ABELDent Platform Setup Conventions




Introduction

1.1 Purpose of this document

The purpose of this document is to provide prospective ABELDent licensees and their hardware vendors with the information that they will require to prepare for the installation and operation of ABELDent. It will start with a brief overview of typical platforms, and then provide specific information that will be required to configure an ABELDent ready platform.

The sections on configuration are moderately technical and intended primarily for the use of the hardware vendor or IT professional that will be configuring the system. They are not detailed instructions; it is expected that a competent IT professional will be familiar with these ubiquitous platforms, and understand the conventions.

If your hardware vendor needs clarification on any of the points, please have them call (1-800-267-2235) or email ABEL at idept@abelsoft.com. We are happy to co-operate and work with your hardware vendor to ensure that they get all the information required to get your system setup for ABELDent.

1.2 General Platform Overview

ABELDent runs on Microsoft Windows operating systems and the Microsoft SQL Server 2008 R2 database. ABELDent is also available using the Microsoft Jet (Access) database.

ABELDent is designed to scale from small peer to peer networks with few workstations, to larger networks in busy clinics with dedicated servers serving administrative and clinical workstations in operatories.

The smaller networks, with less than six workstations, can be served by a workgroup consisting entirely of computers running the Microsoft Windows client operating systems such as (Windows 8 Pro, 7 Pro, or Vista Business). In this environment the file server is typically used as a workstation.

On larger networks with half a dozen or more workstations, a file/sql server with the Microsoft Windows Server operating system is required. ABELDent recommends Microsoft Windows Server 2012 R2 or Microsoft Windows Server 2008 R2.
The Windows Server operating system supports larger networks and advanced features such as Active Directory security domains, disk mirroring, remote desktop services, and many other features and tools. Some small practices with less than 6 workstations still opt for a dedicated server with the server version of the operating system in order to use active directory, disk mirroring, or other such features.

1.3 How to proceed

ABEL recommends that when looking into purchasing your hardware, operating system, and other software for ABELDent that you get at least three quotes. Please make sure that you provide the ABELDent recommended hardware requirements, and these setup conventions, so that the hardware vendor can include setup to these conventions in the price that you are quoted. Current System Requirements are always available on the ABEL website http://www.abeldent.com.

Some customers opt to purchase their own hardware from vendors that do not provide setup and installation services. In such cases you are likely to require the services of an experienced IT person who can understand these setup conventions and configure the system(s) in conformance with the conventions.

If you are dealing with a hardware vendor that you have not worked with in the past, ABEL recommends checking references. In many areas ABEL can provide the names of hardware vendors who have prepared ABELDent systems in the past.

ABELDent Setup Conventions Page 1 of 25 Last updated March 6, 2014

Server Setup Conventions

1.4 Operating system

1.4.1 Windows Server 2012 R2/Windows Server 2008 R2

1.4.1.1 Setup

Please conform to the following conventions when setting up a server with Microsoft Windows Server 2012 R2/Microsoft Windows Server 2008 R2.

- We recommend that an Active directory domain be set up.
- We recommend using the NTFS file system.
- Setup TCP/IP as the network protocol.
- Set static IP addressing for the server.
- ABEL recommends a router with a firewall on all high-speed Internet connections. The DC is usually configured for DHCP & DNS. In smaller practices without a DC the router usually fills the DHCP/DNS roles.
- Name the computer with the customer's ABEL client ID number. For example if the ABEL customer ID number is C09999-ODS, name the server C09999. You can get the customer ID number by calling ABEL's production department and asking for it.
- An Active directory domain is normally set up if using the Windows Server operating system. With AD, user accounts only have to be set up on the server, not on each workstation.
- Create an account for each user. Ensure that each account has a password. The users should change their password the first time they log in.
- Disable the guest account.
- Use a strong password for the administrator account. Make sure that the appropriate person at the office or clinic has this password. Normally the dentist, office manager, or IT person.
- A high speed Internet connection is required for remote support. ABEL provides the required software via a browser plug in at the time support is provided. Modem connections such as RRAS and PC-Anywhere are no longer recommended for remote support connections.
- Set the display resolution to at least 1280 x 1024.
- Install the most recent operating system service pack, and all critical patches and hotfixes from Microsoft.
- Turn off any CPU power savers. Display power savers should be fine, but refrain from using third party screensavers. Turn off Hibernation.
- Install the latest drivers for all printer(s) and any other devices or peripherals.
- Install and configure any required backup hardware drivers and programs.
- ABEL recommends the backup program that comes with Windows Server.
- Encryption is strongly recommended for backups to removable media. Make sure more than 1 person knows any required passwords, and that encryption keys or certificates are stored safely on-site and off (and that at least 2 people know where these are).
- Shortcuts should be setup on the desktop for all users, or appropriate users, to:
  - Perform a Full System backup with System State,

  - Data only backups. This will have to be setup after ABELDent is installed. ABEL recommends that the ABELDent folder and its sub-folders be backed up.
  Note: A regular user will not have appropriate privileges to perform full system backups; any users that perform backups will have to be added to the Backup Operators group.
- A backup schedule can also be set. Most customers will have enough space available on their backup media to perform a full backup with system state on a daily basis. This is recommended for small offices without an on-site IT person to ensure that all data from all applications is backed up. More sophisticated backup rotations can be set up if and when space becomes an issue.
- If the customer has a high speed always on Internet connection it is recommended that Automatic Updates be turned on.
- Setup the group policy to (Note: This is an optional step to enhance security logs):
  - Audit successful and unsuccessful account login events,
  - Audit successful and unsuccessful account management events,
  - Account lockout to 3 invalid lockout attempts, and the lockout duration to 15 minutes, and the reset account lockout counter to 15 minutes.
- Turn off unnecessary Services such as Messenger, IIS (If it will not be needed) and FTP. If using these services do not allow anonymous access. Note that some practices use ABEL's kiosk and case presentation software & will need IIS.
- Install and configure a reputable Anti-Virus Product. Set it up to automatically get updates regularly. It should be configured for Real-time scanning and for at least 1 full disk scan per week. Some products require that ABELDent be added to exceptions.

1.4.1.2 Testing

Test Windows printing from all workstations, to all printers to which they will need to print.

1.4.2 Windows 8 or Windows 7 File Server

1.4.2.1 Setup

Please conform to the following conventions when setting up a small practice file server based on a client OS like Windows 8 or Windows 7.

- We recommend the NTFS file system.
- Setup TCP/IP as the network protocol.
- Set static IP addressing for the server.
- ABEL recommends a router with a firewall on all high-speed Internet connections.
- Name the computer with the customer's ABEL client ID number. For example if the ABEL customer ID number is C09999-ODS, name the server C09999. You can get the customer ID number by calling ABEL's production department and asking for it.
- TURN OFF sharing wizard/simple file sharing. Open My computer > Tools > Folder Options > Go to the view Tab > Uncheck simple file sharing.

- While you are here also uncheck Hide extensions for known file types.
- Create an account for ABELDent users. An account can be set up for each user, but you should be aware that this account would have to be set up on all client machines from which the user will be running ABELDent. This will require a little more ongoing maintenance to administer the accounts when you have staff changes. It is up to individual customers to decide what is best for their practice. The ABELDent users should not be part of the administrator group; they should be part of the users group.
- Ensure that each account has a password. The users should change their password the first time they log in.
- Disable the guest account.
- Put a strong password on the administrator account. Make sure that the appropriate person at the office or clinic has this password. Normally the dentist, office manager, or IT person.
- If the customer will be doing EDI over a modem rather than by itrans then setup a modem with the appropriate drivers. An external modem is recommended.
- A high speed Internet connection is required for remote support. ABEL provides the required software via a browser plug in at the time support is provided. Modem connections such as RRAS and PC-Anywhere are no longer recommended for remote support connections.
- Create an account for ABEL to use if they have to log in to provide support for the product. Please contact ABEL directly to provide the username and password. Make sure that the ABEL user has dial-in permissions and is part of the users group.
- Set the display resolution to at least 1280 x 1024.
- Install the most recent operating system service pack, and all critical patches and hotfixes from Microsoft.
- Turn off any CPU power savers. Display power savers should be fine, but refrain from using third party screensavers. Turn off Hibernation.
- Install the latest drivers for all printer(s) and any other devices or peripherals.
- Install and configure any required agents, drivers and programs to facilitate the backup. ABEL recommends Internet based backups or backups to removable hard disks.
- Encryption is strongly recommended for backups to removable media. Make sure more than 1 person knows any required passwords, and that encryption keys or certificates are stored safely on-site and off (and that at least 2 people know where these are).
- If backing up to a local disk:
  - Perform a Full System backup with System State.
  - Data only backups. This will have to be setup after ABELDent is installed. ABEL recommends that the ABELDent folder and its sub-folders be backed up. SQL backup files will also need to be backed up unless you are using an online backup agent with an SQL plug-in.
- A backup schedule can also be set. Most customers will have enough space available on disk to perform a full backup with system state on a daily basis. This is recommended for small offices without an on-site IT person to ensure that all data from all applications is backed up. More sophisticated backup rotations can be set up if and when space becomes an issue.
  Note: A regular user may not have appropriate privileges to perform full system backups; any users that perform backups will have to be added to the Backup Operators group.

- If the customer has a high speed always on Internet connection it is recommended that Automatic Updates be turned on.
- Turn off unnecessary Services such as Messenger, IIS (If it will not be needed) and FTP. If using these services do not allow anonymous access. Note that some practices use ABEL's case presentation software & will need IIS.
- Install and configure a reputable Antivirus Product. Set it up to automatically get updates regularly. It should be configured for Real-time scanning and for at least 1 full disk scan per week. Some products require that ABELDent be added to exceptions.

1.4.2.2 Testing

- Test any login accounts created so that user profiles are made.
- Make sure users that will require support have appropriate Internet access.
- Test any other applications that the customer may have purchased such as Word etc.
- Test Windows printing from each workstation and with each user account.

1.5 Database

1.5.1 Microsoft Jet Database

Although the SQL database is now our standard platform, the Microsoft Access database/jet database will continue to be supported for existing customers. The JET database engine is installed along with older versions of ABELDent.

1.5.2 SQL Server 2012 R2/SQL Server 2008 R2

For the SQL version of ABELDent, install SQL Server 2012 R2 or SQL Server 2008 R2 and prerequisites (.NET Framework 3.5) before installing ABELDent. Remember to install all Service packs and hotfixes for SQL Server.

ABELDent uses Windows authentication to authenticate with SQL Server. The ABELDent installation will create the required databases and apply the required permissions for client workstations to access the data. It also creates a shortcut under Start>Programs>ABELDent Administration to facilitate the creation of typical maintenance schedules and backup jobs.

Client Machine Setup

1.6 Windows 8/7 client machine

1.6.1 Setup

Please conform to the following conventions when setting up Windows 8/7 client machines:

- We recommend using the NTFS file system.
- Setup TCP/IP as the network protocol. We normally configure TCP/IP to obtain an IP automatically.
- ABEL recommends a router with a firewall on all high-speed internet connections. If there is not a router, Windows 7 will use Automatic Private IP Addressing (APIPA).

- Name the computer with the customer's ABEL client ID number followed by a hyphen and a numeric extension. For example if the ABEL customer ID number is C09999-ODS, name the first client machine C09999-1, the second client machine C09999-2, and so on.
- Add the IP address of the ABELDent server to each client's hosts file (C:\Windows\System32\drivers\etc\hosts) to facilitate faster name resolution on the network. This is especially important on networks that are not running DNS services.
- Turn off sharing wizard/simple file sharing. Open My computer > Tools > Folder Options > Go to the view Tab > Uncheck Use file sharing wizard. While you are here also uncheck Hide extensions for known file types.
- Create account(s) for ABELDent users. The Account names and passwords must exactly match the account(s) created on the server if in a workgroup environment. The users should not be part of the administrators group; they should be part of the Users group. You can create a group for ABELDent users but on most systems, all regular users will be ABELDent users so the regular users group can be used instead.
- Ensure that each account has a password. The users should change their password the first time they log in (this will have to be done for each user on all machines).
- Disable the guest account.
- Put a password on the administrator account. Make sure that the appropriate person at the office or clinic has this password. Normally the dentist, office manager, or IT person.
- Set the display resolution to at least 1280x1024.
- Install the most recent operating system service pack, and all critical patches and hotfixes from Microsoft.
- Turn off any CPU power saving features and disable hibernation. Screensavers are not an issue.
- Install the latest drivers for all printer(s) and any other devices or peripherals.
- If the customer has a high-speed Internet connection, it is recommended that Automatic Updates be turned on.
- Turn off unnecessary Services such as Messenger, IIS (If it will not be needed) and FTP. If using these services do not allow anonymous access.
  Note that some practices use ABEL's kiosk and case presentation software and will need IIS.
- Install and configure a reputable Anti-Virus Product. Set it up to automatically obtain updates regularly. It should be configured for real-time scanning and for at least 1 full disk scan per week. Some products require that ABELDent be added to exceptions.

1.6.2 Testing

- Test Windows printing from all workstations.
- Make sure that the client machine can connect to the server and access shares created on the server. If you create test shares, please remember to remove them when you are through.

Compatibility and setup with Firewalls, Anti-Virus and Security Suites

1.7 Setting up Firewall Appliances

The specific instructions for setting up Firewalls vary with make and model and often require certified specialists. Most ABELDent communication is internal on the LAN with some exceptions for electronic claims. In multi-site installations additional ports may have to be opened up to allow ABELDent communication. Specific requirements on such communication vary widely depending on the specific architecture of your setup. The following table details the types of communication used by ABELDent and what ports may have to be opened up.

Service or Function | Port | Protocol | Reason required
File and Printer sharing Windows NetBIOS | 139, 445 | TCP | To save data to and retrieve data from the file share
File and Printer sharing Windows NetBIOS | 137, 138 | UDP | To save data to and retrieve data from the file share
ABELDent licensing | 5093 | UDP | Only when thick clients with floating licenses are operating through the firewall without a VPN.
ABELDent Portal | 1504 | TCP | If customer has subscribed to ABELDent patient portal
Thin Client / Terminal Services [1] | 3389 | TCP | To run the Remote Desktop Client control
HTTP/HTTPS | 80, 443 | TCP | If the physicians require Internet access for clinical research then the physician would typically access information by visiting web sites with a browser. The articles would typically be in html, pdf, or word format. Occasionally the information would be delivered as a chargeable or restricted service over an SSL secured web site.
HTTP/HTTPS | 80, 443 | TCP | For remote support (to customers with an Internet connection) ABELSoft uses a tool called GoToAssist (http://www.gotoassist.com). No ports need be kept open to allow incoming traffic on the firewall as the session is initiated inside by the customer going to ABELSoft's web site (http://www.abeldent.com) and following the link to the remote support server website (http://www.gotoassist.com/sb/abelsoft) to enter the appropriate session code. Many firewalls only block incoming traffic, and allow outgoing connections on all ports. In cases where outgoing traffic is also restricted the customer will require outgoing access on ports 80 (TCP) & 443 (TCP) to connect to the remote support session. The full session from the form where the session code is entered is encrypted using 128 bit SSL encryption.
itrans | 9650 outgoing | TCP | Electronic claims submission
itrans | 9650 outgoing | UDP | Electronic claims submission
NTP/SNTP | 123 | UDP | Client/server workstation time synchronization

[1] This port is optional. Terminal Services communication is on port 3389/TCP. In the event that Terminal Services/Remote Desktop is used to run ABELDent remotely then these ports must be opened on the firewall. However if the Remote Desktop session is run within a VPN connection this is not necessary. ABELSoft recommends the VPN approach to any customers operating ABELDent over a high-speed Internet connection.

1.8 Anti-Virus

It is not practical for ABELSoft to test large numbers of Antivirus programs, as there are many such programs on the market. We routinely check several of the more popular AV utilities with the latest version of ABELDent. We post our findings in the table below. Always check the online version of this document to ensure that you are reading our most recent findings.

ABELSoft does NOT exclude our program or data areas from scanning on production systems. Such exclusions should not be necessary.

The following products have been tested with ABELDent version 11.x and 12.x

Product | Results | Workaround steps if required
Symantec Endpoint Protection 12.1 | No Known Problems | n/a
Kaspersky Small Office Security | No Known Problems | n/a
ESET NOD32 | No Known Problems | n/a
Microsoft Security Essentials (Free) | No Known Problems | Does not install properly on Windows Server 2012.
Avast anti-virus | Reported problems with file scanner | Add exclusions for ABELDent executables.

Table last updated March 6th, 2014; check website for most recent version.

1.9 Known problems with Firewalls and steps to mitigate

ABELSoft does not perform regular testing with the various software firewalls included with many consumer Internet security suites. ABELSoft recommends routers or firewall appliances at the perimeter. Some people prefer software-based firewalls as well. Such devices might be desirable on larger networks where threats from within the perimeter protection are more likely. In such cases ABELSoft recommends the Windows Firewall included with all recent Microsoft operating systems. The following has been found to work.

Product | Results | Workaround required
Microsoft Windows Firewall | Tested. Client unable to get license. | Must open port 5093 UDP on server to subnet to allow clients to get license.
Norton Internet Security | Limited testing in the field. | Must open port 5093 UDP on server to subnet to allow clients to get license.
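The Windows Firewall workaround in the table above, written as an added example (not part of the ABEL document): it opens UDP 5093 on the server to the local subnet only, then lists any enabled inbound rule on that port whose scope is wider than the subnet. The rule name and function names are hypothetical.

```powershell
# Added example: run on the ABELDent server from an elevated PowerShell prompt.
# Uses the NetSecurity cmdlets (Windows 8 / Windows Server 2012 and later).

$LicensePort = 5093                               # licensing port from the table above
$RuleName    = 'ABELDent licensing (UDP 5093)'    # hypothetical rule name

function Add-LicensingRule {
    # Allow the licensing port inbound, but only from the server's own subnet,
    # and only on the Domain and Private profiles (never Public).
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
            -Protocol UDP -LocalPort $LicensePort -RemoteAddress LocalSubnet `
            -Profile Domain, Private | Out-Null
    }
}

function Get-LicensingPortExposure {
    # List enabled inbound allow rules that name UDP 5093 explicitly and show
    # who may reach them. Rules that use protocol or port "Any", or a port
    # range, are not expanded by this check.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($port.Protocol -eq 'UDP' -and (@($port.LocalPort) -contains "$LicensePort")) {
            [pscustomobject]@{
                Rule            = $_.DisplayName
                Profile         = $_.Profile
                RemoteAddress   = @($addr.RemoteAddress) -join ','
                # "Any" means the port is reachable from outside the subnet too.
                WiderThanSubnet = (@($addr.RemoteAddress) -contains 'Any')
            }
        }
    }
}

Add-LicensingRule
Get-LicensingPortExposure | Format-Table -AutoSize
```

A row with WiderThanSubnet set to True is an older or hand-made rule that should be narrowed or removed.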

2 Recommendations to help Protect Data and Increase System Reliability

One of the strongest advantages of operating on industry standard platforms such as Microsoft Windows based operating system on Intel (or compatible) hardware platforms is that there are many technologies available that can be leveraged to increase the reliability of your system, reduce downtime, and protect your data. This section briefly discusses a few of these options that ABELSoft recommends that you consider implementing.

2.1 Uninterruptible Power Supplies

The risk of data loss in the event of a power outage that extends beyond the capacity of the battery to provide adequate power is mitigated by Windows' built in ability to monitor power status & UPS battery state. Windows can be configured to notify users and perform an orderly shutdown, preventing data loss.

2.2 Disk Mirroring and RAID Arrays

The risk of data loss in the event of a server hard disk failure is mitigated by Windows' ability to mirror the disks. In the event of a disk failure the remaining disk continues to work until such a time as it is convenient to replace the failed disk and reestablish the mirror set.

2.3 Backups

In the event of data corruption, hard disk failure, or other failure that results in the loss of data, ABELSoft would have to recover the client's most recent backup(s). ABELSoft users typically use the Backup Utility that is supplied with Windows Server or Windows client operating systems, but ABELDent has the flexibility to work with most backup programs and backup services on the market should the customer prefer. Detailed backup & recovery procedures are provided in the ABELDent manual.

2.4 Additional Technologies

ABELDent has been designed to work on the Microsoft Windows platform. These platforms have many such features incorporated into the operating system. The Windows platform also interoperates with many third party products, both hardware and software, that can be used to mitigate risk and protect data. The level of fault tolerance can be configured to match the requirements of the health care provider.

In addition to hardware and software solutions there are many services available to help protect your Windows system. These include such services as Online Data Backups as well as Remote Monitoring and Administration. ABELSoft can help you with such services.

3 Detailed Steps on the security settings described above

This section provides detailed steps for configuration of the security settings and group policy settings mentioned above for technicians or customers who may not be familiar with them.

3.1 Creating ABELDent Users Group and User Accounts

This section covers the initial user setup that would normally be performed by the hardware vendor or IT department before ABELSoft comes out to do the installation. The ABELDent administrator will set these users up as members in ABELDent and configure the appropriate levels of privilege in ABELDent. Ongoing administration including deletion and modification of user accounts is covered in the ABELDent user's manual.

Initially we recommend that an ABELDent Users Group be setup.

1. Log in on the server.
2. Select Start>Administrative Tools>Active Directory Users & Computers
3. Right click on users and select New > Group from the pop out menus
4. Fill in the group name ABELDent Users
5. The Scope of the Group is normally the Domain local
6. The Type of Group is Security

Each user is set up in Windows with a username matching the member's username in the ABELDent Authentication Manager. The typical steps on a Windows 2012 R2 Server would be as follows:

1. Log in on the server.
2. Select Start>Active Directory Users and Computers
3. The Administrator right clicks on the ABELDent Users OU and selects New > User from the pop out menus

4. Fills in the user's first name, last name and username then click on next.
5. The initial password would be entered by the administrator twice, checking the option to force the user to change it on next logon, before clicking on next, and then Finish to create the user.
6. The user would then be added to the ABELDent Users OU. To add them to the ABELDent Users group, start by double clicking on the new username, clicking on the Member Of tab, clicking in the Add button, typing in the group name, clicking on the Check Names button, and OK

On a small standalone or peer-peer network with a Windows 7 or Windows 8-based file server, the steps would be similar only they will be performed under computer Management. Right click on My Computer, select Manage, expand System Tools, Local Users & Groups, right click on Groups, select New Group and then add the group and user in the same way as described above. Add the user to the appropriate ABELDent Users group when finished. On a small network such as this the user must be created identically on each workstation.

3.2 Password Policies

The following steps describe how to set the group policy to ensure password length & complexity rules are enabled in Windows Server 2012 R2.

1. Click on the Windows Start button.
2. Search for Group Policy Management.
3. In Group Policy Management, expand the tree view in the left column so you can see the Default Domain Policy directly below the domain name
4. Right-click on Default Domain Policy and select Edit from the drop-down menu.
5. In the Group Policy Window, click the + to expand Computer Configuration.
6. Click the + to expand Policies.
7. Click the + to expand Windows Settings.
8. Click the + to expand Security Settings.
9. Click the + to expand Account Policy
10. Click on Password Policy.
11. ABELSoft recommends that several Policies be set here:
    a. Minimum Password length should be set at 8 or more characters
    b. Password must meet complexity requirements should be defined and enabled. This will mandate additional criteria beyond the standard Windows case sensitive password
    c. Enforce password history should be set to help prevent passwords from being reused. We suggest the maximum value of 24 be used.
    d. The above Policy would be ineffective if users could quickly cycle through passwords until they can reuse them. A Minimum password age of 30 days will prevent such abuse.
    e. A password age of 90 Days will ensure quarterly password changes. This would be the longest ABELSoft would recommend. Some offices like a Maximum password age of 42 days to ensure password changes at least every 6 weeks.


Similar Policies can be applied to Standalone or small peer-to-peer networks using the Local Computer Policy provided by Windows 8 and Windows 7. The Administrator can access the policy by clicking on Start > typing in GPEdit.msc > and clicking on OK. The diagram below shows that the same settings are available there.

3.3 Account Lockout Policies

ABELDent relies on Microsoft Windows to provide the authentication, and on Microsoft Windows Group Policy to control the behavior of the system on failures to authenticate. The following steps show how to configure a typical account lockout policy. This example shows how to set a lockout after 3 invalid login attempts, set the lockout duration to 3 days, and reset the lockout counter daily (so that 3 failed login attempts in a day would lock the user account for 3 days, unless an administrator manually unlocked the account). Manual unlocking can be performed by the administrator as shown at the end of this section.

1. Click on the Windows Start button.
2. Select Administrative Tools.
3. Click Group Policy Management.
4. In Group Policy Management, expand the tree view in the left column so you can see the Default Domain Policy directly below the domain name
5. Right-click on Default Domain Policy and select Edit

6. Click the + to expand Windows Settings.
7. Click the + to expand Security Settings.
8. Click the + to expand Account Policies.
9. Select Account Lockout Policy
10. Double-click Account lockout threshold
11. Change the value of Account will lock out after: to 3 invalid logon attempts.
12. Click OK.

13. Double-click Account lockout duration.
14. Type in the value 15 minutes.
15. Click OK.
16. Double-click on Reset account lockout counter after.
17. Type in the value 15 minutes.
18. Click on OK.
19. Click the X in the upper right of the Group Policy window.
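Once the password and lockout policies are set, the effective domain values can be read back and compared with the values recommended in sections 3.2 and 3.3. This is an added example, not part of the ABELSoft procedure; it assumes the ActiveDirectory PowerShell module, and treating stricter values (a lower threshold, a longer lockout) as passing is an assumption of the example.

```powershell
# Added example: compare the Default Domain Policy with this guide's recommended values.
# Requires the ActiveDirectory module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory
$p = Get-ADDefaultDomainPasswordPolicy

# Each entry: setting name, current value, recommended value, and the pass condition.
$checks = @(
    @{ Name = 'Minimum password length';   Actual = $p.MinPasswordLength
       Want = '8 or more';  Pass = ($p.MinPasswordLength -ge 8) }
    @{ Name = 'Complexity requirements';   Actual = $p.ComplexityEnabled
       Want = 'Enabled';    Pass = ($p.ComplexityEnabled -eq $true) }
    @{ Name = 'Enforce password history';  Actual = $p.PasswordHistoryCount
       Want = '24';         Pass = ($p.PasswordHistoryCount -eq 24) }
    @{ Name = 'Minimum password age';      Actual = $p.MinPasswordAge.TotalDays
       Want = '30 days';    Pass = ($p.MinPasswordAge.TotalDays -ge 30) }
    # A maximum age of 0 means passwords never expire, so it must fail.
    @{ Name = 'Maximum password age';      Actual = $p.MaxPasswordAge.TotalDays
       Want = '1 to 90 days'
       Pass = ($p.MaxPasswordAge.TotalDays -gt 0 -and $p.MaxPasswordAge.TotalDays -le 90) }
    # A threshold of 0 means accounts are never locked out, so it must fail.
    @{ Name = 'Account lockout threshold'; Actual = $p.LockoutThreshold
       Want = '3 attempts'
       Pass = ($p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 3) }
    @{ Name = 'Account lockout duration';  Actual = $p.LockoutDuration.TotalMinutes
       Want = '15 minutes'; Pass = ($p.LockoutDuration.TotalMinutes -ge 15) }
    @{ Name = 'Reset lockout counter';     Actual = $p.LockoutObservationWindow.TotalMinutes
       Want = '15 minutes'; Pass = ($p.LockoutObservationWindow.TotalMinutes -ge 15) }
)

$report = foreach ($c in $checks) {
    [pscustomobject]@{
        Setting     = $c.Name
        Actual      = $c.Actual
        Recommended = $c.Want
        Result      = if ($c.Pass) { 'PASS' } else { 'FAIL' }
    }
}

$report | Format-Table -AutoSize
if ($report.Result -contains 'FAIL') {
    Write-Warning 'One or more settings differ from the recommended values.'
}
```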

3.4 Inactivity timeout and lock

ABELDent leverages Microsoft Windows technologies that lock a system upon detection of inactivity. The procedure is described below.

ABELSoft recommends Windows 8 for secure use workstations. In these cases ABELDent and operating system logon security is integrated (i.e., Single sign-on methodology). These workstations can be set in Windows to automatically lock after a defined period of inactivity at the workstation by specifying the screen-saver to be the native Windows 8 password logon screen-saver. These settings can be enforced and locked-down with an enforced group policy for groups of stations or users or individual stations or users.

Like the Password and Account Lockout Policies, these settings are best made in Group Policy. Follow the steps in the previous two sections to enter Group Policy. The screen saver timeout Policies are set at User Configuration > Administrative Templates > Control Panel > Personalization > Screen Saver Timeout

Suggested value is 180 seconds (3 minutes). Some users find this hard to tolerate. We suggest trying 3 minutes, and if it causes too many problems this value can always be increased later (with permission from the appropriate physicians or other authorities).

3.5 Make sure that user can change their own password

On a Windows 2012 R2 domain when the administrator creates the user account, the administrator determines whether the user will have the appropriate level of privilege to change their own password. The screen capture below shows the default setting where User cannot change password is UNCHECKED. This setting cannot be selected when User must change password at next logon is selected, therefore the setting is already correct for new accounts with User must change password at next logon selected. For existing accounts you should manually check to make sure that User cannot change password is unchecked. You can get to this setting by clicking on Start > Administrative Tools > Active Directory Users & Computers > double-click on Users > double-click on the appropriate user > click on the Account tab; the checkboxes will be in the Account options area.

Similarly, if a Windows 2012 domain does not exist, when the administrator creates the user account in Windows 8, the administrator determines whether the user will have the appropriate level of privilege to change their own password.

3.6 Setup NTP/SNTP Time Synchronization

Explanation of NTP time synchronization can be found on the Microsoft website http://support.microsoft.com/kb/816042 We are including excerpts on the specific setup steps required here. We strongly recommend an external time source as documented here, rather than the internal time source that is also mentioned in the same Microsoft article.

Configuring the Windows Time service to use an external time source

To configure an internal time server to synchronize with an external time source, follow these steps:

1. Change the server type to NTP. To do this, follow these steps:
   a. Click the Start button, type regedit, and then click OK.

   b. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
   c. In the right pane, right-click Type, and then click Modify.
   d. In Edit Value, type NTP in the Value data box, and then click OK.
2. Set AnnounceFlags to 5. To do this, follow these steps:
   a. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
   b. In the right pane, right-click AnnounceFlags, and then click Modify.
   c. In Edit DWORD Value, type 5 in the Value data box, and then click OK.
3. Enable NTPServer. To do this, follow these steps:
   a. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
   b. In the right pane, right-click Enabled, and then click Modify.
   c. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
4. Specify the time sources. To do this, follow these steps:
   a. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
   b. In the right pane, right-click NtpServer, and then click Modify.
   c. In Edit Value, type Peers in the Value data box, and then click OK.
   Note: Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made in step 5 will not take effect.
5. Select the poll interval. To do this, follow these steps:
   a. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
   b. In the right pane, right-click SpecialPollInterval, and then click Modify.
   c. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
   Note: TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 900 Decimal. This value configures the Time Server to poll every 15 minutes.
6. Configure the time correction settings. To do this, follow these steps:
   a. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
   b. In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.
   c. In Edit DWORD Value, click to select Decimal in the Base box.
   d. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
   Note: TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.
   e. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
   f. In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.
   g. In Edit DWORD Value, click to select Decimal in the Base box.
   h. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
   Note: TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.
7. Quit Registry Editor.
8. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:
   net stop w32time && net start w32time
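The same registry changes can be applied from an elevated PowerShell prompt instead of Registry Editor. This is an added example, not taken from the Microsoft article or from ABELSoft; the peer names are placeholders, and 900 and 3600 are the example values suggested in the notes above.

```powershell
# Added example: apply the Windows Time registry settings described in the steps above.
# Run from an elevated PowerShell prompt on the internal time server.
$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Assumption: placeholder peer names; replace with the external sources chosen for the site.
$peers = @('time1.example.org', 'time2.example.org')

# Each DNS name must be unique and must carry the ,0x1 suffix.
if (@($peers | Select-Object -Unique).Count -ne $peers.Count) {
    throw 'Each peer DNS name must be unique.'
}
$peerList = ($peers | ForEach-Object { "$_,0x1" }) -join ' '

# Steps 1 to 4: server type, AnnounceFlags, NtpServer provider, time sources.
Set-ItemProperty "$w32\Parameters" -Name Type -Value 'NTP'
Set-ItemProperty "$w32\Config" -Name AnnounceFlags -Value 5 -Type DWord
Set-ItemProperty "$w32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord
Set-ItemProperty "$w32\Parameters" -Name NtpServer -Value $peerList

# Step 5: poll every 900 seconds (15 minutes).
Set-ItemProperty "$w32\TimeProviders\NtpClient" -Name SpecialPollInterval -Value 900 -Type DWord

# Step 6: allow corrections of up to 3600 seconds (1 hour) in either direction.
Set-ItemProperty "$w32\Config" -Name MaxPosPhaseCorrection -Value 3600 -Type DWord
Set-ItemProperty "$w32\Config" -Name MaxNegPhaseCorrection -Value 3600 -Type DWord

# Step 8: restart the Windows Time service so the new settings are loaded.
Restart-Service w32time

# Read the settings back and show the source the service is now using.
Get-ItemProperty "$w32\Parameters" | Select-Object Type, NtpServer
w32tm /query /status
```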

3.7 Disable LMHash

Modern Windows systems use a very secure system called Kerberos for secure authentication. Passwords are not directly stored or transmitted. Standards based hashes (md4) are stored in encrypted databases, and only hashes of passwords are ever transmitted. Windows systems also have components that support backward compatibility to older less secure authentication systems, specifically one component called LANManager. ABELSoft recommends that you turn off such compatibility so that password hashes are not stored or transmitted using these older vulnerable standards. The following instructions tell how to disable the LMHash.

Implement the NoLMHash Policy by Using Group Policy

To disable the storage of LM hashes of a user's passwords in the local computer's SAM database by using Local Group Policy (Windows 8 or Windows Server 2012) or in a Windows Server 2012 Active Directory environment by using Group Policy in Active Directory, follow these steps:

1. In Group Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
2. In the list of available policies, double-click Network security: Do not store LAN Manager hash value on next password change.
3. Click Enabled, and then click OK.

4 Appendix B Security and Auditing Checklist

This checklist is provided to help you systematically perform the recommended security setup.

Practice Name:
ABEL ID:
Date:

Security Requirements | Server | Workstation 1 | Workstation 2 | Workstation 3 | Workstation 4 | Workstation 5

Machine Name
Enforce password history enabled
Maximum password age enabled for 90 days
Minimum password length set to 8 characters enabled
Password must meet complexity requirements
Account lockout duration set to 15 minutes
Account lockout threshold enabled for 3 attempts
Reset account lockout counter set to 15 minutes
Audit account logon events enabled for success/failure
Audit account management enabled for success/failure
Audit logon events enabled for success/failure
Audit object access enabled for success/failure
Audit policy change enabled for success/failure
Screen saver password protected enabled for 3 minutes
Remote Access enabled/configured
Time synchronization configured
Firewall rules created
   1. MS SQL 1433
   2. MS SQL 1434
   3. NetBIOS 139
   4. Microsoft DS 445
   5. NetBIOS 137
   6. NetBIOS 138
   7. SSL 443
   8. RDP 3389
Backup software installed/configured to backup
   1. Application data
   2. Security credentials
   3. Log/audit files
Backup and archive files are encrypted
Anti-Virus software installed
No conflict between ABELDent and installed antivirus software
VPN software installed/configured
Uninterruptable Power Supply
   1. Setup
   2. Software installed
Physical security of server/desktop

I verify that ABELSoft's security and auditing checklist has been completed as indicated above.

IT Technician Name:
IT Technician Signature: