c Configure Security Account Delegation in Active Directory (Computers folder) for each machine that
has SQL (or MSDE) installed. Select Trust computer for delegation on the General property page.
Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0
1
SQL Server Hardening
Top SQL Hardening Considerations
d Have a Domain Administrator configure Security Account Delegation using the SetSPN utility from the Windows Server 2008 R2 resource kit to set a Service Principal Name as follows:
List the existing SPN for the machine by typing the following at a command prompt: setspn -L <machine>
Delete any existing SPN for the MSSQLSvc entry by typing the following at a command prompt: [1]
setspn -D "MSSQLSvc/<machine:port> <serviceaccountname>" <machine>
Create a new SPN entry for the MSSQLSvc entry by typing the following at a command prompt:
setspn -A "MSSQLSvc/<machine:port> <serviceaccountname>" <machine>
e Add the newly-created domain user account to the NTFS permissions for the Operating System and
data partitions at the root level (For example, C:\). Allow all permissions, except Full Control.
Note The SQL Server 2008 R2 automated hardening utility, and the ICMDBA tool, automatically ensure that
this permission is appropriately granted.
f Finally, add the newly-created domain user account to the Registry permissions for the
HKEY_LOCAL_MACHINE\Software, HKEY_LOCAL_MACHINE\System and HKEY_USERS
hives, giving it Full Control.
g From the SQL Server Configuration Manager (for SQL Server 2008 R2), configure the SQL Server service to run as the domain user account created in Step a (for example, <domain>\SQLServiceAcct).
6 SQL Server Agent Service must be enabled and set to Automatic for database maintenance functioning
in Unified ICM.
Note Applying SQL Server security updates or hotfixes can require that you disable the SQL Server Agent
service. Reset this service to disabled before performing the update. When the update has completed,
stop the service and set it back to enabled.
7 Use NTFS directory security with EFS for SQL Server data directories. EFS must be set while logged in under the account credentials that the SQL service runs under (for example, <domain>\SQLServiceAcct). From the Local Policy editor, temporarily grant the Log on locally privilege to this account to enable EFS, then remove this right after signing out.
Warning Only enable EFS if data theft is a concern; there is a performance impact.
Note In order to copy and send the data to other parties, back up the database to a different directory that is not
encrypted to ensure that the receiving party is able to read the data in the backup. This backup can be
accomplished by backing up the database from the SQL Server Enterprise Manager.
[1] The string inside quotes must match exactly what is seen in the List command: setspn -L <machine>
10 Block TCP port 1433 and UDP port 1434 at the firewall except for when the Administration & Data Server
is not in the same security zone as the Logger.
11 Provide protection with good housekeeping:
a Run the KillPwd utility to remove password data from setup files. Detailed instructions on how to run
this utility can be found in the Microsoft article KB 263968.
b Delete or secure old setup files: Delete or archive the following files after installation: sqlstp.log, sqlsp.log, and setup.iss in the <systemdrive>:\Program Files\Microsoft SQL Server\MSSQL\Install folder for a default installation, and the <systemdrive>:\Program Files\Microsoft SQL Server\MSSQL$<Instance Name>\Install folder for named instances.
If the current system is an upgrade from SQL Server 7.0, delete the following files: setup.iss in the %Windir% folder, and sqlsp.log in the Windows Temp folder.
12 Change the recovery actions of the Microsoft SQL Server service to restart after a failure.
13 Remove all sample databases, for example, Pubs and Northwind.
14 Enable auditing for failed logins.
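As an added example that is not part of the Cisco guide, the following T-SQL verifies items 13 and 14 on a SQL Server 2008 R2 instance: it looks for the sample databases named above and reads and sets the login audit level. It assumes sysadmin rights; the registry path is the instance key that xp_instance_regwrite resolves itself, and AuditLevel 2 is the value for failed logins only.

```sql
-- Added example, not from the Cisco guide. Run as a member of sysadmin.

-- Item 13: sample databases named in the guide should not exist on a production instance.
SELECT name, create_date
FROM sys.databases
WHERE name IN (N'pubs', N'Northwind');

-- Drop a sample database only after confirming nothing depends on it.
-- Northwind is used here; repeat for pubs if the query above lists it.
IF DB_ID(N'Northwind') IS NOT NULL
BEGIN
    ALTER DATABASE Northwind SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
    DROP DATABASE Northwind;
END;

-- Item 14: show the current login audit level ('none', 'success', 'failure' or 'all').
EXEC master.dbo.xp_loginconfig N'audit level';

-- Set the instance to audit failed logins. AuditLevel: 0 = none, 1 = successful,
-- 2 = failed, 3 = both. xp_instance_regwrite maps this path to the running instance's
-- own registry key, so the same statement works for default and named instances.
-- The new level takes effect after the SQL Server service is restarted.
EXEC master.dbo.xp_instance_regwrite
    N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel',
    REG_DWORD,
    2;
```

After the service restart, re-run xp_loginconfig and expect 'failure'; failed logins then appear in the SQL Server error log and the Windows Application event log.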
Setting                     Value
Enforce Password History    24 passwords remembered
Account Lockout Threshold   3 invalid logon attempts
Note The service account password must explicitly be set to Not expire.
Mixed mode authentication is enforced through SQL Server 2008 R2 automated hardening.
During web setup, if the sa password is blank, a randomly generated strong password is generated and used
to secure the sa account.
Important This randomly generated sa password is displayed only once during the install. Make note of the password
because it is not presented again.
You can reset the sa account password after installation by logging on to the SQL Server using a Windows
Local Administrator account.
change anything. The Rollback option allows you to return to the state of SQL services and features that existed before you applied the last hardening.
The SQL Server Security Hardening utility is launched via Setup, by default, to harden the SQL Server security.
However, you can run it manually.
Utility Location
The utility is located at:
%SYSTEMDRIVE%\CiscoUtils\SQLSecurity
Note The following security hardening settings are not removed when:
1 SQL Server security mode is currently set to Windows Only Authentication.
2 SQL Server user sa is set to random password.
3 SQLVSSWriter, SQLBrowser, and MSSQLServerADHelper100 services are disabled.
You can roll back these settings manually using the SQL Server Management Studio tool.
No Argument
If you use no argument with the command line, the help appears.
Output Log
All output logs are saved in the file:
%SYSTEMDRIVE%\CiscoUtils\SQLSecurity\Logs\ICMSQLSecurity.log
Note The SQL Server Security Hardening utility checks for the availability and order of these endpoints. Disable access to all endpoints that are not required. For instance, deny connect permission on the VIA endpoint for all users/groups who have access to the database.
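As an added example (not the guide's or the hardening utility's code), this T-SQL inventories the instance's endpoints and the CONNECT permissions granted on them, then denies CONNECT on the VIA endpoint. It assumes sysadmin rights and that the VIA endpoint carries the SQL Server 2008 R2 system name [TSQL Default VIA]; confirm that name in the first query's output before running the DENY.

```sql
-- Added example, not from the Cisco guide. Run as a member of sysadmin.

-- 1. Inventory the endpoints: name, protocol and whether each one is started.
--    VIA is not needed by Unified ICM, so it should be STOPPED/DISABLED or denied below.
SELECT endpoint_id, name, protocol_desc, type_desc, state_desc, is_admin_endpoint
FROM sys.endpoints
ORDER BY endpoint_id;

-- 2. Who holds permissions on each endpoint?
--    In sys.server_permissions, class_desc = 'ENDPOINT' and major_id = endpoint_id.
SELECT e.name         AS endpoint_name,
       pr.name        AS grantee,
       pr.type_desc   AS grantee_type,
       sp.permission_name,
       sp.state_desc  AS grant_or_deny
FROM sys.server_permissions AS sp
JOIN sys.endpoints          AS e  ON sp.major_id = e.endpoint_id
JOIN sys.server_principals  AS pr ON sp.grantee_principal_id = pr.principal_id
WHERE sp.class_desc = 'ENDPOINT'
ORDER BY e.name, pr.name;

-- 3. Deny CONNECT on the VIA endpoint to public. Every login belongs to public, so this
--    covers all users/groups with access to the database (sysadmin members bypass
--    permission checks). Guarded so the script does nothing on an instance where the
--    endpoint is named differently.
IF EXISTS (SELECT 1 FROM sys.endpoints WHERE name = N'TSQL Default VIA')
    DENY CONNECT ON ENDPOINT::[TSQL Default VIA] TO public;
ELSE
    PRINT N'VIA endpoint not found under the expected name; check the inventory above.';

-- 4. Re-run step 2: a DENY row for public on the VIA endpoint should now be present.
```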