
Security and the one-X Speech 4.0 Server

By: one-X Speech Development Team

1 Introduction

The one-X Speech product was designed to meet the enterprise need for a voice command access point to all of a business user’s communications needs, while residing within the corporate intranet and protected by the corporate firewall. The following servers are all behind the corporate firewall: the one-X Speech Server itself, which hosts the 1XS application and interacts via standard protocols with some or all of the following existing customer systems: Voice Messaging Server, Email server, LDAP corporate directory server and PBX. Providing a secure point of entry for external access to the one-X Speech servers has to be part of the corporate IT security structure. This paper describes how the one-X system fits into a customer’s network and connects to existing systems. It will cover the network connection, protocols, system loading, and security concerns. One of the main purposes of this paper is to inform owners of 1XS about the steps Avaya has taken to secure these systems and to provide information to assist owners in operating the server(s) in the most secure manner. In earlier voice-centric systems, the main security focus was on toll fraud issues. Earlier voice systems rarely interfaced with the data network and were neither susceptible to the types of attacks prevalent on data networks, nor did they provide a gateway into such networks from which an attack might be launched. With the convergence of voice and data networks and the advent of IP Telephony, this is no longer true. Toll fraud is still an important issue, and special considerations for Speech Access are covered within; however, this paper focuses primarily on security issues relating to connection to the enterprise data network. The intent of this document is to provide some insight into the overall security of one-X Speech Access and its various components, and some recommendations on how to optimize system security of one-X Speech on the Windows Operating System.

The following topics will be covered in this document.

• Basic Precautions
• Architecture Overview
• System components and interconnections
• Connections with other customer systems
• Windows resources
• Windows hardening
• Further reading

2 Basic Precautions [1]

Securing a system begins with the people and organizations that operate or use it, rather than with the system itself. One of the most important tools for securing a system is to have a written, published security policy and to make sure it is enforced. The Site Security Handbook memo (RFC2196) issued by the Internet Engineering Task Force helps administrators create a security policy and defines these steps:

1. Identify what is to be protected.
2. Determine from what it is being protected.
3. Determine how likely the threats are.
4. Implement measures that cost-effectively protect corporate assets.
5. Review the process continuously and make improvements each time a weakness is found.

Some of the most effective security measures are common sense.

1. The one-X Speech server should be a single-purpose server. Sharing the system with other applications adds unnecessary complexity, and possibly more administrators, each of which carries its own inherent risks.
2. Use strong passwords for every administrative account on the one-X Speech server.
3. Review Microsoft Security Best Practices.
4. Maintain a current and well-patched operating system. Important: you should install ‘Critical’ security patches from Microsoft as they apply to your environment, but please check the Avaya Web site for compatibility prior to installing Hot Fixes or Service Packs.
5. Keep the one-X Speech server in a physically secure location.
6. Do not leave login sessions open and unattended at the server’s console.
7. Place the 1XS within your internal network, not on the internet.
8. Ensure that you have installed the latest security service packs associated with any or all of your system’s major components.

[1] Caveats:
• Do not attempt to implement any of the recommendations in this guide without first testing in a non-operational environment.
• This document is not meant to replace well-structured policy or sound judgment. Furthermore, this document does not address site-specific configuration issues.

1XS is designed to be located securely within the network, and not directly connected to the Internet. The existing corporate gateway is the first line of defense. By leveraging the existing network, system administrators can effectively protect against outsiders. Examples of deployment include:

• Installation inside the trusted network behind a stateful-inspection Firewall

• Insertion of a network based Intrusion Detection System (IDS)

• Use of an anti-virus gateway

• Use of Virtual Private Networks (VPNs) for remote client connectivity

3 Architecture Overview

[Figure: one-X Speech Access architecture diagram. Components shown on the one-X Speech Server (UCC SA): Supporting Application COM Libraries (e.g. CDO/MAPI/Lotus), Dialog Engine, VoiceXML Interpreter, VAXML Interpreter, WSH Connector, Application Scripting Engines 1 to n, VAManager, VAServerManager (Cluster Server Controller (CSC) only), Telephony API, ASR API, TTS API, SIP, H.323, ISDN T1/E1, NMSS NIC (Fonix), SPWX, Windows Script Host 5.6, Nuance (SPWX), MSSQL 2000. Systems on the Corporate LAN: Lotus Domino Server(s), Exchange Server(s), Voice Mail Server(s), AD / LDAP Server, UCC SA CSC, Avaya WebLM (normally resides on UCC CSC), PBX (T1 / E1 trunks), telephony nodes UCC SA 01 and UCC SA 02 (Http / Https).]

The diagram above provides a pictorial view of the architecture of the one-X Speech Access server [2]. All the components that comprise the 1XS server are COM/DCOM [3] components that run in the context of a domain user identity called the “Service Account” and require connection authentication. Connection authentication requires any client attempting to connect to one of one-X Speech Access’s components to authenticate to the DCOM server. This level of DCOM security works with Microsoft’s Kerberos Security Support Provider Interface (SSPI) pluggable module [4]. Connection authentication also provides packet authentication, which validates that all data received is from the expected client. Additionally, this Service Account needs to be a member of the one-X Speech Access server’s “Administrators” group, with the privilege to “log on as a service”. With the exception of email access, the Service Account does not require any additional privileges on the server or the domain. If the one-X Speech Access server will not be accessing an email data store and will not be running in a multi-node configuration, then the Service Account can just be local to the one-X Speech Access server.

3.1 Note on Resource Utilization

Prior to delving into the architecture overview it is important to note that following installation of a one-X system, the customer should not experience any noticeable degradation in performance on the servers connected to the one-X Speech system, or any noticeable increase in LAN loading. The protocols used to access voicemail are the same as those used by Web visual clients. The protocols used to access email are the same as those used by Web visual clients (Exchange – MAPI, Domino – IMAP4).

3.2 Avaya one-X Speech Access Cluster Controller/Telephony Node

one-X Speech Access systems can consist of either a single system or a clustered system with a cluster controller and a number of telephony nodes. The one-X Speech Access cluster controller and telephony nodes also communicate via DCOM. The primary processes used to communicate between the cluster controller and the telephony nodes are the VAServerManager process (cluster controller) and the VAManager process (all nodes). These DCOM processes, and all one-X Speech Access DCOM processes, require connection authentication with the Service Account. Note: in a single node solution the cluster controller and the telephony node are one and the same. In a multi-node solution, a telephony node can be added or removed without the loss of any sensitive data. Each telephony node maintains and stores its own detailed logging information, e.g. debug logs, and utterances (subscriber spoken commands). Each telephony node will also transmit significant node events to the cluster controller for storage (call detail records, engine status changes, etc). Once a node has been joined to the cluster, a node can be controlled (via the one-X Speech Management Console) from any node within the cluster. All control communication between nodes flows through the cluster controller. Since the cluster controller knows the state of all processes within the cluster, the nodes can use the controller to best determine how to handle a call. For example, a call arrives on node 1 for a subscriber, but prior to answering the call node 1 will query the controller to see if the subscriber is already connected to a different node, and if so, redirect the call to that node. In this way, a subscriber can receive a whisper tone notification (indication of an incoming call), regardless of the node that the call originally arrived on.

[2] Items within the diagram that are enclosed in parentheses are either deprecated or not currently supported.
[3] See Microsoft’s white paper “Best Practices for Mitigating RPC and DCOM Vulnerabilities” and Microsoft security bulletins MS03-026 and MS03-039 for more detail.
[4] Based on MIT Kerberos V5, RFC 1510.

3.2.1 Web Pages

Each one-X Speech Access server creates a number of directory shares and web pages that are used for various maintenance aspects of the system and for the web based reporting service. Each node in a one-X Speech Access cluster will have the same shares and web pages except for the controller; the cluster controller will also have the subscriber’s preference web service. The report service web pages are only accessible by the one-X Speech Access service account, domain administrators and local administrators. The report service and all administrative one-X Speech Access web pages require SSPI authentication. For the administrative web pages you can implement a finer granularity of access via the SetUCCPermissions utility. For example, you can allow certain non-administrative users access to the reports web pages. See the one-X Speech Access Installation Guide for more detail. The subscriber preference web page is accessible to any subscriber that can be authenticated via their account number and numeric password. This web page allows the individual subscriber to customize their experience with one-X Speech Access. All one-X Speech Access web pages that handle passwords are designed to detect whether or not they are configured for SSL. If the web page detects that it isn’t using SSL, it will then automatically encrypt all passwords using an internal RSA asymmetric encryption algorithm (client and server). This ensures that no passwords are ever sent over the wire in clear text. If the web service is configured for SSL, then the SSL layer will handle all data encryption.

3.2.2 Password Storage

All passwords that are handled by one-X Speech Access are stored in one of two fashions depending on use. If the password will be needed to access an external data store on behalf of a subscriber, then the password will be stored using 3DES encryption. If the password is not required to access an external data store, then the password will be stored using a one-way hash (SHA1). No passwords are ever stored within any application debug logs or event trace files. No passwords are ever stored as plain text; prior to storage, passwords are either encrypted or hashed.

3.2.3 Password usage over the Cluster

When an application on one of the telephony nodes needs to authenticate a subscriber, the application will request a copy of encrypted or hashed subscriber credentials from the database on the cluster controller. If the subscriber only requires local authentication (one-way hash), the application will pass the subscriber provided authentication information through the one-way hash algorithm and compare the resulting value to the stored value. If the subscriber needs to be authenticated to an external message store, the application will pass the subscriber provided authentication information to the appropriate internal connector, which will then handle the encryption mechanism required by the external store. If the subscriber is configured by the administrator for “Express Login”, where the subscriber’s ANI acts as identification and authentication components, then the node will decrypt the retrieved credentials and pass the resulting value to the appropriate internal connector. The connector, in turn, will apply the appropriate encryption/hashing mechanism required by the external store. In other words, no passwords are ever transmitted between the telephony nodes and the cluster controller in clear text.

3.2.4 NMS Communications Natural Access 2005-1 (NMSS)

When one-X Speech Access is configured with a Natural MicroSystems (NMS) CG6060 E1/T1 telephony board, DSPs on the board are configured for specific tasks: call control, DTMF tone detection and generation, conferencing, echo cancellation, and audio conversion and mixing. In addition, depending on the number of MIPS that are available, one or two DSP resources are used for the fax operations of the board. Each DSP configured for fax supports eight simultaneous fax operations. The current version of one-X Speech Access utilizes the fax resources on the NMS board for tone detection (call progress detection) on inbound and outbound calls, but doesn’t provide a client application (fax server) for handling inbound or outbound fax calls. Any incoming fax communication to the board will be dropped (the call is handed to the Voicemail system for fax reception, if supported) [5]. Beyond the fax modem capabilities, there are no resources on the board (DSPs, firmware, or otherwise) configured for handling digital or analog modem protocols. All resources and communications to and from the NMS board are tightly coupled to one-X Speech Access; that is, the telephony layer queries one-X Speech Access for an available application to handle an incoming call, and the application, in turn, makes all telephony requests (place, drop, conference, etc) via one-X Speech Access. Thus, it is not possible to establish an IP-based network connection over a data call placed to an NMS fax resource, since the fax and IP components are in completely different and unconnected software stacks.

[5] The fax tone detection capability can be disabled by setting the Speech Server parameter "Telephony.Natural.FaxEnable" to FALSE.

3.2.5 Nuance 8.5 Interpreter (ASR)

The Nuance ASR components run in the context of the one-X Speech Access service account and therefore have the same privileges. Currently there is one known potential security vulnerability regarding Nuance’s ASR Watcher Daemon: the Watcher Daemon supports a telnet service on TCP port 7023 with no authentication. Therefore, Avaya provides and recommends importing an IPSEC Policy file that blocks access to the Watcher Daemon from other computers. See the one-X Speech Access site preparation guide for the steps involved.

3.2.6 Nuance RealSpeak 4.5 (TTS)

The RealSpeak TTS service runs as a “Local Service” on the one-X Speech Access server, and there are currently no known security issues associated with the service. If in your environment you need to block access to ports used by RealSpeak TTS from other machines, refer to the LAN utilization section for a listing of the ports used by RealSpeak TTS.

3.2.7 Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)

The Microsoft SQL Server 2000 Desktop Engine (MSDE) provides the data repository for all one-X Speech Access parameters, call detail records, and local user configuration information. When one-X Speech Access is installed it will ensure that MSDE is set to only use Windows based authentication, and the installation process will also request that service pack 3 or higher be installed. If in your environment you need to block access to ports used by MSDE from other machines, refer to the LAN utilization section for a listing of the ports used by MSDE.

3.2.8 Windows Script Host 5.6

Windows Script Host 5.6 is a standard part of the operating system on Windows 2003. The scripting engines, when created, run in the context of the invoking user and therefore have no additional privilege beyond the privileges of the invoking user. One-X Speech Access scripting engines are basically extended WSH script engines. These engines run in the context of the one-X Speech Access service account, and therefore have the associated privileges of the one-X Speech Access service account. Currently there are no known security issues regarding WSH scripting engines.

3.2.9 Optional Components

If the one-X Speech Access system is being configured to access email from either Microsoft Exchange or Lotus Domino 6.5+, then one or more of the following optional components will need to be installed.

• Microsoft Exchange 2000/2003 System Management Tools: This install will provide both MAPI and CDO libraries that one-X Speech Access will use to access the MS Exchange server. These objects, when created, run in the context of the one-X Speech Access service account.

• Lotus Notes 6.5+: Runs in the context of the one-X Speech Access service account and is used to access a subscriber’s calendar. If one-X Speech Access is going to access a subscriber’s calendar, then the subscriber must explicitly grant delegate authority to the one-X Speech Access service account.

• Microsoft Word: Allows one-X Speech Access to convert Word documents to Rich Text, which can be rendered by the TTS service.

4 Interconnection with other customer systems

4.1 PBX

The one-X Speech Server communicates with the PBX using ISDN and QSIG protocols over direct dedicated T1 or E1 connections, which are not connected to the data network. The T1 or E1 line(s) connecting the PBX to the speech servers must be enabled for trunk-to-trunk transfer for the Speech Access Reach-Me function to operate successfully. Callers can initiate an outcall if the subscriber sets up the Reach-Me number in one-X SA. The Reach-Me number is set up by the subscriber through the one-X SA User Preferences Web pages, which are protected by subscriber authentication. The Reach-Me feature allows a caller to locate a subscriber if the subscriber does not answer the initial call. However, the Reach-Me interface allows a caller to reach the subscriber only at the Reach-Me location defined by the subscriber. This prevents the caller from dialing other telephone numbers through the one-X SA system. In addition to this built-in Reach-Me toll-control measure, one-X SA provides the following additional toll-control features:

• Built-in authorization (PBX-independent)
• Pre-dial outcall authorization codes
• Post-dial outcall authorization codes
• Overriding restriction
• Outbound call detail report
• Toll call usage alerts

All of these approaches are available for selection by the customer.

4.1.1 Built-in one-X Speech Access Authorization (Switch Independent)

This approach involves the administration of outcall permissions for each speech access user using the one-X Speech Access system administration database. One-X Speech Access will determine the call type whenever an outcall is attempted and will compare the call type with the allowed permissions for that user.

Comments: With this approach, the one-X Speech Access system always examines the subscriber’s outcall limitation before placing the outcall. Hence, the interface will prompt back to the subscriber immediately if the outcall phone number is restricted.

4.1.2 Unique outcall authorization codes (Communication Manager (DEFINITY) Switch Specific)

This approach involves using outcall authorization codes that are compatible with the Communication Manager / Avaya Call Processing software.

The one-X Speech Access application will store the unique outcall authorization code for each user in the one-X user database. This field is administered for each user. This approach makes use of user outcall limitation rules defined in the switch database. One-X Speech Access will pass the user’s authorization code to the switch when placing an outcall. The switch will use the authorization code to access the switch database to determine whether the outcall can be initiated for the user. If the call type of the outcall is not allowed for the user or the authorization code is invalid, an error will be returned to the application.

Comments: With this approach, toll fraud is controlled by the switch. The switch will keep a detailed outcall record of each user account for billing purposes. There may be limitations to the fidelity of outcall failure reporting available to the one-X Speech Access user using this approach, and one-X will not discover any outcall limitations until the outcall is actually initiated.

Note that this authorization code feature is in parallel to other Toll Fraud restrictions that might also be in place on the switch.

4.1.3 Outcall authorization codes (Central Office Switch Specific)

This approach involves using outcall authorization codes that are directed to the central office switch.

The system administrator can enter templates into the dialing tables, which specify how the subscriber’s authorization code will be passed to the Central office switch.

4.1.4 Overriding restriction

One-X SA has overriding restriction tables that allow the administrator to block calls, ranging from individual numbers to an entire country code. For example, the administrator can block all calls to directory assistance (411) and any numbers starting with 011 52. Overriding restrictions prevent subscribers from dialing 411 and any number in Mexico, even if certain subscribers are granted international dialing privileges.
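As an added illustration (not Avaya’s code) of how the built-in, switch-independent authorization of 4.1.1 combines with the overriding restriction tables of 4.1.4, the following Python models the decision order: the overriding table is consulted first, then the call type is compared with the subscriber’s permissions. The dialing-plan rules, the permission names and the sample subscribers are assumptions.

```python
"""Outcall authorization modelled on sections 4.1.1 (built-in, switch
independent) and 4.1.4 (overriding restriction).  Constructed example, not
Avaya code: the dialing-plan rules and permission names are assumptions."""
from dataclasses import dataclass, field

# Overriding restriction table, checked before any subscriber permission.
# Entries are (digits, whole_number, description).  The paper's examples:
# directory assistance 411 (whole number only, so a local number that happens
# to start with 411 is not caught) and any number starting 011 52 (prefix).
OVERRIDING_RESTRICTIONS = (
    ("411", True, "directory assistance"),
    ("01152", False, "any number in Mexico"),
)


@dataclass
class Subscriber:
    """Outcall permissions as administered in the one-X SA database."""
    name: str
    allowed: set = field(default_factory=set)   # call types granted


def normalize(dialed):
    """Keep the dialed digits only; spaces and dashes are presentation."""
    return "".join(ch for ch in dialed if ch.isdigit())


def classify(digits):
    """Assumed North American dialing plan (not from the paper): 011 means
    international, 1 + ten digits long distance, seven or ten digits local,
    four or five digits an internal extension."""
    if digits.startswith("011"):
        return "international"
    if digits.startswith("1") and len(digits) == 11:
        return "long_distance"
    if len(digits) in (7, 10):
        return "local"
    if 4 <= len(digits) <= 5:
        return "internal"
    return "unknown"


def overriding_restriction(digits):
    """Description of the matching overriding restriction, or None."""
    for pattern, whole, why in OVERRIDING_RESTRICTIONS:
        hit = digits == pattern if whole else digits.startswith(pattern)
        if hit:
            return why
    return None


def authorize_outcall(subscriber, dialed):
    """Return (allowed, reason).  The overriding table is examined first, so
    a blocked number is refused even for a subscriber with international
    privileges; only then is the call type compared with the subscriber's
    permissions, and the refusal reason is available to prompt immediately."""
    digits = normalize(dialed)
    why = overriding_restriction(digits)
    if why:
        return False, f"blocked by overriding restriction: {why}"
    call_type = classify(digits)
    if call_type == "unknown":
        return False, "unrecognized number format"
    if call_type not in subscriber.allowed:
        return False, f"{call_type} calls not permitted for {subscriber.name}"
    return True, call_type


if __name__ == "__main__":
    # Constructed sample subscribers and dial strings.
    alice = Subscriber("alice", {"internal", "local", "long_distance", "international"})
    bob = Subscriber("bob", {"internal", "local"})
    for who, number in ((alice, "011 52 55 1234 5678"), (alice, "411"),
                        (alice, "411-555-1212"), (bob, "011 44 20 7946 0000"),
                        (bob, "555-1234")):
        print(who.name, number, authorize_outcall(who, number))
```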

4.1.5 Outbound call detail report

One-X SA offers an outbound call detail report through the one-X Speech Server Reports, a browser-based application that queries the one-X SA database and generates reports, ranging from system performance to user-related statistics. The outbound call detail report provides information on all outbound calls that are placed by a subscriber during a specified period of time. The administrator can run the outbound call detail report to monitor toll fraud or outbound call usage by specific subscribers. The report also alerts the administrator of unusual toll usage.

4.1.6 Toll call usage alerts

One-X SA provides an Alert feature that enables the system to send an e-mail or a text-page to the administrator when selected system alerts occur. The administrator can configure the following through the one-X Speech Server Management Console:

• Types of alerts and events to be monitored
• Frequency with which the administrator should be notified

4.2 Voicemail systems

All of Avaya’s current and legacy voicemail systems allow the administrator to enable or disable specific features that govern a subscriber’s password characteristics. These characteristics can be managed system wide or on a Class of Service basis, e.g. one-X Speech Access subscribers could be placed in a COS that has higher security requirements than the average voicemail-only subscriber. Each of Avaya’s voicemail systems allows the administrator to set:

1. Minimum password length.
   a. Modular Messaging (0 to 32 digits). We recommend a password length in the range of 6 to 10 digits. Keep in mind, though, that the longer the password is, the higher the probability that the subscriber will transcribe the password rather than memorizing it.
2. Password aging.
3. Trivial password protection, e.g. mailbox number.

For a quick reference to the password handling characteristics of the various Avaya voicemail systems, see below. For more detailed specifics on your Avaya voicemail system, please refer to your administrator guide.

Avaya Modular Messaging

o The Avaya Modular Messaging password can be set from zero to 32 digits. The minimum number of digits is an administrator-configurable parameter. The password change interval is also an administrator-configurable parameter.

o When a subscriber first logs in with a temporary password, the system requests a change of password.

o The system does not allow reuse of previous passwords.

o The administrator can define the number of invalid attempts before disconnecting or locking out the mailbox on the messaging server.

o The password cannot be a trivial sequence or an increasing or decreasing sequence of numbers, such as 5555 or 1234. It cannot be increasing or decreasing odd or even numbers, such as 4680 or 1357. Note: The number “0” is considered to be both zero and ten.

One-X Speech Access (without Voicemail)

o The one-X Speech Access password length can be set from 1 to 15 digits. The minimum and maximum number of digits are administrator-configurable parameters. The default is 4 for the minimum and 15 for the maximum length.

o The administrator can configure the number of consecutive login failures that determines the lock-out of a subscriber account (default value 32). The administrator can also configure the duration for which the subscriber account stays locked (default is 10 minutes) [6].

o The administrator can configure the maximum number of login failures before the system terminates the call (default value is 6).
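The Modular Messaging trivial-password rules above, including the rule that “0” counts as both zero and ten (which is what makes 4680 a rejected even sequence), as an added Python example that is not Avaya’s code. The SHA-256 history fingerprint, the mailbox-number check and the 6 to 10 digit defaults are assumptions drawn from the recommendations above, not the product’s implementation.

```python
"""Mailbox password policy modelled on the Modular Messaging rules quoted in
section 4.2 (constructed example, not Avaya code)."""
import hashlib

# Digit steps the policy rejects: 0 = repeated digit (5555), +1/-1 = straight
# increasing or decreasing run (1234, 4321), +2/-2 = odd/even run (1357, 4680).
FORBIDDEN_STEPS = (0, 1, -1, 2, -2)


def _values(digit):
    """Numeric readings of one key press: the 0 key counts as zero AND ten."""
    return {0, 10} if digit == "0" else {int(digit)}


def _follows_step(digits, step):
    """True if some zero/ten reading makes every digit equal to its
    predecessor plus `step`.  The set of values the previous key could have
    taken is carried forward, so 0 may be read as 10 at the end of 4-6-8-10
    or as 0 at the start of 0-1-2-3."""
    reachable = _values(digits[0])
    for d in digits[1:]:
        reachable = {v for v in _values(d) if (v - step) in reachable}
        if not reachable:
            return False
    return True


def is_trivial_sequence(password):
    """Repeated, increasing/decreasing, or odd/even digit runs are trivial."""
    if len(password) < 2:
        return True
    return any(_follows_step(password, step) for step in FORBIDDEN_STEPS)


def fingerprint(password):
    """Assumption: password history is kept as SHA-256 digests; the paper does
    not say how Modular Messaging records previous passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def validate_password(password, mailbox, history=(), min_len=6, max_len=10):
    """Return (accepted, reason).  Defaults follow the paper's recommended
    6 to 10 digit range; the product itself allows 0 to 32 digits."""
    if not (password.isascii() and password.isdigit()):
        return False, "digits only"
    if not min_len <= len(password) <= max_len:
        return False, f"length must be {min_len}-{max_len} digits"
    if password == mailbox:          # trivial password protection
        return False, "password equals mailbox number"
    if is_trivial_sequence(password):
        return False, "trivial or sequential digit pattern"
    if fingerprint(password) in history:
        return False, "previous password may not be reused"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: mailbox 7001 with one earlier password on record.
    history = {fingerprint("824613")}
    for candidate in ("5555", "123456", "468000", "135791", "098765",
                      "824613", "739152"):
        print(candidate, validate_password(candidate, "7001", history))
```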

4.3 Email Systems • Microsoft Exchange (2000/2003)

No subscriber passwords are required when connecting to a Microsoft Exchange (2000/2003) server; the one-X Speech Access process runs in the context of a user that has ‘delegate like’ authority for the subscriber on the Exchange Server. These privileges are: “Send As”, “Receive As”, and “Administer the Information Store”. With these privileges one-X Speech Access is able to connect to a subscriber’s data store as the subscriber.

• Microsoft Exchange 2007

No passwords are required when connecting to a Microsoft Exchange 2007 server; the one-X Speech Access process runs in the context of a user that has “Service Account Admin” privileges. With this privilege one-X Speech Access is able to connect to a subscriber’s data store as the subscriber. Each subscriber’s Exchange alias is provisioned by the system administrator, which limits the subscriber’s access to their own email store. Email messages sent by one-X Speech Access on behalf of a subscriber will be clearly identified as being from that subscriber.

Numerous other products within the industry that attempt to provide similar access to a subscriber’s Exchange mailbox require similar if not greater privilege for the delegate account on the Exchange Server. For example, in addition to the privileges listed for Microsoft Exchange 2000/2003, both Blackberry Enterprise Server and the Cisco Unity Server require delegate authority of “View only Administrator” over the entire site.7

Once authenticated by the system, the subscriber can listen to and delete email and voicemail, and forward or send messages. The scope for counterfeiting messages is limited, as the introduction and message are in the voice of the person connected. Once on the system, access is limited. It is not possible to: browse or delete files on any internal file systems or shares (only emails in the single user account can be heard); gain access to any internal web sites; damage or compromise any server, including the mail server; install viruses; or gain access to any other user accounts (you cannot jump from one account to another).

• Lotus Domino

To access Lotus Domino, each subscriber must supply their internet/web8 password via the one-X Speech Access subscriber preferences web service. Assuming that one-X Speech Access has access to the subscriber’s password, one-X Speech Access logs onto Lotus Domino as the subscriber by passing the subscriber’s password to the mail server via the IMAP protocol. Due to a limitation of the IMAP connector that one-X Speech Access utilizes, the subscriber’s internet/web Notes password is currently passed as clear text, but this can be mitigated by following one of the three recommendations below.

1. Assuming that the Domino server is a Windows based server, create a security policy that restricts access to port 143 to only the one-X Speech Access server.

2. Utilizing either a separate firewall or firewall software installed on the Domino server, restrict port 143 access to only the one-X Speech Access server.

3. Encrypt all traffic between the one-X Speech Access server and the Domino server utilizing Avaya’s VPN Service Units (Avaya VSU 5).

The following figure provides a graphic representation of these various solutions. All solutions assume that the server LAN and the subscriber LAN are on separate switched port routers and that the one-X Speech Access server and the Lotus Domino server are on the same switch. Assuming no other solution has been put in place, this limits the exposure to only devices on the same switch.

For example, to implement the first suggestion of setting up a Windows security policy to restrict IMAP4 access on the Domino server, an administrator would do the following:

1. Go to Start > Settings > Control Panel > Administrative Tools.
2. Double-click Local Security Policy.
3. Right-click IP Security Policies on Local Machine.
4. Click Create IP Security Policy.
5. Create the following rules in the IP Security Policy Wizard:
• Permit IMAP4 from one-X Speech Access Servers.
• Block all traffic for IMAP4 from anywhere.

6 This feature is not fully implemented at this time.
7 Accounts with “View Only Administrator” can view all configurations, but are unable to modify anything. However, an account with this permission can create a new mailbox-enabled user, mail-enable a user, and mail-enable a contact, if they can create a user in Active Directory, e.g., if they are an Account Operator or they have been given delegated access to a specific OU.
8 Lotus Notes uses two passwords: one for the desktop application and one for web clients (WebMail and i-Notes). Each password can be changed separately, so it is possible to have different passwords for different Lotus Notes clients.

4.4 Active Directory and LDAP Directory systems

Most users are familiar with providing a username and password while being authenticated. Similarly, the act of authenticating to an LDAP directory is called binding, or binding to a directory. Currently one-X Speech Access supports three of the four authentication/binding methods provided by an LDAP V3 compliant LDAP directory.

• Anonymous Authentication – the process of binding to the directory using an empty DN (username) and password. Supported.

• Simple Authentication – the process of binding to the directory where the DN (username) and password are sent in clear text to the LDAP server. Supported.

• Simple Authentication Over SSL/TLS – the process of binding to the directory where the DN (username) and password are sent over an encrypted transport layer to the LDAP server. Using this method all authentication credentials are kept secure, as well as anything else being sent between the servers. Supported.

• Simple Authentication and Security Layer (SASL) – Currently not supported.

4.5 Avaya WebLM (Licensing server)

In most circumstances the WebLM server will be installed on the one-X Speech Access Cluster Controller. With that assumption, we’ll briefly cover some of the security aspects of WebLM. Administration of the WebLM licensing server is by a set of web pages. Access to the administration pages is protected by a password. The password must be changed from the default on initial access to the page. The license provides access to the purchased number of seats, Automatic Speech Recognition licenses and Text-to-Speech licenses. The license itself is keyed using an encrypted checksum to the unique Media Access Control Address of the one-X Speech Access Server. The license server web pages are a closed system and cannot be used to provide access to subscriber or any other system information.
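The first Domino recommendation in section 4.3 (an IPsec policy on the Domino server that permits IMAP4, TCP port 143, only from the one-X Speech Access server and blocks it from everywhere else), scripted through the Windows 2003 netsh ipsec static context rather than the Local Security Policy wizard. This is an added example, not code from the Avaya paper; the speech server address 192.0.2.10 and the policy, filter list and filter action names are assumptions.

```powershell
# Added example (not from the Avaya paper): builds the IPsec policy behind the first
# Domino recommendation in section 4.3 with "netsh ipsec static" on the Domino server.
# Assumption (constructed address): the one-X Speech Access server is 192.0.2.10.
$SpeechServer = "192.0.2.10"
$PolicyName   = "Restrict IMAP4 to one-X Speech Access"

# Filter list 1: IMAP4 (TCP/143) from the one-X Speech Access server to this host.
# mirrored=yes also matches the reply packets of the same connection.
netsh ipsec static add filterlist name="IMAP4 from one-X Speech Access"
netsh ipsec static add filter filterlist="IMAP4 from one-X Speech Access" srcaddr=$SpeechServer dstaddr=me protocol=TCP srcport=0 dstport=143 mirrored=yes

# Filter list 2: IMAP4 from any source to this host
netsh ipsec static add filterlist name="IMAP4 from anywhere"
netsh ipsec static add filter filterlist="IMAP4 from anywhere" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=143 mirrored=yes

# Filter actions: a plain permit and a plain block (no IPsec negotiation involved)
netsh ipsec static add filteraction name="Permit IMAP4" action=permit
netsh ipsec static add filteraction name="Block IMAP4" action=block

# The policy and its two rules. Windows IPsec applies the most specific matching filter,
# so the single-host permit rule takes precedence over the "any" block rule.
netsh ipsec static add policy name="$PolicyName" description="Permit IMAP4 only from the speech server"
netsh ipsec static add rule name="Permit IMAP4 from one-X Speech Access" policy="$PolicyName" filterlist="IMAP4 from one-X Speech Access" filteraction="Permit IMAP4"
netsh ipsec static add rule name="Block IMAP4 from anywhere" policy="$PolicyName" filterlist="IMAP4 from anywhere" filteraction="Block IMAP4"

# Only one local IPsec policy can be assigned at a time: list existing policies first,
# then assign (activate) this one.
netsh ipsec static show policy all
netsh ipsec static set policy name="$PolicyName" assign=y

# Verify the assigned policy, its rules and filters
netsh ipsec static show policy name="$PolicyName" level=verbose
```

After assigning the policy, confirm from the one-X Speech Access server that IMAP4 still connects and from any other host that it no longer does.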


5 Windows 2003 Server Resources

One-X may be installed on Avaya supplied servers or on Windows servers provided by the customer, so the following information is provided to enable the customer to make the appropriate security decisions as applicable to their internal policies and network conditions. The security of the servers from the default “out of the box” configuration should be tightened to an appropriate secure level. One-X system administrators should be fully knowledgeable about Microsoft recommendations on how to secure computers running Windows 2003 Server. For the latest checklist details please refer to Microsoft: http://www.microsoft.com/technet/security/default.mspx The Windows 2003 server resources section describes the various Windows resources utilized by one-X Speech Access including:

• LAN ports
• Network Protocols
• Services

This information is provided so that additional attempts by the customer to harden the system can be done with full knowledge of the resources needed by one-X Speech Access to operate correctly.

5.1 LAN Port Utilization

Below is a table that lists the LAN ports currently utilized by one-X Speech Access; the table includes the ports required for all the various backend message stores supported by one-X Speech Access. Please note: ports that are not necessary, depending on the server configuration, are marked in grey.

If you intend to use DCOM through a firewall, it may be worthwhile to review the whitepaper by Michael Nelson, “Using Distributed COM with Firewalls”.

5.1.1 General Port Utilization

Direction (In/Out/Both) is relative to the one-X Speech Access system. A subscriber could be any client interacting with the system while using a feature or service. In configuring Firewalls, please assume that all communication on a port is bidirectional.

Columns: Service – Port – From – To – Direction – Notes.

1. Ping – ICMP: Type 8 – From: one-X Speech Access – To: Message Store (MSS) – Out. Echo request, used to determine the availability of the various message stores; can be disabled by removing the Dynu.dll file.

2. Ping – ICMP: Type 0 – From: Message Store – To: one-X Speech Access – In. Echo reply.

3. DNS – TCP/UDP: 53 – From: one-X Speech Access – To: DNS server – Out. Used for Domain Name System: name resolution of other one-X systems for direct networking, e.g., Exchange, Lotus Notes, and Modular Messaging (MSS). Note all necessary hosts can be added to the local hosts file to avoid the use of DNS.

4. DHCP Lease – UDP: 68 – From: one-X Speech Access – To: DHCP Server – Out. Only applies when the one-X Speech Access server is configured to use DHCP.

5. SMTP – TCP: 25 – From: one-X Speech Access – To: SMTP Server – Out. Required for communication with SMTP based message stores (MSS or Lotus), and when one-X Speech Access is configured to send alerts and/or subscriber newsletters.

6. HTTP(S) SSReports – TCP: 80, 443 – From: Admin – To: one-X Speech Access – In. SSReports web page (requires SSPI authentication). Used by the administrator to view various statistics associated with system utilization. Note a valid certificate must be available to use SSL (HTTPS).

7. HTTP(S) SSManager – TCP: 80, 443 – From: Admin – To: one-X Speech Access – In. SSManager web page (requires SSPI authentication). Allows web based speech server administration, similar to the MMC interface. Note a valid certificate must be available to use SSL (HTTPS).

8. HTTP(S) SAUM – TCP: 80, 443 – From: Admin – To: one-X Speech Access – In. SAUM web page (requires SSPI authentication). Used by the administrator to manage subscribers (add, change, delete, etc.). Note a valid certificate must be available to use SSL (HTTPS).

9. HTTP(S) SAOnline – TCP: 80, 443 – From: Subscriber – To: one-X Speech Access – In. SAOnline web page (uses voicemail numeric password authentication, encrypted). Used by the subscriber to customize their individual experience. Note a valid certificate must be available to use SSL (HTTPS).

10. HTTP(S) WebLM – TCP: 80, 8080, 443 – From: one-X Speech Access – To: WebLM (one-X Speech Access) – Out. WebLM web page. Used by the speech server for license management and configuration. Note a valid certificate must be available to use SSL (HTTPS).

11. Epmap (MS RPC Locator Service) – TCP/UDP: 135 – From: one-X Speech Access – To: Application Servers – Both. DCE endpoint resolution. Required when the one-X Speech Access server needs to communicate with an application that registers itself with the epmap service, e.g. Exchange, SQL Server, etc.

12. netbios-ns – TCP/UDP: 137 – From: Admin – To: one-X Speech Access – In. The SSReports web page uses pre-configured shares so that the web page can access logs, utterances, and other system maintenance information on the system.

13. netbios-ssn – TCP: 139 – From: Admin – To: one-X Speech Access – In. The SSReports web page uses pre-configured shares so that the web page can access logs, utterances, and other system maintenance information on the system.

14. IMAP4 – TCP: 143 – From: one-X Speech Access – To: IMAP Message store (MSS) – Out. Used to access IMAP compliant message stores (voicemail and email).

15. OCAPI – TCP: 8001 - 8008 – From: one-X Speech Access – To: Octel Access Server – Out. Used to communicate with Octel and Serenade voicemail messaging servers.

16. IMAPI – TCP: 55000 – From: one-X Speech Access – To: Intuity Audix – Out. Used to communicate with Intuity Audix voicemail messaging servers.

17. LDAP – TCP: 389 – From: one-X Speech Access – To: LDAP Server – Out. Used to allow subscribers access to global contacts when placing calls or addressing messages.

18. SMB – TCP: 445 – From: one-X Speech Access – To: one-X Speech Access – In. If NetBIOS over TCP/IP is disabled, then SMB uses port 445. Used in conjunction with the SSReports web site for access to utterances (commands spoken to Speech Access), logs, and other administrative data.

19. NTP – UDP: 123 – From: one-X Speech Access – To: Time Server – Out. Network time service. Used when you want to ensure that speech server time is in sync with the message store.

20. Ms-sql-s – TCP/UDP: 1433 – From: one-X Speech Access – To: one-X Speech Access – In. All one-X Speech Access configuration information is stored in an MSDE database.

21. Ms-sql-m – TCP/UDP: 1435 – From: one-X Speech Access – To: one-X Speech Access – In. All one-X Speech Access configuration information is stored in an MSDE database.

22. SQL Server Session – TCP: 1024-5000 – From: one-X Speech Access – To: one-X Speech Access – In. All one-X Speech Access configuration information is stored in an MSDE database.

23. Terminal Server – TCP: 3389 – From: Admin – To: one-X Speech Access – In. Allows the administrator remote connections to the speech server.

24. DCOM – TCP: 1024-65535 – From: one-X Speech Access – To: one-X Speech Access – In. The one-X Speech Server makes extensive use of DCOM.

25. one-X Speech Access MMC Remote Administration – DCOM ports – From: Admin – To: one-X Speech Access – In. Allows remote administration via Microsoft’s Management Console.

26. one-X Speech Access – TCP: 135, UDP: 135 – From: one-X Speech Access – To: Exchange Server – Out. Port discovery for the various Exchange services.

27. one-X Speech Access – DCOM ports – From: one-X Speech Access – To: Exchange Server – Out. Various Microsoft Exchange services, e.g. Microsoft Exchange Directory Service, Microsoft Exchange Information Store Service, and the Microsoft Exchange System Attendant.

5.1.2 TTS Port Utilization

Direction (In/Out/Both) is relative to the one-X Speech Access TTS subsystem.

Columns: Service/Voice – Port – From – To – Direction – Notes.

• Samantha – TCP: 5585/6666 – From: one-X Speech Access – To: one-X Speech Access – In. Used to render text into an audio format that can be played back to the subscriber.

• Tom – TCP: 5573/6666 – From: one-X Speech Access – To: one-X Speech Access – In. Used to render text into an audio format that can be played back to the subscriber.

• Emily – TCP: 5563/6666 – From: one-X Speech Access – To: one-X Speech Access – In. Used to render text into an audio format that can be played back to the subscriber.

5.1.3 ASR Port Utilization

Direction (In/Out/Both) is relative to the one-X Speech Access ASR subsystem. Note that the ASR uses dynamic port assignments.

Columns: Service – Port – From – To – Direction – Notes.

3.3.1 ASR License Manager – TCP: 8470 – From: one-X Speech Access – To: one-X Speech Access – In. ASR License manager.

3.3.2 Resource Manager – TCP: 7777 – From: one-X Speech Access – To: one-X Speech Access – In. ASR resource manager. The port number is automatically assigned at installation time with a starting default of 7777.

3.3.3 Watcher Daemon Server – TCP: 7023, 7823; UDP: 7823 – From: one-X Speech Access – To: one-X Speech Access – In. Telnet port. Note: via the Group Policy Editor, import the IPSEC Policy file “BlockWatcher.ipsec” to block access to the watcher daemon from other computers.

3.3.4 Watcher Daemon Server – 7080, UDP: 7080 – From: Admin – To: one-X Speech Access – In. These ports are used to monitor the Watcher Daemon from a Web browser.

3.3.5 Watcher Daemon Server – TCP: 7161, UDP: 7161 – From: one-X Speech Access – To: SNMP - Admin – Out. SNMP monitoring – not currently used.

3.3.6 Recognition Server – TCP: 7778 – From: one-X Speech Access – To: one-X Speech Access – In. The recognition server handles recognition requests. The port number is automatically assigned at installation time with a starting default of 7778.

3.3.7 Compilation Server – TCP: 7779+ – From: one-X Speech Access – To: one-X Speech Access – In. The compilation server handles dynamic grammars. There is one compilation server per application installed on the speech server. The port number is automatically assigned at installation time with a starting default of 7779.

5.2 Required Network protocols

Avaya one-X Speech Access and its various components currently use the following network protocols; all other protocols should be disabled unless required by your hardware platform.

• TCP/IP
• File and Printer Sharing for Microsoft Networks
• Client for Microsoft Networks


5.3 Required Services

The services listed below are necessary for one-X Speech Access to function correctly. All other services can be either disabled or set to manual start. Note: disabling certain services, though unneeded, can cause a large number of application events to be logged, e.g. if you disable the printer spooler, then perfmon will complain about nonexistent performance counters in the application event log (noise, but you could lose actual events as the log recycles).

Service Name – Notes – Description

• COM+ Event System – Required for communication with COM events – Provides automatic distribution of events to subscribing COM components.

• Computer Browser – Required to view network domains and resources – Maintains an up-to-date list of computers on your network and supplies the list to programs that request it.

• DNS Client – Required to resolve host names – Resolves and caches Domain Name System (DNS) names.

• Event Log – Core O.S. component – Logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer.

• IIS Admin Service – Required for subscriber and system management – Allows administration of Web and FTP services through the Internet Information Services snap-in.

• IPSEC Policy Agent – Core O.S. component – Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

• Microsoft Exchange Management – Required for communicating with the e-mail server – Provides Exchange management information using Windows Management Instrumentation (WMI). If this service is stopped, Exchange management information is unavailable using WMI.

• MSSQLSERVER – Required for the one-X Speech Access database – Microsoft SQL Server.

• Network Connections – Required to manage network interfaces – Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.

• NMS CT daemon – Required for one-X Speech Access – Required for telephony hardware support.

• NT LM Security Support Provider – Required for the NT LM authentication protocol – Provides security to remote procedure call (RPC) programs that use transports other than named pipes.

• Nuance Watcher Daemon – Required for one-X Speech Access – Required for ASR support.

• Performance Logs and Alerts – Required to collect and record performance data – Configures performance logs and alerts.

• Plug and Play – Hardware support – Manages device installation and configuration and notifies programs of device changes.

• Protected Storage – Core O.S. component – Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.

• PVAUserMSvc – Required for one-X Speech Access – one-X Speech Access user management database interface (web support).

• Remote Procedure Call (RPC) – Core O.S. component – Provides the endpoint mapper and other miscellaneous RPC services.

• Removable Storage – Required to open CD-ROM drives – Manages removable media, drives, and libraries.

• RunAs Service (Windows 2000) – Core O.S. security component – Enables starting processes under alternate credentials.

• Secondary Logon (Windows 2003) – Core O.S. security component – Enables starting processes under alternate credentials.

• Security Accounts Manager – Core O.S. security component – Stores security information for local user accounts.

• Server – Required for named pipe sharing – Provides RPC support and file, print, and named pipe sharing.

• RealSpeak – Required for one-X Speech Access – Nuance RealSpeak Text-to-Speech Server.

• SQLSERVERAGENT – Required for the one-X Speech Access database – MS SQL Server Agent.

• System Event Notification – Required to monitor and track system events – Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.

• Task Scheduler – Required for one-X Speech Access maintenance jobs – Enables a program to run at a designated time.

• Tomcat – Required for Avaya License Manager – Tomcat web server.

• VAManager – Required for one-X Speech Access local server management – one-X Speech Access VAManager process.

• VAServerManager – Required for one-X Speech Access cluster management – one-X Speech Access VAServerManager process (cluster controller only).

• Windows Management Instrumentation – Core O.S. component – Provides system management information.

• Windows Management Instrumentation Driver Extensions – Core O.S. component – Provides systems management information to and from drivers.

• Windows Time – Required to maintain date and time synchronization – Sets the computer clock.

• Workstation – Only required if directly managing WinNT or Win2000 passwords – Provides network connections and communications.

• World Wide Web Publishing Service – Required for subscriber and system management – Provides Web connectivity and administration through the Internet Information Services snap-in.
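A way to review a one-X Speech Access server against the section 5.3 list before trimming services: the script below reports automatic-start services that are not on the list and, as a separate step, can set them to Manual rather than Disabled, which is the safer of the two options the section offers. This is an added example, not Avaya's code; it assumes PowerShell 2.0 on Windows Server 2003, and the service names are taken as written in the table, so a vendor service that registers under a different display name will show up for review rather than being silently accepted.

```powershell
# Added example (not from the Avaya paper): audits automatic-start services against
# the section 5.3 required list. Assumes PowerShell 2.0 and local WMI access.

# Names as written in the section 5.3 table (RunAs Service is the Windows 2000 name
# of Secondary Logon and is included for completeness).
$RequiredServices = @(
    "COM+ Event System", "Computer Browser", "DNS Client", "Event Log",
    "IIS Admin Service", "IPSEC Policy Agent", "Microsoft Exchange Management",
    "MSSQLSERVER", "Network Connections", "NMS CT daemon",
    "NT LM Security Support Provider", "Nuance Watcher Daemon",
    "Performance Logs and Alerts", "Plug and Play", "Protected Storage",
    "PVAUserMSvc", "Remote Procedure Call (RPC)", "Removable Storage",
    "RunAs Service", "Secondary Logon", "Security Accounts Manager", "Server",
    "RealSpeak", "SQLSERVERAGENT", "System Event Notification", "Task Scheduler",
    "Tomcat", "VAManager", "VAServerManager", "Windows Management Instrumentation",
    "Windows Management Instrumentation Driver Extensions", "Windows Time",
    "Workstation", "World Wide Web Publishing Service"
)

function Get-UnlistedAutoServices {
    # Automatic-start services whose display name and short name are both absent
    # from the required list. Hardware-platform services (RAID tools, vendor agents)
    # will appear here too and must be judged individually.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartMode -eq "Auto" } |
        Where-Object { ($RequiredServices -notcontains $_.DisplayName) -and
                       ($RequiredServices -notcontains $_.Name) } |
        Select-Object Name, DisplayName, State, StartMode
}

function Set-UnlistedServicesManual {
    # Manual, not Disabled: section 5.3 warns that disabling some services floods
    # the application event log with errors and can push out real events.
    foreach ($svc in Get-UnlistedAutoServices) {
        Set-Service -Name $svc.Name -StartupType Manual
    }
}

# Review the report first; apply only after confirming nothing platform-specific is listed
Get-UnlistedAutoServices | Format-Table -AutoSize
# Set-UnlistedServicesManual
```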

6 Windows 2003 Server Hardening

The Windows 2003 server hardening section describes techniques by which the one-X Speech Server has been or can be hardened, including:

• TCP/IP stack security
• Security templates
• The IIS Lockdown tool
• URLScan
• Redirecting the Default web site
• IIS5 SSL Certificate Installation

6.1 TCP/IP Stack Security (resistant to denial of service (DOS))9

The table below lists a number of TCP/IP parameters that can be added and configured to increase the security of the TCP/IP stack. All values are relative to the following registry key and are of type REG_DWORD:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Columns: Name – Default – Value – Description.

Protect Against SYN Attacks

• SynAttackProtect – Default: 0 – Value: 1 – This parameter causes TCP to adjust the retransmission of SYN-ACKs so that connection responses time out more quickly if it appears that a SYN attack is in progress. This determination is based on the TcpMaxPortsExhausted, TcpMaxHalfOpen, and TcpMaxHalfOpenRetried values.

• TcpMaxPortsExhausted – Default: 5 – Value: 5 – Determines how many connection requests the system can refuse before TCP/IP initiates SYN flood attack protection.

• TcpMaxHalfOpen – Default: 100 – Value: 500 – Determines how many connections the server can maintain in the half-open state before TCP/IP initiates SYN flood attack protection.

• TcpMaxHalfOpenRetried – Default: 80 – Value: 400.

• TcpMaxConnectResponseRetransmissions – Default: 3 – Value: 2 – Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request. This value must be set greater than or equal to 2 so that the TCP stack will read the registry values for SYN attack protection.

• TcpMaxDataRetransmissions – Default: 5 – Value: 3 – Controls the number of times TCP retransmits an individual data segment before aborting the connection.

• EnablePMTUDiscovery – Default: 1 – Value: 0 – Restricts the largest packet size (MTU) to 576 bytes for all connections to hosts that are not on the local subnet.

• KeepAliveTime – Default: 7200000 – Value: 3600000 (1 hour) – Controls how often TCP attempts to verify that an idle connection is still intact.

• NoNameReleaseOnDemand – Default: 0 – Value: 1 – Prevents malicious NetBIOS name-release attacks.

Protect Against ICMP Attacks

• EnableICMPRedirect – Default: 1 – Value: 0 – Prevents Windows 2000 from altering its route table in response to ICMP redirect messages that are sent to it from network devices such as routers. Note: depending on your SP level you may need to also create EnableICMPRedirects. (MS KB 293626)

• PerformRouterDiscovery – Default: 1 – Value: 0 – Disables ICMP Router Discovery Protocol (IRDP), through which an attacker may remotely add default route entries on a remote system.

Protect Against SNMP Attacks

• EnableDeadGWDetect – Default: 1 – Value: 0 – Disables dead-gateway detection, preventing an attacker from switching the server to a secondary gateway.

9 See Microsoft Article 315669 (Windows 2000) and 324270 (Windows 2003) for additional recommendations.
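The section 6.1 values as an audit-then-apply script: it compares what is currently under Tcpip\Parameters with the recommended column (a value that is absent means the stack default applies) and, only when you uncomment the last line, writes each one as REG_DWORD. This is an added example and not Avaya's code; it assumes PowerShell 2.0 in an elevated session on Windows Server 2003, and the changes take effect after a reboot.

```powershell
# Added example (not from the Avaya paper): audits, and optionally applies, the
# TCP/IP stack values from the section 6.1 table. Assumes PowerShell 2.0, an
# elevated session, and a reboot afterwards for Tcpip\Parameters to be re-read.
$TcpipKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Recommended REG_DWORD values exactly as listed in the section 6.1 table
$Recommended = @{
    "SynAttackProtect"                     = 1
    "TcpMaxPortsExhausted"                 = 5
    "TcpMaxHalfOpen"                       = 500
    "TcpMaxHalfOpenRetried"                = 400
    "TcpMaxConnectResponseRetransmissions" = 2       # must stay >= 2 for SYN protection to be read
    "TcpMaxDataRetransmissions"            = 3
    "EnablePMTUDiscovery"                  = 0
    "KeepAliveTime"                        = 3600000 # milliseconds: 1 hour
    "NoNameReleaseOnDemand"                = 1
    "EnableICMPRedirect"                   = 0
    "EnableICMPRedirects"                  = 0       # table note: some SP levels read this spelling (MS KB 293626)
    "PerformRouterDiscovery"               = 0
    "EnableDeadGWDetect"                   = 0
}

function Test-TcpipHardening {
    # One object per parameter: current value ("<absent>" means the stack default
    # applies) and whether it already matches the recommendation.
    foreach ($name in ($Recommended.Keys | Sort-Object)) {
        $item = Get-ItemProperty -Path $TcpipKey -Name $name -ErrorAction SilentlyContinue
        if ($item -eq $null) { $current = "<absent>" } else { $current = $item.$name }
        New-Object PSObject -Property @{
            Name        = $name
            Current     = $current
            Recommended = $Recommended[$name]
            Compliant   = ($current -eq $Recommended[$name])
        }
    }
}

function Set-TcpipHardening {
    # Creates each value as REG_DWORD; -Force overwrites a value that already exists
    foreach ($name in $Recommended.Keys) {
        New-ItemProperty -Path $TcpipKey -Name $name -Value $Recommended[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

# Audit first; uncomment the second line to apply, then reboot
Test-TcpipHardening | Format-Table Name, Current, Recommended, Compliant -AutoSize
# Set-TcpipHardening
```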


6.2 Virus Scan Software

Avaya strongly recommends that you install virus scan software on the one-X SA speech servers. The type of virus scan software used and the method of installation depends upon your company requirements.10 You must install the virus scan software after the installation of one-X SA. Disable the virus scan software if it is already installed on the system before installing one-X Speech Access. Re-enable the virus scan software after the installation is complete. The one-X SA installation guide and upgrade instructions contain reminders to disable and re-enable the virus scan software, as required. The following is the recommended procedure to disable the virus scan software through the Microsoft Windows Services monitor:

1. Double-click the Monitor icon on the speech server desktop.
2. Click the Services (Local) item in the left pane if it is not already selected.
3. In the right pane, scroll down to the service for the installed virus scan software package.
4. Right-click the software, and then select Stop.

Avaya recommends the use of on-demand scanning, where scans are run at scheduled intervals. Avaya does not recommend the use of a message-scanning method that could impact the performance of one-X SA. For example, do not use on-access scanning. On-access scanning runs each time a file is changed. This can have a negative impact on one-X SA performance. Note: Some virus scan applications automatically begin scanning at system startup by default. Disable this feature. It interferes with the time that it takes for a system to come back online after a reboot. Avaya recommends administering the virus scan software as follows:

• Scan the hard disk daily during off-peak hours, or at least once per week. Scans can be run on all speech servers simultaneously. Avoid scheduling the virus scan at the same time as a backup.

• Schedule virus definition updates to occur automatically at least once per week. The updates should occur before the next scheduled scan time to ensure that the latest data files are used during the scan. Do not schedule updates to occur during a virus scan.

• If the virus scan software detects a virus, it should attempt to clean the file. If the attempt fails, the software should move the infected file to a different directory on the server.

10 Avaya one-X Speech Access has been tested with McAfee® VirusScan® Enterprise 8.5i server edition. Use of the desktop version of anti-virus software is not recommended nor supported and may prevent one-X Speech Access from functioning properly.

The following information is available in Anti-Virus Software on Microsoft Windows-based Avaya Messaging Products:

• Anti-virus interoperability
• Avaya anti-virus software testing
• Recommendations regarding the use of virus scan software
• How to report security concerns

You can access Anti-Virus Software on Microsoft Windows-based Avaya Messaging Products at the following URL: http://www.avaya.com/master-usa/en-us/resource/assets/applicationnotes/anti-virus_software.pdf

6.3 Apply a Security Template

To further increase the level of security on your one-X Speech Access server, consider applying one of the Microsoft Secure (secure*.inf) or Highly Secure (hisec*.inf) templates to your system. Note: one-X Speech Access was not tested with any of Microsoft’s security templates besides the default security template (security.inf), though some customers have applied hisecws.inf with no compatibility problems.

6.4 IIS Lockdown

The Microsoft IIS Lockdown tool was run prior to creating the Windows 2003 Server OS boot image which is used on Avaya's S3500 server with the Torrey Pines version of the motherboard. This is called “Avaya one-X Speech Release 4.0 OS Boot Software”. IIS Lockdown was run using the Dynamic Web server (ASP enabled) option. The Microsoft IIS Lockdown tool was not run for the creation of the Windows 2000 Server OS boot image which is used on Avaya's S3400 server with the earlier Billings version of the motherboard. This is called “Avaya Modular Messaging Release 1.1/ SA 2.0 OS Boot Software”. IIS Lockdown should not be re-run on configurations of one-X Speech Access where it has already been run. On configurations where it has not already been run, such as customer purchased equipment, it may be run as described above. UrlScan is packaged with IIS Lockdown and sometimes considered to be synonymous with IIS Lockdown. However, they are distinct entities which can be run independently of each other.

6.5 UrlScan (2.0, 2.1, 2.5)

UrlScan was run during the creation of the “Avaya Modular Messaging Release 2.0 OS Boot Software”, but not during the creation of the earlier “Avaya Modular Messaging Release 1.1/ SA 2.0 OS Boot Software”. UrlScan should not be re-run on configurations of one-X Speech Access where it has already been run. On configurations where it has not already been run, such as customer purchased equipment, it may be run, but you will need to make some modifications to your IIS settings to ensure that the one-X Speech Access web pages still function and are accessible. The latest version available from Microsoft should always be run, regardless of the version which came with the version of IIS Lockdown being used.

After running UrlScan, only a limited number of file types can be accessed via IIS. This will result in pages not being displayed correctly or failing to load altogether. Depending on your system configuration, errors will be logged in the following log:

C:\WINNT\system32\inetsrv\urlscan\urlscan.xxxxxx.log

To correct these problems, open C:\WINNT\system32\inetsrv\urlscan\urlscan.ini using a text editor and ensure that the following lines are uncommented in the [AllowExtensions] section:

.htm .asa .html .js .jpg .css .jpeg .txt .gif .tif .asp .wav

Depending on your version of UrlScan, parent paths and the “asp” application mapping may be disabled. You’ll need to ensure that both are enabled for one-X Speech Access web pages to function correctly.

1. Start Internet Services Manager: Start -> Programs -> Administrative Tools -> Internet Services Manager.

2. Double click on the server hostname. Right click on Default Web Site, and select Properties.

3. Select the “Home Directory” tab, and click on “Configuration”.

4. From the “App Options” tab, ensure that “Enable parent paths” is checked.

5. From the “App Mappings” tab, ensure that the “.asp” extension executable path points to the location of the system asp.dll, e.g. “C:\WINNT\system32\inetsrv\asp.dll”.

6. Depending on when you ran UrlScan on your server, you may need to repeat these steps for each one-X Speech Access virtual directory. If you ran UrlScan prior to the installation of one-X Speech Access and performed these configuration steps, then the attributes should be inherited by the subsequent virtual directories.

6.6 Redirecting the Default Web Site

To ensure that people don’t stumble on an “Under Construction” web page and then assume that your server may be vulnerable, you should ensure that you have a default web page set. Follow these steps to configure a default web page.

1. Start Internet Services Manager: Start -> Programs -> Administrative Tools -> Internet Services Manager.

2. Double click on the server hostname. Left click on Default Web Site.

3. In the right hand pane, look for a default web page, either default.htm or iisstart.asp. If a default web page is not displayed, then you will need to create one as follows.

a. Right click on the Default Web Site, and select Properties. Go to the Home Directory tab, and note where the home page is located (usually c:\inetpub\wwwroot). Using Windows Explorer, create an empty file in this directory called “Default.htm”.

4. Repeat step 2, if necessary, then right click on the default web page (default.htm or iisstart.asp) and select Properties. Click on the File tab, then select the radio button “A redirection to a URL”. Enter something similar to https://FQDN/saonline, substituting the fully qualified domain name of your one-X Speech Access server for FQDN.

6.7 IIS6 SSL Certificate Installation

Since one-X Speech Access ensures that all Web entered passwords are never sent clear-text, in most installations SSL normally will not be required. But in the instances where that extra level of assurance is needed, the steps below will assist you in installing an SSL certificate on your one-X Speech Access server. Note the steps below assume that you have a signed certificate that can be installed on the one-X Speech Access server.11 See the next section on how to generate a certificate request.

11 Avaya highly recommends that you have your certificate request signed by a trusted authority.


1. Start Internet Services Manager. Start -> Programs

-> Administrative Tools -> Internet Services Manager.

2. Double click on the server hostname. Right click on Default Web site, and select Properties.

3. Select the Directory Security Tab. Click on the Server Certificate button.

4. The “Welcome to Web Server Certificate Wizard”

appears. Click on Next to continue.

5. The IIS Certificate Wizard appears. Click on Next to continue.

6. The “Pending Certificate Request” appears. Click on Next to continue.

7. Enter the path and filename of your signed

certificate. Click on Next then Finish.

8. Right Click on the Default Web Site, and select

Properties. From the Directory Security tab, select the Edit button under “Secure communications”.

Security and the one-X Speech Access 4.0 Server

9. Ensure the “Require secure channel [SSL]”

checkbox is unchecked. Click on OK.

10. Repeat the same procedures outlined above for

each of the following one-X Speech Access virtual directories, but now ensure that the “Require secure channel [SSL]” checkbox is now checked.

a. SAOnline b. SAUM

11. For the additional security, SSL may optionally be enabled for the following one-X Speech Access virtual directories:

c. NewsletterMgt d. SSReports e. News f. ASAOnline (deprecated) g. SSManager (deprecated)
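After steps 10 and 11 it is worth confirming from a client machine that the virtual directories which must require SSL really refuse plain HTTP. The following script is an added example and is not code from the Avaya paper or the one-X Speech product. It requests the site root and each virtual directory over http:// without following redirects and classifies the answer: IIS6 answers a request for a directory that has “Require secure channel [SSL]” set with status 403 (sub-status 403.4, “SSL required”), a 200 means the directory is still being served in the clear, and a redirect to an https:// URL is what the default-page redirection from section 6.6 produces. The host name uccsa.example.com is a constructed placeholder; the fetch function is injectable so the logic can be exercised without a live server.

```python
"""Added example (not from the Avaya paper): verify from the outside that the
one-X Speech Access virtual directories that must require SSL (SAOnline, SAUM)
refuse plain HTTP, and report the state of the optional ones.

IIS6 returns 403 (sub-status 403.4, "SSL required") when a directory with
"Require secure channel (SSL)" is requested over plain HTTP.  The host name in
__main__ is a constructed placeholder."""
import http.client
import sys

MUST_SSL = ["SAOnline", "SAUM"]                        # section 6.7, step 10
OPTIONAL_SSL = ["NewsletterMgt", "SSReports", "News"]  # step 11 (non-deprecated)


def fetch_plain(host, path, port=80, timeout=5):
    """GET `path` over plain HTTP without following redirects.
    Returns (status, Location header or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def classify(status, location):
    """Map a plain-HTTP response to what it says about SSL enforcement."""
    if status == 403:
        return "ssl-required"           # IIS6 403.4
    if status in (301, 302, 307) and location and location.lower().startswith("https://"):
        return "redirects-to-https"     # e.g. the default page redirect from section 6.6
    if status == 200:
        return "served-in-clear"
    return "unknown(%d)" % status       # 404 = virtual directory absent, etc.


def audit(host, port=80, fetch=fetch_plain):
    """Probe the site root and each virtual directory; return {name: classification}.
    `fetch` is injectable so the logic can be tested without a live server."""
    report = {}
    status, location = fetch(host, "/", port)
    report["/"] = classify(status, location)
    for vdir in MUST_SSL + OPTIONAL_SSL:
        status, location = fetch(host, "/" + vdir + "/", port)
        report[vdir] = classify(status, location)
    return report


def violations(report):
    """Names from MUST_SSL that are still reachable over plain HTTP."""
    return [v for v in MUST_SSL if report.get(v) == "served-in-clear"]


if __name__ == "__main__":
    # Placeholder host; pass the FQDN of your one-X Speech Access server instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "uccsa.example.com"
    rep = audit(target)
    for name, state in rep.items():
        print("%-14s %s" % (name, state))
    bad = violations(rep)
    if bad:
        print("FAIL: %s served without SSL" % ", ".join(bad))
    else:
        print("OK: SSL enforced on SAOnline and SAUM")
```

Run it as `python audit_ssl.py uccsa.example.com` from a machine that can reach the server on port 80. A 404 on a directory means the virtual directory is not present at that name and is reported as unknown rather than as a violation.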

6.8 IIS6 SSL Certificate Request

This section describes how to generate a certificate request.

1. Start Internet Services Manager. Start -> Programs -> Administrative Tools -> Internet Services Manager.

2. Double click on the server hostname. Right click on Default Web Site, and select Properties.

3. Select the Directory Security tab. Click on the Server Certificate button.

4. The “Welcome to the Web Server Certificate Wizard” dialog appears. Click on Next to continue.

5. Select the Create a New Certificate radio button. Click on Next to continue.

6. The next dialog appears, confirming that the request is to be prepared now. Click on Next to continue.

7. For the Name, enter the name of the server or a description of its function. Ensure the bit length selected is 1024 or greater. Click Next to continue.

8. For the Organization, enter the name of your company, e.g. “Avaya”. For the Organizational Unit, enter your department or division, e.g. “RND” or “Speech Access”. Click on Next to continue.

9. For the Common name, enter the Fully Qualified Domain Name (FQDN) of the server. It is preferable to use the server DNS alias, not the server host name. Hence the FQDN for our one-X Speech Access server in RND is UCCsa.rnd.avaya.com. Click on Next to continue.

10. Enter the Country / Region and State/City details. Click on Next to continue.

11. For the Certificate Request File Name, enter a file name on the local server. Click Next to continue.

12. From the summary dialog box, click on Next and then click on Finish.

13. Send the certificate request to your preferred certificate authority. Make sure that you include the CSR in its entirety in the appropriate section of the enrollment form, including the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines.

14. Save your private key. Go to the “Certificates” snap-in in the MMC (Local Computer).

15. Expand “Certificate Enrollment Requests”, and select “Certificates”. In the right-hand pane, right click the name of your certificate and select “All Tasks -> Export”.

16. Click Next.

17. Ensure that the “Yes” radio button is selected and click Next.

18. Select the options that are appropriate to your location.

19. Enter a password to password protect your key.

20. Enter the name of your private key file.

21. Click Finish, then make a note of your password and back up your key, e.g. UCCsa.pfx.
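Before the request file from step 11 is pasted into the CA's enrollment form (step 13), it can be checked for the properties the wizard steps imply: the PEM envelope is complete, the request parses and its self-signature verifies, the RSA key meets the minimum length from step 7, and the Common Name is the server's FQDN as required in step 9. The script below is an added example, not code from the Avaya paper or the one-X Speech product. It drives the openssl command-line tool rather than the IIS wizard, so `make_csr` is a stand-in for steps 7 to 11 that produces a request with the same subject fields; `check_csr` is what you would run on the wizard's output. The minimum key length defaults to the 1024 bits the paper states and can be raised by the caller. All subject values and the host name uccsa.example.com are constructed placeholders.

```python
"""Added example (not from the Avaya paper): build a certificate request with
the subject fields the IIS6 wizard asks for (steps 7-11) and check a request
file before it is sent to the CA (step 13).  Requires the openssl CLI.
All names are constructed placeholders."""
import os
import re
import subprocess

MIN_BITS = 1024   # the minimum the paper's step 7 accepts; callers may demand more
PEM_BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
PEM_END = "-----END CERTIFICATE REQUEST-----"


def make_csr(fqdn, bits, out_prefix, org="Example Corp", ou="Speech Access",
             country="US", state="ExampleState", city="ExampleCity"):
    """Write <out_prefix>.key (unencrypted RSA key) and <out_prefix>.csr.
    Subject fields mirror wizard steps 8-10; the values are constructed samples.
    Returns the CSR path."""
    subject = "/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s" % (country, state, city, org, ou, fqdn)
    subprocess.run(
        ["openssl", "req", "-new", "-newkey", "rsa:%d" % bits, "-nodes",
         "-keyout", out_prefix + ".key", "-out", out_prefix + ".csr",
         "-subj", subject],
        check=True, capture_output=True)
    return out_prefix + ".csr"


def _openssl_req(path, *args):
    """Run `openssl req -noout -in <path> <args>` and return the CompletedProcess."""
    return subprocess.run(["openssl", "req", "-noout", "-in", path] + list(args),
                          capture_output=True, text=True)


def check_csr(path, expected_fqdn, min_bits=MIN_BITS):
    """Return a list of problems; an empty list means the request is ready to submit."""
    problems = []
    with open(path) as f:
        pem = f.read()
    # Step 13: the whole BEGIN ... END block must reach the CA.
    if PEM_BEGIN not in pem or PEM_END not in pem:
        return ["PEM envelope incomplete: the file must contain the whole "
                "BEGIN ... END CERTIFICATE REQUEST block"]
    # The request must parse and its self-signature must verify.
    if _openssl_req(path, "-verify").returncode != 0:
        return ["request does not parse or its self-signature does not verify"]

    # Step 7: key length.  Output reads "Public-Key: (2048 bit)" or
    # "RSA Public-Key: (2048 bit)" depending on the OpenSSL version.
    text = _openssl_req(path, "-text").stdout
    m = re.search(r"Public-Key: \((\d+) bit\)", text)
    bits = int(m.group(1)) if m else 0
    if bits < min_bits:
        problems.append("key is %d bits, below the %d-bit minimum" % (bits, min_bits))

    # Step 9: Common Name must be the server's FQDN.
    subject = _openssl_req(path, "-subject", "-nameopt", "RFC2253").stdout
    m = re.search(r"CN=([^,\n]+)", subject)
    cn = m.group(1).strip() if m else ""
    if cn.lower() != expected_fqdn.lower():
        problems.append("Common Name %r does not match server FQDN %r" % (cn, expected_fqdn))
    return problems


if __name__ == "__main__":
    # Placeholder FQDN; the wizard's own .txt request file can be checked the same way.
    csr = make_csr("uccsa.example.com", 2048, os.path.join(os.getcwd(), "uccsa"))
    print(check_csr(csr, "uccsa.example.com") or "CSR OK, submit it to the CA")
```

To check a request produced by the IIS wizard instead, call `check_csr` with the file name entered in step 11 and the FQDN entered in step 9. The private key written by `make_csr` is unencrypted, so if it is kept it should be protected the same way the paper asks for the exported .pfx in steps 19 to 21.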


7 Some Further Reading

For more detailed information on how to secure your Windows 2003 Server and its various components, visit the National Security Agency’s “Security Configuration Guides” web site (http://www.nsa.gov/snac/). You will find various well-written guides covering numerous aspects of Windows 2003 security. In addition, Microsoft’s web site is an invaluable tool for locating numerous white papers and guides governing the secure operation of their various products.