Transcript of BRKCCT-1041, CCE Security Best Practice Guide (source PDF: d2zmdbbm9feqrf.cloudfront.net/2015/usa/pdf/BRKCCT-1041.pdf)

Page 1

Page 2

CCE Security Best Practice Guide

Carlos Gonzales, CBABU Engineering Manager

BRKCCT-1041

Page 3

• Cisco Secure Development Lifecycle

• UCCE Security Best Practice Guide

• Security Reference Information

• PCI-DSS Guidance

• UCCE Security Update for 11.0

Agenda

Page 4

Cisco Secure Development Lifecycle (CSDL)

Page 5

Purpose and Intent

• Provide awareness.

• Cisco Secure Development Lifecycle is an internal security baseline.

• CSDL does not intend to fulfill customer certification requirements.

• Security is a broad and endless topic to be covered in a 90 min. presentation.

Page 6

Product Security Requirements

• Product Security Baseline 5.1

• Privacy and Data Security

• Secure Development

• Application Security

• Authentication and Authorization

• Encryption

• Infrastructure Security

• Logging and Auditability

• Vulnerability Management

• Support and Operations

• Product Security Baseline (PSB)

• Attack Surface Reduction / Documentation

• Logging / Audit Infrastructure

• Trusted Product Architecture

• Credential / Password Controls

• Traffic Controls

• Processes

Page 7

3rd Party Security

• Cisco Open Source Initiative (COSI)

• Register libraries in IP Central

• Establish maintenance plan

• Address known vulnerabilities

• Cisco IntelliShield Alert Manager (CIAM)

• Register for alerts on any 3rd party code

Page 8

Secure Design

• Threat Modeling

• Identify system data flow and trust boundaries

• Review auto-generated threats

• Prioritize and implement mitigations

Page 9

Secure Coding

• Cisco/CBABU Secure Coding Guidelines

• Use “SAFE” libraries

• Cisco’s Safe C libraries

• Open Web Application Security Project (OWASP)

• Enterprise Security API (ESAPI) Toolkit

• Security Awareness/Training/Emphasis

• Cisco White/Green/Black Belt Ninja Training

• Annual Security Conference

Page 10

Static Analysis

• Tools

• Coverity for C/C++

• Jtest or Sonar for Java

• 70+ rule checks for code inspection

• Automated as part of the build and Continuous Integration

Page 11

Vulnerability Testing

• Fuzz testing

• All protocols implemented in the product

• All ports and services

• Cisco Internal VT Tool

• Codenomicon for Protocol Robustness Testing

• IBM Rational AppScan for Application VT

Page 12

Takeaways

• CBABU is working hard to secure the application in the solution. Investing in application security increases product quality and decreases TCO.

• Cisco CSDL is the practice in CBABU and within the Cisco development community.

• Security Baseline, Threat Modeling, COSI, Coding Best Practice (SA and Secure Coding) and Vulnerability Testing are key elements in securing the CCE application.

Page 13

UCCE Security Best Practice Guide

Page 14

Purpose and Intent

• Provide the current published security strategy for CCE.

• References for CUCM, IOS, UCS, and other products are found in the appendix.

• Active Directory and GPO information is found in the appendix.

• The intent is to start a discussion through feedback and use cases to build a solid security story in the long run.

Page 15

UCCE Security Best Practice Guide 10.0(1)/10.5

• Deployment Coverage: UCCE

• Not Covered: Finesse, CVP, CUIC/LiveData, MediaSense, UCS, CUCM, Nexus Switches, IOS, Unified EIM/WIM, RSM, etc.

• OS Covers: Windows Server 2008 R2

• Enabling CTI OS Security and IPSec will have scalability impact. See the design guide for details.

Page 16

CCE Encryption Support

• Application user and contact center agent passwords are stored in the Logger databases as well as the Distributor databases as an RSA MD5 Message-Digest Algorithm hash.

• The passwords are passed as MD5 hashes as opposed to clear text between Router/Logger and PG.

• Data sent in Call Variables or Expanded Call Context (ECC) variables relies on IPSec between servers running Windows 2008 R2 for protection.

• IPSec between CUCM and the Agent PG is supported.

• Use SHA-1 as the integrity algorithm and 3DES as the encryption algorithm.

• For Internet Key Exchange (IKE), use at least Diffie-Hellman Group 2 (1024-bit key).

• Diffie-Hellman 2048-bit key is also supported if processing and compute resources are available.

• By default, ISE, Web Setup, and Agent Re-Skilling support the TLS v1.0 protocol using the OpenSSL library. It uses 128-bit SSL encryption in Microsoft Internet Information Services (IIS).

Page 17

CCE Encryption Support - Continued

• CTIOS and CAD implement the TLS v1.0 protocol using the OpenSSL libraries between Agent Desktop and CTI Object Server.

• The cipher suite uses Diffie-Hellman for key exchange, RSA for authentication, AES (128-bit) for encryption, and SHA-1 as the message digest algorithm. This is not enabled by default, and scaling needs to be considered when security is enabled.

• For the SNMP service, CCE supports SNMPv1, 2c, and 3 with SHA-1 as the message digest algorithm and the following for encryption: 3DES, AES-192, and AES-256.

• From a deployment level, CCE supports Cisco IOS IPSec in Tunnel Mode with HMAC-SHA1 Authentication (ESP-SHA-HMAC) and 3DES Encryption (ESP-3DES).

• Encryption needs to be enabled between devices through tunneling mode.

Page 18

RSA MD5 Hash and IPSEC between CCE Components

[Diagram: Rogger (Router, Logger, Campaign Mgr), Generic PG (SIP Dialer, MR PG, CTI OS, CUCM PIM, VRU PIMs, CTI Server), AW/HDS/DDS, and CUCM (JTAPI). Labels: MD5 hash of agent information in DB; MD5 hash transmitted over unencrypted wire; IPSEC Transport Mode or Tunnel Mode between Rogger, PG and AW/HDS/DDS; IPSEC Tunnel Mode; HTTPS for Finesse, CTIOS, and CAD (TLS 1.0); HTTPS for ISE, WebSetup, and Agent Reskilling (TLSv1.0); SNMPv3.]

Page 19

CCE IPSec Overview

• CCE supports IPSec Tunnel Mode (Layer 3) between the Central Controller and a remote Peripheral Gateway, using Cisco IOS gateways as IPSec peers.

• CCE also supports IPSec in Transport Mode (Layer 4) via the Windows Server 2008 R2 OS to secure server-to-server communications:

• Between NAM Router and CICM Router

• Between Public/Private Connections of a Router/Logger pair.

• Between Public/Private Connections of a PG Pair.

• All Connections between Router and the PG.

• All Connections between the Router/Logger and the AW/HDS.

• All Connections between the CUCM and the Agent PG (via AD/Kerberos).

• MR PG connections to multi-channel systems (i.e. SocialMiner or EIM/WIM) are tunneled via IOS gateways.

Page 20

Clustering over the WAN Deployment Example – Tunnel Mode

[Diagram: RLG Side A and RLG Side B, PG Side A and PG Side B, with Public/Private connections on each side and IPSEC Tunnel Mode between the sites.]

Page 21

Cluster over the WAN Deployment Example – Transport Mode

[Diagram: RLG Side A and RLG Side B, PG Side A and PG Side B, with Public/Private connections on each side and IPSEC Transport Mode between the servers (via AD Kerberos authentication or x.509 certificate).]

Page 22

IPSec Network Isolation Utility Overview

• Tool that automatically sets a preconfigured policy to/from each CCE server.

• CLI (c:\CiscoUtils\NetworkIsolation\cscript) or Security Wizard deployment

• Each server shares the same policy and can be configured to accept exceptions.

• Trusted Devices are devices with IPSec policy configured.

• Router, Logger, PG(s), AW/HDS, CTIOS

• Sets Trusted components using authentication and optional encryption between Trusted devices. Untrusted devices are denied unless they are classified as Boundary devices. Each Trusted device has its own list of Boundary devices, each defined as an IP address, IP subnet, or IP/port pair. Boundary devices are configured manually.

• Boundary Devices do not have IPSec Policy but are allowed access to Trusted Devices:

• Domain Controller, Serviceability servers, NTP, Unified CM, Gateways, CTI OS Desktops, etc.

• No configuration needed on Boundary devices.

Page 23

IPSec Network Isolation Utility Tips

• If remotely provisioning, make sure the host you are using is in the boundary list.

• AD/DNS and NTP need to be in the boundary list of all trusted devices.

• Adding new devices or changing the pre-shared key requires a change to the IPSec policy.

• Enable encryption on ALL or NONE on the Trusted Devices.

• Do not use Windows IPSec MMC plug-in. The Network Isolation Utility tool creates and manages its own changes.

• If behind a firewall, allow IP protocol 50 (ESP) and UDP source/destination port 5000 (IKE).

• If using NAT, allow UDP port 4500 (UDP-ESP encapsulation).
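The Trusted/Boundary model on the two slides above is easier to reason about when it is written down as a decision function. The following is an added example, not Cisco's Network Isolation Utility or any of its code: it encodes the access rule the overview slide describes (trusted devices reach each other only through IPSec; every other source is denied unless it is on the destination's boundary list as an IP address, an IP subnet, or an IP/port pair) and the checks the tips slide asks for (encryption ALL or NONE, AD/DNS and NTP on every trusted device's boundary list, no device that is both Trusted and Boundary). All device names, addresses and ports are constructed sample values, not from the guide.

```python
"""Model of the Trusted/Boundary policy set by the IPSec Network Isolation Utility.

Added example, not Cisco's utility. Addresses, ports and device names below are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class BoundaryEntry:
    """One boundary-list entry: a host, a subnet, or a host limited to one port."""
    network: ipaddress.IPv4Network
    port: Optional[int] = None            # None = any port

    def covers(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.network

    def matches(self, ip: str, port: int) -> bool:
        return self.covers(ip) and (self.port is None or self.port == port)


def boundary(spec: str, port: Optional[int] = None) -> BoundaryEntry:
    """Build an entry from '10.0.0.5' (host), '10.0.1.0/24' (subnet), or host + port."""
    return BoundaryEntry(ipaddress.ip_network(spec, strict=False), port)


@dataclass
class TrustedDevice:
    name: str
    ip: str
    encryption: bool                      # IPSec authentication is always on; ESP encryption is optional
    boundary_list: List[BoundaryEntry] = field(default_factory=list)


class IsolationPolicy:
    def __init__(self, devices: List[TrustedDevice]) -> None:
        self.trusted: Dict[str, TrustedDevice] = {d.ip: d for d in devices}

    def decide(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        """Outcome for a packet from src_ip arriving at dst_ip:dst_port."""
        dst = self.trusted.get(dst_ip)
        if dst is None:
            return "not-governed"         # destination carries no utility-set policy
        if src_ip in self.trusted:        # trusted <-> trusted: an IPSec SA is required
            return "allow-ipsec-encrypted" if dst.encryption else "allow-ipsec-auth-only"
        if any(e.matches(src_ip, dst_port) for e in dst.boundary_list):
            return "allow-boundary-cleartext"
        return "deny"                     # untrusted and not a boundary device for dst

    def lint(self, required_services: Dict[str, str]) -> List[str]:
        """Misconfigurations the tips and troubleshooting slides tell you to look for."""
        problems: List[str] = []
        if len({d.encryption for d in self.trusted.values()}) > 1:
            problems.append("encryption is not ALL or NONE across trusted devices")
        for d in self.trusted.values():
            for other in self.trusted.values():
                if any(e.covers(other.ip) for e in d.boundary_list):
                    problems.append(f"{other.name} is Trusted but also on {d.name}'s boundary list")
            for svc, ip in required_services.items():
                if not any(e.covers(ip) for e in d.boundary_list):
                    problems.append(f"{svc} ({ip}) missing from {d.name}'s boundary list")
        return problems


# Constructed sample deployment (hypothetical addresses)
AD_DNS, NTP, CUCM, SNMP_POLLER = "10.10.1.5", "10.10.1.6", "10.10.4.30", "10.10.5.9"
CORE_SERVICES = {"AD/DNS": AD_DNS, "NTP": NTP}


def sample_policy(broken: bool = False) -> IsolationPolicy:
    common = [boundary(AD_DNS), boundary(NTP), boundary("192.0.2.0/24")]   # serviceability subnet
    router = TrustedDevice("Router", "10.10.1.10", True, list(common))
    logger = TrustedDevice("Logger", "10.10.1.11", True, list(common))
    pg = TrustedDevice("Agent PG", "10.10.2.20", True,
                       common + [boundary(CUCM), boundary("10.10.3.0/24"),      # CTI OS desktops
                                 boundary(SNMP_POLLER, 161)])                    # IP/port entry
    if broken:
        logger.encryption = False                                # mixed ALL/NONE
        router.boundary_list.append(boundary("10.10.2.0/24"))    # subnet swallows the trusted PG
    return IsolationPolicy([router, logger, pg])


if __name__ == "__main__":
    policy = sample_policy()
    print(policy.decide(AD_DNS, "10.10.1.10", 389))          # allow-boundary-cleartext
    print(policy.decide("10.10.9.9", "10.10.1.10", 445))     # deny
    print(sample_policy(broken=True).lint(CORE_SERVICES))
```

The `broken` variant reproduces two of the troubleshooting cases: one trusted device with encryption off while the others have it on, and a boundary subnet wide enough to contain a trusted device, which the policy then treats as both Trusted and Boundary. Running `lint()` before applying a policy change is the cheap way to catch both before a server stops talking to its peers.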

Page 24

IPSec Network Isolation Utility Deployment Example

Step 1: Fully functional Unified CCE system with no existing IPSec policy.

Page 25

IPSec Network Isolation Utility Deployment Example

Step 2: Run the Network Isolation Utility on the Router/Logger and AW/HDS. Set the IPSec policy on each server and on boundary devices such as serviceability devices, AD/DNS, etc.

Page 26

IPSec Network Isolation Utility Deployment Example

Step 2: Put the PGs in as Trusted Devices, then put clients, UCM, or ACD servers as boundary devices to the PG.

Page 27

Network Isolation Utility Troubleshooting

• Disable the policy

• Verify IP Address or port is in the boundary device list.

• Verify there were no changes in the boundary device list.

• Verify that the device is not configured for both Trusted and Boundary device.

• Verify that encryption is set to ALL or NONE.

• Verify that Microsoft MMC did not change the IPSec policy set by the tool.

Page 28

Branch, Remote, & Home Office Deployment

Latency:

• Not to exceed 400ms RTT

Bandwidth Considerations:

• RTP Stream

• UCM Signaling to IP Phones

• CTI Data (Agent Desktop Traffic)

• ISE Client to ISE Server

• Administration Client

• CUIC Client to Server Traffic

• Recording RTP

• Music On Hold

Page 29

Home Office w/ Broadband Considerations

• Minimum supported bandwidth: 256 kbps upload / 1.0 Mbps download.

• Cisco Virtual Office 88x Series Router for Secure VPN, Firewall, Content Filtering, etc.

• http://www.cisco.com/c/en/us/products/routers/888-integrated-services-router-isr/index.html

• Mobile Agent Latency must not exceed 150ms RTT; jitter must not exceed 60ms.

• Firewall Configuration for Mobile Agent – Verify that the firewall is not blocking the media stream.

• In a nailed up connection, the firewall idle timeout should be longer than the nailed connection mode time out value. If not, then the media stream will be blocked by the firewall.

Page 30

ASA 5500 SSL/IPSec VPN Enterprise

• Wide range of options, from the ASA 5505 supporting 25 concurrent sessions to the ASA 5585-S60 supporting 10,000 concurrent connections.

• With ASA Software Release, customers can combine up to eight Cisco ASA 5580 or 5585-X Adaptive Security Appliance firewall modules into a single cluster for up to 128 Gbps of real-world throughput (320 Gbps max) and more than 50 million concurrent connections.

• Supports Cisco AnyConnect

• For more information:

• http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/models-comparison.html#~tab-a

• http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/prod_brochure0900aecd80402e39.html

• http://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-appliance-asa-software/data_sheet_c78-714849.html

• http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/data_sheet_c78-527494.html

Page 31

NAT Support

• Supported: IP Phones, Remote PG from the Central Controller via NAT router, Agent Desktop.

• Not Supported: CTIOS Agent Desktop with Silent Monitoring and Recording

• Packet sniffing: Call Center IP scheme (local) vs. Datacenter IP scheme (NAT); the CTI OS Server detects the NAT IP, which is not the local AD IP, in order for sniffing to work.

• IPSec NAT Transparency enables IPSec to travel through NAT/PAT; it is automatically detected and negotiated using NAT-T. Use Cisco IOS 12.2(13)T or later, and both VPN endpoints must be NAT-T capable.

• No NAT between MediaSense and other systems.

• Finesse supports basic NAT between server and clients.

Page 32

Unified Contact Center Security Wizard

• GUI interface that enables you to configure the following:

• Windows Server 2008 R2 Firewall Utility

• IPSec Network Isolation Utility

• Automated SQL 2008 R2 Hardening Utility

• Run via %SYSTEMDRIVE%\CiscoUtils\UCCSecurityWizard or START> PROGRAMS> Cisco Unified CCE Tools>Security Wizard.

• Relies on the CLI tools to be installed.

• Needs to run after the CCE environment has been configured and working properly.

Page 33

SQL Server Hardening

• Top SQL Hardening Consideration:

• Do not install SQL Server on an Active Directory Domain Controller

• Install the latest applicable SQL Server service pack and security updates.

• Set a strong password for the “sa” account before installing ICM.

• Always install SQL Server service to run using a least privilege account. Never install SQL Server to run using the built-in Local System account.

• Apply a strict password policy and do not set the password to expire. If it expires, the SQL Server service and the Administration & Data Server fail.

• Mixed mode authentication is enforced through SQL Server 2008 R2 automated hardening.

• During web setup, if the “sa” password is blank, an auto generated strong password is used.

Page 34

SQL Server Hardening

SQL Server Password and Account Setting minimum recommendation:

SETTING                              VALUE
Enforce Password History             24 Passwords Remembered
Minimum Password Length              12 characters
Password Complexity                  Enabled
Minimum Password Age                 1 Day
Account Lockout Duration             15 minutes
Account Lockout Threshold            3 Invalid Logon Attempts
Reset Account Lockout Counter After  15 minutes
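The threshold, lockout duration and reset window in the table interact in ways that are easy to get wrong when reviewing an audit log, so here is the table turned into executable rules. This is an added example, not Cisco's hardening utility and not SQL Server's or Windows' own implementation: it encodes the slide's minimum recommendations (24 passwords remembered, 12-character minimum, complexity on, 1-day minimum age, lockout after 3 invalid logon attempts for 15 minutes, counter reset after 15 minutes). The "three of four character classes" complexity rule is the Windows convention and is an assumption, as are the account name, passwords and timestamps, which are constructed.

```python
"""Model of the password and lockout settings from the SQL Server hardening table.

Added example, not Cisco's utility or SQL Server's own logic. Account names,
passwords and timestamps are constructed sample values.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Policy:
    history: int = 24                               # passwords remembered (incl. current)
    min_length: int = 12
    complexity: bool = True
    min_age: timedelta = timedelta(days=1)
    lockout_threshold: int = 3
    lockout_duration: timedelta = timedelta(minutes=15)
    reset_counter_after: timedelta = timedelta(minutes=15)


@dataclass
class Account:
    name: str
    current: str                                    # digest of the current password
    last_changed: datetime
    previous: List[str] = field(default_factory=list)   # older digests, newest first
    failed_attempts: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None


def digest(password: str) -> str:
    """Stand-in for the server's credential store; only used for equality checks here."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_account(name: str, password: str, changed: datetime) -> Account:
    return Account(name, digest(password), changed)


def complexity_ok(password: str) -> bool:
    """Windows-style rule (assumed): at least three of lower, upper, digit, symbol."""
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3


def login(acct: Account, password: str, now: datetime, pol: Policy = Policy()) -> str:
    """Returns 'ok', 'denied' or 'locked'. Even the right password is refused while locked."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until, acct.failed_attempts = None, 0        # lockout duration elapsed
    if acct.last_failure is not None and now - acct.last_failure >= pol.reset_counter_after:
        acct.failed_attempts = 0                                 # reset window elapsed
    if digest(password) == acct.current:
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    acct.last_failure = now
    if acct.failed_attempts >= pol.lockout_threshold:
        acct.locked_until = now + pol.lockout_duration
        return "locked"
    return "denied"


def change_password(acct: Account, new_password: str, now: datetime, pol: Policy = Policy()) -> List[str]:
    """Applies the change only when every rule passes; returns the list of violated rules."""
    problems = []
    if now - acct.last_changed < pol.min_age:
        problems.append(f"minimum password age of {pol.min_age.days} day not reached")
    if len(new_password) < pol.min_length:
        problems.append(f"shorter than {pol.min_length} characters")
    if pol.complexity and not complexity_ok(new_password):
        problems.append("fails complexity (needs 3 of: lower, upper, digit, symbol)")
    new = digest(new_password)
    if new in ([acct.current] + acct.previous)[:pol.history]:
        problems.append(f"reused within the last {pol.history} passwords")
    if not problems:
        acct.previous = ([acct.current] + acct.previous)[:pol.history - 1]
        acct.current, acct.last_changed = new, now
    return problems


T0 = datetime(2015, 6, 1, 9, 0)                     # constructed reference time


def at(minutes: float) -> datetime:
    """Timestamp `minutes` after T0; keeps the walkthrough readable."""
    return T0 + timedelta(minutes=minutes)


def lockout_walkthrough() -> List[str]:
    """Three bad logons lock the account; the right password is refused until the 15-minute
    lockout passes; afterwards, failures more than 15 minutes apart never add up to a lock."""
    acct = make_account("sa", "Corr3ct-Horse!Staple", at(-2 * 24 * 60))
    return [login(acct, "wrong", at(0)), login(acct, "wrong", at(1)), login(acct, "wrong", at(2)),
            login(acct, "Corr3ct-Horse!Staple", at(3)), login(acct, "Corr3ct-Horse!Staple", at(17)),
            login(acct, "wrong", at(20)), login(acct, "wrong", at(21)), login(acct, "wrong", at(37))]
```

`lockout_walkthrough()` returns `denied, denied, locked, locked, ok, denied, denied, denied`: the fourth attempt is the correct password and is still refused, and the last three failures never lock because the counter is reset after 15 idle minutes. That reset window is why a 3-attempt threshold does not lock out an operator who mistypes twice in the morning and once in the afternoon.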

Page 35

Automated SQL 2008 R2 Hardening

• Hardens or rolls back the SQL Server security on the Logger and AW/HDS.

• Utility Location: %SYSTEMDRIVE%\CiscoUtils\SQLSecurity

• Current SQL Server configuration is backed up and saved at the following:

- <ICMInstallDrive>:\CiscoUtils\SQLSecurity\ICMSQLSecurity.bkp

• CLI

• To Harden: “Perl ICMSQLSecurity.pl HARDEN”

• To Rollback: “Perl ICMSQLSecurity.pl ROLLBACK”

• Log:

• %SYSTEMDRIVE%\CiscoUtils\SQLSecurity\Logs\ICMSQLSecurity.log

• By default without hardening, SQL Server 2008 R2 disables VIA endpoint and limits the Dedicated Administrator Connection (DAC) to local access.

• Enable only the Named Pipes and TCP/IP endpoints during setup for ICM/CCE. Named Pipes has higher priority than TCP/IP. By default, other endpoints (i.e. Shared Memory, VIA, etc.) are enabled.

Page 36

Automated SQL 2008 R2 Hardening

• Hardening performs the following:

• Enforces mixed mode authentication

• Verifies that Named Pipe (np) is listed before TCP/IP (tcp) in the SQL Server Client Network Protocol Order.

• Disables the SQLWriter, SQLBrowser, and MSSQLServerADHelper100 services.

• Forces a SQL Server ‘sa’ password if it is found blank.

• Rollback does not remove the following:

• SQL Server security mode is set to Windows Only Authentication

• SQL Server “sa” is set to random password

• SQLVSSWriter, SQLBrowser, and MSSQLServerADHelper100 services are disabled.

Page 37

SSL Encryption Utility – IIS Security

• Only supported on Windows 2008 R2

• SSLUtil.exe – helps with the task of configuring web servers for use with SSL (HTTPS). Can be invoked as standalone or automatically as part of setup.

• Located: <ICMInstallDrive>\icm\bin folder.

• Log: <SystemDrive>\temp\SSLUtil.log

• Performs the following:

• SSL Configuration

• SSL Certificate Administration

• Available only on ICM Web Applications running on Windows Server 2008 R2

- Internet Script Editor (ISE)

- Agent Re-Skilling

Page 38

SSL Encryption Utility

• Do not use IIS security setup and the utility at the same time.

• If IIS SSL port is blank, the utility sets IIS port to 443.

• Certificate Administration:

• Creates self-signed certificates.

• Installs self-signed certificate in IIS.

• Removal of certificate from IIS.

• Generates certificates via OpenSSL.

• Management of certificates – if one already exists, it does not create a new one but logs an entry.

• Enables virtual directories and configures them for 128-bit encryption

Page 39

Secured Endpoints – SRTP

• Unified CCE supports Unified Communications Manager’s Authenticated Device Security Mode

• CTI OS and CAD support TLS encryption to the server.

• Cisco Finesse supports HTTPS for the Administration Console and Agent and Supervisor Desktops.

• HTTPS is not supported for Agent and Supervisor Desktops in large deployments (over 1000 agents).

• Unified CVP VXML Browser does not support Secure Real-Time Transport Protocol (SRTP)

• UCCE does not support SRTP when using Span-based Silent Monitoring.

• Mobile Agents do not support SRTP.

• Outbound Option does not support SRTP.

• RSM SimPhone does not support SRTP.

Page 40

Active Directory Guidance

• Use Case 1: Administration Users and Agent Supervisors moving to another OU in the same domain.

• No impact as long as the native services (Logger/Distributor) are not moved.

• Drag and Drop using MSFT AD Users and Computers Tool

• Use Case 2: Changing AD structure but still in the same domain.

• Supported; this is the most common activity.

• Stop all services and use the MSFT AD Users and Computer Tool.

• Use Case 3: Migration to a new domain

• Create a new Cisco_ICM root OU – DO NOT COPY from old to new target domain (not supported).

Check out the Appendix and Staging Guide for more details.

Page 41

GPOs

• Most Group Policy Restrictions Do Not Apply To Nor Affect Cisco Root OU

• The Cisco_ICM OU structure does not contain any servers and only contains service account users in the Instance OU

• Applying GPOs to an OU

• Indirectly via top-down inheritance from a higher-level OU or domain root

• Directly linked within the OU

• Block Policy Inheritance (Indirect GPO)

• Prevents higher-level policies from applying to users and computers within a site, domain, or OU

• This can be overridden if higher-level policies have the “Enforced” option checked

Check out the Appendix and Staging Guide for more details.
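The two inheritance rules on this slide (Block Policy Inheritance on an OU, and the "Enforced" option on a higher-level link overriding that block) decide which policies actually reach the service accounts in the Cisco_ICM instance OU. The following is an added example, not Microsoft's Group Policy engine and not anything from the Staging Guide: it applies those two rules to a constructed chain of domain, Cisco_ICM root OU and instance OU, and returns the GPOs in application order, where a later GPO wins a conflicting setting. The processing details it assumes are the documented Windows behaviour (link order within a container, enforced links applied last with the highest-level enforced link winning); the container names, GPO names and the `UserLogonScript` setting are constructed sample values.

```python
"""Model of GPO application for the Cisco_ICM OU chain.

Added example, not Microsoft's Group Policy engine. Container names, GPO names
and settings are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class GpoLink:
    name: str
    enforced: bool = False


@dataclass
class Container:
    name: str
    links: List[GpoLink] = field(default_factory=list)   # GPMC link order: first = highest precedence
    block_inheritance: bool = False


def effective_gpos(chain: List[Container]) -> List[str]:
    """chain runs from the domain root down to the container holding the user or computer.
    Non-enforced links above the deepest blocking container are dropped (Block Policy
    Inheritance); enforced links always apply, after everything else, with the
    highest-level enforced link applied last so that it wins."""
    blockers = [i for i, c in enumerate(chain) if c.block_inheritance]
    blocked_below = blockers[-1] if blockers else 0      # containers with index < this lose inherited links
    normal: List[str] = []
    enforced: List[str] = []
    for i, c in enumerate(chain):
        for link in c.links:
            if link.enforced:
                enforced.append(link.name)
        if i < blocked_below:
            continue
        for link in reversed(c.links):                   # lowest link number is applied last
            if not link.enforced:
                normal.append(link.name)
    return normal + list(reversed(enforced))


def resolve_setting(chain: List[Container], gpo_settings: Dict[str, Dict[str, str]],
                    key: str) -> Optional[str]:
    """The last GPO in application order that defines the setting supplies the effective value."""
    value = None
    for gpo in effective_gpos(chain):
        value = gpo_settings.get(gpo, {}).get(key, value)
    return value


# Constructed sample: a domain with a Cisco_ICM root OU and one instance OU under it
GPO_SETTINGS = {
    "Default Domain Policy": {"UserLogonScript": "domain.bat"},
    "Corp Baseline": {"UserLogonScript": "corp.bat"},
    "ICM Service Account Lockdown": {"UserLogonScript": "icm.bat"},
    "Instance Logon Rights": {},
}


def sample_chain(block: bool = False, enforce_domain: bool = False) -> List[Container]:
    domain = Container("corp.example", [GpoLink("Corp Baseline", enforced=enforce_domain),
                                        GpoLink("Default Domain Policy")])
    cisco_icm = Container("Cisco_ICM", [GpoLink("ICM Service Account Lockdown")],
                          block_inheritance=block)
    instance = Container("Cisco_ICM/Instance", [GpoLink("Instance Logon Rights")])
    return [domain, cisco_icm, instance]


if __name__ == "__main__":
    for block, enforce in ((False, False), (True, False), (True, True)):
        chain = sample_chain(block=block, enforce_domain=enforce)
        print(block, enforce, effective_gpos(chain),
              resolve_setting(chain, GPO_SETTINGS, "UserLogonScript"))
```

With Block Policy Inheritance on Cisco_ICM and nothing enforced, only the OU's own GPOs reach the instance OU; once the domain administrator marks "Corp Baseline" as Enforced, it is applied after the OU's GPOs and wins the conflicting setting, which is exactly the override the slide warns about. `resolve_setting` with a key no GPO defines returns `None`, i.e. the local default stays in force.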

Page 42

Put it all together…

[Diagram: the component layout from slide 18 (Rogger: Router, Logger, Campaign Mgr; Generic PG: SIP Dialer, MR PG, CTI OS, CUCM PIM, VRU PIMs, CTI Server; AW/HDS/DDS; CUCM via JTAPI) with every control overlaid: MD5 hash of agent information in DB and MD5 hash transmitted over unencrypted wire; IPSEC Transport Mode or Tunnel Mode between servers; IPSEC Tunnel Mode to remote sites; Remote Agents: Finesse/CTIOS (HTTPS) SSL/TLS1.0; Administrators: ISE, WebSetup, and Agent Reskilling (HTTPS) TLSv1.0; SNMPv3; Active Directory GPO direct/indirect policy; Premise Agents: Finesse/CTIOS (HTTPS) SSL/TLS1.0; client SSL certificates/anti-virus protections; Router ACL and AAA configuration; AnyConnect VPN; Cisco CVO 88x; CSDL applied to each component.]

Page 43

Security Reference Links

Page 44

Security Guides

• CUCM 10.0(1) Security Guide

• http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100.html

• CUCM Phone Security

• http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_0110.html

• CTI/JTAPI Security

• http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_010111.html

Page 45

Security Guides

• UCS

• https://supportforums.cisco.com/document/111121/securing-and-hardening-cisco-ucs-systems

• IOS

• http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

• VMware

• http://www.vmware.com/security/hardening-guides.html

• REST/JSON Security

• https://www.youtube.com/watch?v=FeSdFhsKGG0

• Best Practice for Securing Microsoft Active Directory

• http://www.microsoft.com/en-us/download/details.aspx?id=38785

• Windows Firewall Administration

• http://technet.microsoft.com/en-us/library/cc739696(v=WS.10).aspx

Page 46

PCI-DSS Guidance

Page 47

PCI-DSS compliance requires corporate policy and operational practice in addition to product features, so customers that are crafting PCI-DSS compliant systems should plan to provide those in addition to security features that are needed to achieve compliance in their specific deployment.

– CCE Product Manager

Page 48

PCI-DSS Guidance. Future PCI Guidance Whitepaper Location: https://communities.cisco.com/community/partner/collaboration/contactcenter

Table columns: High Level Requirements | PCI DSS Requirements | Cisco UCCE Enterprise Position | Reference Information

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data

• Position: Use Cisco Firewall products to secure the network.

• Reference: http://www.cisco.com/c/en/us/products/security/firewalls/index.html

2. Do not use vendor-supplied defaults for system passwords and other security parameters

• Position: The CCE Security Guide recommends using strong custom passwords for SQL and other accounts.

• Reference: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_10_5_1/Configuration/Guide/UCCE_BK_S02F26FD_00_security-best-practices-guide-cce.html

Protect Cardholder Data

3. Protect stored cardholder data

• Position: Customers should use PCI-certified 3rd party data storage devices to store sensitive customer information. PCI-certified 3rd party storage devices are beyond the scope of Cisco UCCE documentation or guidelines. It is also best practice to hold cardholder data in memory only for the real-time transaction and never store it permanently in any database. Only partial cardholder data (last four digits) should be stored for tracking purposes. Lastly, call recording should be disabled while cardholder data is being discussed.

• Reference: Specific Customer Enterprise Implementation

4. Encrypt transmission of cardholder data across open, public networks

• Position: The CCE Security Guide recommends using Transport or Tunnel mode IPSEC in order to encrypt data.

• Reference: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_10_5_1/Configuration/Guide/UCCE_BK_S02F26FD_00_security-best-practices-guide-cce.html

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs

• Position: The CCE Security Guide documents Anti-Virus Guidelines in Chapter 9.

• Reference: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_10_5_1/Configuration/Guide/UCCE_BK_S02F26FD_00_security-best-practices-guide-cce.html

6. Develop and maintain secure systems and applications

• Position: CBABU implements the Cisco Secure Development Lifecycle (CSDL) to develop secure systems and applications. Using 3rd party software for protection and monitoring is allowed, but the Cisco 3rd party software policy should be followed. Lastly, for Windows-based patches, customers should follow Microsoft guidelines when applying updates. This does not include Service Packs.

• Reference: http://www.cisco.com/c/en/us/products/collateral/customer-collaboration/unified-ip-interactive-voice-response-ivr/prod_bulletin09186a0080207fb9.html; http://www.cisco.com/c/en/us/products/collateral/customer-collaboration/unified-contact-center-enterprise/product_bulletin_c25-455396.html


PCI-DSS Guidance Future Whitepaper Location: https://communities.cisco.com/community/partner/collaboration/contactcenter

(Table columns: High Level Requirements, PCI DSS Requirements, Cisco UCCE Enterprise Position, Reference Information)

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

Because supervisors and administrators are authenticated through Active Directory, their privileges are limited to those inherited from the AD Organizational Unit, Group Policy and/or User Policy that applies to them. Please review the UCCE Staging Guide.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/UCCE_BK_S737967D_00_staging-guide-for-cisco-unified.html

8. Identify and authenticate access to system components

UCCE components identify and authenticate access through agent credentials and AD credentials, so that user access to the system can be identified, traced and accounted for.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_10_5_1/Administration/UCCE_BK_S0A920A1_00_ucce-administration-guide.html

9. Restrict physical access to cardholder data

Use Cisco Connected Safety and Security.

http://www.cisco.com/c/en/us/products/physical-security/index.html

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

Use Cisco Cloud and Systems Management (Network Management for IT Organizations) products such as Cisco Prime Infrastructure and Prime Collaboration. In addition, Cisco UCCE supports audit trail reports and syslog output.

http://www.cisco.com/c/en/us/products/cloud-systems-management/index.html

11. Regularly test security systems and processes

Customers should implement security policies, processes and testing activities to improve the integrity of enterprise security. This topic is beyond the scope of Cisco UCCE documentation and guidelines. The UCCE Security Best Practice Guide should be considered one component of an overall enterprise solution.

Specific Customer Enterprise Policy

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

Customers should implement security policies, processes and testing activities to improve the integrity of enterprise security. This topic is beyond the scope of Cisco UCCE documentation and guidelines. The UCCE Security Best Practice Guide should be considered one component of an overall enterprise solution.

Specific Customer Enterprise Policy


Security Update for 11.0


CCE Security Update – 11.0

• Windows 2012 and SQL 2014 Platform Update

• REST API: SQL column encryption (AES-256)

• Security Hardening Update

• GPO Documentation Publication

• VOS 10.5 Update

• Antivirus Software Updates

• Tomcat and JRE/JVM Update

• Struts Update

• SQL Rule and Code Update

• OpenSSL Update

• Bash Shell and GlibC Update


Thank you


Contact Center Sessions Week at a Glance (Monday to Thursday)

• 8:00-9:30 (90 min) BRKCCT-1011 Cisco Unified Contact Center Express Update and Roadmap (G. Variyath)

• 9:30-10:30 (60 min) PSOCCT-1008 Omnichannel Customer Care: Preparing for the Mobile Customer (K. McPartlan, K. Gouda)

• 10:00-11:30 (90 min) BRKCCT-1051 Cisco Unified Contact Center Enterprise and CVP Overview and Roadmap (J. Lundy, S. Vashist)

• 11:00-11:30 (30 min) DEVNET-1130 Cisco Finesse APIs (T. Phipps)

• 12:00-1:00 Table Topics: UCCX (G. Variyath), Finesse (T. Phipps)

• 8:00-9:30 (90 min) BRKCCT-1041 CCE Security Best Practice Guide Overview (C. Gonzales)

• 11:30-12:30 Table Topic: Reporting and Analytics (C. Logue, G. Variyath)

• 1:00-2:00 (60 min) CCSCOL-1400 Case Study: Providing a Total Customer Experience (C. Botting, M. Voornhout)

• 1:00-2:30 (90 min) BRKCCT-1006 Omnichannel Contact Center Solutions Overview (W. E. Nijenhuis)

• 1:00-3:00 (2 hr) BRKCCT-3005 Solution Troubleshooting for Unified Contact Center Enterprise (C. Palau)

• 3:30-5:00 (90 min) BRKCCT-1031 Cisco Finesse: The Next Generation Agent Collaboration Experience (T. Phipps)

• 4:00-5:00 (60 min) CCSCCT-1405 Case Study: American Century Investments (N. Westvold)

• 8:00-10:00 (2 hr) BRKCCT-2007 Cisco Unified Contact Center Enterprise Planning and Design (M. Berenjian, M. Eady)

• 8:00-10:00 (2 hr) BRKCCT-2019 Cisco Unified Contact Center Express Planning and Design and Support (G. Burton, M. Turnbow)

• 8:00-10:00 (2 hr) BRKUCC-2270 Network Media Recording and Streaming with Cisco MediaSense (C. Ward)

• 11:30-12:30 Table Topic: UCCE (PCCE, HCS) and CVP (J. Lundy, C. Logue)

• 1:00-3:00 (2 hr) BRKCCT-2050 Building recording and monitoring applications with the MediaSense API (K. Rehor)

• 1:00-3:00 (2 hr) BRKCCT-2056 Contact Center Reporting and Analytics: Unified Intelligence Center (V. Gururaj, C. Logue)

• 3:00-5:00 (2 hr) BRKCCT-2027 UCCE Solution Service Creation (including CCE and CVP Scripting) (S. Vashist, B. Cole)

• 8:00-9:30 (90 min) BRKCCT-1002 Hosted Collaboration Service Contact Center Update (A. Mermel, M. Varghese)

• 10:00-12:00 (2 hr) BRKCCT-2080 Deliver Omnichannel Customer Experience with Remote Expert Mobile (R. Gupta, Y. Fedotov)

• 10:00-11:30 (90 min) BRKCCT-1005 Context Service: the new cloud-based omnichannel solution for Contact Center Enterprise and Express (V. Chhabra)

• 1:00-2:30 (90 min) BRKCCT-1009 Cisco Customer Collaboration Architectural Vision and Cloud Evolution (M. Lepore, T. Famous)

Color coding in the original table: UCCE, UCCX, MediaSense, Omnichannel.


Appendix: Extra CCE Security Materials


Windows 2008 R2 Firewall

• Stateful firewall: drops unsolicited inbound packets.

• Disabled by default on SP1 but new installs have it enabled.

• Remote configuration is not recommended.

• The firewall is configured for CCE applications with the cscript-driven configuration script or ConfigFirewall.bat; both read the CiscoICMfwConfig_exc.xml file.

• The CiscoICMfwConfig_exc.xml file contains: Allowed Services, Open Ports, and excluded Applications.

• Verify it using START > SETTINGS > CONTROL PANEL > WINDOWS FIREWALL tool.

• Exceptions and Inbound/Outbound Rules tab will show the configuration settings based on the .xml file.

• Use the “Ntfrsutl” and “Portqry” tools to test and validate connectivity between two Domain Controllers once the firewall is configured.

• Undo Firewall Settings:

• Stop all applications.

• Use %SYSTEMDRIVE%\CiscoUtils\FirewallConfig\UndoConfigFirewall.bat

• Reboot Server


Windows Server 2008 R2 Firewall Ports (domain controller services reached through the firewall)

Port and protocol: service

• 42 TCP: WINS replication

• 53 TCP and UDP: DNS

• 88 TCP and UDP: Kerberos

• 123 UDP: NTP

• 135 TCP: RPC endpoint mapper

• 137 UDP: NetBIOS Name Service

• 138 UDP: NetBIOS Datagram (NetLogon and browsing)

• 139 TCP: NetBIOS Session

• 389 TCP (UDP for DC locator pings): LDAP

• 445 TCP: SMB over IP (Microsoft-DS)

• 636 TCP: LDAP over SSL

• 3268 TCP: LDAP Global Catalog

• 3269 TCP: LDAP Global Catalog over SSL

• 10000 TCP: RPC, NTFRS (static port assigned in this design; see the next slide)

• 10001 TCP: RPC, NTDS replication (static port assigned in this design)

• 10002 to 10200 TCP: RPC dynamic port range, restricted to this block

Reference the “Port Utilization Guide” in order to determine CCE ports that need to be open for your firewall configuration.
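A quick reachability check for the ports in the table, as an added example that is not part of the Cisco deck or the CCE tools: it probes each TCP port on a domain controller from a CCE server and stands in for PortQry when that tool is not installed. The DC name is a placeholder, and 10000/10001 are the static ports this deck chose, not Microsoft defaults. UDP-only services (NTP 123, NetBIOS 137/138) are deliberately left out, because a UDP port cannot be confirmed open without a protocol-specific reply.

```powershell
# Added example (not from the Cisco deck): TCP reachability from a CCE server
# to a domain controller for the ports listed above. Works on PowerShell 2.0
# and later (no Test-NetConnection dependency).

# Port -> service, TCP only. Mirrors the table above.
$DcTcpPorts = @{
    42    = 'WINS replication'
    53    = 'DNS'
    88    = 'Kerberos'
    135   = 'RPC endpoint mapper'
    139   = 'NetBIOS session'
    389   = 'LDAP'
    445   = 'SMB over IP (Microsoft-DS)'
    636   = 'LDAP over SSL'
    3268  = 'Global Catalog'
    3269  = 'Global Catalog over SSL'
    10000 = 'NTFRS static RPC port (value chosen in this deck)'
    10001 = 'NTDS replication static RPC port (value chosen in this deck)'
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'TIMEOUT'            # filtered by a firewall, or host down
        }
        $client.EndConnect($ar)         # throws if the connection was refused
        return 'OPEN'
    } catch {
        # Unwrap the .NET exception: refused (host reached, no listener) or
        # a name-resolution failure both end up here with a readable message.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        return "CLOSED ($($ex.Message))"
    } finally {
        $client.Close()
    }
}

function Test-DcPorts {
    param([string]$DomainController, [int]$TimeoutMs = 2000)
    foreach ($port in ($DcTcpPorts.Keys | Sort-Object)) {
        $state = Test-TcpPort -ComputerName $DomainController -Port $port -TimeoutMs $TimeoutMs
        '{0,-6} {1,-12} {2}' -f $port, $state, $DcTcpPorts[$port]
    }
}

# Placeholder host name: run this from each CCE server toward each DC it uses.
Test-DcPorts -DomainController 'dc01.corp.example'
```

A TIMEOUT on a port that the table says must be open usually means the firewall rule is missing or scoped to the wrong source address; a CLOSED result means the packet reached the DC but nothing is listening, which for 10000/10001 points at the static-port registry settings rather than the firewall.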


Domain Controller (DC) in the DMZ

• When deploying a DC in the Demilitarized Zone (DMZ), we recommend the following:

• Restrict File Replication Services (FRS) to a specific static port.

• Restrict Active Directory Replication traffic to a specific port.

• Configure Remote Procedure Call (RPC) port allocation.
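The three recommendations above map to three Microsoft-documented registry settings. The script below is an added example, not from the Cisco deck, that applies them on the DMZ domain controller and adds matching inbound firewall rules. The port numbers (10000 for NTFRS, 10001 for NTDS, 10002-10200 for the RPC dynamic range) are the ones used in this deck's port table and are assumptions; the CCE subnet is a placeholder. Run it elevated and reboot the DC afterwards, since the RPC runtime reads these values at start-up.

```powershell
# Added example (not from the Cisco deck): pin the RPC ports a DMZ domain
# controller uses so the firewall can allow a small, fixed set of ports.
# Registry value names are Microsoft's for FRS, AD replication and the RPC
# "Internet" port range; the port numbers below are this deck's choices.

$frsPort    = 10000               # File Replication Service (NTFRS)
$ntdsPort   = 10001               # Active Directory replication (NTDS)
$rpcRange   = '10002-10200'       # remaining RPC dynamic allocation
$cceSubnet  = '10.0.10.0/24'      # placeholder: where the CCE servers live

# 1. Restrict FRS to a static RPC port
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters' `
    -Name 'RPC TCP/IP Port Assignment' -Value $frsPort -Type DWord

# 2. Restrict AD replication (NTDS) to a static RPC port
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -Value $ntdsPort -Type DWord

# 3. Confine the RPC runtime's dynamic allocation to one range.
#    Caveat: this applies to every RPC server on the box, so keep the range
#    wide enough for all of them.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey | Out-Null }
Set-ItemProperty -Path $rpcKey -Name 'Ports'                  -Value @($rpcRange) -Type MultiString
Set-ItemProperty -Path $rpcKey -Name 'PortsInternalAvailable' -Value 'Y'          -Type String
Set-ItemProperty -Path $rpcKey -Name 'UseInternetPorts'       -Value 'Y'          -Type String

# 4. Inbound rules scoped to the CCE subnet (netsh works on 2008 R2 and later)
netsh advfirewall firewall add rule name="AD NTFRS static"      dir=in action=allow protocol=TCP localport=$frsPort  remoteip=$cceSubnet
netsh advfirewall firewall add rule name="AD NTDS static"       dir=in action=allow protocol=TCP localport=$ntdsPort remoteip=$cceSubnet
netsh advfirewall firewall add rule name="AD RPC dynamic range" dir=in action=allow protocol=TCP localport=$rpcRange remoteip=$cceSubnet

# 5. Read back what was written before rebooting
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters' | Select-Object 'RPC TCP/IP Port Assignment'
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'  | Select-Object 'TCP/IP Port'
Get-ItemProperty $rpcKey | Select-Object Ports, PortsInternalAvailable, UseInternetPorts
# Restart-Computer   # required for the new ports to take effect
```

If SYSVOL has been migrated from FRS to DFS Replication, the NTFRS value is unused; DFSR takes its static port from `dfsrdiag StaticRPC /port:<n> /member:<dc>` instead. In either case, verify after the reboot with PortQry (or the probe shown earlier) that only the pinned ports and the 10002-10200 block answer.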


Security Monitoring

• IP Security Monitor (ipsecmon) – monitors IPSec traffic

• Network Monitor (netmon) – captures frames sent to/from the server.

• System Monitoring (perfmon) – system performance data and network activity –see pg. 11 for recommended counters.

• Enable IPSec Logging

• Enable IPsec (IKE) logging on Windows Server 2003 and earlier:

- Registry key: HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent, add a subkey named Oakley

- In that subkey, create DWORD value EnableLogging = 1

- Restart the policy agent: “net stop policyagent” then “net start policyagent”

- The log is written to %windir%\debug\Oakley.log

- Note: Windows Vista/Server 2008 and later no longer write Oakley.log. On those systems use the IPsec audit subcategories (for example auditpol /set /subcategory:"IPsec Main Mode" /failure:enable) or “netsh wfp capture start” to trace IKE negotiations.


Auditing

• Tracks events per system.

• Types:

- Local Policies: Start > Programs > Administrative Tools > Local Security Policies

- SNMP Real-Time Alerts: polls events from Windows eventlog and converts to SNMP traps (evntwin.exe or evntcmd.exe).

- SQL Server C2 Auditing is not supported with ICM/UCCE. May have significant impact to the system.

- Active Directory tools to audit logins and management of hosts.


Antivirus Guidelines

• Update AV software scanning engines and definition files regularly, following your organization's current policies.

• Upgrade to the latest supported version of the third-party antivirus application. Newer versions improve scanning speed over previous versions, resulting in lower overhead on servers.

• Avoid scanning of any files accessed from remote drives (such as network mappings or UNC connections). Where possible, ensure that each of these remote machines has its own antivirus software installed, thus keeping all scanning local. With a multitiered antivirus strategy, scanning across the network and adding to the network load is not required.

• Schedule full scans of systems by AV software only during scheduled maintenance windows, and when the AV scan cannot interrupt other Unified ICM maintenance activities.

• Do not set AV software to run in an automatic or background mode for which all incoming data or modified files are scanned in real time.

• Due to the higher scanning overhead of heuristics scanning over traditional antivirus scanning, use this advanced scanning option only at key points of data entry from untrusted networks (such as email and internet gateways).


Antivirus Guidelines

• Real-time or on-access scanning can be enabled, but only on incoming files (when writing to disk). This approach is the default setting for most antivirus applications. Implementing on-access scanning on file reads yields a higher impact on system resources than necessary in a high-performance application environment.

• While on-demand and real-time scanning of all files gives optimum protection, this configuration does have the overhead of scanning those files that cannot support malicious code (for example, ASCII text files). Exclude files or directories of files, in all scanning modes, that are known to present no risk to the system.

• Schedule regular disk scans only during low-usage times and at times when application activity is lowest.

• Disable the email scanner if the server does not use email.

• Additionally, set the AV software to block port 25 to block any outgoing email.

• Block IRC ports.


Antivirus Guidelines

• If your AV software has spyware detection and removal, then enable this feature. Clean infected files, or delete them (if these files cannot be cleaned).

• Enable logging in your AV application. Limit the log size to 2 MB.

• Set your AV software to scan compressed files.

• Set your AV software to not use more than 20% CPU utilization at any time.

• When a virus is found, the first action is to clean the file, the second to delete or quarantine the file.

• If it is available in your AV software, enable buffer overflow protection.

• Set your AV software to start on system startup.

• Omit files with the following file extensions from the drive and on-access scanning configuration of the AV program:

- *.hst (applies to PG)

- *.ems (applies to all CCE servers)


Windows Remote Desktop

• Native Remote Desktop Protocol (RDP) encryption between client and server is supported. It is the preferred method because of its security and low impact on performance.

• Windows 2008 R2 Terminal Services (aka Remote Desktop) can replace pcAnywhere and VNC.

- Mstsc /v:<server[:port]>

• RDP-TCP Guidelines:

- Limit active connections to 1.

- End disconnected sessions in 5 mins or less.

- Inactive sessions limited to 1 day.

- Idle sessions limited to 30mins.

- Set permissions for users and groups: Administrators Full Control, Users limited access, Guests access restricted.

- Set High encryption levels of connections.

- Limit permission from specific host via ip address.
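The RDP-Tcp guidelines above can be applied without the GUI. The script below is an added example, not from the Cisco deck: it writes the registry values that Group Policy and tsconfig.msc use for the RDP-Tcp listener and then scopes the built-in Remote Desktop firewall rule to a management subnet. Assumptions: the subnet is a placeholder; the deck's “inactive sessions limited to 1 day” is read as the active-session limit (MaxConnectionTime); the firewall rule name is the Windows Server 2008 R2 one (on 2012 and later it is “Remote Desktop - User Mode (TCP-In)”). Per-group permissions are not a simple registry value and are left to tsconfig.msc.

```powershell
# Added example (not from the Cisco deck): apply the RDP-Tcp listener limits
# from the guidelines above and restrict which hosts may reach TCP 3389.
# Run elevated; existing sessions pick up the new limits on reconnect.

$rdp        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$adminHosts = '10.10.5.0/24'          # placeholder: management hosts allowed to RDP

# Time values are milliseconds.
$settings = @{
    MaxInstanceCount     = 1               # limit active connections to 1
    MaxDisconnectionTime = 5  * 60000      # end disconnected sessions after 5 min
    MaxIdleTime          = 30 * 60000      # disconnect idle sessions after 30 min
    MaxConnectionTime    = 24 * 3600000    # cap an active session at 1 day
    MinEncryptionLevel   = 3               # 1=Low 2=Client-compatible 3=High 4=FIPS
    SecurityLayer        = 2               # 0=RDP 1=Negotiate 2=TLS
    UserAuthentication   = 1               # require Network Level Authentication
}

foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $rdp -Name $name -Value $settings[$name] -Type DWord
}

# Only the management subnet may reach the listener; everything else is
# dropped by the stateful firewall before RDP ever sees it.
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=$adminHosts enable=yes

# Read back the effective values for the change record
Get-ItemProperty -Path $rdp | Select-Object MaxInstanceCount, MaxDisconnectionTime,
    MaxIdleTime, MaxConnectionTime, MinEncryptionLevel, SecurityLayer, UserAuthentication
```

Keep a second path to the server (console access through the hypervisor or a KVM) before setting MaxInstanceCount to 1; with a single allowed connection, a hung session blocks every other administrator until MaxDisconnectionTime reaps it.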


pcAnywhere and VNC

• PcAnywhere provides the following:

- Restrict Access to specific host via IP address.

- Provides Serialization using a secure code between host and server.

- Provides credentials for access and authorization.

- Protects the data stream between host and server through encryption. pcAnywhere supports:

- pcAnywhere encryption

- Symmetric encryption

- Public key encryption

- Protects host integrity: prevents file and application changes.

- Logging for sessions and identification through Symantec Remote Access Perimeter Scanner (RAPS).

- Logging features covers pcAnywhere log, NT Event log (Windows Server 2008 R2) or SNMP monitor.

- Limited to 1 user at a time.

• For VNC, Cisco does not support installing SSH servers on CCE hosts to provide encrypted tunnels for VNC sessions.


Enable Transport Layer Security (TLS) 1.0

• FIPS compliance for strong encryption required the TLS 1.0 protocol rather than SSL 2.0 or 3.0 at the time of this deck (2015). Note that SSL and TLS 1.0 have since been retired: PCI DSS has not accepted them since 30 June 2018, so current deployments should target TLS 1.2.

• IE Setup:

- Launch Internet Explorer

- Tools > Internet Options

- Advance Tab

- Scroll to Security and check the “Use TLS 1.0” box.

- Note: if hardening is applied and IE is unable to connect to Internet Script Editor (ISE) or Agent Re-skilling, make sure that IE is configured for TLS 1.0.

• Firefox Setup

- Firefox 23 and later no longer has a user-interface setting to disable TLS or SSL 3, but manual methods exist. See http://kb.mozillazine.org/Security.tls.version.*
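The IE checkboxes on the Advanced tab are a bitmask stored in the registry, which is easier to audit and push by script than to click through on every administrator workstation. The following is an added example, not from the Cisco deck: it shows the current protocol selection, sets a new one, and shows the result. Bit values are Microsoft's for SecureProtocols (SSL 2.0 = 8, SSL 3.0 = 32, TLS 1.0 = 128, TLS 1.1 = 512, TLS 1.2 = 2048). The deck's 2015 target was TLS 1.0; the default below enables TLS 1.2 only, which is an assumption matching current PCI DSS expectations.

```powershell
# Added example (not from the Cisco deck): inspect and set Internet Explorer's
# SecureProtocols bitmask, the value behind the "Use SSL 3.0" / "Use TLS 1.0"
# checkboxes. Per-user setting (HKCU); Group Policy can enforce the same value
# under the equivalent policy key.

$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$bits  = @{ 8 = 'SSL 2.0'; 32 = 'SSL 3.0'; 128 = 'TLS 1.0'; 512 = 'TLS 1.1'; 2048 = 'TLS 1.2' }

function Get-IeProtocols {
    # Missing value means IE defaults apply; report it as 0 so every bit shows "disabled".
    [int](Get-ItemProperty -Path $ieKey).SecureProtocols
}

function Show-IeProtocols([int]$Mask) {
    foreach ($bit in ($bits.Keys | Sort-Object)) {
        $state = if ($Mask -band $bit) { 'enabled' } else { 'disabled' }
        '{0,-8} {1}' -f $bits[$bit], $state
    }
}

function Set-IeProtocols([int]$Mask) {
    Set-ItemProperty -Path $ieKey -Name SecureProtocols -Value $Mask -Type DWord
}

'Before:'
Show-IeProtocols (Get-IeProtocols)

# Weak 2015-era setting would be 128 (TLS 1.0 only); the hardened setting
# assumed here is TLS 1.2 only.
Set-IeProtocols -Mask 2048

'After:'
Show-IeProtocols (Get-IeProtocols)
```

The same bitmask is what a hardening GPO writes, so comparing Get-IeProtocols against the expected value is a quick way to tell whether the policy actually applied on a workstation that cannot reach Internet Script Editor.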


Endpoint Security

• IP Phone Hardening

- PC Voice VLAN Access: disabling it prevents the PC from sending or receiving data on the voice VLAN.

- Span to PC Port – disabling will inhibit the use of desktop-based monitoring and recording.

- Gratuitous ARP: disable it to prevent man-in-the-middle (MITM) attacks and spoofing. Third-party tools use gratuitous ARP to capture voice streams.

- CTIOS Silent Monitoring and CAD Silent Monitoring & Recording do not depend on G-ARP.


Other Security Considerations

• There is a rate limit of Unified CCE agent login attempts with incorrect password. By default, the agent account is disabled for 15 minutes after three incorrect password attempts, counted over a period of 15 minutes.

• There is a rate limit on CTI OS Monitor Mode connection. When TLS is enabled and a password is required, Monitor Mode is disabled for 15 minutes after three incorrect password attempts (configurable).

• Windows Management Instrumentation (WMI) is used to manage Windows systems. WMI security is an extension of the security subsystem built into Windows operating systems. WMI security includes: WMI namespace-level security; Distributed COM (DCOM) security; and Standard Windows OS security.

• Microsoft native SNMP service is disabled by the Web Setup tool and its functionality replaced by a more secure agent infrastructure. Do not re-enable the Microsoft SNMP service because it can cause conflicts with the Cisco-installed SNMP agents. Use of SNMP v3 is highly preferred.

• Cisco has qualified Unified ICM software with the Operating System implementations of NTLM, Kerberos V, and IPsec security protocols.


Active Directory


Active Directory with UCCE

• High Level Requirements

• Interaction and Usage

• Access Rights and Limitations

• Maintain and Operate


Active Directory with UCCE – High Level Requirements

• Compatibility Matrix = AD version support

• Functional Level agnostic

• Staging Guide = Active Directory Integration Requirements

• Single AD Forest

• No Read-Only Domain Controllers (RODC)

• Adhere to Cisco naming conventions for AD Root (Cisco_ICM) structure

• No co-locating CCE servers with Domain Controllers and/or DNS servers

• Global Catalog at each CCE site for multi-domain deployments

• Group Policy (GPOs)

• We’ll get to this later but in the meantime, consider the following best practices…

• Move UCCE servers into their own OU. Server OU should be at the same or lower level relative to the UCCE Root OU (Cisco_ICM)

• Discuss “blocking” and “enforced” requirements to Cisco OU’s (root + servers)

• This, above all: UCCE servers are sophisticated, real-time enterprise application servers

You must use the Domain Manager tool to create the Cisco Root OU, Cisco_ICM.


Active Directory with UCCE – Interaction and Usage

• UCCE Core Components

• Loggers and Administration Data Servers require service accounts (created in Cisco_ICM) for database management

• Peripheral Gateways don’t typically make AD calls unless running PG Setup…

• CallRouters don’t typically make AD calls

• Other Components

• Finesse integrates with a UCCE Administration Data Server for agent and API login (NTLMv1 ONLY)

• CUIC login credentials can reside in either LDAP AD and/or CUIC’s Informix DB.

• CVP – No AD integration or requirements

• UCCE Tools

• Requiring Setup Security Group membership: Web Setup, PG Setup, Service Control, Domain Manager, Service Account Manager (SAM), ICMDBA, Configuration Manager*

• Requiring Config Security Group membership: Configuration Manager, Script Editor, ISE

*The only time you require Setup rights for Configuration Manager is when you promote and/or create an agent/person to a Supervisor. Configuration Manager will associate the Supervisor to the Instance Config Security Group.


UCCE New Deployment – UCCE AD Security Groups

• Access rights are nested in Cisco_ICM

• Downstream recursive: if you are a member of a Facility security group, you have those same rights for the Instance(s) in that Facility.

• Config Security Group (No AD Write Access)

• Configuration Manager tools

• Script Editor and ISE (Internet Script Editor)

• Setup Security Group (AD Read/Write Access)

• UCCE installation, patching, and WebSetup tools

• Manage security group memberships via Domain Manager

• Manage service accounts via SAM tool

• Configuration Manager: User and Agent list tools

(Diagram: OU hierarchy Corporate Domain > Contact Center Applications > Cisco_ICM > Facility > Instance. Config and Setup security groups exist at the Cisco_ICM root, Facility and Instance levels; the Service group exists at the Instance level only.)

• Service Security Group (Read-Only)

- Instance level only

- Users created via the Service Account Manager (SAM) tool are members of this group

- Holds the Logger/Distributor service account membership
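Because rights flow downward through nested groups, the question “who can actually change my UCCE configuration?” is best answered by expanding membership recursively from the Cisco_ICM root. The script below is an added example, not from the Cisco deck or the Domain Manager tool: it enumerates every security group under the Cisco_ICM OU, classifies it by the Config/Setup/Service role the deck describes, and lists the effective user members of each. It is read-only. Assumptions: the OU is named Cisco_ICM (the Cisco convention); group names end in Config, Setup or Service as the deck labels them (anything else is reported as Other); the RSAT ActiveDirectory module is installed and the caller can read the OU.

```powershell
# Added example (not from the Cisco deck): audit effective membership of the
# UCCE security groups under the Cisco_ICM root OU.

Import-Module ActiveDirectory

$root = Get-ADOrganizationalUnit -Filter "Name -eq 'Cisco_ICM'" | Select-Object -First 1
if (-not $root) { throw 'Cisco_ICM OU not found; it is created by the Domain Manager tool.' }

# Every group at root, Facility and Instance level lives somewhere under the root OU.
$groups = Get-ADGroup -SearchBase $root.DistinguishedName -SearchScope Subtree -Filter *

$report = foreach ($g in $groups) {
    # Classify by the role suffix; adjust the patterns if your names differ (assumption).
    $role = switch -Regex ($g.Name) {
        'Config$'  { 'Config (no AD write)' }
        'Setup$'   { 'Setup (AD read/write in Cisco_ICM)' }
        'Service$' { 'Service (Logger/Distributor accounts)' }
        default    { 'Other' }
    }
    # -Recursive expands nested groups, which is exactly how Facility-level
    # rights reach every Instance in that Facility.
    $members = Get-ADGroupMember -Identity $g -Recursive |
               Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        New-Object -TypeName PSObject -Property @{
            Group  = $g.Name
            Role   = $role
            OU     = ($g.DistinguishedName -replace '^CN=[^,]+,', '')
            Member = $m.SamAccountName
        }
    }
}

$report | Sort-Object Role, Group, Member | Format-Table Role, Group, OU, Member -AutoSize

# Setup members deserve a second look: they can stop/start UCCE services and
# add members to the other groups, so the list should be short and named.
'Effective Setup members:'
$report | Where-Object { $_.Role -like 'Setup*' } | Select-Object -ExpandProperty Member -Unique
```

Run it from an Administration Data Server or any domain-joined management host; if a Facility-level Setup group turns out to contain a broad corporate group rather than a handful of named administrators, that is the finding to take to the AD team.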


UCCE AD Security Groups Impact On AD Domain Tools

• I’m The AD Administrator And I Have A Few Concerns…

• Assuming An AD User Is A Member Of All UCCE Security Groups, What Can They Do In My Active Directory Domain?

• Not much…

• User cannot log onto the Domain Controller

• User cannot make any changes in the AD domain whatsoever

• User cannot create domain OUs, Users, Groups, Policies, etc.

• Unless the user is a member of the Setup security group, he/she will not be able to stop/start UCCE services.

• Users with UCCE security group membership(s) can only administer UCCE-related objects.

• UCCE software does not modify AD objects without direct user intervention and control.


UCCE New Deployment – UCCE Domain Manager

• Creates the Cisco_ICM (Root) OUs

• Creates and defines all UCCE security groups and permissions for root, Facility, and Instance.

• Requires domain administrator read/write privileges; this user becomes a member of the Setup security group during OU creation.

• Manages AD User Membership To UCCE Security Groups

• Control access rights to UCCE tools

• Hierarchical approach for maximum administration flexibility

• Nested, downward-recursive security group rights. Example: a user that is a member of the Facility Config security group will have UCCE configuration rights to all Instances in that Facility.

After initial setup of the UCCE Root, you may use standard AD tools to associate users with the Cisco security groups.


UCCE New Deployment – Service Account Manager

By default, when you install UCCE, all component services (PG, Router, Dialer, CG, CTIOS, etc.) use the Local System account. The Logger and Distributor services, however, are bound to a specific AD user account in the Instance OU.

• UCCE Service Account Management

• Must be run locally on each respective server

• User must be a member of the Setup Security Group

• User must have local-domain administrator read/write privileges.

• Modify (after initial account creation) domain service account names and passwords.

• Used As A Post-Install Diagnostic Tool

• Check and manage the health of UCCE service accounts

• Health status and remediation: 9.0(y) Staging Guide page 64 - 69


Moving UCCE AD Objects


Reasons Why You May Have To Move AD Objects

• User Story 1

• “We need to move our UCCE administration users and agent supervisors to another OU in the same domain. Will this impact UCCE functionality?”

• User Story 2

• “We are changing our AD structure. Currently, the Cisco_ICM OU is located directly under the domain: CORP.COM > Cisco_ICM. We would like to move the Cisco root OU to a lower-level container like CORP.COM > Applications > Contact Center Enterprise > Cisco_ICM. Is this possible and what are the steps?”

• User Story 3

• “We are moving our UCCE Servers (and thus, the Cisco_ICM) to a new domain.”


Moving AD Objects – Intra-Domain (Simple)

• After Windows 2000, Moving AD Objects Is Drag and Drop Simple

• Especially so for intra-domain tasks

• Inter-domain moves are more complicated

• Permissions assigned directly to AD objects remain with the object after a move

• UCCE tools assign AD permissions directly

• Inherited Permissions Are Lost

• AD objects will inherit permissions (and restrictions) assigned to the new OU

• In AD, Objects With Similar Permission Settings Are Usually Grouped Together

• Know the target OU policies before you move the Cisco_ICM root OU.

A few things to know about moving objects in Active Directory…


Moving A UCCE AD User Object – Intra-Domain (Simple)

• User Story 1

• “We need to move our UCCE administration users and agent supervisors to another OU in the same domain. Will this impact UCCE functionality?”

• Answer

• This type of AD object move will not impact UCCE functionality. So long as you are not moving the native UCCE service accounts (Logger/Distributor), this AD task is transparent to UCCE.

• What’s Involved?

• Ensure that all users are completely logged out.

• Using Microsoft Active Directory Users and Computers, drag and drop the user object to its new location.


Moving UCCE Servers To Another OU – Intra-Domain (Simple)

• What About Moving Servers In The Same Domain?

• Similar To Moving Users

• Must Stop All UCCE Services Before Moving UCCE Servers

• Including duplexed peers … plan a maintenance window.

• Computers Vs. Users

• Unlike users, who may have direct policies and permissions applied, servers in AD typically inherit their operational rules through a Group Policy. Example: you may have separate containers in AD for Windows 2003 and Windows 2008 R2 servers so that GPO management can be applied to each respectively.

• In short, when you move users around in an AD domain, their permissions will follow as they are often times applied directly. However, moving computers around in an AD domain will often times result in inheritance of different policy objects depending on the source and target OU’s.

• No Post-Actions On UCCE To Accommodate This Task


Moving The Cisco_ICM Root OU – Intra-Domain (Simple)

• User Story 2

• “We are changing our AD structure. Currently, the Cisco_ICM OU is located directly under the domain: CORP.COM > Cisco_ICM. We would like to move the root to a lower-level container like CORP.COM > Applications > Contact Center Enterprise > Cisco_ICM. Is this possible and what are the steps?”

• Answer

• Yes, this is possible and it’s the most supported and least risky move possible for the UCCE root OU.

• What’s Involved?

• I’m about to show you…


Moving The Cisco_ICM Root OU – Intra-Domain (Simple)

1. Stop All UCCE Services Via Service Control

• This includes duplexed peers.

2. Run WebSetup On The Central Controller

• Record all Facility and Instance names and numbers.

3. Launch Microsoft Active Directory Users And Computers

• Drag and drop the OU to the new location, or right-click on the OU you want to move

Page 88

Moving The Cisco_ICM Root OU – Intra-Domain (Simple)

4. Start Up All UCCE Services Via Service Control

• Graceful startup order: LoggerA, RouterA, RouterB, LoggerB, PG’s and Administration Servers

5. Launch UCCE Service Account Manager (SAM)

• Validate that Logger and Distributor service accounts are healthy

6. Launch UCCE User List Tool

• Validate permissions for UCCE users were properly migrated/retained post-OU move

DONE

Page 89

Moving UCCE AD Objects – Inter-Domain (Complex)

• User Story 3

• “We are moving our UCCE Servers to a new domain. We understand that the UCCE servers must reside in the same domain as the Cisco_ICM root OU. Can we copy the existing Cisco_ICM OU to the new domain?”

• Answer

• No. Copying the existing Cisco_ICM root OU to the new/target domain is not supported.

• What’s Involved?

• Create a new Cisco_ICM root OU in the new/target domain using CCE’s Domain Manager tool

• Root, Facility, and Instance from the source Cisco_ICM OU must all match the newly created root OU

• All UCCE services must be stopped prior to moving the servers; move the UCCE servers to the new domain

• Run WebSetup and PGSetup, respectively, to map the instance to the new domain

• Run CCE’s Service Account Manager (SAM) tool to validate that the Logger and Distributor service accounts were properly set up in the new domain

• Decide whether or not to migrate the UCCE user and supervisor accounts to the new domain

Page 90

Moving UCCE AD Objects – Inter-Domain (Complex)

• Inter-Domain AD User Objects From The Viewpoint Of UCCE…

• UCCE Supervisors, Configuration, and Setup Users Can Reside Outside Of The UCCE Root OU

• UCCE Agent Explorer & User List Tool Have Resource Access To Domains In The Forest

• Two-way transitive trusts

• One-way outgoing external trusts allowing users from other domains to access resources in root domain

[Diagram: Cisco_ICM root OU with UCCE Servers and Users in the root domain; UCCE Users (Config, Setup, Supervisor) in other domains of the forest, reached by Agent Explorer and the User List Tool]

Page 91

Moving UCCE AD Objects – Inter-Domain (Complex)

• Inter-Domain AD Server Objects From The Viewpoint Of UCCE…

• UCCE Servers Must Be In An OU That’s Local To / In The Same Domain As The UCCE Root OU

• UCCE Servers Are Linked To Root OU Facility/Instance Via WebSetup’s Instance Management

• Note the ‘Change Domain’ option

[Diagram: Cisco_ICM root OU with UCCE Servers and Users in the root domain; UCCE Users (Config, Setup, Supervisor) in other domains connected by a two-way transitive trust or a one-way outgoing external trust; UCCE Servers in the same domain as the root OU]

Page 92

Moving UCCE AD Objects – Inter-Domain (Complex)

• OK, Back To The User Story…

• “We are moving our UCCE Servers to a new domain. We understand that the UCCE servers must reside in the same domain as the Cisco_ICM root OU. Can we copy the existing Cisco_ICM OU to the new domain?”

• Order Of Operations

1. Using CCE’s Domain Manager, create a new carbon copy of the UCCE root OU in the new domain.

2. Shutdown all UCCE servers and move them into a similar OU in the new domain.

3. Run CCE’s WebSetup on each Central Controller server (including Distributors) and click the ‘Change Domain’ button in the Instance Management drawer.

Page 93

Moving UCCE AD Objects – Inter-Domain (Complex)

• Order Of Operations Continued…

4. Run CCE’s Service Account Manager (SAM) tool on all Central Controller components to create new AD service accounts for LoggerA, LoggerB, and your Distributors.

5. When it comes to the users, you have a couple of options…

① You can add the Config and Setup Security Group from the source domain as a member of the Config and Setup Security Group in the new domain. This will allow the UCCE instance in the new root OU to access the original permissions mapping from the old root OU. Note: The source UCCE root OU must not be touched!

OR

② You can use the User Migration Tool to export UCCE users from the source domain and then import them into the target domain. This will create duplicate users in AD between the source and target domains. All UCCE permissions will be properly mapped over. Note: User Migration Tool is a separate download via cisco.com

At this stage, you have successfully migrated the UCCE servers

Now, we need to migrate the UCCE users and supervisors
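A script, added here and not part of the Cisco deck, that snapshots the Facility and Instance OU names under a Cisco_ICM root OU and compares two snapshots. It serves step 2 of the intra-domain root OU move (record Facility and Instance names before the move) and the inter-domain requirement that the root OU created by Domain Manager in the target domain match the source. The DNs and domain controller names are placeholders.

```powershell
# Added example; not code from the Cisco deck. DNs and DC names below are placeholders.
Import-Module ActiveDirectory

function Get-CiscoIcmSnapshot {
    # Returns @{ FacilityName = @{ InstanceName = @(service account SamAccountNames) } }
    param(
        [Parameter(Mandatory)] [string]$RootDn,  # e.g. 'OU=Cisco_ICM,DC=corp,DC=com'
        [Parameter(Mandatory)] [string]$Server   # a domain controller of the domain holding the OU
    )
    $facilities = @{}
    # Facility OUs are direct children of the root OU; Instance OUs are children of a Facility.
    foreach ($fac in Get-ADOrganizationalUnit -Filter * -SearchBase $RootDn -SearchScope OneLevel -Server $Server) {
        $instances = @{}
        foreach ($inst in Get-ADOrganizationalUnit -Filter * -SearchBase $fac.DistinguishedName -SearchScope OneLevel -Server $Server) {
            # Logger/Distributor service accounts live in the Instance OU.
            $accounts = @(Get-ADUser -Filter * -SearchBase $inst.DistinguishedName -SearchScope OneLevel -Server $Server |
                          ForEach-Object { $_.SamAccountName } | Sort-Object)
            $instances[$inst.Name] = $accounts
        }
        $facilities[$fac.Name] = $instances
    }
    return $facilities
}

function Compare-CiscoIcmSnapshot {
    # Only Facility and Instance names are compared: after an inter-domain move the
    # service accounts are recreated by SAM, so account names are expected to differ.
    param([hashtable]$Source, [hashtable]$Target)
    $problems = @()
    foreach ($facName in $Source.Keys) {
        if (-not $Target.ContainsKey($facName)) { $problems += "Facility '$facName' is missing in target"; continue }
        foreach ($instName in $Source[$facName].Keys) {
            if (-not $Target[$facName].ContainsKey($instName)) {
                $problems += "Instance '$instName' is missing under Facility '$facName' in target"
            }
        }
    }
    return $problems
}

# Intra-domain move from the user story: record, move (all UCCE services stopped first), record again, compare.
$before = Get-CiscoIcmSnapshot -RootDn 'OU=Cisco_ICM,DC=corp,DC=com' -Server 'dc1.corp.com'
# Move-ADObject -Identity 'OU=Cisco_ICM,DC=corp,DC=com' -Server 'dc1.corp.com' `
#     -TargetPath 'OU=Contact Center Enterprise,OU=Applications,DC=corp,DC=com'
# (an OU flagged ProtectedFromAccidentalDeletion must have that flag cleared before it can be moved)
$after = Get-CiscoIcmSnapshot -RootDn 'OU=Cisco_ICM,OU=Contact Center Enterprise,OU=Applications,DC=corp,DC=com' -Server 'dc1.corp.com'
Compare-CiscoIcmSnapshot -Source $before -Target $after   # no output means the names match
# Inter-domain: take the second snapshot of the new root OU against a DC of the target domain instead.
```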

Page 94

Moving UCCE AD Objects – Inter-Domain (Complex)

• When Moving Objects To A New Domain, You May Have The Need To Also Rename UCCE Facility and/or Instance OUs

• Renaming Cisco_ICM Facility As Part Of A Domain Move

• Supported and does not change previous steps discussed

• Renaming Cisco_ICM Instance As Part Of A Domain Move

• NOT supported. If you rename the UCCE Instance, you are in a sense installing a brand new UCCE customer from scratch.

• There is no migration path when the Instance name is changed

Page 95

Group Policy Objects (GPOs)

Page 96

Playing Nice With UCCE OU’s and Group Policy Objects

Understand How UCCE Works With AD

• Know the dependencies for tools and general functionality

Understand The Intent/Purpose Behind Group Policies

• UCCE servers are real-time application servers and often times fall into their own management category

Consult Cisco’s UCCE Security Best Practices Guide

Test GPO Changes In The Lab Prior To Production Rollout

Document Changes

• What

• When

• Where

• Why

Page 97

What Are Group Policy Objects?

• What Is A Group Policy?

• Mechanism used to define a set of rules to centrally secure, manage, enforce, and deploy across a group of computers and users

• Common Windows 2008 Group Policy Security Settings

• Limiting an AD user’s administrative authority

• Enforced passwords

• Advanced security through Windows firewall

• User Account Control (UAC)

• Policy Considerations For UCCE Computers and Users OU

• Audit Policies

• Policies that control: passwords, encryption and certificates

• Auto-updates

• Downloads, scans, exclusions

• Consult the UCCE Security Best Practices Guide

Page 98

How Are Group Policies Deployed In Active Directory?

• Group Policy Types

• Local group policies exist on all Windows systems

• Active Directory (AD) group policies are only available in an AD Forest

• Group Policy Editor

• Primary function of this tool is to configure group policy settings within a GPO

• Group Policy Management

• Primary function of this tool is to apply, link, and control GPO behavior within Active Directory forests, domains, and OU’s.

Page 99

What Are Group Policy Objects?

• Most Group Policy Restrictions Do Not Apply To Nor Affect Cisco Root OU

• The Cisco_ICM OU structure does not contain any servers and only contains service account users in the Instance OU

Page 100

Playing Nice With UCCE OU’s and Group Policy Objects

• Applying GPO’s To An OU

• Indirectly via top-down inheritance from a higher-level OU or domain root

• Directly linked within the OU

• Block Policy Inheritance (Indirect GPO)

• Prevents higher-level policies from applying to users and computers within a site, domain, or OU

• This can be overridden if higher-level policies have the “Enforced” option checked

• Preference to have UCCE Root OU directly under the domain root and not nested (if possible)

• No Override – 2003 / Enforced – 2008 (Direct GPO)

• Ensures that the linked GPO is always enabled/enforced

• Notice the ‘padlock’ on the linked policy when it’s Enforced
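An audit, added here and not from the Cisco deck, of what the Block Inheritance and Enforced settings above actually leave applied to an OU, using the GroupPolicy module’s Get-GPInheritance. Run it against the OU that holds the UCCE servers (the Cisco_ICM root OU itself contains no servers); the OU DN is a placeholder.

```powershell
# Added example; not code from the Cisco deck. The OU DN is a placeholder.
Import-Module GroupPolicy

function Get-UcceGpoExposure {
    param([Parameter(Mandatory)] [string]$OuDn)   # e.g. 'OU=UCCE Servers,DC=corp,DC=com'

    $inh = Get-GPInheritance -Target $OuDn
    # Links created directly on this OU (the "Directly linked within the OU" case)
    $direct = @($inh.GpoLinks | Where-Object { $_.Enabled })
    # Effective links whose link target is a parent container (the "indirect" case).
    # InheritedGpoLinks reflects the effective list, as on the GPMC Group Policy Inheritance tab:
    # with Block Inheritance set, a parent link that is still present is there because it is Enforced.
    $fromAbove = @($inh.InheritedGpoLinks | Where-Object { $_.Target -ne $OuDn })
    $enforcedFromAbove = @($fromAbove | Where-Object { $_.Enforced })

    # Nesting depth: the deck prefers the UCCE root OU directly under the domain root.
    $depth = ([regex]::Matches($OuDn, '(?i)(^|,)OU=')).Count

    [pscustomobject]@{
        Ou                 = $OuDn
        NestingDepth       = $depth
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        DirectLinks        = @($direct | ForEach-Object { $_.DisplayName })
        AppliedFromAbove   = @($fromAbove | ForEach-Object { $_.DisplayName })
        EnforcedFromAbove  = @($enforcedFromAbove | ForEach-Object { $_.DisplayName })
        # Block Inheritance is set, yet an Enforced parent link still lands on the OU
        BlockOverridden    = ($inh.GpoInheritanceBlocked -and $enforcedFromAbove.Count -gt 0)
    }
}

$report = Get-UcceGpoExposure -OuDn 'OU=UCCE Servers,DC=corp,DC=com'
$report | Format-List
if ($report.BlockOverridden) {
    Write-Warning "Block Inheritance on $($report.Ou) is overridden by enforced link(s): $($report.EnforcedFromAbove -join ', ')"
}
if ($report.NestingDepth -gt 1) {
    Write-Warning "$($report.Ou) is nested $($report.NestingDepth) OU levels deep; each parent is another source of inherited GPOs to test in the lab."
}
```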

Page 101

Summary

• Demystified How UCCE and Active Directory Works Together

• Alleviated Common Security Concerns

• Security groups

• GPOs

• Domain Manager Used To Create UCCE Root OU Footprint

• Service Account Manager (SAM) Used To Diagnose And Resolve Service Accounts

• User Story Examples Highlight Common Questions Asked

• Cisco forums

• Cisco TAC

• Confidence = Go Forth And Concur!