Securing Telephony Users & Extensions

Last Updated: Jan 21, 2025

About this task

Users and extensions should be configured so that access is restricted to necessary features, default login codes are changed, and auto-create is disabled.

Procedure

  1. All unused users should be deleted – except NoUser.
  2. The following auto-create settings must be disabled when not required:
    • LAN1/LAN2 > VoIP > H323 Gatekeeper > Auto-create Extn

    • LAN1/LAN2 > VoIP > H323 Gatekeeper > Auto-create User

    • LAN1/LAN2 > VoIP > SIP Registrar > Auto-create Extn/User

    • Line > IP DECT > Gateway > Auto-Create Extension

    • Line > IP DECT > Gateway > Auto-Create User

  3. If any auto-create feature is used to assist installation, the settings must be deactivated as soon as possible. Note that these settings are automatically deactivated 24 hours after being set to avoid inadvertent exposure.
  4. If no H.323 extensions are supported, the System > LAN1/2 > VoIP > H.323 Gatekeeper Enabled setting must be disabled. If H.323 extensions are supported, only the relevant LAN's gatekeeper should be enabled.
  5. If no H.323 remote workers are supported, the System > LAN1/2 > VoIP > H.323 Gatekeeper > H.323 Remote Extn Enabled setting must be disabled. If H.323 remote workers are supported, only the relevant LAN's Remote Extn should be enabled.
  6. If no SIP extensions are supported, the System > LAN1/2 > VoIP > SIP Registrar Enabled setting must be disabled. If SIP extensions are supported, only the relevant LAN's registrar should be enabled.
  7. If no SIP remote workers are supported, the System > LAN1/2 > VoIP > SIP Registrar > SIP Remote Extn Enabled setting must be disabled. If SIP remote workers are supported, only the relevant LAN's SIP Remote Extn should be enabled.
  8. Enforce a Login Code (PIN) policy for all users and extensions by setting System > Telephony > Login Code Complexity > Minimum Length to the minimum acceptable length, and activating Complexity Test. For more information, see Password and PIN Management.
  9. For all VoIP (SIP, H323, DECT) users, the User > Telephony > Supervisor Settings > Login Code or the Extension > Extn > Phone Password must be set.
  10. If any SIP registrar or H323 gatekeeper is exposed directly or indirectly to an unsecure network, follow the steps for Hardening for Remote Workers.
  11. All SIP extensions' Extension > Extn > Force Authorization setting must be enabled.
  12. All auto-created VoIP users must have their User > Telephony > Supervisor Settings > Login Code changed from the default. All auto-created non-VoIP (Digital, Analog) users should have their name and extension changed from the default.
  13. Each user should have only the necessary User > User > Profile features enabled, all others disabled.
  14. Each user should have only the minimum necessary User > User Portal interface features enabled, all others disabled:
  15. If different from the system-wide setting, change the Extn > VoIP > Media Security setting. See VoIP Security.
  16. If the VoIP extension is to be configured for secure media (SRTP) or operates in an unsecure environment, any settings file supplied by IP Office should be conveyed via HTTPS, not HTTP. To force settings file provision to be HTTPS, change the security settings Services > HTTP setting; see Ensure Minimum Rights of Access. This will require certificate administration; see Certificates and Trust.
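
The conditional rules in steps 2, 4 to 7, 9 and 11 can be checked mechanically once the settings have been recorded in an inventory. The following is an added example, not part of the product or its documentation; the inventory layout and every key name in it are assumptions for illustration and do not correspond to an IP Office export format.

```python
# Added example, not vendor code. The inventory layout and key names are
# assumptions for illustration; they are not an IP Office export format.
AUTO_CREATE = ("h323_auto_create_extn", "h323_auto_create_user", "sip_auto_create",
               "dect_auto_create_extn", "dect_auto_create_user")

def audit(cfg):
    findings, exts = [], cfg["extensions"]
    # Step 2: every auto-create setting must be off unless listed as required.
    for name in AUTO_CREATE:
        if cfg["auto_create"].get(name) and name not in cfg.get("auto_create_required", ()):
            findings.append(f"step 2: {name} is enabled")
    # Steps 4-7: a gatekeeper/registrar (or its remote-extn option) may be
    # enabled only on a LAN that serves extensions (or remote workers) of that type.
    for lan, svc in cfg["lans"].items():
        for proto, s_local, s_remote in (("h323", 4, 5), ("sip", 6, 7)):
            local = [e for e in exts if e["type"] == proto and e["lan"] == lan]
            remote = [e for e in local if e.get("remote")]
            if svc[f"{proto}_enabled"] and not local:
                findings.append(f"step {s_local}: {lan} {proto} enabled, no extensions")
            if svc[f"{proto}_remote_enabled"] and not remote:
                findings.append(f"step {s_remote}: {lan} {proto} remote extn enabled, no remote workers")
    # Steps 9 and 11: per-extension credential and authorization checks.
    for e in exts:
        if e["type"] in ("sip", "h323", "dect") and not (
                e.get("login_code_set") or e.get("phone_password_set")):
            findings.append(f"step 9: extn {e['extn']} has no login code or phone password")
        if e["type"] == "sip" and not e.get("force_authorization"):
            findings.append(f"step 11: extn {e['extn']} Force Authorization disabled")
    return findings

# Constructed sample inventory (not real data).
SAMPLE = {
    "auto_create": {"sip_auto_create": True, "h323_auto_create_extn": False},
    "lans": {
        "LAN1": {"h323_enabled": True, "h323_remote_enabled": False,
                 "sip_enabled": True, "sip_remote_enabled": True},
        "LAN2": {"h323_enabled": False, "h323_remote_enabled": False,
                 "sip_enabled": True, "sip_remote_enabled": False},
    },
    "extensions": [
        {"extn": "201", "type": "sip", "lan": "LAN1", "remote": False,
         "login_code_set": True, "force_authorization": True},
        {"extn": "202", "type": "sip", "lan": "LAN1", "remote": False,
         "login_code_set": False, "force_authorization": False},
    ],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```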