Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-NET-000015
Group -
The Enterprise Voice, Video, and Messaging Endpoint must not be configured with any vendor default accounts, PINs, or passwords to access configuration settings.
Many Enterprise Voice, Video, and Messaging Endpoints can set or display configuration settings in the instrument itself. This presents a risk if a user obtains information such as the IP addresses...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to prevent the configuration or display of configuration settings without the use of a PIN or password.
Many Enterprise Voice, Video, and Messaging Endpoints can set or display configuration settings in the instrument itself. This presents a risk if a user obtains information such as the IP addresses...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Endpoint PC port must be configured to connect to an 802.1x supplicant or the PC port must be disabled.
IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and b...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to apply 802.1Q VLAN tags to signaling and media traffic.
When Enterprise Voice, Video, and Messaging Endpoints do not dynamically assign 802.1Q VLAN tags as data is created and combined, it is possible the VLAN tags will not correctly reflect the data ty...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Endpoint must notify the user, upon successful logon (access) to the network element, of the date and time of the last logon (access).
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if a...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to limit the number of concurrent sessions to an organizationally defined number.
Enterprise Voice, Video, and Messaging Endpoint management includes the ability to control the number of user sessions and limiting the number of allowed user sessions helps limit risk related to D...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing what type of connection occurred.
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely ...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing where the connection occurred.
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely ...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing the source of the connection.
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely ...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to disable or remove nonessential capabilities.
It is detrimental for Enterprise Voice, Video, and Messaging Endpoints when unnecessary features are enabled by default. Often these features are enabled by default with functionality exceeding req...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Endpoint must use multifactor authentication for network access to nonprivileged (nonadmin) accounts.
To ensure accountability and prevent unauthenticated access, nonprivileged users must use multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authenti...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to implement replay-resistant authentication mechanisms for network access.
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be ...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Endpoint must offload audit records onto a different system or media than the system being audited.
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. Au...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Endpoint must generate audit records when successful/unsuccessful logon attempts occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Endpoint must generate audit records showing starting and ending time for user access to the system.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Endpoint must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security bas...Rule Medium Severity -
SRG-NET-000015
Group -
SRG-NET-000015
Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to register with an Enterprise Voice, Video, and Messaging Session Manager.
For most VoIP systems, registration is the process of centrally recording the user ID, endpoint MAC address, service/policy profile with two-stage authentication prior to authorizing the establishm...Rule High Severity -
SRG-NET-000018
Group -
The Enterprise Voice, Video, and Messaging Endpoint PC port must be configured to maintain VLAN separation from the voice video VLAN, or be disabled.
Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing...Rule Medium Severity -
SRG-NET-000018
Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to integrate into the implemented 802.1x network access control system.
IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and b...Rule Medium Severity -
SRG-NET-000018
Group -
SRG-NET-000018
Group -
The Enterprise Voice, Video, and Messaging Endpoint not supporting 802.1x must be configured to use MAC Authentication Bypass (MAB) on the access switchport.
IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and b...Rule Medium Severity -
SRG-NET-000018
Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to use a voice video VLAN, separate from all other VLANs.
Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing...Rule Medium Severity -
SRG-NET-000018
Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to disable the Far End Camera Control feature if supported.
Many VTC endpoints support Far End Camera Control (FECC). This feature uses H.281 protocol, which must be supported by both VTUs. Typically, this is only available during an active VTC session but ...Rule Medium Severity -
SRG-NET-000029
Group -
The Enterprise Voice, Video, and Messaging Endpoint must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allow...Rule Medium Severity -
SRG-NET-000053
Group -
SRG-NET-000041
Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the network.
Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Exe...Rule Medium Severity -
SRG-NET-000042
Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If t...Rule Medium Severity -
SRG-NET-000048
Group -
SRG-NET-000049
Group -
SRG-NET-000074
Group -
SRG-NET-000075
Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing when (date and time) the connection occurred.
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely ...Rule Medium Severity -
SRG-NET-000076
Group -
SRG-NET-000077
Group -
SRG-NET-000078
Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing the outcome of the connection.
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely ...Rule Medium Severity -
SRG-NET-000079
Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing the identity of all users.
Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility...Rule Medium Severity -
SRG-NET-000113
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.