This package contains:

Date : May 19/2006

1. PEP Number:
--------------
CP404SEC004S

2. Problem Description:
-----------------------
This package contains Microsoft hotfixes to be installed on a server that has been installed with, or upgraded to, CallPilot 4.0. Certain other changes are also made to improve security.

The PEP contains all applicable hotfixes from the time Windows Server 2003 SP1 was originally released up to and including May 9th, 2006. It is intended for installation on a system that has Service Pack 1 installed.

Installation can take up to 40 minutes. Less time is needed if anti-virus software is temporarily disabled during installation.

This PEP may be installed remotely using pcAnywhere or Remote Desktop.

3. List of PRs that are fixed by this PEP:
-------------------------------------------
- Q01367189  Excessive TCP Keep-Alive LAN traffic with Desktop Messaging
             (addressed by the KeepAliveTime registry setting listed below)

Security Improvements: hotfixes to patch the following Microsoft Bulletins:

--------fixes released between SP1 and GA image---------------
MS05-026  Jun 14/2005  Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
MS05-027  Jun 14/2005  Vulnerability in Server Message Block Could Allow Remote Code Execution (896422)
MS05-028  Jun 14/2005  Vulnerability in Web Client Service Could Allow Remote Code Execution (896426)
MS05-032  Jun 14/2005  Vulnerability in Microsoft Agent Could Allow Spoofing (890046)
MS05-033  Jun 14/2005  Vulnerability in Telnet Client Could Allow Information Disclosure (896428)

--------fixes released after GA image---------------
MS05-036  Jul 12/2005  Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (901214)
MS05-039  Aug 8/2005   Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)
MS05-040  Aug 8/2005   Vulnerability in Telephony Service Could Allow Remote Code Execution (893756)
MS05-041  Aug 8/2005   Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (899591)
MS05-042  Aug 8/2005   Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing (899587)
MS05-045  Oct 11/2005  Vulnerability in Network Connection Manager Could Allow Denial of Service (905414)
MS05-046  Oct 11/2005  Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (899589)
MS05-048  Oct 11/2005  Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution (901017)
MS05-049  Oct 11/2005  Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725)
MS05-050  Oct 11/2005  Vulnerability in DirectShow Could Allow Remote Code Execution (904706)
MS05-051  Oct 11/2005  Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)
MS05-052  Oct 11/2005  Cumulative Security Update for Internet Explorer (896688)
MS05-053  Nov 8/2005   Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)
MS06-001  Jan 10/2006  Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
MS06-002  Jan 10/2006  Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)
MS06-006  Feb 14/2006  Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution (911564)
MS06-007  Feb 14/2006  Vulnerability in TCP/IP Could Allow Denial of Service (913446)
MS06-008  Feb 14/2006  Vulnerability in Web Client Service Could Allow Remote Code Execution (911927)
MS06-013  Apr 11/2006  Cumulative Security Update for Internet Explorer (912812)
MS06-014  Apr 11/2006  Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)
MS06-015  Apr 11/2006  Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)
MS06-016  Apr 11/2006  Cumulative Security Update for Outlook Express (911567)
          Dec 12/2005  Update for Windows Server 2003 (KB910437)
          May 09/2006  Microsoft® Windows® Malicious Software Removal Tool (KB890830)

Microsoft Security Bulletins are available at URLs like this (substitute the bulletin number):
http://www.microsoft.com/technet/security/bulletin/MS03-018.mspx

Significant additional hardening is also applied, including registry permissions and auditing based on the securws4 profile and the Microsoft Windows Server 2003 Security Guide.

--------Changing Registry settings for improved security---------------
- Set threshold for Windows disk full warning to 2 percent
- Enable signatures on SMB
- Disable updating of Last Access Time by NTFS
- Disable automatic creation of 8.3 file names
- Set Event Log sizes, retention policy and guest access
- Remote Access Settings: disallow saving password, enable logging, answer after 5 rings
- Remote Access Settings: Authentication Retries 6, Time 2 min, auto disconnect 2 min, KeepConn 5 min
- Set KeepAliveTime to 300,000 ms according to the Microsoft recommendation
- Disable AutoRun on all drives
- Set ScreenSaver Grace Period to 0
- Do not allow users to configure proxy settings
- Prevent Internet Explorer from automatically downloading new software to update/upgrade itself
- Ensure that software update shell notifications are enabled
- Tighten the handling of temporary directories used by Terminal Services (Remote Desktop) sessions
- Remove the Installer Policies key to ensure that no elevated privileges have been given to the Installer
- Although the Posix subsystem was already disabled, remove an additional registry key associated with Posix
- Remove from the registry the default password that would be used if autologon were configured
- Enable SafeDllSearchMode to make it harder for an attacker to introduce malicious software in the form of a DLL
- Disable Remote Desktop Sharing (as used by Microsoft conferencing products)
- Use only machine settings (not per user) for IE Security Zone settings
- Tighten restrictions on Remote Desktop connections
- Prevent the installation of the Microsoft Messenger client
- Disable PCHealth Error Reporting to Microsoft
- Prohibit the use of Internet Connection Sharing
- Block the installation of kernel-mode printer drivers (most printer drivers are not kernel mode today)
- Prevent Windows Media Player from automatically downloading and installing new codecs and updates
- Disable Messenger client and Messenger Service software
- Registry flag changes to protect against a security issue with the Macromedia Flash Player

--------Additional Internet Explorer Hardening from DoD Gold Disk v2.0 Beta and Desktop Application STIG---------------
- Internet Zone: Control access to data sources across domains based on the site being browsed
- Local Zone: Control access to data sources across domains
- Trusted Sites Zone: Control access to data sources across domains
- Restricted Sites Zone: Ensure Active Scripting has a level of protection based on the site being accessed
- Trusted Sites Zone: Prevent execution of ActiveX controls not marked safe for scripting (prompt)
- Local Zone: Prevent execution of ActiveX controls not marked safe for scripting (prompt)
- Restricted Sites Zone: Prevent execution of ActiveX controls not marked safe for scripting
- Internet Zone: Prevent execution of ActiveX controls not marked safe for scripting (prompt)
- Restricted Sites Zone: Ensure Allow META REFRESH has a level of protection based on the site being browsed
- Internet Zone: Ensure paste operations via script have a level of protection based on the site being accessed
- Local Zone: Ensure paste operations via script have a level of protection based on the site being accessed
- Trusted Sites Zone: Ensure paste operations via script have a level of protection based on the site being accessed
- Restricted Sites Zone: Ensure paste operations via script have a level of protection based on the site being accessed
- Internet Zone: Ensure Display Mixed Content has a level of protection based on the site being browsed
- Restricted Sites Zone: Ensure Display Mixed Content has a level of protection based on the site being browsed
- Restricted Sites Zone: Ensure client certificates are not presented to web sites without the user's acknowledgement
- Internet Zone: Ensure client certificates are not presented to web sites without the user's acknowledgement
- Local Zone: Ensure client certificates are not presented to web sites without the user's acknowledgement
- Trusted Sites Zone: Ensure client certificates are not presented to web sites without the user's acknowledgement
- Internet Zone: Ensure signed ActiveX controls cannot be downloaded
- Local Zone: Ensure signed ActiveX controls cannot be downloaded without a prompt
- Restricted Sites Zone: Ensure signed ActiveX controls cannot be downloaded
- Trusted Sites Zone: Ensure signed ActiveX controls cannot be downloaded without a prompt
- Internet Zone: Ensure unsigned ActiveX controls cannot be downloaded
- Restricted Sites Zone: Ensure unsigned ActiveX controls cannot be downloaded
- Local Zone: Ensure unsigned ActiveX controls cannot be downloaded
- Trusted Sites Zone: Ensure unsigned ActiveX controls cannot be downloaded
- Restricted Sites Zone: Ensure Drag and Drop (and copy/paste) of files has a level of protection based on the site being accessed
- Internet Zone: Ensure Drag and Drop (and copy/paste) of files has a level of protection based on the site being accessed
- Ensure IE Error Reporting is disabled, since it could send sensitive information to the vendor
- Restricted Sites Zone: Ensure file download is disabled
- Internet Zone: Prevent download of fonts without a prompt
- Restricted Sites Zone: Prevent download of fonts
- Ensure the user is warned when changing zones
- Ensure the user is warned when IE form data is redirected to another site
- Local Zone: Set to a custom level so other required settings can take effect
- Restricted Sites Zone: Set to a custom level so other required settings can take effect
- Trusted Sites Zone: Ensure the Trusted Sites zone is set to a custom level
- Ensure IE checks signatures on downloaded programs
- Ensure IE warns of invalid certificates
- Local Zone: Prevent execution of ActiveX controls not marked safe for scripting
- Trusted Sites Zone: Prevent execution of ActiveX controls not marked safe for scripting (set to prompt)
- Internet Zone: Prevent execution of ActiveX controls not marked safe for scripting (set to prompt)
- Restricted Sites Zone: Prevent execution of ActiveX controls not marked safe for scripting (set to prompt)
- Internet Zone: Prevent installation of desktop items
- Local Zone: Prevent installation of desktop items without a prompt
- Restricted Sites Zone: Prevent installation of desktop items
- Trusted Sites Zone: Prevent installation of desktop items without a prompt
- Local Zone: Set Java permissions appropriate for the zone (prompt)
- Internet Zone: Set Java permissions appropriate for the zone
- Trusted Sites Zone: Set Java permissions appropriate for the zone
- Restricted Sites Zone: Set Java permissions appropriate for the zone
- Local Zone: Control launching programs and files in an IFRAME
- Internet Zone: Control launching programs and files in an IFRAME
- Trusted Sites Zone: Control launching programs and files in an IFRAME
- Restricted Sites Zone: Control launching programs and files in an IFRAME
- Internet Zone: Control frames trying to navigate across different domains
- Restricted Sites Zone: Control frames trying to navigate across different domains
- Restricted Sites Zone: Control the running of ActiveX controls and plug-ins
- Internet Zone: Control the scripting of Java applets (prompt)
- Restricted Sites Zone: Control the scripting of Java applets
- Internet Zone: Control Software Channel permissions
- Local Zone: Control Software Channel permissions
- Restricted Sites Zone: Control Software Channel permissions
- Trusted Sites Zone: Control Software Channel permissions
- Restricted Sites Zone: Control submission of non-encrypted form data
- Internet Zone: Control submission of non-encrypted form data (prompt)
- Restricted Sites Zone: User Authentication - Logon (control how credentials are passed to web sites)
- Internet Zone: User Authentication - Logon (control how credentials are passed to web sites)
- Local Zone: User Authentication - Logon (control how credentials are passed to web sites)
- Trusted Sites Zone: User Authentication - Logon (control how credentials are passed to web sites)
- Internet Zone: Control user data persistence
- Restricted Sites Zone: Control user data persistence
- Prevent users from changing advanced settings in IE (commented out for CP5)
- Enable cipher setting for DES 56/56 for all protocols
- Disable cipher setting for NULL for all protocols (STIG says disable it, Beta Gold Disk says enable it)
- Enable cipher setting for Triple DES 168/168 for all protocols
- Enable cipher setting for RC2 128/128 for all protocols
- Enable cipher setting for RC4 128/128 for all protocols
- Enable cipher setting for RC4 64/128 for all protocols
- Enable cipher setting for Skipjack for all protocols
- Enable cipher setting for NULL for all protocols
- Enable MD5 and SHA hashes for all protocols
- Ensure the IE SSL/TLS parameter allows SSL and TLS to be used from the browser
- Disable Internet Printing Protocol
- Set DCOM static allocation of endpoints for NMAOS to ncacn_ip_tcp,0,5000 (always use port 5000)

Note: the cipher list above carries both a "disable" and an "enable" entry for the NULL cipher, reflecting the disagreement between the STIG and the Gold Disk beta. A NULL cipher provides no confidentiality, so the STIG value (disabled) is the one to keep; after installation, confirm the Enabled value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL is 0.

In addition, the following services are set to Disabled in order to reduce the attack surface:
- ALG (Application Layer Gateway Service)
- AppMgmt (Application Management)
- Dfs (Distributed File System)
- TrkWks (Distributed Link Tracking Client)
- ERSvc (Error Reporting Service)
- NtFrs (File Replication)
- helpsvc (Help and Support)
- dmserver (Logical Disk Manager)
- WmdmPmSN (Portable Media Serial Number Service)
- Spooler (Print Spooler)
- RasAuto (Remote Access Auto Connection Manager)
- RSoPProv (Resultant Set of Policy Provider)
- seclogon (Secondary Logon)
- ShellHWDetection (Shell Hardware Detection)
- ScardSvr (Smart Card)
- SNMP (SNMP Service)
- SNMPTRAP (SNMP Trap)
- sacsvr (Special Administration Console Helper)
- Schedule (Task Scheduler)
- UPS (Uninterruptible Power Supply)
- uploadmgr (Upload Manager)
- vds (Virtual Disk Service)
- AudioSrv (Windows Audio)
- WinHttpAutoProxySvc (WinHTTP Web Proxy Auto-Discovery Service)
- WZCSVC (Wireless Configuration)

4. Pre-installation notes:
--------------------------
a). Make sure you are installing this PEP on a server that has been installed with, or upgraded to, CallPilot 4.0.

b). Make sure the CallPilot server is fully booted before beginning PEP installation. Stop any other applications running on the local console, including all support tools and the CallPilot PEP Maintenance Utility (DMI Viewer).

c). Disable any anti-virus software active on the server prior to installing this PEP. (This makes the PEP install faster.) As a precaution, it is recommended that the CLAN connection be disconnected before the anti-virus software is disabled, so the server is not exposed on the LAN while unprotected.

d). Ensure the system has sufficient disk space available to install this PEP. If needed, remove any unnecessary files and folders in the c:\temp or d:\temp folders. If an error occurs while attempting to remove a particular file, ignore the error (the file is probably in use by Windows) but remove as many files and folders in the temp folder as possible. Note: do not remove the c:\temp, d:\temp or D:\TEMP\CP404SEC004S folders themselves. Once you have finished cleaning up, empty the Recycle Bin.

e). Ensure there is a recent backup available prior to installing this PEP. It is always recommended that a backup be performed (or the RAID split) just prior to any server maintenance activity, so that the most recent customer data is available should a restore be needed.

f). The PEP installation is automatic. When it is complete, a dialog box is displayed with the title "CallPilot OS Security PEP Installation Completed". The system reboots into service when the OK button on this dialog is clicked. Note: do not reboot the system until the PEP installation is finished, otherwise the PEP may not be properly registered on the server.

5. Installing the PEP:
----------------------
a). Begin installation by executing CP404SEC004S.exe to extract the files to the D:\TEMP\CP404SEC004S folder.

b). Navigate to the D:\TEMP\CP404SEC004S folder and run "RUNME.BAT" to launch the installer. Note that RUNME.BAT MUST be executed from this exact folder or the PEP install will fail.

c). Click OK to start the installation of the PEP. Total time required will be about 40 minutes, plus the time to reboot into service. Note: this PEP automatically installs a number of Microsoft hotfixes. Do not close any windows or click any buttons while the PEP is being installed, or the PEP will not install successfully.

d). When the PEP installation is complete, a window is displayed with the title "CallPilot OS Security PEP Installation Completed". Click the OK button to reboot the server.

e). If anti-virus software was disabled, check that it is now enabled. Note that it must be properly configured to scan "incoming" files only. See the bulletin on configuring anti-virus software for CallPilot.

6. Installation Log
-------------------
The file "secpep.log" in the root folder of the system drive contains a log of the actions performed during PEP installation. In addition, a note is added to the file "os_ver.txt", also in the root folder of the system drive.

7. PEP Uninstall
----------------
Due to the nature of the Microsoft hotfixes contained within this PEP, it cannot be uninstalled. Once applied, if the PEP is removed from DMI Viewer, only the reference to PEP CP404SEC004S is actually removed; the hotfixes and configuration changes remain in place.

8. PEP Reinstallation
---------------------
If required, this PEP may be installed again without any problem. This reapplies the hotfixes and other configuration changes. If the PEP is not already in the PEP Utility (DMI Viewer), the PEP entry is added when the PEP is reinstalled.

It is possible that one or more popup windows will appear saying that a particular hotfix is not needed. Just click OK and the reinstallation continues.

If the PEP is already listed in the CallPilot PEP Utility (DMI Viewer), it is not added to this utility again. A popup window saying "Setup concludes that no actions needs to be taken" is displayed. This just means that the PEP is already present in the list of installed PEPs and will not be added to the list a second time. Click OK to dismiss the popup and complete the PEP install.

9. Supplemental Information - Verifying HotFixes
------------------------------------------------
Microsoft has released a tool called mbsacli (the command-line interface of the Microsoft Baseline Security Analyzer) that checks a system to ensure that all relevant security hotfixes are present. A version of this tool is provided in the PEP, in the D:\TEMP\CP404SEC004S\HotFixes\Checker folder.

The tool makes use of a catalog file from Microsoft called "mssecure_09May06.cab" (a cab containing the mssecure XML catalog) that tells it which hotfixes are available, when they are needed and how to check for them. The PEP includes the version of this catalog that was current at the time the PEP was created, so the check reflects the May 9th, 2006 baseline and will not report anything Microsoft released after that date.

mbsacli replaces the previous hfnetchk hotfix checker and does a better job of checking hotfixes for the different OS components; "mbsacli /hf" replaces "hfnetchk".

To run the hotfix checker:
- Use Windows Explorer to double-click D:\TEMP\CP404SEC004S\HotFixes\Checker\CheckHotFixes.bat
- Watch for "Patch Not Found" errors, which indicate hotfixes that are needed but are not installed.
- Ignore "Note" messages. These just give some additional information related to a given patch.

Note: the tool may give an error if the CallPilot server is still booting up. If this happens, try running the tool again later.

To display a list of hotfixes that have been explicitly installed on this server:
- Use Windows Explorer to double-click D:\TEMP\CP404SEC004S\HotFixes\Checker\ListHotFixes.bat

NOTE: the list displayed is incomplete. Some hotfixes that are, in fact, installed will not appear in the list. Use the "CheckHotFixes" command to determine whether any needed hotfixes are missing.
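The following PowerShell script is an added example and is not part of the PEP or of the RUNME.BAT / CheckHotFixes.bat / ListHotFixes.bat files it ships with. It complements the mbsacli check in section 9 with a check that the PEP's effects described in sections 3 and 6 are actually present after the reboot: a representative subset of the registry hardening, the services that are supposed to be Disabled, the hotfix registrations for the KB numbers in the bulletin list, and the secpep.log / os_ver.txt records. The registry paths and expected values are the standard Windows Server 2003 locations of the settings named in section 3 (SMB signing, NTFS last-access and 8.3 settings, KeepAliveTime, AutoRun, ScreenSaverGracePeriod, SafeDllSearchMode, the Winlogon DefaultPassword and Installer policy removals, PCHealth error reporting, the NULL SCHANNEL cipher); only settings whose value names are unambiguous from the list are checked, and the function names and the choice of subset are mine. KB890830 (the Malicious Software Removal Tool) is left out of the hotfix check because it is not registered as a hotfix. Hotfix presence is taken from two sources, the HKLM\SOFTWARE\Microsoft\Updates registry tree and WMI Win32_QuickFixEngineering, because section 9 notes that a single listing is incomplete.

```powershell
# Added example, not part of the PEP: verify the effects of CP404SEC004S after the reboot.
# Registry paths are the standard Windows Server 2003 locations of the settings named in
# section 3; expected values follow that list. Run from an administrator PowerShell (2.0+).

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when either the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

# 1. Hardening values from section 3 (representative subset).
#    Expected=$null means the value must be absent, because the PEP removes it.
$RegistryChecks = @(
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name='DiskSpaceThreshold';           Expected=2;      Desc='Disk full warning threshold, percent' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name='EnableSecuritySignature';      Expected=1;      Desc='SMB signing enabled, server side' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name='EnableSecuritySignature';      Expected=1;      Desc='SMB signing enabled, client side' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem';                    Name='NtfsDisableLastAccessUpdate';  Expected=1;      Desc='NTFS last access update disabled' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem';                    Name='NtfsDisable8dot3NameCreation'; Expected=1;      Desc='8.3 name creation disabled' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';             Name='KeepAliveTime';                Expected=300000; Desc='TCP KeepAliveTime in ms (Q01367189)' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name='NoDriveTypeAutoRun';           Expected=255;    Desc='AutoRun disabled for all drive types' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';          Name='ScreenSaverGracePeriod';       Expected='0';    Desc='Screen saver grace period 0' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';          Name='DefaultPassword';              Expected=$null;  Desc='Autologon DefaultPassword removed' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';               Name='SafeDllSearchMode';            Expected=1;      Desc='SafeDllSearchMode enabled' },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';                  Name='AlwaysInstallElevated';        Expected=$null;  Desc='Installer policy key removed' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\PCHealth\ErrorReporting';                     Name='DoReport';                     Expected=0;      Desc='PCHealth error reporting disabled' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL'; Name='Enabled'; Expected=0; Desc='NULL cipher disabled (STIG value; section 3 lists both)' }
)

function Test-PepHardening {
    foreach ($c in $RegistryChecks) {
        $actual = Get-RegValue $c.Path $c.Name
        if ($c.Expected -eq $null) { $ok = ($actual -eq $null) }                       # must be absent
        else { $ok = ($actual -ne $null) -and ("$actual" -eq "$($c.Expected)") }     # string compare covers DWORD and REG_SZ
        New-Object PSObject -Property @{ Check=$c.Desc; Expected=$c.Expected; Actual=$actual; Pass=$ok }
    }
}

# 2. Services the PEP sets to Disabled (section 3 list, plus the Messenger service named separately).
$DisabledServices = 'ALG','AppMgmt','Dfs','TrkWks','ERSvc','NtFrs','helpsvc','dmserver','WmdmPmSN',
    'Spooler','RasAuto','RSoPProv','seclogon','ShellHWDetection','ScardSvr','SNMP','SNMPTRAP',
    'sacsvr','Schedule','UPS','uploadmgr','vds','AudioSrv','WinHttpAutoProxySvc','WZCSVC','Messenger'

function Test-PepServices {
    foreach ($svc in $DisabledServices) {
        # Start = 4 is Disabled. A service that is not installed at all ($null) also passes.
        $start = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" 'Start'
        New-Object PSObject -Property @{ Service=$svc; StartType=$start; Pass=(($start -eq $null) -or ($start -eq 4)) }
    }
}

# 3. KB numbers from the bulletin list in section 3 (KB890830, the Malicious Software Removal
#    Tool, is omitted: it does not register as a hotfix).
$PepKBs = '896358','896422','896426','890046','896428','901214','899588','893756','899591','899587',
          '905414','899589','901017','900725','904706','902400','896688','896424','912919','908519',
          '911564','913446','911927','912812','911562','908531','911567','910437'

function Get-InstalledKBs {
    # Union of the Updates registry tree and WMI; neither source is complete on its own.
    $found = @{}
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Updates' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.PSChildName -match '^KB(\d{6})') { $found[$matches[1]] = $true } }
    Get-WmiObject Win32_QuickFixEngineering -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.HotFixID -match '^(?:KB|Q)(\d{6})') { $found[$matches[1]] = $true } }
    return $found
}

function Test-PepHotfixes {
    $installed = Get-InstalledKBs
    foreach ($kb in $PepKBs) {
        New-Object PSObject -Property @{ KB="KB$kb"; Pass=$installed.ContainsKey($kb) }
    }
}

# 4. Section 6: secpep.log and a CP404SEC004S note in os_ver.txt, both in the root of the system drive.
function Test-PepLog {
    $log = Join-Path ($env:SystemDrive + '\') 'secpep.log'
    $ver = Join-Path ($env:SystemDrive + '\') 'os_ver.txt'
    $hasLog = Test-Path $log
    $hasVer = (Test-Path $ver) -and (Select-String -Path $ver -Pattern 'CP404SEC004S' -Quiet)
    New-Object PSObject -Property @{ SecpepLog=$hasLog; OsVerMentionsPep=$hasVer; Pass=($hasLog -and $hasVer) }
}

function Invoke-PepVerification {
    $all    = @(Test-PepHardening) + @(Test-PepServices) + @(Test-PepHotfixes) + @(Test-PepLog)
    $failed = @($all | Where-Object { -not $_.Pass })
    $failed | Format-List | Out-String | Write-Host          # only the failing checks are printed
    Write-Host ("{0} of {1} checks failed." -f $failed.Count, $all.Count)
    return $failed.Count
}

exit (Invoke-PepVerification)   # non-zero exit code when anything is missing
```

Run it after the post-install reboot and after mbsacli has been run; the two checks are complementary, since mbsacli knows only about hotfixes and nothing about the registry and service changes. A non-zero exit code identifies the failing items in the printed list; a hotfix reported missing here but found by mbsacli is worth a manual look at the registry, since the two tools read different records.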