MynaVoice Recording 6.7 - Hardening Manual
Version: 6.7
Date: 1 November 2019
HARDENING MANUAL
MynaVoice Recording
Information in this document is subject to change without notice and does not represent a commitment on the part of River Projects International Ltd. The systems described in this document are furnished under a license agreement or nondisclosure agreement.
All information included in this document, such as text, graphics, photos, logos and images, is the exclusive property of River Projects International Ltd. and protected by United States and international copyright laws.
Permission is granted to view and photocopy (or print) materials from this document for personal, non-commercial use only. Any other copying, distribution, retransmission or modification of the information in this document, whether in electronic or hard copy form, without the express prior written permission of River Projects International Ltd., is strictly prohibited. In the event of any permitted copying, redistribution or publication of copyrighted material, no changes in, or deletion of, author attribution, trademark legend or copyright notice shall be made.
All contents of this document are: Copyright © 2019 River Projects International Ltd. All rights reserved.
The full list of MynaVoice marks are the trademarks or registered trademarks of River Projects International Ltd. All other marks used are the property of their respective proprietors.
For assistance, contact your local supplier or nearest MynaVoice Support Desk.
For more information about MynaVoice, visit www.mynavoice.com/extranet.
This manual was created by MynaVoice, Alkmaar, The Netherlands
CONTENTS
1: Introduction 7
Hardening 7
Scope 7
Intended Audience 7
Conventions and Symbols 8
Windows Versions in This Manual 8
2: Configuring the Firewall 9
Introduction 9
Port Scanning 10
Which List Do I Use for Configuring Ports? 10
Core Server 13
Core Server: Additional Ports 15
Core Server with Channels 17
Core Server with Channels: Additional Ports 18
Core Server with Channels and CTI 20
Core Server with Channels and CTI: Additional Ports 22
Core Server with CTI 24
Core Server with CTI: Additional Ports 25
Satellite 27
Satellite: Additional Ports 28
Satellite with CTI on One System 29
Satellite with CTI: Additional Ports 30
CTI Server 32
CTI Server: Additional Ports 33
CDR Server 34
Fusion Server 35
MynaVoice Recording 6.7
HARDENING MANUAL - 1 November 2019
- 3 -
3: Antivirus and 3rd Party Software Exclusions 37
Introduction 37
Antivirus and Other Software Exceptions 38
MynaVoice Core Server (With orWithout Channels or CTI) 38
MynaVoice Satellite 41
MynaVoice CTI Server 43
MynaVoice Fusion Server 44
4: System Hardening 45
Installed MynaVoice Recording Services 46
MynaVoice Recording Services - Core Server 48
MynaVoice Recording Services - Satellite 50
MynaVoice Recording Services - CTI Server 51
Required Windows Services 52
Windows Data Execution Prevention (DEP) 54
SMB Signing 54
E-mail Filtering 54
Local or Group Policy Security Settings 55
Group Policy Security Settings 55
Local Security Settings 56
Enabling IPsec Encryption 58
Configure Transport Encryption for File Shares 69
5: Web Server Security 73
Supported Security Versions 74
TLS (SSL) Security 76
SSL Certificates 76
Enabling TLS Security 77
SSL Certificate Settings 78
Enabling HTTP Only and Secure Cookies 83
Enable HTTPOnly Cookies Using URLRewrite 2.1 84
Enable Secure Cookies Using URLRewrite 2.1 90
Preventing Cross Frame Scripting 96
Hiding Version Information in the Server Header 98
Remove the X-Powered-By Header 103
Enforcing Account Lockout (MynaVoice) 106
6: Web Client Internet Explorer Policy 109
Internet Explorer Security Level 110
Required Security Settings 111
Real-time Play 112
Setting Satellite Access to External Communication 113
Removing Temporary Internet Files 118
Cleaning the Cache Folder 118
Configuring Cache Control Using IIS (on Core Server) 120
7: Vulnerability 123
Heartbleed 123
POODLE 123
Shellshock 125
A: Terminology 127
1: Introduction
Hardening
This document contains procedures you can follow and measures you can take to reduce the security risks to your Operating System (OS) and network.
Antivirus programs and spyware blockers prevent malicious software from running on a machine or network, but a machine or network that relies on them alone can still be reached by an outside party with malicious intent. Securing an OS or network, commonly known as "hardening", minimizes the vulnerability, prevents "back-door" access, and protects against attacks from outside.
Hardening is typically done by removing all non-essential software, utilities and services, limiting access to system partitions and the registry, applying encryption, and the like.
Scope
The procedures and settings in this manual are compatible with MynaVoice Recording 6.7 and its integrations.
Information contained in this manual might change, particularly as a result of the continual upgrading of MynaVoice Recording and of third-party software such as Microsoft Windows and MySQL. The documentation does not entail any guarantee with respect to the items described in the manual. The general description of security measures in this manual might not entirely apply in your individual case. If in doubt, contact the MynaVoice Support Desk.
Intended Audience
This manual is intended for engineers responsible for securing the systems on which MynaVoice Recording 6.7, Fusion, other MynaVoice applications and/or any of the MynaVoice integrations have been installed.
Such an engineer must be qualified as a MynaVoice Certified Implementation Engineer or MynaVoice Certified Support Engineer, having successfully completed the required MynaVoice training courses, or have equivalent education/experience.
For details, see www.mynavoice.com/extranet.
It is assumed that the user of this manual has knowledge of the following:
Windows Server 2012 R2 and/or 2016
MynaVoice Recording version 6.7
MynaVoice CTI or CDR integrations (if applicable)
Conventions and Symbols
You will see the following symbols in this manual:
Important! - for system-critical information
NOTE: - a general remark or reference to another document
TIP: - a reference to other useful information
Windows Versions in This Manual
This manual mainly shows screenshots made in Windows Server 2016, and some in Windows Server 2012 R2. The screens of Windows Server 2016, 2012 R2 and 2008 R2 have a (slightly) different look and feel, but identical contents. Wherever the procedures for the various Windows versions differ from each other, this is either noted, or separate procedures are included.
1: Introduction - Conventions and Symbols
2: Configuring the Firewall
Introduction
A firewall is a network security system that controls incoming and outgoing network traffic based on a set of rules. It is intended to be a barrier between a trusted, secure internal network and another network such as the Internet.
What is a port?
A software or network port is a (virtual) endpoint that information is sent through. Ports are used by the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP), and are identified by a 16-bit number. Network ports are normally closed: they are blocked by the firewall.
For proper communication between the systems of MynaVoice Recording and the customer's telephony or trading systems, a number of ports must be "opened".
Ports for MynaVoice Recording
The ports on each system that must be configured as open ports are listed below. They are sorted by recording system configuration, which consists of a combination of "roles".
For each configuration you also find the port numbers used when the following applications are installed:
EMC Archiving
Resilience
Core API
Fusion
Some of these applications require separate servers as well. The ports for those servers are listed too.
Internal ports
'INTERNAL' ports are only used on the system itself (local host). Normally, you do not need to configure these.
However, when installing other components that use the same ports, conflicts can occur. For example, on 'Windows 2003 R2 Small Business Edition' a port conflicts with the 'lsass' Windows service.
You can avoid problems by starting the MynaVoice services before this other service is started.
Port Scanning
MynaVoice Recording supports port scanning to verify the security policies of the network, but only when performed in a controlled manner. This means the scanning speed and intensity must match the network's specifications. As a best practice, run port scans outside office hours, at a low speed (e.g. 'Low Performance' in the Qualys tool).
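The check below is an added example, not part of the MynaVoice manual: it compares the ports actually listening on a MynaVoice host with the documented list for its role, so the verification a network scan is meant to give can be done on the host itself, without load on the recording network. The allow-list is taken from Table 2-1 (Core Server without channels or CTI); substitute the table for the role you are checking. Because the manual says INTERNAL ports are used only on the local host, the script also flags any of them bound to every interface (0.0.0.0 or ::), which is a firewall question a practitioner would want answered. Cmdlets are the standard NetTCPIP module on Windows Server 2012 R2 and later; run as an administrator so process names resolve.

```powershell
# Added example (not MynaVoice code): audit listening ports against the documented list.
# Allow-list = Table 2-1, Core Server without channels or CTI. Swap in your role's table.

# Ports the manual says to configure in the firewall for this role.
$Documented = @{
    TCP = @(80, 443, 445, 3306, 6003, 6005, 6006, 7780, 7950, 8007)
    UDP = @()
}
# INTERNAL ports: used only on the local host. Their presence is expected;
# a bind to every interface is not, because it makes them reachable from the network.
$Internal = @{
    TCP = @(7002, 7800, 8003)
    UDP = @(8003)
}
$AnyAddress = @('0.0.0.0', '::')

function Get-ListeningEndpoint {
    # Normalise TCP listeners and UDP endpoints into one list of objects.
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Port = $_.LocalPort; Address = $_.LocalAddress; ProcessId = $_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Port = $_.LocalPort; Address = $_.LocalAddress; ProcessId = $_.OwningProcess }
    }
    @($tcp) + @($udp) | Sort-Object Proto, Port, Address -Unique
}

function Get-PortStatus([string]$Proto, [int]$Port, [string]$Address) {
    if ($Internal[$Proto] -contains $Port) {
        if ($AnyAddress -contains $Address) { return 'INTERNAL-BUT-EXPOSED' }
        return 'internal'
    }
    if ($Documented[$Proto] -contains $Port) { return 'documented' }
    return 'UNDOCUMENTED'
}

$report = foreach ($ep in Get-ListeningEndpoint) {
    $proc = (Get-Process -Id $ep.ProcessId -ErrorAction SilentlyContinue).ProcessName
    [pscustomobject]@{
        Proto   = $ep.Proto
        Port    = $ep.Port
        Address = $ep.Address
        Process = $proc
        Status  = Get-PortStatus $ep.Proto $ep.Port $ep.Address
    }
}
$report | Sort-Object Status, Proto, Port | Format-Table -AutoSize

# UNDOCUMENTED: either a non-MynaVoice service to remove or block (chapter 4), or a port
# missing from the list handed to the network administrator.
# INTERNAL-BUT-EXPOSED: reachable from the network despite being local-only; confirm the
# host firewall blocks it, or raise it with the MynaVoice Support Desk.
```

The script only reads socket state, so it can run on a production recorder during office hours; it does not replace the external scan, which also proves that the network firewall in front of the host enforces the same list.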
Which List Do I Use for Configuring Ports?
Important! Only an authorized person is allowed to configure the firewall settings.
The port listings below include all generic ports. For integration-specific ports, e.g. from the link controller to the PBX or trading system, refer to the specific integration manual.
Select the applicable recording system configuration, and give the corresponding list(s) to the customer's system/network administrator.
Instructions for configuring Windows Firewall can be found at Microsoft Networking and Access Technologies.
Active and Passive IP Recording
Configuration 1: Core Server with Recording Channels and an integrated CTI Server
See Core Server with Channels and CTI on page 20
Configuration 2: Core Server with integrated CTI Server and separate satellite(s)
See Core Server with CTI on page 24
and Satellite on page 27
Configuration 3: Core Server with a separate CTI Server and Satellite(s)
See Core Server on page 13
and CTI Server on page 32
and Satellite on page 27
Configuration 4: Core Server with Recording Channels and separate CTI Server
See Core Server with Channels on page 17
and CTI Server on page 32
Configuration 5: Core Server with separate Satellites and CTI on a satellite
See Core Server on page 13
and Satellite with CTI on One System on page 29
CDR
Dedicated CDR server: see section CDR Server on page 34.
CDR functionality installed on another role: see the corresponding configurations with CTI functionality.
Core Server
Configure the following ports on a MynaVoice Recording Core Server without channels or CTI.
For systems that combine a Core Server with other roles, see the applicable section:
Core Server with Channels on page 17
Core Server with Channels and CTI on page 20
Core Server with CTI on page 24
Port | Protocol | Direction | Service | Explanation
Basic
25 | SMTP | OUT | Error Core | To customer's e-mail server
80 | HTTP | IN | Web Service Client connections | Web User Login. For HTTPS, replace this port by port 443
123 | NTP | OUT | OS (Time sync) | Network Time Synchronization, if applied
162 | UDP | OUT | Error Core | To (any) SNMP traps receiver
443 | HTTPS | IN | Web Service Client connections | Web User Login. For HTTP, replace this port by port 80
445 | TCP | IN/OUT | CyberTech Content Manager Archiving | Communication with archive servers. NOTE: This port belongs to the SMB protocol. SAMBA or Windows networking/file sharing is a service consumed by the Content Manager; its configuration cannot be controlled by MynaVoice.
3306 | TCP | IN | MySQL Service | Database
6003 | TCP | IN | DBI Client | Audio transfer from channels to Core Server
6004 | TCP | OUT | Monitor Tool | Informs Monitor Tool about status of channels
6005 | TCP | IN | Web Service Client connections | Web User: Channel overview
6006 | TCP | IN | DBI Client | Channel overview
7780 | TCP | IN/OUT | CyberTech.SystemOverview.WebService | Queries Node Agents on MynaVoice systems
7950 | TCP | IN/OUT | Connectivity.MediaDelivery.Service | External access of the Media Delivery service by Core API
8007 | TCP | IN | Configuration Management | Listens for inbound messages of configuration management. NOTE: Port not required if this service is disabled
INTERNAL Ports
You do not need to configure these ports in the firewall. Use this information in case of port conflicts.
7002 | TCP | IN | Fault Manager | SNMP traps and alarms
7800 | TCP | IN | Media Manager | Port must be opened if Compass is installed
8003 | TCP/UDP | IN | Internal WCF communication |
Table 2-1: Open Port Configuration: MynaVoice Recording Core Server
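The following script turns the Core Server list of Table 2-1 into Windows Firewall rules. It is an added example and not part of the MynaVoice manual or product: the manual gives port and direction, and the script adds the scoping a practitioner would want, a RemoteAddress limited to the peers that actually need each port. Every address, the satellite list and the rule-group name are assumptions for illustration; replace them with the customer's values. Port 80 is left out on purpose, since the table says to use 443 once TLS is enabled (chapter 5). Outbound rules are included for completeness, but Windows Firewall allows outbound traffic by default, so they only restrict anything once the profile's default outbound action is set to Block, which the last (commented) line does.

```powershell
#Requires -RunAsAdministrator
# Added example (not MynaVoice code): Windows Firewall rules for the Core Server role
# without channels or CTI, from Table 2-1. All addresses below are assumed placeholders.

$Group        = 'MynaVoice Recording - Core Server'
$ClientSubnet = '10.10.0.0/16'                 # assumed: web users
$Satellites   = @('10.10.5.11', '10.10.5.12')  # assumed: satellite recorders
$ApiClients   = @('10.10.6.20')                # assumed: Fusion / Core API consumer
$ArchiveHost  = '10.20.0.5'                    # assumed: Content Manager archive target
$MailServer   = '10.20.0.25'                   # assumed: customer's e-mail server
$NtpServers   = @('10.20.0.1')                 # assumed: time source
$SnmpReceiver = '10.20.0.30'                   # assumed: SNMP trap receiver

# Inbound listeners. Port and direction come from the table; RemoteAddress is the
# hardening step the table does not spell out: only the peers that need a port get it.
$Inbound = @(
    @{ Name = 'Web User Login (HTTPS)';     Proto = 'TCP'; Port = 443;  Remote = $ClientSubnet }
    @{ Name = 'MySQL from satellites';      Proto = 'TCP'; Port = 3306; Remote = $Satellites }
    @{ Name = 'DBI audio transfer';         Proto = 'TCP'; Port = 6003; Remote = $Satellites }
    @{ Name = 'Web User channel overview';  Proto = 'TCP'; Port = 6005; Remote = $ClientSubnet }
    @{ Name = 'DBI channel overview';       Proto = 'TCP'; Port = 6006; Remote = $Satellites }
    @{ Name = 'SystemOverview node agents'; Proto = 'TCP'; Port = 7780; Remote = $Satellites }
    @{ Name = 'Media Delivery (Core API)';  Proto = 'TCP'; Port = 7950; Remote = $ApiClients }
    @{ Name = 'Configuration Management';   Proto = 'TCP'; Port = 8007; Remote = $ApiClients }
    @{ Name = 'SMB from archive server';    Proto = 'TCP'; Port = 445;  Remote = $ArchiveHost }
)
# Port 80 is deliberately absent: serve the web client over 443 (chapter 5) and open 80
# only while TLS is not yet enabled.

# Outbound connections. These restrict nothing until the profile's default outbound
# action is Block (see the last line).
$Outbound = @(
    @{ Name = 'SMTP error mail';            Proto = 'TCP'; Port = 25;   Remote = $MailServer }
    @{ Name = 'NTP time sync';              Proto = 'UDP'; Port = 123;  Remote = $NtpServers }
    @{ Name = 'SNMP traps';                 Proto = 'UDP'; Port = 162;  Remote = $SnmpReceiver }
    @{ Name = 'Monitor Tool status';        Proto = 'TCP'; Port = 6004; Remote = $Satellites }
    @{ Name = 'SystemOverview queries';     Proto = 'TCP'; Port = 7780; Remote = $Satellites }
    @{ Name = 'Media Delivery (Core API)';  Proto = 'TCP'; Port = 7950; Remote = $ApiClients }
    @{ Name = 'SMB to archive server';      Proto = 'TCP'; Port = 445;  Remote = $ArchiveHost }
)

# Remove this group's earlier rules first so re-running the script is idempotent.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($r in $Inbound) {
    New-NetFirewallRule -Group $Group -DisplayName "MynaVoice IN $($r.Port)/$($r.Proto) $($r.Name)" `
        -Direction Inbound -Action Allow -Protocol $r.Proto -LocalPort $r.Port `
        -RemoteAddress $r.Remote -Profile 'Domain,Private' | Out-Null
}
foreach ($r in $Outbound) {
    New-NetFirewallRule -Group $Group -DisplayName "MynaVoice OUT $($r.Port)/$($r.Proto) $($r.Name)" `
        -Direction Outbound -Action Allow -Protocol $r.Proto -RemotePort $r.Port `
        -RemoteAddress $r.Remote -Profile 'Domain,Private' | Out-Null
}

# Read back what was created: direction, protocol/port and the permitted peers per rule.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $pf   = $_ | Get-NetFirewallPortFilter
    $af   = $_ | Get-NetFirewallAddressFilter
    $port = if ($_.Direction -eq 'Inbound') { $pf.LocalPort } else { $pf.RemotePort }
    '{0,-8} {1}/{2,-5} remote={3}' -f $_.Direction, $pf.Protocol, $port, ($af.RemoteAddress -join ',')
}

# Final step, only once every other outbound dependency (AD, DNS, WSUS, antivirus updates)
# has its own rule; this is what makes the OUT rows of the table enforceable:
# Set-NetFirewallProfile -Profile Domain,Private -DefaultInboundAction Block -DefaultOutboundAction Block
```

The same pattern applies to the other role tables in this chapter: copy the rows, keep the direction, and give each one the narrowest RemoteAddress the customer's network allows. The INTERNAL ports get no rule at all, which is correct only if they are not reachable from the network in the first place; confirm that before relying on it.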
Core Server: Additional Ports
Depending on the applications installed on this MynaVoice Core Server, configure the following ports in addition:
Port | Protocol | Direction | Service | Explanation
EMC Archiving
3218 | TCP/UDP | IN/OUT | EMC Archiving | Between Core Server and EMC
Resilience
4251 | TCP | IN/OUT | Core Server Resilience | Connection events
4252 | TCP | IN/OUT | Core Server Resilience | Connection with slave Core Server: failover messages, agent events
4255 | TCP | IN/OUT | Core Server Resilience | When CSR Support Tool is used
Recorder API
8024 | TCP | IN | Cybertech Recorder API | Default port number for TCP/IP remoting connections to the recorder API server
Core API
7001 | TCP | IN | Core API V1 Content Manager | Core Content Manager API
7002 | TCP | IN | CyberTech MAX UserManager | UserManager API
7003 | TCP | IN | Core API V1 UserManager | Core UserManager API
7500 | TCP | IN | Core API V2 Interface | Communication between Fusion and MynaVoice
7702 | TCP | IN | Core API V1 SystemManager | Core SystemManager API
7703 | TCP | IN | Core API V1 SystemManager | MAX SystemManager Client Component
7710 | TCP | IN | Core API V1 SystemManager | Core Recorder Information API
Fusion
Requires all Core API ports, plus:
7004 | HTTP | IN | CyberTech MAX UserManager | Core UserManager JSON API
7711 | TCP | IN | CyberTech MAX SystemManager | Core Recorder Information API
Additional INTERNAL Ports
You do not need to configure these ports in the firewall. Use this information in case of port conflicts.
4250 | TCP | IN | Host communication | If RESILIENCE is applied
7006 | TCP | IN | Core API V1 SystemManager | Fusion - Redundancy API
7701 | TCP | OUT | Core API V1 SystemManager | Fusion - Fetch node configuration
7705 | TCP | IN | Core API V1 UserManager | Fusion - Core SM Client Component
7707 | TCP | IN | CyberTech MAX ContentManager | Fusion - Core SM Client Component
7712 | TCP | IN | Recorder configuration service | To Core API
Table 2-2: Open Port Configuration: Applications on Core Server
Core Server with Channels
Configure the following ports on a MynaVoice Recording Core Server with channels, and a separate dedicated CTI Server.
For a Core Server that has channels and a CTI role installed, see section Core Server with Channels and CTI on page 20.
Port | Protocol | Direction | Service | Explanation
Basic
25 | SMTP | OUT | Error Core | To customer's e-mail server
80 | HTTP | IN | Web Service Client connections | Web User Login. For HTTPS, replace this port by port 443
123 | NTP | OUT | OS (Time sync) | Network Time Synchronization, if applied
162 | UDP | OUT | Error Core | To (any) SNMP traps receiver
443 | HTTPS | IN | Web Service Client connections | Web User Login. For HTTP, replace this port by port 80
445 | TCP | IN/OUT | CyberTech Content Manager Archiving | Communication with archive servers. NOTE: This port belongs to the SMB protocol. SAMBA or Windows networking/file sharing is a service consumed by the Content Manager; its configuration cannot be controlled by MynaVoice.
3306 | TCP | IN | MySQL Service | Database
4245 * | TCP | IN | CTI: CTI Receiver | From Call controller on CTI Server
4345 * | TCP | IN | CTI: Satellite Controller | From Call controller on CTI Server
6001 | TCP | IN | Web Service Client connections | Web User: Real-time play
6002 | UDP | IN/OUT | Web Service Client connections | Web User: Real-time play
6005 | TCP | IN | Web Service Client connections | Web User: Channel overview
7780 | TCP | IN/OUT | SystemOverview.Webservice | Queries Node Agents on MynaVoice systems
7950 | TCP | IN | Connectivity.MediaDelivery.Service | External access of the Media Delivery service by Core API
8007 | TCP | IN | Configuration Management | Port not required if this service is disabled
10002-10401 | UDP | IN | Active IP Recording Audio | On a Core Server with 200 channels. Required number of ports = number of channels * 2. Always start with port 10002
INTERNAL Ports
You do not need to configure these ports in the firewall. Use this information in case of port conflicts.
6003 | TCP | IN | DBI Client | Audio transfer from channels to Core Server
6004 | TCP | OUT | Monitor Tool | Informs Monitor Tool about status of channels
6006 | TCP | IN | DBI Client | Channel overview
7002 | TCP | IN | Fault Manager | SNMP traps and alarms
7800 | TCP | IN | Media Manager | Port must be opened if Compass is installed
8003 | TCP/UDP | IN | Internal WCF communication |
* CTI integrations only. If your recording integration has CDR functionality or a dedicated CDR Server installed, do not configure these ports.
Core Server with Channels: Additional Ports
Depending on the applications installed on this MynaVoice Core Server, configure the following ports in addition:
Port | Protocol | Direction | Service | Explanation
EMC Archiving
3218 | TCP/UDP | IN/OUT | EMC Archiving | Between Core Server and EMC
Resilience
4251 | TCP | IN/OUT | Core Server Resilience | Connection events
4252 | TCP | IN/OUT | Core Server Resilience | Connection with slave Core Server: failover messages, agent events
4255 | TCP | IN/OUT | Core Server Resilience | When CSR Support Tool is used
Recorder API
8024 | TCP | IN | Cybertech Recorder API | Default port number for TCP/IP remoting connections to the recorder API server
Core API
7001 | TCP | IN | Core API V1 Content Manager | Core Content Manager API
7002 | TCP | IN | CyberTech MAX UserManager | UserManager API
7003 | TCP | IN | Core API V1 UserManager | Core UserManager API
7500 | TCP | IN | Core API V2 Interface | Communication between Fusion and MynaVoice
7702 | TCP | IN | Core API V1 SystemManager | Core SystemManager API
7703 | TCP | IN | Core API V1 SystemManager | MAX SystemManager Client Component
7710 | TCP | IN | Core API V1 SystemManager | Core Recorder Information API
Fusion
Requires all Core API ports, plus:
7004 | HTTP | IN | CyberTech MAX UserManager | Core UserManager JSON API
7711 | TCP | IN | CyberTech MAX SystemManager | Core Recorder Information API
Additional INTERNAL Ports
You do not need to configure these ports in the firewall. Use this information in case of port conflicts.
4250 | TCP | IN | Host communication | If RESILIENCE is applied
7006 | TCP | IN | Core API V1 SystemManager | Fusion - Redundancy API
7701 | TCP | OUT | Core API V1 SystemManager | Fusion - Fetch node configuration
7705 | TCP | IN | Core API V1 UserManager | Fusion - Core SM Client Component
7707 | TCP | IN | CyberTech MAX ContentManager | Fusion - Core SM Client Component
7712 | TCP | IN | Recorder configuration service | To Core API
Table 2-3: Open Port Configuration: Applications on Core Server
Core Server with Channels and CTI
Configure the following ports on a MynaVoice Recording Core Server with channels and an integrated CTI ("All-in-One box") installed.
For a Core Server without channels or CTI see section Core Server on page 13.
Port | Protocol | Direction | Service | Explanation
Basic
25 | SMTP | OUT | Error Core | To customer's e-mail server
80 | HTTP | IN | Web Service Client connections | Web User Login. For HTTPS, replace this port by port 443
123 | NTP | OUT | OS (Time sync) | Network Time Synchronization, if applied
162 | UDP | OUT | Error Core | To (any) SNMP traps receiver
443 | HTTPS | IN | Web Service Client connections | Web User Login. For HTTP, replace this port by port 80
6001 | TCP | IN | Web Service Client connections | Web User: Real-time play
6002 | UDP | IN/OUT | Web Service Client connections | Web User: Real-time play
6005 | TCP | IN | Web Service Client connections | Web User: Channel overview
6006 | TCP | IN | DBI Client | Channel overview
7950 | TCP | IN | Connectivity.MediaDelivery.Service | External access of the Media Delivery service by Core API, Compass
8007 | TCP | IN | Configuration Management | NOTE: Port not required if this service is disabled
10002-10401 | UDP | IN | Active IP Recording Audio | On a Core Server with 200 channels. Required number of ports = number of channels * 2. Always start with port 10002
[Integration-specific] | | | CTI Link controller | Refer to vendor-specific integration manual
INTERNAL Ports
You do not need to configure these ports in the firewall. Use this information in case of port conflicts.
3306 | TCP | IN | MySQL Service | Database
4245 * | TCP | OUT | CTI | From Call controller to CTI Receiver
4246 * | TCP | IN/OUT | CTI | Communication between link controller(s) and call controller
4345 * | TCP | OUT | CTI | From Call controller to Satellite Controller
6003 | TCP | IN | DBI Client | Audio transfer from channels to Core Server
6004 | TCP | OUT | Monitor Tool | Informs Monitor Tool about status of channels
7002 | TCP | IN | Fault Manager | SNMP traps and alarms
7780 | TCP | IN/OUT | SystemOverview.Webservice | Queries Node Agent
8003 | TCP/UDP | IN | Internal WCF communication |
Table 2-4: Open Port Configuration: MynaVoice Recording Core Server with Channels and Integrated CTI
* CTI integrations only. If your recording integration has CDR functionality installed, these ports are not present.
Core Server with Channels and CTI: Additional Ports
Depending on the applications installed on this MynaVoice Core Server, configure the following ports in addition:
Port | Protocol | Direction | Service | Explanation
EMC Archiving
3218 | TCP/UDP | IN/OUT | EMC Archiving | Between Core Server and EMC
Resilience
4251 | TCP | IN/OUT | Core Server Resilience | Connection events
4252 | TCP | IN/OUT | Core Server Resilience | Connection with slave Core Server: failover messages, agent events
4255 | TCP | IN/OUT | Core Server Resilience | When CSR Support Tool is used
Recorder API
8024 | TCP | IN | Cybertech Recorder API | Default port number for TCP/IP remoting connections to the recorder API server
Core API
7001 | TCP | IN | Core API V1 Content Manager | Core Content Manager API
7002 | TCP | IN | CyberTech MAX UserManager | UserManager API
7003 | TCP | IN | Core API V1 UserManager | Core UserManager API
7500 | TCP | IN | Core API V2 Interface | Communication between Fusion and MynaVoice
7702 | TCP | IN | Core API V1 SystemManager | Core SystemManager API
7703 | TCP | IN | Core API V1 SystemManager | MAX SystemManager Client Component
7710 | TCP | IN | Core API V1 SystemManager | Core Recorder Information API
Fusion
Requires all Core API ports, plus:
7004 | HTTP | IN | CyberTech MAX UserManager | Core UserManager JSON API
7711 | TCP | IN | CyberTech MAX SystemManager | Core Recorder Information API
Additional INTERNAL Ports
You do not need to configure these ports in the firewall. Use this information in case of port conflicts.
4250 | TCP | IN | Host communication | If RESILIENCE is applied
7006 | TCP | IN | Core API V1 SystemManager | Fusion - Redundancy API
7701 | TCP | OUT | Core API V1 SystemManager | Fusion - Fetch node configuration
7705 | TCP | IN | Core API V1 UserManager | Fusion - Core SM Client Component
7707 | TCP | IN | CyberTech MAX ContentManager | Fusion - Core SM Client Component
7712 | TCP | IN | Recorder configuration service | To Core API
Table 2-5: Open Port Configuration: Applications on Core Server
Core Server with CTI
Configure the following ports on a MynaVoice Recording Core Server without channels, but with a CTI role installed.
For a Core Server without CTI see section Core Server on page 13 or Core Server with Channels on page 17.
Port | Protocol | Direction | Service | Explanation
Basic
25 | SMTP | OUT | Error Core | To customer's e-mail server
80 | HTTP | IN | Web Service Client connections | Web User Login. For HTTPS, replace this port by port 443
123 | NTP | OUT | OS (Time sync) | Network Time Synchronization, if applied
162 | UDP | OUT | Error Core | To (any) SNMP traps receiver
443 | HTTPS | IN | Web Service Client connections | Web User Login. For HTTP, replace this port by port 80
3306 | TCP | IN | MySQL Service | Database
4245 * | TCP | OUT | CTI: Call controller | To CTI Receiver on satellite(s)
4345 * | TCP | OUT | CTI: Call controller | To Satellite Controller on satellite(s)
6003 | TCP | IN | DBI Client | Audio transfer from channels to Core Server
6004 | TCP | OUT | Monitor Tool | Informs Monitor Tool about status of channels
6005 | TCP | IN | Web Service Client connections | Web User: Channel overview
6006 | TCP | IN | DBI Client | Channel overview
7500 | TCP | IN | Core API | Communication between Fusion and MynaVoice Recording
7780 | TCP | IN/OUT | SystemOverview.Webservice | Queries Node Agents on MynaVoice systems
7950 | TCP | IN | Connectivity.MediaDelivery.Service | External access of the Media Delivery service by Core API
8007 | TCP | IN | Configuration Management | NOTE: Port not required if this service is disabled
[Integration-specific] | | | CTI Link controller | Refer to vendor-specific integration manual
INTERNAL Ports
You do not need to configure these ports in the firewall. Use this information in case of port conflicts.
4246 * | TCP | IN/OUT | CTI | Communication between link controller(s) and call controller
7002 | TCP | IN | Fault Manager | SNMP traps and alarms
8003 | TCP/UDP | IN | Internal WCF communication |
Table 2-6: Open Port Configuration: Core Server with Integrated CTI
* CTI integrations only. If your recording integration has CDR functionality or a dedicated CDR Server installed, do not configure these ports.
Core Server with CTI: Additional Ports
Depending on the applications installed on this MynaVoice Core Server, configure the following ports in addition:
Port | Protocol | Direction | Service | Explanation
EMC Archiving
3218 | TCP/UDP | IN/OUT | EMC Archiving | Between Core Server and EMC
Resilience
4251 | TCP | IN/OUT | Core Server Resilience | Connection events
4252 | TCP | IN/OUT | Core Server Resilience | Connection with slave Core Server: failover messages, agent events
4255 | TCP | IN/OUT | Core Server Resilience | When CSR Support Tool is used
Recorder API
8024 | TCP | IN | Cybertech Recorder API | Default port number for TCP/IP remoting connections to the recorder API server
Core API
7001 | TCP | IN | Core API V1 Content Manager | Core Content Manager API
7002 | TCP | IN | CyberTech MAX UserManager | UserManager API
7003 | TCP | IN | Core API V1 UserManager | Core UserManager API
7500 | TCP | IN | Core API V2 Interface | Communication between Fusion and MynaVoice
7702 | TCP | IN | Core API V1 SystemManager | Core SystemManager API
7703 | TCP | IN | Core API V1 SystemManager | MAX SystemManager Client Component
7710 | TCP | IN | Core API V1 SystemManager | Core Recorder Information API
Fusion
Requires all Core API ports, plus:
7004 | HTTP | IN | CyberTech MAX UserManager | Core UserManager JSON API
7711 | TCP | IN | CyberTech MAX SystemManager | Core Recorder Information API
Additional INTERNAL Ports
You do not need to configure these ports in the firewall. Use this information in case of port conflicts.
4250 | TCP | IN | Host communication | If RESILIENCE is applied
7006 | TCP | IN | Core API V1 SystemManager | Fusion - Redundancy API
7701 | TCP | OUT | Core API V1 SystemManager | Fusion - Fetch node configuration
7705 | TCP | IN | Core API V1 UserManager | Fusion - Core SM Client Component
7707 | TCP | IN | CyberTech MAX ContentManager | Fusion - Core SM Client Component
7712 | TCP | IN | Recorder configuration service | To Core API
Table 2-7: Open Port Configuration: Applications on Core Server
Satellite
Configure the following ports on a MynaVoice Recording satellite.
For a satellite combined with a CTI Server, see section Satellite with CTI on One System on page 29.
Port | Protocol | Direction | Service | Explanation
Basic
25 | TCP | OUT | Error Core | SMTP. To e-mail server
123 | UDP | OUT | OS (Time sync) | NTP. Network Time Synchronization, if applied
162 | UDP | OUT | Error Core | To (any) SNMP traps receiver
3306 | TCP | OUT | MySQL Service | Database
4245 * | TCP | IN | CTI Receiver | From Call controller on CTI Server
4251 | TCP | IN/OUT | Core Server Resilience (when applied) | Core Server connection events
4252 | TCP | IN/OUT | Core Server Resilience (when applied) | Agent events
4345 * | TCP | IN | Satellite Controller | From Call controller on CTI Server
6001 | TCP | IN | Web Service Client connections | Web User: Real-time play
6002 | UDP | IN/OUT | Web Service Client connections | Web User: Real-time play
6003 | TCP | OUT | DBI Client | Audio transfer from channels to Core Server
6004 | TCP | IN | Monitor Tool | Informs Monitor Tool about status of channels
6006 | TCP | OUT | DBI Client | Channel overview
7780 | TCP | IN | CyberTech.SystemOverview.NodeAgent | Provides Core Server with information about MynaVoice
7950 | TCP | IN | Connectivity.MediaDelivery.Service | External access of the Media Delivery service by Core API
8007 | TCP | IN | Configuration Management | Listens for inbound messages of configuration management
10002-12001 | UDP | IN | IP Recording Audio | On a satellite with 1000 channels. Required number of ports = number of channels * 2. Always start with port 10002. For example, a satellite with 500 channels requires ports 10002-11001 to be opened.
INTERNAL Ports
No internal ports
Table 2-8: Open Port Configuration: Satellite
* CTI integrations only. If your recording integration has CDR functionality or a dedicated CDR Server installed, do not configure these ports.
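The channel-count rule for the IP Recording audio range (number of channels * 2, always starting at port 10002) as a PowerShell function, together with the Windows Firewall rule that opens the computed range for UDP. This is an added example and not part of the MynaVoice manual; the channel count and the audio source network are assumptions for illustration. The function reproduces the worked values in the tables (200 channels: 10002-10401; 500: 10002-11001; 1000: 10002-12001) and rejects a count that would run past the UDP port space. The same formula applies to the Core Server with Channels and to a satellite with CTI.

```powershell
#Requires -RunAsAdministrator
# Added example (not MynaVoice code): compute the Active IP Recording audio port range
# for a satellite from its channel count (Table 2-8) and open it for UDP from the audio
# sources only. Channel count and source network below are assumed placeholders.

function Get-IpRecordingPortRange {
    param([Parameter(Mandatory)][int]$Channels)
    if ($Channels -lt 1) { throw 'Channel count must be at least 1' }
    $first = 10002                              # the manual: always start at 10002
    $last  = $first + ($Channels * 2) - 1       # two ports per channel, inclusive range
    if ($last -gt 65535) { throw "$Channels channels would need ports up to $last, beyond 65535" }
    [pscustomobject]@{
        Channels = $Channels
        First    = $first
        Last     = $last
        Ports    = $last - $first + 1
        Range    = "$first-$last"               # the form New-NetFirewallRule -LocalPort accepts
    }
}

# The three channel counts the tables use as worked examples.
200, 500, 1000 | ForEach-Object { Get-IpRecordingPortRange -Channels $_ } | Format-Table -AutoSize

$Channels     = 500                 # assumed: channels licensed on this satellite
$AudioSources = @('10.30.0.0/24')   # assumed: network the audio streams arrive from
$Group        = 'MynaVoice Recording - Satellite'
$range        = Get-IpRecordingPortRange -Channels $Channels

# Replace any earlier audio rule, so a reduced channel count does not leave a stale,
# wider range open.
Get-NetFirewallRule -Group $Group -DisplayName 'MynaVoice IN UDP IP Recording audio*' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -Group $Group -DisplayName "MynaVoice IN UDP IP Recording audio ($Channels channels, $($range.Range))" `
    -Direction Inbound -Action Allow -Protocol UDP -LocalPort $range.Range `
    -RemoteAddress $AudioSources -Profile 'Domain,Private' | Out-Null

# Read back the UDP port filter the firewall now holds for this group.
Get-NetFirewallRule -Group $Group | Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'UDP' } | Select-Object Protocol, LocalPort
```

Opening the range only from the audio sources matters more here than for the TCP ports: the audio range is large, UDP, and inbound on every satellite, so an unscoped rule is the widest hole in the whole configuration.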
Satellite: Additional Ports
Depending on the applications installed on this satellite, configure the following ports in addition:
Port | Protocol | Direction | Service | Explanation
Archiving
For archiving, no ports are configured on a satellite
Resilience
4251 | TCP | IN | Core Server Resilience | Keep-alive messages
4252 | TCP | OUT | Core Server Resilience | Failover messages
Fusion
For Fusion, no ports are configured on a satellite
Additional INTERNAL Ports
You do not need to configure these ports in the firewall. Use this information in case of port conflicts.
4250 | TCP | IN | Host communication | If RESILIENCE is applied
Table 2-9: Open Port Configuration: Satellite - Additional Ports
Satellite with CTI on One System
Configure the following ports on a MynaVoice Recording satellite that also hasthe CTI role installed.
For channels with integrated CTI on a Core Server, see section Core Server withChannels and CTI on page 20.
Port | Protocol | Direction | Service | Explanation
Basic
25 | TCP | OUT | Error Core | SMTP. To e-mail server
80 | TCP | IN | Web Service Client connections, HTTP | Configure this port only if the Open Call Controller Interface (OCCI) is installed. For HTTPS, replace this port by port 443
123 | TCP | OUT | OS (Time sync) | Network Time Synchronization, if applied
162 | UDP | OUT | Error Core | To (any) SNMP traps receiver
443 | TCP | OUT | Web Service Client connections, HTTPS | Configure this port only if the Open Call Controller Interface (OCCI) is installed. For HTTP, replace this port by port 80
3306 | TCP | OUT | MySQL Service | Database
6001 | TCP | IN | Web Service Client connections | Web User: Real-time play
6002 | UDP | IN/OUT | Web Service Client connections | Web User: Real-time play
6003 | TCP | OUT | DBI Client | Audio transfer from channels to Core Server
6004 | TCP | IN | Monitor Tool | Informs Monitor Tool about status of channels
6006 | TCP | OUT | DBI Client | Channel overview
7780 | TCP | IN | CyberTech.SystemOverview.NodeAgents | Provides Core Server with information about MynaVoice.
7950 | TCP | IN | Connectivity.MediaDelivery.Service | External access of the MediaDelivery service by Core API
8007 | TCP | IN | ConfigurationManagement | Listens for inbound messages of Configuration Management
10002–12001 | UDP | IN | Active IP Recording Audio | On a satellite with 1000 channels. Required number of ports = number of channels * 2. Always start with port 10002. For example, a satellite with 500 channels requires ports 10002 - 11001 to be opened.
[Integration-specific] | | | CTI Link controller | Refer to vendor-specific integration manual
INTERNAL Ports
You do not need to configure these ports in the firewall. Use this information in case of port conflicts.
4245 * | TCP | OUT | CTI | From Call controller to CTI Receiver
4246 * | TCP | IN/OUT | | Communication between link controller(s) and call controller
4345 * | TCP | OUT | CTI | From Call controller to Satellite Controller
7002 | TCP | IN | Fault Manager | SNMP traps and alarms
Table 2-10: Open Port Configuration: Satellite with CTI Server
* CTI integrations only. If your recording integration has a CDR functionality or dedicated CDR Server installed, do not configure these ports.
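The audio port-range rule in Tables 2-8 and 2-10 (channels * 2, always starting at 10002) and the Basic rows of Table 2-10, turned into Windows Defender Firewall rules as an added PowerShell example; this is not code from the manual or from the vendor. It assumes the NetSecurity module (Windows Server 2012 or later), a firewall that is managed locally rather than by Group Policy, and placeholder addresses for the Core Server and the client network.

```powershell
# Added example; not part of the MynaVoice hardening manual or the vendor's tooling.
# Builds Windows Defender Firewall rules for a satellite with CTI from Table 2-10.
# Assumes the NetSecurity module (Windows Server 2012 or later) and a locally managed firewall.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest

function Get-SatelliteAudioPortRange {
    # Table 2-10: required UDP ports = number of channels * 2, always starting at 10002.
    # The documented range 10002-12001 corresponds to 1000 channels, hence the upper bound.
    param([Parameter(Mandatory)][ValidateRange(1, 1000)][int]$ChannelCount)
    $first = 10002
    $last  = $first + ($ChannelCount * 2) - 1
    "$first-$last"        # 500 channels gives "10002-11001", the table's own example
}

function New-MynaVoiceFirewallRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Inbound', 'Outbound')][string]$Direction,
        [Parameter(Mandatory)][ValidateSet('TCP', 'UDP')][string]$Protocol,
        [Parameter(Mandatory)][string]$Port,
        [string[]]$RemoteAddress = 'Any'   # narrow to the peer (Core Server, client LAN) where you can
    )
    $displayName = "MynaVoice Satellite - $Name"
    # Idempotent: replace a rule of the same name instead of stacking duplicates.
    Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    $rule = @{
        DisplayName   = $displayName
        Group         = 'MynaVoice Recording'
        Direction     = $Direction
        Protocol      = $Protocol
        RemoteAddress = $RemoteAddress
        Action        = 'Allow'
        Profile       = @('Domain', 'Private')
    }
    # An IN row is a port this server listens on; an OUT row is the port on the remote peer.
    if ($Direction -eq 'Inbound') { $rule.LocalPort = $Port } else { $rule.RemotePort = $Port }
    New-NetFirewallRule @rule | Out-Null
}

function Set-MynaVoiceSatelliteCtiRules {
    # Applies the 'Basic' and IP-recording rows of Table 2-10. Left out on purpose: the INTERNAL
    # ports (4245/4246/4345/7002), which need no firewall configuration, and the OCCI rows
    # (80/443), which apply only when the Open Call Controller Interface is installed.
    param(
        [Parameter(Mandatory)][int]$ChannelCount,
        [Parameter(Mandatory)][string]$CoreServer,   # address of the Core Server
        [string[]]$ClientNetwork = 'Any'             # web users doing real-time play
    )
    $audio = Get-SatelliteAudioPortRange -ChannelCount $ChannelCount
    New-MynaVoiceFirewallRule -Name 'IP recording audio'        -Direction Inbound  -Protocol UDP -Port $audio
    New-MynaVoiceFirewallRule -Name 'Real-time play (TCP)'      -Direction Inbound  -Protocol TCP -Port 6001 -RemoteAddress $ClientNetwork
    New-MynaVoiceFirewallRule -Name 'Real-time play (UDP in)'   -Direction Inbound  -Protocol UDP -Port 6002 -RemoteAddress $ClientNetwork
    New-MynaVoiceFirewallRule -Name 'Real-time play (UDP out)'  -Direction Outbound -Protocol UDP -Port 6002 -RemoteAddress $ClientNetwork
    New-MynaVoiceFirewallRule -Name 'Monitor Tool status'       -Direction Inbound  -Protocol TCP -Port 6004
    New-MynaVoiceFirewallRule -Name 'SystemOverview NodeAgent'  -Direction Inbound  -Protocol TCP -Port 7780 -RemoteAddress $CoreServer
    New-MynaVoiceFirewallRule -Name 'MediaDelivery (Core API)'  -Direction Inbound  -Protocol TCP -Port 7950 -RemoteAddress $CoreServer
    New-MynaVoiceFirewallRule -Name 'ConfigurationManagement'   -Direction Inbound  -Protocol TCP -Port 8007 -RemoteAddress $CoreServer
    New-MynaVoiceFirewallRule -Name 'SMTP to e-mail server'     -Direction Outbound -Protocol TCP -Port 25
    New-MynaVoiceFirewallRule -Name 'Time sync'                 -Direction Outbound -Protocol TCP -Port 123    # protocol as listed in the table
    New-MynaVoiceFirewallRule -Name 'SNMP traps'                -Direction Outbound -Protocol UDP -Port 162
    New-MynaVoiceFirewallRule -Name 'MySQL database'            -Direction Outbound -Protocol TCP -Port 3306 -RemoteAddress $CoreServer
    New-MynaVoiceFirewallRule -Name 'DBI audio transfer'        -Direction Outbound -Protocol TCP -Port 6003 -RemoteAddress $CoreServer
    New-MynaVoiceFirewallRule -Name 'DBI channel overview'      -Direction Outbound -Protocol TCP -Port 6006 -RemoteAddress $CoreServer
}

function Get-MynaVoiceFirewallRuleSummary {
    # Read back what is actually in place so it can be checked row by row against the table.
    Get-NetFirewallRule -Group 'MynaVoice Recording' | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule = $_.DisplayName; Direction = $_.Direction; Protocol = $pf.Protocol
            LocalPort = $pf.LocalPort; RemotePort = $pf.RemotePort
            Remote = ($af.RemoteAddress -join ','); Enabled = $_.Enabled
        }
    }
}

# Constructed example: a 500-channel satellite; 10.0.0.10 is a placeholder Core Server address.
Set-MynaVoiceSatelliteCtiRules -ChannelCount 500 -CoreServer '10.0.0.10'
Get-MynaVoiceFirewallRuleSummary | Sort-Object Direction, Rule | Format-Table -AutoSize
```

Compare the summary output against the table before closing the change: every IN row should appear as a LocalPort and every OUT row as a RemotePort, and a rule with Remote 'Any' is a candidate for narrowing once the peer's address is known.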
Satellite with CTI: Additional Ports
Depending on the applications installed on this server, configure the following ports in addition:
Port | Protocol | Direction | Service | Explanation
Archiving
For archiving, no ports are configured on a satellite
Resilience
4251 | TCP | IN | Core Server Resilience | Keep-alive messages
4252 | TCP | OUT | Core Server Resilience | Failover message
N+1 CTI Server Resilience requires dedicated CTI Servers. It cannot be applied in this configuration.
For Sentinel, no ports are configured on a satellite plus CTI
Fusion
For Fusion, no ports are configured on a satellite plus CTI
Additional INTERNAL Ports
You do not need to configure these ports in the firewall. Use this information in case of port conflicts.
4252 | TCP | IN | Failover message | If RESILIENCE is applied
4250 | TCP | IN | Host communication | If RESILIENCE is applied
Table 2-11: Open Port Configuration: Satellite with CTI Server - Additional Ports
CTI Server
Configure the following ports on a separate dedicated MynaVoice Recording CTI Server.
Port | Protocol | Direction | Service | Explanation
Basic
80 | TCP | IN | Web Service Client connections, HTTP | Configure this port only if the Open Call Controller Interface (OCCI) is installed. For HTTPS, replace this port by port 443
123 | TCP | OUT | Customer LAN | Network Time Synchronization, if applied
162 | UDP | OUT | Fault Manager | To (any) SNMP traps receiver
443 | TCP | OUT | Web Service Client connections, HTTPS | Configure this port only if the Open Call Controller Interface (OCCI) is installed. For HTTP, replace this port by port 80
3306 | TCP | OUT | MySQL Service | Database
4245 | TCP | OUT | CTI: Call controller | To CTI Receiver on satellite(s)
4345 | TCP | OUT | CTI: Call controller | To Satellite Controller on satellite(s)
7780 | TCP | IN/OUT | CyberTechSystemOverview.NodeAgent | Provides Core Server with information about MynaVoice.
8007 | TCP | IN | ConfigurationManagement | Listens for inbound messages of Configuration Management
[Integration-specific] | | | CTI Link controller | Refer to vendor-specific integration manual
INTERNAL Ports
4246 | TCP | IN/OUT | | Communication between link controller(s) and call controller
7002 | TCP | IN | Fault Manager | SNMP traps and alarms
Table 2-12: Open Port Configuration: Dedicated CTI Server
CTI Server: Additional Ports
Depending on the applications installed on this CTI Server, configure the following ports in addition:
Port | Protocol | Direction | Service | Explanation
Archiving
For archiving, no ports are configured on a CTI server
Resilience
4250 | TCP | IN | N+1 CTI Server Resilience | Host Communication
4251 | TCP | IN | Core Server Resilience | Keep-alive messages
4252 | TCP | IN/OUT | N+1 CTI Server Resilience | Failover messages
4350 | TCP | IN/OUT | N+1 CTI Server Resilience | Channel Synchronization
Core API
For Core API, no ports are configured on a CTI server
Fusion
For Fusion, no ports are configured on a CTI server
Table 2-13: Open Port Configuration: CTI Server - Additional Ports
CDR Server
Configure the following ports on a dedicated MynaVoice Recording CDR Server.
Port | Protocol | Direction | Service | Explanation
Basic
80 | TCP | IN | Web Service Client connections, HTTP | Configure this port only if the Open Call Controller Interface (OCCI) is installed.
123 | TCP | OUT | Customer LAN | Network Time Synchronization, if applied
162 | UDP | OUT | Fault Manager | To (any) SNMP traps receiver
3306 | TCP | OUT | MySQL Service | Database, Monitor Tool
7002 | TCP | IN | Fault Manager | SNMP traps and alarms
INTERNAL Ports
No internal ports
Table 2-14: Open Port Configuration: Dedicated CDR Server
CDR Server: Additional Ports
For additional applications installed on this CDR Server, no ports have to be configured.
Fusion Server
Configure the following ports on a Fusion server.
NOTE: Before version 2.0, Fusion was known as 'Distributed Recording' (NDR).
Port | Protocol | Direction | Service | Explanation
Basic
80 | HTTP | IN | Fusion Website | Connect to Fusion from web client. For HTTPS, replace this port by port 443
88 | HTTP | IN | Fusion Website | Always used in combination with port 80 (HTTP) or 443 (HTTPS)
162 | UDP | OUT | CyberTechAlarmingV2Service | To (any) SNMP traps receiver
443 | HTTPS | IN | Fusion Website (secure) | Secure connection to Fusion from web client
1433 | TCP | OUT | MS SQL Server | Database
7000 | TCP | IN | CyberTechMAXContentManager | Content Manager API
7001 | TCP | IN/OUT | CyberTechMAXContentManager | Core Content Manager API
7003 | TCP | OUT | CyberTechMAXUserManager | Core UserManager API
7005 | TCP | IN | CyberTechMAXAuditManager | Audit Manager API
7701 | TCP | IN | CyberTechMAXSystemManager | SystemManager API
7703 | TCP | OUT | CyberTechMAXSystemManager | Notify core with MAX presence and retrieve state
7710 | TCP | OUT | CyberTechMAXSystemManager | Retrieve Recorder Information with Sentinel
7011 | TCP | IN | CyberTechMAXSystemManager | Core Recorder Information API
7711 | TCP | IN | CyberTechMAXSystemManager | Recorder Information API
INTERNAL Ports Basic
You do not need to configure these ports in the firewall. Use this information in case of port conflicts.
7704 | TCP | IN | CyberTechMAXUserManager | MAX SM Client Component
7706 | TCP | IN | CyberTechMAXContentManager | MAX SM Client Component
7708 | TCP | IN | CyberTechMAXWebsite | MAX SM Client Component
7709 | TCP | IN | CyberTechMAXAuditManager | MAX SM Client Component
Table 2-1: Open Port Configuration: MynaVoice Fusion Server
3: Antivirus and 3rd Party Software Exclusions
This chapter describes the locations and files you must exclude from antivirus checks, and from the actions of other third party software. This software can be, for instance, tooling that performs local file actions such as backups.
MynaVoice Recording 6.7 is compatible with any antivirus software.
Introduction
Antivirus software is intended to prevent malicious software from invading your computer or network, known as real-time protection. Antivirus software should also detect and remove malicious software before it does any harm, by planned scanning of systems.
The activities of antivirus software can seriously impact your computer's performance. The audio files of calls in progress, for example, are continuously changing. For real-time protection the antivirus software scans a file whenever it changes. With many calls in progress, this interferes with the functioning of the Recording Service and downgrades its performance.
For this reason you have to exclude the recording-related files and locations from antivirus checks.
Planned system scans can be performed only when recording traffic is (very) low, always outside office hours.
Important! Never perform a full-system scan or full-system backup! When scanning or backing up the system, you always have to set the file exclusions indicated below.
Backing up the MynaVoice Recording Database (using the Import/Export Database Settings tool) is not allowed while the system is recording.
Setting the exclusions
Present the list(s) of settings to the customer's system/network administrator.
Antivirus and Other Software Exceptions
Important! Only an authorized person is allowed to configure these settings.
In your application, you must exclude the following files and locations from real-time protection. Only exclude the files mentioned below, no other files!
Planned scans can be performed on these files and locations, but only outside office hours.
Important! Always perform system scans on MynaVoice Recording and updates outside office hours.
MynaVoice Core Server (With or Without Channels or CTI)
All paths show the default drive 'C:'. This is defined during setup, and can be a different drive.
Location | Files to be excluded
The locations containing the recording system and integration software: 'C:\Program Files\CyberTech', all folders | This folder contains the following exe files, stored in subfolders (Core Server):
    Compass.RecorderSso.Service.exe
    Connectivity.CaptureApi.Service.exe
    CyberTech.CoreApi.Service.exe
    CyberTech.FaultManager.WindowsService.exe
    CyberTech.MediaManager.Service.exe
    CyberTech.MonitorTool.WpfApplication.exe
    CyberTech.ContentManager.Archiving.WindowsService.exe
    CyberTech.ContentManager.Storage.WindowsService.exe
    DatabaseInterfaceServer.exe
    monitor.exe
    SystemOverview.NodeAgent.Service.exe
    CyberTech.UserManager.Service.exe
    In addition, if the Core Server has channels: Connectivity.MediaDelivery.Service.exe
    In addition, if CTI is installed on the Core Server: CallController.exe, RegAsm.exe
    In addition, if CTI Resilience is applied: CyberTech.CTIResilienceManager.exe, CyberTech.CTIServerResilienceAgent.exe
'C:\Program Files (x86)\CyberTech', all folders | This folder contains the following exe files, stored in subfolders (Core Server):
    filebeat.exe
    Recorder.HistoricalIngestionAgent.Service.exe
    LogClean.exe
    controllerservice.exe
    myodbc3c.exe
    myodbc3i.exe
    myodbc3m.exe
    CyberTech.SystemManager.Configuration.WindowsService.exe
    In addition, if the Core Server has channels: ModularLicensing.exe, monitor.exe, MaintenanceTool.exe, ParrotDscAPIDemo.exe, parrotLT.exe, Programmer.exe, CTI_Receiver.exe, DatabaseInterfaceClient.exe, DSCService.exe, RegAsm.exe, RecordingService.exe, CyberTech.Resilience.DBIService.exe
    In addition, if CTI is installed on the Core Server: ServiceMonitor.exe, CallController.exe, RegAsm.exe
    In addition, if Core Server Resilience is applied: CyberTech.CSRClientConfigTool.exe, CyberTech.ResilienceConnectionManager.exe
The locations containing the recording system and integration DLL files: 'C:\Program Files\Common Files\CyberTech', 'C:\Program Files (x86)\Common Files\CyberTech' | DLL files
The audio folders: 'C:\ProgramData\CyberTech\Content\...' (the 'Content' folder has subfolders named 'audioX'; these folders have subfolders with dates as their names) | *.wav files
The VoIP INI file location: 'C:\ProgramData\CyberTech\INI_Files\VoIP' | *.ini files
The Filebeat configuration files location: 'C:\ProgramData\CyberTech\INI_Files\Filebeat' | Filebeat_transaction_registry.json, Filebeat_transaction_registry.json.old
MynaVoice Recording database folders: 'C:\ProgramData\CyberTech\mySQL\Data\mysql' | file types: *.frm, *.myd, *.myi
'C:\ProgramData\CyberTech\CallDataCache\...' | all files in all subfolders (*.*)
MynaVoice Recording log files folder: 'C:\logfiles', including folder 'C:\logfiles\InteractionAuditLog' | file types *.log, *.txt, *.zip
'C:\inetpub\...' | all files in all subfolders (*.*)
If the Core Server has channels: the temporary recording folder 'C:\ProgramData\CyberTech\RecordingBuffer' | file types: *.da_, *.dat1, *.dat1_, *.dat2, *.dat2_, *.dat3, *.dat3_, *.wa_, *.wav
If the Core Server has channels and/or CTI: the temporary call data folder 'C:\ProgramData\CyberTech\CallDataCache\...' | all *.xml files in all subfolders
If you use local archiving, on the local archive: | [drive]:\*.dat; [drive]:\*.html (incl. subfolders); [drive]:\*.wav (incl. subfolders); [drive]:\*.csv (incl. subfolders)
Table 3-1: Exclude on MynaVoice Core Server
Depending on the type of integration deployed, some executable files from Program Files can be found in Program Files (x86) and vice versa.
With MySQL:
Location | Files to be excluded
If applicable, all MySQL binary files: 'C:\Program Files\CyberTech' | *.exe
This folder contains the following exe files:
    echo.exe
    innochecksum.exe
    myisamchk.exe
    myisamlog.exe
    myisampack.exe
    myisam_ftdump.exe
    mysql.exe
    mysqladmin.exe
    mysqlbinlog.exe
    mysqlcheck.exe
    mysqld.exe
    mysqldump.exe
    mysqlimport.exe
    mysqlshow.exe
    mysqlslap.exe
    mysqltest.exe
    mysqltest_embedded.exe
    mysql_client_test.exe
    mysql_client_test_embedded.exe
    mysql_config_editor.exe
    mysql_embedded.exe
    mysql_plugin.exe
    mysql_tzinfo_to_sql.exe
    mysql_upgrade.exe
    my_print_defaults.exe
    perror.exe
    replace.exe
    resolveip.exe
Table 3-2: Exclude on MynaVoice CTI Server
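The Core Server locations of Table 3-1, together with the requirement above that only the listed files are excluded, as an added PowerShell example; it is not code from the manual or from the vendor. It applies the locations as Microsoft Defender Antivirus exclusions and then reports drift in both directions. Defender and its Add-MpPreference/Get-MpPreference cmdlets are an assumption: the manual only states that MynaVoice Recording is compatible with any antivirus software.

```powershell
# Added example; not part of the MynaVoice hardening manual or the vendor's tooling.
# Applies the Table 3-1 Core Server locations as Microsoft Defender Antivirus exclusions and then
# reports drift in both directions. Defender (Add-MpPreference/Get-MpPreference) is an assumption:
# the manual only states that MynaVoice Recording is compatible with any antivirus software.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest

function Get-MynaVoiceCoreExclusionPaths {
    param(
        [string]$InstallDrive = 'C:',   # the manual's default drive; setup may have chosen another
        [switch]$HasChannels,           # adds the temporary recording folder (channels only)
        [string]$LocalArchiveDrive      # e.g. 'E:' when local archiving is in use
    )
    $paths = @(
        "$InstallDrive\Program Files\CyberTech"
        "$InstallDrive\Program Files (x86)\CyberTech"
        "$InstallDrive\Program Files\Common Files\CyberTech"
        "$InstallDrive\Program Files (x86)\Common Files\CyberTech"
        "$InstallDrive\ProgramData\CyberTech\Content"            # table: *.wav under audioX\<date>
        "$InstallDrive\ProgramData\CyberTech\INI_Files\VoIP"     # table: *.ini
        "$InstallDrive\ProgramData\CyberTech\INI_Files\Filebeat" # table: the two registry .json files
        "$InstallDrive\ProgramData\CyberTech\mySQL\Data\mysql"   # table: *.frm, *.myd, *.myi
        "$InstallDrive\ProgramData\CyberTech\CallDataCache"      # table: all files / *.xml
        "$InstallDrive\logfiles"                                 # table: *.log, *.txt, *.zip
        "$InstallDrive\inetpub"
    )
    if ($HasChannels)       { $paths += "$InstallDrive\ProgramData\CyberTech\RecordingBuffer" }
    if ($LocalArchiveDrive) { $paths += "$LocalArchiveDrive\" }
    $paths
}

function Set-MynaVoiceDefenderExclusions {
    param([Parameter(Mandatory)][string[]]$Paths)
    Add-MpPreference -ExclusionPath $Paths     # appends; existing exclusions are kept
}

function Compare-MynaVoiceDefenderExclusions {
    # The manual: "Only exclude the files mentioned below, no other files!" - so report both
    # table entries that are missing and exclusions that are not in the table.
    param([Parameter(Mandatory)][string[]]$ExpectedPaths)
    $pref     = Get-MpPreference
    $norm     = { param($s) $s.TrimEnd('\').ToLowerInvariant() }
    $expected = @($ExpectedPaths | ForEach-Object { & $norm $_ })
    $actual   = @(@($pref.ExclusionPath) | Where-Object { $_ } | ForEach-Object { & $norm $_ })
    foreach ($p in $expected) {
        if ($actual -notcontains $p) { [pscustomobject]@{ Finding = 'Missing'; Type = 'Path'; Value = $p } }
    }
    foreach ($p in $actual) {
        if ($expected -notcontains $p) { [pscustomobject]@{ Finding = 'Not in Table 3-1'; Type = 'Path'; Value = $p } }
    }
    # A global extension exclusion (every *.wav on the machine) is wider than the table's per-folder scope.
    foreach ($e in @($pref.ExclusionExtension)) {
        if ($e) { [pscustomobject]@{ Finding = 'Not in Table 3-1'; Type = 'Extension'; Value = $e } }
    }
}

$expected = Get-MynaVoiceCoreExclusionPaths -HasChannels
Set-MynaVoiceDefenderExclusions -Paths $expected
Compare-MynaVoiceDefenderExclusions -ExpectedPaths $expected | Format-Table -AutoSize
```

A folder exclusion is broader than the table's file-type scope (for example only *.wav under Content, only *.frm/*.myd/*.myi under the database folder); where your antivirus product can scope an exclusion by path and extension together, prefer that form.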
MynaVoice Satellite
All paths show the default drive 'C:'. This is defined during setup, and can be a different drive.
Location | Files to be excluded
The locations containing the recording system and integration software: 'C:\Program Files\CyberTech', all folders |
This folder contains the following exe files, stored in subfolders:
    SystemOverview.NodeAgent.Service.exe
    Connectivity.MediaDelivery.Service.exe
    CyberTech.FaultManager.WindowsService.exe
    CyberTech.MonitorTool.WpfApplication.exe
The locations containing the recording system and integration software: 'C:\Program Files (x86)\CyberTech', all folders | This folder contains the following exe files, stored in subfolders:
    CyberTech.FaultManager.WindowsService.exe
    CyberTech.MonitorTool.WpfApplication.exe
    ModularLicensing.exe
    monitor.exe
    MaintenanceTool.exe
    ParrotDscAPIDemo.exe
    parrotLT.exe
    Programmer.exe
    controllerservice.exe
    CTI_Receiver.exe
    DatabaseInterfaceClient.exe
    DSCService.exe
    RegAsm.exe
    RecordingService.exe
    In addition, if Core Server Resilience is applied: CyberTech.CSRClientConfigTool.exe, CyberTech.ResilienceConnectionManager.exe, CyberTech.Resilience.DBIService.exe
The locations containing the recording system and integration DLL files: 'C:\Program Files\Common Files\CyberTech', 'C:\Program Files (x86)\Common Files\CyberTech' | DLL files
The VoIP INI file location: 'C:\ProgramData\CyberTech\INI_Files\VoIP' | *.ini files
MynaVoice Recording temporary directory: 'C:\tmp' | all files
The temporary recording folder 'C:\ProgramData\CyberTech\Recording Buffer' | file types: *.da_, *.dat1, *.dat1_, *.dat2, *.dat2_, *.dat3, *.dat3_, *.wa_, *.wav
The temporary call data folder 'C:\ProgramData\CyberTech\CallDataCache\...' | all *.xml files in all subfolders
MynaVoice Recording log files folder: 'C:\logfiles' | file types *.log, *.txt, *.zip
Table 3-3: Antivirus - Exclude on MynaVoice Satellite
Depending on the type of integration deployed, some executable files from Program Files can be found in Program Files (x86) and vice versa.
MynaVoice CTI Server
All paths show the default drive 'C:'. This is defined during setup, and can be a different drive.
Location | Files to be excluded
The locations containing the recording system and integration software: 'C:\Program Files\CyberTech', all folders | This folder contains the following exe files, stored in subfolders:
    CyberTech.FaultManager.WindowsService.exe
    In addition, if CTI Resilience is applied: CyberTech.CTIResilienceManager.exe, CyberTech.CTIServerResilienceAgent.exe
The locations containing the recording system and integration software: 'C:\Program Files (x86)\CyberTech', all folders | This folder contains the following exe files, stored in subfolders:
    CallController.exe
    RegAsm.exe
    In addition, if Core Server Resilience is applied: CyberTech.CSRClientConfigTool.exe, CyberTech.ResilienceConnectionManager.exe
The locations containing the recording system and integration DLL files: 'C:\Program Files (x86)\CyberTech', 'C:\Program Files (x86)\Common Files\CyberTech' | DLL files
The Call Data Records folder: 'C:\ProgramData\CyberTech\CallDataCache' | all *.xml files in all subfolders
The MynaVoice Recording log files folder: 'C:\logfiles' | file types *.log, *.txt, *.zip
Table 3-4: Exclude on MynaVoice CTI Server
Depending on the type of integration deployed, some executable files from Program Files can be found in Program Files (x86) and vice versa.
MynaVoice Fusion Server
All paths show the default drive 'C:'. This is defined during setup, and can be a different drive.
Location | Files to be excluded
C:\Program Files (x86)\Cybertech\Alarming |
C:\Program Files (x86)\Cybertech\MAX |
The Fusion log files folder: 'C:\logfiles' | file types *.log, *.txt, *.zip
Table 3-5: Exclude on Fusion Server
4: System Hardening
This chapter describes procedures to harden the operating system of the MynaVoice Recording servers and secure the communication between them.
Customizing these servers must always be in accordance with the customer's hardening and security policies.
Usually, when hardening, customers disable unnecessary services.
This chapter provides a full listing of all required services, to prevent them from being inadvertently or deliberately disabled.
Important! Always consult with the system administrator before applying hardening procedures.
Topics:
Installed MynaVoice Recording Services 46
MynaVoice Recording Services - Core Server 48
MynaVoice Recording Services - Satellite 50
MynaVoice Recording Services - CTI Server 51
Required Windows Services 52
Windows Data Execution Prevention (DEP) 54
SMB Signing 54
E-mail Filtering 54
Local or Group Policy Security Settings 55
Group Policy Security Settings 55
Local Security Settings 56
Enabling IPsec Encryption 58
Configure Transport Encryption for File Shares 69
Installed MynaVoice Recording Services
MynaVoice Recording, its integrations, resilience and other applications all require their specific services, installed on the MynaVoice servers by the setup.
Important! All installed MynaVoice Recording services are vital to proper functioning of the recording integration, and must not be disabled or uninstalled.
'CyberTech' services
The basic MynaVoice services have a display name that starts with 'CyberTech', a former MynaVoice Recording brand name, as you can see in the Windows Services Manager (Windows Start > Administrative Tools).
Figure 4-1: Example of Basic 'CyberTech' Services in Windows Services Manager
Figure 4-2: Example of Basic 'CyberTech' Services in Monitor Tool
NOTE: The old type Monitor Tool displays these services without the prefix 'CyberTech'.
The new type Monitor Tool offers you the option to display other services in this listing:
File > Settings, tab Services > field Monitored Services, enter (part of) the name of the service. Entries are case sensitive! Start each entry on a new line.
Which services are present on your servers depends on your MynaVoice configuration and the installed applications. The section below contains listings of all possible MynaVoice Recording services.
MynaVoice Recording Services - Core Server
MynaVoice Recording deploys the following services on a Core Server with Recording Channels and an integrated CTI Server. Services are listed by their display name.
Depending on your configuration, not all listed services might be available.
You can also use the list for a Core Server without channels and/or without CTI. Services on the Core Server that are specific for channels or CTI are marked in the column 'Purpose', and have a background color.
Prefix | Service | Purpose | Remark
CT | Core Server Resilience Management | Core Server Resilience | Only when CSR is installed
CT | Core Server Resilience Agent | Core Server Resilience | Only when CSR is installed
CyberTech | Call Controller | CTI |
CyberTech | CDR Processor for [vendor] | CDR |
CyberTech | ConfigurationManagement | | Disabled by default
CyberTech | Connectivity Capture API | Core |
CyberTech | Connectivity Media Delivery | Channels |
CyberTech | Content Manager - Archiving | Archiving |
CyberTech | Content Manager - Storage | Archiving |
CyberTech | Controller Service | |
CyberTech | Core API | Core API | As from MynaVoice 6.7 PL1, Core API is installed by default. Latest version: 3.3.x
CyberTech | CTI Processor for [vendor] | CTI |
CyberTech | CTI/CDR Processor for [vendor] | CTI |
CyberTech | CTI Receiver | Channels |
CyberTech | Database Interface Client | Channels |
CyberTech | Database Interface Server | |
CyberTech | DSC Service | Channels |
CyberTech | Fault Manager | |
CyberTech | Filebeat service | | Always installed by MynaVoice setup.
CyberTech | Generic SipServer | CTI | Service for generic SIP Server link controller
CyberTech | HistoricalIngestionAgent service | | As from MynaVoice 6.7.1, always installed by MynaVoice setup.
CyberTech | Licensing Service | Channels | Dependent on DSC Service
CyberTech | Link Controller [vendor] | CTI | Service for connectivity to telephony or trading system
CyberTech | LogClean service | | Always installed by MynaVoice setup. Must be configured.
CyberTech | MAX Content Manager | Core API | Used by Fusion. Service name: CyberTechMediaManager
CyberTech | MAX SystemManager | Core API | Used by Fusion
CyberTech | MAX UserManager | Core API | Used by Fusion
CyberTech | Open Call Controller Webservice | CTI: OCC Interface | If installed. Not displayed in the list, appears as a website in IIS.
CyberTech | Recording Service | Channels |
CyberTech | Resilience Database Interface | Core Server Resilience |
CyberTech | Satellite Controller | Channels |
CyberTech | [vendor]SipServer | CTI | Service for SIP Server link controller
CyberTech | SystemOverview NodeAgent | |
- - - | MySQL Database Service | MySQL |
Table 4-1: Services: MynaVoice Core Server
MynaVoice Recording Services - Satellite
MynaVoice Recording deploys the following services on a satellite, or a satellite with CTI role installed on it. Depending on your configuration, not all services might be available.
Services specific for CTI are marked as such in the column 'Purpose'.
Prefix | Service | Purpose | Remark
CyberTech | Call Controller | CTI |
CyberTech | CDR Processor for [vendor] | CTI |
CyberTech | ConfigurationManagement | | Disabled by default
CyberTech | Connectivity MediaDelivery | |
CyberTech | Controller Service | |
CyberTech | CSR ConnectionManager | Core Server Resilience |
CyberTech | CTI Processor for [vendor] | CTI |
CyberTech | CTI/CDR Processor for [vendor] | CTI |
CyberTech | CTI Receiver | |
CyberTech | Database Interface Client | |
CyberTech | DSC Service | |
CyberTech | Generic SipServer | CTI | Service for generic SIP Server link controller
CyberTech | Licensing Service | | Dependent on DSC Service
CyberTech | Link Controller [vendor] | CTI | Service for connectivity to telephony or trading system
CyberTech | Open Call Controller Webservice | CTI: OCC Interface, if installed | Not displayed in the list, but appears as a website in IIS.
CyberTech | RabbitMQ Server | |
CyberTech | Recording Service | |
CyberTech | Resilience Database Interface | CTI for Core Server Redundancy |
CyberTech | Satellite Controller | |
CyberTech | [vendor]SipServer | CTI | Service for SIP Server link controller
Table 4-2: Services: MynaVoice Satellite
MynaVoice Recording Services - CTI Server
MynaVoice Recording deploys the following services on a CTI Server. Depending on your configuration, not all services might be available.
If the CTI role is installed on a satellite, refer to section MynaVoice Recording Services - Satellite on the previous page.
If the CTI role is installed on a Core Server, refer to section MynaVoice Recording Services - Core Server on page 48.
Prefix | Service | Purpose | Remark
CyberTech | Call Controller | |
CyberTech | CDR Processor for [vendor] | |
CyberTech | ConfigurationManagement | | Disabled by default
CyberTech | CSR ConnectionManager | Core Server Redundancy |
CyberTech | CTI/CDR Processor for [vendor] | |
CyberTech | CTI Processor for [vendor] | |
CyberTech | Database Interface Client | |
CyberTech | Generic SipServer | | Service for generic SIP Server link controller
CyberTech | Link Controller [vendor] | | Service for connectivity to telephony or trading system
CyberTech | Open Call Controller Webservice | CTI: OCC Interface, if installed | Not displayed in the list, but appears as a website in IIS.
CyberTech | Resilience Database Interface | Core Server Redundancy |
CyberTech | Service Monitor | | Replaces Controller Service
CyberTech | [vendor]SipServer | | Service for SIP Server link controller
Table 4-3: Services: MynaVoice CTI Server
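An added PowerShell audit of the service lists in Tables 4-1 to 4-3 (not code from the manual or from the vendor): it reads Win32_Service, keeps every service whose display name starts with 'CyberTech' or 'CT', flags any that is disabled other than ConfigurationManagement (the one marked 'Disabled by default'), and lists Table 4-1 display names that are absent on this server. The expected-name list is copied from Table 4-1 with the vendor-specific entries omitted; whether an absent service matters depends on your configuration, as the tables say.

```powershell
# Added example; not part of the MynaVoice hardening manual or the vendor's tooling.
# Audits the services of Tables 4-1 to 4-3 on the local server. The manual states that all
# installed MynaVoice Recording services must not be disabled or uninstalled.
Set-StrictMode -Version Latest

function Get-MynaVoiceServiceAudit {
    param(
        # Display-name prefixes used in the tables: 'CyberTech ...' and the 'CT ...' resilience services.
        [string]$DisplayNamePattern = '^(CyberTech |CT )',
        # The one service the tables mark 'Disabled by default'.
        [string[]]$DisabledByDefault = @('CyberTech ConfigurationManagement')
    )
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -match $DisplayNamePattern } |
        ForEach-Object {
            $finding = 'OK'
            if ($_.StartMode -eq 'Disabled') {
                if ($DisabledByDefault -contains $_.DisplayName) { $finding = 'Disabled by default (expected)' }
                else { $finding = 'DISABLED: MynaVoice services must not be disabled' }
            } elseif ($_.State -ne 'Running') {
                $finding = "Not running (StartMode $($_.StartMode))"
            }
            [pscustomobject]@{
                DisplayName = $_.DisplayName; Name = $_.Name; State = $_.State
                StartMode   = $_.StartMode;   Account = $_.StartName; Finding = $finding
            }
        }
}

function Get-MynaVoiceMissingCoreServices {
    # Display names copied from Table 4-1 (vendor-specific '[vendor]' entries omitted). An absent
    # service is a finding only if your configuration (channels, CTI, CSR, Core API, Fusion) needs it.
    param([string[]]$Expected = @(
        'CT Core Server Resilience Management', 'CT Core Server Resilience Agent',
        'CyberTech Call Controller', 'CyberTech ConfigurationManagement',
        'CyberTech Connectivity Capture API', 'CyberTech Connectivity Media Delivery',
        'CyberTech Content Manager - Archiving', 'CyberTech Content Manager - Storage',
        'CyberTech Controller Service', 'CyberTech Core API', 'CyberTech CTI Receiver',
        'CyberTech Database Interface Client', 'CyberTech Database Interface Server',
        'CyberTech DSC Service', 'CyberTech Fault Manager', 'CyberTech Filebeat service',
        'CyberTech HistoricalIngestionAgent service', 'CyberTech Licensing Service',
        'CyberTech LogClean service', 'CyberTech MAX Content Manager', 'CyberTech MAX SystemManager',
        'CyberTech MAX UserManager', 'CyberTech Recording Service',
        'CyberTech Resilience Database Interface', 'CyberTech Satellite Controller',
        'CyberTech SystemOverview NodeAgent'))
    $present = Get-CimInstance -ClassName Win32_Service | Select-Object -ExpandProperty DisplayName
    $Expected | Where-Object { $present -notcontains $_ }
}

Get-MynaVoiceServiceAudit | Sort-Object Finding, DisplayName | Format-Table -AutoSize
Get-MynaVoiceMissingCoreServices
```

The Open Call Controller Webservice will not appear in either list because, as the tables note, it is an IIS website rather than a Windows service.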
Required Windows Services
MynaVoice Recording uses a number of Microsoft Windows services.
This section lists the common Windows services, indicating which services are required for MynaVoice Recording, and which are not.
Service | Required Y/N | Remark
Common HTTP Features
Static Content | Y | Required for showing static content (e.g. html and images)
Default Document | Y | Required for redirection to default document (login.asp) when not specified on URL
Directory Browsing | N | Used to browse directories when no document is specified on the URL
HTTP Errors | N | Used to display customized error pages
HTTP Redirection | N | Used to redirect users to other location
WebDAV Publishing | N | Used to deploy websites via HTTP
Application Development
ASP.NET | N | Currently no ASP.NET is used
.NET Extensibility | N | Currently no ASP.NET is used
ASP | Y | Required to show the MynaVoice Web GUI
CGI | N |
ISAPI Extensions | Y | Required when using ASP
ISAPI Filters | N |
Server Side Includes | N |
Health and Diagnostics
HTTP Logging | N | Not required but can be useful for debugging
Logging Tools | N | Not required but can be useful for debugging
Request Monitor | N | Not required but can be useful for debugging
Tracing | N | Not required but can be useful for debugging
Custom Logging | N | Not required but can be useful for debugging
ODBC Logging | N | Not required but can be useful for debugging
Security
Basic Authentication | N | Authentication is handled in code
Windows Authentication |N | Authentication is handled in code
Digest Authentication | N | Authentication is handled in code
Client Certificate Mapping Authentication | N | Authentication is handled in code
IIS Client Certificate Mapping Authentication | N | Authentication is handled in code
URL Authorization | N |
Request Filtering | Y | Required by ASP feature
IP and Domain Restrictions | N |
Performance
Static Content Compression | Y | Used by IIS to compress static content
Dynamic Content Compression | N |
Management Tools
IIS Management Console | Y | Required to customize the web server
IIS Management Scripts and Tools | N |
Management Services | N |
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility | Y | Required when installing IIS 6 Management Console
IIS 6 WMI Compatibility | Y | Used by the setup to make changes to the used application pool
IIS 6 Scripting Tools | N |
IIS 6 Management Console | N |
FTP Server
FTP Service | N | No FTP features are necessary to run MynaVoice Recording
FTP Extensibility | N |
IIS Host Web Core | N |
Table 4-4: Windows Services - Required and Not Required
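Table 4-4 as an added PowerShell audit (not code from the manual or from the vendor), run with Get-WindowsFeature on Windows Server: it reports required (Y) features that are missing and not-required (N) features that are installed, the latter being the removal candidates a hardening pass looks for. The mapping from the table's names to Server Manager feature names (Web-Static-Content, Web-Metabase, and so on) is my assumption and should be checked against Get-WindowsFeature -Name Web-* on your server.

```powershell
# Added example; not part of the MynaVoice hardening manual or the vendor's tooling.
# Compares the IIS role services installed on this Windows Server with Table 4-4.
# The feature names below are an assumption; verify them with: Get-WindowsFeature -Name Web-*
Set-StrictMode -Version Latest

function Get-MynaVoiceIisFeatureAudit {
    # $true = required (Y) in Table 4-4, $false = not required (N).
    $table = [ordered]@{
        'Web-Static-Content'    = $true    # Static Content
        'Web-Default-Doc'       = $true    # Default Document (login.asp)
        'Web-Dir-Browsing'      = $false   # Directory Browsing
        'Web-Http-Errors'       = $false   # HTTP Errors
        'Web-Http-Redirect'     = $false   # HTTP Redirection
        'Web-DAV-Publishing'    = $false   # WebDAV Publishing
        'Web-Asp-Net'           = $false   # ASP.NET (3.5 variant assumed)
        'Web-Net-Ext'           = $false   # .NET Extensibility (3.5 variant assumed)
        'Web-ASP'               = $true    # ASP: the MynaVoice Web GUI
        'Web-CGI'               = $false   # CGI
        'Web-ISAPI-Ext'         = $true    # ISAPI Extensions: needed by ASP
        'Web-ISAPI-Filter'      = $false   # ISAPI Filters
        'Web-Includes'          = $false   # Server Side Includes
        'Web-Http-Logging'      = $false   # HTTP Logging
        'Web-Log-Libraries'     = $false   # Logging Tools
        'Web-Request-Monitor'   = $false   # Request Monitor
        'Web-Http-Tracing'      = $false   # Tracing
        'Web-Custom-Logging'    = $false   # Custom Logging
        'Web-ODBC-Logging'      = $false   # ODBC Logging
        'Web-Basic-Auth'        = $false   # Basic Authentication
        'Web-Windows-Auth'      = $false   # Windows Authentication
        'Web-Digest-Auth'       = $false   # Digest Authentication
        'Web-Client-Auth'       = $false   # Client Certificate Mapping Authentication
        'Web-Cert-Auth'         = $false   # IIS Client Certificate Mapping Authentication
        'Web-Url-Auth'          = $false   # URL Authorization
        'Web-Filtering'         = $true    # Request Filtering: required by ASP
        'Web-IP-Security'       = $false   # IP and Domain Restrictions
        'Web-Stat-Compression'  = $true    # Static Content Compression
        'Web-Dyn-Compression'   = $false   # Dynamic Content Compression
        'Web-Mgmt-Console'      = $true    # IIS Management Console
        'Web-Scripting-Tools'   = $false   # IIS Management Scripts and Tools
        'Web-Mgmt-Service'      = $false   # Management Service
        'Web-Metabase'          = $true    # IIS 6 Metabase Compatibility
        'Web-WMI'               = $true    # IIS 6 WMI Compatibility: used by the setup
        'Web-Lgcy-Scripting'    = $false   # IIS 6 Scripting Tools
        'Web-Lgcy-Mgmt-Console' = $false   # IIS 6 Management Console
        'Web-Ftp-Service'       = $false   # FTP Service
        'Web-Ftp-Ext'           = $false   # FTP Extensibility
        'Web-WHC'               = $false   # IIS Hostable Web Core
    }
    Import-Module ServerManager -ErrorAction Stop
    $installed = @(Get-WindowsFeature -Name 'Web-*' | Where-Object Installed | Select-Object -ExpandProperty Name)
    foreach ($name in $table.Keys) {
        $isInstalled = $installed -contains $name
        $finding = switch ($true) {
            ($table[$name] -and -not $isInstalled)  { 'MISSING: required by MynaVoice Recording'; break }
            (-not $table[$name] -and $isInstalled)  { 'Installed but not required: candidate for removal'; break }
            default                                 { 'OK' }
        }
        [pscustomobject]@{ Feature = $name; Required = $table[$name]; Installed = $isInstalled; Finding = $finding }
    }
}

Get-MynaVoiceIisFeatureAudit | Where-Object Finding -ne 'OK' | Format-Table -AutoSize
```

Table 4-4 calls HTTP Logging and the other Health and Diagnostics items "useful for debugging"; treat those removal candidates as a judgement call rather than an automatic removal.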
Windows Data Execution Prevention (DEP)
Windows Data Execution Prevention (DEP) monitors installed software applications to verify if they use system memory safely. If an application tries executing code from memory in an incorrect way, DEP closes the program.
MynaVoice Recording software is trusted software. For MynaVoice, you do not need to disable DEP, or change any DEP settings.
For more information on DEP, see Microsoft.com pages, such as DEP - frequently asked questions.
SMB Signing
MynaVoice Recording supports SMB signing for Microsoft Active Directory.
E-mail Filtering
Any system of MynaVoice Recording can generate e-mail messages about occurring errors. These e-mails are sent to pre-defined e-mail addresses, set in the MynaVoice Web GUI, tabs system installation > global settings.
If you apply any kind of e-mail filtering, be sure all MynaVoice systems - Core Server, CTI or CDR Servers, satellites - are able to distribute their error message e-mails.
Local or Group Policy Security Settings
Security settings can be defined on the level of individual servers and on group level, depending on thecustomer's policy. Usually, Group Policy Security settings are used, as this is a centrally manageablepolicy for users within a domain. Some of the policy settings are domain-wide, other policy areas can bespecified at level of the organizational unit.
TIP: For details seeMicrosoft TechNet -Group PolicySecuritySettings.
Group Policy Security SettingsGroup Policy Security settings are defined using the Local Group Policy Editor.
1. In theWindows Run field, type gpedit.msc.
Figure 4-3: Start Local Group Policy Editor
2. Press [Enter]. The window Local Group Policy Editor appears.
Figure 4-4: Local Group Policy Editor
3. Go to Windows Settings > Security Settings, and select the required policy item.
Here Account Policies > Password Policy is shown as an example.
4. Double-click the required line item, or right-click on it and select Properties. The settings window appears. It has a tab Explain, showing you more information about the item.
5. Adjust the setting as shown in the example below.
Figure 4-5: Example of a Local Group Policy Setting
6. Click OK.
7. When done, close the Editor.
TIP: For detailed instructions see Microsoft TechNet - Local Group Policy Editor.
Local Security Settings
Usually, on an individual system only a limited number of security settings can be defined. Settings defined by Group Policy Security are disabled on local level.
To define Local Security Settings:
1. Navigate to Windows Start > Administrative Tools > Local Security Policy. The window Local Security Policy appears.
Figure 4-6: Local Security Policy
2. Select the required Local Policy Object. In the example above this is Account Policies > Password Policy.
3. Double-click the required line item, or right-click on it and select Properties. The settings window appears. It has a tab Explain, showing you more information about the item.
This line item is defined by Group Policy Security, and is disabled here.
This line item can be set here, on local level.
4. Adjust the setting as shown in the example below.
Figure 4-7: Example of a Local Group Policy Setting
5. Click OK.
6. When done, close the window.
Enabling IPsec Encryption
You can provide additional security to the servers of a MynaVoice Recording system by enabling Internet Protocol security (IPsec). By encrypting all communication between the servers, IPsec prevents 'network sniffing' of that traffic.
By applying IPsec the following communication paths (port numbers) are encrypted. Unencrypted access is blocked.
NOTE: By enabling encrypted recording you can encrypt all audio data in the system, even without enabling IPsec.
Communication to non-encrypted services such as NTP or SNMP is not affected.
You can secure web communication by enabling HTTPS as described in chapter Web Server Security on page 73.
Procedure
This procedure describes how to enable IPsec on Windows 2008 R2. On each server of the MynaVoice Recording system:
1. Open the Local Security Policy window: Start > All Programs > Administrative Tools, or enter secpol.msc in the Search programs and files field.
2. Right-click on IP Securities on Local Computer. From the menu, select Create IP Security Policy....
Security Policy
Welcome window of the IP Security Policy Wizard
3. Click Next.
IP Security Policy Name
4. Assign a proper name to your policy. The name used here is an example.
5. If necessary, describe your policy. Click Next.
Request for Secure Communication
6. Do not select the checkbox Activate the default response rule. Click Next.
Completing the IP Security Policy Wizard
7. Select the checkbox Edit properties. Click Finish.
Properties of your Security Policy
8. In the tab Rules, click Add.
IP Security Rule
Welcome window of the Create IP Security Rule Wizard
9. Click Next.
Tunnel Endpoint
10. Select the radio button This rule does not specify a tunnel.
11. Click Next.
Network Type
12. Select the radio button All network connections.
13. Click Next.
IP Filter List
The field does not show any filter lists.
14. Click Add to open a window in which you can define a list.
15. In this window, enter a Name and, if necessary, a Description for your filter list. The name shown here is an example.
16. To create the new filter within the list, click Add.
IP Security Rule > IP Filter
Welcome window of the IP Filter Wizard
17. Click Next.
The window IP Filter Description and Mirrored property appears (not shown here).
18. Enter aDescription, if necessary.
19. Select the checkboxMirrored.
20. Click Next.
IP Traffic source
21. From the drop-down menu, select Any IP Address.
22. Click Next.
IP Traffic Destination
23. From the drop-down menu, select Any IP Address.
24. Click Next.
IP Protocol Type
25. From the drop-down menu, select TCP.
26. Click Next.
IP Protocol Port
27. Select the radio buttons From any port and To this port.
28. Enter port number 3306.
29. Click Next.
Completing the IP Filter Wizard
Do not select the checkbox Edit properties.
30. Click Finish.
IP Security Rule (continued)
You now return to the IP Filter List, with the newly created filter added to the field IP Filters.
31. Click Add to create a new filter within the list.
Repeat this procedure from Step to add the other port numbers:
6003, 6006, 4250, 4245, 4345, 5002.
32. When done, click OK in this window.
Security Rule Wizard, window IP Filter List
33. Select the radio button of the IP filter list you created.
34. Click Next.
Security Rule Wizard, window Filter Action
35. Make sure the checkbox Use Add Wizard is selected, and click Add.
IP Security Rule > IP Filter Action
Welcome window of the IP Security Filter Action Wizard
36. Click Next.
The window Filter Action Name appears (not shown here).
37. Enter a proper Name and, if necessary, a Description for your filter action.
38. Click Next.
Filter Action General Options
39. Select the radio button Negotiate security.
40. Click Next.
Communicating with computers...
41. Select the radio button Do not allow unsecured communication.
42. Click Next.
IP Traffic Security
43. Select the radio button Integrity and encryption.
44. Click Next.
Completing the IP Security Filter Action Wizard
Do not select the checkbox Edit properties.
45. Click Finish.
IP Security Rule (continued)
Filter Action
46. Select the button of the Filter Action you just created, and click Next.
Authentication Method
47. Select the radio button of your preferred authentication method.
MynaVoice recommends using certificates or the Kerberos V5 protocol.
We advise against preshared key authentication because it is a relatively weak authentication method. Use preshared keys only for testing purposes.
48. Click Next.
Completing the Security Rule Wizard
Do not select the checkbox Edit properties.
49. Click Finish.
Properties
The window showing the Properties, tab Rules, of your security policy re-appears.
50. Click OK.
You have now created your IPsec policy.
As a last step, you have to activate the created security policy.
51. Open the Local Security Policy window again: Start > All Programs > Administrative Tools, or enter secpol.msc in the Search programs and files field.
52. Right-click on IP Securities on Local Computer. Your policy is displayed in the right-hand pane.
53. Right-click it. In the menu, select Assign.
Your Internet Protocol Security policy has now been activated.
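The same policy can be created from the command line on Windows Server 2012 and later, which ship the NetSecurity cmdlets instead of the IP Security Policy snap-in used above. The following script is an added example, not part of the MynaVoice manual; it assumes the servers are domain members (so Kerberos V5 can be used, as recommended in step 47) and uses the port list from the procedure.

```powershell
# Added example (not from the MynaVoice manual): the IPsec policy of this section
# built with the NetSecurity cmdlets (Windows Server 2012 and later) instead of
# the legacy 'IP Security Policies' snap-in. Run in an elevated PowerShell session
# on each server of the recording system, on all servers before traffic is tested:
# once both peers require security, an unconfigured peer can no longer connect.
# Assumptions: domain-joined servers (Kerberos V5), ports as listed in the manual.

$ports = @('3306', '6003', '6006', '4250', '4245', '4345', '5002')

# Phase 1 (main mode) authentication: computer Kerberos V5, as the manual recommends.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1Auth   = New-NetIPsecPhase1AuthSet -DisplayName 'MynaVoice Kerberos V5' `
                    -Proposal $authProposal

# Quick mode: ESP with integrity AND encryption. The built-in default quick mode set
# proposes integrity-only ESP first, so an explicit set is needed to match the
# 'Integrity and encryption' choice made in the wizard (step 43).
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
                  -Encryption AES256 -ESPHash SHA256
$qmSet      = New-NetIPsecQuickModeCryptoSet -DisplayName 'MynaVoice ESP AES256 SHA256' `
                  -Proposal $qmProposal

# One connection security rule per port: transport mode (no tunnel, step 10), any
# source and destination address (steps 21 and 23), TCP from any port to this port
# (steps 25 to 28). 'Require' in both directions is the equivalent of 'Do not allow
# unsecured communication' (step 41). Connection security rules cover both
# directions of a matched connection, which is what the 'Mirrored' checkbox did.
foreach ($port in $ports) {
    New-NetIPsecRule -DisplayName "MynaVoice IPsec TCP $port" `
        -Protocol TCP -LocalPort $port -RemotePort Any `
        -LocalAddress Any -RemoteAddress Any `
        -Mode Transport `
        -InboundSecurity Require -OutboundSecurity Require `
        -Phase1AuthSet $phase1Auth.Name `
        -QuickModeCryptoSet $qmSet.Name `
        -Enabled True | Out-Null
}

# Check 1: the rules exist and are enabled (the equivalent of 'Assign', step 53).
Get-NetIPsecRule -DisplayName 'MynaVoice IPsec TCP *' |
    Select-Object DisplayName, Enabled, InboundSecurity, OutboundSecurity |
    Format-Table -AutoSize

# Check 2: after the servers have exchanged traffic on one of the ports, quick mode
# security associations must exist. No entries here means no IPsec is in place.
Get-NetIPsecQuickModeSA | Format-List
```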
Configure Transport Encryption for File Shares
For improved security you can enable encryption on transfer for file shares, preventing network sniffers from reading the transferred data.
1. On the host where you want to host the file share, use Server Manager to add the role File and Storage Services.
2. Under Shares you can create a new share or see your existing share:
3. Right-click on the share and select Properties. Under Properties, select Settings and change Encrypt data access:
4. Click Apply and your share will now be encrypted at transport.
How to Check If Encryption Is Enabled
Using Wireshark you can check the communication that uses SMB2.
If your data was encrypted, you will see in the info:
ENCRYPTED SMB3
If your data was not encrypted you see Read Response with plain bytes included. In this example you see the text 'Hello shares' in the bytes section.
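The same setting can be enforced and verified without a packet capture, using the SmbShare cmdlets of Windows Server 2012 and later. This is an added example, not part of the manual; the share name is a placeholder for the share created in Server Manager above.

```powershell
# Added example (not from the MynaVoice manual): enforce and verify SMB transport
# encryption with the SmbShare cmdlets (SMB 3.0 and later). Run in an elevated
# session on the file server; the last command runs on a client of the share.
# Assumption: 'MynaRecordings' is a placeholder for your own share name.

$shareName = 'MynaRecordings'   # placeholder, not a MynaVoice share name

# Equivalent of 'Encrypt data access' in the share properties (step 3).
Set-SmbShare -Name $shareName -EncryptData $true -Force

# Server-wide: refuse clients that cannot encrypt (pre-SMB 3.0 clients) rather than
# serving them in plaintext. This is the default, but make it explicit so that a
# later change cannot silently reintroduce unencrypted access to encrypted shares.
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

# Check on the server: which shares still allow plaintext access (EncryptData False).
Get-SmbShare | Select-Object Name, Path, EncryptData | Format-Table -AutoSize

# Check on a client that has the share open: the Dialect must be 3.x and Encrypted
# must be True. This corresponds to the 'Encrypted SMB3' entries seen in Wireshark;
# a connection with Encrypted False is the plaintext 'Read Response' case above.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Encrypted |
    Format-Table -AutoSize
```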
5: Web Server Security
Communication between the MynaVoice Recording web server (Core Server) and the web clients requires a secure HTTPS connection.
This prevents capturing of any MynaVoice Recording related information from the network, accidentally or with malicious intent. The web client's temporary internet files cache will not contain any traces of MynaVoice Recording client sessions.
The first part of this chapter describes how to enable TLS security.
The second part contains additional, non-TLS related steps to enhance your web server security.
Topics:
Supported Security Versions 74
TLS (SSL) Security 76
Enabling HTTP Only and Secure Cookies 83
Preventing Cross Frame Scripting 96
Hiding Version Information in the Server Header 98
Remove the X-Powered-By Header 103
Enforcing Account Lockout (MynaVoice) 106
Supported Security Versions
TLS / SSL
Transport Layer Security (TLS), previously Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over a computer network. For HTTPS connections you must enable such a protocol. The TLS protocol is a more up-to-date and secure version of SSL, and is therefore considered an absolute requirement.
NOTE: Although the use of SSL is not advised, the term "SSL" is still widely used for both SSL and TLS.
In this manual we distinguish between both protocols, but adhere to the term "SSL certificates", which is still common, for example in the IIS windows.
Supported versions:
MynaVoice Recording:
As from version 6.7 PL4, MynaVoice Recording supports TLS 1.2 only. Earlier TLS and SSL versions are disabled.
Lower MynaVoice versions support TLS 1.0 and TLS 1.1.
Important! Do not use the SSL 2.0 and 3.0 protocols on the OS level. We do not recommend TLS 1.0 and 1.1.
Ciphers
MynaVoice supports all secure ciphers.
Recommended secure ciphers are, as of March 2018: 'AES 128/128', 'AES 256/256'.
These options are set system-wide via the registry. A specific reg file can be obtained via the MynaVoice Support Desk, to load the correct values using the command line.
The figure below shows the required settings, using IIS Crypto.
* In certain cases you need to select TLS 1.0 and 1.1 as well. See Supported versions: on the previous page.
When done, reboot the system to make all changes come into effect.
NOTE: MynaVoice Recording remains working when HTTP is completely disabled, or when weak ciphers are disabled ('DES 56/56', 'NULL', 'RC2 128/128', 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168').
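The protocol and cipher settings shown in the IIS Crypto screen are plain SCHANNEL registry values, so they can also be applied and read back with a script. The following is an added example, not the Support Desk reg file or MynaVoice code; it assumes MynaVoice Recording 6.7 PL4 or later (TLS 1.2 only) and the cipher lists given above.

```powershell
# Added example (not from the MynaVoice manual): the system-wide SCHANNEL protocol
# and cipher settings applied via the registry, which is what the Support Desk reg
# file and IIS Crypto also write. Run in an elevated PowerShell session on the Core
# Server and reboot afterwards, as the manual requires.
# Assumption: MynaVoice Recording 6.7 PL4 or later (TLS 1.2 only). For an earlier
# version, move 'TLS 1.0' and 'TLS 1.1' from $disabledProtocols to $enabledProtocols.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

$disabledProtocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')
$enabledProtocols  = @('TLS 1.2')

# The weak ciphers from the note above, and the two recommended secure ones.
$disabledCiphers = @('DES 56/56', 'NULL', 'RC2 128/128', 'RC2 40/128', 'RC2 56/128',
                     'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128',
                     'Triple DES 168')
$enabledCiphers  = @('AES 128/128', 'AES 256/256')

# Cipher key names contain '/', which the HKLM: drive provider treats as a path
# separator, so the keys are created through the .NET registry API, not New-Item.
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine,
            [Microsoft.Win32.RegistryView]::Registry64)
$dword = [Microsoft.Win32.RegistryValueKind]::DWord

function Set-SchannelProtocol([string]$Name, [bool]$Enabled) {
    # The settings are system-wide: both the server side (IIS) and the client side
    # (outgoing TLS connections from this host) are written.
    foreach ($side in 'Server', 'Client') {
        $key = $hklm.CreateSubKey("$schannel\Protocols\$Name\$side")
        $key.SetValue('Enabled',           [int]$Enabled,        $dword)
        $key.SetValue('DisabledByDefault', [int](-not $Enabled), $dword)
        $key.Close()
    }
}

function Set-SchannelCipher([string]$Name, [bool]$Enabled) {
    $key = $hklm.CreateSubKey("$schannel\Ciphers\$Name")
    # Windows uses 0xFFFFFFFF (written here as -1) for an enabled cipher, 0 for disabled.
    $key.SetValue('Enabled', $(if ($Enabled) { -1 } else { 0 }), $dword)
    $key.Close()
}

function Get-SchannelState([string]$SubPath) {
    # Reads back the 'Enabled' value; a missing key means the OS default applies.
    $key = $hklm.OpenSubKey("$schannel\$SubPath")
    if ($null -eq $key) { return 'OS default' }
    $value = $key.GetValue('Enabled')
    $key.Close()
    if ($null -eq $value) { 'OS default' } elseif ($value -eq 0) { 'disabled' } else { 'enabled' }
}

foreach ($p in $disabledProtocols) { Set-SchannelProtocol -Name $p -Enabled $false }
foreach ($p in $enabledProtocols)  { Set-SchannelProtocol -Name $p -Enabled $true }
foreach ($c in $disabledCiphers)   { Set-SchannelCipher   -Name $c -Enabled $false }
foreach ($c in $enabledCiphers)    { Set-SchannelCipher   -Name $c -Enabled $true }

# Verification before the reboot: every protocol and cipher with its resulting state.
$report = foreach ($p in $disabledProtocols + $enabledProtocols) {
    [pscustomobject]@{ Item = "Protocol $p (Server)"; State = Get-SchannelState "Protocols\$p\Server" }
}
$report += foreach ($c in $disabledCiphers + $enabledCiphers) {
    [pscustomobject]@{ Item = "Cipher $c"; State = Get-SchannelState "Ciphers\$c" }
}
$report | Format-Table -AutoSize
```

The settings take effect only after the reboot the manual calls for; until then the report shows the registry state, not the running configuration.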
TLS (SSL) Security
To ensure HTTPS is used for web connections, you have to set up a secure binding and disable the standard 'plain text' binding. When setting up the secure binding you need to select an SSL certificate, which must be created before you set up the binding.
SSL Certificates 76
Enabling TLS Security 77
SSL Certificate Settings 78
SSL Certificates
The following types of certificates exist:
Certificate issued by a public or commercial Certificate Authority (CA). Not necessary for internal networks.
Certificate issued by the company (customer) itself, based on a CA certificate. This is a cost-effective and secure solution for internal networks.
Self-signed certificate. This is not fully secure. It ensures an encrypted connection, but 'man-in-the-middle' attacks are still possible. MynaVoice advises against this type of certificate for purposes other than testing.
In Windows you can create a self-signed certificate using Internet Information Services (IIS) Manager.
Installed certificate
If you have created and installed a certificate inWindows you can check it as follows:
1. Open the Internet Information Services (IIS) Manager, select Connections > <localhost name> > Server Certificates.
2. Select the certificate. It will look like the following example:
If you have multiple Core Servers, for example in 2N Recording, each Core Server requires its own unique certificate.
Enabling TLS Security
To make sure the connection between web client and web server always uses HTTPS, take the following actions:
Make an SSL certificate available and install it on the Core Server(s).
On the MynaVoice Recording Core Server(s):
Set the site binding to secure in the Internet Information Services (IIS) Manager.
Set up Internet Information Services (IIS) Manager to allow only HTTPS connections.
Change the desktop shortcut to HTTPS.
When applicable, you must re-bind the certificate.
Self-signed certificate
If you use a self-signed certificate, you have to perform additional actions. MynaVoice advises against the use of self-signed certificates for purposes other than testing.
Importing the certificate on the web client
Setting up the certificate on the Core Server for access by local services
Setting up the web clients to use this self-signed certificate
Internet Information Services (IIS) Manager
You can access the IIS Manager in two ways:
Windows Start > Administrative Tools > Internet Information Services (IIS) Manager
Windows Start > Server Manager > IIS > Tools > Internet Information Services (IIS) Manager
For details, refer to the sections below.
SSL Certificate Settings
Perform the following steps to ensure proper functioning of the certificate.
Setting Site Binding
To set the secure site binding:
1. In the Internet Information Services (IIS) Manager, navigate to Connections, expand the <local host name> (below 'Start Page').
2. Expand Sites.
3. Right-click Default Web Site. From the menu, select Edit Bindings....
The pane Site Bindings appears.
4. Click Add. The pane Add Site Binding appears.
5. Type: From the drop-down menu, select https. The port number changes to 443.
IP address: Leave as is.
6. The field SSL certificate: appears. Select the required certificate. Below an example is shown.
7. Click OK. Verify in the Site Bindings pane that the certificate has been added.
The asterisk * indicates 'All Unassigned' IP addresses.
Do not remove the port 80 binding.
8. Click Close.
9. Restart the website: right-click Default Web Site.
10. From the menu, select Manage Web Site ► Restart.
Setting up IIS for HTTPS Only
To set up IIS to allow only HTTPS connections:
1. In the Internet Information Services (IIS) Manager, navigate to the web site to be secured. For MynaVoice this is Connections > <localhost name> > Sites > Default Web Site.
2. Click the icon SSL Settings.
3. The pane SSL Settings appears. Select Require SSL.
4. Under Client certificates:, select the radio button in accordance with the company policy.
5. In the pane Actions, click Apply.
6. Restart the website: right-click Default Web Site. From the menu, select Manage Web Site ► Restart.
Redirecting the Desktop Shortcut
The MynaVoice Web GUI can be opened using the default 'CyberTech Recording Solution Application' desktop icon. Set this shortcut to HTTPS as follows:
1. Right-click the shortcut icon. From the menu, select Properties.
2. In the field Target, add an s to http.
3. Click OK.
Re-binding a Certificate after Upgrading MynaVoice Recording
If you upgrade MynaVoice Recording, the SSL certificate becomes unbound. You must re-bind it, using the IIS Manager. Refer to Setting Site Binding above.
Enabling HTTP Only and Secure Cookies
A cookie that has an HTTPOnly attribute is sent to the browser, but it cannot be accessed by client-side APIs, such as JavaScript. This restriction helps prevent, amongst others, session hijacking attacks and the threat of cookie theft via cross-site scripting (XSS).
For security reasons, you have to enable HTTPOnly on the Core Server. This must be done for MynaVoice Recording.
It is described how to:
Enable HTTPOnly Cookies Using URLRewrite 2.1.
Enable Secure Cookies Using URLRewrite 2.1.
Enable HTTPOnly Cookies Using URLRewrite 2.1
1. Click the link below to download IIS URL Rewrite 2.1:
www.iis.net/downloads/microsoft/url-rewrite
2. Copy the downloaded file to the Core Server, and install the application. Follow the installation wizard.
3. When done, open the Internet Information Services (IIS) Manager on the web server (Windows Start > Server Manager > in top menu Tools > Internet Information Services (IIS) Manager).
4. In Connections select the web server (below 'Start Page'). This ensures the created rules apply to all web sites and applications hosted on this server.
5. In the <server> Home pane in the middle, go to section IIS and open URL Rewrite.
6. In the Actions pane on the right, select Add Rule(s)….
The window Add Rule(s) appears.
7. Under Outbound rules, double-click Blank rule.
The window Edit Outbound Rule appears.
8. Enter:
Name: Free text. Assign a logical, easy-to-use name, e.g.: "Add HttpOnly"
Precondition: select Create New Precondition
The Add Precondition window appears.
Enter:
Name: Free text, e.g.: "No HttpOnly"
Using: Regular Expressions
Logical grouping: Match All
9. Click Add….
The Add Condition window appears.
10. Enter:
Condition input: {RESPONSE_CONTENT_TYPE}
Check if input string: Matches the Pattern
Pattern: . (a single dot)
Ignore case: Leave the checkbox selected
11. Click OK.
The Add Precondition window reappears.
12. Click Add… again to enter a second condition.
The Add Condition window appears.
13. Enter:
Condition input: {RESPONSE_CONTENT_TYPE}
Check if input string: Does Not Match the Pattern
Pattern: ; HttpOnly (a semi-colon followed by a space and HttpOnly)
Ignore case Leave the checkbox selected
14. Click OK.
The Add Precondition window reappears.
Two preconditions are listed.
15. Click OK.
The Edit Outbound Rule window reappears.
16. Enter:
Match
Matching scope: Server Variable
Variable name: RESPONSE_Set_Cookie
Variable value: Matches the Pattern
Using: Regular Expressions
Pattern: .+ (a dot followed by a plus sign)
Ignore case: Leave the checkbox selected
Conditions
Leave the default (no conditions)
Action
Action type: Rewrite
Action Properties
Value: {R:0}; HttpOnly
Select the checkbox Replace existing server variable value
Checkbox Stop processing of...: do not select
17. In the Actions pane on the right, select Apply.
Enable Secure Cookies Using URLRewrite 2.1
A cookie that has a Secure attribute is only sent to the browser when encrypted communication is enforced, i.e. only when using HTTPS. By only sending (session) cookies over an encrypted channel, man-in-the-middle attacks, like snooping, are prevented.
1. If IIS URL Rewrite 2.1 is not yet installed, click the link below to download it:
www.iis.net/downloads/microsoft/url-rewrite
2. Copy the downloaded file to the Core Server, and install the application. Follow the installation wizard.
3. When done, open the Internet Information Services (IIS) Manager on the web server (Windows Start > Server Manager > in top menu Tools > Internet Information Services (IIS) Manager).
4. In Connections select the web server (below 'Start Page').
5. In the <server> Home pane in the middle, go to section IIS and open URL Rewrite.
6. In the Actions pane on the right, select Add Rule(s)….
The window Add Rule(s) appears.
7. Under Outbound rules, double-click Blank rule.
The window Edit Outbound Rule appears.
8. Enter:
Name: Free text. Assign a logical, easy-to-use name, e.g.: "Add Secure"
Precondition: select Create New Precondition
The Add Precondition window appears.
Enter:
Name: Free text, e.g.: "No Secure"
Using: Regular Expressions
Logical grouping: Match All
9. Click Add….
The Add Condition window appears.
10. Enter:
Condition input: {RESPONSE_CONTENT_TYPE}
Check if input string: Matches the Pattern
Pattern: . (a single dot)
Ignore case: Leave the checkbox selected
11. Click OK.
The Add Precondition window reappears.
12. Click Add… again to enter a second condition.
The Add Condition window appears.
13. Enter:
Condition input: {RESPONSE_CONTENT_TYPE}
Check if input string: Does Not Match the Pattern
Pattern: ; Secure (a semi-colon followed by a space and Secure)
Ignore case: Leave the checkbox selected
14. Click OK.
The Add Precondition window reappears.
Two preconditions are listed.
15. Click OK.
The Edit Outbound Rule window reappears.
16. Enter:
Match
Matching scope: Server Variable
Variable name: RESPONSE_Set_Cookie
Variable value: Matches the Pattern
Using: Regular Expressions
Pattern: .+ (a dot followed by a plus sign)
Ignore case: Leave the checkbox selected
Conditions
Leave the default (no conditions)
Action
Action type: Rewrite
Action Properties
Value: {R:0}; Secure
Select the checkbox Replace existing server variable value
Checkbox Stop processing of...: Make sure it is not selected
17. In the Actions pane on the right, select Apply.
Preventing Cross Frame Scripting
Cross Frame Scripting is used for 'phishing' attacks. Web clients receive a link to a malicious site, with the intention to capture pages from the actual site in an HTML frame. The real application is loaded as an embedded frame. When the web user accesses the application, the attacker is able to monitor activities, and compromise user and other sensitive information. This method is also known as 'framesniffing'.
The procedure below prevents web pages from becoming encapsulated within an HTML frame of an unauthorized site. The web page is blanked out when it is being framed.
Procedure
NOTE: This procedure sets the X-Frame-Options header. However, it might already be set from within the application.
1. Go to the Internet Information Services (IIS) Manager, and expand the <local host name> (below 'Start Page').
2. In the Connections pane on the left side, expand Sites.
3. Select Default Web Site.
4. In the middle pane, section IIS, double-click the icon HTTP Response Headers.
5. In the Actions pane on the right side, click Add. The window Add Custom HTTP Response Header appears:
6. Fill in:
Name: X-Frame-Options
Value: SAMEORIGIN
7. Click OK.
The X-Frame-Options header prevents this website from being hosted in an 'IFRAME' of other domains. If required, you can add domains that are allowed to host your site.
For more information, see Microsoft Support - Mitigating framesniffing.
Hiding Version Information in the Server Header
By default, Internet Information Services (IIS) adds information to the header of requested (HTML) files stating the name and version number of the web server that has processed the request. This version information in the (IIS) server header can be useful for attackers to optimize and target their attacks.
The procedures below describe how to hide this version information, and avoid its being used for attacks. This must be done for MynaVoice Recording.
The steps depend on the version of IIS.
Procedure to hide version information: IIS 7.5 and higher
For this procedure you require IIS URL Rewrite 2.1. Download it from www.iis.net/downloads/microsoft/url-rewrite.
1. On the web server, install URL Rewrite 2.1 according to the instructions on the website. Follow the setup screens.
2. When done, open the Internet Information Services (IIS) Manager on the web server (Windows Start > Server Manager > in top menu Tools > Internet Information Services (IIS) Manager).
3. In Connections select the web server (below 'Start Page').
4. In the <server> Home pane in the middle, go to section IIS and open URL Rewrite.
5. In the Actions pane on the right, select Add Rule(s)….
The window Add Rule(s) appears.
6. Under Outbound rules, double-click Blank rule.
The window Edit Outbound Rule appears.
7. Enter:
Name: Free text. Assign a logical, easy-to-use name, e.g.: "Drop Server Header"
Precondition: <None>
Match
Matching scope: Server Variable
Variable name: RESPONSE_Server
Variable value: Matches the Pattern
Using: Regular Expressions
Pattern: .+ (a dot followed by a plus sign)
Select the checkbox Ignore case
Conditions
Leave the default (no conditions)
Action
Action type: Rewrite
Action Properties
Value: Leave blank
Select the checkbox Replace existing server variable value
Checkbox Stop processing of...: do not select
8. In the Actions pane on the right, select Apply.
The warning "No value is specified for the rewrite action." appears. You can ignore this.
Now verify if the version information in the header is hidden:
9. In your browser, open the Login page of the MynaVoice application.
Do not log in to the application!
10. Open Developer Tools, depending on your browser:
In Chrome, press [Ctrl]+[Shift]+[I], or: in the Settings select More Tools
In Internet Explorer, press [F12], or: select Tools
11. In the Developer Tools window, select the tab Network.
12. Refresh the Login page in the browser.
The Developer Tools > Network window shows all resources loaded from the web server as part of the request for the Login page.
13. In the column Name, select Login.htm?....
14. Select the Headers tab, scroll to Response Headers.
15. Verify that the Server header is empty.
16. Close the Developer Tools window.
Remove the X-Powered-By Header
Revealing the fact that MynaVoice is powered using ASP.NET technology only helps potential attackers narrow down their attacks. This header must be removed.
This must be done for MynaVoice Recording.
Procedure
1. Open the Internet Information Services (IIS) Manager on the web server (Windows Start > Server Manager > in top menu Tools > Internet Information Services (IIS) Manager).
2. In Connections select the web server (below 'Start Page').
3. In the <server> Home pane in the middle, go to section IIS and double-click HTTP Response Headers.
4. In the window HTTP Response Headers, select X-Powered-By.
5. Click Remove.
6. Select the Default Web Site and double-click HTTP Response Headers.
7. In the window HTTP Response Headers, select X-Powered-By.
8. Click Remove.
9. Close the IIS Manager.
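The browser check in steps 9 to 16 of the Server header procedure can be scripted, and the same request also verifies the other settings of this chapter: HttpOnly and Secure on the cookies, X-Frame-Options, the removed X-Powered-By header, and that a plain HTTP request is no longer served. The script below is an added example, not part of the manual; the host name is a placeholder for your Core Server, and only the headers of the login page are inspected, without logging in.

```powershell
# Added example (not from the MynaVoice manual): a read-only check of the response
# headers of the MynaVoice login page against the settings of this chapter.
# Assumptions: $CoreServer is a placeholder for your Core Server, and the script
# runs on a workstation that can reach it. Nothing is logged in.

$CoreServer = 'coreserver.example.invalid'   # placeholder, replace with your Core Server

# MynaVoice 6.7 PL4 and later accept TLS 1.2 only; an older Windows PowerShell host
# would otherwise offer TLS 1.0 and fail the handshake.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

function Get-LoginPageResponse([string]$Url, [bool]$FollowRedirects) {
    # Returns the HttpWebResponse even for 4xx/5xx answers, which still carry headers.
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Method = 'GET'
    $request.AllowAutoRedirect = $FollowRedirects
    try {
        return $request.GetResponse()
    } catch [System.Net.WebException] {
        if ($null -eq $_.Exception.Response) { throw }   # TLS or connection failure
        return $_.Exception.Response
    }
}

function Test-MynaVoiceWebHardening([string]$Server) {
    $findings = New-Object System.Collections.Generic.List[string]

    $https = Get-LoginPageResponse -Url "https://$Server/" -FollowRedirects $true
    $h = $https.Headers

    # Enabling HTTPOnly and Secure Cookies: every Set-Cookie must carry both flags.
    $cookies = $h.GetValues('Set-Cookie')
    if ($null -eq $cookies) {
        $findings.Add('No Set-Cookie header on the login page; cookie checks skipped')
    } else {
        foreach ($cookie in $cookies) {
            $name = ($cookie -split '=', 2)[0]
            if ($cookie -notmatch ';\s*HttpOnly\b') { $findings.Add("Cookie '$name' lacks HttpOnly") }
            if ($cookie -notmatch ';\s*Secure\b')   { $findings.Add("Cookie '$name' lacks Secure") }
        }
    }

    # Preventing Cross Frame Scripting: X-Frame-Options must be SAMEORIGIN.
    if ($h['X-Frame-Options'] -ne 'SAMEORIGIN') {
        $findings.Add("X-Frame-Options is '$($h['X-Frame-Options'])', expected SAMEORIGIN")
    }

    # Hiding Version Information in the Server Header: the rewrite rule leaves it empty.
    if (-not [string]::IsNullOrWhiteSpace($h['Server'])) {
        $findings.Add("Server header reveals '$($h['Server'])'")
    }

    # Remove the X-Powered-By Header: it must be absent.
    if ($null -ne $h['X-Powered-By']) {
        $findings.Add("X-Powered-By header present: '$($h['X-Powered-By'])'")
    }
    $https.Close()

    # Setting up IIS for HTTPS Only: the port 80 binding stays, but with 'Require SSL'
    # a plain HTTP request must not be served with 200 (redirects are not followed here).
    $http = Get-LoginPageResponse -Url "http://$Server/" -FollowRedirects $false
    if ([int]$http.StatusCode -eq 200) {
        $findings.Add('Plain HTTP request returned 200; Require SSL is not effective')
    }
    $http.Close()

    [pscustomobject]@{
        Server   = $Server
        Pass     = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

Test-MynaVoiceWebHardening -Server $CoreServer | Format-List
```

A self-signed certificate makes the HTTPS request fail before any header is read, which is the expected outcome for anything other than a test system.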
Enforcing Account Lockout (MynaVoice)
Attackers can use brute forcing techniques to discover valid logon credentials. To prevent this, a user account must be locked out after multiple failed login attempts. We recommend a maximum of three failed attempts.
Perform the following procedure to configure this setting, using the MynaVoice Web GUI:
1. Open the MynaVoice Web GUI. For this, open Internet Explorer, and type in the address bar:
the IP address of the Core Server, when accessing from a different workstation, or
http://localhost, when accessing from the Core Server itself.
In this case you can also use the Recording Solution Application icon.
Now, the login page of the web interface appears:
2. Check if the tab Main Administration is active.
3. Type the User name and Password, with Administrator rights.
4. Click the button to the right of the Password field, or press [Enter]. The main window of the Web GUI appears.
5. Select the tabs user administration > users. You only need to configure the users that are allowed to access the MynaVoice Web GUI. Typically, these are administrators, service, and other authorized users.
6. Double-click on the user's line item (or click its Edit icon). The user's configuration panes appear.
7. Go to the pane Security settings for user account <user name>, field Number of login attempts allowed.
8. From the drop-down menu, select the required number of attempts.
6: Web Client Internet Explorer Policy
For easy access to the recording system through any IP network, MynaVoice Recording uses a web-based graphical user interface (web GUI). You can access and browse this web GUI using Windows Internet Explorer (IE) from any web client system. For details of the MynaVoice Web GUI and its settings, refer to the MynaVoice Recording 6.7 - User Manual.
MynaVoice Recording supports Internet Explorer IE9, IE10 (in compatibility mode) and IE11 (in native mode).
Windows security settings on the web client can block specific web activities, which results in limited functionality of the MynaVoice Web GUI.
This chapter explains which security settings you have to apply in Internet Explorer to overcome these limitations and allow:
Access from the web client
Playback of recorded calls
Downloading of recorded calls from the recording system
Copying version information to the clipboard
Real-time playback of calls (supported by NTR 6.7 PL1 and lower)
Real-time channel overview
Besides the correct settings, call playback also requires Microsoft Silverlight to be installed.
For additional requirements that enable real-time playback of calls, see section Real-time Play.
NOTE: Earlier versions of MynaVoice Recording required Java and JavaScript to enable real-time channel overview. In MynaVoice Recording R6.7 and higher they are no longer necessary for this purpose.
The sections below explain how to apply the correct settings. Make them available to the customer's system/network administrator.
Internet Explorer Security Level
Important! Only an authorized person is allowed to configure the security settings.
Verify settings
To verify the security settings of the MynaVoice Web GUI, using IE11:
1. Open Windows Internet Explorer on the web client.
2. In the address bar, enter the IP address or host name of the MynaVoice Recording Core Server. The MynaVoice Web GUI's log-on window appears. Do not log on to the web GUI.
3. Click the Tools button in the top right-hand corner, or the Tools top menu.
4. From the drop-down menu, select Internet options, tab Security.
5. The zone of the web GUI in your browser must be 'Internet' or 'Local intranet'.
Usually, the default settings are sufficient for a fully functional MynaVoice Web GUI.
You can customize the settings of the zones for the web GUI. For this, click Custom level....
Be sure that the parameters that can affect MynaVoice Recording are set correctly. See the listing below.
Group policy settings
A domain often has group policy settings. These are enforced by the Domain Controller and cannot be changed locally.
In such a case, adding MynaVoice Recording to the list of 'Trusted sites' can be an option. However, this setting might be blocked as well.
1. Select Trusted sites, and click the button Sites.
2. Check whether server verification is required and, if so, select the checkbox 'Require server verification (https:) for all sites in this zone'. In that case the web GUI must be reached through an https: address.
3. Enter MynaVoice Recording's IP address or host name and click Add.
4. Click Close.
Required Security Settings
The following Internet Explorer security settings are required for a fully functional MynaVoice Web GUI. Apply them only to the zone that contains the MynaVoice server (Local intranet or Trusted sites, see above). Several of these actions, such as submitting non-encrypted form data, programmatic clipboard access and launching files from an IFRAME, weaken the browser against every site in the zone, so do not enable them for the Internet zone.
1. Navigate to tab Security, click button Custom level....
You must set all of the following to Enable.
ActiveX controls and plug-ins
Run ActiveX controls and plug-ins
Script ActiveX controls marked safe for scripting
Downloads
File download
Miscellaneous
Launching programs and files in an IFRAME
Submit non-encrypted form data
Scripting
Active scripting
Allow programmatic clipboard access
Scripting of Java applets
2. Click OK.
3. Navigate to tab Advanced. Select the following checkboxes:
Multimedia
Play animations in web pages
Show pictures
4. Click OK, OK.
When done, reboot the web client system to make all changes come into effect.
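The same configuration done per user from PowerShell, as an added example that is not part of the MynaVoice manual: it maps the recorder's host name to the Trusted sites zone (zone 2) and enables exactly the actions listed above for that zone only, so the Internet zone keeps its defaults. The host name is an assumption; the numeric action identifiers are Microsoft's URL action values that back the Custom level dialog (0 = Enable, 1 = Prompt, 3 = Disable) and should be checked against the dialog on your build. When Group Policy controls these settings, the policy values under HKLM win and these per-user values have no effect.

```powershell
# Added example, not from the MynaVoice manual. Runs in the user's context (HKCU).
$RecorderHost = 'recorder.example.local'   # assumption: host name of the Core Server
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Zone mapping: http and https for this host -> zone 2 (Trusted sites).
#    If you reach the server by IP address, IE stores that under ZoneMap\Ranges instead;
#    use the Sites dialog for that case.
$domainKey = Join-Path $base "ZoneMap\Domains\$RecorderHost"
New-Item -Path $domainKey -Force | Out-Null
foreach ($scheme in 'http', 'https') {
    New-ItemProperty -Path $domainKey -Name $scheme -PropertyType DWord -Value 2 -Force | Out-Null
}

# 2. Custom level for zone 2: the items the manual requires, nothing else.
#    Action IDs: Microsoft URL action values (verify against the Custom level dialog).
$actions = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1803' = 'File download'
    '1804' = 'Launching programs and files in an IFRAME'
    '1601' = 'Submit non-encrypted form data'
    '1400' = 'Active scripting'
    '1407' = 'Allow programmatic clipboard access'
    '1402' = 'Scripting of Java applets'
}
$zoneKey = Join-Path $base 'Zones\2'
foreach ($id in $actions.Keys) {
    New-ItemProperty -Path $zoneKey -Name $id -PropertyType DWord -Value 0 -Force | Out-Null
}

# 3. Check: read everything back and report anything that is not 'Enable',
#    and make sure the Internet zone (zone 1) was not touched for the risky items.
foreach ($id in $actions.Keys) {
    $v = (Get-ItemProperty -Path $zoneKey -Name $id).$id
    '{0,-55} zone 2 = {1}' -f $actions[$id], $v
    if ($v -ne 0) { Write-Warning "$($actions[$id]) is $v in zone 2, expected 0 (Enable)" }
}
$internet = Join-Path $base 'Zones\1'
foreach ($id in '1601', '1407', '1804') {
    $v = (Get-ItemProperty -Path $internet -Name $id -ErrorAction SilentlyContinue).$id
    if ($v -eq 0) { Write-Warning "$($actions[$id]) is enabled for the Internet zone; tighten it" }
}
```

Log off and on again, or reboot as the manual says, for Internet Explorer to pick the values up. The Advanced tab items (Play animations in web pages, Show pictures) are user preferences outside the zone model and are left to the dialog.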
Real-time Play
Important! As from MynaVoice Recording 6.7 PL2 Real-time Play is not available anymore.
If you have MynaVoice 6.7 PL1 or lower installed, real-time play of calls is available if the web client system has:
Java installed
JavaScript enabled
In addition all satellites require specific access to external communication pages on the Core Server. This is set in the IIS Manager on the Core Server. See section Setting Satellite Access to External Communication below.
Java
Important! If you have MynaVoice 6.7 PL2 or higher installed, real-time play is not available, and you do not need to install Java.
MynaVoice Recording 6.7 supports Java 8 (build 1.8) or higher. Java installation software is delivered on the installation CD of MynaVoice Recording 6.7, folder 'Additional Software'.
After installing Java, you have to configure its security settings to ensure TCP connections are allowed from the client computer:
Close all Java applets. Java applets are automatically closed when closing all Internet Explorer windows. Make sure there is no Java icon in the system tray.
1. Open Windows Explorer and navigate to the folder 'C:\Program Files (x86)\Java\jre<version>\lib\security'.
2. Copy the file java.policy. Paste it and rename it to java.policy-orig, as a backup.
3. Open the file java.policy for editing.
4. In the file do the following:
For Java 1.8, add the line
    permission java.net.SocketPermission "*", "listen, accept, connect, resolve";
For Java 1.6 and 1.7, replace the line:
    permission java.net.SocketPermission "localhost:1024-", "listen";
with
    permission java.net.SocketPermission "*", "listen, accept, connect, resolve";
5. Save the file.
6. Reboot the system to make all changes come into effect.
7. Re-try the Real-Time Play option.
NOTE: Instead of "*" you can use a host name, IP address or wildcard mask to narrow the Java policy, and this is the preferred form: the grant block in java.policy applies to every applet the JRE runs, not only to MynaVoice's, so "*" lets any applet open sockets to any host. For each satellite add a separate permission line containing only the IP address of that satellite system (a port range can be appended in the form "IP:port-port"):
    permission java.net.SocketPermission "IP 1", "listen, accept, connect, resolve";
    permission java.net.SocketPermission "IP 2", "listen, accept, connect, resolve";
etc.
JavaScript
By default, JavaScript is enabled. You can verify this as follows:
1. Open theWindows Internet Explorer on the web client.
2. Click the Tools button in the top right-hand corner, or the Tools top menu.
3. From the drop-down menu, select Internet Options, tab Security.
4. Click button Custom level....
5. Under Scripting, verify that Active Scripting has been set to Enable.
6. Click OK, OK.
7. Refresh your Internet Explorer screen to activate JavaScript.
Setting Satellite Access to External Communication
Important! As from MynaVoice Recording 6.7 PL2 Real-time Play is not available anymore.
To enable real-time playback (MynaVoice 6.7 PL1 or lower only), all satellites require specific access to external communication pages.
This procedure describes how to configure this in IIS 7.
Prerequisite: have the IP addresses of all satellites available.
1. On the Core Server, navigate to (Administrative Tools >) Internet Information Services (IIS) Manager, expand the <local host name> > Sites > Default Web Site.
2. In the left-hand pane, select the folder toolbox.
3. Click Content View at the bottom of the middle pane. The toolbox Content appears.
4. Right-click externalCommunication.asp. From the menu, select Switch to Features View.
Do not use the 'Features View' button at the bottom for this!
The item externalCommunication.asp has now been added to the toolbox folder.
5. In the pane Connections, select externalCommunication.asp in the toolbox folder.
6. In the pane externalCommunication.asp Home, double-click the icon IP Address and Domain Restrictions.
7. The pane IP Address and Domain Restrictions appears. Right-click on it. From the menu, select Add Allow Entry.
8. The window Add Allow Restriction Rule appears. In the field Specific IP address, fill in the IP address of the satellite.
If you want to add a range of addresses, consult the IIS Manager's Help.
9. Click OK. The satellite's IP address has now been added to the IP Address and Domain Restrictions list.
10. Repeat the above steps for the folder _toolbox.
Repeat this procedure for all satellites of the MynaVoice Recording system.
An Allow entry only restricts access if clients that are not listed are denied. The steps above do not change that setting; check it in the same pane under Edit Feature Settings... (Access for unspecified clients).
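The same allow list scripted for both folders at once, as an added example that is not part of the MynaVoice manual: it adds one Allow rule per satellite for externalCommunication.asp in 'toolbox' and '_toolbox', skips addresses that are already listed, and reports whether unlisted clients are denied, because without that the list enforces nothing. It assumes IIS 7 with the IP and Domain Restrictions role service and the WebAdministration module; the satellite addresses are constructed sample values.

```powershell
# Added example, not from the MynaVoice manual. Assumes IIS 7 with 'IP and Domain
# Restrictions' installed. The two addresses below are constructed samples.
Import-Module WebAdministration

$Satellites = @('10.10.1.21', '10.10.1.22')
$apphost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/ipSecurity'
$pages   = @('Default Web Site/toolbox/externalCommunication.asp',
             'Default Web Site/_toolbox/externalCommunication.asp')

foreach ($loc in $pages) {
    foreach ($ip in $Satellites) {
        $exists = Get-WebConfiguration -PSPath $apphost -Location $loc `
                      -Filter "$filter/add[@ipAddress='$ip']"
        if (-not $exists) {
            Add-WebConfigurationProperty -PSPath $apphost -Location $loc -Filter $filter `
                -Name '.' -Value @{ ipAddress = $ip; allowed = 'true' }
        }
    }

    # Read back what IIS will enforce for this page.
    $rules = Get-WebConfiguration -PSPath $apphost -Location $loc -Filter "$filter/add"
    $allowUnlisted = (Get-WebConfigurationProperty -PSPath $apphost -Location $loc `
                          -Filter $filter -Name 'allowUnlisted').Value
    $allowed = ($rules | Where-Object { $_.allowed } | ForEach-Object { $_.ipAddress }) -join ', '
    '{0}: allowed = [{1}], allowUnlisted = {2}' -f $loc, $allowed, $allowUnlisted
    if ($allowUnlisted) {
        Write-Warning "$loc : unlisted clients are still allowed, so the Allow list does not restrict anything. Set 'Access for unspecified clients' to Deny if that is the intent."
    }
}
```

The script only reports the 'unlisted clients' setting instead of changing it, because denying everything else also affects any other caller of these pages; decide that per installation.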
Removing Temporary Internet Files
Windows Internet Explorer stores all files used during internet sessions in a local IE cache folder. To prevent improper use of stored items, for example recorded calls that were played back or downloaded, it is recommended to clean the cache folder regularly. You can also prevent certain files from being stored in the cache folder.
Cleaning the Cache Folder
To empty the cache folder automatically every time an Internet Explorer session is closed, apply the following settings:
1. On the web client, open Windows Internet Explorer.
2. Click the Tools button in the top right-hand corner, or the Tools top menu.
3. From the drop-down menu, select Internet options, tab Advanced.
4. In section Security, select the checkbox Empty Temporary Internet Files folder when browser is closed.
If SSL security (HTTPS) is applied, this setting is not required. In that case, you must select Do not save encrypted pages to disk: the pages are then never written to the cache at all, so there is nothing left to clean up.
5. Besides these settings youmust also Enable native XMLHTTP support:
6. Click OK.
7. Close the Internet options window.
Configuring Cache Control Using IIS (on Core Server)
In addition, you can set web site properties on the Core Server using the Internet Information Services (IIS) Manager. This can also be a solution if adapting the IE settings on the web client is not allowed.
These settings define which files are not cached on the web client.
Important! Excluding files from being cached can seriously impact your server's performance: every request for such a file goes to the server again.
Procedure (using IIS Manager 7)
On the Core Server:
1. Navigate to (Administrative Tools >) Internet Information Services (IIS) Manager, expand the <local host name> (Core Server).
2. In the pane Connections, expand Sites > Default Web Site.
3. Select the folder of which you need to change the settings. In this example: 'files'.
See the explanation about files and folders at the end of this procedure.
4. With the folder selected, double-click the icon HTTP Response Headers.
5. In the Actions pane, click Add. The window Add Custom HTTP Response Header appears.
6. Enter (type exactly as shown):
Name: Cache-Control
Value: no-store
The pane in the middle of the window now shows the name and value you have set.
7. Close the Internet Information (IIS) Manager.
Best Practice: Which folders should I set?
Set Cache-Control: no-store on the following folder:
files
Do not set Cache-Control on the following (doing so stops caching for the whole site or for all graphics, which has a serious impact on server performance):
Default Web Site (site level)
_gfx (graphics)
Cache settings already managed:
_jap (Java): manages its own cache settings.
_scr (JavaScript): cache settings set by MynaVoice.
_sl (Silverlight): manages its own cache settings.
All other folders contain 'dynamic' .ASP files, which are not cached.
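The header set from PowerShell with a scope check, as an added example that is not part of the MynaVoice manual: it puts Cache-Control: no-store on the 'files' folder of 'Default Web Site' only, updates an existing value instead of adding a duplicate, and then reads the setting back for the site root and _gfx to confirm the header did not land where the best-practice list says it must not. It assumes the WebAdministration module; site and folder names are the manual's.

```powershell
# Added example, not from the MynaVoice manual. Assumes the WebAdministration module.
Import-Module WebAdministration

$apphost = 'MACHINE/WEBROOT/APPHOST'
$site    = 'Default Web Site'
$filter  = 'system.webServer/httpProtocol/customHeaders'

# Returns the Cache-Control value configured at (or inherited by) a location, or '<none>'.
function Get-CacheControl([string] $Location) {
    $add = Get-WebConfiguration -PSPath $apphost -Location $Location `
               -Filter "$filter/add[@name='Cache-Control']"
    if ($add) { return $add.value } else { return '<none>' }
}

$target = "$site/files"
if ((Get-CacheControl $target) -eq '<none>') {
    Add-WebConfigurationProperty -PSPath $apphost -Location $target -Filter $filter `
        -Name '.' -Value @{ name = 'Cache-Control'; value = 'no-store' }
} else {
    # Header already present (possibly with another value): correct it in place.
    Set-WebConfigurationProperty -PSPath $apphost -Location $target `
        -Filter "$filter/add[@name='Cache-Control']" -Name 'value' -Value 'no-store'
}

# Scope check: 'files' must show no-store; the site root and _gfx must not.
foreach ($loc in @("$site/files", $site, "$site/_gfx")) {
    $value = Get-CacheControl $loc
    '{0,-30} Cache-Control: {1}' -f $loc, $value
    if ($loc -ne "$site/files" -and $value -eq 'no-store') {
        Write-Warning "$loc has no-store; remove it there, it hurts server performance"
    }
}
```

Because custom headers are inherited downwards in IIS, a value set on 'files' never shows up at the site root, but a value accidentally set at the root would show up on every folder; the check above is what catches that.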
7: Vulnerability
This chapter covers three widely publicised vulnerabilities and their relevance to MynaVoice Recording:
Heartbleed
POODLE
Shellshock
These vulnerabilities entail security risks, but do not affect operation or performance of MynaVoice Recording.
See the sections below for a description of how to avoid the security risks.
Heartbleed
MynaVoice Recording uses MySQL for its database functionality. MySQL versions lower than 5.6.18 were built against a version of the OpenSSL cryptographic library that contains the 'Heartbleed' bug (CVE-2014-0160). Heartbleed is not a weakness of the SSL 3.0 protocol itself but a bug in OpenSSL's handling of the TLS heartbeat extension: an unauthenticated peer can read chunks of the process's memory, which may include private keys, credentials and data that the encrypted connection was supposed to protect. You can find more information on heartbleed.com.
To avoid any risk, the following solutions exist:
If your MynaVoice Recording version is 6.5.8 or higher, Heartbleed does not occur. These versions use MySQL 5.6.18 or higher, which are not vulnerable.
If you have a lower version of MynaVoice Recording, SSL must be disabled in MySQL. In MynaVoice Recording this is disabled by default; a server that never negotiates SSL/TLS cannot reach the vulnerable heartbeat code. Verify rather than assume: on the database, SHOW VARIABLES LIKE 'have_ssl' must not report YES.
POODLE
The SSL 3.0 protocol is also used in communication between web servers and clients (browsers). Here it is vulnerable to an attack known as POODLE (CVE-2014-3566). An attacker who can intercept the connection (man-in-the-middle) forces the browser to fall back from TLS to SSL 3.0 and then exploits a weakness in SSL 3.0's CBC padding to decrypt parts of the encrypted traffic, such as session cookies, by making the browser send many similar requests. It does not give the attacker code execution on the client or the server; the impact is disclosure of secrets that HTTPS should have protected.
For details of this vulnerability in Windows refer to Microsoft TechNet - Advisory 3009008.
Best Practice: Disable SSL 2.0 and SSL 3.0
Windows Server 2008 using IIS 7 allows SSL 2.0 by default. To properly secure your server, and make sure that TLS is used (preferably TLS 1.2 wherever the web clients support it), you need to disable SSL 2.0 and SSL 3.0, as follows:
1. In the Start menu field, type regedit, and press Enter. The Registry Editor appears.
2. In Registry Editor, navigate to the registry key:
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
Disable SSL 2.0
3. Right-click on the folder 'SSL 2.0'. From the drop-down menu, select New ► Key.
4. A new folder is added. Name it Server.
5. Open the new 'Server' folder. In the top menu, click Edit and select New.
6. Click DWORD (32-bit) Value. A new item is added.
7. Enter Enabled as the name. Then press Enter.
8. Be sure the value in the column Data shows 0x00000000 (0) (default).
If not, right-click the name, and select Modify in the menu. In the field Value data, enter 0.
Disable SSL 3.0
9. Right-click on the folder 'Protocols'. From the drop-down menu, select New ► Key.
10. Name the new folder SSL 3.0. Be sure there is a space between 'L' and '3'.
11. Right-click on the new folder 'SSL 3.0'. From the drop-down menu, select New ► Key.
12. A new folder is added. Name it Server.
13. Open the new 'Server' folder. In the top menu, click Edit and select New.
14. Click DWORD (32-bit) Value. A new item is added. Enter Enabled as the name, as in step 7. Then press Enter.
15. Be sure the value in the column Data shows 0x00000000 (0) (default).
If not, right-click the name, and select Modify in the menu. In the field Value data, enter 0.
16. Reboot the system to make all changes come into effect.
This procedure is similar on Windows Server 2003 R2, with IIS 6.
See also the information of Microsoft Support.
NOTE: The 'Server' subkeys created above only control what IIS and other SChannel servers on this machine offer; after the reboot, verify from a client that an SSL 3.0 handshake to the web server is refused. If you also disable SSL 2.0 and SSL 3.0 under a 'Client' subkey, this machine's own web browser and other SChannel clients will no longer get information from web servers that use these protocols only.
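The same registry change scripted and read back, as an added example that is not part of the MynaVoice manual: it writes the same SCHANNEL keys as the procedure above, idempotently, and prints the result so the change can be audited before the reboot. Beyond the manual's steps it also sets DisabledByDefault=1, which stops the protocol being offered even when an application asks for the system defaults; the $Protocols list is an assumption and can be extended with 'TLS 1.0' and 'TLS 1.1' once every client can negotiate TLS 1.2. Run it elevated; a reboot is still required afterwards.

```powershell
# Added example, not from the MynaVoice manual. Same keys as the regedit procedure,
# Server side only (what IIS offers). Run elevated, then reboot.
$Protocols = @('SSL 2.0', 'SSL 3.0')   # assumption: extend with 'TLS 1.0','TLS 1.1' when clients allow
$root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelServerProtocol([string] $Name) {
    $server = Join-Path $root "$Name\Server"
    New-Item -Path $server -Force | Out-Null   # creates e.g. 'SSL 3.0' and 'Server' if missing
    # Enabled=0 is what the manual sets; DisabledByDefault=1 is the additional safeguard.
    New-ItemProperty -Path $server -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $server -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-SchannelServerState([string] $Name) {
    $v = Get-ItemProperty -Path (Join-Path $root "$Name\Server") -ErrorAction SilentlyContinue
    if (-not $v) { return "$Name Server: key missing (protocol follows OS default)" }
    return '{0,-8} Server: Enabled={1} DisabledByDefault={2}' -f $Name, $v.Enabled, $v.DisabledByDefault
}

foreach ($p in $Protocols) { Disable-SchannelServerProtocol $p }

# Audit: print what SChannel will read at next boot; anything not Enabled=0 is a finding.
foreach ($p in $Protocols) {
    $state = Get-SchannelServerState $p
    $state
    if ($state -notmatch 'Enabled=0') { Write-Warning "$p is not disabled" }
}
```

After the reboot, confirm from a client that the web server refuses an SSL 3.0 handshake; the registry only shows intent, the handshake shows what is actually negotiated.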
Shellshock
MynaVoice Recording is not impacted by the 'Shellshock' bug. MynaVoice Recording does not use orinstall the vulnerable 'Bash' shell.
A:Terminology
This appendix contains an overview of relevant abbreviations and terms used in this manual.
Item Description
Active CTI Server: CTI Server that is operational and performing the current CTI tasks.
API: Application Programming Interface
Call Controller: A service linking to the recorder database which reads configuration details for installed CTI Devices. The Call Controller processes all CTI Device messages to determine when to start and stop recording for a specific recording target.
CCLC: Call Controller/Link Controller protocol
CDR: Call Detail Record (a.k.a. Call Data Record). Metadata describing all call information like start time, end time, duration, phone numbers and names of the parties in the call, ID of the line on which the call was made, etc.
Certificate, Public Key: Electronic document that binds a public key to the identity of its owner, signed by a certificate authority. It is essential for web security: it is what lets the browser verify the identity of the web server before encrypting traffic to it.
Cipher (cypher): Algorithm used to execute encryption/decryption operations.
Cookie: Small data packet sent from a web server and stored in a web browser while the user is browsing the website. Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user's previous activity.
Core Server: Main server of a MynaVoice Recording system. Accommodates the database to store calls, user and call information, facilitates archiving and the web-based graphical user interface. Can also have recording channels.
Cross Frame Scripting: Vulnerability in web applications that allows the application to be loaded as an embedded frame inside an attacker's HTML page. This enables the attacker to monitor the user's interaction with the framed page and obtain sensitive information.
Cross Site Scripting: Vulnerability in web applications that allows an attacker to 'inject' malicious script into pages served to other users. This enables attackers to read session cookies, take over sessions, add functionality or perform actions the user did not intend.
CTI: Computer Telephony Integration
CTI Server: MynaVoice Recording server that facilitates connectivity with a PBX environment, and processes call activity to control voice recording and provide call metadata.
Fusion: MynaVoice application, enabling to find and replay calls from multiple linked recording systems. Previously known as NDR (MynaVoice Distributed Recording) and (CyberTech) MAX.
GUI: Graphical User Interface.
HTTP: Hypertext Transfer Protocol. Protocol used for communication between a web client (usually a browser) and a web server.
HTTPOnly Cookie: Cookie set with the HttpOnly flag in its Set-Cookie response header. The browser sends it with HTTP requests but does not expose it to client-side script, so a cross-site scripting (XSS) flaw cannot read it.
HTTPS: HyperText Transfer Protocol Secure. HTTP layered on top of the SSL (TLS) protocol, which adds encryption and server authentication.
IIS: Internet Information Services, Microsoft's web server and related Internet services for Windows.
IP: Internet Protocol
IPsec: Internet Protocol Security. A standard for securing IP communication by authenticating and encrypting all IP packets of a session.
ISAPI: Internet Server Application Programming Interface. API of Internet Information Services (IIS), used to develop Extension and Filter applications.
ITSP: Internet Telephony Service Provider
Java: Object-oriented programming language with a C-like syntax. Java code is compiled to bytecode that runs on a 'Java Virtual Machine' (JVM), which makes it platform-independent.
Java VM: Java virtual machine. See Java.
JavaScript: Dynamic programming language, most commonly used as part of web browsers, to make web pages interactive. It is also used in server-side network programming, game development and creating desktop and mobile applications. Apart from the name, it is unrelated to Java.
Link (Controller): Interface between MynaVoice Call Controller and vendor-specific telephony platform.
MITM Attack: The 'Man-In-The-Middle' attack intercepts communication between two systems, e.g. the HTTP connection between a web server and a web client.
Monitor Tool: MynaVoice (CyberTech) Recording Solution Monitor
NTP: Network Time Protocol
NTR: MynaVoice Recording. Previously known as CyberTech Recording System
P(A)BX: Private (Automatic) Branch eXchange
PSTN: Public Switched Telephone Network
Recorder: MynaVoice Recording server with recording channels: All-in-One system, Core Server with channels, or satellite.
Redundancy: Duplication of critical hardware and software components, to enable failover.
Resilience Group: Two paired CTI Servers, one of which acts as Active, and the other as Standby.
Resilience Host: (CTI) Server that is part of the Resilience solution.
Resilience: The ability to provide and maintain an acceptable level of service in the case of problems and failures during normal operations.
RTP: Real-time Transport Protocol
Satellite: MynaVoice Recording server accommodating recording channels.
SIP: Session Initiation Protocol. Used to establish, maintain, and terminate sessions.
SMB: Server Message Block. Microsoft-developed network protocol used for providing shared access to files, serial ports and printers.
Snooping: Related to security: unauthorized access to data of others, usually by capturing network traffic or monitoring keystrokes with malicious intent. Also known as sniffing.
SSL: Secure Sockets Layer. Encryption protocol to ensure security of communication between web server and web client (browser). Replaced by TLS.
SSL Certificate: see Certificate, Public Key
Standby CTI Server: Redundant CTI Server that is currently not performing any tasks, but is 'waiting' until failover is required. Upon failover, it takes over the configuration of the Active CTI Server.
Target: Recordable unit (device, extension, agent, Trader ID, etc.)
TCP: Transmission Control Protocol
TLS: Transport Layer Security. Encryption protocol, the more secure successor of SSL. Although TLS is now used instead of SSL, the term 'SSL' for secure communication protocols is still widespread.
Turret: Communication device, used specifically by Traders (a.k.a. 'dealer board'). It offers multiple concurrent communication channels. Typically it has 2 handsets and multiple speakers (up to 24).
UDP: User Datagram Protocol
VoIP: Voice over Internet Protocol
Web Client: Web browser that runs on a user's local computer or workstation and connects through an (internal) network to a server.
Web GUI: Web-based GUI of MynaVoice Recording. Accessed using the standard Internet Explorer.
Web Server: Application responding to requests for information from web clients. It stores, processes and delivers web pages, and uses the HTTP protocol for communication.
XSS: See Cross Site Scripting.
Table A-1: Abbreviations and Terms
Version History
Date Revision Description
01-11-2019 6.7 PL4 Overall: Adapted to MynaVoice 6.7.1. Layout adapted.
Ch1 'Introduction': Added section about Windows versions.
Ch2 'Configuring the Firewall': added Fusion Server. Added internal ports 8003, 7712 and 5051. Minor text edits. Updated ports listings with ports (Core) 445, 4251, 7780, 7950; (CTI) 4251, 4252, 4350, 7780; (Sat) 4251, 4252.
Ch3 'Antivirus and 3rd Party Software Exclusions': Added exe files to all servers. 'Core Server (With or Without Channels or CTI)': added locations of Program Files and Program Files (x86). 'Fusion Server': added locations. Removed location of Windows 2003.
Ch4 'System Hardening' renamed from 'Recording System Hardening'. Introduction rewritten. 'Installed MynaVoice Recording Services' updated. Added Configure Transport Encryption for File Shares. Updated with latest services: MynaVoice Core Server extended. Removed references to Windows 2008; added Windows Server 2016.
Ch5 'Web Server Security': restructured Hiding Version Information in the Server Header into IIS 7.5 and higher; section IIS 6 and lower removed (not supported); updated screenshots to Windows 2012 R2. Added MynaVoice and Security with updated required/supported protocols (TLS only). Added Remove the X-Powered-By Header. 'Hiding Version Information in the Server Header': added Procedure for IIS 7 and higher; old procedure renamed to '... for IIS 6 and lower'. Added 'Enable HTTPOnly Cookies Using URL Rewrite 2.1' and 'Enable Secure Cookies Using URL Rewrite 2.1'. Removed Enable HTTPOnly Cookies by Adding an ISAPI Filter. Replaced all W2008 screenshots by W2016 screenshots.
Ch6 'Web Client Internet Explorer Policy': added (important) notes and remarks about NTR 6.7.2 and higher not supporting Real-time Play. Replaced all W2008 screenshots by W2016 screenshots, except those of Setting Satellite Access ... (feature not available for W2016).
25-05-2016 6.6 PL8 Ch3 'Introduction': updated warning. Ch4 'List of Installed MynaVoice Recording Services': reference to Monitor Tool separated in old and new type. Added section E-mail Filtering.
31-01-2016 6.6 PL7 Ch3 'Antivirus and 3rd Party Software Exclusions' - 'Introduction': added important note about full-system backups.
31-10-2015 6.6 PL6 Ch4 Recording System Hardening - added section 'SMB Signing'. Ch5 Web Server Security - re-written introductory section to include TLS versions, cipher types and relation SSL<>TLS. Added heading 'SSL/TLS Security'. Updated Appendix A 'Terminology'.
30-09-2015 6.6 PL5 -
31-08-2015 6.6 PL4 Ch2 Configuring the Firewall: added port 7780 to sections on satellite and CTI Server; added direction 'IN' to port 6002 on systems with channels.
Ch3 'Antivirus Settings': changed title into 'Antivirus and 3rd Party Software Exclusions'; re-phrased introduction and 'Antivirus Exceptions' to include other software; added folder 'C:\inetpub' to the list.
Ch4 'Recording System Hardening': added information on Windows Data Execution Prevention (DEP); Figure 4-1: replaced screenshot of old type of Monitor Tool by new one.
30-06-2015 6.6 PL3 Ch2 Configuring the Firewall: added section 'Port Scanning'. Ch4: Added sections 'Required Windows Services' and 'Additionally Installed Applications'.
30-05-2015 6.6 PL2 Ch2 Configuring the Firewall: changed port 6004 (Monitor Tool) to OUT on a Core Server (with and without channels) and to IN on a satellite.
31-03-2015 6.6 PL1 -
27-02-2015 6.6 Overall: Layout updated to latest standards. Chapter structure re-arranged. Minor text changes. Removed all Windows Server 2003 information.
Ch1: Introduction rewritten. Added Scope, Intended Audience, updated Symbols.
Ch2: Configuring the Firewall: moved and made into separate chapter (used to be part of ch4). Introduction rewritten. Which List Do I Use added. Removed illustration. Restructured, extended and updated ports listing. Created columns Service and Explanation, separated Protocol and Direction. Used roles and combinations as a basis. Separated external and internal ports. Added Additional ports (for applications). Added Fusion server. Removed Screen Recorder.
Ch3: Moved from ch2. Added Introduction. Restructured, tables added.
Ch4: Renamed chapter (was: 'Operating system hardening'). List of services updated. Introduction added. Local or Group Policy Security Settings renamed, updated and extended. Enabling IPsec Encryption moved here (used to be separate chapter). Updated. Internet Guest Account removed. Windows Recorder Account removed.
Ch5: Moved and renamed (was: ch6 Enabling SSL web server security). Introduction rewritten and updated. SSL Certificates restructured and updated. IIS 6.0 information removed. Enabling HTTPOnly Cookies moved here (used to be separate chapter). Updated. Preventing Cross Frame Scripting added. Hiding IIS Version Information added. Enforcing Account Lockout added.
Ch6: Restructured and updated. Introduction rewritten. Removed IE 6/7/8 information, updated to IE11. Real-time Playback (and Channel Overview) updated and extended. Setting Satellite Access to External Communication added. Removing Temporary Internet Files and Configuring Cache Control updated.
Ch7: Moved here from ch5. Rewritten. Added POODLE and Shellshock.
Terminology: table added.
Former ch9 IIS security policies removed.
Former versions
Date Version Remark
01-05-2006 1.0 First release
10-07-2006 1.1 Added SSL security information
16-08-2006 1.2 Added SSL configuration to allow only HTTPS on server
27-11-2006 1.3 Added IIS Guest Account password change section. Changed Antivirus policy.
18-04-2007 1.4 Added IE7 web client policies. Added Internet Guest Account policies. Added Archive drive access policy for CyberTech Recording System and PC Replay Station.
01-07-2007 1.5 Changed old recorder name to new name: CyberTech Recording System. Added section 'Windows recorder account'. Added section 'Drive partitioning'.
24-12-2007 5.0 Updated manual to A5 layout and added R5 related information.
28-04-2008 5.1 Updated chapter 2 (antivirus) for Screen Recording. Updated chapter 4.1 (firewall) for Screen Recording. Added IPSEC security configuration chapter 6. Added SSL Intermediate CA certificate for trading recording.
10-10-2008 5.2 Updated chapter 4.7 recorder account. Included CT5.2 recorder account rights and removal options. Added information on SSL certificate valid time. Example shows only 365 days. Updated access right 4.7.1. Added server side cache configuration 3.5. Updated Services list including Parrot API Service Starters in chapter 4.1. Updated Firewall recorder overview. Removed SNMP and SMTP systems from overview in chapter 4.2. Minor lay-out changes.
02-04-2009 5.3 Minor text updates. Added secure delete chapter.
07-07-2009 5.4 Minor layout updates to all chapters. Added Resilience communications to chapter 4.
18-09-2009 5.5 Added port number for Configuration Management (chapter 4.2).
07-10-2009 5.6 Updated chapter 6.1 (minor text changes + extra pictures). Added Open Call Controller Interface (OCCI) web service and port definitions.
01-02-2010 5.7 Added paragraph 4.6.4 outlining a possible issue caused by IIS application pool Policy settings.
10-06-2010 6.0 Implemented review comments for R6 and reformatted for A4 template.
15-06-2010 6.0 Applied review comments JV, reformatted for A4 template.
01-07-2010 6.0 Additional formatting corrections.
20-07-2010 6.0 Additional style and formatting corrections.
03-08-2010 6.0 Removed chapter 7.
12-10-2010 6.1 Added Silverlight ports to Firewall section.
30-11-2010 6.1 Added Core Server Redundancy ports in Firewall section.
09-05-2011 6.1 Added Require SSL setting (Windows 2008 R2).
10-05-2011 6.1 Added section 'Disabling IPv6 components'.
14-06-2011 6.3 IPSEC steps for Windows 2008 improved.
23-06-2011 6.3 IPv6 section expanded.
11-07-2011 6.4 Added section 5.5 'Setup SSL Certificate on recorder'.
28-10-2011 6.2* Rebranding name changes (* manual version synchronised with product version).
11-11-2011 6.2 Port number config mgt 8007.
23-12-2011 6.2 IE setting 'Enable native XMLHTTP support' added.
31-01-2012 6.2 HTTPS port number corrected.
17-02-2012 6.2 IIS configuration temporary Internet files.
13-03-2012 6.2 Updates to Firewall ports section.
09-07-2012 6.2 Updated ports for screen recording.
31-07-2012 6.2 Added MAX services.
13-09-2012 6.2 Server certificate instructions, Site Bindings added.
25-09-2012 6.2 Added VoIP INI locations to antivirus exclusions.
02-11-2012 6.2 Port range for Active IP Recording Audio: 10002-11001.
10-01-2013 6.3 Added MySQL Optimization chapter.
14-03-2013 6.3 MySQL Optimization chapter updated.
29-08-2013 6.5 Advised scheduling antivirus updates out of hours and when network traffic is low.
26-09-2013 6.5 Updated self-signed certificate link.
29-10-2013 6.5 Added EMC ports to table.
30-10-2013 6.5 Added port 4345.
03-01-2013 6.5 Added chapter 'Adding an ISAPI filter'.
07-01-2014 6.5 Added note for Sentinel ports.
27-01-2014 6.5 Added Satellite Controller to table of satellite services.
06-02-2014 6.5 Antivirus excludes, added: C:\ProgramData\CyberTech\CallDataCache.
11-02-2014 6.5 Added ISAPI filter path c:\inetpub\ISAPIfilters.
20-02-2014 6.5 ISAPI filter steps updated. Added Sentinel ports.
24-02-2014  6.5   'Enabling HttpOnly cookies' chapter updated
17-03-2014  6.5   Added port 7500
22-04-2014  6.5   Removed MySQL Optimization chapter (duplicated in Installation manual)
                  Fixed typo in Antivirus excludes
                  Added section on Heartbleed vulnerability
24-04-2014  6.5   Port 4350 added
29-05-2014  6.5   Updated section on Heartbleed vulnerability
                  Added IIS6 security options for NTR 6.5.8 on Windows 2003
11-05-2014  6.5   Added ports:
                  - Port range for Active IP Recording Audio: 10002-12001
                  - Customer LAN: E-mail 25 (SMTP) TCP, OUT
                  - Customer LAN: Alarms 162 (SNMP) UDP, OUT
28-08-2014  6.5   Added port:
                  - Core API Media Delivery / Monitoring 7950 TCP, IN
Version History