Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-8254 | VVoIP 1045 (GENERAL) | SV-8740r1_rule | ECSC-1 | Medium |
Description |
---|
Voice mail and unified mail services in a VoIP environment are available in several different configurations. For example, a legacy voice mail platform can connect to a VoIP gateway to provide voice mail services for VoIP users. Conversely, a VoIP-based voice mail platform can provide voice mail services to both legacy voice users and VoIP users. In addition to providing traditional voice mail services, many VoIP voice mail systems are also capable of providing unified mail (integrated voice and electronic mail) or of interacting with existing e-mail messaging systems. Voice mail services are commonly configured to run on common operating systems, such as Microsoft Windows NT, Windows 2000, or Sun Solaris. Steps should be taken to ensure that these operating systems are secured in accordance with the appropriate STIG. Application services supporting the voice mail service should also be hardened. For example, MS SQL Server may be used to support subscriber accounts, or MS IIS may be used to allow subscribers to change their voice mail settings using a web browser. Different VoIP solutions use different application services to provide voice and voice mail support. Many of these applications can provide access to the VoIP environment via unsecured channels. This can happen through the abuse of enabled but unused services or through known unpatched vulnerabilities on common application servers. All unused services are to be disabled, and all application servers are to be secured using the applicable STIG guidance. |
STIG | Date |
---|---|
Voice / Video Services Policy STIG | 2015-07-01 |
Check Text ( C-23621r1_chk ) |
---|
Interview the IAO and review site documentation to confirm compliance with the following requirement: In the event a Voice Mail or Unified Mail server is VoIP enabled or connected to an IP network for user access to the Voice/Unified Mail service or for system management, ensure application services supporting the voice/unified mail service, such as SQL, IIS, Apache, Oracle, Exchange, etc., are properly secured according to the appropriate STIGs. Determine if the Voice/Unified Mail servers are connected to an IP network. Then determine whether they are based upon any of the general-purpose application technologies for which there is a STIG or checklist. Note: compliance with these STIGs is in addition to compliance with the DSN and applicable OS STIGs as covered under VoIP 0330. Obtain a copy of the applicable SRR or Self Assessment results and review for compliance. If SRR results are not available, perform a review to determine if the STIGs have been applied. This is a finding in the event it is evident that the appropriate STIGs have not been applied. This check is not intended to determine if the asset is in full compliance. |
Fix Text (F-20136r1_fix) |
---|
In the event a Voice Mail or Unified Mail server is VoIP enabled or connected to an IP network for user access to the Voice/Unified Mail service or for system management, ensure application services supporting the voice/unified mail service, such as SQL, IIS, Apache, Oracle, Exchange, etc., are properly secured according to the appropriate STIGs. Secure IP-connected Voice/Unified Mail servers. Apply all applicable general-purpose application STIGs (i.e., Database, Web, Application Services, e-mail, etc.) and ensure compliance with applicable STIG guidelines. |
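An added example, not part of this STIG or any vendor tool, of how a reviewer could support the check and fix above: it parses a listener inventory taken from a voice/unified mail server, flags enabled services the site has not documented as required (the "enabled but unused" services the description says must be disabled), and maps the documented ones to the general-purpose application STIG families named here (database, web, e-mail). The inventory line format, the process names, and the port-to-family mapping are assumptions.

```python
import re
from collections import namedtuple
# Assumed mapping from listening port to the general-purpose STIG family.
STIG_FAMILY = {
    1433: "Database (MS SQL Server)",
    1521: "Database (Oracle)",
    80: "Web Server (IIS/Apache)",
    443: "Web Server (IIS/Apache)",
    25: "E-mail (Exchange/SMTP)",
}
Listener = namedtuple("Listener", "proto addr port process")
# Constructed inventory line format: "<proto> <addr>:<port> <process>".
LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+)$")

def parse_inventory(text):
    """Parse inventory text into Listener records, rejecting malformed lines."""
    listeners = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable inventory line: {line!r}")
        proto, addr, port, proc = m.groups()
        listeners.append(Listener(proto, addr, int(port), proc))
    return listeners

def triage(listeners, documented):
    """Return ({STIG family: documented processes}, [undocumented listeners])."""
    needs_stig, disable = {}, []
    for lst in listeners:
        if lst.process not in documented:
            disable.append(lst)  # enabled but not required: disable it
            continue
        family = STIG_FAMILY.get(lst.port)
        if family:  # required service on a port covered by another STIG
            needs_stig.setdefault(family, set()).add(lst.process)
    return needs_stig, disable

# Constructed sample inventory and site documentation; not from a real system.
SAMPLE_INVENTORY = """\
tcp 0.0.0.0:1433 sqlservr.exe
tcp 0.0.0.0:80 inetinfo.exe
tcp 0.0.0.0:443 inetinfo.exe
tcp 0.0.0.0:25 smtpsvc.exe
tcp 0.0.0.0:21 ftpsvc.exe
udp 0.0.0.0:5060 vmgateway.exe
"""
DOCUMENTED = {"sqlservr.exe", "inetinfo.exe", "vmgateway.exe"}
```

Running `triage(parse_inventory(SAMPLE_INVENTORY), DOCUMENTED)` on the sample yields the Database and Web Server STIG families for the documented SQL and IIS processes, and lists the undocumented SMTP and FTP listeners as services to disable.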