This package contains: CPSECPEP014S Version 1.0.1 Date: April 22 / 2011

1. PEP Number: CPSECPEP014S Version 1.0.1

Summary:
a). List of CRs resolved in this PEP, section 3.1
b). List of hotfixes installed by this PEP, section 3.2
c). List of registry changes, section 3.3
d). List of services being disabled, section 3.4
e). Disk space requirements, section 4e.
f). Opsware related info, section 9
g). Hotfix checker, section 10

2. Problem Description

This package contains Microsoft hotfixes to be installed on a CallPilot 3.0, 4.0 or 5.0 server. Certain additional OS hardening and enhancements are also made to improve security.

The PEP contains all post-SP2 applicable hotfixes up to and including April 12th, 2011 (up to MS11-034 but excluding IE7 & IE8). It is intended for installation on a system that has Service Pack 2 installed.

Installation can take up to 2 hours depending on your platform and CallPilot release. Less time is needed if anti-virus software is temporarily disabled during installation. This PEP may be installed remotely using pcAnywhere or Remote Desktop.

NOTE: Do not apply this security PEP CPSECPEP014S to CallPilot 4 servers which have already been JITC hardened, since the PEP may weaken some of the security hardening needed for JITC compliance.

KNOWN ISSUE: After installing this PEP, the High Availability Configuration Wizard will get an error "Unable to connect to the registry on server". The workaround for this is to temporarily start the Remote Registry service manually: use the Services applet to set the service to Manual, then start it. (This problem, Q01846574, is resolved in CP5 SU04 and later.)

3.1. List of CRs that are fixed by this PEP
==============================================
wi00858836 New Security PEP needed for CallPilot Servers

Other fixes resolved in the replaced PEPs:
----------------------------------------------
Q01367189 Excessive TCP Keep-Alive LAN traffic with Desktop Messaging
Q01449531 DMI view update sets CPservices to disabled after installing PEP CP202SEC004S
Q01617017 MSI-Format support for CallPilot
Q01638452 CP40404SU04S failed to install on a 703t with CallPilot 4.0 GA
Q01637569 Receiving numerous event 59 and 32 in system log
Q01781913 PEP CPSECPEP009S crashes CallPilot
Q01783689 Need Windows Administrator account to launch CallPilot Manager Homepage
Q01806764 PEP CPSECPEP010S makes many main functions of CallPilot work incorrectly
Q01807104 CPSECPEP010S - Some securities are not added as expectation
Q01807140 Some enhancement securities are not configured properly
Q01807505 Users can configure proxy setting in IE
Q01807989 Service "Help And Support (helpsvc)" is not configured as document mentioned
Q01819385 Cannot login to Support Tools on CP server joined to Domain
Q01819279 Some registries are not added as expected
Q01830619 Wrong service name in readme.txt (TrkSrv)
Q01973128 CPSECPEP011S fails to install on 202i
Q01980200 Application popup after installation of CPSECPEP011S
Q02094497 Microsoft Base Security Analyzer fails after installing CPSECPEP011S
Q02116123 DCOM errors EVENT ID: 10020
Q02133709 DCOM Events 10005 is generated after each reboot

3.2.
List of hotfixes to patch the following Microsoft Bulletins
===========================================================
MS11-034 12.04.2011 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)
MS11-033 12.04.2011 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2485663)
MS11-032 12.04.2011 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)
MS11-031 12.04.2011 Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2510587)
MS11-030 12.04.2011 Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
MS11-029 12.04.2011 Vulnerability in GDI+ Could Allow Remote Code Execution (2412687)
MS11-027 12.04.2011 Cumulative Security Update of ActiveX Kill Bits (2508272)
MS11-026 12.04.2011 Vulnerability in MHTML Could Allow Information Disclosure (2503658)
MS11-024 12.04.2011 Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2506212)
MS11-020 12.04.2011 Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)
MS11-019 12.04.2011 Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)
MS11-018 12.04.2011 Cumulative Security Update for Internet Explorer (2497640)
MS11-014 08.02.2011 Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege (2478960)
MS11-013 08.02.2011 Vulnerabilities in Kerberos Could Allow Elevation of Privilege (2478971)
MS11-011 08.02.2011 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802)
MS11-010 08.02.2011 Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2476687)
MS11-006 08.02.2011 Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution (2483185)
MS11-002 11.01.2011 Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2419635)
MS10-101 14.12.2010 Vulnerability in Windows Netlogon Service Could Allow Denial of Service (2207559)
MS10-099 14.12.2010 Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege (2440591)
MS10-097 14.12.2010 Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution (2443105)
MS10-096 14.12.2010 Vulnerability in Windows Address Book Could Allow Remote Code Execution (2423089)
MS10-084 12.10.2010 Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937)
MS10-083 12.10.2010 Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution (979687)
MS10-082 12.10.2010 Vulnerability in Windows Media Player Could Allow Remote Code Execution (2378111)
MS10-081 12.10.2010 Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2296011)
MS10-076 12.10.2010 Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132)
MS10-074 12.10.2010 Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution (2387149)
MS10-070 28.09.2010 Vulnerability in ASP.NET Could Allow Information Disclosure (2416451)
MS10-069 14.09.2010 Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege (2121546)
MS10-065 14.09.2010 Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2124261)
MS10-063 14.09.2010 Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (981322)
MS10-062 14.09.2010 Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558)
MS10-061 14.09.2010 Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)
MS10-052 10.08.2010 Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)
MS10-051 10.08.2010 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2979403)
MS10-049 10.08.2010 Vulnerabilities in Schannel could allow Remote Code Execution (980436)
MS10-042 13.07.2010 Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)
MS10-041 30.06.2010 Vulnerability in Microsoft .NET Framework Could Allow Tampering (979907)
MS10-040 30.06.2010 Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666)
MS10-033 23.06.2010 Vulnerabilities in Media Decompression Could Allow Remote Code Execution (975562, 978695, 979482)
MS10-029 21.04.2010 Vulnerability in Windows ISATAP Component Could Allow Spoofing (978338)
MS10-026 22.06.2010 Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816)
MS10-020 26.05.2010 Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232)
MS10-019 21.04.2010 Vulnerabilities in Windows Could Allow Remote Code Execution (978601, 979309)
MS10-015 17.03.2010 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)
MS10-013 10.02.2010 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977914, 975560)
MS10-007 09.02.2010 Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)
MS10-005 10.02.2010 Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706)
MS10-001 12.01.2010 Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)
MS09-073 27.01.2010 Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (973904)
MS09-071 09.12.2009 Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)
MS09-069 08.12.2009 Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392)
MS09-061 21.10.2009 Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (953298)
MS09-059 14.10.2009 Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (975467)
MS09-057 13.10.2009 Vulnerability in Indexing Service Could Allow Remote Code Execution (969059)
MS09-056 14.10.2009 Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571)
MS09-053 13.10.2009 Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)
MS09-052 13.10.2009 Vulnerability in Windows Media Player Could Allow Remote Code Execution (974112)
MS09-051 13.10.2009 Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution (954155, 975025)
MS09-048 08.09.2009 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
MS09-046 08.09.2009 Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844)
MS09-044 25.08.2009 Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (958469)
MS09-042 12.08.2009 Vulnerability in Telnet Could Allow Remote Code Execution (960859)
MS09-041 11.08.2009 Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657)
MS09-040 11.08.2009 Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032)
MS09-037 11.08.2009 Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973869, 973507, 973815, 973540, 973354)
MS09-022 17.06.2009 Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
MS09-020 17.06.2009 Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
MS09-015 15.04.2009 Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)
MS09-013 14.04.2009 Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803)
MS09-012 14.04.2009 Vulnerabilities in Windows Could Allow Elevation of Privilege (952004, 956572)
MS09-010 14.04.2009 Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (923561)
MS08-076 09.12.2008 Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (952069)
MS08-071 09.12.2008 Vulnerabilities in GDI Could Allow Remote Code Execution (956802)
MS08-067 23.10.2008 Vulnerability in Server Service Could Allow Remote Code Execution (958644)
MS08-062 14.10.2008 Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)
MS08-049 12.08.2008 Vulnerabilities in Event System Could Allow Remote Code Execution (950974)
MS08-048 12.08.2008 Security Update for Outlook Express and Windows Mail (951066)
MS08-046 12.08.2008 Vulnerability in MS Windows Image Color Management System Could Allow RCE (952954)
MS08-038 08.07.2008 Vulnerability in Windows Explorer could allow remote code execution (950582)
MS08-036 10.06.2008 Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762)
MS08-022 08.04.2008 Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)
MS08-008 12.02.2008 Vulnerability in OLE Automation Could Allow Remote Code Execution (943055)
MS08-007 12.02.2008 Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution (946026)
MS08-005 12.02.2008 Vulnerability in Internet Information Services Could Allow Elevation of Privilege (942831)
MS07-068 11.12.2007 Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569)
MS07-067 11.12.2007 Vulnerability in Macrovision Driver Could Allow Elevation of Privilege (944653)
MS07-061 13.11.2007 Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)
MS07-050 14.08.2007 Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127)
MS07-040 10.07.2007 Vulnerabilities in .NET Framework Could Allow Remote Code Execution (933854)
MS07-039 10.07.2007 Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122)
MS07-034 12.06.2007 Cumulative Security Update for Outlook Express and Windows Mail (929123)
MS07-028 08.05.2007 Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)
MS07-020 10.04.2007 Vulnerability in Microsoft Agent Could Allow Remote Code Execution (932168)
MS07-017 03.04.2007 Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
MS06-078 07.10.2007 Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689, 925398)

KB890830 Windows Malicious Software Removal Tool v.3.18
KB927891 Update for Windows Installer (MSI)
KB942840 Update for Windows Server 2003 (KB942840)
KB936357 A microcode reliability update is available that improves the reliability of systems that use Intel processors
KB968389 Update to help strengthen authentication credentials in specific scenarios
KB946235 Visual Basic 6.0 Service Pack 6 oleaut32.DLL Security Update
KB967715 Update to resolve an issue in which AutoRun features were not correctly disabled
KB973917 Update that implements Extended Protection for Authentication in Internet Information Services (IIS)
KB973688 Update for Microsoft XML Core Services 4.0 Service Pack 2
KB973687 Updates for Microsoft MSXML Core Services 3.0 and MSXML Core Services 6.0
KB973686 Update for MSXML Core Services 6.0 Service Pack 2
KB971737 Description of the update that implements Extended Protection for Authentication in Microsoft Windows HTTP Services (WinHTTP)
KB955759 Microsoft Security Advisory: Description of the AppCompat update for Indeo codec
KB971029 Update to the AutoPlay functionality in Windows
KB957579 Post-installation behavior on client computers after you install the DNS update
KB2524375 Update to resolve an issue which requires an update to the certificate revocation list on Windows systems and to keep your systems certificate list up to date

3.3.
Changing settings for improved security
=======================================
Set threshold for Windows disk full warning to 2 percent
Enable signatures on SMB
Disable updating of Last Access Time by NTFS
Set Event Log sizes, retention policy and guest access
Remote Access Settings - disallow saving password, enable logging, and answer after 5 rings
Remote Access Settings - Authentication Retries 6, Time 2 min, auto disconnect 2 min, KeepConn 5 min
Set KeepAliveTime to 300,000 ms according to MS recommendation
Disable AutoRun on all drives
Set ScreenSaver Grace Period to 0
Make proxy settings per-machine (disallow per-user proxy settings)
Prevent Internet Explorer from automatically downloading new software to update/upgrade itself
Ensure that software update shell notifications are enabled
Tighten the handling of temporary directories used by Terminal Services (Remote Desktop) sessions
Remove Installer Policies key to ensure that no elevated privileges have been given to the Installer
Although the Posix subsystem was already disabled, remove an additional registry key associated with Posix
Remove the default password (used if autologin was configured) from the registry
Enable SafeDllSearchMode to make it harder for an attacker to introduce malicious software in the form of a DLL
Disable Remote Desktop Sharing (as used by Microsoft conferencing products)
Use only machine settings (not per user) for IE Security Zone settings
Tighten restrictions on Remote Desktop Connections
Prevent the installation of Microsoft Messenger Client
Disable PCHealth Error Reporting to Microsoft
Prohibit the use of Internet Connection Sharing
Block the installation of Kernel Mode printer drivers (most printer drivers are not kernel mode today)
Prevent Windows Media Player from automatically downloading and installing new codecs and updates
Disable Messenger Client and Messenger Service software
Registry flag changes to protect against a security issue with the Macromedia Flash Player
Workaround for MS06-041: Modifying the Autodial DLL within the Windows registry will prevent an application, specially crafted website or e-mail message from calling the affected API and exploiting the vulnerability
Workaround for MS06-042: Disable caching of Web content in Internet Explorer
Internet Zone - Control Access to data sources across domains based on the site being browsed
Local Zone - Control Access to data sources across domains
Trusted Sites Zone - Control Access to data sources across domains
Restricted Sites Zone - Ensure Active Scripting has level of protection based on site being accessed
Trusted Sites Zone - Prevent execution of ActiveX controls not marked safe for scripting (prompt)
Local Zone - Prevent execution of ActiveX controls not marked safe for scripting (prompt)
Restricted Sites Zone - Prevent execution of ActiveX controls not marked safe for scripting
Internet Zone - Prevent execution of ActiveX controls not marked safe for scripting (prompt)
Restricted Sites Zone - Ensure Allow META REFRESH has level of protection based on the site being browsed
Internet Zone - Ensure paste operations via script have level of protection based on site being accessed
Local Zone - Ensure paste operations via script have level of protection based on site being accessed
Trusted Sites Zone - Ensure paste operations via script have level of protection based on site being accessed
Restricted Sites Zone - Ensure paste operations via script have level of protection based on site being accessed
Internet Zone - Ensure Display Mixed Content has level of protection based on the site being browsed
Restricted Sites Zone - Ensure Display Mixed Content has level of protection based on the site being browsed
Restricted Sites Zone - Ensure client certificates are not presented to web sites without the user's acknowledgement
Internet Zone - Ensure client certificates are not presented to web sites without the user's acknowledgement
Local Zone - Ensure client certificates are not presented to web sites without the user's acknowledgement
Trusted Sites Zone - Ensure client certificates are not presented to web sites without the user's acknowledgement
Internet Zone - Ensure signed ActiveX controls cannot be downloaded
Local Zone - Ensure signed ActiveX controls cannot be downloaded without prompt
Restricted Sites Zone - Ensure signed ActiveX controls cannot be downloaded
Trusted Sites Zone - Ensure signed ActiveX controls cannot be downloaded without prompt
Internet Zone - Ensure unsigned ActiveX controls cannot be downloaded
Restricted Sites Zone - Ensure unsigned ActiveX controls cannot be downloaded
Local Zone - Ensure unsigned ActiveX controls cannot be downloaded
Trusted Sites Zone - Ensure unsigned ActiveX controls cannot be downloaded
Restricted Sites Zone - Ensure Drag and Drop (and copy/paste) of files has level of protection based on the site being accessed
Internet Zone - Ensure Drag and Drop (and copy/paste) of files has level of protection based on the site being accessed
Ensure IE Error Reporting is disabled since it could send sensitive info to the vendor
Restricted Sites Zone - Ensure file download is disabled
Internet Zone - Prevent download of fonts without a prompt
Restricted Sites Zone - Prevent download of fonts
Ensure user is warned when changing zones
Ensure user is warned when IE form data is redirected to another site
Local Zone - Set to a custom level so other required settings can take effect
Restricted Sites Zone - Set to a custom level so other required settings can take effect
Trusted Sites Zone - Ensure Trusted Sites zone is set to custom level
Ensure IE checks signatures on downloaded programs
Ensure IE warns of invalid certificates
Local Zone - Prevent execution of ActiveX controls not marked safe for scripting
Trusted Sites Zone - Prevent execution of ActiveX controls not marked safe for scripting (set to prompt)
Internet Zone - Prevent execution of ActiveX controls not marked safe for scripting (set to prompt)
Restricted Sites Zone - Prevent execution of ActiveX controls not marked safe for scripting (set to prompt)
Internet Zone - Prevent installation of desktop items
Local Zone - Prevent installation of desktop items without a prompt
Restricted Sites Zone - Prevent installation of desktop items
Trusted Sites Zone - Prevent installation of desktop items without a prompt
Local Zone - Set Java Permissions appropriate for Zone (prompt)
Internet Zone - Set Java Permissions appropriate for Zone
Trusted Sites Zone - Set Java Permissions appropriate for Zone
Restricted Sites Zone - Set Java Permissions appropriate for Zone
Local Zone - Control launching programs and files in IFRAME
Internet Zone - Control launching programs and files in IFRAME
Trusted Sites Zone - Control launching programs and files in IFRAME
Restricted Sites Zone - Control launching programs and files in IFRAME
Internet Zone - Control frames trying to navigate across different domains
Restricted Sites Zone - Control frames trying to navigate across different domains
Restricted Sites Zone - Control the running of ActiveX controls and plug-ins
Internet Zone - Control the scripting of Java applets (prompt)
Restricted Sites Zone - Control the scripting of Java applets
Internet Zone - Control Software Channel permissions
Local Zone - Control Software Channel permissions
Restricted Sites Zone - Control Software Channel permissions
Trusted Sites Zone - Control Software Channel permissions
Restricted Sites Zone - Control submission of non-encrypted form data
Internet Zone - Control submission of non-encrypted form data (prompt)
Restricted Sites Zone - User Authentication - Logon (control how credentials are passed to web sites)
Internet Zone - User Authentication - Logon (control how credentials are passed to web sites)
Local Zone - User Authentication - Logon (control how credentials are passed to web sites)
Trusted Sites Zone - User Authentication - Logon (control how credentials are passed to web sites)
Internet Zone - Control user data persistence
Restricted Sites Zone - Control user data persistence
Enable Cipher setting for Triple DES 168/168 for all protocols
Enable Cipher setting for RC2 128/128 for all protocols
Enable Cipher setting for RC4 128/128 for all protocols
Enable Cipher setting for Skipjack for all protocols
Disable Cipher setting for NULL for all protocols
Enable MD5 and SHA Hashes for all protocols
Ensure IE SSL/TLS parameter allows SSL and TLS to be used from the browser
Disable Internet Printing Protocol
Set DCOM Static Allocation of Endpoints for NMAOS to ncacn_ip_tcp,0,5000 (always use port 5000)
Remove RunAs values in registry
MS06-067 - Prevent the Microsoft DirectAnimation Path ActiveX control from running in Internet Explorer
MS07-011 - Enable Embedded Object Blocking in WordPad
MS07-020 - (Microsoft animated help agent)
MS07-045 - Set "kill bit" for certain COM objects
MS07-047 - Disassociate the WMZ and WMD file extensions (disassociation of WMZ and WMD in Windows prevents previewing or opening WMZ and WMD files in Windows Media Player)
Visa scan result
Remote Desktop/Terminal Services settings:
  Override user settings: End a disconnected session: 1 hour; Active Session Limit: Never; Idle Session Limit: 2 hours
  Encryption level should be set to high
  Disable Windows Print mapping, LPT Port mapping, COM mapping, Audio mapping
MS07-056 - Remove news protocol handler to avoid Outlook news reader vulnerabilities
Disable SSLv2 since it is less secure and clients should be using SSLv3
Disable weak encryption algorithms (RC2 40bit; DES 56 bit; RC4 40bit; RC4 56bit; RC4 64bit)
MS08-008: Disable attempts to instantiate Microsoft Forms 2.0 Image ActiveX Control in IE
MS08-010: Disable COM object instantiation in IE
Internet Zone - .NET: disable running components signed with Authenticode
Internet Zone - .NET: disable running components not signed with Authenticode
RealPlayer ActiveX vulnerability workarounds: Set killbits for rmoc3260.dll version 6.0.10.45 (KB240797)
Close off some unneeded TCP ports by using an IP Security policy (1027, 1031, 1033 and 2019)
Disable JavaScript in Adobe Reader PDF files for the Administrator userid (workaround for multiple security vulnerabilities reported November 2008)
Improved disabling of the AutoRun on all drives
Uninstall unneeded Java Runtime Engine 1.3.1-11 from some CP Servers
Changed permissions on disabled services
Added more auditing to disabled services
Changed Audit Policy - Audit privilege use from Success&Fail to Failure only
Network Access: Remotely accessible registry paths and subpaths
Network Security: LAN manager authentication level
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
User Rights: Deny logon as a batch job
User Rights: Deny logon through Terminal Services
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
System objects: Default owner for objects created by members of the Administrators group
Remote Administration Service set to Disabled
Security Log: Maximum Event log size changed from 16384KB to 81920KB
MSS MinimumDynamicBacklog changed to 20 from 10
File Permissions tightened for several files
Autorun: HonorAutorun setting registry value set
IE hardening and zone settings updated
IIS6 Installation, several settings updated
Restrict permissions on some system tools
Audit failures for the Everyone group for all files/folders on the system drive
Set permissions for all DCOM objects to Administrators F, System F, Users R
Ensure policies are reprocessed even if Group Policy objects have not changed
Protect against Office Web Components vulnerability KB973472
Disable parsing of Quicktime files
Disallow anonymous SID/Name translation
Adobe Reader: disallow opening non-PDF file attachments with external applications
Remove keys related to Remote Administration Service DCOM to fix event 10005 on reboot
Java JRE javaws vulnerability - set kill bit
Prevent Windows Media Player ActiveX control from running in IE (MS10-027 workaround)
Disable HCP protocol
MS10-071 - Set kill bit for CVE-2010-3329
Disable MP3 audio codec usage
Disable MPEG Layer-3 parsing in DirectShow
Disable FTP bounce attack
Disable auto creation of administrative shares
Disable AutoRestartShell to force the user to log out and log back in if a shell component crashes
Adjust file permissions on C:\Windows\Repair
Disable the ASP.NET ISAPI mapping
Tighten file permissions on Wscript.exe and Cscript.exe

3.4. Following services are set to disabled in order to reduce the attack surface
==================================================================================
Application Layer Gateway Service (ALG)
Alerter (Alerter)
Application Management (AppMgmt)
Automatic Updates (wuauserv)
ClipBook (ClipSrv)
DHCP Client (DHCP)
Distributed File System (Dfs)
Distributed Link Tracking Client (TrkWks)
Distributed Link Tracking Server (TrkSvr)
Error Reporting Service (ERSvc)
File Replication (NtFrs)
Help And Support (helpsvc)
Human Interface Device Access (HidServ)
IMAPI CD-Burning COM Service (ImapiService)
Indexing Service (CiSvc)
Intersite Messaging (IsmServ)
Kerberos Key Distribution Center (kdc)
License Logging (LicenseService)
Local Display Manager (saldm)
Messenger (Messenger)
Microsoft Software Shadow Copy Provider (swprv)
NetMeeting Remote Desktop Sharing (mnmsrvc)
Network DDE (NetDDE)
Network DDE DSDM (NetDDEdsdm)
Network Location Awareness (Nla)
Portable Media Serial Number Service (WmdmPmSN)
Print Spooler (Spooler)
Remote Access Auto Connection Manager (RasAuto)
Remote Desktop Help Session Manager (RDSessMgr)
Remote Registry (RemoteRegistry)
Resultant Set of Policy Provider (RSoPProv)
Secondary Logon (seclogon)
Shell Hardware Detection (ShellHWDetection)
Smart Card (SCardSvr)
SNMP Trap Service (SNMPTRAP)
Special Administration Console Helper (sacsvr)
Task Scheduler (Schedule)
Telnet (TlntSvr)
Terminal Services Session Directory (Tssdis)
Themes (Themes)
Uninterruptible Power Supply (UPS)
Upload Manager (uploadmgr)
Virtual Disk Service (vds)
Volume Shadow Copy (VSS)
WebClient (WebClient)
Web Element Manager (elementmgr)
Windows Audio (AudioSrv)
Windows Firewall/Internet Connection Sharing (SharedAccess)
Windows Image Acquisition (stisvc)
WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)
Wireless Configuration (WZCSVC)

3.5. Following service is set to manual in order to reduce the attack surface
==============================================================================
Logical Disk Manager (dmserver)

4. Pre-installation notes

a). Make sure you are installing this PEP on a CallPilot 3.0, 4.0 or 5.0 server.

This PEP replaces the following PEPs if applicable:
--------------------------------------------------
- CP300SEC002S
- CP303SEC003S
- CP303SEC004S
- CP303SEC005S
- CP404SEC003S
- CP404SEC004S
- CP404SEC005S
- CPSECPEP006S
- CPSECPEP007S
- CPSECPEP008S
- CPSECPEP009S
- CPSECPEP010S
- CPSECPEP011S
- CPSECPEP012S
- CPSECPEP013S

The replaced PEPs will be automatically removed from DMI Viewer when CPSECPEP014S is installed.

b). Ensure there is a recent backup available prior to installing this PEP (or split RAID).

c). Make sure the CallPilot server is fully booted before beginning PEP installation. Stop any other applications running on the local console, including all support tools and the CallPilot PEP Maintenance Utility (DMI Viewer).

d). Disable any anti-virus software active on the server prior to installing this PEP. (This makes the PEP install faster.) As a precaution, it is recommended that the CLAN connection be disconnected prior to disabling the anti-virus software.

e). Ensure sufficient free disk space. This PEP needs 680 MB free on C: to start the installation process; actual final disk space consumption is less than 270 MB. Ensure the system has sufficient disk space available to install this PEP.
If required, use the following steps as needed to increase free disk space: -If you set the User Environment Variable TMP (Start -> Control Panel -> System -> Advanced -> Environment Variables) to D:\TEMP\TMP, this will cause the CPSECPEP014S installer to unpack its files onto the D: drive instead of to the default temp folder (C:\Documents And Settings\Administrator\Local Settings\Temp). These actions will reduce the space on C: drive needed during the CPSECPEP014S install to 500 MB. -Verify there is no unauthorized 3rd party software loaded on the CallPilot Server -If Anti-Virus is installed, verify it is installed per the latest version of the bulletin entitled "CallPilot Support for Anti-virus Applications" (current number is P-2009-0039-Global). In particular, for CP4 systems, ensure that AV software is installed on the D: drive. -Clean any large unnecessary files and/or folders off the desktop. Once you have finished cleaning up, empty the recycle bin. -Excessive space may be consumed by other Users. To find large files that are private to other users, using Windows Explorer, select C:\Documents And Settings, then click Search. Do not fill in any file name pattern, and click the "Search" button. This will display all files and folders that exist under this folder. Sort by size. If there are any large files shown, decide if they are needed. Delete them or move them to another partition. Do not delete or move small files or shortcuts. Once you have finished cleaning up, empty the Recycle Bin. - Delete hotfix uninstall folders C:\Windows\$NTUninstallKBnnnnnn$ (where nnnnnn is the Microsoft Knowledge Base article number). Once you have finished cleaning up, empty the Recycle Bin. For example: C:\Windows\$NTUninstallKB913580$ NOTE: Folder KB931836 must remain on the system. Do not delete this folder. -If needed, remove any unnecessary files and folders in the c:\temp or d:\temp folders. 
If an error occurs while attempting to remove a particular file, ignore the error and continue to remove as many other files and folders as possible in the temp folder. Note: do not remove the c:\temp, d:\temp and D:\TEMP\CPSECPEP014S folders themselves. Once you have finished cleaning up, empty the Recycle Bin.

- If there is not enough disk space available on the C: drive, install CPDSKPEP001S. It will recover about 850 MB on the C: drive.

- If needed, use the Windows Disk Cleanup utility to compress old files to save disk space: Click Start -> Programs -> Accessories -> System Tools -> Disk Cleanup. Highlight the C: drive and click OK; Disk Cleanup will analyze C: to determine the amount of space that can be freed. Select [Compress Old Files] in the Description section of the window. [Compress Old Files] is the only item which should be selected. De-select any other items, even if they were selected by default. Click OK and Yes to begin the disk cleanup process.

- If, after following the above steps, there is still not enough disk space available, CallPilot Manager can be removed prior to installing CPSECPEP014S and then re-installed. This uninstall/reinstall will temporarily free up 46 MB on the C: drive and 76 MB on the D: drive. Follow the CallPilot Manager read-me file for uninstall and reinstall instructions.

- If the above actions do not free up enough disk space, a case can be opened to investigate the space issue on a per-site basis.

f). Since Service Pack 1 is not built into CallPilot 3.0 GA systems, PEP CP303SECSP1S needs to be used to install Service Pack 1 prior to installing CPSECPEPSP2S on a CP3 system. SP1 is already built in to CallPilot 4.0 and 5.0 GA systems. PEP CPSECPEPSP2S should be used to install SP2 on a CallPilot 3.0, 4.0 or 5.0 system.

How to identify that Service Pack 2 has already been installed on your system: Open DMI Viewer or the Add/Remove Programs applet and look for the CPSECPEPSP2S record.
If the CPSECPEPSP2S record exists, then Service Pack 2 is installed on your system and you can continue with installation of CPSECPEP014S.

Special note for 202i and 1006r platforms: Service Pack 2 is installed with the CallPilot 5.0 GA system on 202i and 1006r platforms. Therefore you can continue with installation of CPSECPEP014S on the 202i and 1006r platforms.

5. Installing the PEP

NOTE: Please refer to the PDF version of this Readme file under D:\temp\CPSECPEP014S for directions and corresponding screenshots on how to install this PEP.

NOTE FOR INSTALLING ON HIGH AVAILABILITY SERVERS: CallPilot security PEPs do not impact either the database or the MMFS. This is also true for the installation of Microsoft hotfixes directly. Therefore it is possible to install security PEPs and MS hotfixes on the standby server. In order to minimize downtime, the following procedure is recommended (assumes CP1 is initially active, CP2 is initially standby):
1) Install the security PEP (or hotfix) on CP2 and reboot CP2.
2) Once CP2 is fully rebooted, switch the CallPilot resource group from CP1 to CP2.
3) Install the security PEP (or hotfix) on CP1 and reboot CP1.
4) Once CP1 is fully rebooted, if desired, switch the CallPilot resource group back to CP1.

a). Begin installation by double-clicking on CPSECPEP014S.msi.
NOTE: If you run the MSI from a network location (e.g. a shared network drive), you will get an "Open File Security Warning" window asking "Are you sure you want to run this software?". Just click on the Run button to run it.

b). Click on the Next button on the window "Welcome to the InstallShield Wizard for CPSECPEP014S" and continue on to the Readme window. After reading through the readme, select the radio button "I have read the readme.txt" and click on the Next button. On the next window, "Ready to install the Program", click on the Install button to install.
NOTE: In some cases, the PEP will uninstall an unneeded Java Runtime Environment. In this case, you will receive pop-up windows about it.
Please click "Yes" and "OK" when prompted. In other cases, just continue installation as usual.
NOTE: In some cases, the main installation window "Installing CPSECPEP014S" will show up in front of the message box "Installing Hotfixes". That is a glitch of InstallShield; you may click on the message box and bring it to the front. Either way will NOT affect the PEP install process.
NOTE: Total time required will be about 50 minutes depending on your platform and CallPilot release, plus the time to reboot into service.
NOTE: This PEP automatically installs a number of Microsoft hotfixes. Do not close any windows or the PEP might not install successfully.

c). When the PEP installation is complete, a window will be displayed saying "InstallShield Wizard Completed". Click on the "Finish" button to exit the wizard, and then you will be prompted to "Click Yes to restart now or No if you plan to restart later". You need to restart the system for the changes to take effect.
NOTE: Although we don't recommend that you apply this PEP during busy hours, this PEP can be applied to a live server and the reboot can be deferred to a later time.
NOTE: Do not reboot the system until the PEP installation is finished, otherwise the PEP may not be properly registered on the server.

d). If anti-virus software was disabled, check to ensure it is now enabled. Note that it must be properly configured to scan "incoming" files only. See the bulletin P-2009-0039 on configuring anti-virus software for CallPilot.

e). After this PEP has been installed, the first time Internet Explorer is launched a popup may be seen: "Internet Explorer is not the default browser". Simply click to set it to be the default browser. Also, an event log entry may be seen about the Print Spooler not running when a remote desktop session is established. This event can be ignored.

6. Installation Log

File "SecPEP.log" in the root folder of the system drive will contain a log of the actions performed during PEP installation.
In addition, a note will be added to the file "os_ver.txt", also in the root folder of the system drive.

7. PEP Uninstall

Due to the nature of the Microsoft hotfixes contained within this PEP, it cannot be uninstalled. Once applied, if removed from DMI Viewer, only the references to PEP CPSECPEP014S in both DMI Viewer and Windows Add/Remove Programs will be removed. The installation folder CPSECPEP014S under D:\TEMP will also be removed.

8. PEP Reinstallation

If required, this PEP may be installed again without any problem. Rerunning the PEP will reapply hotfixes and other configuration changes. If the PEP is not already in the PEP Utility (DMI Viewer), the PEP entry will be added when the PEP is reinstalled. If the PEP is already listed in the CallPilot PEP Utility (DMI Viewer), it will not be added again to this utility.

9. Special installation instructions for Opsware

No special instructions for installing this PEP via Opsware.

10. Supplemental Information - Verifying Hotfixes

To run the hotfix checker, double-click D:\TEMP\CPSECPEP014S\Checker\CheckHotFixes.bat

NOTE: You may also use the following method to run the Checker: In the Start menu select "Start" > "Run...". The Run dialog appears. Type "D:\TEMP\CPSECPEP014S\Checker\CheckHotFixes.bat" (without quotes) or "D:\TEMP\CPSECPEP014S\Checker\CheckHotFixes.bat current" (without quotes) and press [OK].
NOTE: You may use CheckHotFixes.bat with the "current" parameter to check against the current hotfix list, i.e. a hotfix list downloaded dynamically from Microsoft. This method requires an internet connection to work properly. Without the "current" parameter, the script checks against a hotfix list that was current when the PEP was released; an internet connection is not required in this case.
NOTE: Verifying hotfixes can take up to 20 minutes depending on your platform and CallPilot release.
NOTE: The result (CheckResult.txt) will be opened in Notepad after the batch file execution. The result file contains two sections:
* Installed updates: list of all installed hotfixes.
* Missing Updates: list of missing hotfixes.
NOTE: Some hotfixes from the following list will probably be shown as missing updates:
- Windows Internet Explorer 7 for Windows Server 2003
- Windows Internet Explorer 8 for Windows Server 2003
- Daylight Savings time change (KB2443685)
- Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847)
- (HA only) Security Update for Microsoft .NET Framework, Version 2.0 (KB928365)
- (HA only) Microsoft .NET Framework 2.0 Service Pack 1 (KB110806)
This is normal for this PEP. On HA systems, the missing .NET updates must be installed separately.
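The following script is an added example, not part of the CPSECPEP014S package, showing how the CheckResult.txt output described above can be triaged automatically when many servers have to be verified: it drops the missing updates the readme says are expected, reports the HA-only .NET updates that must be installed by hand on HA servers, and flags anything else as needing attention. It assumes a layout the readme does not spell out, namely that each section is introduced by a line ending in a colon ("Installed updates:", "Missing Updates:") with one update title per line beneath it. The embedded sample result and its KB1111111/KB2222222/KB3333333 numbers are constructed placeholders, not real Knowledge Base numbers.

```python
"""Triage CheckResult.txt from CheckHotFixes.bat after installing CPSECPEP014S.

Added example, not part of the PEP package. Assumes a layout the readme does
not spell out: each section starts with a line ending in ':' ("Installed
updates:", "Missing Updates:") and lists one update title per line.
"""
import re
import sys
from typing import Dict, List, Tuple

# Updates the readme says will probably show as missing on every platform.
# Titles without a KB number are matched on the full title.
EXPECTED_MISSING = {
    "Windows Internet Explorer 7 for Windows Server 2003",
    "Windows Internet Explorer 8 for Windows Server 2003",
    "KB2443685",   # Daylight Savings time change
    "KB951847",    # .NET Framework 3.5 SP1 and .NET 3.5 Family Update
}

# Expected missing only on High Availability systems, where the readme says
# they must be installed separately; on a non-HA server they should be present.
HA_ONLY_MISSING = {
    "KB928365",    # Security Update for .NET Framework 2.0
    "KB110806",    # .NET Framework 2.0 Service Pack 1
}

KB_RE = re.compile(r"KB\d+")


def parse_check_result(text: str) -> Dict[str, List[str]]:
    """Split the result file into sections keyed by lower-cased header."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            # Tolerate "- " or "* " bullets in front of the title.
            sections[current].append(line.lstrip("-* ").strip())
    return sections


def _identity(title: str) -> str:
    """Identify an update by its KB number when it has one, else by title."""
    match = KB_RE.search(title)
    return match.group(0) if match else title


def triage_missing(text: str, high_availability: bool) -> Tuple[List[str], List[str]]:
    """Return (needs_attention, ha_install_separately).

    needs_attention: missing updates the readme does not account for.
    ha_install_separately: the HA-only .NET updates, reported only on HA servers.
    """
    missing = parse_check_result(text).get("missing updates", [])
    needs_attention: List[str] = []
    ha_install_separately: List[str] = []
    for title in missing:
        ident = _identity(title)
        if ident in EXPECTED_MISSING:
            continue
        if ident in HA_ONLY_MISSING and high_availability:
            ha_install_separately.append(title)
            continue
        needs_attention.append(title)
    return needs_attention, ha_install_separately


# Constructed sample of CheckResult.txt; KB1111111/KB2222222/KB3333333 are
# placeholders, not real Knowledge Base numbers.
SAMPLE_RESULT = """\
Installed updates:
Security Update for Windows Server 2003 (KB1111111)
Security Update for Windows Server 2003 (KB2222222)

Missing Updates:
Windows Internet Explorer 8 for Windows Server 2003
Daylight Savings time change (KB2443685)
Security Update for Microsoft .NET Framework, Version 2.0 (KB928365)
Security Update for Windows Server 2003 (KB3333333)
"""


def main(argv: List[str]) -> int:
    """Usage: triage_checkresult.py [CheckResult.txt] [--ha]; exit code 1 if gaps remain."""
    path = next((a for a in argv[1:] if not a.startswith("--")), None)
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_RESULT
    attention, ha_todo = triage_missing(text, high_availability="--ha" in argv)
    for title in ha_todo:
        print("INSTALL SEPARATELY (HA):", title)
    for title in attention:
        print("NEEDS ATTENTION:", title)
    return 1 if attention else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it triages the embedded sample; with a path (and "--ha" on a High Availability server) it reads a real CheckResult.txt copied off the CallPilot server. A non-zero exit code means a hotfix is missing that neither the readme's expected list nor the HA exception explains, which is the case worth a closer look before the server is returned to service.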