UCF STIG Viewer Logo

The hardware Voice Video Endpoint must disable or restrict built-in web servers.


Overview

Finding ID Version Rule ID IA Controls Severity
V-206799 SRG-NET-000512-VVEP-00052 SV-206799r604140_rule Medium
Description
Hardware Voice Video Endpoints sometimes contain a web server for the implementation of various functions and features. In many cases these are used to configure the network settings or user preferences on the device. In some Voice Video Endpoints, a user can access a missed call list, call history, or other information. If access to such a web server is not restricted to authorized entities, the device supporting it is subject to unauthorized access and compromise.
STIG Date
Voice Video Endpoint Security Requirements Guide 2020-12-04

Details

Check Text ( C-7055r363920_chk )
If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable. If the hardware Voice Video Endpoint does not contain a web server, this check procedure is Not Applicable.

Verify the hardware Voice Video Endpoint disables or restricts built-in web servers. Web servers embedded in hardware Voice Video Endpoints must be restricted to authorized entities’ devices through an authentication mechanism or, minimally, through IP address filtering, or be otherwise disabled. Additionally, the connection must be for direct user or administrative functions.

If the hardware Voice Video Endpoint does not disable or restrict built-in web servers, this is a finding.
Fix Text (F-7055r363921_fix)
Configure the hardware Voice Video Endpoint to disable or restrict built-in web servers.