Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-NET-000338
Group -
SRG-NET-000315
Group -
SRG-NET-000004
Group -
The Enterprise Voice, Video, and Messaging Session Manager must automatically disable user accounts after a 35-day period of account inactivity.
Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must be configured to globally disable the extension mobility feature for endpoints.
Extension mobility is a feature of a VVoIP system that permits a person to transfer their phone number extension and phone features (or configuration) to a phone that is not in their normal workspa...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must be configured to use DNS servers assigned to support the VVoIP system.
In some cases a VVoIP endpoint will be configured with one or more URLs pointing to the locations of various servers with which they are associated such as their call controller. These URLs are tra...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must retain the Standard Mandatory DOD Notice and Consent Banner on the screen for management sessions until admins acknowledge the usage conditions and take explicit actions to log on for further access.
The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If t...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must use TLS 1.2 or greater to protect the confidentiality of remote access.
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requ...Rule High Severity -
The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing timestamps (date and time) for all session connections.
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are g...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the identity of the initiator of the call.
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are g...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the outcome (status) of the connection.
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are g...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of a session (call) record system failure.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process session records. Without this notification, the security personnel may be unaware of an impendi...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must protect session (call) records from unauthorized deletion.
If session records were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of s...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs).
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable...Rule High Severity -
The Enterprise Voice, Video, and Messaging Session Manager must be configured to implement attack-resistant mechanisms for Voice Video Endpoint registration.
Attacks against an Enterprise Voice, Video, and Messaging Session Manager may include denial of service (DoS), replay attacks, or cross-site scripting. A replay attack may enable an unauthorized us...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager supporting Command and Control (C2) communications must validate the integrity of transmitted multilevel precedence and preemption (MLPP) attributes.
If MLPP attributes are not associated with the information being transmitted between components, then access control policies and information flows which depend on these MLPP attributes will not fu...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must be configured to generate session (call) records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information.
Any Enterprise Voice, Video, and Messaging Session Manager providing too much information in session records risks compromising the data and security of the application and system. The structure an...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must be configured to restrict Enterprise Voice, Video, and Messaging Session Manager access outside of operational hours.
Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during operational hours can indicate hostile activity if it occurs during off hours. Depending...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must be configured to enforce changes to privileges of Voice Video Endpoint user access.
Without the enforcement of immediate change to privilege levels, users and devices may not provide the correct level of service. Privileges include access to outside connections, precedence, and pr...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must be configured to offload session (call) records to a central log server.
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. T...Rule High Severity -
The Enterprise Voice, Video, and Messaging Session Manager must be configured to require Voice Video Endpoints to re-register at least every three hours.
Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system. Regist...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must be configured to provide an indication of current participants in all calls, meetings, and conferences.
Providing an explicit indication of current participants in videoconferences helps to prevent unauthorized individuals from participating in collaborative videoconference sessions without the expli...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) system components.
If MLPP attributes are not associated with the information being transmitted between systems, then access control policies and information flows which depend on these MLPP attributes will not funct...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must be configured to protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organizationally defined security safeguards.
A network element experiencing a DoS attack will not be able to handle the traffic load. The high CPU utilization caused by a DoS attack will also have impact control keep-alives and timers used fo...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must be configured to protect the confidentiality and integrity of transmitted configuration files, signaling, and media streams.
Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. Communication paths ...Rule High Severity -
The Enterprise Voice, Video, and Messaging Session Manager must implement NIST FIPS-validated cryptography for communications sessions.
All signaling and media traffic from an Enterprise Voice, Video, and Messaging Session Manager must be encrypted. Network elements using encryption are required to use FIPS-compliant mechanisms for...Rule High Severity -
The Enterprise Voice, Video, and Messaging Session Manager must be configured to use the organization authoritative time source (NTP) to maintain system time.
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security bas...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager requiring user access authentication must provide a logout capability for user-initiated communications sessions.
If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. However, for some types of interactive sessions inc...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must be configured to apply 802.1Q VLAN tags to signaling and media traffic.
When network elements do not dynamically reconfigure the data security attributes as data is created and combined, the possibility exists that security attributes will not correctly reflect the dat...Rule Medium Severity -
SRG-NET-000138
Group -
SRG-NET-000018
Group -
SRG-NET-000015
Group -
The Enterprise Voice, Video, and Messaging Session Manager must disable (prevent) auto-registration of Voice Video Endpoints.
Authentication must not automatically give an entity access to an asset. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and curre...Rule High Severity -
SRG-NET-000018
Group -
The Enterprise Voice, Video, and Messaging Session Manager must be configured to only enable the extension mobility feature for endpoints on a per user basis.
Extension mobility is a feature of a VVoIP system that permits a person to transfer their phone number extension and phone features (or configuration) to a phone that is not in their normal workspa...Rule Medium Severity -
The Enterprise Voice, Video, and Messaging Session Manager must limit the number of concurrent management sessions to an organizationally defined limit.
Network element management includes the ability to control the number of users and user sessions that use a network element. Limiting the number of allowed users and sessions per user is helpful in...Rule Medium Severity -
SRG-NET-000018
Group -
SRG-NET-000041
Group -
The Enterprise Voice, Video, and Messaging Session Manager must display the Standard Mandatory DOD Notice and Consent Banner before granting access to management sessions.
Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Exe...Rule Medium Severity -
SRG-NET-000042
Group -
SRG-NET-000053
Group -
SRG-NET-000062
Group -
SRG-NET-000074
Group -
The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the type of session connection.
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are g...Rule Medium Severity -
SRG-NET-000075
Group -
SRG-NET-000076
Group -
The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing where (location) the connection originated.
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are g...Rule Medium Severity -
SRG-NET-000077
Group -
SRG-NET-000078
Group -
The Enterprise Voice, Video, and Messaging Session Manager must be configured to use an organizational-level user account management system.
To effectively manage user accounts, organizational level systems such as Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) are used to create and manage user credentials that c...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.