Cisco IP Contact Center Release 4.6.1 Design Guide
8-10
Cisco Unified Contact Center Enterprise 7.0, 7.1, and 7.2 SRND
OL-8669-16
Chapter 8 Securing Unified CCE
Active Directory Deployment
Organizational Units
Application Created
The installation of Unified ICM or Unified CCE software now requires that the AD domain of which
the servers are members be in Native Mode. The installation adds a number of OU objects,
containers, users, and groups that are necessary for the operation of the software. These objects
can be added only in an Organizational Unit in AD over which the user running the install program has
been delegated control. The OU can be located anywhere in the domain hierarchy, and the AD
Administrator determines how deeply nested the Unified ICM/Unified CCE OU hierarchy is created and
populated.
Note
Local server accounts and groups are not created on the application servers. All created groups are
Domain Local Security Groups, and all user accounts are domain accounts. The Service Logon domain
account is added to the Local Administrators' group of the application servers.
Unified ICM and Unified CCE software installation is integrated with a Domain Manager tool that can
be used standalone for pre-installing the OU hierarchies and objects required by the software or can be
used when the Setup program is invoked to create the same objects in AD. The AD/OU creation can be
done on the domain in which the running server is a member or on a trusted domain. In Cisco Unified
System Contact Center (Unified SCC), this function is fulfilled by the Unified CCE machine initializer,
which defaults to the machine's joined domain and takes only one input, the <Facility> name. The
instance name is always ipcc in the case of a Unified SCC deployment.
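As an added example (not Cisco's Domain Manager, Setup program, or Unified SCC machine initializer), the following PowerShell pre-creates an OU hierarchy, Domain Local security groups and a Service Logon account of the kind described above, delegates control of the OU to an installer group, and then verifies that no group of another scope slipped in. The root OU name Cisco_ICM, the facility Boston, the instance ipcc, the CCE-Installers group and the three group roles are all assumptions; the cmdlets come from the ActiveDirectory RSAT module and dsacls.exe does the delegation.

```powershell
# Added example, not Cisco's code. Assumed names: root OU "Cisco_ICM", facility "Boston",
# instance "ipcc", installer group "CCE-Installers". Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName
$Facility = 'Boston'
$Instance = 'ipcc'

# 1. The software requires a Native Mode domain; stop before creating anything otherwise.
if ($Domain.DomainMode -like '*Mixed*') {
    throw "Domain $($Domain.DNSRoot) is in $($Domain.DomainMode); Native Mode is required."
}

# 2. OU hierarchy: root -> facility -> instance. How deep it sits is the AD administrator's
#    choice; here the root OU is placed directly under the domain.
$RootOU = New-ADOrganizationalUnit -Name 'Cisco_ICM' -Path $DomainDN `
            -ProtectedFromAccidentalDeletion $true -PassThru
$FacilityOU = New-ADOrganizationalUnit -Name $Facility -Path $RootOU.DistinguishedName -PassThru
$InstanceOU = New-ADOrganizationalUnit -Name $Instance -Path $FacilityOU.DistinguishedName -PassThru

# 3. Groups are Domain Local security groups only; no local groups are created on the servers.
foreach ($Role in 'Config', 'Setup', 'Service') {
    New-ADGroup -Name "${Facility}_${Instance}_${Role}" -GroupScope DomainLocal `
                -GroupCategory Security -Path $InstanceOU.DistinguishedName `
                -Description "Unified ICM/CCE $Role group (example)"
}

# 4. The Service Logon account is a domain account. The password is read interactively,
#    never hard-coded in a script.
$SvcPassword = Read-Host -AsSecureString 'Password for the Service Logon account'
$Svc = New-ADUser -Name "${Facility}_${Instance}_svc" -SamAccountName "${Facility}${Instance}svc" `
                  -Path $InstanceOU.DistinguishedName -AccountPassword $SvcPassword `
                  -Enabled $true -PassThru
Add-ADGroupMember -Identity "${Facility}_${Instance}_Service" -Members $Svc

# 5. Delegation of control: the account that later runs Setup must control this OU.
#    Grant the installer group generic-all (GA) on the OU and everything beneath it (/I:T).
$Installers = "$($Domain.NetBIOSName)\CCE-Installers"
dsacls $RootOU.DistinguishedName /I:T /G "${Installers}:GA" | Out-Null

# 6. On each application server (run there, elevated): the Service Logon account goes into
#    the local Administrators group. net.exe works on every Windows Server version;
#    Add-LocalGroupMember is the modern equivalent.
$SvcPrincipal = "$($Domain.NetBIOSName)\$($Svc.SamAccountName)"
# net localgroup Administrators $SvcPrincipal /add

# 7. Verify: every group under the root OU should be Domain Local; anything else is a deviation.
function Test-CceOuGroups {
    param([string]$SearchBase)
    $Wrong = Get-ADGroup -SearchBase $SearchBase -Filter * |
             Where-Object { $_.GroupScope -ne 'DomainLocal' }
    foreach ($G in $Wrong) { Write-Warning "Non-Domain-Local group: $($G.Name) ($($G.GroupScope))" }
    return -not [bool]$Wrong
}
Test-CceOuGroups -SearchBase $RootOU.DistinguishedName
Get-ADObject -SearchBase $RootOU.DistinguishedName -Filter * |
    Select-Object ObjectClass, DistinguishedName | Format-Table -AutoSize
```

Step 7 is the part worth keeping around after installation: re-running it periodically catches groups that were later re-created with Global or Universal scope, which would break the assumption in the note above that only Domain Local groups exist.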
Do not confuse the creation of AD objects with Group Policy Objects (GPO). The Automated Security
Hardening, which is provided following the standard Microsoft Security Template format, is not added
to AD as part of the software installation through the configuration of a GPO. The security policy
provided by this customized template (for Unified ICM/Unified CCE applications) is applied locally
when a user chooses to apply hardening, or it can be pushed down through a GPO by manual AD
configuration using the provided policy file, CiscoICM_Security_Template.inf.
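The local "apply hardening" path can be exercised and checked with secedit.exe, the standard tool for Security Template (.inf) files. The following PowerShell is an added example, not Cisco's hardening utility: it exports the current local policy as a rollback copy, reports which settings differ from CiscoICM_Security_Template.inf before applying it, applies the template locally, and re-analyzes afterwards. The template path and the scratch database and log paths are assumptions, and the "Mismatch - <SettingName>." line format parsed from the secedit log is assumed from Windows Server 2003/2008-era output.

```powershell
# Added example, not Cisco's hardening utility. Assumed: the template has been copied to
# $Template; $Db and $Log are scratch files. Run elevated on the application server.
$Template = 'C:\CiscoHardening\CiscoICM_Security_Template.inf'
$Db       = Join-Path $env:TEMP 'ciscoicm.sdb'
$Log      = Join-Path $env:TEMP 'ciscoicm_secedit.log'

if (-not (Test-Path $Template)) { throw "Template not found: $Template" }

# Keep a copy of the current local policy so hardening can be reverted if it breaks something.
secedit /export /cfg (Join-Path $env:TEMP 'local_policy_before.inf') | Out-Null

# Compare the live machine against the template without changing anything, and return the
# settings that differ. The log lines secedit writes are assumed to look like
# "Mismatch - <SettingName>." or "Not Configured - <SettingName>.".
function Test-TemplateCompliance {
    param([string]$Cfg, [string]$Database, [string]$LogFile)
    if (Test-Path $LogFile) { Remove-Item $LogFile }
    secedit /analyze /db $Database /cfg $Cfg /log $LogFile | Out-Null
    Select-String -Path $LogFile -Pattern '^\s*(Mismatch|Not Configured)\s*-\s*(.+?)\.?\s*$' |
        ForEach-Object {
            [pscustomobject]@{
                Status  = $_.Matches[0].Groups[1].Value
                Setting = $_.Matches[0].Groups[2].Value
            }
        }
}

$Before = @(Test-TemplateCompliance -Cfg $Template -Database $Db -LogFile $Log)
"Settings differing from the template before hardening: $($Before.Count)"
$Before | Format-Table -AutoSize

# Apply the template locally (the "apply hardening" choice in the text). This rewrites the
# local security policy; a GPO linked at the servers' OU is the alternative when the
# domain should own these settings.
secedit /configure /db $Db /cfg $Template /log $Log | Out-Null

$After = @(Test-TemplateCompliance -Cfg $Template -Database $Db -LogFile $Log)
"Settings still differing after hardening: $($After.Count)"
$After | Format-Table -AutoSize
```

A non-empty $After list after a local apply usually means a domain GPO is overriding the locally configured value; that is the case for moving the template into a GPO linked at the servers' OU rather than fighting the domain policy locally.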
AD Administrator Created
As mentioned, there are certain AD objects that may be created by an administrator. The primary
example in
is represented by an OU container, Unified CCE Servers, which is manually added
to contain the servers that are members of a given domain. These servers must be moved to this OU once
they are joined to the domain. This ensures that some segregation is applied to control who can or cannot
administer the servers (delegation of control) and, most importantly, which AD Domain Security Policy
can or cannot be inherited by these application servers that are in the OU.
As noted before, Unified ICM/Unified CCE servers ship with a customized security policy that is
modeled after the Microsoft Windows Server 2003 High Security policy. This policy can be applied at
this server OU level through a Group Policy Object (GPO), but any differing policies must be blocked
from being inherited at the Unified ICM/Unified CCE Servers' OU. Keep in mind that blocking
inheritance, a configuration option at the OU object level, is overridden when the No Override
option is selected at a higher level of the hierarchy. The application of group policies should follow a
well-thought-out design that starts with the lowest common denominator, and those policies should be
restrictive only at the appropriate level in the hierarchy. For a more in-depth explanation of how to
properly deploy group policies, refer to the Windows Server 2003 Security Guide, available at
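The GPO placement, the inheritance block, and the No Override caveat above can be set up and audited from PowerShell. The following is an added example, not Cisco's code: it creates and links a hardening GPO at the manually created servers OU, blocks inheritance there, and then walks up the OU chain to the domain root to report every link marked Enforced (the GPMC name for No Override), since those still reach the servers despite the block. The servers OU DN, the GPO name, and the assumption that the DN contains no escaped commas are mine; the cmdlets come from the GroupPolicy and ActiveDirectory RSAT modules, and the template import into the GPO remains a manual GPMC step.

```powershell
# Added example, not Cisco's code. Assumed DN of the manually created servers OU and an
# assumed GPO name; requires the GroupPolicy and ActiveDirectory RSAT modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ServersOU = 'OU=Unified CCE Servers,OU=Cisco_ICM,DC=corp,DC=example'
$GpoName   = 'Unified ICM-CCE Server Hardening'

# 1. Create the GPO and link it at the servers OU. CiscoICM_Security_Template.inf itself is
#    imported into the GPO with GPMC (Computer Configuration > Windows Settings >
#    Security Settings > Import Policy); there is no cmdlet for that step.
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) { $Gpo = New-GPO -Name $GpoName -Comment 'Hardening for Unified ICM/CCE servers' }
$Existing = (Get-GPInheritance -Target $ServersOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $Existing) { New-GPLink -Name $GpoName -Target $ServersOU -LinkEnabled Yes | Out-Null }

# 2. Block inheritance at the servers OU so differing parent/domain policies do not reach them.
Set-GPInheritance -Target $ServersOU -IsBlocked Yes | Out-Null

# 3. Blocking is not absolute: a link marked Enforced (No Override) anywhere above still
#    applies. Walk up the OU chain to the domain root and report every such link.
function Get-EnforcedLinksAbove {
    param([string]$OuDn)   # assumption: no escaped commas inside RDN values
    $Current = $OuDn
    $Found   = @()
    while ($true) {
        $Parent = ($Current -split ',', 2)[1]
        if ($Parent -notmatch '^(OU|DC)=') { break }
        $Links = (Get-GPInheritance -Target $Parent).GpoLinks | Where-Object { $_.Enforced }
        foreach ($L in $Links) {
            $Found += [pscustomobject]@{ Scope = $Parent; Gpo = $L.DisplayName; Enabled = $L.Enabled }
        }
        if ($Parent -match '^DC=') { break }   # domain root reached; site-linked GPOs are not checked here
        $Current = $Parent
    }
    return $Found
}

$Enforced = @(Get-EnforcedLinksAbove -OuDn $ServersOU)
if ($Enforced.Count -gt 0) {
    Write-Warning "Enforced links still apply to $ServersOU despite Block Inheritance:"
    $Enforced | Format-Table -AutoSize
}

# 4. Effective result: the links the servers actually receive after the block, in precedence order.
(Get-GPInheritance -Target $ServersOU).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Target | Format-Table -AutoSize
```

The function in step 3 is the piece to keep in a periodic check: an Enforced link added at the domain or a parent OU months later silently reintroduces settings into the servers' OU, and step 4 shows exactly which ones won.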