Skip to content

III - Administrative Sensitive

Rules and Groups employed by this XCCDF Profile

  • SRG-NET-000015

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must disable (prevent) auto-registration of Voice Video Endpoints.

    &lt;VulnDiscussion&gt;Authentication must not automatically give an entity access to an asset. Authorization procedures and controls must be implem...
    Rule High Severity
  • SRG-NET-000018

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must be configured to only enable the extension mobility feature for endpoints on a per user basis.

    &lt;VulnDiscussion&gt;Extension mobility is a feature of a VVoIP system that permits a person to transfer their phone number extension and phone fe...
    Rule Medium Severity
  • SRG-NET-000018

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must be configured to globally disable the extension mobility feature for endpoints.

    &lt;VulnDiscussion&gt;Extension mobility is a feature of a VVoIP system that permits a person to transfer their phone number extension and phone fe...
    Rule Medium Severity
  • SRG-NET-000018

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must be configured to use DNS servers assigned to support the VVoIP system.

    &lt;VulnDiscussion&gt;In some cases a VVoIP endpoint will be configured with one or more URLs pointing to the locations of various servers with whi...
    Rule Medium Severity
  • SRG-NET-000041

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must display the Standard Mandatory DOD Notice and Consent Banner before granting access to management sessions.

    &lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the network ensures privacy and security no...
    Rule Medium Severity
  • SRG-NET-000042

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must retain the Standard Mandatory DOD Notice and Consent Banner on the screen for management sessions until admins acknowledge the usage conditions and take explicit actions to log on for further access.

    &lt;VulnDiscussion&gt;The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that th...
    Rule Medium Severity
  • SRG-NET-000053

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must limit the number of concurrent management sessions to an organizationally defined limit.

    &lt;VulnDiscussion&gt;Network element management includes the ability to control the number of users and user sessions that use a network element. ...
    Rule Medium Severity
  • SRG-NET-000062

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must use TLS 1.2 or greater to protect the confidentiality of remote access.

    &lt;VulnDiscussion&gt;Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and u...
    Rule High Severity
  • SRG-NET-000074

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the type of session connection.

    &lt;VulnDiscussion&gt;Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relat...
    Rule Medium Severity
  • SRG-NET-000075

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing timestamps (date and time) for all session connections.

    &lt;VulnDiscussion&gt;Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relat...
    Rule Medium Severity
  • SRG-NET-000076

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing where (location) the connection originated.

    &lt;VulnDiscussion&gt;Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relat...
    Rule Medium Severity
  • SRG-NET-000077

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the identity of the initiator of the call.

    &lt;VulnDiscussion&gt;Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relat...
    Rule Medium Severity
  • SRG-NET-000078

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the outcome (status) of the connection.

    &lt;VulnDiscussion&gt;Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relat...
    Rule Medium Severity
  • SRG-NET-000079

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the identity of the users and identifiers associated with the session.

    &lt;VulnDiscussion&gt;Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relat...
    Rule Medium Severity
  • SRG-NET-000088

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of a session (call) record system failure.

    &lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process session records. Withou...
    Rule Medium Severity
  • SRG-NET-000098

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must protect session (call) records from unauthorized read access.

    &lt;VulnDiscussion&gt;Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means...
    Rule Medium Severity
  • SRG-NET-000099

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must protect session (call) records from unauthorized modification.

    &lt;VulnDiscussion&gt;If session records were to become compromised, then forensic analysis and discovery of the true source of potentially malicio...
    Rule Medium Severity
  • SRG-NET-000100

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must protect session (call) records from unauthorized deletion.

    &lt;VulnDiscussion&gt;If session records were to become compromised, then forensic analysis and discovery of the true source of potentially malicio...
    Rule Medium Severity
  • SRG-NET-000113

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records for events determined to be significant and relevant by local policy.

    &lt;VulnDiscussion&gt;Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relat...
    Rule Medium Severity
  • SRG-NET-000131

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must be configured to disable nonessential capabilities.

    &lt;VulnDiscussion&gt;It is detrimental for Enterprise Voice, Video, and Messaging Session Managers to provide, or enable by default, functionality...
    Rule Medium Severity
  • SRG-NET-000132

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs).

    &lt;VulnDiscussion&gt;In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e....
    Rule High Severity
  • SRG-NET-000138

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

    &lt;VulnDiscussion&gt;To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticat...
    Rule High Severity
  • SRG-NET-000138

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must be configured to use an organizational-level user account management system.

    &lt;VulnDiscussion&gt;To effectively manage user accounts, organizational level systems such as Lightweight Directory Access Protocol (LDAP) or Act...
    Rule High Severity
  • SRG-NET-000147

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must be configured to implement attack-resistant mechanisms for Voice Video Endpoint registration.

    &lt;VulnDiscussion&gt;Attacks against an Enterprise Voice, Video, and Messaging Session Manager may include denial of service (DoS), replay attacks...
    Rule Medium Severity
  • SRG-NET-000148

    <GroupDescription></GroupDescription>
    Group
  • The Enterprise Voice, Video, and Messaging Session Manager must be configured to uniquely identify each Voice Video Endpoint device before registration.

    &lt;VulnDiscussion&gt;Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Typi...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules