Hardened Notification Server
Configuration
White Paper
22 March 2005
© 2006 Altiris Inc. All rights reserved.
ABOUT ALTIRIS
Altiris, Inc. is a pioneer of IT lifecycle management software that allows
IT organizations to easily manage desktops, notebooks, thin clients,
handhelds, industry-standard servers, and heterogeneous software
including Windows, Linux, and UNIX. Altiris automates and simplifies IT
projects throughout the life of an asset to reduce the cost and complexity
of management. Altiris client and mobile, server, and asset man agement
solutions natively integrate via a common W eb -based console and
repository. For more information, visit www.altiris.com.
NOTICE
INFORMATION IN THI S DO CUMENT: ( I) IS PRO VIDED FOR I NFORMATIONAL PURPOSES O NLY W ITH
RESPECT TO PRODUCTS OF ALTIRI S OR ITS SUBSI DIARI ES (“PRODUCT S”), (II) REPRESENTS ALTIRI S’
VIEW S AS OF THE DAT E OF PUBLICATION OF THIS DO CUMENT, (III) IS SUBJECT TO CHANGE W ITHOUT
NOTICE, AND (I V) SHO ULD NOT BE CONSTRUED AS ANY CO MMIT MENT BY ALTI RI S. EXCEPT AS PROVI DED
IN ALTIRI S’ LICENSE AGREEMENT GOVERNING ANY PRO DUCTS OF ALTI RIS OR IT S SUBSIDIARIES
(“PRODUCT S”), ALTIRIS ASSUMES NO LIABILIT Y W HATSOEVER, AND DI SCLAI MS ANY EXPRESS OR IMPLIED
W ARRANTIES RELATING TO THE USE OF ANY PRODUCT S, INCL UDIN G W ITHOUT LIMITATION, W ARRANTIES
OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, O R INF RINGEMENT OF ANY THIRD PARTY
INTELLECTUAL PROPERTY RIGHTS. ALTIRIS ASSUMES NO RESPO NSI BIL ITY FOR ANY ERRORS OR
OMISSIONS CO NTAINED IN THI S DO CUMENT AND ALTIRIS SPE CIFICALL Y DISCLAI MS ANY AND ALL
LIABILITIES AND/O R OBLIG ATIONS F OR ANY CL AIMS, SUITS O R DAMAGES ARI SING FRO M O R IN
CONNECTION W ITH THE USE OF, RELIANCE UPON OR DISSEMINATION O FTHIS DOCUMENT AND/OR THE
INFORMATION CO NTAINED HEREIN.
Altiris may ha ve patent s or pending patent applications, trademarks, cop yrights, or other intellectual property
rights that relate to the Products referenced herein. The furnishing of this docu ment and other materials and
information does not provide any license, express or i mpl ied, by estoppel or otherwise, to any foregoing
intellectual property rights.
No part of this docu ment may be reproduced, stored in a retrieval system, or transmitted in any form or by any
means without the e xpress written con sent of Altiris, Inc.
Custo mers are solely responsible for assessing the suitability of the Products for use in particular applications.
Products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in
nuclear facility applicatio ns.
Copyright © 2006, Altiris, Inc. All rights reserved.
Altiris, Inc.
588 W est 400 South
Lindon, UT 84042
Phone: (801) 226-8500
Fax: (801) 226-8506
*Other co mpany na me s or products me ntioned are or may be trade marks of th eir respective owners.
Infor mation in this document is sub ject to change without notice. For the latest docu mentation, visit
www.altiris.com.
www.altiris.com
CONTENTS
Introduction ................................................................................... 1
Windows Server 2003 Installation ................................................. 2
Operating System Install .............................................................. 2
Post Operating System install ...................................................... 2
Post Operating System Install Security ......................................... 3
SQL Installation ............................................................................ 4
SQL install ................................................................................... 4
UrlScan Security Tool Configuration ............................................ 5
Windows Server 2003 Components and Services Configuration . 6
Essential Web Service Extensions Configuration ........................ 8
Delete Virtual Directories ............................................................. 8
Remove unused application extensions ........................................ 9
Enabling Only Essential IIS Components and Services ............. 10
Subcomponents of the Application Ser ver .................................. 10
Subcomponents of Internet Information Services (IIS) ................ 11
Subcomponents of Message Queuing ......................................... 11
Subcomponents of the Background Intelligent Transfer Service (BITS)
Server Extension ....................................................................... 11
Subcomponents of the World Wide W eb Service ......................... 11
Initiate Notification Server Install ............................................... 13
NTFS Permissions ....................................................................... 14
Complete CoreSettings config .................................................... 18
Complete Notification Server Setup ........................................... 19
Altiris Solutions .......................................................................... 20
Alert Manager ............................................................................ 20
Altiris Knowledgebase ................................................................ 20
Inventory Solution ...................................................................... 20
Software Delivery for W indows ................................................... 20
Directory Connector ................................................................... 21
Patch Management Solution ....................................................... 21
Other Security Options ............................................................... 22
SSL encrypted communications .................................................. 22
IIS IP security ............................................................................ 22
Comments and Feedback ............................................................ 23
Appendix A .................................................................................. 24
Windows Server 2003 Components and Services Configurat ion List24
Subcomponents of the Application Server List ............................ 37
www.altiris.com
Subcomponents of Internet Information Services (IIS) List .......... 38
Subcomponents of the World Wide W eb Service List .................. 40
www.altiris.com
INTRODUCTION
The aim of this document is to provide a build guide for Altiris
Administrators to configure secure Notification Servers using Microsoft
recommendations on W eb server/IIS–based application security. As
Notification Server was designed as an internal infrastructure server to
manage many (mostly anonymous) resources of various operating
systems across multiple networks, some exceptions must be made to
default Microsoft recommendations to provide required functionality. This
has been done while still providing the absolute minimum access
privileges to the minimum number of services and areas of the file
system. Use of corporate firewall infrastructure to limit server access to
managed resources will further reduce the possibility of unauthorized
access or exploitation of a Notification Server.
This Hardened Notification Server Configuration document has been
designed for use as either a build guide for new secure Notification
Servers or for comparison against customers existing server build
standards.
www.altiris.com
Hardened Notification Server Configuration > 1
WINDOWS SERVER
2003 INSTALLATION
Both Altiris and Microsoft recommend using the Windows Server 2003 *
and Internet Information Server 6.0 for the most secure and stable W ebbased application hosting. This document has been written specifically
for W indows 2003 server and should not be implemented on any other
operating system. To ensure the operating system is in a known state,
this process begins with an installation on a clean machine as follows:
Operating System Install
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
Insert the Boot CD, turn on the computer, and boot from the CD.
Press the F6 key if SCSI or RaidDrivers are required.
Press the Enter key to set up W indows.
Press the F8 key to Agree to EULA.
Select a partition to install to:
 (Recommended) 4 GB for SYSTEM (SYS) (4096 MB)
 (Recommended minimum) 6 GB for NS/Application Drive (DATA)
(6144 MB)
 SQL data and log files on DATA or additional partition (size
dependant on number of managed resources X solutions
installed)
Format using NTFS (required on all partitions) .
Restart your computer as instructed to continue the install process.
Enter Region and Language options.
Enter Name and Organization details.
Enter the Product Key.
Select License Mode from one of the following:
 Per Server—Must have sufficient licenses for Agents
 Per Device or User (Recommended)—Limited by license levels;
won’t cause client to server communication failures if license
capacity is reached.
Enter Computer Name and an Administrator password. Make sure
that the Administrator Password conforms to complex password rules
Select Date & Time and the Timezone.
Select Network Settings:
Custom—choose Protocols & Static IP (recommended)
Select Maximize data throughput for network applications under
File & Print properties.
For Workgroup or Computer Domain, select the computer as a
member of a Domain if required (Notification Server cannot be
installed on a DC).
Post Operating System install
The system will restart after the installation process is complete. Next,
perform the following steps:
1. Install the latest drivers.
2 < Hardened Notification Server Configuration
www.altiris.com
2. Using the Manage Your Server wizard add a role, Application Server
(IIS ASP.NET) with the following configurations :
 Do not enable FrontPage Extensions
 Enable ASP.NET
3. Apply .NET SP1 for 1.1 (W indows 2003 version).
4. Restart the computer.
5. Run Manual W indows Update to install latest Microsoft hofixes.
Automatic update should be disabled to ensure patches are reviewed
before implementation. Altiris Patch Management can be used to
automate this function.
Post Operating System Install Security
Once the Machine is updated change the default Security Settings.
1. Manage ‘Local Users and Groups.’
2. Change the Administrator password to a non default n ame.
3. Create a user for the NS application identity, this must be (at a
minimum) a member of the local administrators group and remove
user from the local users group. A domain administrator account can
be used, but to limit potential access to a malicious user a local
admin is preferred.
www.altiris.com
Hardened Notification Server Configuration > 3
SQL INSTALLATION
This section describes the steps involved when installing SQL onto the
same host machine you have just configured for a Notification Server.
Note: If you are using a SQL database on a remote host then skip this
section.
SQL install
1. Run the SQL 2000 setup .exe (setupSQL.exe).
2. Set up Type with the following configurations:
 Select Custom.
3. Select your Destination Folder :
 Program Files—Located on a System or Application partition .
 Data Files—Located on a non-system or non-application partition.
4. Select your Components:
 All—Server Components
 All—Management Tools
 All—Client Connectivity
5. Configure Services Accounts:
 Use same account for both services
 Use the local system
6. Configure Authentication Mode:
 Mixed Mode—If SQL authentication to be used for NS database
access
 Set a SA password that conforms to complex password rules
7. Configure Collation Settings:
 Recommend default SQL collation— ‘Latin1_General’
8. Install SQL2000 SP3a—This is a minimum requirement of
Notification Server 6.
4 < Hardened Notification Server Configuration
www.altiris.com
URLSCAN SECURITY
TOOL
CONFIGURATION
The UrlScan* application from Microsoft is not required for IIS 6.0 as it
contains many of the UrlScan security changes as default. The additional
security features installed on IIS 6.0 by UrlScan are known to cause
failures in Notification Server client to server communications and
localization support. W e therefore strongly recommend that UrlScan is
not installed on any IIS 6.0 system hosting Notification Server. For more
information on UrlScan and IIS 6.0, consult the following Microsoft
document:
http://www.microsoft.com/technet/security/tools/urlscan.mspx?pf=true
www.altiris.com
Hardened Notification Server Configuration > 5
WINDOWS SERVER
2003 COMPONENTS
AND SERVICES
CONFIGURATION
For Notification Server specific configuration, implement the following
Microsoft settings. A comprehensive list of W indows Server 2003
Components and Services Configuration settings is listed in Appendix A
and at the following URL:
http://www.microsoft.com/resources/documentation/W indowsServ/2003/a
ll/deployguide/en-us/Default.asp?
Service Name
State
Application Management
Disable
Automatic Updates
Disable
Background Intelligent Transfer
Service
Disable
ClipBook
Disable
Distributed File System
Disable
Distributed Link Tracking Client
Disable
Distributed Link Tracking
Server
Disable
Error Reporting Service
Disable
Fax Service
Disable
Indexing Service
Disable
Internet Connection Firewall
(ICF)/Internet Connection
Sharing (ICS)
Disable
NetMeeting Remote Desktop
Sharing
Disable
Performance Logs and Alerts
See Comment (Index
A) Optional setting.
Print Spooler
Disable
Remote Access Auto
Disable
6 < Hardened Notification Server Configuration
www.altiris.com
Service Name
State
Connection Manager
www.altiris.com
Remote Access Connection
Manager
Disable
Remote Desktop Help Sessions
Manager
Disable
Remote Procedure Call (RPC)
Locater
Disable
Remote Registry
Disable
Removable Storage
Disable
Telephony
Disable
Telnet
Disable
Upload Managers
Disable
WinHTTP Web Proxy AutoDiscovery
Disable
Wireless Configuration
Disable
WMI Performance Adapter
Disable
Hardened Notification Server Configuration > 7
ESSENTIAL WEB
SERVICE EXTENSIONS
CONFIGURATION
For Notification Server–specific configuration, implement the following
Microsoft settings. If using this document as a server install guide,
FrontPage Server Extensions 2002 will not be an option. Please refer to
the link below for more information:
http://www.microsoft.com/resources/documentation/W indowsServ/2003/a
ll/deployguide/enus/Default.asp?url=/resources/documentation/W indowsServ/2003/all/depl
oyguide/en-us/iisdg_sec_ntwp.asp
Web Service
Extension
Description
Active Server
Pages
Notification Server requires this extensio n to be
Allowed.
ASP.NET
version 1.1.4322
Notification Server requires this extension to be
Allowed.
FrontPage Server
Extensions 2002
Neither Notification Server nor any Solutions
require this setting to be enabled. This is set to
Prohibited for maximum security.
Internet Data
Connector
Neither Notification Server nor any Solutions
require this setting to be enabled. This is set to
Prohibited for maximum security.
Server-Side
Includes
Neither Notification Server nor any Solutions
require this setting to be enabled. This is set to
Prohibited for maximum security.
WebDAV
Neither Notification Server nor any Solutions
require this setting to be enabled. This is set to
Prohibited for maximum security.
Delete Virtual Directories
Open the IIS configuration m anager and, from the IIS Default site, delete
the following virtual directories if they occur: Note: If using this
document as a server install guide, these folders will not be present.





/IIS Samples
/MSADC
/IIS Help
/Scripts
/IIS Admin
8 < Hardened Notification Server Configuration
www.altiris.com

/Printers
Remove unused application extensions
This section lists the application extensions that are required by
Notification Server in the IIS configuration manager. Unnecessary
extensions will be removed.
1. Open Default Web Site properties.
2. On the Home Directory tab, click the Configuration button in the
Application Settings section.
3. In the Application extensions section of the Mappings tab, delete
all extensions with the exception of the following which are used by
Notification Server:
 .asa
 .asax
 .asmx
 .asp
 .aspx
www.altiris.com
Hardened Notification Server Configuration > 9
ENABLING ONLY
ESSENTIAL IIS
COMPONENTS AND
SERVICES
IIS 6.0 includes other components and services in addition to the WWW
service, such as the File Transfer Protocol Service (FTP service) and the
Simple Mail Transfer Protocol (SMTP) service. You can install and
enable IIS components and services by using the Application Server
subcomponent, which is found in Add or Remove Windows Components
in Add or Remove Programs in Control Panel. After installing IIS, you
need to enable the IIS 6.0 components and services that ar e required by
the Web sites and applications running on your Web server.
Enable only the essential IIS 6.0 components and services that are
required by your W eb sites and applications. Enabling unnecessary
components and services increases the attack surfa ce of the W eb
server.
Subcomponents of the Application Server
The following settings apply to the Notification Server hardened
configuration. Please see Appendix A for the complete list of
Subcomponents of the Application Server.
Service Name
Setting
Enable network DTC access
Disable
Message Queuing
Disable
10 < Hardened Notification Server Configuration
www.altiris.com
Subcomponents of Internet Information Services
(IIS)
The following settings apply to the Notification Server hardened
configuration. See Appendix A for the complete list of Subcomponents of
Information Services (IIS).
Service Name
Setting
Background Intelligent Transfer
Service (BITS) server
extension
Disable
File Transfer Protocol (FTP)
Service
Disable
FrontPage 2002 Server
Extensions
Disable
Internet Information Services
Manager
Enabled
Internet Printing
Disable
NNTP Service
Disable
SMTP Service
Disable
Subcomponents of Message Queuing
Message Queuing is not required by Notification Server and should be
disabled.
Subcomponents of the Background Intelligent
Transfer Service (BITS) Server Extension
BITS Server extensions is not required by Notification Server and should
be disabled.
Subcomponents of the World Wide Web Service
The following settings apply to the Notification Server hardened
configuration. Please see Appendix A for the complete list of
Subcomponents of the World Wide W eb Service.
www.altiris.com
Hardened Notification Server Configuration > 11
Service Name
Setting
Active Server Pages
Enabled
Internet Data Connector
Disable
Remote Administration (HTML)
Disable
Remote Desktop W eb
Connection
Disable
Server-Side Includes
Disable
WebDav Publishing
Disable
12 < Hardened Notification Server Configuration
www.altiris.com
INITIATE
NOTIFICATION
SERVER INSTALL
www.altiris.com
4. Copy Altiris_NS_6_0.exe to a local partitio n and execute while
logged on as an Administrator on the local host. Run through the
install wizard using all defaults.
5. When the Notification Server setup wizard is launched, exit Internet
Explorer without entering any details.
Hardened Notification Server Configuration > 13
NTFS PERMISSIONS
Variables used in this section:



IUSR_% represents the Internet Guest Account, where the % is the
local hostname
%Windir% is the windows install folder
%NSinstallpath% is the Notification Server install path
When applying permissions during this section , ignore errors on files.
(for example, Pagefile.sys)
1. Open the properties on all partition/drive roots (for example, C, D,
and so on) and click the Security tab and configure as follows:
 Remove the Everyone user.
 Remove the User group.
 Add Network Service with List permissions.
 Select Replace permissions on all child objects.
 Note: Network Service must have minimum permissions to the
root of all partitions from which IIS will load content.
2. Modify the security on all sub-folders of all partition roots as follows:
 Uncheck the Allow Inheritable permissions to propagate from
Parent object option and Copy existing permissions.
 Remove the Network Service user.
 Select Replace permissions on all child objects.
3. Modify the security of the Documents and Settings folder as
follows:
 Add the Network Service user with Full Control permissions .
 Select Replace permissions on all child objects.
4. Modify the Program Files\Common Files folder security as follows:
 Add the Network Service user with List, Read, and Execute
permissions.
 Add the IUSR_% user with List, Read, and Execute permissions .
 Add the IIS_WPG group with List, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
5. Modify the Inetpub folder security as follows:
 Add the Network Service user with List, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
6. Modify the Inetpub\wwwroot folder security:
 Add the IUSR_% user with List, Read, and Execute permissions
 Add the IIS_WPG group with List, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
7. Modify the security of the
%windir%\Microsoft.NET\Framework\v1.1.4322 folder
 Add the Network Service user with Full Control permissions
 Select Replace permissions on all child objects
8. Modify the
%windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
file security as follows:
14 < Hardened Notification Server Configuration
www.altiris.com
9.
10.
11.
12.
13.
14.
15.
16.
www.altiris.com
 Add the IUSR_% user with Read, and Execute permissions .
 Add the IIS_WPG group with Read, and Execute permissions.
Modify the security of the %windir%\Help, %windir%\Assembly, and
%windir%\Fonts folders as follows (use the Ctrl key to select all three
folders at once. Click Properties on Help or Fonts, not Assembly):
 Add the Network Service user with List, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
Modify the security of the %windir%\W inSxS folder:
 Add the Network Service user with List, Read, and Execute
permissions
 Select Replace permissions on all child objects.
Modify the security of the %windir%\Temp, %windir%\Registration,
and %windir%\Debug folders as follows (use the Ctrl key to select all
three folders at once):
 Add the Network Service user with Full Control permissions .
 Select Replace permissions on all child objects.
Modify the %windir%\IIS Temporary Compressed Files folder
security:
 Add the Network Service user with Full Control permissions .
 Add the IIS_WPG group with List, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
Modify the security of the %windir%\System32 folder as follows:
 Add the Network Service user with Lis t, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
 Add the Local Service group with List, Read, and Execute
permissions (this step should be done after replacing permissions
on child objects). Note: Local Service is a hidden group.
Modify the %windir%\System32\MsDtc folder as follows
 Edit Local Service group with Modify, List, Read, Execute and
Write.
 Edit Network Service group with Modify, List, Read, Execute and
Write.
 Select Replace permissions on all child objects.
Modify the %windir%\System32\Inetsrv folder security:
 Edit the Network Service user to with Full Control permissions .
 Add the IUSR_% user with List, Read, and Execute permissions .
 Add the IIS_WPG group with List, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
Modify the security of the %windir%\System32\Inetsrv\History,
%windir%\System32\Inetsrv\Iisadmpwd, and
%windir%\System32\Inetsrv\Metaback folders as follows (use the Ctrl
key to select all three folders at once):
Hardened Notification Server Configuration > 15

17.
18.
19.
20.
21.
22.
Uncheck the Allow Inheritable permissions to propagate from
Parent object option and copy existing permissions.
 Remove the IUSR_% user.
 Remove the IIS_W PG group.
 Select Replace permissions on all child objects.
Modify the security of the %windir%\Help\iisHelp\common folder as
follows:
 Add the IUSR_% user with List, Read, and Execute permissions .
 Add the IIS_WPG group with List, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
Modify the security of the %NSinstallpath% \Altiris folder:
 Edit the Network Service user with List, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
Modify the %NSinstallpath%\Altiris\Altiris Web folder security as
follows:
 Add the IUSR_% user with List, Read, and Execute permissions .
 Add the IIS_WPG group with List, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
Modify the security of the %NSinstallpath% \Notification Server\Logs
folder:
 Add the Network Service user with Full Control permissions .
 Add the IUSR_% user with Full Control permissions .
 Add the IIS_WPG group with Full Control permissions .
 Select Replace permissions on all child objects .
Modify the security of the %NSinstallpath% \Notification
Server\NScap\Bin, and Notification Server\NScap\Help folders as
follows (use the Ctrl key to select all three folders at once):
 Add the IUSR_% user with List, Read, and Execute permissions .
 Add the IIS_WPG group with List, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
Modify the security of the %NSinstallpath%\Notification
Server\NScap\EvtInbox folder:
 Add the IUSR_% user with List, Read, and Execute permissions .
 Add the IIS_WPG group with List, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
Note: The IUSR_% user and local Users group will require Full
Control of this folder if strand alone inventory is to be posted to the
Notification Server.
23. Modify the security of the %NSinstallpath% \Notification
Server\NScap\EvtQFast, Notification Server \NScap\EvtQLarge,
16 < Hardened Notification Server Configuration
www.altiris.com
24.
25.
26.
27.
www.altiris.com
Notification Server\NScap\EvtQSlow, Notification
Server\NScap\EvtQueue, and Notification Server\NScap\Temp
folders as follows (use the Ctrl key to select all five folders at once):
 Edit the Network Service user to with Full Control permissions .
 Add the IUSR_% user with Write, and Modify permissions .
 Add the IIS_WPG group with Write, and Modify permissions .
 Select Replace permissions on all child objects.
Modify the security of the %NSinstallpath% \Notification Server\Agent
folder:
 Add the IUSR_% user with List, Read, and Execute permissions .
 Add the IIS_WPG group with List, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
Modify the security of the %NSinstallpath% \Notification
Server\Bin\Aexloglib.dll, and Notification
Server\Bin\AeXNSEventRouter.dll files as follows:
 Add the IUSR_% user with Read, and Execute permissions .
 Add the IIS_WPG group with Read, and Execute permissions .
Modify the %NSinstallpath%\Notification Server\Bin\Isapi folder
security:
 Add the IUSR_% user with List, Read, and Execute permissions .
 Add the IIS_WPG group with List, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
At the command prompt run the Iisreset command.
Hardened Notification Server Configuration > 17
COMPLETE
CORESETTINGS
CONFIG
1. Modify %NSinstallpath%\ Notification
Server\Config\CoreSettings.config to change the value in the
<custonSettings key=”GenerateNSUNCPackageCodebases”
type=”local” value=”0” /> line to 0. As displayed in the above
example.
This setting is to disable UNC package downloads as UNC validation is
problematic in a secure environment.
18 < Hardened Notification Server Configuration
www.altiris.com
COMPLETE
NOTIFICATION
SERVER SETUP
www.altiris.com
Ensure SQL service is running, open Internet Explorer , and run the
Notification Server setup wizard from.
http://localhost/altiris/ns/install/NSsetup.aspx
Hardened Notification Server Configuration > 19
ALTIRIS SOLUTIONS
Alert Manager
After the initial Notification Server configuration, Alert Manager (installed
with NS) will not function. If Alert Manager is required complete the
following steps: This step may not be required on some configurations.
1. Open the Altiris\Helpdesk\AeXHD folder properties, click the
Security tab and configure it as follows:
 Add the IIS_WPG group with List, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
2. In the IIS configuration manager open the properties for the AeXHD
virtual directory under the Default Web Site and configure it as
follows:
 On the Virtual Directory tab, select the Create option in the
application section.
 Select AeXHD as the application pool.
 At the command prompt run the Iisreset command .
Altiris Knowledgebase
After the initial Notification Server configuration , the Altiris
Knowledgebase (installed with Notification Server) will not function. If the
Altiris Knowledgebase is required, complete the following steps. This
may not be required on some configurations.
1. Open the Altiris\Helpdesk\AeXKB folder’s properties (right-click >
Properties), click the Security tab and configure it as follows:
 Add the IIS_WPG group with List, Read, and Execute
permissions.
 Select Replace permissions on all child objects.
2. In the IIS configuration manager open the AeXKB virtual directory
properties in the Default Web Site and :
 On the Virtual Directory tab select the Create option in the
application section.
 Select AeXKB as the application pool.
 At the command prompt run the Iisreset command.
Inventory Solution
This process has been tested with Inventory Solution for Windows
version 6.0.139 with no further security modifications required.
Software Delivery for Windows
This process has been tested with Software Delivery Solution for
Windows version 6.1.1011 with no further security modifications
required.
20 < Hardened Notification Server Configuration
www.altiris.com
Directory Connector
This process has been tested with Directory Connector Solution version
6.0.577 with no further security modifications required.
Patch Management Solution
This process has been tested with Patch Management Solution for
Windows version 6.0.1136 with the following security modifications
required:
Open Properties on the Altiris\Patch Management\Packages folder and
click the Security tab and configure as follows:
 Add the IUSR_% user with List, Read, and Execute permissions .
 Add the IIS_WPG group with List, Read, and Execute permissions.
 Select Replace permissions on all child objects.
www.altiris.com
Hardened Notification Server Configuration > 21
OTHER SECURITY
OPTIONS
SSL encrypted communications
Secure Sockets Layer encryption can be used to encrypt client server
communications and to prevent impersonation of the server by an
alternate host. Please see the Configuring Notification Server to use S SL
section of the Notification Server Help Guide for instructions on
configuring SSL.
IIS IP security
IIS can be configured to use and source IP based security processes to
allow or deny access to IIS based upon a client’s source IP address. The
preferred configuration option is to configure IIS to deny all hosts except
those listed in an exceptions list. This list may contain either a single IP
address, a range of IP addresses, or source machine domain names.
Listing all the IP ranges of machines managed b y the Notification Server
(and none others) is a good method of preventing access to the
Notification Server by external networks.
Note: Specifying source domain names can cause an impact on system
performance as a reverse DNS lookup is required for every client to
server connection and is not recommended in environments where
performance is a concern.
22 < Hardened Notification Server Configuration
www.altiris.com
COMMENTS AND
FEEDBACK
www.altiris.com
This is a first revision document and the processes contained within
have not been subjected to wide scale production implementation. W e
recommend that for maximum security only Notification Server (including
Altiris Solutions) and Microsoft SQL server are hosted on the server. The
recommendations made in this document do not consider requirements
of any other applications and may likely impact their operation. For
comments and feedback, click on the Submit detailed feedback link to
the right of this article.
Hardened Notification Server Configuration > 23
APPENDIX A
Windows Server 2003 Components and Services
Configuration List
Service Name
Default
Startup
Type
Recommended
Startup Type
Comment
Alerter
Disabled
No change
Notifies selected users and computers
of administrative alerts.
Application
Layer Gateway
Service
Manual
No change
Provides support for application-level
plug-ins and enables network and
protocol connectivity.
Application
Management
Manual
Disable
Provides software installation services
for applications that are deployed in
Add or Remove Programs in Control
Panel.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security. NOTE: This
Service must be reset to Manual
should any changes be made to
‘Add/Remove Programs’ or ‘W indows
Components’ section.
Automatic
Updates
Automatic
Disable
Provides the download and installation
of critical Windows updates, such as
security patches and hotfixes. Manual
Windows Update may still be run.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Background
Intelligent
Transfer
Service
Manual
Disable
Provides a background file-transfer
mechanism and queue management,
and it is used by Automatic Update to
automatically download programs
(such as security patches).
Neither Notification Server nor any
Solutions require this service to be
24 < Hardened Notification Server Configuration
www.altiris.com
Service Name
Default
Startup
Type
Recommended
Startup Type
Comment
running. Disable this setting for
maximum security.
ClipBook
Disabled
See comment
Enables the Clipbook Viewer to create
and share data that can be reviewed
by remote users.
COM+ Event
System
Manual
No change
Provides automatic distribution of
events to COM+ components.
COM+ System
Application
Manual
No change
Manages the configuration and
tracking of COM+-based components.
Computer
Browser
Automatic
No change
Maintains the list of computers on the
network, and supplies the list to
programs that request the list.
Cryptographic
Services
Automatic
No change
Provides three management services:
Catalog Database Service, which
confirms the signatures of W indows
files; Protected Root Service, which
adds and removes Trusted Root
Certification Authority certificates from
the Web server; and Key Service,
which helps in enrolling certificates.
DHCP Client
Automatic
No change
Required to automatically obtain IP
configuration and to dynamically
update records in DNS.
Distributed File
System
Automatic
Disable
Manages logical volumes that are
distributed across a local area network
(LAN) or wide area network (WAN).
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Distributed
Link Tracking
www.altiris.com
Automatic
Disable
Maintains links between NTFS V5 file
system files within the Web server and
Hardened Notification Server Configuration > 25
Service Name
Default
Startup
Type
Recommended
Startup Type
Client
Comment
other servers in the domain.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Distributed
Link Tracking
Server
Manual
Disable
Tracks information about files that are
moved between NTFS V5 volumes
throughout a domain.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Distributed
Transaction
Coordinator
Automatic
No Change
Coordinates transactions that span
multiple resource managers, such as
databases, message queues, and file
systems.
DNS Client
Automatic
No change
Allows resolution of DNS names.
Error Reporting
Service
Automatic
Disable
Collects, stores, and reports
unexpected application crashes to
Microsoft. If this service is stopped,
then Error Reporting will occur only for
kernel faults.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Event Log
Automatic
No change
Writes event log messages that are
issued by Windows-based programs
and components to the log files.
Fax Service
Manual
Disable
Provides the ability to send and
receive faxes through fax resources
that are available on the Web server
and network.
26 < Hardened Notification Server Configuration
www.altiris.com
Service Name
Default
Startup
Type
Recommended
Startup Type
Comment
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
File Replication
Service
Manual
No change
Enables files to be automatically
copied and maintained simultaneously
on multiple servers.
Help and
Support
Automatic
No change
Enables Help and Support Center to
run on the W eb server.
HTTP SSL
Manual
No change
Implements the Secure Hypertext
Transfer Protocol (HTTPS) for the
HTTP service by using SSL. HTTP.sys
automatically starts this service when
any W eb sites require SSL.
Human
Interface
Device Access
Disabled
No change
Enables generic input to Human
Interface Devices (HIDs), which
activates and maintains the use of
predefined hot buttons on keyboards,
remote controls, and other multimedia
devices.
IMAPI CDBurning COM
Service
Disabled
No change
Manages CD recording by using the
Image Mastering API (IMAPI).
Indexing
Service
Manual
Disable
Indexes content and properties of files
on the Web server to provide rapid
access to the file through a flexible
query language.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Internet
Connection
Firewall
www.altiris.com
Disabled
Disable
Provides network address translation
(NAT), addressing and name
resolution, and intrusion detection
Hardened Notification Server Configuration > 27
Service Name
Default
Startup
Type
Recommended
Startup Type
(ICF)/Internet
Connection
Sharing (ICS)
Comment
when connected through a dial-up or
broadband connection.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Intersite
Messaging
Disabled
No changes
Required by Distributed File System
(DFS).
IPSec Services
Automatic
No change
Provides management and
coordination of Internet Protocol
security (IPSec) policies with the
IPSec driver.
Kerberos Key
Distribution
enter
Disabled
No change
Provides the ability for users to log on
using the Kerberos V5 authentication
protocol.
License
Logging
Service
Disabled
No change
Monitors and records client access
licensing for portions of the operating
system, such as IIS, Terminal
Services, and file and print sharing,
and for products that are not a part of
the operating system, such as
Microsoft SQL Server or Microsoft
Exchange Server.
On a dedicated Web server, this
service can be disabled.
Logical Disk
Manager
Automatic
No change
Required to ensure that dynamic disk
information is up to date.
Logical Disk
Manager
Administrative
Service
Manual
No change
Required to perform disk
administration.
Messenger
Disabled
No change
Transmits net sends and Alerter
service messages between clients and
28 < Hardened Notification Server Configuration
www.altiris.com
Service Name
Default
Startup
Type
Recommended
Startup Type
Comment
servers.
Microsoft
Software
Shadow Copy
Manual
No change
Manages software-based volume
shadow copies taken by the Volume
Shadow Copy service.
On a dedicated Web server, this
service can be disabled when volume
shadow copies are not used.
Net Logon
Manual
No change
Maintains a secure channel between
the domain controller, other domain
controllers, member servers, and
workstations in the same domain an d
trusted domains.
NetMeeting
Remote
Desktop
Sharing
Manual
Disable
Eliminates potential security threats by
allowing domain-controller remote
administration through NetMeeting.
Network
Connections
Manual
No change
Manages objects in the Network
Connections directory.
Network DDE
Disabled
No change
Provides network transport and
security for Dynamic Data Exchange
(DDE) for programs running on the
Web server.
This service can be disabled when no
DDE applications are running locally
on the Web server.
www.altiris.com
Network DDE
DSDM
Disabled
No change
Used by Network DDE. This service
can be disabled when Network DDE is
disabled.
Network
Location
Awareness
(NLA)
Manual
No change
Collects and stores network
configuration and location information,
and notifies applications when this
information changes.
Hardened Notification Server Configuration > 29
Service Name
Default
Startup
Type
Recommended
Startup Type
Comment
NTLM Security
Support
Provider
Manual
No change
Provides security to RPC programs
that use transports other than named
pipes, and enables users to log on
using the NTLM authentication
protocol.
Performance
Logs and
Alerts
Manual
See comment
Collects performance data for the
domain controller, writes the data to a
log, or generates alerts.
This service can be set to automatic
when you want to log performance
data or generate alerts without an
administrator being logged on.
Plug and Play
Automatic
No change
Required to automatically recognize
and adapt to changes in the Web
server hardware with little or no user
input.
Portable Media
Serial Number
Service
Manual
No change
Retrieves the serial number of any
portable media player that is
connected to the computer.
Print Spooler
Automatic
Disable
Manages all local and network print
queues and controls all print jobs.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Protected
Storage
Automatic
No change
Protects storage of sensitive
information, such as private keys, and
prevents access by unauthorized
services, processes, or users.
This service is used on a dedicated
Web server for smart-card logon.
Remote
Access Auto
Connection
Manual
30 < Hardened Notification Server Configuration
Disable
Detects unsuccessful attempts to
connect to a remote network or
computer and provides alternative
www.altiris.com
Service Name
Default
Startup
Type
Recommended
Startup Type
Manager
Comment
methods for connection.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Remote
Access
Connection
Manager
Manual
Disable
Manages VPN and dial-up connection
from the W eb server to the Internet or
other remote networks.
Remote
Desktop Help
Sessions
Manager
Manual
Remote
Procedure Call
(RPC)
Automatic
No change
Serves as the RPC endpoint mapper
for all applications and services that
use RPC communications.
Remote
Procedure Call
(RPC) Locater
Manual
Disable
Enables RPC clients using the RpcNs*
family of application programming
interfaces (APIs) to locate RPC
servers and manage the RPC name
service database.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Disable
Manages and controls Remote
Assistance.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Remote
Registry
Service
www.altiris.com
Automatic
Disable
Enables remote users to modify
registry settings on the Web server,
provided the remote users have the
required permissions. By default, only
Hardened Notification Server Configuration > 31
Service Name
Default
Startup
Type
Recommended
Startup Type
Comment
members of the Administrators and
Backup Operators groups can access
the registry remotely.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Removable
Storage
Manual
Disable
Manages and catalogs removable
media, and operates automated
removable media devices, such as
tape auto loaders or CD jukeboxes.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Resultant Set
of Policy
Provider
Manual
No change
Enables a user to connect to a remote
computer, access the Windows
Management Instrumentation (WMI)
database for that W eb server, and
then either verify the current Group
Policy settings or check the settings
before they are applied.
Routing and
Remote
Access
Disabled
No change
Enables LAN-to-LAN, LAN-to-W AN,
VPN, and NAT routing services.
Secondary
Logon
Automatic
No change
Allows you to run specific tools and
programs with different permissions
and user rights than the default
permissions and user rights of the
account under which you logged on.
Security
Accounts
Manager
Automatic
No change
A protected subsystem that manages
user and group account information.
Server
Automatic
No change
Provides RPC support, file sharing,
32 < Hardened Notification Server Configuration
www.altiris.com
Service Name
Default
Startup
Type
Recommended
Startup Type
Comment
print sharing, and named pipe sharing
over the network.
Shell Hardware
Detection
Automatic
No change
Provides notification for AutoPlay
hardware events.
Smart Card
Manual
No change
Manages and controls access to a
smart card that is inserted into a smart
card reader attached to the W eb
server.
Special
Administration
Console Helper
Manual
No change
Allows administrators to remotely
access a command prompt by using
Emergency Management Services.
This service can be disabled when
Emergency Management Services is
not being used to remotely manage
the Web server.
System Event
Notification
Automatic
No change
Monitors system events and notifies
subscribers to the COM+ Event
System of these events.
Task Scheduler
Automatic
No change
Provides the ability to schedule
automated tasks on the Web server.
TCP/IP
NetBIOS
Helper Service
Automatic
No change
Provides support for the NetBIOS over
TCP/IP (NetBT) service and NetBIOS
name resolution for clients.
Telephony
Manual
Disable
Provides Telephony API (TAPI)
support of client programs that control
telephony devices and IP-based voice
connections.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Telnet
www.altiris.com
Manual
Disable
Enables a remote user to log on and
Hardened Notification Server Configuration > 33
Service Name
Default
Startup
Type
Recommended
Startup Type
Comment
run applications from a command line
on the Web server.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Terminal
Services
Manual
See comment
Allows multiple remote users to be
connected interactively to the W eb
server, and provides display of
desktops and run applications.
To reduce the attack surface, disable
Terminal Services unless it is used for
remote administration of branch
offices or headless W eb servers.
Terminal
Services
Session
Directory
Disabled
No change
Enables a user connection request to
be routed to the appropriate terminal
server in a cluster.
Themes
Disabled
No change
Provides user-experience theme
management.
Uninterruptible
Power Supply
Automatic
No change
Manages an uninterruptible power
supply (UPS) that is connected to the
Web server by a serial port.
Upload
Managers
Manual
Disable
Manages the synchronous and
asynchronous file transfers between
clients and servers on the network.
Driver data is anonymously uploaded
from these transfers and then used by
Microsoft to help users find the drivers
they need.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security. To reduce the
attack surface, disable this service on
34 < Hardened Notification Server Configuration
www.altiris.com
Service Name
Default
Startup
Type
Recommended
Startup Type
Comment
dedicated W eb servers.
Virtual Disk
Services
Manual
No change
Provides software volume and
hardware volume management
service.
Volume
Shadow Copy
Manual
No change
Manages and implements volume
shadow copies that are used for
backup and other purposes.
This service can be disabled when
volume shadow copies are used on the
Web server.
www.altiris.com
WebClient
Disabled
No change
Enables W indows-based programs to
create, access, and modify Internetbased files.
Windows Audio
Disabled
No change
Manages audio devices for Windowsbased programs.
Windows
Image
Acquisition
(WIA)
Disabled
No change
Provides image acquisition services
for scanners and cameras.
Windows
Installer
Manual
No change
Adds, modifies, and removes
applications that are provided as a
Windows Installer (.msi) package.
Windows
Management
Instrumentation
Automatic
No change
Provides a common interface and
object model to access management
information about the Web server
through the WMI interface.
Windows
Management
Instrumentation
Driver
Extensions
Manual
No change
Monitors all drivers and event trace
providers that are configured to
publish W MI or event trace
information.
Hardened Notification Server Configuration > 35
Service Name
Default
Startup
Type
Recommended
Startup Type
Comment
Windows Time
Automatic
No change
Sets the W eb server clock, and
maintains date and time
synchronization for all computers in
the network.
WinHTTP Web
Proxy AutoDiscovery
Service
Manual
Disable
Implements the W eb Proxy AutoDiscovery (W PAD) protocol for
Windows HTTP services (WinHTTP)
and enables an HTTP client to
automatically discover a proxy
configuration.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Wireless
Configuration
Automatic
Disable
Enables automatic configuration for
IEEE 802.11 adapters.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
WMI
Performance
Adapter
Manual
Disable
Provides performance library
information from W MI providers to
clients on the network.
Neither Notification Server nor any
Solutions require this service to be
running. Disable this setting for
maximum security.
Workstation
Automatic
36 < Hardened Notification Server Configuration
No change
Creates and maintains client network
connections to remote servers.
www.altiris.com
Subcomponents of the Application Server List
Subcomponent
Default Setting
Recommended
Setting
Comment
Application
Server Console
Enabled
No change
Provides an MMC snap-in that
includes administration for all of
the Web Application Server
(W AS) components.
On a dedicated Web server, this
component is not required
because only IIS Manager is
used.
ASP.NET
Disabled
See comment
Provides support for ASP.NET
applications.
Enable this component when you
need to run ASP.NET
applications on the W eb server.
Enable network
COM+ access
Enabled
Disable
Allows the Web server to host
COM+ components for
distributed applications.
Neither Notification Server or
Solutions use this component.
Disable this for maximum
security.
Enable network
DTC access
Disabled
Disable
Allows the Web server to host
applications that participate in
network transactions through
Distributed Transaction
Coordinator (DTC).
Neither Notification Server or
Solutions use this component.
Disable this for maximum
security.
Internet
Information
Services (IIS)
www.altiris.com
Enabled (See
Table 3.3 for
subcomponents)
No change
Provides basic W eb and FTP
services.
This component is required on a
Hardened Notification Server Configuration > 37
Subcomponent
Default Setting
Recommended
Setting
Comment
dedicated W eb server.
Note: If this component is not
enabled, then all subcomponents
are not enabled.
Message
Queuing
Disabled (See
Table 3.4 for
subcomponents)
Disable
Provides guaranteed messaging,
security, and transactional
support for applications that
communicate through messaging
services provided by Message
Queuing (also known as MSMQ).
Neither Notification Server or
Solutions use this component.
Disable this for maximum
security.
Subcomponents of Internet Information Services
(IIS) List
Subcomponent
Background
Intelligent
Transfer Service
(BITS) server
extension
Default Setting
Recommended
Setting
Comment
Disabled
Disable
BITS is a background file
transfer mechanism used by
applications such as W indows
Updates and Automatic
Updates.
Neither Notification Server or
Solutions use this component.
Disable this for maximum
security.
Common Files
Enabled
No change
On a dedicated Web server,
these files are required by IIS
and must always be enabled.
File Transfer
Protocol (FTP)
Disabled
Disable
Allows the Web server to
provide FTP services.
38 < Hardened Notification Server Configuration
www.altiris.com
Subcomponent
Default Setting
Recommended
Setting
Service
FrontPage 2002
Server
Extensions
Comment
Neither Notification Server or
Solutions use this component.
Disable this for maximum
security.
Disabled
Disable
Provides FrontPage support for
administering and publishing
Web sites.
Neither Notification Server or
Solutions use this component.
Disable this for maximum
security.
Internet
Information
Services
Manager
Enabled
Internet Printing
Disabled
See comment
Administrative interface for IIS.
Disable when you do not want
to administer the W eb server
locally.
Disable
Provides Web-based printer
management and allows
printers to be shared by using
HTTP.
Neither Notification Server or
Solutions use this component.
Disable this for maximum
security.
NNTP Service
Disabled
Disable
Distributes, queries, retrieves,
and posts Usenet news articles
on the Internet.
Neither Notification Server or
Solutions use this component.
Disable this for maximum
security.
SMTP Service
Enabled
Disable
Supports the transfer of
electronic mail.
Neither Notification Server or
Solutions use this component.
Disable this for maximum
www.altiris.com
Hardened Notification Server Configuration > 39
Subcomponent
Default Setting
Recommended
Setting
Comment
security.
World Wide W eb
Service
Enabled (See
Table 3.6 for
subcomponents)
No change
Provides Internet services,
such as static and dynamic
content, to clients.
This component is required on
a dedicated Web server.
Note: If this component is not
enabled, then all
subcomponents are not
enabled.
Subcomponents of the World Wide Web Service
List
Subcomponent
Default
Setting
Recommended
Setting
Comment
Active Server
Pages
Disabled
Enabled
Provides support for Active Server
Pages (ASP).
Disable this component when none of
the Web sites or applications on the
Web server uses ASP. You can disable
this component in Add or Remove
Windows Components, which is
accessible from Add or Remove
Programs in Control Panel, or in the
Web Service Extensions node in IIS
Manager.
For more information, see "Enabling
Only Essential W eb Service Extensions "
later in this chapter.
Internet Data
Connector
Disabled
Disable
Provides support for dynamic content
provided through files with .idc
extensions.
Neither Notification Server or Solutions
use this component. Disable this for
40 < Hardened Notification Server Configuration
www.altiris.com
Subcomponent
Default
Setting
Recommended
Setting
Comment
maximum security.
Remote
Administration
(HTML)
Disabled
Remote
Desktop W eb
Connection
Disabled
Disable
Provides an HTML interface for
administering IIS.
Use IIS Manager instead to provide
easier administration and to reduce the
attack surface of the W eb server. This
component is not required on a
dedicated W eb server.
Disable
Includes Microsoft ActiveX® controls
and sample pages for hosting Terminal
Services client connections.
Use IIS Manager instead to provide
easier administration and to reduce the
attack surface of the W eb server. This
component is not required on a
dedicated W eb server.
Server-Side
Includes
Disabled
Disable
Provides support for .shtm, .shtml, and
.stm files.
Neither Notification Server or Solutions
use this component. Disable this for
maximum security.
WebDav
Publishing
Disabled
Disable
Web Distributed Authoring and
Versioning (WebDAV) extends the
HTTP/1.1 protocol to allow clients to
publish, lock, and manage resources on
the Web.
Neither Notification Server or Solutions
use this component. Disable this for
maximum security.
World Wide
Web Service
Enabled
No change
Provides Internet services, such as
static and dynamic content, to clients.
This component is required on a
dedicated W eb server.
www.altiris.com
Hardened Notification Server Configuration > 41