- In Appliance mode, the SBA uses the vendor's solution to guarantee security and reliability. The vendor fully supports the ASM (hardware and software).
- In Server mode, the SBA is customized by the customer with a solution that has not been tested or approved by the vendor. Customization can be for functionality or security purposes. The vendor does not know the impact of this customization and therefore can only support the hardware components.
By default, all ASMs are shipped in Appliance mode. Any customization will turn the ASM into Server mode. The only way to return into appliance mode is to re-initialize the ASM using the on-board capability via the WebUI.
Security Risk for a Server
The main risk for a server as a client computer is from a virus attack. A virus is a malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs or data files. Viruses often perform some type of harmful activity on infected hosts, such as stealing hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user's screen, spamming their contacts, or logging their keystrokes. However, not all viruses carry a destructive payload or attempt to hide themselves—the defining characteristic of viruses is that they are self-replicating computer programs which install themselves without the user's consent.
Infection vectors
Human interaction
Malware uses human interaction to get onto a computer and execute itself. The vector can be an email, a file downloaded from a web site, a file carried on a flash drive, or newly installed software. Limiting the human interaction on an embedded system significantly reduces this risk.
Software bugs
Network-facing software can contain a bug, introduced during its design or implementation, that allows its network interface to be used to perform unwanted actions (a breach). Keeping the software updated reduces this risk.
Security on the ASM Module for SBA
The SBA is a mission-critical box because it provides voice survivability to branch office users.
To reduce the attack surface of the Windows Server, Microsoft created requirements for the SBA components and recommended the use of a Security Configuration Wizard template, provided by Microsoft, to lock down the server and reduce the elements at risk of attack. These templates have been leveraged and customized by
Microsoft Security
The following areas are the Microsoft security elements within the SBA that have been implemented on the
Microsoft Requirement
- Driver or software installation should not replace any Microsoft-authored system components and the driver must not bypass any Windows components.
- For each driver, no errors can occur under the Driver Verifier facility provided with Windows. Poorly written kernel-mode drivers have the potential to cause the system to become unstable or stop working.
- All drivers installed on the system must be signed.
Security Configuration Wizard Template
The Security Configuration Wizard template provided by Microsoft is a security policy created with SCW that configures services, network security, specific registry values, and audit policy. The Security Configuration Wizard template must be applied after the device has been deployed and all the applications have started.
The Security Configuration Wizard template performs the following tasks:
- Disables unnecessary services.
- Provides Windows Firewall with Advanced Security support.
- Updates the registry to secure Windows components.
Enhancements to the Microsoft Template
In addition to the above Security Template provided by Microsoft,
- Disable RDP Printer Redirection
- Disable the Schannel warning generated by a failed TLS connection
- Disable administrative file sharing
- Disable SSL v3 client
- Disable SSL v3 server
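The five enhancements above each correspond to a registry setting on the Windows Server ASM. The following read-only audit script is an added example, not part of the vendor's documentation or template; it assumes the settings were applied through the registry values named in the comments (the policy key for RDP printer redirection, Schannel EventLogging=0 for the warning, AutoShareServer for administrative shares, and the Schannel SSL 3.0 Client/Server Enabled values), which is an assumption about how the template implements them.

```powershell
# Added example (not vendor code): read-only audit of the five template enhancements.
# Each entry is an assumed registry value that implements the listed hardening item.
# A value that is absent is reported as MISSING and treated as a FAIL, because the
# Windows default for SSL 3.0 and administrative shares is "enabled".
$checks = @(
    @{ Name     = 'RDP printer redirection disabled'                 # policy: fDisableCpm = 1
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Value    = 'fDisableCpm'; Expected = 1 },
    @{ Name     = 'Schannel warning on failed TLS disabled'           # EventLogging = 0 (assumed)
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
       Value    = 'EventLogging'; Expected = 0 },
    @{ Name     = 'Administrative file shares disabled'               # AutoShareServer = 0
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value    = 'AutoShareServer'; Expected = 0 },
    @{ Name     = 'SSL 3.0 client disabled'                           # Enabled = 0
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client'
       Value    = 'Enabled'; Expected = 0 },
    @{ Name     = 'SSL 3.0 server disabled'                           # Enabled = 0
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'
       Value    = 'Enabled'; Expected = 0 }
)

function Test-SbaHardening {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # Read only the one named value; a missing key or value yields $null instead of an error.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $actual = 'MISSING'
            $result = 'FAIL'
        } else {
            $actual = $item.($c.Value)
            $result = if ($actual -eq $c.Expected) { 'PASS' } else { 'FAIL' }
        }
        [pscustomobject]@{ Check = $c.Name; Expected = $c.Expected; Actual = $actual; Result = $result }
    }
}

# Run the audit and show one row per enhancement; any FAIL means the ASM is no longer
# in the hardened state the template is supposed to leave it in.
Test-SbaHardening -Checks $checks | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the ASM; it only reads the registry and changes nothing.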
Architectural Security
The architectural implementation of the SBA server within the SBC platform also enhances the security of the deployed appliance by the following design factors:
Functional
- All operations for deployment and maintenance of the SBA are completed through the SBC secured WebUI and do not require physical or remote access to the ASM module. This removes the human interaction vectors.
- All communication between the SBC and SBA is internal to the SBC. This limits the risk of a software bug.
- The vendor does not install Internet Information Services (IIS) or Internet Explorer. This limits the risk of a software bug.
- Configuration of a Level 2 ACL within the SBC platform through the SBC secured WebUI. This limits the risk of a software bug.
- Configuration of Windows Firewall through the secured SBC WebUI. This limits the risk of a software bug and removes the human interaction vectors.
- All updates provided by the vendor contain an MD5sum that is signed to ensure authenticity. This removes the human interaction vectors.
Support
As part of the ongoing commitment to provide partners and customers with software and security updates, Microsoft may release bug fixes or service packs as necessary to
Windows Server Updates
Microsoft frequently publishes updates to the Windows Server operating system. These updates are publicly available and can be downloaded and applied to the SBA should the customer wish to do so (and if found relevant).
Every second Tuesday of each month,
If you download and install a Microsoft update before
Lync/Skype Server Component Updates
SBA updates are posted on the Microsoft Update website and can be downloaded by anyone.
Once fully tested and verified by
If you download and install a Microsoft update before
Customer Security
It is the customer’s responsibility to use the tools available from