Ensure Minimum Rights of Access

Last Updated: Jan 13, 2023

About this task

Restrict Service Users' rights of access to the minimum necessary. See User Accounts and Rights of Access for more information on the differing access levels.

Procedure

  1. In the IP Office Manager security settings, under Rights Groups, remove all unnecessary access rights; retain only rights that are essential.
  2. In the IP Office Manager security settings, under Service Users > Rights Group Membership, remove all unnecessary rights group membership.
  3. If necessary, create new rights groups with minimum access.
  4. Rights groups that are defined but not assigned to any Service User do not present a security risk.
  5. In IP Office Manager security settings Services tab: Enable only the minimum services at the recommended Service Security Level according to the following table:

    | Service Name | Application(s) | Service Security Level | Notes |
    |---|---|---|---|
    | Configuration | IP Office Manager, Configuration Web Service (DevConnect) | Secure, Medium | Should always be enabled |
    | Security Administration | IP Office Manager | Secure, Medium | Should always be enabled |
    | System Status Application Interface | SSA | Secure, Medium | Disable if SSA not present |
    | Enhanced TSPI | Avaya one-X® Portal for IP Office | Secure, Medium | Disable if Avaya one-X® Portal for IP Office not present |
    | HTTP | H323 Phones, Embedded File Manager (HTTP only), IP Office Softphone, SysMonitor, Voicemail Pro (HTTPS only), IP Office Line |  | Controls the IP Office HTTP server. Disable if not required. If just HTTPS required, set to Secure, Medium. If HTTP must be enabled, set the System > System > Avaya HTTP Clients Only setting active to reject all non-Avaya clients. |
    | Web Services | IP Office Web Manager | Secure, Medium | Disable if Web Management or System Manager (SMGR) not used |
    | External | Voicemail Pro, Avaya one-X® Portal for IP Office, Web Control, WebRTC | n/a | Not a true service interface |

  6. In the IP Office Manager configuration, on the System > System tab, check the File Writer IP Address setting. This specifies the IP address allowed to write files to the IP Office (IP500 V2 and Linux) using the HTTP and TFTP protocols. Keep it at 0.0.0.0 (disabled) and set an address only when files need to be transferred.
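
The service table in step 5 and the File Writer check in step 6 can be turned into a repeatable review. The following is an added example, not Avaya code: it assumes the settings have been transcribed by hand from IP Office Manager into a Python dictionary, and the dictionary layout, the `audit` function and the sample values are hypothetical.

```python
SECURE_MEDIUM, DISABLED = "Secure, Medium", "Disabled"

# Service -> applications that need it (from the table); None = "should always be enabled".
# "External" is omitted because the table says it is not a true service interface.
SERVICE_APPS = {
    "Configuration": None,
    "Security Administration": None,
    "System Status Application Interface": {"SSA"},
    "Enhanced TSPI": {"Avaya one-X Portal for IP Office"},
    "HTTP": {"H323 Phones", "Embedded File Manager", "IP Office Softphone",
             "SysMonitor", "Voicemail Pro", "IP Office Line"},
    "Web Services": {"IP Office Web Manager", "System Manager (SMGR)"},
}

def audit(deployed, settings):
    """Return a list of findings; an empty list means the settings match the table."""
    findings = []
    for svc, apps in SERVICE_APPS.items():
        level = settings["services"].get(svc, DISABLED)
        needed = apps is None or bool(apps & deployed)
        if not needed and level != DISABLED:
            findings.append(f"{svc}: enabled, but no application that uses it is deployed")
        elif apps is None and level == DISABLED:
            findings.append(f"{svc}: should always be enabled")
        elif needed and level not in (DISABLED, SECURE_MEDIUM):
            if svc != "HTTP":
                findings.append(f"{svc}: level is {level!r}, recommended {SECURE_MEDIUM!r}")
            elif not settings["avaya_http_clients_only"]:
                findings.append("HTTP: plain HTTP enabled without Avaya HTTP Clients Only")
    if settings["file_writer_ip"] != "0.0.0.0":
        findings.append(f"File Writer IP Address: {settings['file_writer_ip']} is set; "
                        "reset to 0.0.0.0 after the transfer")
    return findings

# Constructed sample (hypothetical input shape): only SSA and H323 phones are deployed.
SAMPLE_DEPLOYED = {"SSA", "H323 Phones"}
SAMPLE_SETTINGS = {
    "services": {
        "Configuration": SECURE_MEDIUM,
        "Security Administration": "Unsecure + Secure",  # constructed non-recommended level
        "System Status Application Interface": SECURE_MEDIUM,
        "Enhanced TSPI": SECURE_MEDIUM,   # one-X Portal is not deployed
        "HTTP": "Unsecure + Secure",
    },
    "avaya_http_clients_only": False,
    "file_writer_ip": "192.0.2.10",
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_DEPLOYED, SAMPLE_SETTINGS)))
```

A service missing from the `services` dictionary is treated as disabled, so the transcription only needs to list what is enabled.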