Implementing Security

Last Updated: Oct 12, 2023

The IP Office has a range of security features. However, for ease of initial IP Office installation the security features are not enabled by default. Therefore, during installation it is necessary to implement the configuration options listed here.

Minimum Security

A minimum-security scenario is one where any individual with the correct service user name and password can access the configuration from any PC using IP Office Manager. Passwords can be simple and never age.

  • Change the default passwords of all service users and the security administrator.

  • Set the system Security Administration service security level to Secure, Low.

  • Leave the system service user Password Reject Action set to Log to Audit Trail.

  • Leave the system Client Certificate Checks level set to None.

  • Leave the system Minimum Password Complexity set to Low.

  • Leave the system Previous Password Limit set to 0.

  • Leave the system Password Change Period set to 0.

  • Leave the system Account Idle Time set to 0.

  • Leave the Certificate Check Level set to Low in the IP Office Manager preferences.

Medium Security

A medium-security scenario uses password complexity restrictions. Passwords cannot be simple and will age.

  • Change the default passwords of all service users and the security administrator.

  • Set the system Security Administration service security level to Secure, Medium.

  • Set the system Configuration service security level to Secure, Medium.

  • Leave the system service user Password Reject Action set to Log to Audit Trail.

  • Leave the system Client Certificate Checks level set to None.

  • Set the system Minimum Password Complexity to Medium.

  • Set the system Previous Password Limit to a non-zero value.

  • Set the system Password Change Period to a non-zero value.

  • Set the system Account Idle Time to a non-zero value.

  • Disable all the system Unsecured Interfaces.

  • Leave the Certificate Check Level set to Low in the IP Office Manager preferences.

Maximum Security

A maximum-security scenario is one where both configuration and security settings are constrained. Certified individuals with the correct service user name and password can access the configuration from specific PC installations of IP Office Manager. Passwords cannot be simple and will age. IP Office Manager can manage specific systems.

  • Change the default passwords of all service users and the security administrator.

  • Set the system Security Administration service security level to Secure, High.

  • Set the system Configuration service security level to Secure, High.

  • Set the system service user Password Reject Action to Log and Disable Account.

  • Set the system Client Certificate Checks level to High.

  • Set the system Minimum Password Complexity to High.

  • Set the system Minimum Password Length to greater than 8.

  • Set the system Previous Password Limit to greater than 5.

  • Set the system Password Change Period to a non-zero value.

  • Set the system Account Idle Time to a non-zero value.

  • Install third-party certificates of 1024 bits or more, derived from a trusted certificate authority, as the IP Office server certificates.

  • Install the corresponding trusted CA certificate in the Windows certificate store of each IP Office Manager PC.

  • Install 1024-bit+ third-party certificates in all IP Office Manager Certificate Stores.

  • Install the corresponding certificates of all permissible Manager entities, together with the trusted CA certificate, in all the system Certificate Stores.

  • Disable all the system Unsecured Interfaces.

  • Set the Manager Certificate Checks level to High in the IP Office Manager preferences.

  • Set the certificate offered to the system in the IP Office Manager preferences.

The above essentially locks the IP Office and the corresponding IP Office Manager together. Only entities recognized by a strong certificate can communicate successfully on the service interfaces. All services use strong encryption and message authentication.

The use of intermediate CA certificates can overcome the limit of 6 certificates in each system IP Office certificate store.
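
The three checklists above can be turned into a repeatable audit. The following is an added example, not Avaya code: it assumes the settings have been transcribed by hand into a dictionary (the key names and dictionary layout are hypothetical), and it reads each list as a floor, so a stronger value than the one listed also passes. Certificate installation steps are not covered.

```python
# Added example: audit hand-recorded settings against the page's three checklists.
# The dict layout and key names are assumptions; the values are those the page names.
LADDERS = [  # weakest to strongest, using only values that appear on the page
    ["None", "Low", "Medium", "High"],
    ["Secure, Low", "Secure, Medium", "Secure, High"],
    ["Log to Audit Trail", "Log and Disable Account"],
]
PROFILES = ("minimum", "medium", "maximum")

def at_least(want):
    """Pass when the value sits at or above `want` on its ladder."""
    ladder = next(l for l in LADDERS if want in l)
    return lambda got: got in ladder and ladder.index(got) >= ladder.index(want)

def more_than(n):
    """Pass when a numeric setting is strictly greater than n."""
    return lambda got: isinstance(got, int) and got > n

def levels(*wanted):
    return tuple(at_least(w) for w in wanted)

yes = lambda got: got is True   # an action the checklist requires
free = lambda got: True         # this profile's list sets no requirement (assumed floor)

RULES = {  # setting: (minimum, medium, maximum)
    "Default passwords changed": (yes, yes, yes),
    "Security Administration service level": levels("Secure, Low", "Secure, Medium", "Secure, High"),
    "Configuration service level": (free, *levels("Secure, Medium", "Secure, High")),
    "Password Reject Action": levels("Log to Audit Trail", "Log to Audit Trail", "Log and Disable Account"),
    "Client Certificate Checks": levels("None", "None", "High"),
    "Minimum Password Complexity": levels("Low", "Medium", "High"),
    "Minimum Password Length": (free, free, more_than(8)),
    "Previous Password Limit": (free, more_than(0), more_than(5)),
    "Password Change Period": (free, more_than(0), more_than(0)),
    "Account Idle Time": (free, more_than(0), more_than(0)),
    "Unsecured Interfaces disabled": (free, yes, yes),
    "Manager Certificate Checks": levels("Low", "Low", "High"),
}

def audit(settings, profile):
    """Return the sorted names of settings that fall short of `profile`."""
    col = PROFILES.index(profile)
    return sorted(n for n, checks in RULES.items() if not checks[col](settings.get(n)))

# Constructed sample: set up to the medium list except for two items.
SAMPLE = dict(zip(RULES, [True, "Secure, Medium", "Secure, Medium", "Log to Audit Trail",
                          "None", "Medium", 8, 4, 0, 30, False, "Low"]))

if __name__ == "__main__":
    for p in PROFILES:
        print(p, audit(SAMPLE, p))
```

A setting missing from the dictionary is reported as a shortfall whenever the chosen profile places a requirement on it.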