuration.
Server Port       Protocol    Services
135               TCP         RPC (RPC Connector Helper)
137               TCP/UDP     NetBIOS Name
138               UDP         NetBIOS NetLogon and Browsing
139               TCP         NetBIOS Session
123               UDP         NTP
389               TCP/UDP     LDAP
636               TCP         LDAP SSL
3268              TCP         LDAP GC
3269              TCP         LDAP GC SSL
42                TCP         WINS Replication
53                TCP/UDP     DNS
88                TCP/UDP     Kerberos
445               TCP/UDP     SMB over IP (Microsoft-DS)
10000             TCP         RPC NTFRS
10001             TCP         RPC NTDS
10002 to 10200    TCP         RPC – Dynamic High Open Ports
Domain Controller (DC) in the DMZ
• When deploying a DC in the Demilitarized Zone (DMZ), we recommend the following:
  • Restrict File Replication Service (FRS) to a specific static port.
  • Restrict Active Directory replication traffic to a specific port.
  • Configure Remote Procedure Call (RPC) port allocation.
Security Monitoring
• IP Security Monitor (ipsecmon) – monitors IPSec traffic.
• Network Monitor (netmon) – captures frames sent to/from the server.
• System Monitoring (perfmon) – system performance data and network activity – see pg. 11 for recommended counters.
• Enable IPSec logging:
  • \\System\CurrentControlSet\Services\PolicyAgent
    • Add Key = Oakley
    • DWORD Value = EnableLogging
    • DWORD Value = 1
  • Enable/Disable PolicyAgent: “net stop policyagent” and “net start policyagent”
  • Log found at %windir%\debug\Oakley.log
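The registry change, service restart and log location above can be scripted so they are applied and reverted consistently during troubleshooting. The script below is an added example, not Cisco's code; it assumes an elevated PowerShell session, and the -Disable switch is a hypothetical addition that writes EnableLogging back to 0 once troubleshooting is done, since the debug log otherwise keeps growing.

```powershell
# Added example, not Cisco's code: applies the IPSec logging registry change above
# with PowerShell instead of regedit, restarts the policy agent as the slide does with
# net stop/net start, and reads the tail of Oakley.log. Assumed: run elevated; the
# hypothetical -Disable switch writes EnableLogging back to 0 after troubleshooting.
function Set-IPsecOakleyLogging {
    param([switch]$Disable)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }   # "Add Key = Oakley"
    $value = if ($Disable) { 0 } else { 1 }                                 # "DWORD Value = 1"
    New-ItemProperty -Path $key -Name EnableLogging -PropertyType DWord -Value $value -Force | Out-Null
    # PolicyAgent only reads the value at start-up, hence the stop/start on the slide
    Restart-Service -Name PolicyAgent -Force
    return (Get-ItemProperty -Path $key -Name EnableLogging).EnableLogging
}

function Get-OakleyLogTail {
    param([int]$Lines = 20)
    $log = Join-Path $env:windir 'debug\Oakley.log'
    if (-not (Test-Path $log)) { return "$log not written yet; generate IPSec traffic to a Trusted device first" }
    return Get-Content -Path $log | Select-Object -Last $Lines
}

Set-IPsecOakleyLogging              # returns 1 once logging is on
Get-OakleyLogTail -Lines 30
# Set-IPsecOakleyLogging -Disable   # turn the debug log off again when finished
```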
Auditing
• Tracks events per system.
• Types:
  - Local Policies: Start > Programs > Administrative Tools > Local Security Policies
  - SNMP Real-Time Alerts: polls events from the Windows event log and converts them to SNMP traps (evntwin.exe or evntcmd.exe).
  - SQL Server C2 Auditing is not supported with ICM/UCCE. It may have a significant impact on the system.
  - Active Directory tools to audit logins and management of hosts.
Antivirus Guidelines
• Update AV software scanning engines and definition files regularly, following your organization's current policies.
• Upgrade to the latest supported version of the third-party antivirus application. Newer versions improve scanning speed over previous versions, resulting in lower overhead on servers.
• Avoid scanning of any files accessed from remote drives (such as network mappings or UNC connections). Where possible, ensure that each of these remote machines has its own antivirus software installed, thus keeping all scanning local. With a multi-tiered antivirus strategy, scanning across the network and adding to the network load is not required.
• Schedule full scans of systems by AV software only during scheduled maintenance windows, and when the AV scan cannot interrupt other Unified ICM maintenance activities.
• Do not set AV software to run in an automatic or background mode in which all incoming data or modified files are scanned in real time.
• Due to the higher scanning overhead of heuristics scanning over traditional antivirus scanning, use this advanced scanning option only at key points of data entry from untrusted networks (such as email and internet gateways).
• Real-time or on-access scanning can be enabled, but only on incoming files (when writing to disk). This approach is the default setting for most antivirus applications. Implementing on-access scanning on file reads yields a higher impact on system resources than necessary in a high-performance application environment.
• While on-demand and real-time scanning of all files gives optimum protection, this configuration does have the overhead of scanning those files that cannot support malicious code (for example, ASCII text files). Exclude files or directories of files, in all scanning modes, that are known to present no risk to the system.
• Schedule regular disk scans only during low-usage times and at times when application activity is lowest.
• Disable the email scanner if the server does not use email.
• Additionally, set the AV software to block port 25 to block any outgoing email.
• Block IRC ports.
• If your AV software has spyware detection and removal, then enable this feature. Clean infected files, or delete them (if these files cannot be cleaned).
• Enable logging in your AV application. Limit the log size to 2 MB.
• Set your AV software to scan compressed files.
• Set your AV software to not use more than 20% CPU utilization at any time.
• When a virus is found, the first action is to clean the file, the second to delete or quarantine the file.
• If it is available in your AV software, enable buffer overflow protection.
• Set your AV software to start on system startup.
• Omit files with the following file extensions from the drive and on-access scanning configuration of the AV program:
- *.hst (applies to PG)
- *.ems (applies to ALL)
Windows Remote Desktop
• Native Remote Desktop Protocol (RDP) encryption between client and server is supported. It is the preferred method due to its security and low impact on performance.
• Windows 2008 R2 Terminal Services (aka Remote Desktop) can replace pcAnywhere and VNC.
- mstsc /v:<server[:port]>
• RDP-TCP Guidelines:
- Limit active connections to 1.
- End disconnected sessions in 5 minutes or less.
- Inactive sessions limited to 1 day.
- Idle sessions limited to 30 minutes.
- Set permissions for users and groups – Administrator: Full Control; User: Limited; Guest: Access Restricted.
- Set a High encryption level for connections.
- Limit permission to specific hosts via IP address.
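The RDP-TCP guidelines above map onto per-connection values under the RDP-Tcp registry key, which is what the Terminal Services Configuration tool edits. The following is an added example, not from the Cisco guide: it applies the session limits and encryption level from the list and scopes the built-in Remote Desktop firewall rule to one management host. The jump host address 10.10.30.5 is a placeholder, "Inactive sessions limited to 1 day" is mapped here to the active session limit (MaxConnectionTime), and the rule name "Remote Desktop (TCP-In)" is the Windows Server 2008 R2 default and is assumed unchanged. Run elevated on the UCCE server; Group Policy settings for Terminal Services override these values if both are set.

```powershell
# Added example: apply the RDP-Tcp guidelines via the registry and restrict
# RDP to one management host. Run elevated on the UCCE server.
$rdp       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$AdminHost = '10.10.30.5'   # assumed jump host allowed to RDP in (placeholder)

$settings = @{
    MaxInstanceCount     = 1              # limit active connections to 1
    MaxDisconnectionTime = 5  * 60000     # end disconnected sessions after 5 min (value is in ms)
    MaxConnectionTime    = 24 * 3600000   # active session limit of 1 day (ms)
    MaxIdleTime          = 30 * 60000     # idle session limit of 30 min (ms)
    MinEncryptionLevel   = 3              # 1=Low, 2=Client Compatible, 3=High, 4=FIPS Compliant
}
foreach ($kv in $settings.GetEnumerator()) {
    New-ItemProperty -Path $rdp -Name $kv.Key -PropertyType DWord -Value $kv.Value -Force | Out-Null
}

# Scope the built-in RDP rule so only the management host can reach TCP 3389
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=$AdminHost | Out-Null

# Read back what was applied
Get-ItemProperty -Path $rdp |
    Select-Object MaxInstanceCount, MaxDisconnectionTime, MaxConnectionTime, MaxIdleTime, MinEncryptionLevel
```

Per-user and per-group permissions on the RDP-Tcp listener (the "Administrator Full Control vs. User Limited vs. Guest Restricted" item) are still set in the Terminal Services Configuration security tab; they are not covered by the values above.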
pcAnywhere and VNC
• pcAnywhere provides the following:
- Restrict access to specific hosts via IP address.
- Serialization using a secure code between host and server.
- Credentials for access and authorization.
- Protection of the data stream between host and server through encryption.
- Host integrity protection – prevents file and application changes.
- Logging for sessions and identification through Symantec Remote Access Perimeter Scanner (RAPS).
• pcAnywhere encryption:
- Symmetric encryption
- Public key encryption
• Logging features cover the pcAnywhere log, NT Event log (Windows Server 2008 R2) or SNMP monitor.
• Limited to 1 user at a time.
• For VNC, SSH servers used to provide encrypted tunnels for VNC sessions are not supported by Cisco.
Enable Transport Layer Security (TLS) 1.0
• FIPS compliance for strong encryption requires the TLS 1.0 protocol instead of SSL 2.0 or 3.0.
• IE Setup:
- Launch Internet Explorer
- Tools > Internet Options
- Advanced tab
- Scroll to Security and check the "Use TLS 1.0" box.
*Note: If hardening is applied and IE is unable to connect to ISE or Agent Re-skilling, make sure that IE is configured for TLS 1.0.
• Firefox Setup:
- Firefox 23+ no longer has a user interface setting to disable TLS or SSL3, but there are manual methods. Please see http://kb.mozillazine.org/Security.tls.version.*
Endpoint Security
• IP Phone Hardening
- PC Voice VLAN Access – disabling will prevent the PC from sending/receiving data on the voice VLAN.
- Span to PC Port – disabling will inhibit the use of desktop-based monitoring and recording.
- Gratuitous ARP – disable to prevent man-in-the-middle (MITM) attacks or spoofing.
  - Third-party tools use G-ARP to capture voice streams.
  - CTI OS Silent Monitoring and CAD Silent Monitoring & Recording do not depend on G-ARP.
Other Security Considerations
• There is a rate limit of Unified CCE agent login attempts with incorrect password. By default, the agent account is disabled for 15 minutes after three incorrect password attempts, counted over a period of 15 minutes.
• There is a rate limit on CTI OS Monitor Mode connection. When TLS is enabled and a password is required, Monitor Mode is disabled for 15 minutes after three incorrect password attempts (configurable).
• Windows Management Instrumentation (WMI) is used to manage Windows systems. WMI security is an extension of the security subsystem built into Windows operating systems. WMI security includes: WMI namespace-level security; Distributed COM (DCOM) security; and standard Windows OS security.
• The Microsoft native SNMP service is disabled by the Web Setup tool and its functionality replaced by a more secure agent infrastructure. Do not re-enable the Microsoft SNMP service because it can cause conflicts with the Cisco-installed SNMP agents. Use of SNMP v3 is highly preferred.
• Cisco has qualified Unified ICM software with the Operating System implementations of NTLM, Kerberos V, and IPsec security protocols.
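The two rate limits above (agent login and CTI OS Monitor Mode) share one shape: three failures inside a 15-minute window lock the account for 15 minutes, and attempts during the lockout are rejected without being counted. As an added example, not CCE's own code or log format, the script below models that policy as a sliding-window check and runs it over a constructed set of login events, so the difference between "three failures in 15 minutes" and "three failures ever" is visible in the output. Event times, agent IDs and the CSV layout are all made up for the example; PowerShell 3.0 or later is assumed.

```powershell
# Added example: sliding-window lockout (3 failures / 15 min -> 15 min lockout),
# modelled over constructed login events. Not CCE's implementation.
$Threshold  = 3
$WindowMin  = 15
$LockoutMin = 15

# Constructed sample events: time, agent, result (FAIL = wrong password, OK = correct)
$events = @'
2014-05-20 09:00:10,agent1001,FAIL
2014-05-20 09:04:30,agent1001,FAIL
2014-05-20 09:10:00,agent1001,FAIL
2014-05-20 09:12:00,agent1001,OK
2014-05-20 09:26:00,agent1001,OK
2014-05-20 09:00:00,agent1002,FAIL
2014-05-20 09:20:00,agent1002,FAIL
2014-05-20 09:30:00,agent1002,FAIL
2014-05-20 09:31:00,agent1002,OK
'@ | ConvertFrom-Csv -Header Time, Agent, Result

function Get-LoginDecisions {
    param([object[]]$Events)
    $state = @{}   # agent -> @{ Fails = [datetime[]] in window; LockedUntil = [datetime] }
    foreach ($e in $Events | Sort-Object { [datetime]$_.Time }) {
        $t = [datetime]$e.Time
        if (-not $state.ContainsKey($e.Agent)) {
            $state[$e.Agent] = @{ Fails = @(); LockedUntil = [datetime]::MinValue }
        }
        $s = $state[$e.Agent]          # hashtable reference, so updates persist
        if ($t -lt $s.LockedUntil) {
            # Locked accounts are rejected outright, even with the right password
            [pscustomobject]@{ Time = $t; Agent = $e.Agent; Result = $e.Result; Decision = 'REJECTED_LOCKED' }
            continue
        }
        if ($e.Result -eq 'FAIL') {
            # Drop failures older than the window, then add this one
            $s.Fails = @($s.Fails | Where-Object { $_ -gt $t.AddMinutes(-$WindowMin) }) + $t
            if ($s.Fails.Count -ge $Threshold) {
                $s.LockedUntil = $t.AddMinutes($LockoutMin)
                $s.Fails = @()
                [pscustomobject]@{ Time = $t; Agent = $e.Agent; Result = $e.Result; Decision = 'LOCKED_15MIN' }
            } else {
                [pscustomobject]@{ Time = $t; Agent = $e.Agent; Result = $e.Result; Decision = 'FAIL_COUNTED' }
            }
        } else {
            $s.Fails = @()             # a successful login resets the failure count
            [pscustomobject]@{ Time = $t; Agent = $e.Agent; Result = $e.Result; Decision = 'ACCEPTED' }
        }
    }
}

Get-LoginDecisions -Events $events | Format-Table -AutoSize
```

In the sample, agent1001's third failure at 09:10 locks the account, the correct password at 09:12 is still rejected, and 09:26 is accepted; agent1002 also fails three times but never has three inside any 15-minute window, so it is only ever counted, which is the behaviour the 15-minute qualifier in the bullet describes.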
Active Directory
Active Directory with UCCE
• High Level Requirements
• Interaction and Usage
• Access Rights and Limitations
• Maintain and Operate
Active Directory with UCCE – High Level Requirements
• Compatibility Matrix = AD Version Support
- Functional Level agnostic
• Staging Guide = Active Directory Integration Requirements
- Single AD Forest
- No Read-Only Domain Controllers (RODC)
- Adhere to Cisco naming conventions for the AD Root (Cisco_ICM) structure
- No co-locating CCE servers with Domain Controllers and/or DNS servers
- Global Catalog at each CCE site for multi-domain deployments
• You must use the Domain Manager tool to create the Cisco Root OU, Cisco_ICM
• Group Policy (GPOs)
- We'll get to this later but in the meantime, consider the following best practices…
- Move UCCE servers into their own OU. The server OU should be at the same or lower level relative to the UCCE Root OU (Cisco_ICM).
- Discuss "blocking" and "enforced" requirements for the Cisco OUs (root + servers).
- This, above all: UCCE servers are sophisticated, real-time enterprise application servers.
Active Directory with UCCE – Interaction and Usage
• UCCE Core Components
- Loggers and Administration Data Servers require service accounts (created in Cisco_ICM) for database management
- Peripheral Gateways don't typically make AD calls unless running PG Setup…
- CallRouters don't typically make AD calls
• Other Components
- Finesse integrates with a UCCE Administration Data Server for agent and API login (NTLMv1 ONLY). A domain policy that refuses NTLMv1 (LAN Manager authentication level set to "NTLMv2 response only, refuse LM & NTLM") therefore breaks Finesse login.
- CUIC login credentials can reside in either LDAP AD and/or CUIC's Informix DB.
- CVP – No AD integration or requirements
• UCCE Tools
- Requiring Setup Security Group membership: Web Setup, PG Setup, Service Control, Domain Manager, Service Account Manager (SAM), ICMDBA, Configuration Manager*
- Requiring Config Security Group membership: Configuration Manager, Script Editor, ISE
*The only time you require Setup rights for Configuration Manager is when you promote and/or create an agent/person as a Supervisor. Configuration Manager will associate the Supervisor with the Instance Config Security Group.
UCCE New Deployment – UCCE AD Security Groups
• Access Rights Are Nested In Cisco_ICM
- Downstream recursive: if you are a member of a Facility security group, you will have those same rights for the Instance(s) in that Facility.
• OU and security group layout:
  Corporate Domain
    Contact Center Applications
      Cisco_ICM (Config, Setup)
        Facility (Config, Setup)
          Instance (Config, Setup, Services)
• Config Security Group (No AD Write Access)
- Configuration Manager tools
- Script Editor and ISE (Internet Script Editor)
• Setup Security Group (AD Read/Write Access)
- UCCE installation, patching, and WebSetup tools
- Manage security group memberships via Domain Manager
- Manage service accounts via the SAM tool
- Configuration Manager: User and Agent list tools
• Service Security Group (Read-Only)
- Instance level only
- Users created via the Service Account Manager (SAM) tool are members of this group
- Logger/Distributor service account membership
UCCE AD Security Groups Impact On AD Domain Tools
• I'm The AD Administrator And I Have A Few Concerns…
• Assuming An AD User Is A Member Of All UCCE Security Groups, What Can They Do In My Active Directory Domain?
- Not much…
- User cannot log onto the Domain Controller
- User cannot make any changes in the AD domain outside the Cisco_ICM OU
- User cannot create domain OUs, Users, Groups, Policies, etc.
- Unless the user is a member of the Setup security group, he/she won't be able to stop/start UCCE services.
• Users With UCCE Security Group Membership(s) Can Only Administer UCCE Related Objects
• UCCE Software Does Not Modify AD Objects Without Direct User Intervention and Control
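The AD administrator's question above is answerable with a report rather than an assurance. As an added example (not a Cisco tool), the script below walks every security group under the Cisco_ICM OU, expands nested membership so Facility-level members show up for each Instance, and flags any member who also holds rights through Domain Admins, Enterprise Admins, Administrators or Account Operators. Such a hit is not something UCCE granted; it is a membership the AD team gave separately and should review. Assumptions: the ActiveDirectory module is available, the root OU is at OU=Cisco_ICM,DC=corp,DC=com, and Domain Manager's group names carry a Config, Setup or Service suffix (used only to label rows).

```powershell
# Added example: report effective membership of the UCCE security groups and
# flag members who are also domain-privileged. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumed location of the Cisco root OU; adjust to your domain.
$CiscoRoot = 'OU=Cisco_ICM,DC=corp,DC=com'

function Get-UcceGroupReport {
    param([string]$SearchBase)

    # Everyone who is (directly or via nesting) in a domain-privileged group
    $privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators') |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
        Select-Object -ExpandProperty SamAccountName -Unique

    foreach ($g in Get-ADGroup -Filter * -SearchBase $SearchBase) {
        # Domain Manager names groups with a Config/Setup/Service suffix (assumed here, label only)
        $role = switch -Wildcard ($g.Name) {
            '*Config*'  { 'Config (no AD write)' }
            '*Setup*'   { 'Setup (read/write inside Cisco_ICM)' }
            '*Service*' { 'Service (read-only)' }
            default     { 'Other' }
        }
        # -Recursive expands nested groups, which is how Facility rights flow down to Instances
        $members = Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            [pscustomobject]@{
                Group       = $g.Name
                Role        = $role
                Member      = $m.SamAccountName
                DomainAdmin = [bool]($privileged -contains $m.SamAccountName)
            }
        }
    }
}

$report = Get-UcceGroupReport -SearchBase $CiscoRoot
$report | Format-Table -AutoSize

# Anyone listed here got domain-level rights from somewhere other than UCCE
$report | Where-Object { $_.DomainAdmin } | Select-Object Member -Unique
```

Run it once after Domain Manager has built the OU and again after each Facility or Instance is added; the second run is where accidental nesting of a Facility group into the wrong Instance shows up.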
UCCE New Deployment – UCCE Domain Manager
• Creates the Cisco_ICM (Root) OUs
- Creates and defines all UCCE security groups and permissions for root, Facility, and Instance.
- Requires domain administrator read/write privileges; this user becomes a member of the Setup security group during OU creation.
• Manages AD User Membership In UCCE Security Groups
- Controls access rights to UCCE tools
- Hierarchical approach for maximum administration flexibility
- Nested, downward-recursive security group rights. Example: a user that's a member of the Facility Config security group will have UCCE configuration rights to all Instances in that Facility.
- After initial setup of the UCCE Root, you may use standard AD tools to associate users with our Security Groups
UCCE New Deployment – Service Account Manager
• UCCE Service Account Management
- Must be run locally on each respective server
- User must be a member of the Setup Security Group
- User must have local-domain administrator read/write privileges.
- Modify (after initial account creation) Domain Service Account names and passwords.
• Used As A Post-Install Diagnostic Tool
- Check and manage the health of UCCE service accounts
- Health status and remediation: 9.0(y) Staging Guide pages 64 - 69
• By default when you install UCCE, all component services (PG, Router, Dialer, CG, CTIOS, etc.) will use the Local System Account. The Logger and Distributor services, however, will be bound to a specific AD user account in the Instance OU.
Moving UCCE AD Objects
Reasons Why You May Have To Move AD Objects
• User Story 1
- "We need to move our UCCE administration users and agent supervisors to another OU in the same domain. Will this impact UCCE functionality?"
• User Story 2
- "We are changing our AD structure. Currently, the Cisco_ICM OU is located directly under the domain: CORP.COM > Cisco_ICM. We would like to move the Cisco root OU to a lower level container like CORP.COM > Applications > Contact Center Enterprise > Cisco_ICM. Is this possible and what are the steps?"
• User Story 3
- "We are moving our UCCE Servers (and thus, the Cisco_ICM) to a new domain."
Moving AD Objects – Intra-Domain (Simple)
A few things to know about moving objects in Active Directory…
• After Windows 2000, Moving AD Objects Is Drag and Drop Simple
- Especially so for intra-domain tasks
- Inter-domain moves are more complicated
• Permissions Assigned Directly To AD Objects Remain With The Object After A Move
- UCCE tools assign AD permissions directly
• Inherited Permissions Are Lost
- AD objects will inherit permissions (and restrictions) assigned to the new OU
• In AD, Objects With Similar Permission Settings Are Usually Grouped Together
- Know the target OU policies before you move the Cisco_ICM root OU.
Moving A UCCE AD User Object – Intra-Domain (Simple)
• User Story 1
- "We need to move our UCCE administration users and agent supervisors to another OU in the same domain. Will this impact UCCE functionality?"
• Answer
- This type of AD object move will not impact UCCE functionality. So long as you are not moving the native UCCE service accounts (Logger/Distributor), this AD task is transparent to UCCE.
• What's Involved?
- Ensure that all users are completely logged out.
- Using Microsoft Active Directory Users and Computers, drag and drop the user object to its new location.
Moving UCCE Servers To Another OU – Intra-Domain (Simple)
• What About Moving Servers In The Same Domain?
- Similar To Moving Users
• Must Stop All UCCE Services Before Moving UCCE Servers
- Including duplexed peers … plan a maintenance window.
• Computers Vs. Users
- Unlike users, who may have direct policies and permissions applied, servers in AD typically inherit their operational rules through a Group Policy. Example: you may have separate containers in AD for Windows 2003 and Windows 2008 R2 servers so that GPO management can be applied respectively.
- In short, when you move users around in an AD domain, their permissions will follow as they are often applied directly. However, moving computers around in an AD domain will often result in inheritance of different policy objects depending on the source and target OUs.
• No Post-Actions On UCCE To Accommodate This Task
Moving The Cisco_ICM Root OU – Intra-Domain (Simple)
• User Story 2
- "We are changing our AD structure. Currently, the Cisco_ICM OU is located directly under the domain: CORP.COM > Cisco_ICM. We would like to move the root to a lower level container like CORP.COM > Applications > Contact Center Enterprise > Cisco_ICM. Is this possible and what are the steps?"
• Answer
- Yes, this is possible and it's the most supported and least risky move possible for the UCCE root OU.
• What's Involved?
- I'm about to show you…
Moving The Cisco_ICM Root OU – Intra-Domain (Simple)
1. Stop All UCCE Services Via Service Control
- This includes duplexed peers.
2. Run WebSetup On The Central Controller
- Record all Facility and Instance names and numbers.
3. Launch Microsoft Active Directory Users And Computers
- Drag and drop the OU to the new location
- Or right-click on the OU you want to move
4. Start Up All UCCE Services Via Service Control
- Graceful startup order: LoggerA, RouterA, RouterB, LoggerB, PGs and Administration Servers
5. Launch UCCE Service Account Manager (SAM)
- Validate that the Logger and Distributor service accounts are healthy
6. Launch UCCE User List Tool
- Validate that permissions for UCCE users were properly migrated/retained post-OU move
DONE
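The six steps above can be driven from PowerShell for step 3 and the verification half of steps 5 and 6, and doing so surfaces the two things that catch people on Windows Server 2008 R2: the "Protect object from accidental deletion" flag that 2008 R2 sets on new OUs (it denies the delete right the move needs, so Move-ADObject fails with "Access is denied"), and the change in inherited GPOs once the OU sits under a different parent, which is the "know the target OU policies" point from earlier. The script below is an added example, not Cisco's procedure or tooling: it snapshots group membership under Cisco_ICM, shows the GPOs inherited at source and target, clears the protection flag, moves the OU, restores the flag and diffs membership. It does not stop or start UCCE services (steps 1 and 4) and does not replace running SAM and the User List tool. The source and target DNs are assumptions; the ActiveDirectory and GroupPolicy modules are required.

```powershell
# Added example: intra-domain move of the Cisco_ICM root OU with the checks
# that matter. Stop all UCCE services (step 1) before running this.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Source = 'OU=Cisco_ICM,DC=corp,DC=com'                                     # assumed
$Target = 'OU=Contact Center Enterprise,OU=Applications,DC=corp,DC=com'    # assumed

function Get-OuSnapshot([string]$Ou) {
    # One line per group: "<group>=<member,member,...>" so before/after can be diffed
    Get-ADGroup -Filter * -SearchBase $Ou | ForEach-Object {
        $members = (Get-ADGroupMember -Identity $_ |
            Select-Object -ExpandProperty SamAccountName | Sort-Object) -join ','
        "$($_.Name)=$members"
    } | Sort-Object
}

$before = Get-OuSnapshot $Source
Write-Host 'GPOs inherited at the source location:'
(Get-GPInheritance -Target $Source).InheritedGpoLinks | Format-Table DisplayName, Enforced -AutoSize
Write-Host 'GPOs that will be inherited at the target location:'
(Get-GPInheritance -Target $Target).InheritedGpoLinks | Format-Table DisplayName, Enforced -AutoSize

# 2008 R2 protects new OUs from accidental deletion, which also blocks moves.
# Clear it on the root OU and every Facility/Instance OU beneath it.
Get-ADOrganizationalUnit -Filter * -SearchBase $Source |
    Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false

Move-ADObject -Identity $Source -TargetPath $Target          # step 3
$NewRoot = "OU=Cisco_ICM,$Target"

# Put the protection back, then confirm nothing in the groups changed (step 6's check)
Get-ADOrganizationalUnit -Filter * -SearchBase $NewRoot |
    Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
$after = Get-OuSnapshot $NewRoot

if (Compare-Object $before $after) {
    Write-Warning 'Group membership differs after the move; review with the User List tool'
} else {
    Write-Host 'Group membership unchanged; now run SAM (step 5) and the User List tool (step 6)'
}
```

Membership and the permissions Domain Manager wrote directly on the groups travel with the OU, which is why the diff is expected to be empty; the GPO tables are the part that legitimately changes, and any Enforced policy in the second table is one the Cisco_ICM OU cannot block.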
Moving UCCE AD Objects – Inter-Domain (Complex)
• User Story 3
- "We are moving our UCCE Servers to a new domain. We understand that the UCCE servers must reside in the same domain as the Cisco_ICM root OU. Can we copy the existing Cisco_ICM OU to the new domain?"
• Answer
- No. Copying the existing Cisco_ICM root OU to the new/target domain is not supported.
• What's Involved?
- Create a new Cisco_ICM root OU in the new/target domain using CCE's Domain Manager tool
- Root, Facility, and Instance names from the source Cisco_ICM OU must all match in the newly created root OU
- All UCCE services must be stopped prior to moving the servers; move the UCCE servers to the new domain
- Run WebSetup and PGSetup, respectively, to map the instance to the new domain
- Run CCE's Service Account Manager (SAM) tool to validate that the Logger and Distributor service accounts were properly set up in the new domain
- Decide whether or not to migrate the UCCE user and supervisor accounts to the new domain
Moving UCCE AD Objects – Inter-Domain (Complex)
• Inter-Domain AD User Objects From The Viewpoint Of UCCE…
- UCCE Supervisors, Configuration, and Setup Users Can Reside Outside Of The UCCE Root OU
[Figure: Cisco_ICM holding the UCCE servers and users in the root domain; UCCE users (Config, Setup, Supervisor) in other domains reached via Agent Explorer and the User List Tool]
• UCCE Agent Explorer & User List Tool Have Resource Access To Domains In The Forest
- Two-way transitive trusts
- One-way outgoing external trusts allowing users from other domains to access resources in the root domain
• Inter-Domain AD Server Objects From The Viewpoint Of UCCE…
- UCCE Servers Must Be In An OU That's Local To / In The Same Domain As The UCCE Root OU
[Figure: UCCE servers and Cisco_ICM in the same domain; UCCE users (Config, Setup, Supervisor) may sit in trusted domains]
• UCCE Servers Are Linked To The Root OU Facility/Instance Via WebSetup's Instance Management
- Note the 'Change Domain' option
Moving UCCE AD Objects – Inter-Domain (Complex)
• OK, Back To The User Story…
- "We are moving our UCCE Servers to a new domain. We understand that the UCCE servers must reside in the same domain as the Cisco_ICM root OU. Can we copy the existing Cisco_ICM OU to the new domain?"
• Order Of Operations
1. Using CCE's Domain Manager, create a new (carbon copy) of the UCCE root OU in the new domain.
2. Shut down all UCCE servers and move them into a similar OU in the new domain.
3. Run CCE's WebSetup on each Central Controller server (including Distributors) and click the 'Change Domain' button in the Instance Management drawer.
4. Run CCE's Service Account Manager (SAM) tool on all Central Controller components to create new AD service accounts for: LoggerA, LoggerB, and your Distributors.
- At this stage, you have successfully migrated the UCCE servers. Now we need to migrate the UCCE users and supervisors.
5. When it comes to the users, you have a couple of options…
- Option 1: Add the Config and Setup Security Groups from the source domain as members of the Config and Setup Security Groups in the new domain (this relies on a trust between the domains: two-way transitive, or one-way outgoing external). This allows the UCCE instance in the new root OU to use the original permissions mapping from the old root OU. Note: the source UCCE root OU must not be touched!
- Option 2: Use the User Migration Tool to export UCCE users from the source domain and then import them into the target domain. This creates duplicate users in AD between the source and target domains. All UCCE permissions will be properly mapped over. Note: the User Migration Tool is a separate download via cisco.com.
Moving UCCE AD Objects – Inter-Domain (Complex)
• When Moving Objects To A New Domain, You May Also Need To Rename UCCE Facility and/or Instance OUs
• Renaming a Cisco_ICM Facility As Part Of A Domain Move
- Supported and does not change the previous steps discussed
• Renaming a Cisco_ICM Instance As Part Of A Domain Move
- NOT supported. If you rename the UCCE Instance, you are in a sense installing a brand new UCCE customer from scratch.
- There is no migration path when the Instance name is changed
Group Policy Objects (GPOs)
Playing Nice With UCCE OU's and Group Policy Objects
• Understand How UCCE Works With AD
- Know the dependencies for tools and general functionality
• Understand The Intent/Purpose Behind Group Policies
- UCCE servers are real-time application servers and often fall into their own management category
• Consult Cisco's UCCE Security Best Practices Guide
• Test GPO Changes In The Lab Prior To Production Rollout
• Document Changes
- What
- When
- Where
- Why
What Are Group Policy Objects?
• What Is A Group Policy?
- Mechanism used to define a set of rules to centrally secure, manage, enforce, and deploy across a group of computers and users
• Common Windows 2008 Group Policy Security Settings
- Limiting an AD user's administrative authority
- Enforced passwords
- Advanced security through Windows Firewall
- User Account Control (UAC)
• Policy Considerations For UCCE Computers and Users OU
- Audit Policies
- Policies that control:
  - Passwords, encryption and certificates
  - Auto-updates
  - Downloads, scans, exclusions
- Consult the UCCE Security Best Practices Guide
How Are Group Policies Deployed In Active Directory?
• Group Policy Types
- Local group policies exist on all Windows systems
- Active Directory (AD) group policies are only available in an AD Forest
• Group Policy Editor
- Primary function of this tool is to configure group policy settings within a GPO
• Group Policy Management
- Primary function of this tool is to apply, link, and control GPO behavior within Active Directory forests, domains, and OUs.
What Are Group Policy Objects?
• Most Group Policy Restrictions Do Not Apply To Nor Affect The Cisco Root OU
- The Cisco_ICM OU structure does not contain any servers and only contains service account users in the Instance OU
Playing Nice With UCCE OU's and Group Policy Objects
• Applying GPO's To An OU
- Indirectly, via top-down inheritance from a higher-level OU or the domain root
- Directly, linked within the OU
• Block Policy Inheritance (Indirect GPO)
- Prevents higher-level policies from applying to users and computers within a site, domain, or OU
- This can be overridden if higher-level policies have the "Enforced" option checked
- Preference to have the UCCE Root OU directly under the domain root and not nested (if possible)
• No Override – 2003 / Enforced – 2008 (Direct GPO)
- Ensures that the linked GPO is always applied, even below an OU that blocks inheritance
- Notice the 'padlock' on the linked policy when it's Enforced
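Block Inheritance and Enforced interact exactly as the bullets say, and the GroupPolicy module lets you see the result before a UCCE server ever applies it. The following is an added example, not from the Cisco guide: it lists what a UCCE server OU currently inherits, blocks inheritance there, links and enforces a dedicated UCCE baseline GPO, and then shows what still comes through. Anything left in the final list that is not the UCCE GPO is an Enforced link from a parent container, which Block Inheritance cannot stop and which the AD team needs to talk about. The OU DN and the GPO name "UCCE Servers Baseline" are assumptions (the GPO is expected to exist already).

```powershell
# Added example: inspect inheritance on a UCCE server OU, block it, and link
# an enforced UCCE GPO. Requires the GroupPolicy module (GPMC installed).
Import-Module GroupPolicy

$ServersOu = 'OU=UCCE Servers,OU=Contact Center Applications,DC=corp,DC=com'   # assumed
$UcceGpo   = 'UCCE Servers Baseline'                                            # assumed, pre-created

function Show-EffectiveGpos([string]$Ou) {
    $inh = Get-GPInheritance -Target $Ou
    Write-Host "Inheritance blocked on $($inh.Name): $($inh.GpoInheritanceBlocked)"
    # InheritedGpoLinks is in precedence order and already includes enforced parent links
    $inh.InheritedGpoLinks | Format-Table Order, DisplayName, Enforced, Enabled -AutoSize
}

Write-Host '--- Before ---'
Show-EffectiveGpos $ServersOu

# Stop domain-wide policies from flowing into the server OU...
Set-GPInheritance -Target $ServersOu -IsBlocked Yes | Out-Null
# ...and link the UCCE GPO directly, enforced (the padlock in GPMC)
New-GPLink -Name $UcceGpo -Target $ServersOu -LinkEnabled Yes -Enforced Yes | Out-Null

Write-Host '--- After ---'
Show-EffectiveGpos $ServersOu

# Enforced links from above the OU survive Block Inheritance; list them explicitly
$leaks = (Get-GPInheritance -Target $ServersOu).InheritedGpoLinks |
    Where-Object { $_.Enforced -and $_.DisplayName -ne $UcceGpo }
if ($leaks) {
    Write-Warning 'These enforced parent GPOs still apply to the UCCE servers:'
    $leaks | Format-Table DisplayName, Target -AutoSize
}
```

Run gpupdate /force on one UCCE server afterwards and compare gpresult /r against the "After" table; that is the lab check the earlier slide asks for before any production rollout.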
Summary
• Demystified How UCCE and Active Directory Work Together
• Alleviated Common Security Concerns
- Security groups
- GPOs
• Domain Manager Used To Create The UCCE Root OU Footprint
• Service Account Manager (SAM) Used To Diagnose And Resolve Service Accounts
• User Story Examples Highlight Common Questions Asked
- Cisco forums
- Cisco TAC
• Confidence = Go Forth And Concur!