Lucent Technologies BCS Products Security Handbook Addendum
BCS Products Security Handbook Addendum 585-025-600ADD Issue 1 May 1999

2 Messaging 2000 Voice Mail System

Overview

The Messaging 2000 (M2000) System provides Voice Mail services for the MERLIN Legend Communication System. The system is PC based and utilizes the IBM OS-2 operating system. The system is connected to the Legend system via line-side VMI ports. These ports allow access to the voice mailboxes associated with each PBX subscriber.

Maintaining Message 2000 System Security

The M2000 system includes features that can enhance the security of the M2000 system. It is recommended that the end-user review the following security measures and implement them as appropriate.

- Preventing Callers from Transferring to Extensions Not Assigned M2000 System Mailboxes

  On some phone systems, callers can transfer to a system extension and then use that extension to access an outside line. This is most relevant for M2000 ports used for outcalls for networking or message notification to a beeper. By preventing callers from accessing system extensions not assigned M2000 system mailboxes, the risk of outside callers accessing an outside line may be reduced.

  Setting the following parameters on the Invalid Mailbox tab in System Setup can prevent callers from accessing non-assigned extensions.

  — Transfer Invalid Mailboxes During Hours
  — Transfer Invalid Mailboxes After Hours

  When these parameters are disabled, callers dialing an extension that has not been assigned an M2000 mailbox will hear, “Mailbox number is not valid. Please redial the number of the person you are calling.”

  NOTE: It is recommended that these parameters are set to disable transfer to invalid mailboxes.

- Impeding Callers from Accessing the Quick Assist Maintenance Mailbox

  When Quick Assist is run in Recover Mode, the system can automatically assign messages with invalid header information to a default mailbox. This allows the system manager to then copy the messages to the correct subscriber mailbox. The default for this maintenance mailbox is the last mailbox number available on the system. For example, on an M2000 system with 4-digit mailboxes, mailbox 9999 is used.

  Since it is easier for an outside caller attempting to gain unauthorized mailbox access to guess a mailbox number such as 9999, it is recommended that the system mailbox in which unattached messages will be placed, be specified explicitly. In addition, it is strongly recommended that this mailbox be assigned a long password that could not easily be guessed by an outside caller attempting to access the system.

  When Quick Assist is run in Recover Mode from the Quick Assist icon in the Lucent folder, use the “Mailbox to Receive Unattached Messages” field on the Recover Files dialog box to specify a mailbox in which to place messages with invalid header information. When Quick Assist is run from the \CVR prompt or in batch mode as part of regular system maintenance, specify this mailbox by including the -M n parameter, where n indicates the number of the mailbox to be used, in the Quick Assist command line.

- Assigning Randomly Generated Passwords to M2000 System Mailboxes

  During System Setup, M2000 allows selection of the type of password assigned to new system mailboxes. You may assign the same default password to all new mailboxes, or not require a password, or have the M2000 system automatically assign a random password to each new mailbox. For security purposes, it is recommended that random password assignment be used. This makes it much more difficult for a caller to guess a mailbox’s password. When random password assignment is used, the M2000 system displays the passwords assigned to the new mailboxes when they are created.

- Requiring Passwords at Least 1 Digit Longer than Mailbox Numbers

  The longer the passwords assigned to system mailboxes, the harder it is for a caller to guess them. The Minimum Length of Password parameter on the Subscriber parameters tab in the System Setup utility allows you to set the least number of digits required in a mailbox password. It is recommended that this parameter be set to at least 1 digit higher than the length of the system’s mailbox numbers. For example, if the system uses 4-digit mailboxes, it is recommended that the Minimum Length of Password parameter be set to at least 5. Note that the length of this parameter must be set to balance system security against ease of use for the subscribers. Setting this parameter too high may make it difficult for system subscribers to remember their passwords.

- Requiring Subscribers to Regularly Change Their Passwords

  The requirement that subscribers regularly change their passwords helps prevent outside callers from determining subscriber passwords and gaining unauthorized access to system mailboxes. The Days Before Forced Password Change parameter on the Subscriber tab in System Setup should be used to specify the required interval before subscribers are required to change their mailbox passwords. When this parameter is enabled, subscribers must change their password the first time they log into their mailboxes and after the number of specified days expires before they can proceed to the main menu.

- Monitoring Uninitialized Mailboxes

  If the Days Before Forced Password Change parameter in System Setup is disabled, subscribers are not required to change their passwords. This can make it easier for a caller to guess a subscriber’s password, especially if a default password is used for all mailboxes instead of randomly assigned passwords for each mailbox.

  The Uninitialized Mailbox report lists all mailboxes for which the password has not yet been changed from the initially assigned password. It is recommended that this report be regularly reviewed to determine which subscribers have not yet changed their passwords. Subscribers should be reminded that they should change their passwords regularly to prevent anyone but themselves from accessing their mailboxes.

  If it is found that many subscribers are not changing their passwords, the Days Before Forced Password Change parameter in the System Setup utility should be enabled to require them to regularly change their passwords.

- Using Extended Password Security

  Extended password security requires subscribers to press the “#” key after entering their passwords to access their mailboxes. If subscribers do not press the “#” key, the system pauses before allowing mailbox access. The Enable Extended Password Security parameter on the Subscriber tab in System Setup determines whether the system waits for the subscriber to press “#” or allows immediate mailbox access after successful password entry. This parameter helps prevent unauthorized users from determining the number of digits in M2000 system mailbox passwords.

  NOTE: It is recommended that this feature be enabled.

- Providing Notification of Unsuccessful Mailbox Login Attempts

  The M2000 system can send voice notification to subscribers when one or more unsuccessful login attempts have been made to their mailboxes. This feature informs subscribers that someone may have attempted to gain unauthorized access to their mailboxes. The Failed Login Notification option on the Class of Service dialog box determines whether this feature is enabled. The Failed Login Notify option on the Subscriber Settings dialog box controls this feature by individual mailbox. When an unsuccessful login attempt occurs, it is recommended that the subscriber change their mailbox password immediately and notify the system manager of the attempted login.

  NOTE: It is recommended that this feature be enabled for all mailboxes.

- Locking Subscriber Mailboxes After Unsuccessful Login Attempts

  The M2000 system can lock a mailbox when a caller attempting to log into the mailbox is disconnected after entering the incorrect password a specified number of times. A locked mailbox prevents any caller, including the subscriber, from logging into the mailbox until the system manager manually unlocks the mailbox. The Mailbox Lock-Out Option on the Class of Service dialog box determines whether this feature is enabled. The Mailbox Lock-Out option on the Subscriber Settings dialog box controls this feature by individual mailbox. The Consecutive Login Failures Before Lock-Out parameter on the Subscriber Parameters tab in System Setup determines the number of failed login attempts allowed before the mailbox is locked, if the Mailbox Lock-Out option is enabled for the mailbox.

  NOTE: It is recommended that this feature be enabled for all mailboxes.

- Monitoring Failed Login Attempts

  The Login Failure report provides a list of all unsuccessful login attempts to system mailboxes. This report should be reviewed periodically to determine if there are a lot of failed login attempts to a particular mailbox and when the failed attempts occur. A high number of failed login attempts may indicate the mailbox owner requires additional training or that an unauthorized user is attempting to gain access to the mailbox.

- Having Subscribers Record Their Name Prompts

  When subscribers record their Name prompts, those prompts are voiced as confirmation to callers sending messages to system mailboxes. This ensures that messages will be sent to the correct mailboxes. If a Name prompt is not recorded for a subscriber mailbox, only the mailbox number is voiced to callers sending messages to that mailbox.

- Deleting Unused Mailboxes Immediately

  If a mailbox is no longer being used, it is recommended that the mailbox be immediately deleted from the M2000 system. This will prevent anyone from gaining unauthorized system access through the mailbox. If a mailbox is being reassigned to a new mailbox owner, it is strongly recommended that the mailbox be deleted, then re-created.

- Requiring Callers to Enter Passwords to Proceed in V-Trees

  If V-Trees are used to distribute or collect sensitive information, such as pricing data or customer data, it is strongly recommended that you use the Require Password to Proceed to Next Level option. This option requires callers to a V-Tree to correctly enter a predefined password before they are allowed to proceed in the V-Tree. You can use this option on multiple levels to protect individual options, or it can be used on the first level of the V-Trees to limit access to the entire V-Tree. This ensures that only authorized callers can gain access to the information provided in the V-Tree.

- Securing the M2000 System PC

  It is imperative that the M2000 system PC be protected from unauthorized system management access. Unauthorized access to the M2000 system PC could result in system setup changes, loss of mailboxes and messages, and database corruption.

  The best way to prevent unauthorized system management access to the M2000 system PC is to store the PC in a secure area, such as a locked room. If the M2000 system PC cannot be stored in a secure area, the built-in PC security features, such as passwords, must be used to provide a degree of protection. Refer to your PC documentation for information on security features available on the PC.

  Note that before implementing security features on the PC, a Lucent technical support representative should be contacted to assure that these features will not disrupt M2000 system performance.

- Utilizing Phone System Security Features

  Lucent Communication systems have security features that allow one to help prevent unauthorized access to system ports. A Lucent system representative should be contacted to determine what security features are available for the Merlin Legend system and how to implement them.

- Using Supervisor Passwords to Restrict System Management Access

  Access to M2000 system management features is password-protected. There are two levels of system manager passwords. Level 2 access allows a system manager to create, edit, and delete mailboxes; access reports and system statistics; create and specify prompts; maintain network nodes; and create V-Trees. Level 3 access allows a system manager to perform all level 2 tasks, to set system parameters using the System Setup module, configure greetings by port, modify classes of service, and configure multilingual M2000 systems.

  It is recommended that at least a 6-digit password be used for both the level 2 and level 3 passwords. The longer the level 2 and level 3 passwords, the more difficult it becomes for someone to guess them. It is also recommended that all supervisor passwords be changed on a regular basis to further protect against unauthorized system manager access.

- Using the Auto Logoff Feature to Restrict System Management Access

  The M2000 system’s “auto logoff feature” allows one to specify the maximum amount of time a system management session can remain inactive before the M2000 system automatically logs out that user and terminates the session. This feature helps prevent unauthorized system manager access. To set the auto logoff, the number of minutes of inactivity allowed before logoff must be entered in the “Logoff In_____ Minutes” field on the Supervisor Password dialog box when logging into the system.

Security Recommendations for Remote Access

Remote access to the system should be secured via the following guidelines:

- All remote access logins to the system must be administered to require the use of a secondary password.
- The end-user must periodically/frequently change all secondary passwords. After changing the secondary passwords, the end-user should notify the appropriate Lucent support organization(s) that the passwords have been changed.
- The modem connection to the system should be “disabled” when it is not required for use by benefit personnel. This connection should be enabled only by the system administrator on an “as needed” basis.
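
One way to check a system against the mailbox and supervisor password recommendations in this chapter, as an added example that is not part of the handbook or of the M2000 software. The dict layout and key names are a hypothetical transcription of the System Setup values, and both sample configurations are constructed.

```python
# Added example. Key names mirror the handbook's parameter names; the dict
# layout is a hypothetical transcription, not an M2000 file format.
def audit_m2000(cfg):
    """Return handbook deviations found in a transcribed M2000 configuration."""
    findings = []
    digits = cfg["mailbox_digits"]

    # Invalid Mailbox tab: both transfer parameters should be disabled.
    for key in ("transfer_invalid_mailboxes_during_hours",
                "transfer_invalid_mailboxes_after_hours"):
        if cfg[key]:
            findings.append(f"{key}: disable")
    # Quick Assist defaults to the last mailbox number (9999 for 4 digits).
    if cfg["unattached_message_mailbox"] in (None, "9" * digits):
        findings.append("unattached_message_mailbox: specify explicitly")
    if cfg["password_assignment"] != "random":
        findings.append("password_assignment: use random")
    # Passwords at least 1 digit longer than mailbox numbers.
    if cfg["minimum_length_of_password"] < digits + 1:
        findings.append(f"minimum_length_of_password: raise to {digits + 1}")
    # None means disabled; 182 to 365 is the checklist's recommended range.
    days = cfg["days_before_forced_password_change"]
    if days is None or not 182 <= days <= 365:
        findings.append("days_before_forced_password_change: set 182 to 365")
    if not cfg["enable_extended_password_security"]:
        findings.append("enable_extended_password_security: enable")
    # The checklist asks for both the class-of-service option and the
    # per-mailbox Subscriber Settings option for these two features.
    for feature in ("failed_login_notification", "mailbox_lock_out"):
        for mailbox, opts in cfg["mailboxes"].items():
            cos = cfg["class_of_service"][opts["cos"]]
            if not (cos[feature] and opts[feature]):
                findings.append(f"{feature}: enable for mailbox {mailbox}")
    for level, length in cfg["supervisor_password_digits"].items():
        if length < 6:
            findings.append(f"supervisor level {level}: use 6 or more digits")
    return findings

HARDENED = {  # constructed sample values
    "mailbox_digits": 4,
    "transfer_invalid_mailboxes_during_hours": False,
    "transfer_invalid_mailboxes_after_hours": False,
    "unattached_message_mailbox": "4172",
    "password_assignment": "random",
    "minimum_length_of_password": 5,
    "days_before_forced_password_change": 182,
    "enable_extended_password_security": True,
    "class_of_service": {"staff": {"failed_login_notification": True,
                                   "mailbox_lock_out": True}},
    "mailboxes": {"2001": {"cos": "staff", "failed_login_notification": True,
                           "mailbox_lock_out": True}},
    "supervisor_password_digits": {2: 6, 3: 8},
}
# The same system with several weak settings (constructed).
WEAK = {**HARDENED,
        "unattached_message_mailbox": None,
        "password_assignment": "default",
        "minimum_length_of_password": 4,
        "days_before_forced_password_change": None,
        "mailboxes": {"2001": {"cos": "staff", "failed_login_notification": True,
                               "mailbox_lock_out": False}},
        "supervisor_password_digits": {2: 4, 3: 8}}
```

`audit_m2000(HARDENED)` returns an empty list, and `audit_m2000(WEAK)` returns one finding per weakened setting.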

3 New and Updated Security Checklists

Overview

The following checklists describe security features for a new Lucent Technologies product, the Messaging 2000 Voice Mail System, and update the security feature checklist for several PARTNER communications systems and PARTNER mail systems.

NOTE: The checklists provide space for marking the features as you complete them and for writing notes if necessary.

Messaging 2000 Voice Mail System

See also the general security checklist for all BCS Products in the BCS Products Security Handbook, 555-025-600, Appendix H, and see the security list for the host communications system.

Customer: _________________________________________
PBX Type: _________________________________________
Location: _________________________________________
New Install: _________________________________________
System Upgrade: _________________________________________
Port Additions: _________________________________________

Table 3-1. Messaging 2000 Voice Mail System

Columns to complete for each item: Y/N¹, Note, N/A

System Administration

Passwords

- [Required] Set the Minimum Length of Password parameter on the Subscriber tab in System Setup at least 1 digit higher than the number of digits in system mailboxes.
- [Required] Set the Days Before Forced Password Change parameter on the Subscriber tab in System Setup to require subscribers to regularly change their mailbox passwords. The recommended setting is a value from 182 to 365.
- [Required] Use at least 6-digit level 2 and level 3 supervisor passwords to prevent unauthorized system manager access.
- [Required] All remote access logins to the system must be administered to require the use of a secondary password.
- [Recommended] Use the Randomly Generated method of assigning passwords to new mailboxes.
- [Recommended] Regularly monitor the Uninitialized Mailbox report to determine if subscribers have changed their mailbox passwords. Remind subscribers that have not initialized their mailboxes that they should change their passwords immediately to prevent unauthorized access to their mailboxes.
- [Recommended] Activate the Enable Password Security parameter on the Subscriber tab in System Setup to require subscribers to press the “#” key after they finish entering their passwords.
- [Recommended] Write down level 2 and level 3 passwords and keep them in a secure place.
- [Recommended] Notify the local service provider of any changes to level 2 or level 3 supervisor passwords in case remote maintenance is required.

Login Attempts

- [Required] Enable the Failed Login Notification in subscribers’ classes of service and the Failed Login Notify option on the Subscriber Settings dialog box so the system notifies subscribers when one or more unsuccessful login attempts are made to their mailboxes.
- [Required] Set the Consecutive Login Failures Before Lock-Out parameter on the Subscriber tab in System Setup to specify how many unsuccessful login attempts are allowed before mailboxes are locked.
- [Required] Enable the Mailbox Lock-Out Option in subscribers’ classes of service and the Mailbox Lock-Out option on the Subscriber Settings dialog box to lock subscriber mailboxes after the number of unsuccessful login attempts specified in the Consecutive Login Failures Before Lock-Out parameter have occurred.
- [Recommended] Regularly monitor the Login Failure report to determine if a high number of unsuccessful login attempts are occurring on a mailbox or if the login attempts are occurring after business hours.

Miscellaneous

- [Required] Set the Auto Logoff feature to a low value to ensure that the M2000 system returns to security level 1 after a short period of inactivity.
- [Recommended] When Quick Assist is run in recover mode from the Quick Assist icon in the Lucent folder, specify a Mailbox to Receive Unattached Messages on the Recover Files dialog box.
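
The Login Failure report review that the checklist calls for, sketched as an added example that is not Lucent code. The row layout, the threshold of 5 failures and the 08:00 to 18:00 weekday business hours are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample rows. The "YYYY-MM-DD HH:MM,mailbox" layout is an
# assumption for this example; the real Login Failure report may differ.
SAMPLE_REPORT = """\
1999-05-03 09:14,2041
1999-05-03 09:15,2041
1999-05-04 02:11,2107
1999-05-04 02:12,2107
1999-05-04 02:12,2107
1999-05-04 02:14,2107
1999-05-04 02:15,2107
1999-05-05 13:40,2330
1999-05-08 23:55,9999
"""

def parse_report(text):
    """Yield (timestamp, mailbox) for each well-formed row; skip the rest."""
    for line in text.splitlines():
        stamp, sep, mailbox = line.strip().partition(",")
        if not sep or not mailbox.isdigit():
            continue
        try:
            yield datetime.strptime(stamp, "%Y-%m-%d %H:%M"), mailbox
        except ValueError:
            continue

def after_hours(ts, opens=time(8, 0), closes=time(18, 0)):
    """True outside the assumed business day or on Saturday/Sunday."""
    return ts.weekday() >= 5 or not (opens <= ts.time() < closes)

def triage(text, max_failures=5):
    """Map mailbox -> reasons the system manager should follow up on it."""
    total = defaultdict(int)
    late = defaultdict(int)
    for ts, mailbox in parse_report(text):
        total[mailbox] += 1
        if after_hours(ts):
            late[mailbox] += 1
    flagged = {}
    for mailbox, count in sorted(total.items()):
        reasons = []
        if count >= max_failures:        # many failures on one mailbox
            reasons.append(f"{count} failed logins")
        if late[mailbox]:                # any failure outside business hours
            reasons.append(f"{late[mailbox]} after business hours")
        if reasons:
            flagged[mailbox] = reasons
    return flagged
```

On the sample rows, mailbox 2041 (two daytime failures) is left alone, while 2107 and the Quick Assist default mailbox 9999 are flagged for follow-up.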