Avaya

Modular Messaging Help


System Hardening

What is System Hardening?

System hardening means identifying what a particular computer is used for (such as a Web server, an e-mail or voice mail server, or an Internet server) and then disabling, or in some cases removing, all components that are not required. The components allowed on the system are specific to the functions that the system is supposed to perform. System hardening involves tightening system security through steps such as limiting the number of users, setting password policies, and creating access control lists.

System Hardening must be well defined in the information security guidelines. The process of hardening a system varies depending upon your operating system. You must ensure that you:

  • Turn off unnecessary services. Default installations leave many services turned on that may be unnecessary. Turn off unnecessary services and delete the executables from the system to provide a more secure system. Doing this also improves system performance, since the processor does not spend time monitoring and running services that are not being used.

  • Patch the system. The system should have all service packs, patches, and hot fixes applied to it, especially those that pertain to the security of the system. Once they are applied, you must validate all the hardening procedures to ensure that the hardening settings are unchanged, since some service packs are known to roll back configuration settings. See patching for more information.

  • Configure file system, directory and registry settings. Access rights to the file system, directory service and the registry should be reviewed and enforced. Providing global read and write access to key directories can lead to a security exposure. In most cases, this level of permission is unnecessary.

  • Configure and tune logging. Logging can be enhanced by configuring the system to log more detail and security-relevant information. Monitoring of logs is often one of the best ways to learn about attempted and successful security breaches.

  • Ensure physical security. Strong security controls and hardening might mean little if the system itself is not physically secure from unauthorized access.

  • Choose a strong administrator password. Selection of the administrator password is absolutely critical. It is important that this password is selected as per the specified guidelines and is the most closely guarded password on the network. The administrator account should be used only in emergencies, with system administrators using their own administrator-equivalent accounts to provide accountability for their actions.

  • Install host-based intrusion detection. Use host intrusion-detection features and products to monitor and identify security incidents.

  • Verify all security settings. After configuring the security settings on the host, check all the settings to make sure they are intact. In many operating systems, applying patches and making changes to settings can undo other changes that were previously made.
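The checklist above asks you to review access rights on key directories and to re-verify settings after every patch. As an added example (not Avaya's procedure or code), the script below records a permission baseline for a directory tree and reports drift and world-writable entries after an update. The function names, the temporary tree and the simulated `chmod` are constructed for illustration, and GNU/Linux `stat -c` is assumed.

```shell
#!/bin/sh
# Added example: permission baseline and drift check (GNU/Linux stat assumed).

# snapshot_perms DIR: one "mode owner:group path" line per entry, sorted by path.
snapshot_perms() {
    find "$1" -exec stat -c '%a %U:%G %n' {} + | sort -k3
}

# world_writable DIR: files and directories that grant write access to "other".
# Symlinks are skipped because their own mode bits are not meaningful.
world_writable() {
    find "$1" ! -type l -perm -0002 | sort
}

# perm_drift BASELINE CURRENT: entries whose mode or owner changed, plus
# entries added or removed since the baseline snapshot was taken.
perm_drift() {
    awk '
        { attrs = $1 " " $2; path = $0; sub(/^[^ ]+ [^ ]+ /, "", path) }
        NR == FNR { base[path] = attrs; next }
        !(path in base) { print "ADDED " path " (" attrs ")"; next }
        base[path] != attrs { print "CHANGED " path ": " base[path] " -> " attrs }
        { seen[path] = 1 }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# Constructed demo: a temporary tree stands in for a hardened directory, and
# the second chmod simulates an update that resets a restrictive mode.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/etc"
    : > "$d/etc/app.conf"
    chmod 750 "$d/etc"
    chmod 640 "$d/etc/app.conf"
    snapshot_perms "$d/etc" > "$d/before.txt"   # baseline after hardening
    chmod 666 "$d/etc/app.conf"                 # simulated rollback by a patch
    snapshot_perms "$d/etc" > "$d/after.txt"    # snapshot after the update
    perm_drift "$d/before.txt" "$d/after.txt" | sed "s|$d/||"
    world_writable "$d/etc" | sed "s|$d/||"
    rm -rf "$d"
}
demo
```

Keep the baseline file somewhere the patched system cannot overwrite, and review every CHANGED or ADDED line before returning the server to service.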

Modular Messaging and Hardening

Modular Messaging servers (MAS and MSS) are based on the Windows 2000 and Linux operating systems, respectively. Avaya chose open operating systems such as Linux or a version of Microsoft Windows to facilitate an integrated any-time, any-where, any-method communication environment that enables the convergence of voice and data.

The Avaya S3400 Message Server is hardened to reduce vulnerabilities to the system and to customers’ networks. Although the S3400 Message Server is not designed to be exposed to the Internet, Avaya implements the system hardening process. This includes disabling all unnecessary services that are not relevant to the operation of Modular Messaging.

Avaya follows standard procedures for hardening the Linux-based system (MSS). The Windows systems (MAS) are hardened by following the Microsoft checklist for Windows hardening. On the MSS, all the unnecessary executables and RPMs are deleted. Some services are impossible to disable on Windows, such as the Remote Procedure Call (RPC) service. For Windows, hardening also includes the removal of all unnecessary executables and registry entries. In addition, Avaya applies appropriately restrictive permissions to files, services, end points, and registry entries.

Once the system is hardened, Avaya subjects it to a variety of common "attack tools" to find security holes. Common tools that can be downloaded from the Web include Nmap and Nessus. Avaya finds and fixes security problems before the release of the product or update. Note that the system is only as secure as the security knowledge base at the time of the release, since new vulnerabilities are always possible.

Of the major operating systems (Unix, Linux, Windows), none is inherently more secure than the others. No operating system is secure out of the box. All can be made more secure through the application of a good security policy, which includes proper administration, configuration, and diligent application of vendor updates when security problems are discovered. See the Microsoft Security Home Page for the most current information on hardening and security.
