The Enterprise Voice, Video, and Messaging Session Manager must be configured to only enable the extension mobility feature for endpoints on a per user basis.
An XCCDF Rule
Description
<VulnDiscussion>Extension mobility is a feature of a VVoIP system that permits a person to transfer their phone number extension and phone features (or configuration) to a phone that is not in their normal workspace. This is useful when a person is visiting a remote office away from their normal office and typically functions within an established enterprise wide VVoIP system where the system is designed as a contiguous system. In this case, the system is typically a single vendor solution. The system might be within one LAN/CAN may include multiple LAN/CANs at multiple interconnected sites. To activate this feature, the user approaches a phone that is not their regular phone and identifies themselves to the phone system via a username, password, pin, code, or some combination of these. Upon validation, the system configuration manager will configure the temporary phone to match the configuration of the user's regular phone. Minimally, the phone number is transferred and possibly some or all of the user's speed dial numbers and other personal preferences. This capability is dependent upon the capabilities of the temporary phone. Once activated the user's inbound calls are directed to the temporary location. The user's regular phone may or may not maintain its normal capabilities and also may also answer inbound calls. Extension mobility is similar to but not the same as forwarding calls. Forwarding is typically activated from the user's normal phone or their user preferences configuration settings. Forwarding is therefore pre-set to a known location. Extension mobility is typically activated from the remote location and is activated upon arrival at that location. Extension mobility should be available only to those individuals that need to use the feature.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-259989r948932_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure the extension mobility feature only when enabled per user. Confirm the following specific security features are configured:
- The feature is enabled/disabled on a per user basis.
- Feature activation requires user authentication minimally using a user unique PIN (preferably including a unique user ID).
- Feature is not activated using a common activation code, or feature button on the phone.
- The user (or system administrator) can manually disable the feature at their discretion.
- The user may have the capability to set duration when activating the feature. (Optional)