Security Configuration for Windows 2003 DIANE systems
DPS7000/XTA NOVASCALE 7000
Security
REFERENCE 47 A2 11EL 02
January 2006
BULL CEDOC
357 AVENUE PATTON
B.P.20845
49008 ANGERS CEDEX 01
FRANCE
The following copyright notice protects this book under Copyright laws which prohibit such actions as, but not limited to, copying, distributing, modifying, and making derivative works.
Copyright Bull SAS 1992, 2006
Printed in France
Suggestions and criticisms concerning the form, content, and presentation of this book are invited. A form is provided at the end of this book for this purpose.
To order additional copies of this book or other Bull Technical Publications, you are invited to use the Ordering Form also provided at the end of this book.
Trademarks and Acknowledgements
We acknowledge the right of proprietors of trademarks mentioned in this book.
Intel® and Itanium® are registered trademarks of Intel Corporation.
Windows® and Microsoft® software are registered trademarks of Microsoft Corporation.
UNIX® is a registered trademark in the United States of America and other countries licensed exclusively through the Open Group.
Linux® is a registered trademark of Linus Torvalds.
The information in this document is subject to change without notice. Bull will not be liable for errors contained herein, or for incidental or consequential damages in connection with the use of this material.
Preface
Purpose
This document targets customers requiring information about the security configuration of:
- the DPS7000/XTA Diane system (32-bit) under Windows 2003 (original version with no Service Packs installed) or Windows 2003 SP1
- the NS7000 (Itanium) Diane system under Windows 2003 SP1.
To be effective, a security policy must be defined and applied at all levels of a company's information system. The Diane server must be installed in a secure environment.
This document does not discuss security for the global infrastructure of an information system, but only those security issues that apply to the Diane server.
This version concerns the Diane DPS7000/XTA 32-bit server and NS7000 Itanium server.
The security of the BullMaint maintenance workstation (or PAP in NS7000) is not discussed in this document.
For all Windows 2003 Diane systems the majority of security elements are factory-configured by applying a security model and by adding extra security features. The decision to enable the Windows 2003 SP1 firewall described in this document is optional and left up to customers who can choose whether or not to use it depending on their own IT system security policy.
All the security measures described in this document have been validated in-depth by specialist Bull teams.
Structure
Chapter 1: Diane-Windows 2003 security model
Chapter 2: Additional security settings
Chapter 3: Configuring and enabling the Windows 2003 firewall
Chapter 4: List of ports used on the Diane-Windows 2003 system
Chapter 5: Windows updates
Chapter 6: Choosing an antivirus
Appendix A: Windows 2003 ports
Appendix B: Windows services on the Diane-Windows 2003 system
Appendix C: Firewall configurator
Bibliography
• Internet Connection Firewall Feature Overview (Microsoft) http://www.microsoft.com/technet/prodtechnol/winxppro/plan/icf.mspx
• Windows Server 2003 System Services Reference (Microsoft) http://download.microsoft.com/download/8/a/d/8ad3bc09-c975-4552-a56d-cee76181a301/SPTCG_SSS.doc
• 77 A2 88 US V7000 Software Installation and Activation Guide
• 47 A2 91US Interop7 User’s Guide
• 47 A2 37UT TDS-TCP/IP User’s Guide
• 47 A2 02EL Security on the DIANE System (Windows 2000)
Revisions
• Revision 00: First version of the document
This version concerns the initial version of Windows 2003 (with application of a Service Pack).
Some security issues are not discussed in this initial version of the document. Please contact Bull's support teams if you have any questions.
• Revision 01:
Two new chapters added:
Chapter 5: Windows updates
Chapter 6: Choosing an antivirus
Additions to Chapter 4: List of ports used on the Diane-Windows 2003 system, in particular for CLX and IUM-SA7.
• Revision 02:
Additions for Windows 2003 SP1 on DPS7000/XTA and NovaScale 7000
Contents
1. Diane-Windows 2003 security model
1.1 Windows 2003 services ..... 1-1
1.2 NTFS permissions ..... 1-3
E:\ConfigV7000 ..... 1-3
E:\GlobalDiskSpace ..... 1-3
2. Additional security settings
2.1 Users and groups ..... 2-1
2.2 Network ..... 2-1
2.3 Strategy ..... 2-2
3. Configuring and enabling the Windows 2003 firewall
3.1 Windows 2003 SP1 firewall ..... 3-1
3.2 Configuring Windows 2003 SP1 firewall ..... 3-2
3.3 Activating the Windows 2003 SP1 firewall ..... 3-3
3.4 Oracle ..... 3-9
3.5 SNMP ..... 3-10
4. List of ports used on the Diane-Windows 2003 system
4.1 Ports ..... 4-1
4.2 FTP7 ..... 4-3
4.3 TDS-TCP/IP ..... 4-3
4.4 SUBUX ..... 4-3
4.5 CLX ..... 4-4
4.6 IUM-SA7 ..... 4-5
4.7 ORACLE ..... 4-5
5. Windows updates
5.1 Regular updates ..... 5-1
5.2 Service Packs ..... 5-1
6. Choosing an antivirus
6.1 Symantec Antivirus ..... 6-1
6.2 Support for antivirus programs other than Symantec AntiVirus™ ..... 6-1
A. Windows 2003 ports
B. Windows services on the Diane-Windows 2003 system
C. Firewall configurator
C.1 Automatic mode ..... C-3
C.1.1 User rights ..... C-3
C.1.2 Checking of Windows version ..... C-4
C.1.3 Checking of Windows Firewall/Internet Connection Sharing (ICS) service state ..... C-4
C.1.4 Automatic mode of configuration (cases 1-4) ..... C-4
C.1.5 Automatic mode of enumeration (cases 5-6) ..... C-7
C.2 V7000 Firewall Configurator User Rights ..... C-8
C.2.1 No user rights ..... C-8
C.2.2 Read only restricted rights ..... C-9
C.2.3 Full user rights ..... C-10
C.3 Checking of Windows version ..... C-12
C.4 Checking of Windows Firewall/Internet Connection Sharing (ICS) service state ..... C-13
C.5 Checking of a V7000 Firewall Configurator previous instance ..... C-14
C.6 Components managed in main dialog box ..... C-15
C.6.1 Native Windows common components ..... C-15
C.6.2 V7000 components ..... C-16
C.6.3 Interop7 components ..... C-17
C.6.4 Third party components ..... C-18
C.7 Components state towards the firewall at main dialog box opening time ..... C-19
C.7.1 Case of Interop7 components uninstall ..... C-19
C.8 Components state validation/invalidation in main dialog box ..... C-20
C.9 Main dialog box use cases ..... C-23
C.9.1 Use case 1 ..... C-24
C.9.2 Use case 2 ..... C-25
C.9.3 Use case 3 ..... C-26
C.9.4 Use case 4 ..... C-27
C.9.5 Use case 5 ..... C-28
C.9.6 Use case 6 ..... C-33
C.9.7 Use case 7 ..... C-34
C.10 Interactive session file ..... C-36
1. Diane-Windows 2003 security model
All factory-default Diane-W2003 systems are made secure by the systematic application of the "Diane-Windows 2003" security model.
This chapter describes the effects of applying the security model to the machine configuration compared to the standard Windows 2003 configuration.
1.1 Windows 2003 services
The following services are disabled on top of those already disabled as standard by Windows.
Note for SP1: on Windows 2003 SP1, the services marked with an asterisk (*) are not set to "Disabled" by the Diane security model.
Application Management: application installation via the network
Automatic Updates: automatic updates from the Microsoft update site
Background Intelligent Transfer Service: file transfer using leftover bandwidth
Computer Browser: updates to resources shared over the network
DHCP Client: access to a DHCP server to get an IP address
Distributed File System: management of distributed logical volumes (DFS)
Distributed Link Tracking Client: management of NTFS files via the network
File Replication: duplication of files over the network
FTP Publishing Service *: FTP administration via IIS
Indexing Service: file indexing for fast local or networked searches
Remote Access Auto Connection Manager: automatic handling of network connections
Remote Access Connection Manager: management of dialup or VPN connections through the Internet
Remote Registry: enables remote administrators to modify the registry
Smart Card: management of smart cards and smart card readers
TCP/IP NetBIOS Helper: support for the NetBIOS protocol
Telephony: support for Telephony APIs
World Wide Web Publishing Service *: web administration via IIS
Each of these services can be re-enabled (set to MANUAL or AUTOMATIC) according to the customer's needs.
For more information:
http://download.microsoft.com/download/8/a/d/8ad3bc09-c975-4552-a56d-cee76181a301/SPTCG_SSS.doc
1.2 NTFS permissions
NTFS permissions are applied by default to directories and their dependants as follows:
C:\Drivers:
Full Control for Administrators and V7000BullServices groups
Read & Execute/List Folder for Everyone
C:\Fix_Manufacturing:
Full Control for Administrators and V7000BullServices groups
Read & Execute/List Folder for Everyone
E:\ (V7000 partition)
Full Control for Administrators
Read & Execute/Write/Modify/List Folder for V7000BullServices
Read & Execute/List Folder for Everyone
These permissions are propagated to the subdirectories:
E:\ConfigV7000
and
E:\GlobalDiskSpace
Warning: Disk space other than the "GCOS7 disks" (that is, space for Windows applications or data) must not be placed under the "E:\GlobalDiskSpace" mount points, and such partitions must use a drive letter from G: onwards. If partitions were previously attached to "E:\GlobalDiskSpace" mount points, use Disk Manager to change their drive letters. In this case the permissions inherited from "E:\GlobalDiskSpace" are kept; modify them according to customer requirements.
The C:\Fix_Manufacturing\Security directory contains the files that define the factory-default W2003 permissions (for use in case of problems). These files are:
W2003aclc1.txt (for C:\Drivers)
W2003aclc2.txt (for C:\Fix_Manufacturing)
W2003acle.txt (for the E:\ Partition)
Note: The permissions defined in this chapter must not be modified.
2. Additional security settings
The additional security settings described in this chapter are applied to the factory default version of all systems of Diane-Windows 2003.
2.1 Users and groups
Administrator group
There is no Administrator user account
1 AdmDiane account with 1 password chosen by the customer
1 AdmBull account with 1 factory-default password unique to the machine
IIS_WPG Group
The IUSR_XXX user account is disabled
The IWAM_XXX user account is disabled
2.2 Network
File and Printer Sharing for Microsoft Networks is unselected in the network card properties for the machine's TCP/IP connection.
The purpose of this is to prevent shared resources (Files, printers) being mounted on the machine.
It also prevents users from doing remote Computer Management from another Windows machine.
It can be re-enabled without stopping GCOS or V7000 or rebooting Windows.
2.3 Strategy
The Security settings mean that in the Windows connection dialog there is no record of the last logged-on user.
Interactive logon: Do not display last user name is set to "Enabled".
For Windows 2003 SP1:
The Security settings also mean that the user name is not displayed when returning from the “Idle screen”.
Interactive logon: Do not display user information when the session is locked is set to "Enabled".
It is possible to modify these settings to "Disabled".
To change the status, launch ("Start / Run /") gpedit.msc and go through the tree structure as follows:
Computer Configuration->Windows Settings->Security Settings->Local Policies-> Security Options
3. Configuring and enabling the Windows 2003 firewall
On Diane systems, the Windows 2003 firewall is disabled by default. The decision to enable it is at the customer's discretion, since it is directly linked to the company's general IT security policy.
The Windows firewall evolved considerably between Windows 2003 and Windows 2003 SP1. On the Diane system the firewall can be activated starting from the Windows 2003 SP1 version. The information contained in this section is not applicable to the initial version of Windows 2003.
3.1 Windows 2003 SP1 firewall
The main characteristics of the Windows 2003 SP1 firewall are as follows:
• The activation of the firewall is available for all connections (i.e. all network cards) of the platform.
• Filters incoming and outgoing connections.
• Can be configured for applications (.exe file names) or communication ports (TCP or UDP protocols).
• In case of a configured application, the communication ports used by this application are opened only when it is active.
3.2 Configuring Windows 2003 SP1 firewall
The activation of the firewall must obviously not disturb the operation of the Diane server. The firewall must therefore be configured according to the applications that can be used on the server and that use communication ports.
For more details about the communication ports used on Diane, refer to section 4.
To facilitate the configuration of the firewall on the Diane server, a specific tool has been designed: "V7000 Firewall Configurator".
Several V7000 and Interop7 components are using network facilities, and must correctly operate when the firewall is activated on the platform.
The goal of the V7000 Firewall Configurator application is to configure the native firewall of Windows 2003 SP1
• for V7000 and Interop7 components as well as Windows native common components necessary for V7000 and Interop7
• and also for factory installed third party components on a “Full V7000 Server” installation.
The configuration tool is activated at the end of the V7000 activation and at the end of the Interop7 installation. The configuration is automatically done for V7000 and Interop7 applications.
However, the configurator application has no effect on the activation or deactivation of the firewall. This decision is the customer's responsibility.
The configuration tool can also be manually started. It can be used for the firewall configuration on the Diane server as well as on a remote administration station (V7000 Remote Admin).
A detailed description of the "V7000 Firewall Configurator" is available in the appendix C of this document.
3.3 Activating the Windows 2003 SP1 firewall
On a Windows 2003 SP1 Diane server, the Windows Firewall/Internet Connection Sharing (ICS) service is started at the factory.
To activate the firewall, select “on” in the Windows Firewall view (started from the “Control Panel”):
To configure the Windows Firewall for the standard applications used on a Diane server, go to the "Exceptions" tab and check:
- Remote Desktop
This will allow "Remote Desktop" on all network connections.
Then go to the "Advanced" tab and select the TCP-IP Network Connection:
- Click on "Settings"
- Select:
FTP Server (associated with port 21)
Telnet Server (associated with port 23)
Web Server (HTTP) (associated with port 80)
- Click on OK
- In the same way as the TCP-IP Network Connection was selected, now select HUB CONNECTION and repeat the same operation for the 3 services.
• Response to a "ping"
Once enabled, the firewall protects the machine from "pings" coming from all other machines. This is an important element in strengthening security.
However, "pings" may be useful in checking that a network between two machines is working correctly. In this case, you can configure the firewall using the ICMP (Internet Control Message Protocol) tab so that the machine answers "pings" from other machines.
To avoid a breach in security, this must be a temporary measure only. The rights described below must be removed once they cease to be necessary.
In the ICMP Box:
- click on the "Settings…" button.
Note: Microsoft strongly recommends you do not open ICMP Messages that are used in hacking and denial of service attacks. (Source: Internet Connection Firewall Feature (ICF) Overview).
3.4 Oracle
Applications that must be defined in the firewall configuration:
• In case of a database on GCOS7: v7sg7.exe (should be automatically defined by the configurator at the end of the Interop7 installation).
• In case of a database on Windows: oracle.exe and tnslsnr.exe in the bin directory of the Oracle installation.
3.5 SNMP
Applications that must be defined in the firewall configuration:
C:\WINDOWS\System32\snmp.exe for the "SNMP Service"
C:\WINDOWS\System32\snmptrap.exe for the "SNMP Trap Service"
4. List of ports used on the Diane-Windows 2003 system
This section lists the port numbers used on the Diane Windows-2003 server.
Remember that the Windows 2003 SP1 firewall automatically opens the ports used by the applications defined at the time of its configuration.
The configuration of the firewall for the V7000 and Interop7 components is handled by the firewall configurator, as described in section 3 and in appendix C of this document.
With Windows 2003 SP1, it is therefore no longer necessary to open each port individually. Nevertheless, this section is kept for information purposes.
4.1 Ports
The ports used on the Diane system are defined in the documentation for each product. This product documentation should be used as the reference guide.
For information purposes, the following table lists the incoming ports used by the products (or functions) often used on the Diane system. This list may not be exhaustive. In case of problems, it is recommended you refer to the product documentation.
The "Open by default" column indicates which ports should be opened systematically when enabling the firewall. These ports are used by the system's basic products or functions. The others must only be opened if the listed products are used.
The port numbers given in this table are those defined by default. The majority are configurable. Any changes to the port number must also be reflected in the firewall configuration.
Product (or function) | Ports (default value) | Open by default
DCOM | 7050 - 7099 TCP | YES
RPC | 135 TCP | YES
FTP7 | 9037 TCP | YES (see note on FTP7 below the table)
NT7GW for ESP7, DA7, JTDS, JUFAS, JESP7, HOOX, etc. (access to GCOS7 via the ATMI API (TDS_TCP/IP) or H_SRVCAM (DSA)) | 9002 TCP | YES
SRVCAM for CNDSA | 9003 TCP | YES
TDS-TCP/IP | see note on TDS-TCP/IP below the table | NO
SQL*XT | 9007 TCP | NO (only open in the case of access from a remote system)
IUM-SA7 | see note on IUM-SA7 below the table | NO
SUBUX | range 1023 - 512, see note on SUBUX below the table | NO
CLX | range 1023 - 512, see note on CLX below the table | NO
SDM (Shared Disk Manager) | 7000 TCP | NO (only open in the case of shared disks)
RCF7 (Remote Control Facility) | 7011 TCP | NO (only open if ISM is used)
SNMP | 161 UDP | NO
SNMP7 | 7161 UDP | NO
OpenSave | no port to open | -
NetOp | 6502 TCP and UDP | NO (pointless if the standard connection is via the maintenance network)
Navisphere | 6389 TCP | NO (only useful for the CX range)
4.2 FTP7
The firewall automatically manages the opening of dynamic ports, in that it recognizes the use of FTP through the use of port 21 on the local or remote machine.
When the transfer is initiated on GCOS7 and the remote server is not listening on port 21, the firewall does not know that FTP is being used and cannot manage the dynamic ports. Use port 21 on the remote system (instead of port 9037 for a Diane).
When the transfer is initiated by a remote client in passive mode, you must either use active mode or use port 21 on the Diane.
4.3 TDS-TCP/IP
TDS uses the port specified in the Windows services file <windir>\system32\drivers\etc\services. The service name is the concatenation of:
local host name + TDS name
For example: if a client wants to connect to the TDS TDS1 located on the XTA system referenced by the BC0F host name, the following line must appear in the services file:
bc0ftds1 10100/tcp
You should then open port 10100 TCP.
4.4 SUBUX
SUBUX uses ports, in pairs, in decreasing order from 1023 to 512. The number of pairs of ports used corresponds to the number of SUBUX commands that can be submitted and activated simultaneously, to a maximum of 255.
It is therefore essential to open as many pairs of ports, beginning with 1023,1022, as there are SUBUX commands that can be submitted and activated simultaneously, plus, if appropriate, a number of additional ports in case other applications use ports in the same range.
You are advised to refer to the SUBUX product documentation, available in the following document:
47 A2 91US 06 Interop7 User’s Guide
4.5 CLX
The Interop ID340 release is a prerequisite for using CLX with the firewall activated.
CLX selects its ports from the same range as SUBUX in decreasing numeric order starting with 1023. CLX does not use more than 5 ports.
If CLX is used with SUBUX, you simply open 5 extra ports to the ones defined for SUBUX (see previous paragraph).
If CLX is used without SUBUX, it is recommended to open about ten ports in decreasing numeric order starting with 1023.
You are advised to refer to the CLX product documentation, available in the following document:
47 A2 63UU 07 Cartridge Tape Library User’s Guide
4.6 IUM-SA7
The GCOS7 IUM-SA7 agent listens on a port that is chosen dynamically.
When it is initialized, it writes all useful information for clients who want to connect in the ST7SEC_BINDING member of SA7.IUM.SL. The client can retrieve this information via FTP.
Example of the content of the file SA7.IUM.SL..ST7SEC_BINDING: ncadg_ip_udp 172.31.37.14 22115
It includes 3 pieces of connection information:
• Protocol: UDP
• Address: 172.31.37.14
• Port: 22115
This is the port you need to open in the Firewall configuration (you will need to modify it if another occurrence of the agent is launched).
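As an added illustration of the port rules in 4.3 (TDS service lookup in the services file), 4.4 and 4.5 (SUBUX and CLX port range) and 4.6 (ST7SEC_BINDING content), the following Python helpers compute which ports to open; this is example code written for this page, not a Bull tool, and the netsh command syntax and the ncacn_ip_tcp mapping are assumptions, not taken from the document.

```python
"""Firewall port planning helpers for a Diane-Windows 2003 SP1 server (example code)."""
import ipaddress

# Port range shared by SUBUX and CLX (sections 4.4 / 4.5), used downwards from 1023.
RANGE_TOP = 1023
RANGE_BOTTOM = 512
SUBUX_MAX_COMMANDS = 255     # at most 255 simultaneous SUBUX commands
CLX_WITH_SUBUX_PORTS = 5     # CLX never uses more than 5 ports
CLX_ALONE_PORTS = 10         # "about ten ports" when CLX is used without SUBUX

# DCE RPC protocol sequence names that may appear in ST7SEC_BINDING.
# Assumption: the page only shows ncadg_ip_udp; ncacn_ip_tcp is the standard TCP name.
PROTSEQ_TO_PROTO = {"ncadg_ip_udp": "UDP", "ncacn_ip_tcp": "TCP"}


def tds_port(services_text, host_name, tds_name):
    """Return (port, protocol) for a TDS from the content of the Windows services
    file. The service name is the local host name concatenated with the TDS name
    (section 4.3); the lookup is case-insensitive and also matches aliases.
    Returns None when no entry exists."""
    wanted = (host_name + tds_name).lower()
    for raw in services_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        names = {f.lower() for f in [fields[0]] + fields[2:]}   # name plus aliases
        port, sep, proto = fields[1].partition("/")
        if sep and wanted in names and port.isdigit():
            return int(port), proto.upper()
    return None


def subux_clx_ports(subux_commands, clx=False, spare=0):
    """Return the list of ports (descending from 1023) to open for a given number
    of simultaneous SUBUX commands, optionally CLX, and 'spare' extra ports for
    other applications using the same range (sections 4.4 / 4.5)."""
    if not 0 <= subux_commands <= SUBUX_MAX_COMMANDS or spare < 0:
        raise ValueError("SUBUX supports at most %d simultaneous commands" % SUBUX_MAX_COMMANDS)
    count = 2 * subux_commands + spare             # SUBUX uses ports in pairs
    if clx:
        count += CLX_WITH_SUBUX_PORTS if subux_commands else CLX_ALONE_PORTS
    lowest = RANGE_TOP - count + 1
    if lowest < RANGE_BOTTOM:
        # Assumption: the page does not say what happens below 512, so refuse.
        raise ValueError("%d ports exceed the 1023-512 range" % count)
    return list(range(RANGE_TOP, lowest - 1, -1))


def parse_st7sec_binding(member_text):
    """Parse the ST7SEC_BINDING member written by the IUM-SA7 agent (section 4.6),
    e.g. 'ncadg_ip_udp 172.31.37.14 22115', into (protocol, address, port),
    validating each field so a corrupt member cannot open an arbitrary port."""
    fields = member_text.split()
    if len(fields) != 3:
        raise ValueError("expected '<protseq> <address> <port>'")
    protseq, address, port_text = fields
    proto = PROTSEQ_TO_PROTO.get(protseq.lower())
    if proto is None:
        raise ValueError("unknown protocol sequence %r" % protseq)
    ipaddress.ip_address(address)                  # raises ValueError on a bad address
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return proto, address, port


def netsh_portopening(port, proto, name):
    """Build the Windows 2003 SP1 'netsh firewall' command that opens one port.
    Assumption: standard netsh firewall syntax, not taken from the page."""
    return 'netsh firewall set portopening protocol=%s port=%d name="%s" mode=ENABLE' % (
        proto, port, name)


if __name__ == "__main__":
    # Constructed sample services file entry (the page's own example) and binding.
    sample_services = "# <service name> <port>/<protocol>\nbc0ftds1  10100/tcp\n"
    print(tds_port(sample_services, "BC0F", "TDS1"))                  # (10100, 'TCP')
    print(subux_clx_ports(3, clx=True))                                # 1023 down to 1013
    print(parse_st7sec_binding("ncadg_ip_udp 172.31.37.14 22115"))    # ('UDP', '172.31.37.14', 22115)
    print(netsh_portopening(10100, "TCP", "bc0ftds1"))
```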
4.7 ORACLE
Oracle database on the Diane GCOS7 side:
To be accessible from Open world applications, the Oracle database uses a GCOS7 program (Oracle Listener) that listens on the port number configured in the GCOS7 file "listener_ora".
This port number must be authorized in the firewall configuration.
Oracle database on the Diane Windows side:
Oracle on Windows uses dynamic port rerouting. Opening the port number configured in the "listener.ora" file is not sufficient*.
Oracle suggests several solutions. The simplest one is to disable dynamic port rerouting by setting the registry key USE_SHARED_SOCKET=true.
5. Windows updates
5.1 Regular updates
Microsoft regularly releases patches designed to improve Windows® security.
Bull constantly monitors and analyzes these patches and makes those that are DPS 7000/XTA-qualified available to its customers on the Bull Solution On Line server (www.bull.fr/support).
These updates must be downloaded and installed as quickly as possible.
5.2 Service Packs
Periodically (once or twice a year) Microsoft releases patches and enhancements in a "kit" commonly known as a Service Pack.
Each Service Pack receives an in-depth validation from the Bull Research department in order to be sure that it will not interfere with the running of the DPS 7000/XTA systems.
Bull then installs the Service Packs that have been approved by its technicians. This is done as part of the DPS 7000/XTA maintenance contract.
When Microsoft launches a new Service Pack, Bull informs its GCOS 7 customers that it is starting validation and then performs the installation.
6. Choosing an antivirus
Windows® updates must be supplemented by the installation of antivirus software designed to destroy any viruses that have managed to penetrate the system.
6.1 Symantec Antivirus
The antivirus chosen and approved by Bull for its DPS 7000/XTA systems is Symantec AntiVirus Corporate Edition for workstations and network servers published by Symantec. This is installed on all systems.
It is customers' responsibility to systematically update the signatures and technical status of the antivirus program from the Symantec Web site: www.symantec.com/avcenter.
Details of the procedure are supplied to all DPS 7000/XTA customers.
The license supplied by Bull gives rights to signature updates for one year from the moment it is installed on the server. It is then the customer's responsibility to renew the license from Symantec and install it.
6.2 Support for antivirus programs other than Symantec AntiVirus™
Customers may choose an antivirus program other than Symantec AntiVirus™. In this case, they must make a formal request to Bull, who will uninstall the Symantec antivirus software.
Bull will continue to support systems protected with antivirus software other than Symantec. If problems arise from its use, any Bull callouts incurred will be at the customer's expense where the problem handled would not have occurred had the Symantec antivirus software been active.
A. Windows 2003 ports
Ports used by Windows 2003 services.
This list is taken from the document: "Port_Requirements_for_Microsoft_W2003" available from Microsoft.
Port | Protocol | Network Service | System Service | System Service Logical Name
---- | -------- | --------------- | -------------- | ---------------------------
7 | TCP | Echo | Simple TCP/IP Services | SimpTcp
7 | UDP | Echo | Simple TCP/IP Services | SimpTcp
9 | TCP | Discard | Simple TCP/IP Services | SimpTcp
9 | UDP | Discard | Simple TCP/IP Services | SimpTcp
13 | TCP | Daytime | Simple TCP/IP Services | SimpTcp
13 | UDP | Daytime | Simple TCP/IP Services | SimpTcp
17 | TCP | Quotd | Simple TCP/IP Services | SimpTcp
17 | UDP | Quotd | Simple TCP/IP Services | SimpTcp
19 | TCP | Chargen | Simple TCP/IP Services | SimpTcp
19 | UDP | Chargen | Simple TCP/IP Services | SimpTcp
20 | TCP | FTP default data | FTP Publishing Service | MSFtpsvc
21 | TCP | FTP control | FTP Publishing Service | MSFtpsvc
21 | TCP | FTP control | Application Layer Gateway Service | ALG
23 | TCP | Telnet | Telnet | TlntSvr
25 | TCP | SMTP | Simple Mail Transport Protocol | SMTPSVC
25 | UDP | SMTP | Simple Mail Transport Protocol | SMTPSVC
25 | TCP | SMTP | Exchange Server |
25 | UDP | SMTP | Exchange Server |
42 | TCP | WINS Replication | Windows Internet Name Service | WINS
42 | UDP | WINS Replication | Windows Internet Name Service | WINS
53 | TCP | DNS | DNS Server | DNS
53 | UDP | DNS | DNS Server | DNS
53 | TCP | DNS | Internet Connection Firewall/Internet Connection Sharing | SharedAccess
53 | UDP | DNS | Internet Connection Firewall/Internet Connection Sharing | SharedAccess
67 | UDP | DHCP Server | DHCP Server | DHCPServer
67 | UDP | DHCP Server | Internet Connection Firewall/Internet Connection Sharing | SharedAccess
69 | UDP | TFTP | Trivial FTP Daemon Service | tftpd
80 | TCP | HTTP | Windows Media Services | WMServer
80 | TCP | HTTP | World Wide Web Publishing Service | W3SVC
80 | TCP | HTTP | SharePoint Portal Server |
88 | TCP | Kerberos | Kerberos Key Distribution Center | Kdc
88 | UDP | Kerberos | Kerberos Key Distribution Center | Kdc
102 | TCP | X.400 | Microsoft Exchange MTA Stacks |
110 | TCP | POP3 | Microsoft POP3 Service | POP3SVC
110 | TCP | POP3 | Exchange Server |
119 | TCP | NNTP | Network News Transfer Protocol | NntpSvc
123 | UDP | NTP | Windows Time | W32Time
123 | UDP | SNTP | Windows Time | W32Time
135 | TCP | RPC | Message Queuing | msmq
135 | TCP | RPC | Remote Procedure Call | RpcSs
135 | TCP | RPC | Exchange Server |
135 | TCP | RPC | Certificate Services | CertSvc
135 | TCP | RPC | Cluster Service | ClusSvc
135 | TCP | RPC | Distributed File System | DFS
135 | TCP | RPC | Distributed Link Tracking | TrkSvr
135 | TCP | RPC | Distributed Transaction Coordinator | MSDTC
135 | TCP | RPC | Event Log | Eventlog
135 | TCP | RPC | Fax Service | Fax
135 | TCP | RPC | File Replication | NtFrs
135 | TCP | RPC | Local Security Authority | LSASS
135 | TCP | RPC | Remote Storage Notification | Remote_Storage_User_Link
135 | TCP | RPC | Remote Storage Server | Remote_Storage_Server
135 | TCP | RPC | Systems Management Server 2.0 |
135 | TCP | RPC | Terminal Services Licensing | TermServLicensing
135 | TCP | RPC | Terminal Services Session Directory | Tssdis
137 | UDP | NetBIOS Name Resolution | Computer Browser | Browser
137 | UDP | NetBIOS Name Resolution | Server | lanmanserver
137 | UDP | NetBIOS Name Resolution | Windows Internet Name Service | WINS
137 | UDP | NetBIOS Name Resolution | Net Logon | Netlogon
137 | UDP | NetBIOS Name Resolution | Systems Management Server 2.0 |
138 | UDP | NetBIOS Datagram Service | Computer Browser | Browser
138 | UDP | NetBIOS Datagram Service | Messenger | Messenger
138 | UDP | NetBIOS Datagram Service | Server | lanmanserver
138 | UDP | NetBIOS Datagram Service | Net Logon | Netlogon
138 | UDP | NetBIOS Datagram Service | Distributed File System | Dfs
138 | UDP | NetBIOS Datagram Service | Systems Management Server 2.0 |
138 | UDP | NetBIOS Datagram Service | License Logging Service | LicenseService
139 | TCP | NetBIOS Session Service | Computer Browser | Browser
139 | TCP | NetBIOS Session Service | Fax Service | Fax
139 | TCP | NetBIOS Session Service | Performance Logs and Alerts | SysmonLog
139 | TCP | NetBIOS Session Service | Print Spooler | Spooler
139 | TCP | NetBIOS Session Service | Server | lanmanserver
139 | TCP | NetBIOS Session Service | Net Logon | Netlogon
139 | TCP | NetBIOS Session Service | Remote Procedure Call Locator | RpcLocator
139 | TCP | NetBIOS Session Service | Distributed File System | Dfs
139 | TCP | NetBIOS Session Service | Systems Management Server 2.0 |
139 | TCP | NetBIOS Session Service | License Logging Service | LicenseService
143 | TCP | IMAP | Exchange Server |
161 | UDP | SNMP | SNMP Service | SNMP
162 | UDP | SNMP Traps Outbound | SNMP Trap Service | SNMPTRAP
270 | TCP | MOM 2004 | Microsoft Operations Manager 2004 | MOM
389 | TCP | LDAP Server | Local Security Authority | LSASS
389 | UDP | LDAP Server | Local Security Authority | LSASS
389 | TCP | LDAP Server | Distributed File System | Dfs
389 | UDP | LDAP Server | Distributed File System | Dfs
443 | TCP | HTTPS | HTTP SSL | HTTPFilter
443 | TCP | HTTPS | World Wide Web Publishing Service | W3SVC
443 | TCP | HTTPS | SharePoint Portal Server |
445 | TCP | SMB | Fax Service | Fax
445 | TCP | SMB | License Logging Service | LicenseService
445 | TCP | SMB | Print Spooler | Spooler
445 | TCP | SMB | Server | lanmanserver
445 | TCP | SMB | Remote Procedure Call Locator | RpcLocator
445 | TCP | SMB | Distributed File System | Dfs
445 | TCP | SMB | Net Logon | Dfs
500 | UDP | IPSec ISAKMP | Local Security Authority | LSASS
515 | TCP | LPD | TCP/IP Print Server | LPDSVC
548 | TCP | File Server for Macintosh | File Server for Macintosh | MacFile
554 | TCP | RTSP | Windows Media Services | WMServer
563 | TCP | NNTP over SSL | Network News Transfer Protocol | NntpSvc
593 | TCP | RPC over HTTP | Remote Procedure Call | RpcSs
593 | TCP | RPC over HTTP | Exchange Server |
636 | TCP | LDAP SSL | Local Security Authority | LSASS
636 | UDP | LDAP SSL | Local Security Authority | LSASS
993 | TCP | IMAP over SSL | Exchange Server |
995 | TCP | POP3 over SSL | Exchange Server |
1270 | TCP | MOM-Encrypted | Microsoft Operations Manager 2000 | one point
1433 | TCP | SQL over TCP | Microsoft SQL Server | SQLSERVR
1433 | TCP | SQL over TCP | MSSQL$UDDI | SQLSERVR
1434 | UDP | SQL Probe | Microsoft SQL Server | SQLSERVR
1434 | UDP | SQL Probe | MSSQL$UDDI | SQLSERVR
1645 | UDP | Legacy RADIUS | Internet Authentication Service | IAS
1646 | UDP | Legacy RADIUS | Internet Authentication Service | IAS
1701 | UDP | L2TP | Routing and Remote Access | RemoteAccess
1723 | TCP | PPTP | Routing and Remote Access | RemoteAccess
1755 | TCP | MMS | Windows Media Services | WMServer
1755 | UDP | MMS | Windows Media Services | WMServer
1801 | TCP | MSMQ | Message Queuing | msmq
1801 | UDP | MSMQ | Message Queuing | msmq
1812 | UDP | RADIUS Authentication | Internet Authentication Service | IAS
1813 | UDP | RADIUS Accounting | Internet Authentication Service | IAS
1900 | UDP | SSDP | SSDP Discovery Service | SSDPRSRV
2101 | TCP | MSMQ-DCs | Message Queuing | msmq
2103 | TCP | MSMQ-RPC | Message Queuing | msmq
2105 | TCP | MSMQ-RPC | Message Queuing | msmq
2107 | TCP | MSMQ-Mgmt | Message Queuing | msmq
2393 | TCP | OLAP Services 7.0 | SQL Server: Downlevel OLAP Client Support |
2394 | TCP | OLAP Services 7.0 | SQL Server: Downlevel OLAP Client Support |
2460 | UDP | MS Theater | Windows Media Services | WMServer
2535 | UDP | MADCAP | DHCP Server | DHCPServer
2701 | TCP | SMS Remote Control (control) | SMS Remote Control Agent |
2701 | UDP | SMS Remote Control (control) | SMS Remote Control Agent |
2702 | TCP | SMS Remote Control (data) | SMS Remote Control Agent |
2702 | UDP | SMS Remote Control (data) | SMS Remote Control Agent |
2703 | TCP | SMS Remote Chat | SMS Remote Control Agent |
2703 | UDP | SMS Remote Chat | SMS Remote Control Agent |
2704 | TCP | SMS Remote File Transfer | SMS Remote Control Agent |
2704 | UDP | SMS Remote File Transfer | SMS Remote Control Agent |
2725 | TCP | SQL Analysis Services | SQL 2000 Analysis Server |
2869 | TCP | UPNP | Universal Plug and Play Device Host | UPNPHost
2869 | TCP | SSDP event notification | SSDP Discovery Service | SSDPRSRV
3268 | TCP | Global Catalog Server | Local Security Authority | LSASS
3269 | TCP | Global Catalog Server | Local Security Authority | LSASS
3343 | UDP | Cluster Services | Cluster Service | ClusSvc
3389 | TCP | Terminal Services | NetMeeting Remote Desktop Sharing | mnmsrvc
3389 | TCP | Terminal Services | Terminal Services | TermService
3527 | UDP | MSMQ-Ping | Message Queuing | msmq
4011 | UDP | BINL | Remote Installation | BINLSVC
4500 | UDP | NAT-T | Local Security Authority | LSASS
5000 | TCP | SSDP legacy event notification | SSDP Discovery Service | SSDPRSRV
5004 | UDP | RTP | Windows Media Services | WMServer
5005 | UDP | RTCP | Windows Media Services | WMServer
42424 | TCP | ASP.Net Session State | ASP.NET State Service | aspnet_state
51515 | TCP | MOM-Clear | Microsoft Operations Manager 2000 | one point
B. Windows services on the Diane-Windows 2003 system
This appendix contains the list of Windows services present on a Diane-Windows 2003 system. It is included for information purposes.
The "Installation" column gives the service's original product.
Name Description Installation Status Startup Type Log On As Alerter Notifies selected users and
computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local Service
Application Layer Gateway Service
Provides support for application level protocol plug-ins and enables network/protocol connectivity. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual Local Service
Security configuration for Windows 2003 DIANE systems
B-2 47 A2 11EL
Application Management
Processes installation, removal, and enumeration requests for Active Directory IntelliMirror group policy programs. If the service is disabled, users will be unable to install, remove, or enumerate any IntelliMirror programs. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual with W2003 Disabled By Security Script
Local System
Automatic Updates Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
W2003 Automatic with W2003 Disabled with Security Script
Local System
Background Intelligent Transfer Service
Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly.
W2003 Manual Local System
ClipBook Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local System
Windows services on the Diane-Windows 2003 system
47 A2 11EL B-3
COM+ Event System
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Manual Local System
COM+ System Application
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual Local System
Computer Browser Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Automatic with W2003 Disabled with Security Script
Local System
ConnectEMC Navisphere Manual Local System
Security configuration for Windows 2003 DIANE systems
B-4 47 A2 11EL
Cryptographic Services
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Local System
DHCP Client Registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive dynamic IP addresses and DNS updates. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Automatic with W2003 Disabled with Security Script
Network Service
Distributed File System
Integrates disparate file shares into a single, logical namespace and manages these logical volumes distributed across a local or wide area network. If this service is stopped, users will be unable to access file shares. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Local System
Windows services on the Diane-Windows 2003 system
47 A2 11EL B-5
Distributed Link Tracking Client
Enables client programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. If this service is stopped, the links on this computer will not be maintained or tracked. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Automatic with W2003 Disabled with Security Script
Local System
Distributed Link Tracking Server
Enables the Distributed Link Tracking Client service within the same domain to provide more reliable and efficient maintenance of links within the domain. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local System
Distributed Transaction Coordinator
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Automatic with W2003 Disabled with Security Script
Network Service
DNS Client Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Network Service
EMC PowerPath Service 3.0.6
EMC PowerPath Service PowerPath Started Automatic Local System
Security configuration for Windows 2003 DIANE systems
B-6 47 A2 11EL
Emulex HBAnyware Remote Management Drivers Emulex
Disabled Local System
Emulex HBAnyware Discovery
Performs discovery of local and remote HBAs
Drivers Emulex
Manual Local System
Error Reporting Service
Collects, stores, and reports unexpected application crashes to Microsoft. If this service is stopped, then Error Reporting will occur only for kernel faults and some types of user mode faults. If this service is disabled, any services that explicitly depend on it will not start.
W2003 Started Automatic Local System
Event Log Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
W2003 Started Automatic Local System
File Replication Allows files to be automatically copied and maintained simultaneously on multiple servers. If this service is stopped, file replication will not occur and servers will not synchronize. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual with W2003 Disabled By Security Script
Local System
FTP Publishing Service
Enables this server to be a File Transfer Protocol (FTP) server. If this service is stopped, the server cannot function as an FTP server. If this service is disabled, any services that explicitly depend on it will fail to start.
IIS Automatic with W2003 Disabled with Security Script
Local System
GTS Event Agent GTS Started Automatic Local System
Windows services on the Diane-Windows 2003 system
47 A2 11EL B-7
Help and Support Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Local System
HTTP SSL This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Manual Local System
Human Interface Device Access
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local System
IBM Active PCI Alert Service
1X4 machine Started Automatic Local System
IBM Remote Supervisor Adapter II
1X4 machine Started Automatic Local System
IIS Admin Service Enables this server to administer Web and FTP services. If this service is stopped, the server will be unable to run Web, FTP, NNTP, or SMTP sites or configure IIS. If this service is disabled, any services that explicitly depend on it will fail to start.
IIS Started Automatic Local System
Security configuration for Windows 2003 DIANE systems
B-8 47 A2 11EL
IMAPI CD-Burning COM Service
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local System
Indexing Service Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
W2003 Manual with W2003 Disabled By Security Script
Local System
Intel NCS NetService
Supports Intel(R) PROSet for Wired Connections.
IntelProset Manual Local System
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. If this service is stopped, networking services such as Internet sharing, name resolution, addressing and/or intrusion prevention will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local System
Interop7Adm Allows to start, stop and to get the state of the Interop7 servers
Interop7 Started Automatic Local System
Intersite Messaging Enables messages to be exchanged between computers running Windows Server sites. If this service is stopped, messages will not be exchanged, nor will site routing information be calculated for other services. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local System
Windows services on the Diane-Windows 2003 system
47 A2 11EL B-9
IP4700 Trap Catcher
Navisphere Manual Local System
IPSEC Services Provides end-to-end security between clients and servers on TCP/IP networks. If this service is stopped, TCP/IP security between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Local System
Kerberos Key Distribution Center
On domain controllers this service enables users to log on to the network using the Kerberos authentication protocol. If this service is stopped on a domain controller, users will be unable to log on to the network. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local System
License Logging Monitors and records client access licensing for portions of the operating system (such as IIS, Terminal Server and File/Print) as well as products that aren't a part of the OS, like SQL and Exchange Server. If this service is stopped, licensing will be enforced, but will not be monitored.
W2003 Disabled Network Service
Security configuration for Windows 2003 DIANE systems
B-10 47 A2 11EL
Logical Disk Manager
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Local System
Logical Disk Manager Administrative Service
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
W2003 Manual Local System
Messenger Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local System
Microsoft Software Shadow Copy Provider
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual Local System
Navisphere Agent Navisphere Started Automatic Local System
Windows services on the Diane-Windows 2003 system
47 A2 11EL B-11
Net Logon Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services and the domain controller cannot register DNS records. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual Local System
NetMeeting Remote Desktop Sharing
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local System
NetOp Helper ver. 7.65 (2004052)
The NetOp Helper Service provides essential functions needed by NetOp programs from Danware.
NetOP Started Automatic Local System
Network Connections
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. If this service is disabled, you will not be able to view local area network and remote connections and any services that explicitly depend on it will fail to start.
W2003 Started Manual Local System
Security configuration for Windows 2003 DIANE systems
B-12 47 A2 11EL
Network DDE Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local System
Network DDE DSDM
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local System
Network Location Awareness (NLA)
Collects and stores network configuration and location information, and notifies applications when this information changes.
W2003 Started Manual Local System
NT LM Security Support Provider
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
W2003 Manual Local System
Performance Logs and Alerts
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual Network Service
Windows services on the Diane-Windows 2003 system
47 A2 11EL B-13
Plug and Play Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
W2003 Started Automatic Local System
Portable Media Serial Number Service
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
W2003 Manual Local System
Print Spooler Manages all local and network print queues and controls all printing jobs. If this service is stopped, printing on the local machine will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Local System
Protected Storage Protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users. If this service is stopped, protected storage will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Local System
Remote Access Auto Connection Manager
Detects unsuccessful attempts to connect to a remote network or computer and provides alternative methods for connection. If this service is stopped, users will need to manually connect. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual with W2003 Disabled By Security Script
Local System
Security configuration for Windows 2003 DIANE systems
B-14 47 A2 11EL
Remote Access Connection Manager
Manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks. If this service is stopped, the operating system might not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual with W2003 Disabled By Security Script
Local System
Remote Desktop Help Session Manager
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
W2003 Manual Local System
Remote Procedure Call (RPC)
Serves as the endpoint mapper and COM Service Control Manager. If this service is stopped or disabled, programs using COM or Remote Procedure Call (RPC) services will not function properly.
W2003 Started Automatic Local System
Remote Procedure Call (RPC) Locator
Enables remote procedure call (RPC) clients using the RpcNs* family of APIs to locate RPC servers. If this service is stopped or disabled, RPC clients using RpcNs* APIs may be unable to locate servers or fail to start. RpcNs* APIs are not used internally in Windows.
W2003 Manual Network Service
Remote Registry Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Automatic with W2003 Disabled with Security Script
Local Service
Windows services on the Diane-Windows 2003 system
47 A2 11EL B-15
Removable Storage Manages and catalogs removable media and operates automated removable media devices. If this service is stopped, programs that are dependent on Removable Storage, such as Backup and Remote Storage, will operate more slowly. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual Local System
Resultant Set of Policy Provider
Enables a user to connect to a remote computer, access the Windows Management Instrumentation database for that computer, and either verify the current Group Policy settings made for the computer or check settings before they are applied. If this service is stopped, remote verification will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual Local System
Routing and Remote Access
Enables multi-protocol LAN-to-LAN, LAN-to-WAN, virtual private network (VPN), and network address translation (NAT) routing services for clients and servers on this network. If this service is stopped, these services will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local System
SavRoam Symantec AntiVirus Roaming Service
Antivirus Symantec
Manual Local System
Security configuration for Windows 2003 DIANE systems
B-16 47 A2 11EL
Secondary Logon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Local System
Security Accounts Manager
The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.
W2003 Started Automatic Local System
Server Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Local System
ServeRAID Manager Agent
1X4 machine ServeRAID Started Automatic Local System
Shell Hardware Detection
Provides notifications for AutoPlay hardware events.
W2003 Started Automatic Local System
Smart Card Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual with W2003 Disabled By Security Script
Local Service
Special Administration Console Helper
Allows administrators to remotely access a command prompt using Emergency Management Services.
W2003 Manual Local System
Windows services on the Diane-Windows 2003 system
47 A2 11EL B-17
Symantec AntiVirus Provides real-time virus scanning, reporting, and management functionality for Symantec AntiVirus.
Antivirus Symantec
Started Automatic Local System
Symantec AntiVirus Definition Watcher
Monitors and maintains virus definitions.
Antivirus Symantec
Started Automatic Local System
Symantec Event Manager
Symantec Event Manager Antivirus Symantec
Started Automatic Local System
Symantec Network Drivers Service
Symantec Network Drivers Service
Antivirus Symantec
Manual Local System
Symantec Password Validation
Symantec Password Validation Service
Antivirus Symantec
Manual Local System
Symantec Settings Manager
Symantec Settings Manager Antivirus Symantec
Started Automatic Local System
System Event Notification
Monitors system events and notifies subscribers to COM+ Event System of these events. If this service is stopped, COM+ Event System subscribers will not receive system event notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Local System
Task Scheduler
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Local System
TCP/IP NetBIOS Helper
Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network, therefore enabling users to share files, print, and log on to the network. If this service is stopped, these functions might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Automatic with W2003, Disabled with Security Script Local Service
Telephony
Provides Telephony API (TAPI) support for clients using programs that control telephony devices and IP-based voice connections. If this service is stopped, the function of all dependent programs will be impaired. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual with W2003, Disabled by Security Script Local System
Telnet
Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local Service
Terminal Services
Allows users to connect interactively to a remote computer. Remote Desktop, Fast User Switching, Remote Assistance, and Terminal Server depend on this service - stopping or disabling this service may make your computer unreliable. To prevent remote use of this computer, clear the checkboxes on the Remote tab of the System properties control panel item.
W2003 Started Manual Local System
Terminal Services Session Directory
Enables a user connection request to be routed to the appropriate terminal server in a cluster. If this service is stopped, connection requests will be routed to the first available server.
W2003 Disabled Local System
Themes
Provides user experience theme management.
W2003 Disabled Local System
Uninterruptible Power Supply
Manages an uninterruptible power supply (UPS) connected to the computer.
W2003 Manual Local Service
Upload Manager
Manages the synchronous and asynchronous file transfers between clients and servers on the network. Driver data is anonymously uploaded from these transfers and then used by Microsoft to help users find the drivers they need. The Driver Feedback Server asks the client's permission to upload the computer's hardware profile and then search the Internet for information about how to obtain the appropriate driver or get support. If this service stops, Microsoft will not have access to the driver data.
W2003 Manual Local System
V7000 Administration
Administration of V7000 GCOS7 virtual machine.
V7000 VAS Started Automatic Local System
V7000 System Control
Engine of V7000 GCOS7 virtual machine.
V7000 SYC Started Automatic .\V7000Engine
Virtual Disk Service
Provides software volume and hardware volume management service.
W2003 Manual Local System
Volume Shadow Copy
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual Local System
WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local Service
Windows Audio
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Disabled Local System
Windows Image Acquisition (WIA)
Provides image acquisition services for scanners and cameras.
W2003 Disabled Local Service
Windows Installer
Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual Local System
Windows Management Instrumentation
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Local System
Windows Management Instrumentation Driver Extensions
Monitors all drivers and event trace providers that are configured to publish Windows Management Instrumentation (WMI) or event trace information. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Manual Local System
Windows Time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Local System
WinHTTP Web Proxy Auto-Discovery Service
Implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP). WPAD is a protocol to enable an HTTP client to automatically discover a proxy configuration. If this service is stopped or disabled, the WPAD protocol will be executed within the HTTP client's process instead of an external service process; there would be no loss of functionality as a result.
W2003 Manual Local Service
Wireless Configuration
Enables automatic configuration for IEEE 802.11 adapters. If this service is stopped, automatic configuration will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Local System
WMI Performance Adapter
Provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network. This service only runs when Performance Data Helper is activated.
W2003 Manual Local System
Workstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
W2003 Started Automatic Local System
World Wide Web Publishing Service
Provides Web connectivity and administration through the Internet Information Services Manager.
IIS Automatic with W2003, Disabled with Security Script Local System
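A practitioner will want to verify that the startup types in this table survive on a running system, since a service re-enabled by a later installation is exactly the kind of drift a hardening script does not see. The following Python audit is an added example, not Bull's security script and not part of this manual: it parses the text printed by "sc qc <service>" and compares START_TYPE with the value the table expects after the security script has run. The service short names (SamSs, lanmanserver, W32Time, SCardSvr, LmHosts, TapiSrv, TlntSvr, WebClient, W3SVC) are the standard Windows 2003 names and are an assumption of the example, as is the constructed sample output.

```python
"""Audit Windows 2003 service startup types against the hardening table above.

Added example (not Bull's security script). It parses the text output of
"sc qc <service>" and compares START_TYPE with the value the table expects
after the security script has run. Service short names are the standard
Windows 2003 names; they are an assumption of this example, not from the table.
"""
import re
import subprocess

# Expected START_TYPE per service once the security script has been applied.
# Values mirror the table: "Disabled by Security Script" => DISABLED.
EXPECTED_START_TYPE = {
    "SamSs": "AUTO_START",         # Security Accounts Manager (must not be disabled)
    "lanmanserver": "AUTO_START",  # Server
    "W32Time": "AUTO_START",       # Windows Time
    "SCardSvr": "DISABLED",        # Smart Card
    "LmHosts": "DISABLED",         # TCP/IP NetBIOS Helper
    "TapiSrv": "DISABLED",         # Telephony
    "TlntSvr": "DISABLED",         # Telnet
    "WebClient": "DISABLED",       # WebClient
    "W3SVC": "DISABLED",           # World Wide Web Publishing Service
}

# sc.exe prints one "KEY : value" line per field, e.g. "START_TYPE : 4   DISABLED".
_FIELD_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")


def parse_sc_fields(sc_output):
    """Turn the 'KEY : value' lines printed by sc.exe into a dict."""
    fields = {}
    for line in sc_output.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def start_type(sc_qc_output):
    """Symbolic START_TYPE (AUTO_START, DEMAND_START, DISABLED) or None."""
    value = parse_sc_fields(sc_qc_output).get("START_TYPE", "")
    return value.split()[-1] if value else None


def check_service(name, sc_qc_output):
    """Compare one service's actual START_TYPE with the hardened value."""
    actual = start_type(sc_qc_output)
    expected = EXPECTED_START_TYPE[name]
    return {"service": name, "expected": expected, "actual": actual, "ok": actual == expected}


def audit(outputs):
    """outputs: {service: text of 'sc qc service'}. Returns the deviating services."""
    return [name for name, out in outputs.items() if not check_service(name, out)["ok"]]


def audit_live():
    """Run 'sc qc' for every service in the table (Windows only)."""
    outputs = {n: subprocess.run(["sc", "qc", n], capture_output=True, text=True).stdout
               for n in EXPECTED_START_TYPE}
    return audit(outputs)


# Constructed sample output (not captured from a Diane system): W3SVC has been
# left on Automatic, i.e. the security script's setting did not survive.
SAMPLE_W3SVC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: W3SVC
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k iissvcs
        DISPLAY_NAME       : World Wide Web Publishing Service
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem
"""
SAMPLE_SCARDSVR = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SCardSvr
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\WINDOWS\System32\SCardSvr.exe
        DISPLAY_NAME       : Smart Card
        SERVICE_START_NAME : NT AUTHORITY\LocalService
"""

if __name__ == "__main__":
    for svc in audit({"W3SVC": SAMPLE_W3SVC, "SCardSvr": SAMPLE_SCARDSVR}):
        print("deviates from hardening table:", svc)
```

On a live system, audit_live() runs the queries itself; the table's "Manual" entries map to DEMAND_START and can be added to EXPECTED_START_TYPE in the same way.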
C. Firewall configurator
The V7000 Firewall Configurator is a Windows™ application that may be executed on a “Full V7000 Server” or on a “Remote V7000 Administration Tools” installation, from Windows 2003 SP1 or Windows XP SP2.
From Windows 2003 SP1 and Windows XP SP2, a new version of the native firewall is available. The main characteristics of this firewall are the following:
• Filters incoming and outgoing connections.
• Can be configured for applications (.exe file names) or communication ports (TCP or UDP protocols).
• In case of a configured application, the communication ports used by this application are only opened when it is running.
• Activation of the firewall applies to all connections (i.e. all network cards) of the platform.
Several V7000 and Interop7 components use network facilities and must operate correctly when the firewall is activated on the platform.
The goal of the V7000 Firewall Configurator application is therefore to configure the native firewall of a Windows 2003 SP1 or Windows XP SP2 platform:
• for Windows native common components necessary for both V7000 and Interop7 components, on both types (server and remote administration) of V7000 and Interop7 installations
• for V7000 and Interop7 components on both types (server and remote administration) of V7000 and Interop7 installations
• and also for factory installed third party components* on a “Full V7000 Server” installation.
*: a factory installed third party component is a network software component necessary for the proper general operation of the V7000 server platform.
However, this application is not in charge of activating or deactivating the firewall; that remains the customer's responsibility.
Two operation modes are available:
• An automatic mode, invoked by the appropriate tools during V7000 or Interop7 installations. This mode configures V7000 products (respectively Interop7 products) in the native firewall without manual intervention. It is briefly described in paragraph C.1.
• An interactive mode, using a graphical dialog box, which allows individual changes to the configuration of V7000 and Interop7 components (compared with the automatic configuration) and to the configuration of factory installed third party components. This interactive mode is described from paragraph C.2 onwards.
Whatever the operation mode used, information, warning and error messages are logged in the V7000 log file under a log source named V7000_FWALL.
C.1 Automatic mode
The V7000 Firewall Configurator tool is automatically called in the following cases:
• through the V7000 Version Manager tool, when a V7000 version is activated on a “Full V7000 Server” installation (case 1)
• through the Interop7 Installation program, when an Interop7 server installation is made on a “Full V7000 Server” installation (case 2)
• through the V7000 Installation program, when a “Remote V7000 Administration Tools” installation is made (case 3)
• through the Interop7 Installation program, when an Interop7 administration installation is made on a “Remote V7000 Administration Tools” installation (case 4)
• through the V7000 Information Collector tool, when a BCT is asked to collect the actual state of all components known by the firewall on a “Full V7000 Server” installation (case 5)
• through the V7000 Information Collector tool, when a BCT is asked to enumerate the actual state of all components known by the firewall on a “Remote V7000 Administration Tools” installation (case 6)
C.1.1 User rights
The necessary user rights are those of the corresponding tools from which the V7000 Firewall Configurator is called:
• Administrators and V7000BullServices groups for the V7000 Version Manager tool
• Administrators group for the V7000 and Interop7 Installation programs
• Administrators, V7000BullServices or V7000Operators groups for the V7000 Information Collector tool
If the user rights are not sufficient, the following error message is logged:
V7000 Firewall Configurator Error : Error: RC=CONFFW_INSUFFICIENT_USERRIGHTS (45002)
C.1.2 Checking of Windows version
If the Windows version is less than Windows 2003 SP1 (for a “Full V7000 Server” installation) or Windows XP SP2 (for a “Remote V7000 Administration Tools” installation), the following error message is logged:
V7000 Firewall Configurator Error : The native firewall is supported from Windows 2003 SP1 or Windows XP SP2 only.
C.1.3 Checking of Windows Firewall/Internet Connection Sharing (ICS) service state
If the service Windows Firewall/Internet Connection Sharing (ICS) is not started, the following error message is logged:
V7000 Firewall Configurator Error : The service Windows Firewall/Internet Connection Sharing (ICS) is not running.
C.1.4 Automatic mode of configuration (cases 1-4)
The automatic mode of configuration takes the current state of the corresponding components into account.
On the first automatic configuration, all selected components(*) are configured (i.e. enabled) in the firewall.
(*) All V7000 components are automatically selected. Interop7 components to install can be selected through the installation program.
Native Windows common components are automatically selected.
On subsequent automatic configurations, the current state of the selected components, as set by an earlier use of the V7000 Firewall Configurator tool in interactive mode, is kept.
The Native Windows common components are the following:
• DCOM RPC:
port 135 protocol TCP
• MMC Admin :
application %windir%\system32\mmc.exe
The V7000 components are the following:
• AdminServer :
application <V7000 path component>\V7000_Service_VAS.exe
• Engine :
application <V7000 path component>\V7000_System_Control.exe
• RCF :
application <V7000 path component>\RemoteControlFacility_EXE.exe
• SDM :
application <V7000 path component>\V7000_SharedDiskManager.exe
• GCOS7 Consoles :
application <V7000 path component>\ClientConsole.exe
<V7000 path component> is the components path directory of a V7000 installation.
On a “Remote V7000 Administration Tools” installation, the only managed component is GCOS7 Consoles.
The Interop7 components are the following:
• AdminServer :
application <Interop7 path component>\Interop7Adm.exe
• SockG7 Std :
application <Interop7 path component>\v7sg7.exe
• SockG7 TDS :
application <Interop7 path component>\v7sg7tds.exe
• GFTP Client :
application <Interop7 path component>\gftp.exe
• GFTP Server :
application <Interop7 path component>\gftpd.exe
• NT7GW :
application <Interop7 path component>\NT7GW.exe
• NT7 Admin :
application <Interop7 path component>\NT7ADM.exe
• OpenGTW :
application <Interop7 path component>\openGTW.exe
• OpenGTW Admin :
application <Interop7 path component>\openGtwAdm.exe
• OpenGTW Print :
application <Interop7 path component>\opgtwPrint.exe
• CNDSA :
application <Interop7 path component>\cndsa.exe
• G7CN :
application <Interop7 path component>\G7CN.exe
• G7Ping :
application <Interop7 path component>\G7ping.exe
<Interop7 path component> is the components path directory of an Interop7 installation.
On a “Remote V7000 Administration Tools” installation, the only managed components are G7CN and G7Ping, provided that the “Interop7 Basic Administration Tools” option was chosen at installation time.
When an automatic configuration session of the V7000 Firewall Configurator is executed, a corresponding text file is created in the <Trace> directory of a “Full V7000 Server” or of a “Remote V7000 Administration Tools” installation. The name of this text file is:
• V7000ConfigFirewall_V7000_Server.txt (case 1)
• V7000ConfigFirewall_Interop7_Server.txt (case 2)
• V7000ConfigFirewall_V7000_RemoteAdministration.txt (case 3)
• V7000ConfigFirewall_Interop7_RemoteAdministration.txt (case 4)
This file is re-created at each automatic session.
C.1.5 Automatic mode of enumeration (cases 5-6)
The V7000 Information Collector tool calls the V7000 Firewall Configurator to enumerate the actual state of all components known by the firewall, whatever the selected option in the main dialog box of the V7000 Information Collector tool.
When an automatic enumeration session of the V7000 Firewall Configurator is executed, a corresponding text file is created in the <Trace> directory of a “Full V7000 Server” or of a “Remote V7000 Administration Tools” installation. The name of this text file is:
• V7000ConfigFirewall_BCT_Server.txt (case 5)
• V7000ConfigFirewall_BCT_RemoteAdministration.txt (case 6)
This file is re-created at each automatic session.
C.2 V7000 Firewall Configurator User Rights
C.2.1 No user rights
The complete set of functions of the V7000 Firewall Configurator is reserved for users belonging to both the Administrators and V7000BullServices groups.
If the user belongs neither to the Administrators group nor to the V7000BullServices group, the following error dialog box is displayed:
Figure C-1 No user rights (on a “Full V7000 Server” installation)
Figure C-2 No user rights (on a “Remote V7000 Administration Tools” installation)
Moreover, the following error message is logged:
V7000 Firewall Configurator Error : Error: RC=CONFFW_INSUFFICIENT_USERRIGHTS (45002)
C.2.2 Read only restricted rights
If the user belongs to the Administrators group but not to the V7000BullServices group, the following warning dialog box is displayed before the main dialog box:
Figure C-3 Read only restricted rights (Administrators group only on a “Full V7000 Server” installation)
Figure C-4 Read only restricted rights (Administrators group only on a “Remote V7000 Administration Tools” installation)
If the user belongs to the V7000BullServices group but not to the Administrators group, the following warning dialog box is displayed before the main dialog box:
Figure C-5 Read only restricted rights (V7000BullServices group only on a “Full V7000 Server” installation)
Figure C-6 Read only restricted rights (V7000BullServices group only on a “Remote V7000 Administration Tools” installation)
In these two cases, the use of the tool is restricted to a visualization mode only.
C.2.3 Full user rights
If the user belongs both to the Administrators and V7000BullServices groups, the following warning dialog box is displayed before the main dialog box:
Figure C-7 Full user rights (on a “Full V7000 Server” installation)
Figure C-8 Full user rights (on a “Remote V7000 Administration Tools” installation)
C.3 Checking of Windows version
If the Windows version is less than Windows 2003 SP1 (for a “Full V7000 Server” installation) or Windows XP SP2 (for a “Remote V7000 Administration Tools” installation), the following error dialog box is displayed:
Figure C-9 Windows version less than W2003 SP1 or XP SP2 (on a “Full V7000 Server” installation)
Figure C-10 Windows version less than W2003 SP1 or XP SP2 (on a “Remote V7000 Administration Tools” installation)
Moreover, the following error message is logged:
V7000 Firewall Configurator Error : The native firewall is supported from Windows 2003 SP1 or Windows XP SP2 only.
C.4 Checking of Windows Firewall/Internet Connection Sharing (ICS) service state
If the service Windows Firewall/Internet Connection Sharing (ICS) is not started, the following error dialog box is displayed:
Figure C-11 Service Windows Firewall/Internet Connection Sharing (ICS) not started (on a “Full V7000 Server” installation)
Figure C-12 Service Windows Firewall/Internet Connection Sharing (ICS) not started (on a “Remote V7000 Administration Tools” installation)
Moreover, the following error message is logged:
V7000 Firewall Configurator Error : The service Windows Firewall/Internet Connection Sharing (ICS) is not running.
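The three checks of C.1.1 to C.1.3, repeated for the interactive mode in C.2 to C.4, can be reproduced outside the tool, which is useful when an automatic session has logged one of the errors above and an operator wants to see which precondition failed before re-running the installation. The following Python script is an added example, not Bull's code: it derives the rights mode from the group list printed by "whoami /groups", compares the Windows version with the minimum for the installation type, reads the state of the Windows Firewall/Internet Connection Sharing (ICS) service (short name SharedAccess) from "sc query" output, and returns the error messages quoted in this appendix. The input formats are the standard Windows 2003 / XP ones, the domain DIANE01 and SIDs in the sample are constructed, and reading "less than Windows 2003 SP1" as a (major, minor, service pack) comparison is this example's own choice.

```python
"""Pre-flight checks of the V7000 Firewall Configurator, scripted.

Added example, not Bull's code. It reproduces the user-rights, Windows
version and Windows Firewall/ICS service checks of C.1.1 to C.1.3 (C.2 to
C.4 in interactive mode) and returns the error messages quoted in this
appendix. Input formats (whoami /groups, sc query) are the standard
Windows 2003 / XP ones and are an assumption of the example.
"""
import re
import subprocess
import sys

ERR_PREFIX = "V7000 Firewall Configurator Error : "
ERR_RIGHTS = ERR_PREFIX + "Error: RC=CONFFW_INSUFFICIENT_USERRIGHTS (45002)"
ERR_VERSION = ERR_PREFIX + ("The native firewall is supported from Windows 2003 SP1 "
                            "or Windows XP SP2 only.")
ERR_SERVICE = ERR_PREFIX + ("The service Windows Firewall/Internet Connection "
                            "Sharing (ICS) is not running.")

# Minimum (major, minor, service pack) per installation type. Reading "less
# than Windows 2003 SP1" as a version-tuple comparison is this example's choice.
MIN_VERSION = {"server": (5, 2, 1),   # "Full V7000 Server": Windows 2003 SP1
               "remote": (5, 1, 2)}   # "Remote V7000 Administration Tools": XP SP2


def groups_from_whoami(output):
    """Group names (without the DOMAIN\\ or BUILTIN\\ prefix) from 'whoami /groups'."""
    names = set()
    for line in output.splitlines():
        parts = line.split()
        if parts and "\\" in parts[0]:
            names.add(parts[0].split("\\", 1)[1])
    return names


def rights_mode(groups):
    """'full' (both groups, C.2.3), 'readonly' (one of them, C.2.2) or 'none' (C.2.1)."""
    admin = "Administrators" in groups
    bull = "V7000BullServices" in groups
    if admin and bull:
        return "full"
    return "readonly" if (admin or bull) else "none"


def firewall_supported(version, install):
    """version: (major, minor, service_pack); install: 'server' or 'remote'."""
    return tuple(version) >= MIN_VERSION[install]


def ics_running(sc_query_output):
    """True when 'sc query SharedAccess' reports STATE ... RUNNING."""
    m = re.search(r"STATE\s*:\s*\d+\s+(\w+)", sc_query_output)
    return bool(m) and m.group(1) == "RUNNING"


def preflight(groups, version, sc_query_output, install="server"):
    """Return (rights mode, list of logged errors); mode is None on any error."""
    errors = []
    mode = rights_mode(groups)
    if mode == "none":
        errors.append(ERR_RIGHTS)
    if not firewall_supported(version, install):
        errors.append(ERR_VERSION)
    if not ics_running(sc_query_output):
        errors.append(ERR_SERVICE)
    return (None if errors else mode), errors


def live_inputs():
    """Collect the real inputs on a Windows host (not used by the sample below)."""
    run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    v = sys.getwindowsversion()
    return (groups_from_whoami(run(["whoami", "/groups"])),
            (v.major, v.minor, v.service_pack_major),
            run(["sc", "query", "SharedAccess"]))


# Constructed samples: the domain DIANE01 and the SIDs are invented for the example.
SAMPLE_WHOAMI = r"""
GROUP INFORMATION
-----------------
Group Name                 Type             SID                  Attributes
========================== ================ ==================== ===============
Everyone                   Well-known group S-1-1-0              Mandatory group
BUILTIN\Administrators     Alias            S-1-5-32-544         Mandatory group
DIANE01\V7000BullServices  Alias            S-1-5-21-0-0-0-1001  Mandatory group
"""
SAMPLE_SC_QUERY_STOPPED = """
SERVICE_NAME: SharedAccess
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
"""

if __name__ == "__main__":
    mode, errors = preflight(groups_from_whoami(SAMPLE_WHOAMI), (5, 2, 1), SAMPLE_SC_QUERY_STOPPED)
    print("rights mode:", mode)
    for err in errors:
        print(err)
```

With the sample inputs the user has full rights and the version is acceptable, so the only logged line is the ICS service error; on a real host replace the three sample values with live_inputs(). The check of a previous running instance (C.5) is not modelled here.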
C.5 Checking of a V7000 Firewall Configurator previous instance
If an instance of the V7000 Firewall Configurator application is already running, the following error dialog box is displayed:
Figure C-13 Previous instance running (on a “Full V7000 Server” installation)
Figure C-14 Previous instance running (on a “Remote V7000 Administration Tools” installation)
Moreover, the following error message is logged:
V7000 Firewall Configurator Error : One instance of this application is already running.
C.6 Components managed in main dialog box
The main dialog box of the V7000 Firewall Configurator application is composed of four group boxes corresponding to the four components types:
• Native Windows common components
• V7000 components
• Interop7 components
• Third party components
C.6.1 Native Windows common components
Two native Windows components are managed:
• DCOM RPC:
port 135 protocol TCP
• MMC Admin :
application %windir%\system32\mmc.exe
These components are necessary for DCOM remote administration.
The “Common components” group box is always available for update, both on a “Full V7000 Server” and on a “Remote V7000 Administration Tools” installation, unless the use of the tool is restricted to a visualization mode only (see C.2.2). In this case, all common components are grayed and are checked or unchecked depending on their state in the firewall.
C.6.2 V7000 components
Five V7000 components are managed:
• AdminServer :
application <V7000 path component>\V7000_Service_VAS.exe
• Engine :
application <V7000 path component>\V7000_System_Control.exe
• RCF :
application <V7000 path component>\RemoteControlFacility_EXE.exe
• SDM :
application <V7000 path component>\V7000_SharedDiskManager.exe
• GCOS7 Consoles :
application <V7000 path component>\ClientConsole.exe
<V7000 path component> is the components path directory of a V7000 installation.
The “V7000 components” group box is always available for update, both on a “Full V7000 Server” and on a “Remote V7000 Administration Tools” installation, unless the use of the tool is restricted to a visualization mode only (see C.2.2). In this case, all V7000 components are grayed and are checked or unchecked depending on their state in the firewall.
Nevertheless, on a “Remote V7000 Administration Tools” installation, the following components are not available (grayed): AdminServer, Engine, RCF, SDM. They are also always unchecked.
C.6.3 Interop7 components
Thirteen Interop7 components are managed:
• AdminServer :
application <Interop7 path component>\Interop7Adm.exe
• SockG7 Std :
application <Interop7 path component>\v7sg7.exe
• SockG7 TDS :
application <Interop7 path component>\v7sg7tds.exe
• GFTP Client :
application <Interop7 path component>\gftp.exe
• GFTP Server :
application <Interop7 path component>\gftpd.exe
• NT7GW :
application <Interop7 path component>\NT7GW.exe
• NT7 Admin :
application <Interop7 path component>\NT7ADM.exe
• OpenGTW :
application <Interop7 path component>\openGTW.exe
• OpenGTW Admin :
application <Interop7 path component>\openGtwAdm.exe
• OpenGTW Print :
application <Interop7 path component>\opgtwPrint.exe
• CNDSA :
application <Interop7 path component>\cndsa.exe
• G7CN :
application <Interop7 path component>\G7CN.exe
• G7Ping :
application <Interop7 path component>\G7ping.exe
<Interop7 path component> is the components path directory of an Interop7 installation.
The “Interop7 components” group box is available for update when Interop7 is installed, on a “Full V7000 Server” or on a “Remote V7000 Administration Tools” installation.
On a “Remote V7000 Administration Tools” installation, the following components are not available (grayed): AdminServer, SockG7 Std, SockG7 TDS, GFTP Client, GFTP Server, NT7GW, NT7 Admin, OpenGTW, OpenGTW Admin, OpenGTW Print, CNDSA. They are also always unchecked.
On a “Remote V7000 Administration Tools” installation, only the components G7CN and G7Ping are available, provided that the “Interop7 Basic Administration Tools” option was chosen at installation time. Otherwise, they are unchecked but not grayed.
If Interop7 is not installed, the “Interop7 components” group box is not available (grayed) and all components are grayed and unchecked.
If the use of the tool is restricted to a visualization mode only (see C.2.2), all components are grayed and are checked or unchecked depending on their state in the firewall.
C.6.4 Third party components
The number of third party components is determined by the specific configuration files present in the <Config> path directory of a “Full V7000 Server” installation. These files are built by the engineering team and supplied to the factory team at post-process time.
If no such files are found, the “Third party components” group box is not available (grayed) and no component is listed.
On a “Remote V7000 Administration Tools” installation, the “Third party components” group box is not available (grayed) and no component is listed.
If the use of the tool is restricted to a visualization mode only (see C.2.2), the components are not available and are checked or unchecked depending on their state in the firewall.
C.7 Components state towards the firewall at main dialog box opening time
For each component managed by the V7000 Firewall Configurator application, the real current state towards the firewall is displayed:
• checked if enabled
• unchecked if disabled
If the application detects that the configuration of a component has been updated by another tool (Windows Security Center/Windows Firewall for example):
• a Warning icon is displayed next to the component, for Windows native, V7000 and Interop7 components
• the component name is highlighted in yellow and followed by the word Warning, for factory installed third party components (on a “Full V7000 Server” installation only)
In this case, the following text is also displayed at the bottom of the main dialog box:
Warning icon(s) (Common/V7000/Interop7 components) or yellow highlighted Warning text(s) (Third party components) mean that the firewall configuration has been modified outside this tool. In this case, it is strongly recommended to reestablish the desired configuration with this tool.
C.7.1 Case of Interop7 components uninstall
When Interop7 components are uninstalled from the server, neither the V7000 Firewall Configurator nor the firewall itself is informed. Thus, the current state of these components towards the firewall is kept, and the V7000 Firewall Configurator displays it as follows at main dialog box opening time:
• checked if enabled
• unchecked if disabled
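The "modified outside this tool" detection of C.7, the uninstalled-component case of C.7.1 and the "application not found" warning of C.8 can be scripted for the native Windows and V7000 components, so that drift in the firewall exceptions is caught without opening the dialog box. The following Python checker is an added example and not Bull's code: it parses the text printed by the legacy commands "netsh firewall show allowedprogram" and "netsh firewall show portopening" (Windows 2003 SP1 / XP SP2), compares each component with the state the configurator last applied, and reports the checkbox state and the warnings the main dialog box would show. The directory C:\V7000\Components stands in for <V7000 path component>, the netsh sample output is constructed to approximate the Windows 2003 SP1 layout, and the "last applied" record is this example's own (the tool's <Trace> files are not parsed).

```python
"""Detect V7000 firewall exceptions changed outside the V7000 Firewall Configurator.

Added example, not Bull's tool. It parses the text output of the legacy
commands "netsh firewall show allowedprogram" and "netsh firewall show
portopening" and compares every managed component with the state the
configurator last applied (C.7), also flagging registered applications that
are no longer on disk (C.7.1 / C.8).
"""
import os
import re
from collections import namedtuple

Component = namedtuple("Component", "name kind key")

# Native Windows common components (C.6.1) and V7000 components (C.6.2).
# C:\V7000\Components stands in for <V7000 path component>: an assumption.
V7000_DIR = r"C:\V7000\Components"
COMPONENTS = [
    Component("DCOM RPC", "port", ("135", "TCP")),
    Component("MMC Admin", "application", r"%windir%\system32\mmc.exe"),
    Component("AdminServer", "application", V7000_DIR + r"\V7000_Service_VAS.exe"),
    Component("Engine", "application", V7000_DIR + r"\V7000_System_Control.exe"),
    Component("RCF", "application", V7000_DIR + r"\RemoteControlFacility_EXE.exe"),
    Component("SDM", "application", V7000_DIR + r"\V7000_SharedDiskManager.exe"),
    Component("GCOS7 Consoles", "application", V7000_DIR + r"\ClientConsole.exe"),
]

# One netsh line per exception: "Enable   MMC Admin / %windir%\system32\mmc.exe"
# or "135    TCP       Enable   DCOM RPC" (legacy netsh layout, assumed here).
_PROGRAM_RE = re.compile(r"^(Enable|Disable)\s+(.*?)\s+/\s+(.+?)\s*$")
_PORT_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\s+(.+?)\s*$")


def parse_netsh(allowedprogram_out, portopening_out):
    """Map each exception to True (enabled) or False (disabled).

    Keys are lower-cased program paths or (port, protocol) tuples. Entries are
    merged across the Domain and Standard profiles: an exception counts as
    enabled only if it is enabled in every profile that lists it."""
    state = {}

    def record(key, enabled):
        state[key] = state.get(key, True) and enabled

    for line in allowedprogram_out.splitlines():
        m = _PROGRAM_RE.match(line.strip())
        if m:
            record(m.group(3).lower(), m.group(1) == "Enable")
    for line in portopening_out.splitlines():
        m = _PORT_RE.match(line.strip())
        if m:
            record((m.group(1), m.group(2)), m.group(3) == "Enable")
    return state


def actual_state(netsh_state, component):
    """'enabled', 'disabled' or 'absent' (no exception registered at all)."""
    key = component.key if component.kind == "port" else component.key.lower()
    value = netsh_state.get(key)
    if value is None:
        return "absent"
    return "enabled" if value else "disabled"


def review(netsh_state, last_applied, exists=None):
    """One row per component: checkbox state plus the warnings of C.7 / C.8.

    last_applied: {component name: state} recorded at the last Apply/OK.
    exists: predicate telling whether a program path is present on disk."""
    if exists is None:
        exists = lambda path: os.path.exists(os.path.expandvars(path))
    rows = []
    for c in COMPONENTS:
        actual = actual_state(netsh_state, c)
        checked = actual == "enabled"
        warnings = []
        if last_applied.get(c.name, "absent") != actual:
            warnings.append("modified outside this tool")
        if checked and c.kind == "application" and not exists(c.key):
            warnings.append("application not found")
        rows.append({"component": c.name, "checked": checked, "warnings": warnings})
    return rows


# Constructed sample input (Standard profile only; not captured from a Diane system).
SAMPLE_ALLOWEDPROGRAM = r"""
Allowed programs configuration for Standard profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   MMC Admin / %windir%\system32\mmc.exe
Disable  AdminServer / C:\V7000\Components\V7000_Service_VAS.exe
Enable   Engine / C:\V7000\Components\V7000_System_Control.exe
Enable   GCOS7 Consoles / C:\V7000\Components\ClientConsole.exe
"""
SAMPLE_PORTOPENING = r"""
Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
135    TCP       Enable   DCOM RPC
"""
# State recorded at the last Apply/OK of the configurator (constructed): everything enabled.
LAST_APPLIED = {c.name: "enabled" for c in COMPONENTS}
# Executables present on the constructed sample host (lower-cased paths).
SAMPLE_INSTALLED = {r"%windir%\system32\mmc.exe".lower(),
                    (V7000_DIR + r"\V7000_Service_VAS.exe").lower(),
                    (V7000_DIR + r"\V7000_System_Control.exe").lower()}


def demo():
    """Sample review: AdminServer disabled and RCF/SDM removed outside the tool,
    and the GCOS7 Consoles executable gone (the C.7.1 uninstall situation)."""
    netsh_state = parse_netsh(SAMPLE_ALLOWEDPROGRAM, SAMPLE_PORTOPENING)
    return review(netsh_state, LAST_APPLIED, exists=lambda p: p.lower() in SAMPLE_INSTALLED)
```

On a live host, feed review() the captured output of the two netsh commands and leave the exists parameter at its default; a row with "modified outside this tool" is the scripted equivalent of the Warning icon and of the text at the bottom of the main dialog box.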
C.8 Components state validation/invalidation in main dialog box
The main dialog box is displayed with three buttons: OK, Cancel and Apply.
At main dialog box opening time:
• if the use of the tool is restricted to a visualization mode only (see C.2.2), the OK button is the only one available (not grayed)
• otherwise (full user rights), the Apply button is unavailable (grayed) unless Warnings are displayed (see C.7), and the OK and Cancel buttons are available (not grayed)
The modification of a component (checked if not checked, or unchecked if checked):
• removes the corresponding Warning if it exists
• makes the Apply button available
When the Apply button is available (not grayed), i.e. modifications are in progress or Warnings are displayed, a click on this button makes it unavailable (grayed) and:
• if modifications were in progress, they are validated
• if Warnings were displayed, the following information dialog box is displayed:
Figure C-15 No more Warning(s) after Apply button clicked (on a “Full V7000 Server” installation)
Figure C-16 No more Warning(s) after Apply button clicked (on a “Remote V7000 Administration Tools” installation)
and the Warnings and the specific text at the bottom of the main dialog box (see C.7) are removed when this dialog box is closed. The state of the components is validated.
The main dialog box is not closed when the Apply button is clicked.
When the Apply button is unavailable (grayed) (no modification in progress and no Warning displayed):
• a click on the OK button validates the displayed state of the components and closes the main dialog box
• a click on the Cancel button keeps the displayed state of the components and closes the main dialog box
When the Apply button is available (not grayed), i.e. modifications are in progress or Warnings are displayed, a click on the OK button:
• validates the modifications in progress (if any)
• displays the following information dialog box if Warnings were displayed:
Figure C-17 No more Warning(s) after OK button clicked (on a “Full V7000 Server” installation)
Figure C-18 No more Warning(s) after OK button clicked (on a “Remote V7000 Administration Tools” installation)
and the Warnings and the specific text at the bottom of the main dialog box (see C.7) are removed when this dialog box is closed. The state of the components is validated.
The main dialog box is closed when the OK button is clicked.
When the Apply button is available (not grayed), i.e. modifications are in progress or Warnings are displayed, a click on the Cancel button invalidates the modifications in progress (if any) and closes the main dialog box.
When the Apply or the OK button is clicked, if the application associated with a checked component is not found on the system, the following warning dialog box is displayed:
Figure C-19 Application(s) not found on system (on a “Full V7000 Server” installation)
This example is given for third party components not present (or with erroneous specific configuration files built by the engineering team) on a “Full V7000 Server” installation.
In this case, the components are unchecked in the main dialog box.
NB: The same situation can occur for V7000 and Interop7 components on a “Full V7000 Server” installation or on a “Remote V7000 Administration Tools” installation.
C.9 Main dialog box use cases
This paragraph shows different aspects of the main dialog box following various use cases and their combinations:
• “Full V7000 Server” installation
• “Remote V7000 Administration Tools” installation
• Interop7 installed/not installed
• Warning(s) displayed at opening time
• use of the tool restricted to a visualization mode only
• third party components specific configuration files not present
C.9.1 Use case 1
“Full V7000 Server” installation, Interop7 not installed, no third party component, no Warning displayed at opening time.
Figure C-20 Main dialog box at opening time (use case 1)
Main dialog box at opening time: all common and V7000 components of a “Full V7000 Server” installation are enabled in the firewall and have been previously updated with the V7000 Firewall Configurator, “Interop7 components” and “Third party components” group boxes are unavailable (grayed), Apply button is unavailable (grayed).
C.9.2 Use case 2
“Remote V7000 Administration Tools” installation, Interop7 not installed, no Warning displayed at opening time.
Figure C-21 Main dialog box at opening time (use case 2)
Main dialog box at opening time: all common and V7000 components of a “Remote V7000 Administration Tools” installation are enabled in the firewall and have been previously updated with the V7000 Firewall Configurator, “Interop7 components” and “Third party components” group boxes are unavailable (grayed), Apply button is unavailable (grayed).
C.9.3 Use case 3
“Full V7000 Server” installation, Interop7 installed, no third party component, no Warning displayed at opening time.
Figure C-22 Main dialog box at opening time (use case 3)
Main dialog box at opening time: all common, V7000 and Interop7 components of a “Full V7000 Server” installation are enabled in the firewall and have been previously updated with the V7000 Firewall Configurator; the “Third party components” group box is unavailable (grayed); the Apply button is unavailable (grayed).
C.9.4 Use case 4
“Full V7000 Server” installation, Interop7 not installed, third party components correctly installed, no Warning displayed at opening time.
Figure C-23 Main dialog box at opening time (use case 4)
Main dialog box at opening time: all common, V7000 and found third party components* of a “Full V7000 Server” installation are enabled in the firewall and have been previously updated with the V7000 Firewall Configurator; the “Interop7 components” group box is unavailable (grayed); the Apply button is unavailable (grayed) (*these third party components are examples only).
C.9.5 Use case 5
“Full V7000 Server” installation, Interop7 not installed, third party components correctly installed, Warnings displayed at opening time.
Figure C-24 Main dialog box at opening time (use case 5)
Main dialog box at opening time:
• the common component DCOM RPC is enabled in the firewall but has not been previously updated with the V7000 Firewall Configurator.
• the common component MMC Admin is disabled in the firewall but has not been previously updated with the V7000 Firewall Configurator.
• the V7000 component AdminServer is disabled in the firewall but has not been previously updated with the V7000 Firewall Configurator.
• the V7000 component Engine is enabled in the firewall and has been previously updated with the V7000 Firewall Configurator.
• the V7000 component RCF is disabled in the firewall but has not been previously updated with the V7000 Firewall Configurator.
• the V7000 component SDM is disabled in the firewall and has been previously updated with the V7000 Firewall Configurator.
• the V7000 component GCOS7 Consoles is enabled in the firewall but has not been previously updated with the V7000 Firewall Configurator.
• the third party component* GTS Agent is enabled in the firewall but has not been previously updated with the V7000 Firewall Configurator.
• the third party component* Navisphere Agent is disabled in the firewall but has not been previously updated with the V7000 Firewall Configurator.
• the third party component* Netop Host is enabled in the firewall and has been previously updated with the V7000 Firewall Configurator.
A specific text is displayed at the bottom of the main dialog box; the “Interop7 components” group box is unavailable (grayed); the Apply button is available (not grayed).
*these third party components are examples only
If the common component MMC Admin is now checked, the V7000 component AdminServer is now checked, the V7000 component Engine is now unchecked, the V7000 component GCOS7 Consoles is now unchecked and the third party component Navisphere Agent is now checked, the main dialog box is as follows:
Figure C-25 Main dialog box after some components update (use case 5)
The Warning icons next to the corresponding common and V7000 components are removed, and the third party component* Navisphere Agent is no longer highlighted in yellow.
*this third party component is an example only
If the Apply button is clicked, the following information message box is displayed:
Figure C-26 No more Warning(s) after Apply button clicked (use case 5)
After closing the information dialog box, the main dialog box is as follows:
Figure C-27 Main dialog box after Apply button clicked (use case 5)
No more Warning icons and no more yellow highlighted third party components are displayed, the specific text at the bottom of the main dialog box has been removed, and the Apply button is unavailable (grayed): the firewall state of all components has been validated through the V7000 Firewall Configurator.
C.9.6 Use case 6
“Full V7000 Server” installation, Interop7 not installed, third party components correctly installed, no Warning displayed at opening time, use of the V7000 Firewall Configurator restricted to a visualization mode only.
Figure C-28 Main dialog box at opening time (use case 6)
Main dialog box at opening time: all common, V7000 and third party components are unavailable (grayed for common and V7000 components, not grayed for third party components); the OK button is the only one available.
C.9.7 Use case 7
“Full V7000 Server” installation, Interop7 not installed, third party components not correctly installed (erroneous specific configuration files), no Warning displayed at opening time.
Figure C-29 Main dialog box at opening time (use case 7)
Main dialog box at opening time: all common and V7000 components of a “Full V7000 Server” installation are enabled in the firewall and have been updated with the V7000 Firewall Configurator; the third party component* GTS Agent is enabled in the firewall and has been updated with the V7000 Firewall Configurator; the third party components* ThirdComponent1, ThirdComponent2 and ThirdComponent3 have erroneous specific configuration files.
*these third party components are examples only
If the third party components ThirdComponent1, ThirdComponent2 and ThirdComponent3 are checked and then the Apply button is clicked, the following warning message box is displayed:
Figure C-30 Application(s) not found on system (use case 7)
and these third party components are unchecked.
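The rules that use cases 1 to 7 illustrate (Warning icon when a component's firewall state was set outside the tool, Apply writing pending changes and validating every component, visualization mode, third party applications not found) as an added Python model; this is not Bull's code, and the class, function names and data layout are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Component:
    name: str
    fw_enabled: bool           # current state of the exception in the Windows Firewall
    validated: bool            # True if that state was last set through the configurator
    app_present: bool = True   # third party only: application found on the system
    checked: Optional[bool] = None  # dialog checkbox; starts equal to fw_enabled

    def __post_init__(self) -> None:
        if self.checked is None:
            self.checked = self.fw_enabled

    def warning(self) -> bool:
        # Warning icon: state was changed outside the tool and no change is pending
        return not self.validated and self.checked == self.fw_enabled


def warnings(comps: Dict[str, Component]) -> List[str]:
    return [c.name for c in comps.values() if c.warning()]


def apply_available(comps: Dict[str, Component], view_only: bool = False) -> bool:
    if view_only:            # use case 6: only the OK button is available
        return False
    return any(c.warning() or c.checked != c.fw_enabled for c in comps.values())


def apply(comps: Dict[str, Component], view_only: bool = False) -> List[str]:
    """Write pending changes and validate every component; return the third party
    components whose application is not found (they are unchecked, use case 7).
    Assumption of this model: the other components are still applied."""
    if view_only:
        raise PermissionError("configurator opened in visualization mode")
    not_found = []
    for c in comps.values():
        if c.checked and not c.app_present:
            not_found.append(c.name)
            c.checked = False
            continue
        c.fw_enabled, c.validated = c.checked, True
    return not_found


def use_case_5() -> Dict[str, Component]:
    """Opening state of use case 5, built from the list above (constructed data)."""
    rows = [("DCOM RPC", True, False), ("MMC Admin", False, False),
            ("AdminServer", False, False), ("Engine", True, True),
            ("RCF", False, False), ("SDM", False, True),
            ("GCOS7 Consoles", True, False), ("GTS Agent", True, False),
            ("Navisphere Agent", False, False), ("Netop Host", True, True)]
    return {n: Component(n, e, v) for n, e, v in rows}
```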
C.10 Interactive session file
When an interactive session of the V7000 Firewall Configurator is executed, a corresponding text file is created in the <Trace> directory of a “Full V7000 Server” or of a “Remote V7000 Administration Tools” installation. The name of this text file is:
• V7000ConfigFirewall_Interactive_Server.txt on a “Full V7000 Server” installation
• V7000ConfigFirewall_Interactive_RemoteAdministration.txt on a “Remote V7000 Administration Tools” installation
This file is re-created at each interactive session, so it holds the history of the last session only.