
Page 1: MynaVoice Recording 6.7 - Hardening Manual

Version: 6.7

Date: 1 November 2019

HARDENING MANUAL

MynaVoice Recording

Page 2: MynaVoice Recording 6.7 - Hardening Manual

Information in this document is subject to change without notice and does not represent a commitment on the part of River Projects International Ltd. The systems described in this document are furnished under a license agreement or nondisclosure agreement.

All information included in this document, such as text, graphics, photos, logos and images, is the exclusive property of River Projects International Ltd. and protected by United States and international copyright laws.

Permission is granted to view and photocopy (or print) materials from this document for personal, non-commercial use only. Any other copying, distribution, retransmission or modification of the information in this document, whether in electronic or hard copy form, without the express prior written permission of River Projects International Ltd., is strictly prohibited. In the event of any permitted copying, redistribution or publication of copyrighted material, no changes in, or deletion of, author attribution, trademark legend or copyright notice shall be made.

All contents of this document are: Copyright © 2019 River Projects International Ltd. All rights reserved.

MynaVoice marks are the trademarks or registered trademarks of River Projects International Ltd. All other marks used are the property of their respective proprietors.

For assistance, contact your local supplier or nearest MynaVoice Support Desk.

For more information about MynaVoice, visit www.mynavoice.com/extranet.

This manual was created by MynaVoice, Alkmaar, The Netherlands.

Page 3: MynaVoice Recording 6.7 - Hardening Manual

CONTENTS

1: Introduction 7

Hardening 7

Scope 7

Intended Audience 7

Conventions and Symbols 8

Windows Versions in This Manual 8

2: Configuring the Firewall 9

Introduction 9

Port Scanning 10

Which List Do I Use for Configuring Ports? 10

Core Server 13

Core Server: Additional Ports 15

Core Server with Channels 17

Core Server with Channels: Additional Ports 18

Core Server with Channels and CTI 20

Core Server with Channels and CTI: Additional Ports 22

Core Server with CTI 24

Core Server with CTI: Additional Ports 25

Satellite 27

Satellite: Additional Ports 28

Satellite with CTI on One System 29

Satellite with CTI: Additional Ports 30

CTI Server 32

CTI Server: Additional Ports 33

CDR Server 34

Fusion Server 35

MynaVoice Recording 6.7

HARDENING MANUAL - 1 November 2019

- 3 -

Page 4: MynaVoice Recording 6.7 - Hardening Manual

3: Antivirus and 3rd Party Software Exclusions 37

Introduction 37

Antivirus and Other Software Exceptions 38

MynaVoice Core Server (With or Without Channels or CTI) 38

MynaVoice Satellite 41

MynaVoice CTI Server 43

MynaVoice Fusion Server 44

4: System Hardening 45

Installed MynaVoice Recording Services 46

MynaVoice Recording Services - Core Server 48

MynaVoice Recording Services - Satellite 50

MynaVoice Recording Services - CTI Server 51

Required Windows Services 52

Windows Data Execution Prevention (DEP) 54

SMB Signing 54

E-mail Filtering 54

Local or Group Policy Security Settings 55

Group Policy Security Settings 55

Local Security Settings 56

Enabling IPsec Encryption 58

Configure Transport Encryption for File Shares 69

5: Web Server Security 73

Supported Security Versions 74

TLS (SSL) Security 76

SSL Certificates 76

Enabling TLS Security 77

SSL Certificate Settings 78

Enabling HTTP Only and Secure Cookies 83

Enable HTTPOnly Cookies Using URL Rewrite 2.1 84

Enable Secure Cookies Using URL Rewrite 2.1 90

Preventing Cross Frame Scripting 96

Hiding Version Information in the Server Header 98


Page 5: MynaVoice Recording 6.7 - Hardening Manual

Remove the X-Powered-By Header 103

Enforcing Account Lockout (MynaVoice) 106

6: Web Client Internet Explorer Policy 109

Internet Explorer Security Level 110

Required Security Settings 111

Real-time Play 112

Setting Satellite Access to External Communication 113

Removing Temporary Internet Files 118

Cleaning the Cache Folder 118

Configuring Cache Control Using IIS (on Core Server) 120

7: Vulnerability 123

Heartbleed 123

POODLE 123

Shellshock 125

A: Terminology 127


Page 6: MynaVoice Recording 6.7 - Hardening Manual

[This page intentionally left blank]

Page 7: MynaVoice Recording 6.7 - Hardening Manual

1: Introduction

Hardening

This document contains procedures you can follow and measures you can take to eliminate security risks from your Operating System (OS) and network.

Antivirus programs and spyware blockers prevent malicious software from running on a machine or network, but the machine or network can still be vulnerable to outside access with malicious intent. Securing an OS or network, commonly known as "hardening", minimizes this vulnerability, prevents "back-door" access, and protects against attacks from outside.

Hardening is typically done by removing all non-essential software, utilities and services, limiting access to system partitions and the registry, applying encryption, and the like.

Scope

The procedures and settings in this manual are compatible with MynaVoice Recording 6.7 and its integrations.

Information contained in this manual might change, particularly as a result of the continual upgrading of MynaVoice Recording and third-party software such as Microsoft Windows and MySQL. The documentation does not entail any guarantee with respect to the items described in the manual. The general description of security measures in this manual might not entirely apply in your individual case. If in doubt, contact the MynaVoice Support Desk.

Intended Audience

This manual is intended for engineers responsible for securing the systems on which MynaVoice Recording 6.7, Fusion, other MynaVoice applications and/or any of the MynaVoice integrations have been installed.

Such an engineer must be qualified as a MynaVoice Certified Implementation Engineer or MynaVoice Certified Support Engineer, having successfully completed the required MynaVoice training courses, or have equivalent education/experience.

For details, see www.mynavoice.com/extranet.


Page 8: MynaVoice Recording 6.7 - Hardening Manual

It is assumed that the user of this manual has knowledge about the following:

- Windows Server 2012 R2 and/or 2016
- MynaVoice Recording version 6.7
- MynaVoice CTI or CDR integrations (if applicable)

Conventions and Symbols

You will see the following symbols in this manual:

- Important! - for system-critical information
- NOTE: - a general remark or reference to another document
- TIP: - a reference to other useful information

Windows Versions in This Manual

This manual shows mainly screenshots made in Windows 2016, and some in Windows 2012 R2. The screens of Windows Server 2016, 2012 R2 and 2008 R2 have a (slightly) different look and feel, but have identical contents. Wherever the procedures of the various Windows versions differ from each other, this is either noted, or separate procedures are included.


Page 9: MynaVoice Recording 6.7 - Hardening Manual

2: Configuring the Firewall

Introduction

A firewall is a network security system that controls the incoming and outgoing network traffic based on a set of rules. It is intended to be a barrier between a trusted, secure internal network and another network such as the Internet.

What is a port?

A software or network port is a (virtual) location that information is sent through. Ports are used by the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP), and are identified by a 16-bit number. Network ports are normally closed: they are blocked by the firewall.

For proper communication between the systems of MynaVoice Recording and the customer's telephony or trading systems, a number of ports must be "opened".

Ports for MynaVoice Recording

The ports on each system that must be configured as open ports are listed below. They are sorted on the basis of the recording system configuration, which consists of a combination of "roles".

For each configuration you also find the port numbers used when the following applications are installed:

- EMC Archiving
- Resilience
- Core API
- Fusion

Some of these applications require separate servers as well. The ports for these servers are listed too.


Page 10: MynaVoice Recording 6.7 - Hardening Manual

Internal ports

'INTERNAL' ports are only used on the system itself (local host). Normally, you do not need to configure these.

However, when installing other components that use the same ports, conflicts can occur. For example, when using 'Windows 2003 R2 Small Business Edition' a port conflicts with the 'lsass' Windows service.

You can avoid problems by starting the MynaVoice services before this other service is started.

Port Scanning

MynaVoice Recording supports port scanning to verify the security policies of the network, but only when performed in a controlled manner. This means the scanning speed and intensity must match the network's specifications. It is recommended, as best practice, to run the port scans outside office hours, at a low speed (e.g. 'Low Performance' in the Qualys tool).

Which List Do I Use for Configuring Ports?

Important! Only an authorized person is allowed to configure the firewall settings.

The ports listing below includes all generic ports. For integration-specific ports, e.g. from the link controller to the PBX or Trading system, refer to the specific integration manual.

Select the applicable recording system configuration, and give the corresponding list(s) to the customer's system/network administrator.

Instructions for configuring Windows Firewall can be found at Microsoft Networking and Access Technologies.

Active and Passive IP Recording

Configuration 1: Core Server with Recording Channels and an integrated CTI Server

See Core Server with Channels and CTI on page 20

Configuration 2: Core Server with integrated CTI Server and separate satellite(s)

See Core Server with CTI on page 24 and Satellite on page 27


Page 11: MynaVoice Recording 6.7 - Hardening Manual

Configuration 3: Core Server with a separate CTI Server and Satellite(s)

See Core Server on page 13, CTI Server on page 32 and Satellite on page 27

Configuration 4: Core Server with Recording Channels and separate CTI Server

See Core Server with Channels on page 17 and CTI Server on page 32

Configuration 5: Core Server with separate Satellites and CTI on a satellite

See Core Server on page 13 and Satellite with CTI on One System on page 29


Page 12: MynaVoice Recording 6.7 - Hardening Manual

CDR

Dedicated CDR server: see section CDR Server on page 34.

CDR functionality installed on another role: see the corresponding configurations with CTI functionality.


Page 13: MynaVoice Recording 6.7 - Hardening Manual

Core Server

Configure the following ports on a MynaVoice Recording Core Server without channels or CTI.

For systems that combine a Core Server with other roles, see the applicable section:

- Core Server with Channels on page 17
- Core Server with Channels and CTI on page 20
- Core Server with CTI on page 24

Basic

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 25 | SMTP | OUT | Error Core | To customer's e-mail server |
| 80 | HTTP | IN | Web Service Client connections | Web User Login. For HTTPS, replace this port by port 443 |
| 123 | NTP | OUT | OS (Time sync) | Network Time Synchronization, if applied |
| 162 | UDP | OUT | Error Core | To (any) SNMP traps receiver |
| 443 | HTTPS | OUT | Web Service Client connections | Web User Login. For HTTP, replace this port by port 80 |
| 445 | TCP | IN/OUT | CyberTech Content Manager Archiving | Communication with archive servers. NOTE: This port is part of the SMB protocol. SAMBA or Windows networking/file sharing is a service consumed by the Content Manager; its configuration cannot be controlled by MynaVoice. |
| 3306 | TCP | IN | MySQL Service | Database |
| 6003 | TCP | IN | DBI Client | Audio transfer from channels to Core Server |
| 6004 | TCP | OUT | Monitor Tool | Informs Monitor Tool about status of channels |
| 6005 | TCP | IN | Web Service Client connections | Web User: Channel overview |
| 6006 | TCP | IN | DBI Client | Channel overview |
| 7780 | TCP | IN/OUT | CyberTech.SystemOverview.WebService | Queries Node Agents on MynaVoice systems |
| 7950 | TCP | IN/OUT | Connectivity.Media Delivery service | External access of the Media Delivery service by Core API. |
| 8007 | TCP | IN | Configuration Management | Listens for inbound messages of configuration management. NOTE: Port not required if this service is disabled |

INTERNAL Ports

You do not need to configure these ports in the firewall. Use this information in case of port conflicts.

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 7002 | TCP | IN | Fault Manager | SNMP traps and alarms |
| 7800 | TCP | IN | Media Manager | Port must be opened if Compass is installed |
| 8003 | TCP/UDP | IN | | Internal WCF communication |

Table 2-1: Open Port Configuration: MynaVoice Recording Core Server


Page 15: MynaVoice Recording 6.7 - Hardening Manual

Core Server: Additional Ports

Depending on the applications installed on this MynaVoice Core Server, configure the following ports in addition:

EMC Archiving

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 3218 | TCP/UDP | IN/OUT | EMC Archiving | Between Core Server and EMC |

Resilience

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 4251 | TCP | IN/OUT | Core Server Resilience | Connection events |
| 4252 | TCP | IN/OUT | Core Server Resilience | Connection with slave Core Server: Failover messages. Agent events |
| 4255 | TCP | IN/OUT | Core Server Resilience | When CSR Support Tool is used |

Recorder API

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 8024 | TCP | IN | Cybertech Recorder API | Default port number to be used for TCP/IP remoting connections to the recorder API server |

Core API

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 7001 | TCP | IN | Core API V1 Content Manager | Core Content Manager API |
| 7002 | TCP | IN | CyberTech MAX UserManager | UserManager API |
| 7003 | TCP | IN | Core API V1 UserManager | Core UserManager API |
| 7500 | TCP | IN | Core API V2 Interface | Communication between Fusion and MynaVoice. |
| 7702 | TCP | IN | Core API V1 SystemManager | Core SystemManager API |
| 7703 | TCP | IN | Core API V1 SystemManager | MAX SystemManager Client Component |
| 7710 | TCP | IN | Core API V1 SystemManager | Core Recorder Information API. |

Fusion

Requires all Core API ports, plus:

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 7004 | HTTP | IN | CyberTech MAX UserManager | Core UserManager JSON API |
| 7711 | TCP | IN | CyberTech MAX SystemManager | Core Recorder Information API. |

Additional INTERNAL Ports

You do not need to configure these ports in the firewall. Use this information in case of port conflicts.

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 4250 | TCP | IN | Host communication | If RESILIENCE is applied |
| 7006 | TCP | IN | Core API V1 SystemManager | Fusion - Redundancy API |
| 7701 | TCP | OUT | Core API V1 SystemManager | Fusion - Fetch node configuration |
| 7705 | TCP | IN | Core API V1 UserManager | Fusion - Core SM Client Component |
| 7707 | TCP | IN | CyberTech MAX ContentManager | Fusion - Core SM Client Component |
| 7712 | TCP | IN | Recorder configuration service | To Core API |

Table 2-2: Open Port Configuration: Applications on Core Server


Page 17: MynaVoice Recording 6.7 - Hardening Manual

Core Server with Channels

Configure the following ports on a MynaVoice Recording Core Server with channels, and a separate dedicated CTI Server.

For a Core Server that has channels and a CTI role installed, see section Core Server with Channels and CTI on page 20.

Basic

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 25 | SMTP | OUT | Error Core | To customer's e-mail server |
| 80 | HTTP | IN | Web Service Client connections | Web User Login. For HTTPS, replace this port by port 443 |
| 123 | NTP | OUT | OS (Time sync) | Network Time Synchronization, if applied |
| 162 | UDP | OUT | Error Core | To (any) SNMP traps receiver |
| 443 | HTTPS | OUT | Web Service Client connections | Web User Login. For HTTP, replace this port by port 80 |
| 445 | TCP | IN/OUT | CyberTech Content Manager Archiving | Communication with archive servers. NOTE: This port is part of the SMB protocol. SAMBA or Windows networking/file sharing is a service consumed by the Content Manager; its configuration cannot be controlled by MynaVoice. |
| 3306 | TCP | IN | MySQL Service | Database |
| 4245 * | TCP | IN | CTI: CTI Receiver | From Call controller on CTI Server |
| 4345 * | TCP | IN | CTI: Satellite Controller | From Call controller on CTI Server |
| 6001 | TCP | IN | Web Service Client connections | Web User: Real-time play |
| 6002 | UDP | IN/OUT | Web Service Client connections | Web User: Real-time play |
| 6005 | TCP | IN | Web Service Client connections | Web User: Channel overview |
| 7780 | TCP | IN/OUT | SystemOverview.Webservice | Queries Node Agents on MynaVoice systems |
| 7950 | TCP | IN | Connectivity.MediaDelivery.Service | External access of the Media Delivery service by Core API. |
| 8007 | TCP | IN | Configuration Management | Port not required if this service is disabled |
| 10002-10401 | UDP | IN | Active IP Recording Audio | On a Core Server with 200 channels. Required number of ports = number of channels * 2. Always start with port 10002 |

INTERNAL Ports

You do not need to configure these ports in the firewall. Use this information in case of port conflicts.

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 6003 | TCP | IN | DBI Client | Audio transfer from channels to Core Server |
| 6004 | TCP | OUT | Monitor Tool | Informs Monitor Tool about status of channels |
| 6006 | TCP | IN | | Channel overview |
| 7002 | TCP | IN | Fault Manager | SNMP traps and alarms |
| 7800 | TCP | IN | Media Manager | Port must be opened if Compass is installed |
| 8003 | TCP/UDP | IN | | Internal WCF communication |

* CTI integrations only. If your recording integration has CDR functionality or a dedicated CDR Server installed, do not configure these ports.

Core Server with Channels: Additional Ports

Depending on the applications installed on this MynaVoice Core Server, configure the following ports in addition:

EMC Archiving

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 3218 | TCP/UDP | IN/OUT | EMC Archiving | Between Core Server and EMC |

Resilience

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 4251 | TCP | IN/OUT | Core Server Resilience | Connection events |
| 4252 | TCP | IN/OUT | Core Server Resilience | Connection with slave Core Server: Failover messages. Agent events |
| 4255 | TCP | IN/OUT | Core Server Resilience | When CSR Support Tool is used |

Recorder API

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 8024 | TCP | IN | Cybertech Recorder API | Default port number to be used for TCP/IP remoting connections to the recorder API server |

Core API

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 7001 | TCP | IN | Core API V1 Content Manager | Core Content Manager API |
| 7002 | TCP | IN | CyberTech MAX UserManager | UserManager API |
| 7003 | TCP | IN | Core API V1 UserManager | Core UserManager API |
| 7500 | TCP | IN | Core API V2 Interface | Communication between Fusion and MynaVoice. |
| 7702 | TCP | IN | Core API V1 SystemManager | Core SystemManager API |
| 7703 | TCP | IN | Core API V1 SystemManager | MAX SystemManager Client Component |
| 7710 | TCP | IN | Core API V1 SystemManager | Core Recorder Information API. |

Fusion

Requires all Core API ports, plus:

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 7004 | HTTP | IN | CyberTech MAX UserManager | Core UserManager JSON API |
| 7711 | TCP | IN | CyberTech MAX SystemManager | Core Recorder Information API. |

Additional INTERNAL Ports

You do not need to configure these ports in the firewall. Use this information in case of port conflicts.

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 4250 | TCP | IN | Host communication | If RESILIENCE is applied |
| 7006 | TCP | IN | Core API V1 SystemManager | Fusion - Redundancy API |
| 7701 | TCP | OUT | Core API V1 SystemManager | Fusion - Fetch node configuration |
| 7705 | TCP | IN | Core API V1 UserManager | Fusion - Core SM Client Component |
| 7707 | TCP | IN | CyberTech MAX ContentManager | Fusion - Core SM Client Component |
| 7712 | TCP | IN | Recorder configuration service | To Core API |

Table 2-3: Open Port Configuration: Applications on Core Server


Page 20: MynaVoice Recording 6.7 - Hardening Manual

Core Server with Channels and CTI

Configure the following ports on a MynaVoice Recording Core Server with channels and an integrated CTI ("All-in-One box") installed.

For a Core Server without channels or CTI see section Core Server on page 13.

Basic

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 25 | SMTP | OUT | Error Core | To customer's e-mail server |
| 80 | HTTP | IN | Web Service Client connections | Web User Login. For HTTPS, replace this port by port 443 |
| 123 | NTP | OUT | OS (Time sync) | Network Time Synchronization, if applied |
| 162 | UDP | OUT | Error Core | To (any) SNMP traps receiver |
| 443 | HTTPS | OUT | Web Service Client connections | Web User Login. For HTTP, replace this port by port 80 |
| 6001 | TCP | IN | Web Service Client connections | Web User: Real-time play |
| 6002 | UDP | IN/OUT | Web Service Client connections | Web User: Real-time play |
| 6005 | TCP | OUT | Web Service Client connections | Web User: Channel overview |
| 6006 | TCP | IN | DBI Client | Channel overview |
| 7950 | TCP | IN | Connectivity.MediaDelivery.Service | External access of the Media Delivery service by Core API, Compass |
| 8007 | TCP | IN | Configuration Management | NOTE: Port not required if this service is disabled |
| 10002-10401 | UDP | IN | Active IP Recording Audio | On a Core Server with 200 channels. Required number of ports = number of channels * 2. Always start with port 10002 |
| [Integration-specific] | | | CTI Link controller | Refer to vendor-specific integration manual |

INTERNAL Ports

You do not need to configure these ports in the firewall. Use this information in case of port conflicts.

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 3306 | TCP | IN | | Database |
| 4245 * | TCP | OUT | CTI | From Call controller to CTI Receiver |
| 4246 * | TCP | IN/OUT | | Communication between link controller(s) and call controller |
| 4345 * | TCP | OUT | CTI | From Call controller to Satellite Controller |
| 6003 | TCP | IN | DBI Client | Audio transfer from channels to Core Server |
| 6004 | TCP | OUT | Monitor Tool | Informs Monitor Tool about status of channels |
| 7002 | TCP | IN | Fault Manager | SNMP traps and alarms |
| 7780 | TCP | IN/OUT | SystemOverview.Webservice | Queries Node Agent |
| 8003 | TCP/UDP | IN | | Internal WCF communication |

Table 2-4: Open Port Configuration: MynaVoice Recording Core Server with Channels and Integrated CTI

* CTI integrations only. If your recording integration has CDR functionality installed, these ports are not present.


Page 22: MynaVoice Recording 6.7 - Hardening Manual

Core Server with Channels and CTI: Additional Ports

Depending on the applications installed on this MynaVoice Core Server, configure the following ports in addition:

EMC Archiving

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 3218 | TCP/UDP | IN/OUT | EMC Archiving | Between Core Server and EMC |

Resilience

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 4251 | TCP | IN/OUT | Core Server Resilience | Connection events |
| 4252 | TCP | IN/OUT | Core Server Resilience | Connection with slave Core Server: Failover messages. Agent events |
| 4255 | TCP | IN/OUT | Core Server Resilience | When CSR Support Tool is used |

Recorder API

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 8024 | TCP | IN | Cybertech Recorder API | Default port number to be used for TCP/IP remoting connections to the recorder API server |

Core API

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 7001 | TCP | IN | Core API V1 Content Manager | Core Content Manager API |
| 7002 | TCP | IN | CyberTech MAX UserManager | UserManager API |
| 7003 | TCP | IN | Core API V1 UserManager | Core UserManager API |
| 7500 | TCP | IN | Core API V2 Interface | Communication between Fusion and MynaVoice. |
| 7702 | TCP | IN | Core API V1 SystemManager | Core SystemManager API |
| 7703 | TCP | IN | Core API V1 SystemManager | MAX SystemManager Client Component |
| 7710 | TCP | IN | Core API V1 SystemManager | Core Recorder Information API. |

Fusion

Requires all Core API ports, plus:

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 7004 | HTTP | IN | CyberTech MAX UserManager | Core UserManager JSON API |
| 7711 | TCP | IN | CyberTech MAX SystemManager | Core Recorder Information API. |

Additional INTERNAL Ports

You do not need to configure these ports in the firewall. Use this information in case of port conflicts.

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 4250 | TCP | IN | Host communication | If RESILIENCE is applied |
| 7006 | TCP | IN | Core API V1 SystemManager | Fusion - Redundancy API |
| 7701 | TCP | OUT | Core API V1 SystemManager | Fusion - Fetch node configuration |
| 7705 | TCP | IN | Core API V1 UserManager | Fusion - Core SM Client Component |
| 7707 | TCP | IN | CyberTech MAX ContentManager | Fusion - Core SM Client Component |
| 7712 | TCP | IN | Recorder configuration service | To Core API |

Table 2-5: Open Port Configuration: Applications on Core Server


Page 24: MynaVoice Recording 6.7 - Hardening Manual

Core Server with CTI

Configure the following ports on a MynaVoice Recording Core Server without channels, but with a CTI role installed.

For a Core Server without CTI see section Core Server on page 13 or Core Server with Channels on page 17.

Basic

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 25 | SMTP | OUT | Error Core | To customer's e-mail server |
| 80 | HTTP | IN | Web Service Client connections | Web User Login. For HTTPS, replace this port by port 443 |
| 123 | NTP | OUT | OS (Time sync) | Network Time Synchronization, if applied |
| 162 | UDP | OUT | Error Core | To (any) SNMP traps receiver |
| 443 | HTTPS | OUT | Web Service Client connections | Web User Login. For HTTP, replace this port by port 80 |
| 3306 | TCP | IN | MySQL Service | Database |
| 4245 * | TCP | OUT | CTI: Call controller | To CTI Receiver on satellite(s) |
| 4345 * | TCP | OUT | CTI: Call controller | To Satellite Controller on satellite(s) |
| 6003 | TCP | IN | DBI Client | Audio transfer from channels to Core Server |
| 6004 | TCP | OUT | Monitor Tool | Informs Monitor Tool about status of channels |
| 6005 | TCP | IN | Web Service Client connections | Web User: Channel overview |
| 6006 | TCP | IN | DBI Client | Channel overview |
| 7500 | TCP | IN | Core API | Communication between Fusion and MynaVoice Recording. |
| 7780 | TCP | IN/OUT | SystemOverview.Webservice | Queries Node Agents on MynaVoice systems |
| 7950 | TCP | IN | Connectivity.MediaDelivery.Service | External access of the Media Delivery service by Core API |
| 8007 | TCP | IN | Configuration Management | NOTE: Port not required if this service is disabled |
| [Integration-specific] | | | CTI Link controller | Refer to vendor-specific integration manual |

INTERNAL Ports

You do not need to configure these ports in the firewall. Use this information in case of port conflicts.

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 4246 * | TCP | IN/OUT | | Communication between link controller(s) and call controller |
| 7002 | TCP | IN | Fault Manager | SNMP traps and alarms |
| 8003 | TCP/UDP | IN | | Internal WCF communication |

Table 2-6: Open Port Configuration: Core Server with Integrated CTI

* CTI integrations only. If your recording integration has CDR functionality or a dedicated CDR Server installed, do not configure these ports.

Core Server with CTI: Additional Ports

Depending on the applications installed on this MynaVoice Core Server, configure the following ports in addition:

EMC Archiving

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 3218 | TCP/UDP | IN/OUT | EMC Archiving | Between Core Server and EMC |

Resilience

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 4251 | TCP | IN/OUT | Core Server Resilience | Connection events |
| 4252 | TCP | IN/OUT | Core Server Resilience | Connection with slave Core Server: Failover messages. Agent events |
| 4255 | TCP | IN/OUT | Core Server Resilience | When CSR Support Tool is used |

Recorder API

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 8024 | TCP | IN | Cybertech Recorder API | Default port number to be used for TCP/IP remoting connections to the recorder API server |

Core API

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 7001 | TCP | IN | Core API V1 Content Manager | Core Content Manager API |
| 7002 | TCP | IN | CyberTech MAX UserManager | UserManager API |
| 7003 | TCP | IN | Core API V1 UserManager | Core UserManager API |
| 7500 | TCP | IN | Core API V2 Interface | Communication between Fusion and MynaVoice. |
| 7702 | TCP | IN | Core API V1 SystemManager | Core SystemManager API |
| 7703 | TCP | IN | Core API V1 SystemManager | MAX SystemManager Client Component |
| 7710 | TCP | IN | Core API V1 SystemManager | Core Recorder Information API. |

Fusion

Requires all Core API ports, plus:

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 7004 | HTTP | IN | CyberTech MAX UserManager | Core UserManager JSON API |
| 7711 | TCP | IN | CyberTech MAX SystemManager | Core Recorder Information API. |

Additional INTERNAL Ports

You do not need to configure these ports in the firewall. Use this information in case of port conflicts.

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 4250 | TCP | IN | Host communication | If RESILIENCE is applied |
| 7006 | TCP | IN | Core API V1 SystemManager | Fusion - Redundancy API |
| 7701 | TCP | OUT | Core API V1 SystemManager | Fusion - Fetch node configuration |
| 7705 | TCP | IN | Core API V1 UserManager | Fusion - Core SM Client Component |
| 7707 | TCP | IN | CyberTech MAX ContentManager | Fusion - Core SM Client Component |
| 7712 | TCP | IN | Recorder configuration service | To Core API |

Table 2-7: Open Port Configuration: Applications on Core Server


Page 27: MynaVoice Recording 6.7 - Hardening Manual

Satellite

Configure the following ports on a MynaVoice Recording satellite.

For a satellite combined with a CTI Server, see section Satellite with CTI on One System.

Basic

| Port | Protocol | Direction | Service | Explanation |
|------|----------|-----------|---------|-------------|
| 25 | TCP | OUT | Error Core | SMTP. To e-mail server |
| 123 | TCP | OUT | OS (Time sync) | Network Time Synchronization, if applied |
| 162 | UDP | OUT | Error Core | To (any) SNMP traps receiver |
| 3306 | TCP | OUT | MySQL Service | Database |
| 4245 * | TCP | IN | CTI Receiver | From Call controller on CTI Server |
| 4251 | TCP | IN/OUT | When Core Server Resilience is applied | Core Server connection events |
| 4252 | TCP | IN/OUT | When Core Server Resilience is applied | Agent events |
| 4345 * | TCP | IN | Satellite Controller | From Call controller on CTI Server |
| 6001 | TCP | IN | Web Service Client connections | Web User: Real-time play |
| 6002 | UDP | IN/OUT | Web Service Client connections | Web User: Real-time play |
| 6003 | TCP | OUT | DBI Client | Audio transfer from channels to Core Server |
| 6004 | TCP | IN | Monitor Tool | Informs Monitor Tool about status of channels |
| 6006 | TCP | OUT | DBI Client | Channel overview |
| 7780 | TCP | IN | CyberTech.SystemOverview.NodeAgent | Provides Core Server with information about MynaVoice. |
| 7950 | TCP | IN | Connectivity.MediaDelivery.Service | External access of the Media Delivery service by Core API |
| 8007 | TCP | IN | Configuration Management | Listens for inbound messages of configuration management |
| 10002-12001 | UDP | IN | IP Recording Audio | On a satellite with 1000 channels. Required number of ports = number of channels * 2. Always start with port 10002. For example, a satellite with 500 channels requires ports 10002 - 11001 to be opened. |

INTERNAL Ports

No internal ports

Table 2-8: Open Port Configuration: Satellite

* CTI integrations only. If your recording integration has CDR functionality or a dedicated CDR Server installed, do not configure these ports.

Satellite: Additional Ports

Depending on the applications installed on this satellite, configure the following ports in addition:

Port | Protocol | Direction | Service | Explanation

Archiving

For archiving, no ports are configured on a satellite

Resilience

4251 | TCP | IN | Core Server Resilience | Keep-alive messages
4252 | TCP | OUT | Core Server Resilience | Failover messages

Fusion

For Fusion, no ports are configured on a satellite

Additional INTERNAL Ports

You do not need to configure these ports in the firewall. Use this information in case of port conflicts.

4250 | TCP | IN | Host communication | If RESILIENCE is applied

Table 2-9: Open Port Configuration: Satellite - Additional Ports
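As an added example (not part of the manual or of the MynaVoice product), the following PowerShell script turns Tables 2-8 and 2-9 into host firewall rules on a satellite. It assumes Windows Defender Firewall with the built-in NetSecurity cmdlets (New-NetFirewallRule, Get-NetFirewallRule, Remove-NetFirewallRule), that the peer addresses (Core Server, CTI Server, mail relay, SNMP receiver, time source) are passed as parameters, and that the licensed channel count is known. The UDP audio range is computed with the rule from Table 2-8 (number of channels * 2, starting at port 10002), which Table 2-10 states in the same form. Ports, protocols and directions come from the tables; scoping each rule to a peer address, the rule group name and the placeholder addresses are this example's choices.

```powershell
# Added example: host firewall rules for a MynaVoice Recording satellite (Tables 2-8 and 2-9).
# Not part of the manual. Placeholder addresses below must be replaced with the site's own.
# Requires the NetSecurity module (Windows Server 2012 or later) and an elevated prompt.

param(
    [int]    $ChannelCount = 500,            # licensed recording channels on this satellite
    [string] $CoreServer   = '10.0.0.10',    # placeholder: Core Server address
    [string] $CtiServer    = '10.0.0.11',    # placeholder: CTI Server address (CTI integrations only)
    [string] $MailServer   = '10.0.0.20',    # placeholder: SMTP relay
    [string] $SnmpReceiver = '10.0.0.21',    # placeholder: SNMP trap receiver
    [string] $NtpServer    = '10.0.0.22',    # placeholder: time source
    [switch] $CtiIntegration                 # set only for CTI integrations (rows marked * in Table 2-8)
)

$group = 'MynaVoice Recording - Satellite'

# Table 2-8: required UDP audio ports = ChannelCount * 2, always starting at 10002.
# 500 channels -> 10002-11001, 1000 channels -> 10002-12001.
$audioFirst = 10002
$audioLast  = $audioFirst + ($ChannelCount * 2) - 1
if ($audioLast -gt 12001) { throw "More than 1000 channels is outside the range documented in Table 2-8." }

# One entry per table row: direction, protocol, port and the peer the row names.
# 'Any' is used where the table does not name a fixed peer (web users, Monitor Tool, configuration
# management); narrowing those is a site decision.
$rules = @(
    @{ Name='SMTP to mail server';          Dir='Outbound'; Proto='TCP'; Port=25;   Peer=$MailServer   },
    @{ Name='Time synchronization';         Dir='Outbound'; Proto='TCP'; Port=123;  Peer=$NtpServer    },
    @{ Name='SNMP traps';                   Dir='Outbound'; Proto='UDP'; Port=162;  Peer=$SnmpReceiver },
    @{ Name='MySQL database';               Dir='Outbound'; Proto='TCP'; Port=3306; Peer=$CoreServer   },
    @{ Name='Resilience connection events'; Dir='Inbound';  Proto='TCP'; Port=4251; Peer=$CoreServer   },
    @{ Name='Resilience connection events'; Dir='Outbound'; Proto='TCP'; Port=4251; Peer=$CoreServer   },
    @{ Name='Resilience agent events';      Dir='Inbound';  Proto='TCP'; Port=4252; Peer=$CoreServer   },
    @{ Name='Resilience agent events';      Dir='Outbound'; Proto='TCP'; Port=4252; Peer=$CoreServer   },
    @{ Name='Web real-time play';           Dir='Inbound';  Proto='TCP'; Port=6001; Peer='Any'         },
    @{ Name='Web real-time play audio';     Dir='Inbound';  Proto='UDP'; Port=6002; Peer='Any'         },
    @{ Name='Web real-time play audio';     Dir='Outbound'; Proto='UDP'; Port=6002; Peer='Any'         },
    @{ Name='DBI audio transfer to Core';   Dir='Outbound'; Proto='TCP'; Port=6003; Peer=$CoreServer   },
    @{ Name='Monitor Tool channel status';  Dir='Inbound';  Proto='TCP'; Port=6004; Peer='Any'         },
    @{ Name='DBI channel overview';         Dir='Outbound'; Proto='TCP'; Port=6006; Peer=$CoreServer   },
    @{ Name='SystemOverview NodeAgent';     Dir='Inbound';  Proto='TCP'; Port=7780; Peer=$CoreServer   },
    @{ Name='MediaDelivery for Core API';   Dir='Inbound';  Proto='TCP'; Port=7950; Peer=$CoreServer   },
    @{ Name='Configuration Management';     Dir='Inbound';  Proto='TCP'; Port=8007; Peer='Any'         },
    @{ Name='IP recording audio';           Dir='Inbound';  Proto='UDP'; Port="$audioFirst-$audioLast"; Peer='Any' }
)
if ($CtiIntegration) {
    $rules += @{ Name='CTI Receiver';         Dir='Inbound'; Proto='TCP'; Port=4245; Peer=$CtiServer }
    $rules += @{ Name='Satellite Controller'; Dir='Inbound'; Proto='TCP'; Port=4345; Peer=$CtiServer }
}

foreach ($r in $rules) {
    $display = "$group - $($r.Name) ($($r.Dir) $($r.Proto) $($r.Port))"
    # Remove a stale copy first so that re-running the script does not duplicate rules.
    Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    $common = @{
        DisplayName   = $display
        Group         = $group
        Direction     = $r.Dir
        Protocol      = $r.Proto
        Action        = 'Allow'
        Profile       = 'Domain'        # assumption: recorder is domain-joined; adjust to the site's profile
        RemoteAddress = $r.Peer
    }
    # Inbound rows listen on the local port; outbound rows connect to the peer's port.
    if ($r.Dir -eq 'Inbound') { New-NetFirewallRule @common -LocalPort  $r.Port | Out-Null }
    else                      { New-NetFirewallRule @common -RemotePort $r.Port | Out-Null }
}

# Show what was created, so the result can be compared with the table before the change is signed off.
Get-NetFirewallRule -Group $group | Sort-Object Direction, DisplayName |
    Select-Object DisplayName, Direction, Enabled, Profile
```

Run it once per satellite with the site's addresses, e.g. `.\Set-SatelliteFirewall.ps1 -ChannelCount 500 -CoreServer 10.1.2.3 -CtiIntegration`. The internal port 4250 from Table 2-9 is deliberately absent: the manual says internal ports need no firewall rule. Protocols are copied from the table as printed, including TCP for time synchronization on port 123.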


Satellite with CTI on One System

Configure the following ports on a MynaVoice Recording satellite that also has the CTI role installed.

For channels with integrated CTI on a Core Server, see section Core Server with Channels and CTI on page 20.

Port | Protocol | Direction | Service | Explanation

Basic

25 | TCP | OUT | Error Core | SMTP. To e-mail server
80 | TCP | IN | Web Service Client connections, HTTP | Configure this port only if the Open Call Controller Interface (OCCI) is installed. For HTTPS, replace this port by port 443
123 | TCP | OUT | OS (Time sync) | Network Time Synchronization, if applied
162 | UDP | OUT | Error Core | To (any) SNMP traps receiver
443 | TCP | OUT | Web Service Client connections, HTTPS | Configure this port only if the Open Call Controller Interface (OCCI) is installed. For HTTP, replace this port by port 80
3306 | TCP | OUT | MySQL Service | Database
6001 | TCP | IN | Web Service Client connections | Web User: Real-time play
6002 | UDP | IN/OUT | Web Service Client connections | Web User: Real-time play
6003 | TCP | OUT | DBI Client | Audio transfer from channels to Core Server
6004 | TCP | IN | Monitor Tool | Informs Monitor Tool about status of channels
6006 | TCP | OUT | DBI Client | Channel overview
7780 | TCP | IN | CyberTech.SystemOverview.NodeAgent | Provides Core Server with information about MynaVoice.
7950 | TCP | IN | Connectivity.MediaDelivery.Service | External access of the MediaDelivery service by Core API
8007 | TCP | IN | ConfigurationManagement | Listens for inbound messages of Configuration Management
10002–12001 | UDP | IN | Active IP Recording Audio | On a satellite with 1000 channels. Required number of ports = number of channels * 2. Always start with port 10002. For example, a satellite with 500 channels requires ports 10002 - 11001 to be opened.
[Integration-specific] | | | CTI Link controller | Refer to vendor-specific integration manual

INTERNAL Ports

You do not need to configure these ports in the firewall. Use this information in case of port conflicts.

4245 * | TCP | OUT | CTI | From Call controller to CTI Receiver
4246 * | TCP | IN/OUT | | Communication between link controller(s) and call controller
4345 * | TCP | OUT | CTI | From Call controller to Satellite Controller
7002 | TCP | IN | Fault Manager | SNMP traps and alarms

Table 2-10: Open Port Configuration: Satellite with CTI Server

* CTI integrations only. If your recording integration has a CDR functionality or dedicated CDR Server installed, do not configure these ports.

Satellite with CTI: Additional Ports

Depending on the applications installed on this server, configure the following ports in addition:

Port | Protocol | Direction | Service | Explanation

Archiving

For archiving, no ports are configured on a satellite

Resilience

4251 | TCP | IN | Core Server Resilience | Keep-alive messages
4252 | TCP | OUT | Core Server Resilience | Failover messages

N+1 CTI Server Resilience requires dedicated CTI Servers. It cannot be applied in this configuration.

For Sentinel, no ports are configured on a satellite plus CTI

Fusion

For Fusion, no ports are configured on a satellite plus CTI

Additional INTERNAL Ports

You do not need to configure these ports in the firewall. Use this information in case of port conflicts.

4252 | TCP | IN | Failover message | If RESILIENCE is applied
4250 | TCP | IN | Host communication | If RESILIENCE is applied

Table 2-11: Open Port Configuration: Satellite with CTI Server - Additional Ports


CTI Server

Configure the following ports on a separate dedicated MynaVoice Recording CTI Server.

Port | Protocol | Direction | Service | Explanation

Basic

80 | TCP | IN | Web Service Client connections, HTTP | Configure this port only if the Open Call Controller Interface (OCCI) is installed. For HTTPS, replace this port by port 443
123 | TCP | OUT | Customer LAN | Network Time Synchronization, if applied
162 | UDP | OUT | Fault Manager | To (any) SNMP traps receiver
443 | TCP | OUT | Web Service Client connections, HTTPS | Configure this port only if the Open Call Controller Interface (OCCI) is installed. For HTTP, replace this port by port 80
3306 | TCP | OUT | MySQL Service | Database
4245 | TCP | OUT | CTI: Call controller | To CTI Receiver on satellite(s)
4345 | TCP | OUT | CTI: Call controller | To Satellite Controller on satellite(s)
7780 | TCP | IN/OUT | CyberTech.SystemOverview.NodeAgent | Provides Core Server with information about MynaVoice.
8007 | TCP | IN | ConfigurationManagement | Listens for inbound messages of Configuration Management
[Integration-specific] | | | CTI Link controller | Refer to vendor-specific integration manual

INTERNAL Ports

4246 | TCP | IN/OUT | | Communication between link controller(s) and call controller
7002 | TCP | IN | Fault Manager | SNMP traps and alarms

Table 2-12: Open Port Configuration: Dedicated CTI Server


CTI Server: Additional Ports

Depending on the applications installed on this CTI Server, configure the following ports in addition:

Port | Protocol | Direction | Service | Explanation

Archiving

For archiving, no ports are configured on a CTI server

Resilience

4250 | TCP | IN | N+1 CTI Server Resilience | Host Communication
4251 | TCP | IN | Core Server Resilience | Keep-alive messages
4252 | TCP | IN/OUT | N+1 CTI Server Resilience | Failover messages
4350 | TCP | IN/OUT | N+1 CTI Server Resilience | Channel Synchronization

Core API

For Core API, no ports are configured on a CTI server

Fusion

For Fusion, no ports are configured on a CTI server

Table 2-13: Open Port Configuration: CTI Server - Additional Ports


CDR Server

Configure the following ports on a dedicated MynaVoice Recording CDR Server.

Port | Protocol | Direction | Service | Explanation

Basic

80 | TCP | IN | Web Service Client connections, HTTP | Configure this port only if the Open Call Controller Interface (OCCI) is installed.
123 | TCP | OUT | Customer LAN | Network Time Synchronization, if applied
162 | UDP | OUT | Fault Manager | To (any) SNMP traps receiver
3306 | TCP | OUT | MySQL Service | Database, Monitor Tool
7002 | TCP | IN | Fault Manager | SNMP traps and alarms

INTERNAL Ports

No internal ports

Table 2-14: Open Port Configuration: Dedicated CDR Server

CDR Server: Additional Ports

For additional applications installed on this CDR Server, no ports have to be configured.


Fusion Server

Configure the following ports on a Fusion server.

NOTE: Before version 2.0, Fusion was known as 'Distributed Recording' (NDR).

Port | Protocol | Direction | Service | Explanation

Basic

80 | HTTP | IN | Fusion Website | Connect to Fusion from web client. For HTTPS, replace this port by port 443
88 | HTTP | IN | Fusion Website | Always used in combination with port 80 (HTTP) or 443 (HTTPS)
162 | UDP | OUT | CyberTechAlarmingV2Service | To (any) SNMP traps receiver
443 | HTTPS | IN | Fusion Website (secure) | Secure connection to Fusion from web client
1433 | TCP | OUT | MS SQL Server | Database
7000 | TCP | IN | CyberTech MAX ContentManager | Content Manager API
7001 | TCP | IN/OUT | CyberTech MAX ContentManager | Core Content Manager API
7003 | TCP | OUT | CyberTech MAX UserManager | Core UserManager API
7005 | TCP | IN | CyberTech MAX AuditManager | Audit Manager API
7701 | TCP | IN | CyberTech MAX SystemManager | SystemManager API
7703 | TCP | OUT | CyberTech MAX SystemManager | Notify core with MAX presence and retrieve state
7710 | TCP | OUT | CyberTech MAX SystemManager | Retrieve Recorder Information with Sentinel
7011 | TCP | IN | CyberTech MAX SystemManager | Core Recorder Information API
7711 | TCP | IN | CyberTech MAX SystemManager | Recorder Information API

INTERNAL Ports Basic

You do not need to configure these ports in the firewall. Use this information in case of port conflicts.

7704 | TCP | IN | CyberTech MAX UserManager | MAX SM Client Component
7706 | TCP | IN | CyberTech MAX ContentManager | MAX SM Client Component
7708 | TCP | IN | CyberTech MAX Website | MAX SM Client Component
7709 | TCP | IN | CyberTech MAX AuditManager | MAX SM Client Component

Table 2-1: Open Port Configuration: MynaVoice Fusion Server


3: Antivirus and 3rd Party Software Exclusions

This chapter describes the locations and files you must exclude from antivirus checks, and from the actions of other third-party software. This software can be, for instance, tooling that performs local file actions such as backups.

MynaVoice Recording 6.7 is compatible with any antivirus software.

Introduction

Antivirus software is intended to prevent malicious software from invading your computer or network, known as real-time protection. Antivirus software should also detect and remove malicious software before it does any harm, by planned scanning of systems.

The activities of antivirus software can seriously impact your computer's performance. The audio files of calls in progress, for example, are continuously changing. For real-time protection the antivirus software scans a file whenever it changes. With many calls in progress, this interferes with the functioning of the Recording Service and downgrades its performance.

For this reason you have to exclude the recording-related files and locations from antivirus checks.

Planned system scans can be performed only when recording traffic is (very) low, always outside office hours.

Important! Never perform a full-system scan or full-system backup! When scanning or backing up the system, you always have to set the file exclusions indicated below.

Backing up the MynaVoice Recording Database (using the Import/Export Database Settings tool) is not allowed while the system is recording.

Setting the exclusions

Present the list(s) of settings to the customer's system/network administrator.


Antivirus and Other Software Exceptions

Important! Only an authorized person is allowed to configure these settings.

In your application, you must exclude the following files and locations from real-time protection. Only exclude the files mentioned below, no other files!

Planned scans can be performed on these files and locations, but only outside office hours.

Important! Always perform system scans on MynaVoice Recording and updates outside office hours.

MynaVoice Core Server (With or Without Channels or CTI)

All paths show the default drive 'C:'. This is defined during setup, and can be a different drive.

Location | Files to be excluded

The locations containing the recording system and integration software: 'C:\Program Files\CyberTech' | all folders

This folder contains the following exe files, stored in subfolders (Core Server):
Compass.RecorderSso.Service.exe
Connectivity.CaptureApi.Service.exe
CyberTech.CoreApi.Service.exe
CyberTech.FaultManager.WindowsService.exe
CyberTech.MediaManager.Service.exe
CyberTech.MonitorTool.WpfApplication.exe
CyberTech.ContentManager.Archiving.WindowsService.exe
CyberTech.ContentManager.Storage.WindowsService.exe
DatabaseInterfaceServer.exe
monitor.exe
SystemOverview.NodeAgent.Service.exe
CyberTech.UserManager.Service.exe

In addition, if the Core Server has channels:
Connectivity.MediaDelivery.Service.exe

In addition, if CTI is installed on the Core Server:
CallController.exe
RegAsm.exe

In addition, if CTI Resilience is applied:
CyberTech.CTIResilienceManager.exe
CyberTech.CTIServerResilienceAgent.exe

'C:\Program Files (x86)\CyberTech' | all folders

This folder contains the following exe files, stored in subfolders (Core Server):
filebeat.exe
Recorder.HistoricalIngestionAgent.Service.exe
LogClean.exe
controllerservice.exe
myodbc3c.exe
myodbc3i.exe
myodbc3m.exe
CyberTech.SystemManager.Configuration.WindowsService.exe

In addition, if the Core Server has channels:
ModularLicensing.exe
monitor.exe
MaintenanceTool.exe
ParrotDscAPIDemo.exe
parrotLT.exe
Programmer.exe
CTI_Receiver.exe
DatabaseInterfaceClient.exe
DSCService.exe
RegAsm.exe
RecordingService.exe
CyberTech.Resilience.DBIService.exe

In addition, if CTI is installed on the Core Server:
ServiceMonitor.exe
CallController.exe
RegAsm.exe

In addition, if Core Server Resilience is applied:
CyberTech.CSRClientConfigTool.exe
CyberTech.ResilienceConnectionManager.exe

The locations containing the recording system and integration DLL files: 'C:\Program Files\Common Files\CyberTech' and 'C:\Program Files (x86)\Common Files\CyberTech' | DLL files

The audio folders: 'C:\ProgramData\CyberTech\Content\...' (the 'Content' folder has subfolders named 'audioX'; these folders have subfolders with dates as their names) | *.wav files

The VoIP INI file location: 'C:\ProgramData\CyberTech\INI_Files\VoIP' | *.ini files

The Filebeat configuration files location: 'C:\ProgramData\CyberTech\INI_Files\Filebeat' | Filebeat_transaction_registry.json, Filebeat_transaction_registry.json.old

MynaVoice Recording database folders: 'C:\ProgramData\CyberTech\mySQL\Data\mysql' | file types: *.frm, *.myd, *.myi

'C:\ProgramData\CyberTech\CallDataCache\...' | all files in all subfolders (*.*)

MynaVoice Recording log files folder: 'C:\logfiles', including folder 'C:\logfiles\InteractionAuditLog' | file types *.log, *.txt, *.zip

'C:\inetpub\...' | all files in all subfolders (*.*)

If the Core Server has channels: the temporary recording folder 'C:\ProgramData\CyberTech\RecordingBuffer' | file types: *.da_, *.dat1, *.dat1_, *.dat2, *.dat2_, *.dat3, *.dat3_, *.wa_, *.wav

If the Core Server has channels and/or CTI: the temporary call data folder 'C:\ProgramData\CyberTech\CallDataCache\...' | all *.xml files in all subfolders

If you use local archiving, on the local archive: | [drive]:\*.dat; [drive]:\*.html (incl. subfolders); [drive]:\*.wav (incl. subfolders); [drive]:\*.csv (incl. subfolders)

Table 3-1: Exclude on MynaVoice Core Server

Depending on the type of integration deployed, some executable files from Program Files can be found in Program Files (x86) and vice versa.

With MySQL:

Location | Files to be excluded

If applicable, all MySQL binary files: 'C:\Program Files\CyberTech' | *.exe

This folder contains the following exe files:
echo.exe
innochecksum.exe
myisamchk.exe
myisamlog.exe
myisampack.exe
myisam_ftdump.exe
mysql.exe
mysqladmin.exe
mysqlbinlog.exe
mysqlcheck.exe
mysqld.exe
mysqldump.exe
mysqlimport.exe
mysqlshow.exe
mysqlslap.exe
mysqltest.exe
mysqltest_embedded.exe
mysql_client_test.exe
mysql_client_test_embedded.exe
mysql_config_editor.exe
mysql_embedded.exe
mysql_plugin.exe
mysql_tzinfo_to_sql.exe
mysql_upgrade.exe
my_print_defaults.exe
perror.exe
replace.exe
resolveip.exe

Table 3-2: Exclude on MynaVoice CTI Server
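The point of the Core Server tables is as much what not to exclude as what to exclude: an exclusion wider than the listed paths gives malware a place to live unscanned. As an added example (not part of the manual, and not the product's own tooling), the following PowerShell script loads the Table 3-1 and 3-2 exclusions into Microsoft Defender Antivirus and then reports any exclusion that is not derived from the tables. It assumes Defender's Add-MpPreference / Get-MpPreference cmdlets (the manual says any antivirus product is supported; Defender is used only because its cmdlets ship with Windows), that $Drive is the install drive chosen during setup, and that Defender path exclusions are recursive, so folders the table lists with nested date subfolders are excluded whole rather than by file type. The local-archive rows are not covered here, because the archive drive is site-specific.

```powershell
# Added example: apply the Core Server exclusions of Tables 3-1 and 3-2 to Microsoft Defender
# Antivirus and check for exclusions that go beyond them. Not part of the manual. Run elevated.

param(
    [string] $Drive = 'C:',    # install drive chosen during setup (default C:)
    [switch] $HasChannels,     # Core Server with recording channels
    [switch] $HasCti,          # CTI installed on the Core Server
    [switch] $HasMySql         # MySQL binaries under Program Files\CyberTech (Table 3-2)
)

# Folder -> file patterns from Table 3-1. An empty list means the whole folder (the table's
# "all folders" / "all files in all subfolders"). Content and CallDataCache hold nested
# subfolders, so they are excluded whole; that is broader than the table's "*.wav" / "*.xml"
# rows and should be narrowed if your product supports wildcards across subfolder levels.
$rules = [ordered]@{
    "$Drive\Program Files\CyberTech"                    = @()
    "$Drive\Program Files (x86)\CyberTech"              = @()
    "$Drive\Program Files\Common Files\CyberTech"       = @('*.dll')
    "$Drive\Program Files (x86)\Common Files\CyberTech" = @('*.dll')
    "$Drive\ProgramData\CyberTech\Content"              = @()
    "$Drive\ProgramData\CyberTech\INI_Files\VoIP"       = @('*.ini')
    "$Drive\ProgramData\CyberTech\INI_Files\Filebeat"   = @('Filebeat_transaction_registry.json', 'Filebeat_transaction_registry.json.old')
    "$Drive\ProgramData\CyberTech\mySQL\Data\mysql"     = @('*.frm', '*.myd', '*.myi')
    "$Drive\ProgramData\CyberTech\CallDataCache"        = @()
    "$Drive\logfiles"                                   = @('*.log', '*.txt', '*.zip')
    "$Drive\logfiles\InteractionAuditLog"               = @('*.log', '*.txt', '*.zip')
    "$Drive\inetpub"                                    = @()
}
if ($HasChannels) {
    $rules["$Drive\ProgramData\CyberTech\RecordingBuffer"] = @('*.da_', '*.dat1', '*.dat1_', '*.dat2', '*.dat2_', '*.dat3', '*.dat3_', '*.wa_', '*.wav')
}

# Expand to Defender path entries, skipping folders that do not exist on this server:
# a mistyped path would otherwise sit in the exclusion list forever without protecting anything.
$paths = foreach ($folder in $rules.Keys) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "Not found, skipped: $folder"
        continue
    }
    if ($rules[$folder].Count -eq 0) { $folder }
    else { foreach ($pattern in $rules[$folder]) { Join-Path $folder $pattern } }
}

# Executables from Table 3-1 whose file activity must not be scanned. Defender process
# exclusions take the image name, so both Program Files locations are covered at once.
$processes = @(
    'Compass.RecorderSso.Service.exe', 'Connectivity.CaptureApi.Service.exe', 'CyberTech.CoreApi.Service.exe',
    'CyberTech.FaultManager.WindowsService.exe', 'CyberTech.MediaManager.Service.exe',
    'CyberTech.MonitorTool.WpfApplication.exe', 'CyberTech.ContentManager.Archiving.WindowsService.exe',
    'CyberTech.ContentManager.Storage.WindowsService.exe', 'DatabaseInterfaceServer.exe', 'monitor.exe',
    'SystemOverview.NodeAgent.Service.exe', 'CyberTech.UserManager.Service.exe', 'filebeat.exe',
    'Recorder.HistoricalIngestionAgent.Service.exe', 'LogClean.exe', 'controllerservice.exe',
    'myodbc3c.exe', 'myodbc3i.exe', 'myodbc3m.exe', 'CyberTech.SystemManager.Configuration.WindowsService.exe'
)
if ($HasChannels) {
    $processes += 'Connectivity.MediaDelivery.Service.exe', 'ModularLicensing.exe', 'MaintenanceTool.exe',
                  'ParrotDscAPIDemo.exe', 'parrotLT.exe', 'Programmer.exe', 'CTI_Receiver.exe',
                  'DatabaseInterfaceClient.exe', 'DSCService.exe', 'RegAsm.exe', 'RecordingService.exe',
                  'CyberTech.Resilience.DBIService.exe'
}
if ($HasCti)   { $processes += 'ServiceMonitor.exe', 'CallController.exe', 'RegAsm.exe' }
# Table 3-2 lists all MySQL tools; the server process is added here, the rest are covered by the
# Program Files\CyberTech path entry. Add further names if they run as services on your system.
if ($HasMySql) { $processes += 'mysqld.exe' }
$processes = $processes | Sort-Object -Unique

if ($paths) { Add-MpPreference -ExclusionPath $paths }
Add-MpPreference -ExclusionProcess $processes

# Verify against the tables: anything Defender holds that was not derived from them is reported,
# because "only exclude the files mentioned, no other files" is the requirement.
$pref = Get-MpPreference
$extraPaths = @($pref.ExclusionPath | Where-Object { $_ -notin $paths })
$extraProcs = @($pref.ExclusionProcess | Where-Object { $_ -notin $processes })
if ($extraPaths) { Write-Warning ("Path exclusions not in Table 3-1:`n  " + ($extraPaths -join "`n  ")) }
if ($extraProcs) { Write-Warning ("Process exclusions not in Table 3-1:`n  " + ($extraProcs -join "`n  ")) }
if ($pref.ExclusionExtension) {
    Write-Warning ("Global extension exclusions found (the tables scope file types to folders): " + ($pref.ExclusionExtension -join ', '))
}
$pref.ExclusionPath    | ForEach-Object { "PATH    $_" }
$pref.ExclusionProcess | ForEach-Object { "PROCESS $_" }
```

Run it as `.\Set-CoreServerExclusions.ps1 -HasChannels -HasCti` on a Core Server with channels and CTI. The warning about global extension exclusions is deliberate: the tables always tie a file type to a folder, and a product-wide `*.wav` or `*.zip` exclusion would exempt those types everywhere on the disk.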

MynaVoice Satellite

All paths show the default drive 'C:'. This is defined during setup, and can be a different drive.

Location | Files to be excluded

The locations containing the recording system and integration software: 'C:\Program Files\CyberTech' | all folders

This folder contains the following exe files, stored in subfolders:
SystemOverview.NodeAgent.Service.exe
Connectivity.MediaDelivery.Service.exe
CyberTech.FaultManager.WindowsService.exe
CyberTech.MonitorTool.WpfApplication.exe

The locations containing the recording system and integration software: 'C:\Program Files (x86)\CyberTech' | all folders

This folder contains the following exe files, stored in subfolders:
CyberTech.FaultManager.WindowsService.exe
CyberTech.MonitorTool.WpfApplication.exe
ModularLicensing.exe
monitor.exe
MaintenanceTool.exe
ParrotDscAPIDemo.exe
parrotLT.exe
Programmer.exe
controllerservice.exe
CTI_Receiver.exe
DatabaseInterfaceClient.exe
DSCService.exe
RegAsm.exe
RecordingService.exe

In addition, if Core Server Resilience is applied:
CyberTech.CSRClientConfigTool.exe
CyberTech.ResilienceConnectionManager.exe
CyberTech.Resilience.DBIService.exe

The locations containing the recording system and integration DLL files: 'C:\Program Files\Common Files\CyberTech' and 'C:\Program Files (x86)\Common Files\CyberTech' | DLL files

The VoIP INI file location: 'C:\ProgramData\CyberTech\INI_Files\VoIP' | *.ini files

MynaVoice Recording temporary directory: 'C:\tmp' | all files

The temporary recording folder 'C:\ProgramData\CyberTech\Recording Buffer' | file types: *.da_, *.dat1, *.dat1_, *.dat2, *.dat2_, *.dat3, *.dat3_, *.wa_, *.wav

The temporary call data folder 'C:\ProgramData\CyberTech\CallDataCache\...' | all *.xml files in all subfolders

MynaVoice Recording log files folder: 'C:\logfiles' | file types *.log, *.txt, *.zip

Table 3-3: Antivirus - Exclude on MynaVoice Satellite

Depending on the type of integration deployed, some executable files from Program Files can be found in Program Files (x86) and vice versa.

MynaVoice CTI Server

All paths show the default drive 'C:'. This is defined during setup, and can be a different drive.

Location | Files to be excluded

The locations containing the recording system and integration software: 'C:\Program Files\CyberTech' | all folders

This folder contains the following exe files, stored in subfolders:
CyberTech.FaultManager.WindowsService.exe

In addition, if CTI Resilience is applied:
CyberTech.CTIResilienceManager.exe
CyberTech.CTIServerResilienceAgent.exe

The locations containing the recording system and integration software: 'C:\Program Files (x86)\CyberTech' | all folders

This folder contains the following exe files, stored in subfolders:
CallController.exe
RegAsm.exe

In addition, if Core Server Resilience is applied:
CyberTech.CSRClientConfigTool.exe
CyberTech.ResilienceConnectionManager.exe

The locations containing the recording system and integration DLL files: 'C:\Program Files (x86)\CyberTech' and 'C:\Program Files (x86)\Common Files\CyberTech' | DLL files

The Call Data Records folder: 'C:\ProgramData\CyberTech\CallDataCache' | all *.xml files in all subfolders

The MynaVoice Recording log files folder: 'C:\logfiles' | file types *.log, *.txt, *.zip

Table 3-4: Exclude on MynaVoice CTI Server

Depending on the type of integration deployed, some executable files from Program Files can be found in Program Files (x86) and vice versa.

MynaVoice Fusion Server

All paths show the default drive 'C:'. This is defined during setup, and can be a different drive.

Location | Files to be excluded

C:\Program Files (x86)\Cybertech\Alarming |
C:\Program Files (x86)\Cybertech\MAX |
The Fusion log files folder: 'C:\logfiles' | file types *.log, *.txt, *.zip

Table 3-5: Exclude on Fusion Server


4: System Hardening

This chapter describes procedures to harden the operating system of the MynaVoice Recording servers and secure the communication between them.

Customizing these servers must always be in accordance with the customer's hardening and security policies.

Usually, when hardening, customers disable unnecessary services.

This chapter provides a full listing of all required services, to prevent them from being inadvertently or deliberately disabled.

Important! Always consult with the system administrator before applying hardening procedures.

Topics:

Installed MynaVoice Recording Services 46
MynaVoice Recording Services - Core Server 48
MynaVoice Recording Services - Satellite 50
MynaVoice Recording Services - CTI Server 51
Required Windows Services 52
Windows Data Execution Prevention (DEP) 54
SMB Signing 54
E-mail Filtering 54
Local or Group Policy Security Settings 55
Group Policy Security Settings 55
Local Security Settings 56
Enabling IPsec Encryption 58
Configure Transport Encryption for File Shares 69


Installed MynaVoice Recording Services

MynaVoice Recording, its integrations, resilience and other applications all require their specific services, installed on the MynaVoice servers by the setup.

Important! All installed MynaVoice Recording services are vital to proper functioning of the recording integration, and must not be disabled or uninstalled.

'CyberTech' services

The basic MynaVoice services have a display name that starts with 'CyberTech', a former MynaVoice Recording brand name, as you can see in the Windows Services Manager (Windows Start > Administrative Tools).

Figure 4-1: Example of Basic 'CyberTech' Services in Windows Services Manager


Figure 4-2: Example of Basic 'CyberTech' Services in Monitor Tool

NOTE: The old type Monitor Tool displays these services without the prefix 'CyberTech'.

The new type Monitor Tool offers you the option to display other services in this listing:

File > Settings, tab Services > field Monitored Services, enter (part of) the name of the service. Entries are case sensitive! Start each entry on a new line.

Which services are present on your servers depends on your MynaVoice configuration and the installed applications. The section below contains listings of all possible MynaVoice Recording services.


MynaVoice Recording Services - Core Server

MynaVoice Recording deploys the following services on a Core Server with Recording Channels and an integrated CTI Server. Services are listed by their display name.

Depending on your configuration, not all listed services might be available.

You can also use the list for a Core Server without channels and/or without CTI. Services on the Core Server that are specific for channels or CTI are marked in the column 'Purpose', and have a background color.

Prefix | Service | Purpose | Remark

CT | Core Server Resilience Management | Core Server Resilience | Only when CSR is installed
CT | Core Server Resilience Agent | Core Server Resilience | Only when CSR is installed
CyberTech | Call Controller | CTI |
CyberTech | CDR Processor for [vendor] | CDR |
CyberTech | Configuration Management | | Disabled by default
CyberTech | Connectivity Capture API | Core |
CyberTech | Connectivity Media Delivery | Channels |
CyberTech | Content Manager - Archiving | Archiving |
CyberTech | Content Manager - Storage | Archiving |
CyberTech | Controller Service | |
CyberTech | Core API | Core API | As from MynaVoice 6.7 PL1, Core API is installed by default. Latest version: 3.3.x
CyberTech | CTI Processor for [vendor] | CTI |
CyberTech | CTI/CDR Processor for [vendor] | CTI |
CyberTech | CTI Receiver | Channels |
CyberTech | Database Interface Client | Channels |
CyberTech | Database Interface Server | |
CyberTech | DSC Service | Channels |
CyberTech | Fault Manager | |
CyberTech | Filebeat service | | Always installed by MynaVoice setup.
CyberTech | Generic SipServer | CTI | Service for generic SIP Server link controller
CyberTech | HistoricalIngestionAgent service | | As from MynaVoice 6.7.1, always installed by MynaVoice setup.
CyberTech | Licensing Service | Channels | Dependent on DSC Service
CyberTech | Link Controller [vendor] | CTI | Service for connectivity to telephony or trading system
CyberTech | LogClean service | | Always installed by MynaVoice setup. Must be configured.
CyberTech | MAX Content Manager | Core API | Used by Fusion. Service name: CyberTechMediaManager
CyberTech | MAX SystemManager | Core API | Used by Fusion
CyberTech | MAX UserManager | Core API | Used by Fusion
CyberTech | Open Call Controller Webservice | CTI: OCC Interface | If installed. Not displayed in the list, appears as a website in IIS.
CyberTech | Recording Service | Channels |
CyberTech | Resilience Database Interface | Core Server Resilience |
CyberTech | Satellite Controller | Channels |
CyberTech | [vendor]SipServer | CTI | Service for SIP Server link controller
CyberTech | SystemOverview NodeAgent | |
- - - | MySQL Database Service | MySQL |

Table 4-1: Services: MynaVoice Core Server


MynaVoice Recording Services - Satellite

MynaVoice Recording deploys the following services on a satellite, or a satellite with CTI role installed on it. Depending on your configuration, not all services might be available.

Services specific for CTI are marked as such in the column 'Purpose'.

Prefix | Service | Purpose | Remark

CyberTech | Call Controller | CTI |
CyberTech | CDR Processor for [vendor] | CTI |
CyberTech | Configuration Management | | Disabled by default
CyberTech | Connectivity Media Delivery | |
CyberTech | Controller Service | |
CyberTech | CSR Connection Manager | Core Server Resilience |
CyberTech | CTI Processor for [vendor] | CTI |
CyberTech | CTI/CDR Processor for [vendor] | CTI |
CyberTech | CTI Receiver | |
CyberTech | Database Interface Client | |
CyberTech | DSC Service | |
CyberTech | Generic SipServer | CTI | Service for generic SIP Server link controller
CyberTech | Licensing Service | | Dependent on DSC Service
CyberTech | Link Controller [vendor] | CTI | Service for connectivity to telephony or trading system
CyberTech | Open Call Controller Webservice | CTI: OCC Interface, if installed | Not displayed in the list, but appears as a website in IIS.
CyberTech | RabbitMQ Server | |
CyberTech | Recording Service | |
CyberTech | Resilience Database Interface | CTI for Core Server Redundancy |
CyberTech | Satellite Controller | |
CyberTech | [vendor]SipServer | CTI | Service for SIP Server link controller

Table 4-2: Services: MynaVoice Satellite


MynaVoice Recording Services - CTI Server

MynaVoice Recording deploys the following services on a CTI Server. Depending on your configuration, not all services might be available.

If the CTI role is installed on a satellite, refer to section MynaVoice Recording Services - Satellite on the previous page.

If the CTI role is installed on a Core Server, refer to section MynaVoice Recording Services - Core Server on page 48.

Prefix | Service | Purpose | Remark

CyberTech | Call Controller | |
CyberTech | CDR Processor for [vendor] | |
CyberTech | Configuration Management | | Disabled by default
CyberTech | CSR Connection Manager | Core Server Redundancy |
CyberTech | CTI/CDR Processor for [vendor] | |
CyberTech | CTI Processor for [vendor] | |
CyberTech | Database Interface Client | |
CyberTech | Generic SipServer | | Service for generic SIP Server link controller
CyberTech | Link Controller [vendor] | | Service for connectivity to telephony or trading system
CyberTech | Open Call Controller Webservice | CTI: OCC Interface, if installed | Not displayed in the list, but appears as a website in IIS.
CyberTech | Resilience Database Interface | Core Server Redundancy |
CyberTech | Service Monitor | | Replaces Controller Service
CyberTech | [vendor]SipServer | | Service for SIP Server link controller

Table 4-3: Services: MynaVoice CTI Server
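Tables 4-1 to 4-3 list every service the setup may install, but which ones exist on a given server depends on its configuration, so a fixed checklist cannot be verified mechanically. What can be checked is the requirement stated above: no installed MynaVoice service may be disabled or uninstalled. The PowerShell script below is an added example, not part of the manual or the product; it inventories the services by the display-name prefixes the tables use ('CyberTech' and 'CT'), matches the MySQL service by service name (an assumption, since the table shows no prefix for it), flags any that are disabled (only Configuration Management is disabled by default), any automatic service that is not running, and any service added or removed since a baseline that it stores under %ProgramData% (a placeholder location of this example).

```powershell
# Added example: inventory the MynaVoice Recording services of Tables 4-1 to 4-3 and report
# services that are disabled, not running, or that appeared or disappeared since the baseline.
# Not part of the manual. Uses only Win32_Service via CIM, so it runs without extra modules.

function Get-MynaVoiceServiceState {
    # Display-name prefixes used in the tables: 'CyberTech ' (most services) and 'CT ' (Core Server
    # Resilience). The MySQL service is matched by service name; adjust if your instance differs.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like 'CyberTech *' -or
                       $_.DisplayName -like 'CT *' -or
                       $_.Name -like 'MySQL*' } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Name        = $_.Name
                StartMode   = $_.StartMode     # Auto, Manual or Disabled
                State       = $_.State         # Running or Stopped
                Account     = $_.StartName     # service account, useful for least-privilege review
                Path        = $_.PathName      # binary path, should sit under the excluded install folders
            }
        } | Sort-Object DisplayName
}

function Test-MynaVoiceServices {
    param([string] $BaselinePath = (Join-Path $env:ProgramData 'MynaVoiceServiceBaseline.csv'))

    $services = @(Get-MynaVoiceServiceState)
    $problems = @()

    foreach ($s in $services) {
        # Table 4-1: Configuration Management is "Disabled by default"; every other service must not be.
        if ($s.StartMode -eq 'Disabled' -and $s.DisplayName -notlike '*Configuration Management*') {
            $problems += "DISABLED: $($s.DisplayName) ($($s.Name))"
        }
        if ($s.StartMode -eq 'Auto' -and $s.State -ne 'Running') {
            $problems += "NOT RUNNING: $($s.DisplayName) ($($s.Name))"
        }
    }

    # First run records the baseline; later runs compare the set of installed services against it,
    # which catches a service that was uninstalled as well as one that was added.
    if (Test-Path -LiteralPath $BaselinePath) {
        $baseline = @(Import-Csv -LiteralPath $BaselinePath)
        $diff = Compare-Object -ReferenceObject @($baseline.Name) -DifferenceObject @($services.Name)
        foreach ($d in $diff) {
            $what = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            $problems += "$what since baseline: $($d.InputObject)"
        }
    } else {
        $services | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
        Write-Host "Baseline written to $BaselinePath"
    }

    [pscustomobject]@{ Services = $services; Problems = $problems }
}

$result = Test-MynaVoiceServices
$result.Services | Format-Table DisplayName, StartMode, State, Account -AutoSize
if ($result.Problems) { $result.Problems | ForEach-Object { Write-Warning $_ } }
else                  { Write-Host 'All MynaVoice services present, enabled and running as expected.' }
```

Run it once after installation to write the baseline, then from a scheduled task; a non-empty `Problems` list is the signal to investigate. The `Account` and `Path` columns are included because a hardening review also wants to see which identity each service runs under and that its binary lives in one of the install folders from chapter 3.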


Required Windows Services

MynaVoice Recording uses a number of Microsoft Windows services.

This section lists the commonWindows services, indicating which services are required forMynaVoiceRecording, and which are not.

Service | Required (Y/N) | Remark

Common HTTP Features
Static Content | Y | Required for showing static content (e.g. HTML and images)
Default Document | Y | Required for redirection to the default document (login.asp) when not specified in the URL
Directory Browsing | N | Used to browse directories when no document is specified in the URL
HTTP Errors | N | Used to display customized error pages
HTTP Redirection | N | Used to redirect users to another location
WebDAV Publishing | N | Used to deploy websites via HTTP

Application Development
ASP.NET | N | Currently no ASP.NET is used
.NET Extensibility | N | Currently no ASP.NET is used
ASP | Y | Required to show the MynaVoice Web GUI
CGI | N |
ISAPI Extensions | Y | Required when using ASP
ISAPI Filters | N |
Server Side Includes | N |

Health and Diagnostics
HTTP Logging | N | Not required but can be useful for debugging
Logging Tools | N | Not required but can be useful for debugging
Request Monitor | N | Not required but can be useful for debugging
Tracing | N | Not required but can be useful for debugging
Custom Logging | N | Not required but can be useful for debugging
ODBC Logging | N | Not required but can be useful for debugging

Security
Basic Authentication | N | Authentication is handled in code
Windows Authentication | N | Authentication is handled in code
Digest Authentication | N | Authentication is handled in code
Client Certificate Mapping Authentication | N | Authentication is handled in code
IIS Client Certificate Mapping Authentication | N | Authentication is handled in code
URL Authorization | N |
Request Filtering | Y | Required by ASP feature
IP and Domain Restrictions | N |

Performance
Static Content Compression | Y | Used by IIS to compress static content
Dynamic Content Compression | N |

Management Tools
IIS Management Console | Y | Required to customize the web server
IIS Management Scripts and Tools | N |
Management Services | N |

IIS 6 Management Compatibility
IIS 6 Metabase Compatibility | Y | Required when installing IIS 6 Management Console
IIS 6 WMI Compatibility | Y | Used by the setup to make changes to the used application pool
IIS 6 Scripting Tools | N |
IIS 6 Management Console | N |

FTP Server
FTP Service | N | No FTP features are necessary to run MynaVoice Recording
FTP Extensibility | N |
IIS Host Web Core | N |

Table 4-4: Windows Services - Required and Not Required


Page 54: MynaVoice Recording 6.7 - Hardening Manual

Windows Data Execution Prevention (DEP)

Windows Data Execution Prevention (DEP) monitors installed software applications to verify if they use system memory safely. If an application tries executing code from memory in an incorrect way, DEP closes the program.

MynaVoice Recording software is trusted software. For MynaVoice, you do not need to disable DEP, or change any DEP settings.

For more information on DEP, see Microsoft.com pages, such as DEP - frequently asked questions.

SMB Signing

MynaVoice Recording supports SMB signing for Microsoft Active Directory.

E-mail Filtering

Any system of MynaVoice Recording can generate e-mail messages about occurring errors. These e-mails are sent to pre-defined e-mail addresses, set in the MynaVoice Web GUI, tabs system installation > global settings.

If you apply any kind of e-mail filtering, be sure all MynaVoice systems - Core Server, CTI or CDR Servers, satellites - are able to distribute their error message e-mails.


Page 55: MynaVoice Recording 6.7 - Hardening Manual

Local or Group Policy Security Settings

Security settings can be defined on the level of individual servers and on group level, depending on the customer's policy. Usually, Group Policy Security settings are used, as this is a centrally manageable policy for users within a domain. Some of the policy settings are domain-wide, other policy areas can be specified at the level of the organizational unit.

TIP: For details see Microsoft TechNet - Group Policy Security Settings.

Group Policy Security Settings

Group Policy Security settings are defined using the Local Group Policy Editor.

1. In the Windows Run field, type gpedit.msc.

Figure 4-3: Start Local Group Policy Editor

2. Press [Enter]. The window Local Group Policy Editor appears.

Figure 4-4: Local Group Policy Editor

3. Go to Windows Settings > Security Settings, and select the required policy item.

Here Account Policies > Password Policy is shown as an example.


Page 56: MynaVoice Recording 6.7 - Hardening Manual

4. Double-click the required line item, or right-click on it and select Properties. The settings window appears. It has a tab Explain, showing you more information about the item.

5. Adjust the setting as shown in the example below.

Figure 4-5: Example of a Local Group Policy Setting

6. Click OK.

7. When done, close the Editor.

TIP: For detailed instructions see Microsoft TechNet - Local Group Policy Editor.

Local Security Settings

Usually, on an individual system only a limited number of security settings can be defined. Settings defined by Group Policy Security are disabled on local level.

To define Local Security Settings:

1. Navigate to Windows Start > Administrative Tools > Local Security Policy. The window Local Security Policy appears.


Page 57: MynaVoice Recording 6.7 - Hardening Manual

Figure 4-6: Local Security Policy

2. Select the required Local Policy Object. In the example above this is Account Policies > Password Policy.

3. Double-click the required line item, or right-click on it and select Properties. The settings window appears. It has a tab Explain, showing you more information about the item.

This line item is defined by Group Policy Security, and is disabled here.

This line item can be set here, on local level.

4. Adjust the setting as shown in the example below.

Figure 4-7: Example of a Local Group Policy Setting

5. Click OK.

6. When done, close the window.


Page 58: MynaVoice Recording 6.7 - Hardening Manual

Enabling IPsec Encryption

You can provide additional security to the servers of a MynaVoice Recording system by enabling Internet Protocol security (IPsec). By encrypting all communication between the servers, IPsec prevents any 'network sniffing' security issues.

By applying IPsec the following communication paths (port numbers) are encrypted. Unencrypted access is blocked.

NOTE: By enabling encrypted recording you can encrypt all audio data in the system, even without enabling IPsec.

Communication to non-encrypted services such as NTP or SNMP is not affected.

You can secure web communication by enabling HTTPS as described in chapter Web Server Security on page 73.

Procedure

This procedure describes how to enable IPsec on Windows 2008 R2. On each server of the MynaVoice Recording system:

1. Open the Local Security Policy window: Start > All Programs > Administrative Tools, or enter secpol.msc in the Search programs and files field.

2. Right-click on IP Securities on Local Computer. From the menu, select Create IP Security Policy....


Page 59: MynaVoice Recording 6.7 - Hardening Manual

Security Policy

Welcome window of the IP Security Policy Wizard

3. Click Next.

IP Security Policy Name

4. Assign a proper name to your policy. The name used here is an example.

5. If necessary, describe your policy. Click Next.

Request for Secure Communication

6. Do not select the checkbox Activate the default response rule. Click Next.


Page 60: MynaVoice Recording 6.7 - Hardening Manual

Completing the IP Security Policy Wizard

7. Select the checkbox Edit properties. Click Finish.

Properties of your Security Policy

8. In the tab Rules, click Add.

IP Security Rule: Welcome window of the Create IP Security Rule Wizard

9. Click Next.


Page 61: MynaVoice Recording 6.7 - Hardening Manual

Tunnel Endpoint

10. Select the radio button This rule does not specify a tunnel.

11. Click Next.

Network Type

12. Select the radio button All network connections.

13. Click Next.

IP Filter List

The field does not show any filter lists.

14. Click Add to open a window in which you can define a list.


Page 62: MynaVoice Recording 6.7 - Hardening Manual

15. In this window, enter a Name and, if necessary, a Description for your filter list. The name shown here is an example.

16. To create the new filter within the list, click Add.

IP Security Rule > IP Filter: Welcome window of the IP Filter Wizard

17. Click Next.

The window IP Filter Description and Mirrored property appears (not shown here).

18. Enter a Description, if necessary.

19. Select the checkbox Mirrored.

20. Click Next.

IP Traffic Source

21. From the drop-down menu, select Any IP Address.

22. Click Next.


Page 63: MynaVoice Recording 6.7 - Hardening Manual

IP Traffic Destination

23. From the drop-down menu, select Any IP Address.

24. Click Next.

IP Protocol Type

25. From the drop-down menu, select TCP.

26. Click Next.

IP Protocol Port

27. Select the radio buttons From any port and To this port.

28. Enter port number 3306.

29. Click Next.


Page 64: MynaVoice Recording 6.7 - Hardening Manual

Completing the IP Filter Wizard

Do not select the checkbox Edit properties.

30. Click Finish.

IP Security Rule (continued)

You now return to the IP Filter List, with the newly created filter added to the field IP Filters.

31. Click Add to create a new filter within the list.

Repeat this procedure from Step to add the other port numbers: 6003, 6006, 4250, 4245, 4345, 5002.

32. When done, click OK in this window.

Security Rule Wizard, window IP Filter List

33. Select the radio button of the IP filter list you created.

34. Click Next.


Page 65: MynaVoice Recording 6.7 - Hardening Manual

Security RuleWizard, window Filter Action

35. Make sure the checkbox Use Add Wizard is selected, and click Add.

IP Security Rule > IP Filter Action: Welcome window of the IP Security Filter Action Wizard

36. Click Next.

The window Filter Action Name appears (not shown here).

37. Enter a proper Name and, if necessary, a Description for your filter action.

38. Click Next.

Filter Action General Options

39. Select the radio button Negotiate security.

40. Click Next.


Page 66: MynaVoice Recording 6.7 - Hardening Manual

Communicating with computers...

41. Select the radio button Do not allow unsecured communication.

42. Click Next.

IP Traffic Security

43. Select the radio button Integrity and encryption.

44. Click Next.

Completing the IP Security Filter Action Wizard

Do not select the checkbox Edit properties.

45. Click Finish.

IP Security Rule (continued)


Page 67: MynaVoice Recording 6.7 - Hardening Manual

Filter Action

46. Select the button of the Filter Action you just created, and click Next.

Authentication Method

47. Select the radio button of your preferred authentication method.

MynaVoice recommends using certificates or the Kerberos V5 protocol.

We advise against preshared key authentication because it is a relatively weak authentication method. Use preshared keys only for testing purposes.

48. Click Next.

Completing the Security Rule Wizard

Do not select the checkbox Edit properties.

49. Click Finish.

Properties


Page 68: MynaVoice Recording 6.7 - Hardening Manual

The window showing the Properties, tab Rules, of your security policy re-appears.

50. Click OK.

You have now created your IPsec policy.

As a last step, you have to activate the created security policy.

51. Open the Local Security Policy window again: Start > All Programs > Administrative Tools, or enter secpol.msc in the Search programs and files field.

52. Right-click on IP Securities on Local Computer. Your policy is displayed in the right-hand pane.

53. Right-click it. In the menu, select Assign.

Your Internet Protocol Security policy has now been activated.
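The same policy can be built without the wizard. The PowerShell script below is an added example and not part of the MynaVoice manual; it uses netsh ipsec static, the command-line interface to the same Local Security Policy IPsec store on Windows 2008 R2. The policy, filter list, filter action and rule names are placeholders, the port list is the one given in the procedure above, and authentication is Kerberos V5 as recommended.

```powershell
# Added example (not from the MynaVoice manual): the IPsec policy of steps 1-53 built with
# netsh ipsec static. Run elevated on each server of the MynaVoice Recording system.
# Names are placeholders; the ports are the ones listed in the procedure.
$policy     = 'MynaVoice-IPsec'
$filterList = 'MynaVoice-Ports'
$action     = 'MynaVoice-RequireEncryption'
$rule       = 'MynaVoice-Rule'
$ports      = 3306, 6003, 6006, 4250, 4245, 4345, 5002

# Steps 4-7: new policy; the default response rule stays off; not assigned yet.
netsh ipsec static add policy name=$policy activatedefaultrule=no assign=no

# Steps 14-31: one mirrored TCP filter per port, any source address to any destination
# address, from any source port (srcport=0) to the listed destination port.
netsh ipsec static add filterlist name=$filterList
foreach ($port in $ports) {
    netsh ipsec static add filter filterlist=$filterList srcaddr=any dstaddr=any protocol=TCP srcport=0 dstport=$port mirrored=yes
}

# Steps 35-45: negotiate security, never fall back to clear text (soft=no), no unsecured
# inbound traffic (inpass=no), "Integrity and encryption" = ESP. 3DES/SHA1 is what the
# wizard's default produces; this legacy store offers DES and 3DES only, AES needs
# Windows Firewall with Advanced Security connection security rules on newer systems.
netsh ipsec static add filteraction name=$action action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

# Steps 8-13 and 46-49: no tunnel, all network connections, Kerberos V5 authentication.
netsh ipsec static add rule name=$rule policy=$policy filterlist=$filterList filteraction=$action conntype=all kerberos=yes

# Steps 51-53: assign (activate) the policy, then show what was stored for verification.
netsh ipsec static set policy name=$policy assign=y
netsh ipsec static show policy name=$policy level=verbose
```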


Page 69: MynaVoice Recording 6.7 - Hardening Manual

Configure Transport Encryption for File Shares

For improved security you can enable encryption on transfer for file shares, preventing network sniffers from reading the transferred data.

1. On the host where you want to host the file share, use Server Manager to add the role File and Storage Services.

2. Under Shares you can create a new share or see your existing share:


Page 70: MynaVoice Recording 6.7 - Hardening Manual

3. Right-click on the share and select Properties. Under properties, select Settings and change Encrypt data access:

4. Click Apply and your share will now be encrypted at transport.


Page 71: MynaVoice Recording 6.7 - Hardening Manual

How to Check If Encryption Is Enabled

Using Wireshark you can check the communication that uses SMB2.

If your data was encrypted, you will see in the info:

ENCRYPTED SMB3


Page 72: MynaVoice Recording 6.7 - Hardening Manual

If your data was not encrypted you see Read Response with plain bytes included. In this example you see the text 'Hello shares' in the bytes section.
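As an added check alongside the Wireshark test, the following PowerShell script (an example added here, not part of the MynaVoice manual) reports from the file server itself which shares still allow unencrypted access and what the server-wide SMB encryption settings are. It assumes the SmbShare module of Windows Server 2012 or later and an elevated prompt.

```powershell
# Added example (not from the MynaVoice manual): server-side view of the setting that
# "Encrypt data access" in Server Manager changes. Requires the SmbShare module
# (Windows Server 2012 or later) and an elevated PowerShell session.
Import-Module SmbShare

function Get-UnencryptedShare {
    # Non-administrative shares (Special = C$, ADMIN$, IPC$ ...) that do not require
    # SMB3 encrypted data access; these are the ones Wireshark shows as plain Read Response.
    Get-SmbShare | Where-Object { -not $_.Special -and -not $_.EncryptData } |
        Select-Object Name, Path, EncryptData
}

function Get-SmbEncryptionSummary {
    # EncryptData: encrypt every share server-wide. RejectUnencryptedAccess: refuse clients
    # that cannot encrypt (SMB 2.x and older); if it is off they get the share in clear text.
    Get-SmbServerConfiguration |
        Select-Object EncryptData, RejectUnencryptedAccess, EnableSMB1Protocol
}

$open = Get-UnencryptedShare
if ($open) {
    Write-Warning 'Shares without transport encryption:'
    $open | Format-Table -AutoSize
    # To enforce encryption on them (same effect as the Server Manager checkbox above):
    # $open | ForEach-Object { Set-SmbShare -Name $_.Name -EncryptData $true -Force }
} else {
    Write-Output 'All non-administrative shares require SMB encryption.'
}
Get-SmbEncryptionSummary | Format-List
```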


Page 73: MynaVoice Recording 6.7 - Hardening Manual

5: Web Server Security

Communication between the MynaVoice Recording web server (Core Server) and the web clients requires a secure HTTPS connection.

This prevents capturing of any MynaVoice Recording related information from the network, accidentally or with malicious intent. The web client's temporary internet files cache will not contain any traces of MynaVoice Recording client sessions.

The first part of this chapter describes how to enable TLS security.

The second part contains additional, non-TLS related steps to enhance your web server security.

Topics:

Supported Security Versions 74

TLS (SSL) Security 76

Enabling HTTP Only and Secure Cookies 83

Preventing Cross Frame Scripting 96

Hiding Version Information in the Server Header 98

Remove the X-Powered-By Header 103

Enforcing Account Lockout (MynaVoice) 106


Page 74: MynaVoice Recording 6.7 - Hardening Manual

Supported Security Versions

TLS / SSL

Transport Layer Security (TLS), previously Secure Socket Layer security (SSL), are cryptographic protocols that provide communications security over a computer network. For HTTPS connections you must enable such a protocol. The TLS protocol is a more up-to-date and secure version of SSL, and is therefore considered an absolute requirement.

NOTE: Although the use of SSL is not advised, the term "SSL" is still widely used for both SSL and TLS.

In this manual we distinguish between both protocols, but will adhere to the use of the term "SSL certificates", which is still common, for example in the IIS windows.

Supported versions:

MynaVoice Recording:

As from version 6.7 PL4, MynaVoice Recording supports TLS 1.2 only. Earlier TLS and SSL versions are disabled.

Lower MynaVoice versions support TLS 1.0 and TLS 1.1.

Important! Do not use the SSL 2.0 and 3.0 protocols on the OS level. We do not recommend TLS 1.0 and 1.1.

Ciphers

MynaVoice supports all secure ciphers.

Recommended secure ciphers are, as of March 2018: 'AES 128/128', 'AES 256/256'.

These options are set system-wide via the registry. A specific reg file can be obtained via the MynaVoice Support Desk, to load the correct values using the command line.

The figure below shows the required settings, using IIS Crypto.


Page 75: MynaVoice Recording 6.7 - Hardening Manual

* In certain cases you need to select TLS 1.0 and 1.1 as well. See Supported versions: on the previous page.

When done, reboot the system to make all changes come into effect.

NOTE: MynaVoice Recording remains working when HTTP is completely disabled, or when weak ciphers are disabled ('DES 56/56', 'NULL', 'RC2 128/128', 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168').
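The registry values that IIS Crypto or the Support Desk reg file write can be audited afterwards. The PowerShell script below is an added example, not part of the MynaVoice manual or its reg file; it reads the Schannel protocol and cipher keys and flags entries that deviate from the versions and ciphers given above.

```powershell
# Added example (not from the MynaVoice manual): read-only audit of the system-wide Schannel
# settings this section describes. "Default" means the key is absent and the OS default applies.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelState {
    param([string]$Parent, [string]$Name)
    # Cipher key names contain '/', which the PowerShell registry provider treats as a path
    # separator, so the subkey is opened through .NET instead of Test-Path/Get-ItemProperty.
    $parentKey = Get-Item -Path $Parent -ErrorAction SilentlyContinue
    if (-not $parentKey) { return 'Default' }
    $sub = $parentKey.OpenSubKey($Name)
    if (-not $sub) { return 'Default' }
    $enabled = $sub.GetValue('Enabled')   # DWORD: 0 = disabled, 1 or 0xffffffff = enabled
    $sub.Close()
    if ($null -eq $enabled) { 'Default' } elseif ($enabled -eq 0) { 'Disabled' } else { 'Enabled' }
}

# Protocols: SSL 2.0 and 3.0 must be disabled; from 6.7 PL4 the server side needs only TLS 1.2.
'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object {
    [pscustomobject]@{
        Protocol = $_
        Server   = Get-SchannelState -Parent "$schannel\Protocols\$_" -Name 'Server'
        Client   = Get-SchannelState -Parent "$schannel\Protocols\$_" -Name 'Client'
    }
} | Format-Table -AutoSize

# Ciphers: the recommended AES entries must not be disabled; the weak list from the NOTE must be.
$weak = 'DES 56/56', 'NULL', 'RC2 128/128', 'RC2 40/128', 'RC2 56/128',
        'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168'
$recommended = 'AES 128/128', 'AES 256/256'
($recommended + $weak) | ForEach-Object {
    $state = Get-SchannelState -Parent "$schannel\Ciphers" -Name $_
    $compliant = if ($weak -contains $_) { $state -eq 'Disabled' } else { $state -ne 'Disabled' }
    [pscustomobject]@{ Cipher = $_; State = $state; Compliant = $compliant }
} | Format-Table -AutoSize
```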


Page 76: MynaVoice Recording 6.7 - Hardening Manual

TLS (SSL) Security

To ensure HTTPS is used for web connections, you have to set up a secure binding and disable the standard 'plain text' binding. When setting up the secure binding you need to select an SSL certificate, which must be created before you set up the binding.

SSL Certificates 76

Enabling TLS Security 77

SSL Certificate Settings 78

SSL Certificates

The following types of certificates exist:

Certificate issued by a public or commercial Certificate Authority (CA). Not necessary for internal networks.

Certificate issued by the company (customer) itself, based on a CA certificate. This is a cost-effective and secure solution for internal networks.

Self-signed certificate. This is not fully secure. It ensures an encrypted connection, but 'man-in-the-middle' attacks are still possible. MynaVoice advises against this type of certificate for purposes other than testing.

In Windows you can create a self-signed certificate using Internet Information Services (IIS) Manager.

Installed certificate

If you have created and installed a certificate in Windows you can check it as follows:

1. Open the Internet Information Services (IIS) Manager, select Connections > <localhost name> > Server Certificates.

2. Select the certificate. It will look like the following example:


Page 77: MynaVoice Recording 6.7 - Hardening Manual

If you have multiple Core Servers, for example in 2N Recording, each Core Server requires its unique certificate.

Enabling TLS Security

To make sure the connection between web client and web server always uses HTTPS, take the following actions:

Make an SSL certificate available and install it on the Core Server(s).

On the MynaVoice Recording Core Server(s):

Set the site binding to secure in the Internet Information Services (IIS) Manager.

Set up Internet Information Services (IIS) Manager to allow only HTTPS connections.

Change the desktop shortcut to HTTPS.

When applicable, you must re-bind the certificate.

Self-signed certificate

If you use a self-signed certificate, you have to perform additional actions. MynaVoice advises against the use of self-signed certificates for purposes other than testing.

Importing the certificate on the web client

Setting up the certificate on the Core Server for access by local services

Setting up the web clients to use this self-signed certificate


Page 78: MynaVoice Recording 6.7 - Hardening Manual

Internet Information Services (IIS) Manager

You can access the IIS Manager in two ways:

Windows Start > Administrative Tools > Internet Information Services (IIS) Manager

Windows Start > Server Manager > IIS > Tools > Internet Information Services (IIS) Manager

For details, refer to the sections below.

SSL Certificate Settings

Perform the following steps to ensure proper functioning of the certificate.

Setting Site Binding

To set the secure site binding:

1. In the Internet Information Services (IIS) Manager, navigate to Connections, expand the <local host name> (below 'Start Page').

2. Expand Sites.

3. Right-click Default Web Site. From the menu, select Edit Bindings....

The pane Site Bindings appears.

4. Click Add. The pane Add Site Binding appears.


Page 79: MynaVoice Recording 6.7 - Hardening Manual

5. Type: from the drop-down menu, select https. The port number changes to 443.

IP address: leave as is.

6. The field SSL certificate: appears. Select the required certificate. Below an example is shown.

7. Click OK. Verify in the Site Bindings pane that the certificate has been added.

The asterisk * indicates 'All Unassigned' IP addresses.

Do not remove the port 80 binding.


Page 80: MynaVoice Recording 6.7 - Hardening Manual

8. Click Close.

9. Restart the website: right-click Default Web Site.

10. From the menu, select Manage Web Site ► Restart.


Page 81: MynaVoice Recording 6.7 - Hardening Manual

Setting up IIS for HTTPS Only

To set up IIS to allow only HTTPS connections:

1. In the Internet Information Services (IIS) Manager, navigate to the web site to be secured. For MynaVoice this is Connections > <localhost name> > Sites > Default Web Site.

2. Click the icon SSL Settings.

3. The pane SSL Settings appears. Select Require SSL.

4. Under Client certificates:, select the radio button in accordance with the company policy.

5. In the pane Actions, click Apply.

6. Restart the website: right-click Default Web Site. From the menu, select Manage Web Site ► Restart.


Page 82: MynaVoice Recording 6.7 - Hardening Manual

Redirecting the Desktop Shortcut

The MynaVoice Web GUI can be opened using the default 'CyberTech Recording Solution Application' desktop icon. Set this shortcut to HTTPS as follows:

1. Right-click the shortcut icon. From the menu, select Properties.

2. In the field Target, add an s to http.

3. Click OK.

Re-binding a Certificate after Upgrading MynaVoice Recording

If you upgrade MynaVoice Recording, the SSL certificate becomes unbound. You must re-bind it, using the IIS Manager. Refer to Setting Site Binding above.


Page 83: MynaVoice Recording 6.7 - Hardening Manual

Enabling HTTP Only and Secure Cookies

A cookie that has an HTTPOnly attribute is available to the browser, but it cannot be accessed by client-side APIs, such as JavaScript. This restriction eliminates, amongst others, session hijacking attacks and the threat of cookie theft via cross-site scripting (XSS).

For security reasons, you have to enable HTTPOnly on the Core Server. It must be done for MynaVoice Recording.

This section describes how to:

Enable HTTPOnly Cookies Using URLRewrite 2.1.

Enable Secure Cookies Using URLRewrite 2.1.


Page 84: MynaVoice Recording 6.7 - Hardening Manual

Enable HTTPOnly Cookies Using URLRewrite 2.1

1. Click the link below to download IIS URL Rewrite 2.1:

www.iis.net/downloads/microsoft/url-rewrite

2. Copy the downloaded file to the Core Server, and install the application. Follow the installation wizard.

3. When done, open the Internet Information Services (IIS) Manager on the web server (Windows Start > Server Manager > in top menu Tools > Internet Information Services (IIS) Manager).

4. In Connections select the web server (below 'Start Page'). This ensures the created rules apply to all web sites and applications hosted on this server.

5. In the <server> Home pane in the middle, go to section IIS and open URL Rewrite.

6. In the Actions pane on the right, select Add Rule(s)….


Page 85: MynaVoice Recording 6.7 - Hardening Manual

The window Add Rule(s) appears.

7. Under Outbound rules, double-click Blank rule.

The window Edit Outbound Rule appears.


Page 86: MynaVoice Recording 6.7 - Hardening Manual

8. Enter:

Name: Free text. Assign a logical, easy-to-use name e.g.: “Add HttpOnly”

Precondition: select Create New Precondition

The Add Precondition window appears.

Enter:

Name: Free text, e.g.: “No HttpOnly”

Using: Regular Expressions

Logical grouping: Match All

9. Click Add….

The Add Condition window appears.


Page 87: MynaVoice Recording 6.7 - Hardening Manual

10. Enter:

Condition input: {RESPONSE_CONTENT_TYPE}

Check if input string: Matches the Pattern

Pattern: . (a single dot)

Ignore case: leave the checkbox selected

11. Click OK.

The Add Precondition window reappears.

12. Click Add… again to enter a second condition.

The Add Condition window appears.


Page 88: MynaVoice Recording 6.7 - Hardening Manual

13. Enter:

Condition input: {RESPONSE_CONTENT_TYPE}

Check if input string: Does Not Match the Pattern

Pattern: ; HttpOnly (a semi-colon followed by a space and HttpOnly)

Ignore case: leave the checkbox selected

14. Click OK.

The Add Precondition window reappears.

Two preconditions are listed.

15. Click OK.

The Edit Outbound Rule window reappears.


Page 89: MynaVoice Recording 6.7 - Hardening Manual

16. Enter:

Match

Matching scope: Server Variable

Variable name: RESPONSE_Set_Cookie

Variable value: Matches the Pattern

Using: Regular Expressions

Pattern: .+ (a dot followed by a plus sign)

Ignore case: leave the checkbox selected

Conditions

Leave the default (no conditions)

Action

Action type: Rewrite

Action Properties

Value: {R:0}; HttpOnly

Select the checkbox Replace existing server variable value

Checkbox Stop processing of...: do not select

17. In the Actions pane on the right, select Apply.


Page 90: MynaVoice Recording 6.7 - Hardening Manual

Enable Secure Cookies Using URLRewrite 2.1

A cookie that has a Secure attribute is only transmitted over an encrypted connection, i.e. only when using HTTPS. By only sending (session) cookies over an encrypted channel, man-in-the-middle attacks, like snooping, are prevented.

1. If IIS URL Rewrite 2.1 is not yet installed, click the link below to download it:

www.iis.net/downloads/microsoft/url-rewrite

2. Copy the downloaded file to the Core Server, and install the application. Follow the installation wizard.

3. When done, open the Internet Information Services (IIS) Manager on the web server (Windows Start > Server Manager > in top menu Tools > Internet Information Services (IIS) Manager).

4. In Connections select the web server (below 'Start Page').

5. In the <server> Home pane in the middle, go to section IIS and open URL Rewrite.

6. In the Actions pane on the right, select Add Rule(s)….


Page 91: MynaVoice Recording 6.7 - Hardening Manual

The window Add Rule(s) appears.

7. Under Outbound rules, double-click Blank rule.

The window Edit Outbound Rule appears.


Page 92: MynaVoice Recording 6.7 - Hardening Manual

8. Enter:

Name: Free text. Assign a logical, easy-to-use name e.g.: “Add Secure”

Precondition: select Create New Precondition

The Add Precondition window appears.

Enter:

Name: Free text, e.g.: “No Secure”

Using: Regular Expressions

Logical grouping: Match All

9. Click Add….

The Add Condition window appears.


Page 93: MynaVoice Recording 6.7 - Hardening Manual

10. Enter:

Condition input: {RESPONSE_CONTENT_TYPE}

Check if input string: Matches the Pattern

Pattern: . (a single dot)

Ignore case: leave the checkbox selected

11. Click OK.

The Add Precondition window reappears.

12. Click Add… again to enter a second condition.

The Add Condition window appears.

13. Enter:

Condition input: {RESPONSE_CONTENT_TYPE}

Check if input string: Does Not Match the Pattern


Page 94: MynaVoice Recording 6.7 - Hardening Manual

Pattern: ; Secure (a semi-colon followed by a space and Secure)

Ignore case: leave the checkbox selected

14. Click OK.

The Add Precondition window reappears.

Two preconditions are listed.

15. Click OK.

The Edit Outbound Rule window reappears.


Page 95: MynaVoice Recording 6.7 - Hardening Manual

16. Enter:

Match

Matching scope: Server Variable

Variable name: RESPONSE_Set_Cookie

Variable value: Matches the Pattern

Using: Regular Expressions

Pattern: .+ (a dot followed by a plus sign)

Ignore case: leave the checkbox selected

Conditions

Leave the default (no conditions)

Action

Action type: Rewrite

Action Properties

Value: {R:0}; Secure

Select the checkbox Replace existing server variable value

Checkbox Stop processing of...: Make sure it is not selected

17. In the Actions pane on the right, select Apply.


Page 96: MynaVoice Recording 6.7 - Hardening Manual

Preventing Cross Frame Scripting

Cross Frame Scripting is used in 'phishing' attacks. The victim receives a link to a malicious site, which loads pages of the real application inside an HTML frame. While the user works in the framed application, the attacker's page can observe the user's actions and capture credentials and other sensitive information. The technique is also known as 'framesniffing'.

The procedure below prevents pages of the web GUI from being embedded in an HTML frame of an unauthorized site: the browser refuses to render the page when it is framed, so the frame stays blank.

Procedure

NOTE: This procedure sets the X-Frame-Options header in IIS. The application itself may already set it; check the response headers of the Login page (as in the verification steps of 'Hiding Version Information in the Server Header') before adding it a second time.

1. Go to the Internet Information Services (IIS) Manager, and expand the <local host name> (below 'Start Page').

2. In the Connections pane on the left side, expand Sites.

3. Select Default Web Site.

4. In the middle pane, section IIS, double-click the icon HTTP Response Headers.

5. In the Actions pane on the right side, click Add. The window Add Custom HTTP Response Header appears:


6. Fill in:

Name: X-Frame-Options

Value: SAMEORIGIN

7. Click OK.

With the value SAMEORIGIN, the X-Frame-Options header allows the site to be framed only by pages of the same origin; pages from other domains cannot host it in an IFRAME. Older guidance suggests the value ALLOW-FROM to permit specific other domains, but that value was only ever supported by some browsers and is ignored by current ones. If another domain really must be allowed to frame the web GUI, use the Content-Security-Policy header with a frame-ancestors directive instead.

For more information, see Microsoft Support - Mitigating framesniffing.


Hiding Version Information in the Server Header

By default, Internet Information Services (IIS) adds a Server header to every response, stating the name and version of the web server that processed the request (for example Microsoft-IIS/7.5). This version information lets an attacker fingerprint the server and select exploits that target exactly that version, so it should not be disclosed.

The procedures below describe how to hide this version information. This must be done for MynaVoice Recording.

The steps depend on the version of IIS.

Procedure to hide version information: IIS 7.5 and higher

For this procedure you require IIS URL Rewrite 2.1. Download it from www.iis.net/downloads/microsoft/url-rewrite.

1. On the web server, install URL Rewrite 2.1 according to the instructions on the website. Follow the setup screens.

2. When done, open the Internet Information Services (IIS) Manager on the web server.

(Windows Start > Server Manager > in top menu Tools > Internet Information Services (IIS) Manager)

3. In Connections select the web server (below 'Start Page').

4. In the <server> Home pane in the middle, go to section IIS and open URL Rewrite.

5. In the Actions pane on the right, select Add Rule(s)….


The window Add Rule(s) appears.

6. Under Outbound rules, double-click Blank rule.

The window Edit Outbound Rule appears.


7. Enter:

Name: free text; assign a logical, easy-to-use name, e.g. "Drop Server Header"

Precondition: <None>

Match

Matching scope: Server Variable

Variable name: RESPONSE_Server


Variable value: Matches the Pattern

Using: Regular Expressions

Pattern: .+ (a dot followed by a plus sign)

Select the checkbox Ignore case

Conditions

Leave the default (no conditions)

Action

Action type: Rewrite

Action Properties

Value: leave blank

Select the checkbox Replace existing server variable value

Checkbox Stop processing of...: do not select

8. In the Actions pane on the right, select Apply.

The warning "No value is specified for the rewrite action." appears. You can ignore it: an empty value is exactly what blanks the header.

Now verify that the version information in the header is hidden:

9. In your browser, open the Login page of the MynaVoice application.

Do not log in to the application!

10. Open Developer Tools, depending on your browser:

In Chrome, press [Ctrl]+[Shift]+[I], or: in the Settings menu select More Tools > Developer Tools.

In Internet Explorer, press [F12], or: select Tools > F12 Developer Tools.

11. In the Developer Tools window, select the tab Network.

12. Refresh the Login page in the browser.

The Developer Tools > Network window shows all resources loaded from the web server as part of the request for the Login page.

13. In the column Name, select Login.htm?....

14. Select the Headers tab, scroll to Response Headers.

15. Verify that the Server header is empty (or no longer listed at all).


16. Close the Developer Tools window.
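The following PowerShell is an added example, not code from the manual or from MynaVoice. It creates the two URL Rewrite outbound rules of this chapter ('Enable Secure Cookies Using URL Rewrite 2.1' and 'Hiding Version Information in the Server Header') with the WebAdministration module instead of clicking through IIS Manager, and then performs the same check as steps 9 to 15 without a browser. It assumes URL Rewrite is installed and the site is named 'Default Web Site'; the rule names, the precondition name and the login URL are placeholders.

```powershell
# Added example, not part of the MynaVoice manual: creates the two URL Rewrite
# outbound rules of this chapter ("Enable Secure Cookies Using URL Rewrite 2.1" and
# "Hiding Version Information in the Server Header") with the WebAdministration
# module instead of clicking through IIS Manager, then checks the login page.
# Assumptions: URL Rewrite 2.x is installed; the site is "Default Web Site";
# rule/precondition names and the login URL are placeholders. Run elevated.
Import-Module WebAdministration

$site  = 'MACHINE/WEBROOT/APPHOST/Default Web Site'
$rules = 'system.webServer/rewrite/outboundRules'

function Add-OutboundRewriteRule {
    param(
        [string]$Name,
        [string]$ServerVariable,    # e.g. RESPONSE_Server or RESPONSE_Set_Cookie
        [string]$Value,             # rewrite value; '' blanks the header
        [string]$PreCondition = ''  # name of a precondition, or '' for <None>
    )
    # Drop a stale copy first so the script can be re-run.
    Remove-WebConfigurationProperty -PSPath $site -Filter $rules -Name '.' `
        -AtElement @{name = $Name} -ErrorAction SilentlyContinue
    $rule = @{name = $Name; stopProcessing = 'False'}   # "Stop processing" not selected
    if ($PreCondition) { $rule.preCondition = $PreCondition }
    Add-WebConfigurationProperty -PSPath $site -Filter $rules -Name '.' -Value $rule

    $r = "$rules/rule[@name='$Name']"
    # Match: server variable, regular expression ".+" (any non-empty header), ignore case.
    Set-WebConfigurationProperty -PSPath $site -Filter "$r/match" -Name 'serverVariable' -Value $ServerVariable
    Set-WebConfigurationProperty -PSPath $site -Filter "$r/match" -Name 'pattern' -Value '.+'
    Set-WebConfigurationProperty -PSPath $site -Filter "$r/match" -Name 'ignoreCase' -Value 'True'
    # Action: Rewrite, with "Replace existing server variable value" selected.
    Set-WebConfigurationProperty -PSPath $site -Filter "$r/action" -Name 'type' -Value 'Rewrite'
    Set-WebConfigurationProperty -PSPath $site -Filter "$r/action" -Name 'value' -Value $Value
    Set-WebConfigurationProperty -PSPath $site -Filter "$r/action" -Name 'replace' -Value 'True'
}

# Precondition for the cookie rule: a Set-Cookie header is present AND it does not
# already contain "; Secure". The second test keeps the rule from appending the
# flag twice when the application already sets it.
$pc     = 'SetCookieWithoutSecure'
$pcPath = "$rules/preConditions/preCondition[@name='$pc']"
Remove-WebConfigurationProperty -PSPath $site -Filter "$rules/preConditions" -Name '.' `
    -AtElement @{name = $pc} -ErrorAction SilentlyContinue
Add-WebConfigurationProperty -PSPath $site -Filter "$rules/preConditions" -Name '.' -Value @{name = $pc}
Add-WebConfigurationProperty -PSPath $site -Filter $pcPath -Name '.' `
    -Value @{input = '{RESPONSE_Set_Cookie}'; pattern = '.'}
Add-WebConfigurationProperty -PSPath $site -Filter $pcPath -Name '.' `
    -Value @{input = '{RESPONSE_Set_Cookie}'; pattern = '; Secure'; negate = 'True'}

Add-OutboundRewriteRule -Name 'Add Secure to cookies' -ServerVariable 'RESPONSE_Set_Cookie' `
    -Value '{R:0}; Secure' -PreCondition $pc
Add-OutboundRewriteRule -Name 'Drop Server Header' -ServerVariable 'RESPONSE_Server' -Value ''

# Verification: the check of steps 9-15 without a browser. The recorder's certificate
# must be trusted by this machine, otherwise Invoke-WebRequest refuses the connection.
$url  = 'https://recorder.example.local/Login.htm'          # placeholder
$resp = Invoke-WebRequest -Uri $url -UseBasicParsing -SessionVariable web
if ($resp.Headers['Server']) {
    Write-Warning ('Server header still disclosed: ' + $resp.Headers['Server'])
} else { 'Server header: empty (OK)' }
foreach ($c in $web.Cookies.GetCookies([uri]$url)) {
    '{0,-20} Secure={1} HttpOnly={2}' -f $c.Name, $c.Secure, $c.HttpOnly
    if (-not $c.Secure) { Write-Warning "Cookie $($c.Name) was issued without the Secure flag" }
}
```

Two caveats a deployment should take into account. A browser never sends a cookie marked Secure over plain http, so the web GUI must already be served over https before the cookie rule goes live, or logins will break. And on IIS 10 (Windows Server 2016 and later) the Server header can be suppressed without URL Rewrite by setting removeServerHeader to true in system.webServer/security/requestFiltering.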


Remove the X-Powered-By Header

Revealing that MynaVoice runs on ASP.NET only helps potential attackers narrow down their attacks. This header must be removed.

This must be done for MynaVoice Recording.

Procedure

1. Open the Internet Information Services (IIS) Manager on the web server.

(Windows Start > Server Manager > in top menu Tools > Internet Information Services (IIS) Manager)

2. In Connections select the web server (below 'Start Page').

3. In the <server> Home pane in the middle, go to section IIS and double-click HTTP Response Headers.

4. In the window HTTP Response Headers, select X-Powered-By.


5. Click Remove.

6. Select the Default Web Site and double-click HTTP Response Headers.

7. In the window HTTP Response Headers, select X-Powered-By.


8. Click Remove.

9. Close the IIS Manager.
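The following PowerShell is an added example, not code from the manual or from MynaVoice. It applies the two HTTP Response Headers changes of this chapter ('Preventing Cross Frame Scripting' and 'Remove the X-Powered-By Header') with the WebAdministration module and verifies them on the Login page. It assumes the site is named 'Default Web Site'; the login URL is a placeholder, and the commented Content-Security-Policy line goes beyond what the manual describes.

```powershell
# Added example, not part of the MynaVoice manual: applies the header changes of
# "Preventing Cross Frame Scripting" and "Remove the X-Powered-By Header" with the
# WebAdministration module and checks the result on the login page.
# Assumptions: site "Default Web Site"; the login URL is a placeholder. Run elevated.
Import-Module WebAdministration

$headers = 'system.webServer/httpProtocol/customHeaders'
$server  = 'MACHINE/WEBROOT/APPHOST'
$site    = "$server/Default Web Site"

# X-Powered-By: remove at server level (steps 1-5) and at site level (steps 6-8).
# At site level the entry is inherited, so the removal is stored as a <remove> element;
# if it is already gone at a scope, Remove-... fails harmlessly and we continue.
foreach ($scope in @($server, $site)) {
    Remove-WebConfigurationProperty -PSPath $scope -Filter $headers -Name '.' `
        -AtElement @{name = 'X-Powered-By'} -ErrorAction SilentlyContinue
}

# X-Frame-Options: SAMEORIGIN on the Default Web Site, added only if not present yet.
$xfo = Get-WebConfigurationProperty -PSPath $site -Filter "$headers/add[@name='X-Frame-Options']" -Name 'value'
if (-not $xfo) {
    Add-WebConfigurationProperty -PSPath $site -Filter $headers -Name '.' `
        -Value @{name = 'X-Frame-Options'; value = 'SAMEORIGIN'}
}
# Beyond the manual: the CSP equivalent, which is also the supported way to name other
# domains that may frame the site (ALLOW-FROM is not honoured by current browsers).
# Add-WebConfigurationProperty -PSPath $site -Filter $headers -Name '.' `
#     -Value @{name = 'Content-Security-Policy'; value = "frame-ancestors 'self'"}

# Verification without a browser. The recorder's certificate must be trusted.
$resp = Invoke-WebRequest -Uri 'https://recorder.example.local/Login.htm' -UseBasicParsing   # placeholder
$checks = @(
    @{Header = 'X-Powered-By';    Expect = $null },         # must be absent
    @{Header = 'X-Frame-Options'; Expect = 'SAMEORIGIN' }   # must be exactly this
)
foreach ($c in $checks) {
    $got = $resp.Headers[$c.Header]
    $ok  = if ($null -eq $c.Expect) { -not $got } else { $got -eq $c.Expect }
    '{0,-16} {1,-4} (got: {2})' -f $c.Header, $(if ($ok) { 'OK' } else { 'FAIL' }), $got
}
```

ASP.NET emits a second version header, X-AspNet-Version, that IIS Manager's HTTP Response Headers list does not show; it is switched off with enableVersionHeader="false" on the httpRuntime element in the application's web.config. The same Add-WebConfigurationProperty call, pointed at the folder scope 'MACHINE/WEBROOT/APPHOST/Default Web Site/files', is how the Cache-Control: no-store header of chapter 6 can be scripted.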


Enforcing Account Lockout (MynaVoice)

Attackers can use brute-forcing techniques to discover valid logon credentials. To prevent this, a user account must be locked out after multiple failed login attempts. We recommend a maximum of three failed attempts.

Perform the following procedure to configure this setting, using the MynaVoice Web GUI:

1. Open the MynaVoice Web GUI. For this, open Internet Explorer, and type in the address bar:

the IP address of the Core Server, when accessing from a different workstation, or

http://localhost, when accessing from the Core Server itself.

In the latter case you can also use the Recording Solution Application icon.

Now the login page of the web interface appears.

2. Check that the tab Main Administration is active.

3. Type the User name and Password of an account with Administrator rights.

4. Click the button to the right of the Password field, or press [Enter]. The main window of the Web GUI appears.

5. Select the tabs user administration > users. You only need to configure the users that are allowed to access the MynaVoice Web GUI. Typically, these are administrators, service, and other authorized users.

6. Double-click the user's line item (or click its Edit icon). The user's configuration panes appear.

7. Go to the pane Security settings for user account <user name>, field Number of login attempts allowed.


8. From the drop-down menu, select the required number of attempts. The setting is per user, so repeat steps 6 to 8 for every account that may reach the web GUI.


6: Web Client Internet Explorer Policy

For easy access to the recording system through any IP network, MynaVoice Recording uses a web-based graphical user interface (web GUI). You can access and browse this web GUI using Windows Internet Explorer (IE) from any web client system. For details of the MynaVoice Web GUI and its settings, refer to the MynaVoice Recording 6.7 - User Manual.

MynaVoice Recording supports Internet Explorer IE9, IE10 (in compatibility mode) and IE11 (in native mode).

Windows security settings on the web client can block specific web activities, which results in limited functionality of the MynaVoice Web GUI.

This chapter explains which security settings you have to apply in Internet Explorer to overcome these limitations and allow:

Access from the web client

Playback of recorded calls

Downloading of recorded calls from the recording system

Copying version information to the clipboard

Real-time playback of calls (supported by NTR 6.7 PL1 and lower)

Real-time channel overview

Besides the correct settings, call playback also requires Microsoft Silverlight to be installed.

For additional requirements that enable real-time playback of calls, see section Real-time Play on page 112.

NOTE: Earlier versions of MynaVoice Recording required Java and JavaScript to enable the real-time channel overview. In MynaVoice Recording R6.7 and higher they are no longer necessary for this purpose.

The sections below explain how to apply the correct settings. Make them available to the customer's system/network administrator.


Internet Explorer Security Level

Important! Only an authorized person is allowed to configure the security settings.

Verify settings

To verify the security settings of the MynaVoice Web GUI, using IE11:

1. Open Windows Internet Explorer on the web client.

2. In the address bar, enter the IP address or host name of the MynaVoice Recording Core Server. The MynaVoice Web GUI's log-on window appears. Do not log on to the web GUI.

3. Click the Tools button in the top right-hand corner, or the Tools top menu.

4. From the drop-down menu, select Internet options, tab Security.

5. The zone of the web GUI in your browser must be 'Internet' or 'Local intranet'.

Usually, the default settings are sufficient for a fully functional MynaVoice Web GUI.

You can customize the settings of the zone for the web GUI. For this, click Custom level....

Be sure that the parameters that can affect MynaVoice Recording are set correctly. See the listing below.


Group policy settings

A domain often has group policy settings. These are enforced by the domain controller and cannot be changed locally.

In such a case, adding MynaVoice Recording to the list of 'Trusted sites' can be an option. However, this setting might be blocked as well.

1. Select Trusted sites, and click the button Sites.

2. Decide whether to select the checkbox 'Require server verification (https:) for all sites in this zone'. If you select it, the web GUI must be addressed over https:.

3. Enter MynaVoice Recording's IP address or host name and click Add.

4. Click Close.

Required Security Settings

The following Internet Explorer security settings are required for a fully functional MynaVoice Web GUI.

1. Navigate to the tab Security, click the button Custom level....

Set all of the following to Enable:

ActiveX controls and plug-ins

Run ActiveX controls and plug-ins

Script ActiveX controls marked safe for scripting

Downloads

File download

Miscellaneous

Launching programs and files in an IFRAME

Submit non-encrypted form data

Scripting

Active scripting

Allow programmatic clipboard access

Scripting of Java applets

2. Click OK.

3. Navigate to the tab Advanced. Select the following checkboxes:

Multimedia

Play animations in web pages

Show pictures

4. Click OK, OK.

When done, reboot the web client system to make all changes come into effect.

Note that these settings relax the browser's defaults: ActiveX, programmatic clipboard access, non-encrypted form submission and launching files from an IFRAME all widen the attack surface of the client. Apply them only to the zone that contains the recorder (Local intranet or Trusted sites), leave the Internet zone at its defaults, and serve the web GUI over https so that non-encrypted form submission is never actually used.
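The following PowerShell is an added example, not code from the manual or from MynaVoice. It places the recorder's host name in the Trusted sites zone and applies the custom-level settings listed above to that zone only, so the Internet zone keeps its defaults. The host name is a placeholder; the numeric setting IDs are Microsoft's documented URL-action values for the Internet Settings zone keys (0 = Enable, 1 = Prompt, 3 = Disable), and the keys are per user (HKCU), so a domain group policy that manages them will override the result.

```powershell
# Added example, not part of the MynaVoice manual: maps the recorder host to the
# Trusted sites zone (2) and enables the custom-level settings from this section
# for that zone only. Per-user settings; a domain GPO managing these keys wins.
# Assumptions: "recorder.example.local" is a placeholder host name (an IP address
# is mapped under ZoneMap\Ranges instead, not shown here); the numeric IDs are the
# Microsoft URL-action values for these settings (KB182569): 0=Enable 1=Prompt 3=Disable.
$recorderHost = 'recorder.example.local'
$zoneTrusted  = 2
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Zone mapping: https (and http, until TLS is enforced) for this host -> Trusted sites.
$map = Join-Path $base "ZoneMap\Domains\$recorderHost"
New-Item -Path $map -Force | Out-Null
New-ItemProperty -Path $map -Name 'https' -PropertyType DWord -Value $zoneTrusted -Force | Out-Null
New-ItemProperty -Path $map -Name 'http'  -PropertyType DWord -Value $zoneTrusted -Force | Out-Null

# 2. Custom level for the Trusted sites zone. Keys are the URL-action IDs.
$settings = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1803' = 'File download'
    '1804' = 'Launching programs and files in an IFRAME'
    '1601' = 'Submit non-encrypted form data'
    '1400' = 'Active scripting'
    '1407' = 'Allow programmatic clipboard access'
    '1402' = 'Scripting of Java applets'
}
$zoneKey = Join-Path $base "Zones\$zoneTrusted"
foreach ($id in $settings.Keys) {
    Set-ItemProperty -Path $zoneKey -Name $id -Value 0 -Type DWord   # 0 = Enable
    '{0} -> Enable  ({1})' -f $id, $settings[$id]
}

# 3. Read back: each action must be 0 in the Trusted zone, while the Internet
# zone (3) keeps whatever it had, since it was not touched above.
$trusted  = Get-ItemProperty -Path $zoneKey
$internet = Get-ItemProperty -Path (Join-Path $base 'Zones\3')
foreach ($id in $settings.Keys) {
    '{0}: trusted={1} internet={2}' -f $id, $trusted.$id, $internet.$id
}
```

Restart Internet Explorer (or reboot, as the section above requires) before checking the result in Internet options > Security > Trusted sites > Custom level.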


Real-time Play

Important! As from MynaVoice Recording 6.7 PL2, Real-time Play is no longer available.

If you have MynaVoice 6.7 PL1 or lower installed, real-time play of calls is available if the web client system has:

Java installed

JavaScript enabled

In addition, all satellites require specific access to external communication pages on the Core Server. This is set in the IIS Manager on the Core Server. See section Setting Satellite Access to External Communication below.

Java

Important! If you have MynaVoice 6.7 PL2 or higher installed, real-time play is not available, and you do not need to install Java.

MynaVoice Recording 6.7 supports Java 8 (build 1.8) or higher. Java installation software is delivered on the installation CD of MynaVoice Recording 6.7, folder 'Additional Software'.

After installing Java, you have to configure its security settings to ensure TCP connections are allowed from the client computer:

Close all Java applets. Java applets are automatically closed when closing all Internet Explorer windows. Make sure there is no Java icon in the system tray.

1. Open Windows Explorer and navigate to the folder 'C:\Program Files (x86)\Java\jre<version>\lib\security'.

2. Copy the file java.policy. Paste it and rename it to java.policy-orig, as a backup.

3. Open the file java.policy for editing.

4. In the file do the following. The permission lines must be placed inside a grant { ... }; block; the file already contains the default block that applies to all code.

For Java 1.8, add the line

permission java.net.SocketPermission "*", "listen, accept, connect, resolve";

For Java 1.6 and 1.7, replace the line:

permission java.net.SocketPermission "localhost:1024-", "listen";

with

permission java.net.SocketPermission "*", "listen, accept, connect, resolve";

5. Save the file.

6. Reboot the system to make all changes come into effect.

7. Re-try the Real-Time Play option.

NOTE: "*" grants every applet that runs in this JRE the right to open and accept connections to and from any host, and java.policy applies to the whole JRE installation, not only to the MynaVoice applet. Prefer narrowing the policy: for each satellite, add a separate permission line containing only the IP address of that satellite system, for example:

permission java.net.SocketPermission "IP 1", "listen, accept, connect, resolve";

permission java.net.SocketPermission "IP 2", "listen, accept, connect, resolve";

etc.


JavaScript

By default, JavaScript is enabled. You can verify this as follows:

1. Open Windows Internet Explorer on the web client.

2. Click the Tools button in the top right-hand corner, or the Tools top menu.

3. From the drop-down menu, select Internet Options, tab Security.

4. Click the button Custom level....

5. Under Scripting, verify that Active scripting has been set to Enable.

6. Click OK, OK.

7. Refresh your Internet Explorer screen to activate JavaScript.

Setting Satellite Access to External Communication

Important! As from MynaVoice Recording 6.7 PL2, Real-time Play is no longer available.

To enable real-time playback (MynaVoice 6.7 PL1 or lower only), all satellites require specific access to external communication pages.

This procedure describes how to configure this in IIS 7.

Prerequisite: have the IP addresses of all satellites available.

1. On the Core Server, navigate to (Administrative Tools >) Internet Information Services (IIS) Manager, and expand <local host name> > Sites > Default Web Site.

2. In the left-hand pane, select the folder toolbox.


3. Click Content View at the bottom of the middle pane. The content of the toolbox folder appears.

4. Right-click externalCommunication.asp. From the menu, select Switch to Features View.


Do not use the 'Features View' button at the bottom for this!

The item externalCommunication.asp has now been added below the toolbox folder in the Connections pane.

5. In the pane Connections, select externalCommunication.asp in the toolbox folder.

6. In the pane externalCommunication.asp Home, double-click the icon IP Address and Domain Restrictions.


7. The pane IP Address and Domain Restrictions appears. Right-click in it. From the menu, select Add Allow Entry.

8. The window Add Allow Restriction Rule appears. In the field Specific IP address, fill in the IP address of the satellite.

If you want to add a range of addresses, choose IP address range and enter the network address and its subnet mask; consult the IIS Manager's Help for details.

9. Click OK. The satellite's IP address has now been added to the IP Address and Domain Restrictions list.


10. Repeat the above steps for the folder _toolbox.

Repeat this procedure on all satellites of the MynaVoice Recording system.

Note that allow entries only restrict access when 'Access for unspecified clients' is set to Deny (Actions pane > Edit Feature Settings...). With the IIS default of Allow, any client can still reach externalCommunication.asp regardless of the list.
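The following PowerShell is an added example, not code from the manual or from MynaVoice. It scripts the IP Address and Domain Restrictions allow-list for externalCommunication.asp in both toolbox folders for a list of satellite addresses and, unlike the GUI steps above, also sets 'Access for unspecified clients' to Deny, without which an allow entry changes nothing. It assumes the site is named 'Default Web Site' and the IP and Domain Restrictions role service is installed; the satellite addresses are placeholders. It is only relevant for 6.7 PL1 and lower, and is run on the Core Server and on every satellite.

```powershell
# Added example, not part of the MynaVoice manual: allow-lists the satellite
# addresses for externalCommunication.asp in the toolbox and _toolbox folders and
# denies all other clients. Only relevant up to 6.7 PL1.
# Assumptions: site "Default Web Site"; the satellite IPs below are placeholders;
# the "IP and Domain Restrictions" role service is installed. Run elevated.
Import-Module WebAdministration

$satellites = @('10.10.20.11', '10.10.20.12')   # placeholder satellite addresses
$targets    = @('toolbox/externalCommunication.asp', '_toolbox/externalCommunication.asp')
$filter     = 'system.webServer/security/ipSecurity'

foreach ($t in $targets) {
    # Settings for a single file are stored as a <location> element in applicationHost.config.
    $pspath = "MACHINE/WEBROOT/APPHOST/Default Web Site/$t"

    # Edit Feature Settings > Access for unspecified clients: Deny. Without this the
    # allow entries below have no effect, because IIS allows unlisted clients by default.
    Set-WebConfigurationProperty -PSPath $pspath -Filter $filter -Name 'allowUnlisted' -Value 'False'

    foreach ($ip in $satellites) {
        $exists = Get-WebConfiguration -PSPath $pspath -Filter "$filter/add[@ipAddress='$ip']"
        if (-not $exists) {
            # A single host; for a range add subnetMask = '255.255.255.0' (or similar).
            Add-WebConfigurationProperty -PSPath $pspath -Filter $filter -Name '.' `
                -Value @{ipAddress = $ip; allowed = 'True'}
        }
    }

    # Read back the effective list for this file.
    "== $t  (allowUnlisted = " +
        (Get-WebConfigurationProperty -PSPath $pspath -Filter $filter -Name 'allowUnlisted').Value + ')'
    Get-WebConfiguration -PSPath $pspath -Filter "$filter/add" |
        Select-Object ipAddress, subnetMask, allowed | Format-Table -AutoSize
}
```

After running it, a request to externalCommunication.asp from a host that is not in the list is answered with HTTP 403, which is the quickest way to confirm that the Deny for unspecified clients is in effect.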


Removing Temporary Internet Files

Windows Internet Explorer stores all files used during internet sessions in a local cache folder. To prevent improper use of stored items (for example recordings that were played back), it is recommended to clean the cache folder regularly. You can also prevent certain files from being stored in the cache folder.

Cleaning the Cache Folder

To empty the cache folder automatically every time an Internet Explorer session is closed, apply the following settings:

1. On the web client, open Windows Internet Explorer.

2. Click the Tools button in the top right-hand corner, or the Tools top menu.

3. From the drop-down menu, select Internet options, tab Advanced.

4. In the section Security, select the checkbox Empty Temporary Internet Files folder when browser is closed.

If the web GUI is served over SSL/TLS (https), this setting is not required. In that case you must select Do not save encrypted pages to disk instead: the pages are then never written to the cache in the first place.


5. Besides these settings, you must also select Enable native XMLHTTP support.

6. Click OK.

7. Close the Internet options window.


Configuring Cache Control Using IIS (on Core Server)

In addition, you can set web site properties on the Core Server using the Internet Information Services (IIS) Manager. This is also a solution when adapting the IE settings on the web client is not allowed.

These settings define which files are not cached on the web client.

Important! Excluding files from being cached can seriously impact your server's performance.

Procedure (using IIS Manager 7)

On the Core Server:

1. Navigate to (Administrative Tools >) Internet Information Services (IIS) Manager, and expand the <local host name> (the Core Server).

2. In the pane Connections, expand Sites > Default Web Site.

3. Select the folder whose settings you need to change. In this example: 'files'.

See the explanation about files and folders at the end of this procedure.

4. With the folder selected, double-click the icon HTTP Response Headers.


5. In the Actions pane, click Add. The window Add Custom HTTP Response Header appears.

6. Enter (type exactly as shown), then click OK:

Name: Cache-Control

Value: no-store

The pane in the middle of the window now shows the name and value you have set. The no-store directive tells the browser (and any intermediate proxy) not to keep a copy of the response at all, which is stricter than no-cache, which merely forces revalidation.

7. Close the Internet Information Services (IIS) Manager.


Best Practice: Which folders should I set?

Cache control (no-store) is recommended for the following folder:

files

Do not set an overall Cache-Control header on the following; both would have a serious impact on server performance, because every page load would fetch these static resources from the server again:

Default Web Site (the site root)

_gfx (graphics)

Cache settings already managed:

_jap (Java): manages its own cache settings.

_scr (JavaScript): cache settings are done by MynaVoice.

_sl (Silverlight): manages its own cache settings.

All other folders hold 'dynamic' .ASP files, which are not cached.


7: Vulnerability

This chapter covers three widely publicised vulnerabilities:

Heartbleed

POODLE

Shellshock

These vulnerabilities entail security risks, but do not affect the operation or performance of MynaVoice Recording.

See the sections below for a description of how to avoid the security risks.

Heartbleed

MynaVoice Recording uses MySQL for its database. MySQL is linked against the OpenSSL cryptographic library, and OpenSSL 1.0.1 through 1.0.1f carried a bug in the TLS heartbeat extension known as 'Heartbleed' (CVE-2014-0160): a remote peer could read chunks of the server process's memory, which may contain keys, passwords or other session data. It is a flaw in the library, not in the SSL 3.0 protocol itself. MySQL versions lower than 5.6.18 ship with an affected OpenSSL build. You can find more information on heartbleed.com.

To avoid the risk, the following applies:

If your MynaVoice Recording version is 6.5.8 or higher, Heartbleed does not apply. These versions use MySQL 5.6.18 or higher, which are built against a fixed OpenSSL.

If you have a lower version of MynaVoice Recording, SSL must be disabled in MySQL. In MynaVoice Recording this is disabled by default. Note that with SSL disabled the database connection is unencrypted, so MySQL must only be reachable from the Core Server itself or over a network segment that is otherwise protected (see chapter 2, Configuring the Firewall).

POODLE

The SSL 3.0 protocol is also still used in communication between web servers and clients (browsers). There it is vulnerable to an attack known as POODLE (CVE-2014-3566). An attacker positioned between browser and server first forces the connection to fall back from TLS to SSL 3.0, then exploits a weakness in SSL 3.0's CBC padding check as an 'oracle': by making the browser repeat requests (typically through attacker-controlled script on an unrelated page), the attacker decrypts parts of the encrypted traffic one byte at a time, such as session cookies, and can take over the user's session. The remedy is to disable SSL 3.0 altogether, on the server and in the browser.

For details of this vulnerability in Windows refer to Microsoft TechNet - Advisory 3009008.


Best Practice: Disable SSL 2.0 and SSL 3.0

Windows Server 2008 with IIS 7 allows SSL 2.0 by default. To properly secure your server and make sure that only TLS is negotiated, disable SSL 2.0 and SSL 3.0 as follows. TLS 1.0 and TLS 1.1 are deprecated as well; once every client and component that connects to the recorder supports TLS 1.2, disable those in the same way.

1. In the Start menu field, type regedit, and press Enter. The Registry Editor appears.

2. In the Registry Editor, navigate to the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Disable SSL 2.0

3. Right-click the key 'SSL 2.0'. From the menu, select New ► Key. (If the key does not exist, create it under 'Protocols' first, as described for SSL 3.0 below.)

4. A new key is added. Name it Server.

5. Open the new 'Server' key. In the top menu, click Edit and select New.

6. Click DWORD (32-bit) Value. A new value is added.


7. Enter Enabled as the name. Then press Enter.

8. Be sure the value in the column Data shows 0x00000000 (0), the default for a new DWORD.

If not, right-click the name, and select Modify in the menu. In the field Value data, enter 0.

Disable SSL 3.0

9. Right-click the key 'Protocols'. From the menu, select New ► Key.

10. Name the new key SSL 3.0. Be sure there is a space between 'L' and '3'.

11. Right-click the new key 'SSL 3.0'. From the menu, select New ► Key.

12. A new key is added. Name it Server.

13. Open the new 'Server' key. In the top menu, click Edit and select New.

14. Click DWORD (32-bit) Value. A new value is added. Enter Enabled as the name, and press Enter.

15. Be sure the value in the column Data shows 0x00000000 (0) (default).

If not, right-click the name, and select Modify in the menu. In the field Value data, enter 0.

16. Reboot the system to make all changes come into effect.

Enabled = 0 under Server switches the protocol off for incoming connections only. If the Core Server also opens TLS connections itself (for example to a CTI platform or to another recorder), create the same Enabled = 0 value under a Client key next to Server as well. Microsoft additionally documents a DisabledByDefault DWORD (value 1) beside Enabled; setting both is the safest choice.

This procedure is similar on Windows Server 2003 R2, with IIS 6.

See also the information from Microsoft Support.

NOTE: After disabling SSL 2.0 and SSL 3.0, the server no longer accepts connections from browsers or other clients that support only these protocols, and a browser configured the same way cannot retrieve pages from web servers that offer only these protocols.
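The following PowerShell is an added example, not code from the manual or from MynaV­oice. It performs steps 1 to 16 without the Registry Editor, for the Server side as in the procedure and additionally for the Client side, and sets both values Microsoft documents for switching a protocol off (Enabled = 0 and DisabledByDefault = 1). It assumes an elevated prompt; a reboot is still required afterwards, and the protocol list is deliberately limited to what the section above disables.

```powershell
# Added example, not part of the MynaVoice manual: disables SSL 2.0 and SSL 3.0 in
# SCHANNEL for incoming (Server) and outgoing (Client) connections by creating the
# registry keys of steps 1-16 and setting Enabled=0 plus DisabledByDefault=1.
# Run elevated; reboot afterwards. Extend $protocols with 'TLS 1.0','TLS 1.1' only
# after confirming that TLS 1.2 is enabled and supported by every client and component.
$protocols = @('SSL 2.0', 'SSL 3.0')
$sides     = @('Server', 'Client')
$root      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

foreach ($p in $protocols) {
    foreach ($s in $sides) {
        $key = Join-Path (Join-Path $root $p) $s         # ...\Protocols\SSL 3.0\Server
        New-Item -Path $key -Force | Out-Null            # creates missing keys, keeps existing ones
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Read back: every protocol/side must show Enabled=0 and DisabledByDefault=1.
foreach ($p in $protocols) {
    foreach ($s in $sides) {
        $v = Get-ItemProperty -Path (Join-Path (Join-Path $root $p) $s)
        '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f $p, $s, $v.Enabled, $v.DisabledByDefault
    }
}
Write-Host 'SCHANNEL changes take effect after a reboot.'
```

After the reboot, a TLS scanner run from another host (or a browser with only SSL 3.0 enabled) should fail to negotiate SSL 3.0 with the recorder; a successful SSL 3.0 handshake means the keys were written to the wrong path, most often a missing space in 'SSL 3.0'.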

Shellshock

MynaVoice Recording is not impacted by the 'Shellshock' bug. MynaVoice Recording does not use orinstall the vulnerable 'Bash' shell.


A: Terminology

This appendix contains an overview of relevant abbreviations and terms used in this manual.

Item: Description

Active CTI Server: CTI Server that is operational and performing the current CTI tasks.

API: Application Programming Interface

Call Controller: A service linking to the recorder database which reads configuration details for installed CTI Devices. The Call Controller processes all CTI Device messages to determine when to start and stop recording for a specific recording target.

CCLC: Call Controller/Link Controller protocol

CDR: Call Detail Record (a.k.a. Call Data Record). Metadata describing all call information like start time, end time, duration, phone numbers and names of the parties in the call, ID of the line on which the call was made, etc.

Certificate, Public Key: Electronic document that binds a public key to an identity and is signed by a certificate authority. A certificate is essential for web security: it is how the browser verifies the identity of the web server before encrypting traffic to it.

Cipher (cypher): Algorithm used to execute encryption/decryption operations.

Cookie: Small data item sent from a web server and stored by the web browser while the user is browsing the website. On every subsequent request to the website, the browser sends the cookie back to the server, e.g. to identify the user's session.

Core Server: Main server of a MynaVoice Recording system. Accommodates the database that stores calls, user and call information, facilitates archiving and hosts the web-based graphical user interface. Can also have recording channels.

Cross Frame Scripting: Vulnerability in web applications that allows the application to be loaded as an embedded frame inside a page of another site. This enables the attacker to monitor the user's web activity and capture sensitive information.

Cross Site Scripting: Vulnerability in web applications that allows an attacker to 'inject' malicious script into pages shown to other users. This enables attackers to read session cookies, take over sessions, or perform actions in the user's name that the user did not intend.

CTI: Computer Telephony Integration


CTI Server: MynaVoice Recording server that facilitates connectivity with a PBX environment, and processes call activity to control voice recording and provide call metadata.

Fusion: MynaVoice application, enabling to find and replay calls from multiple linked recording systems. Previously known as NDR (MynaVoice Distributed Recording) and (CyberTech) MAX.

GUI: Graphical User Interface.

HTTP: Hypertext Transfer Protocol. Protocol used for communication between a web client (usually a browser) and a web server.

HTTPOnly Cookie: Cookie whose Set-Cookie header carries the HttpOnly flag. The browser does not expose it to client-side script (document.cookie), which limits what a cross-site scripting (XSS) attack can steal.

HTTPS: HyperText Transfer Protocol Secure. HTTP layered on top of SSL/TLS, which adds encryption and server authentication.

IIS: Internet Information Services, a set of Internet-based services for servers using Windows.

IP: Internet Protocol

IPsec: Internet Protocol Security. A standard for securing IP communication by authenticating and encrypting all IP packets of a session.

ISAPI: Internet Server Application Programming Interface. API of Internet Information Services (IIS), used to develop Extension and Filter applications.

ITSP: Internet Telephony Service Provider

Java: Object-oriented programming language with syntax derived from C/C++. Java code is compiled to bytecode for a 'Java Virtual Machine' (JVM), which makes it platform-independent.

Java VM: Java virtual machine. See Java.

JavaScript: Dynamic programming language, most commonly used in web browsers to make web pages interactive. It is also used in server-side network programming, game development and for desktop and mobile applications. Despite the name, it has no relation to Java.

Link (Controller): Interface between the MynaVoice Call Controller and a vendor-specific telephony platform.

MITM Attack: A 'Man-In-The-Middle' attack intercepts, and possibly alters, the communication between two systems, e.g. the HTTP connection between a web server and a web client.

Monitor Tool: MynaVoice (CyberTech) Recording Solution Monitor

NTP: Network Time Protocol

NTR: MynaVoice Recording. Previously known as CyberTech Recording System.

P(A)BX: Private (Automatic) Branch eXchange


PSTN: Public Switched Telephone Network

Recorder: MynaVoice Recording server with recording channels: All-in-One system, Core Server with channels, or satellite.

Redundancy: Duplication of critical hardware and software components, to enable failover.

Resilience Group: Two paired CTI Servers, one of which acts as Active, and the other as Standby.

Resilience Host: (CTI) Server that is part of the Resilience solution.

Resilience: The ability to provide and maintain an acceptable level of service in the case of problems and failures during normal operations.

RTP: Real-time Transport Protocol

Satellite: MynaVoice Recording server accommodating recording channels.

SIP: Session Initiation Protocol. Used to establish, maintain, and terminate sessions.

SMB: Server Message Block. Microsoft-developed network protocol used for providing shared access to files, serial ports and printers.

Snooping: Related to security: unauthorized access to the data of others, usually by capturing network traffic or monitoring keystrokes with malicious intent. Also known as sniffing.

SSL: Secure Sockets Layer. Encryption protocol to secure communication between web server and web client (browser). Superseded by TLS; all SSL versions are deprecated and should be disabled (see chapter 7).

SSL Certificate: see Certificate, Public Key

Standby CTI Server: Redundant CTI Server that is currently not performing any tasks, but is 'waiting' until failover is required. Upon failover, it takes over the configuration of the Active CTI Server.

Target: Recordable unit (device, extension, agent, Trader ID, etc.)

TCP: Transmission Control Protocol

TLS: Transport Layer Security. Encryption protocol, the more secure successor of SSL. Although TLS is now used instead of SSL, the term 'SSL' for secure communication protocols is still widespread.

Turret: Communication device used specifically by Traders (a.k.a. 'dealer board'). It offers multiple concurrent communication channels. Typically it has 2 handsets and multiple speakers (up to 24).

UDP: User Datagram Protocol

VoIP: Voice over Internet Protocol

Web Client: Web browser that runs on a user's local computer or workstation and connects through an (internal) network to a server.

Web GUI: Web-based GUI of MynaVoice Recording. Accessed using the standard Internet Explorer.


Web Server Application responding to requests for information from web clients. It stores, processes and delivers web pages, and uses the HTTP protocol for communication.

XSS See Cross-site Scripting.

Table A-1: Abbreviations and Terms


Version History

Date Revision Description

01-11-2019 6.7 PL4 Overall: Adapted to MynaVoice 6.7.1. Layout adapted.

Ch1 'Introduction': Added section about Windows versions.

Ch2 'Configuring the Firewall': added FusionServer.

Added internal ports 8003, 7712 and 5051. Minor text edits.

Updated ports listings with ports (Core) 445, 4251, 7780, 7950; (CTI) 4251, 4252, 4350, 7780; (Sat) 4251, 4252.

Ch3 'Antivirus and 3rd Party Software Exclusions': Added exe files to all servers. 'CoreServer (With or Without Channels or CTI)': added locations of Program Files and Program Files (x86). 'FusionServer': added locations.

Removed location of Windows 2003.

Ch4 'System Hardening' renamed from 'Recording System Hardening'. Introduction rewritten. 'Installed MynaVoice Recording Services' updated.

Added 'Configure Transport Encryption for File Shares'.

Updated with latest services: MynaVoice CoreServer extended.

Removed references to Windows 2008; added Windows Server 2016.

Ch5 'Web Server Security': restructured 'Hiding Version Information in the Server Header' into IIS 7.5 and higher. Section 'IIS 6 and lower' removed (not supported). Updated screenshots to Windows 2012 R2.

Added 'MynaVoice and Security' with updated required/supported protocols (TLS only).

Added 'Remove the X-Powered-By Header'.

'Hiding Version Information in the Server Header': added procedure for IIS 7 and higher. Old procedure renamed to '... for IIS 6 and lower'.

Added 'Enable HTTPOnly Cookies Using URL Rewrite 2.1' and 'Enable Secure Cookies Using URL Rewrite 2.1'.

Removed 'Enable HTTPOnly Cookies by Adding an ISAPI Filter'.

Replaced all W2008 screenshots by W2016 screenshots.

Ch6 'Web Client Internet Explorer Policy': added (important) notes and remarks about NTR 6.7.2 and higher not supporting Real-time Play.

Replaced all W2008 screenshots by W2016 screenshots, except those of 'Setting Satellite Access ...' (feature not available for W2016).

25-05-2016 6.6 PL8 Ch3 'Introduction': updated warning.

Ch4 'List of Installed MynaVoice Recording Services': reference to Monitor Tool separated into old and new type.

Added section 'E-mail Filtering'.

31-01-2016 6.6 PL7 Ch3 'Antivirus and 3rd Party Software Exclusions': 'Introduction': added important note about full-system backups.

31-10-2015 6.6 PL6 Ch4 'Recording System Hardening': added section 'SMB Signing'.

Ch5 'Web Server Security': rewritten introductory section to include TLS versions, cipher types and the relation SSL <> TLS.

- Added heading 'SSL / TLS Security'.

Updated Appendix A 'Terminology'.

30-09-2015 6.6 PL5 - -


31-08-2015 6.6 PL4 Ch2 'Configuring the Firewall':

- added port 7780 to sections on satellite and CTI Server

- added direction 'IN' to port 6002 on systems with channels

Ch3 'Antivirus Settings':

- Changed title into 'Antivirus and 3rd Party Software Exclusions'.

- Re-phrased introduction and 'Antivirus Exceptions' to include other software.

- Added folder 'C:\inetpub' to the list.

Ch4 'Recording System Hardening':

- Added information on Windows Data Execution Prevention (DEP)

- Figure 4-1: replaced screenshot of old type of Monitor Tool by new one.

30-06-2015 6.6 PL3 Ch2 'Configuring the Firewall': added section 'Port Scanning'.

Ch4: Added sections 'Required Windows Services' and 'Additionally Installed Applications'.

30-05-2015 6.6 PL2 Ch2 'Configuring the Firewall': changed port 6004 (Monitor Tool) to OUT on a CoreServer (with and without channels) and to IN on a satellite.

31-03-2015 6.6 PL1 - -

27-02-2015 6.6 Overall: Layout updated to latest standards. Chapter structure re-arranged. Minor text changes. Removed all Windows Server 2003 information.

Ch1: Introduction rewritten.

Added 'Scope' and 'Intended Audience'; updated 'Symbols'.

Ch2 'Configuring the Firewall': moved and made into separate chapter (used to be part of ch4).

Introduction rewritten.

'Which List Do I Use' added.

Removed illustration.

Restructured, extended and updated ports listing. Created columns 'Service' and 'Explanation', separated 'Protocol' and 'Direction'.

Used roles and combinations as a basis. Separated external and internal ports. Added additional ports (for applications). Added FusionServer. Removed ScreenRecorder.

Ch3: Moved from ch2. Added Introduction. Restructured, tables added.

Ch4: Renamed chapter (was: 'Operating System Hardening').

List of services updated. Introduction added.

'Local or Group Policy Security Settings' renamed, updated and extended.

'Enabling IPsec Encryption' moved here (used to be separate chapter). Updated.

'Internet Guest Account' removed.

'Windows Recorder Account' removed.

Ch5: Moved and renamed (was: ch6 'Enabling SSL Web Server Security').

Introduction rewritten and updated.

'SSL Certificates' restructured and updated. IIS 6.0 information removed.

'Enabling HTTPOnly Cookies' moved here (used to be separate chapter). Updated.

'Preventing Cross Frame Scripting' added.

'Hiding IIS Version Information' added.

'Enforcing Account Lockout' added.


Ch6: Restructured and updated. Introduction rewritten.

Removed IE 6/7/8 information, updated to IE11.

'Real-time Playback (and Channel Overview)' updated and extended.

'Setting Satellite Access to External Communication' added.

'Removing Temporary Internet Files' and 'Configuring Cache Control' updated.

Ch7: Moved here from ch5.

Rewritten. Added POODLE and Shellshock.

Terminology: table added.

Former ch9 'IIS security policies' removed.

Former versions

Date Version Remark

01-05-2006 1.0 First release

10-07-2006 1.1 Added SSL security information

16-08-2006 1.2 Added SSL configuration to allow only HTTPS on server

27-11-2006 1.3 Added IIS Guest Account password change section. Changed Antivirus policy.

18-04-2007 1.4 Added IE7 web client policies.

Added Internet Guest Account policies

Added Archive drive access policy for CyberTech Recording System and PC Replay Station

01-07-2007 1.5 Changed old recorder name to new name: 'CyberTech Recording System'

Added section 'Windows recorder account'

Added section 'Drive partitioning'

24-12-2007 5.0 Updated manual to A5 layout and added R5 related information

28-04-2008 5.1 Updated chapter 2 (antivirus) for Screen Recording. Updated chapter 4.1 (firewall) for Screen Recording. Added IPSEC security configuration chapter 6. Added SSL Intermediate CA certificate for trading recording.

10-10-2008 5.2 Updated chapter 4.7 recorder account. Included CT5.2 recorder account rights and removal options. Added information on SSL certificate valid time. Example shows only 365 days. Updated access right 4.7.1. Added server side cache configuration 3.5. Updated Services list including Parrot API Service Starters in chapter 4.1. Updated Firewall recorder overview. Removed SNMP and SMTP systems from overview in chapter 4.2.

Minor lay-out changes

02-04-2009 5.3 Minor text updates

Added secure delete chapter.

07-07-2009 5.4 Minor layout updates to all chapters

Added Resilience communications to chapter 4.

18-09-2009 5.5 Added port number for Configuration Management (chapter 4.2)

07-10-2009 5.6 Updated chapter 6.1 (minor text changes + extra pictures)

Added OpenCall Controller Interface (OCCI) web service and port definitions.


01-02-2010 5.7 Added paragraph 4.6.4 outlining a possible issue caused by IIS application pool policy settings.

10-06-2010 6.0 Implemented review comments for R6 and reformatted for A4 template

15-06-2010 6.0 Applied review comments JV, reformatted for A4 template

01-07-2010 6.0 Additional formatting corrections

20-07-2010 6.0 Additional style and formatting corrections

03-08-2010 6.0 Removed chapter 7

12-10-2010 6.1 Added Silverlight ports to Firewall section

30-11-2010 6.1 Added CoreServer Redundancy ports in Firewall section

09-05-2011 6.1 Added Require SSL setting (Windows 2008 R2)

10-05-2011 6.1 Added section 'Disabling IPv6 components'

14-06-2011 6.3 IPSEC steps for Windows 2008 improved

23-06-2011 6.3 IPv6 section expanded

11-07-2011 6.4 Added section 5.5 'Setup SSL Certificate on recorder'

28-10-2011 6.2* Rebranding name changes (* manual version synchronised with product version)

11-11-2011 6.2 Port number config mgt 8007

23-12-2011 6.2 IE setting 'Enable native XMLHTTP support' added

31-01-2012 6.2 HTTPS port number corrected

17-02-2012 6.2 IIS configuration temporary Internet files

13-03-2012 6.2 Updates to Firewall ports section

09-07-2012 6.2 Updated ports for screen recording

31-07-2012 6.2 Added MAX services

13-09-2012 6.2 Server certificate instructions, Site Bindings added

25-09-2012 6.2 Added VoIP INI locations to antivirus exclusions

02-11-2012 6.2 Port range for Active IP Recording Audio: 10002-11001

10-01-2013 6.3 Added MySQL Optimization chapter

14-03-2013 6.3 MySQL Optimization chapter updated

29-08-2013 6.5 Advised scheduling antivirus updates out of hours and when network traffic is low

26-09-2013 6.5 Updated self-signed certificate link

29-10-2013 6.5 Added EMC ports to table

30-10-2013 6.5 Added port 4345

03-01-2013 6.5 Added chapter 'Adding an ISAPI filter'

07-01-2014 6.5 Added note for Sentinel ports

27-01-2014 6.5 Added SatelliteController to table of satellite services

06-02-2014 6.5 Antivirus excludes, added: C:\ProgramData\CyberTech\CallDataCache

11-02-2014 6.5 Added ISAPI filter path c:\inetpub\ISAPIfilters

20-02-2014 6.5 ISAPI filter steps updated. Added Sentinel ports


24-02-2014 6.5 'Enabling HttpOnly cookies' chapter updated

17-03-2014 6.5 Added port 7500

22-04-2014 6.5 Removed MySQL Optimization chapter (duplicated in Installation manual). Fixed typo in Antivirus excludes.

Added section on Heartbleed vulnerability

24-04-2014 6.5 Port 4350 added

29-05-2014 6.5 Updated section on Heartbleed vulnerability

Added IIS6 security options for NTR 6.5.8 on Windows 2003

11-05-2014 6.5 Added ports:

- Port range for Active IP Recording Audio: 10002-12001

- Customer LAN: E-mail 25 (SMTP) TCP, OUT

- Customer LAN: Alarms 162 (SNMP) UDP, OUT

28-08-2014 6.5 Added port:

- CoreAPI Media Delivery / Monitoring 7950 TCP, IN
