Lucent Technologies DEFINITY Enterprise Communication Server Release 8.2 Administrators Guide

DEFINITY ECS Release 8.2
Administrator’s Guide 555-233-506 Issue 1
April 2000
Enhancing system security
307 Preventing toll fraud
11
Set logoff notification and forced password aging when administering logins. You must assign passwords for these logins at setup time.
Establish well-controlled procedures for resetting passwords.
2. Prevent voice mail system transfer to dial tone
Activate “secure transfer” features in voice mail systems.
Place appropriate restrictions on voice mail access/egress ports.
Limit the number of invalid attempts to access a voice mail to five or less.
3. Deny unauthorized users direct inward system access (screen)
If you are not using the Remote Access features, deactivate or disable them.
If you are using Remote Access, require the use of barrier codes and/or authorization codes set for maximum length. Change the codes frequently. It is your responsibility to keep your own records regarding who is allowed to use which authorization code.
4. Place protection on systems that prompt callers to input digits
Prevent callers from dialing unintended digit combinations at prompts.
Restrict auto attendants and call vectors from allowing access to dial tone.
5. Use system software to intelligently control call routing
Create Automatic Route Selection or World Class Routing patterns to control how each call is to be handled.
Use “Time of Day” routing capabilities to limit facilities available on nights and weekends.
Deny all end-points the ability to directly access outgoing trunks.
6. Block access to international calling capability
When international access is required, establish permission groups.
Limit access to only the specific destinations required for business.
7. Protect access to information stored as voice
Password restrict access to voice mail mailboxes.
Use non-trivial passwords and change passwords regularly.
8. Provide physical security for telecommunications assets
Restrict unauthorized access to equipment rooms and wire connection closets.
Protect system documentation and reports data from being compromised.
9. Monitor traffic and system activity for abnormal patterns
Activate features that “turn off” access in response to unauthorized access attempts.
Use Traffic and Call Detail reports to monitor call activity levels.
10. Educate system users to recognize toll fraud activity and react appropriately
From safely using calling cards to securing voice mailbox passwords, train your users on how to protect themselves from inadvertent compromises to the system’s security.
11. Monitor access to the dial-up maintenance port. Change the access password regularly and issue it only to authorized personnel. Consider activating Access Security Gateway.
12. Create a switch system management policy concerning employee turnover and include these actions:
a. Delete any unused voice mailboxes in the voice mail system.
b. Immediately delete any voice mailboxes belonging to a terminated employee.
c. Immediately remove the authorization code if a terminated employee had screen calling privileges and a personal authorization code.
d. Immediately change barrier codes and/or authorization codes shared by a terminated employee. Notify the remaining users of the change.
e. Remove a terminated employee’s login ID if they had access to the system administration interface. Change any associated passwords immediately.
13. Back up system files regularly to ensure a timely recovery. Schedule regular, off-site backups.
14. Callers misrepresenting themselves as the “phone company,” “AT&T,” “RBOCS,” or even known employees within your company may claim to be testing the lines and ask to be transferred to “900,” “90,” or ask the attendant to do “start 9 release.” This transfer reaches an outside operator, allowing the unauthorized caller to place a long distance or international call. Instruct your users to never transfer these calls. Do not assume that if “trunk to trunk transfer” is blocked this cannot happen.
15. Hackers run random generator PC programs to detect dial tone. Then they revisit those lines to break barrier codes and/or authorization codes to make fraudulent calls or resell their services. They do this using your telephone lines to incur the cost of the call. Frequently these call/sell operations are conducted at public payphones located in subways, shopping malls, or airport locations. Refer to ‘‘Remote Access’’ on page 857 to prevent this happening to your company.
Physical security
Physical security is your responsibility. Implement the following safeguards as an added layer of security:
1. Unplug and secure attendant console handsets when the attendant position is not in use.
2. Lock wiring closets and switch rooms.
3. Keep a log book register of technicians and visitors.
4. Shred all switch information or directories you discard.
5. Always demand verification of a technician or visitor by asking for a valid I.D. badge.
6. Keep any reports that may reveal trunk access codes, screen barrier codes, authorization codes, or password information secure.
7. Keep the attendant console and supporting documentation in an office that is secured with a changeable combination lock. Provide the combination only to those individuals who need to enter the office.
8. Keep any documentation pertaining to switch operation secure.
9. Label all backup tapes or flash cards with correct dates to avoid using an outdated one when restoring data. Be sure that all backup media have the correct generic software load.
System security checklist
Here are some of the steps required for indemnification. Use these to analyze your system security.
1. Remove all default factory logins of cust, rcust, browse, nms, and bcms and assign unique logins with 7-character alphanumeric passwords and a 90-day password aging. Use the list logins command to find out what logins are there.
2. If you do not use Remote Access, be sure to disable it permanently.
Tip: You can use the display remote-access command to check the status of your remote access.
To disable Remote Access, on the Remote Access screen, Permanently Disable field, type y. Refer to ‘‘Remote Access’’ on page 857 for more information on remote access.
NOTE: Lucent recommends that you permanently disable Remote Access using the change remote-access command. If you do permanently disable Remote Access, the code is removed from the software. Lucent charges a fee to restore the Remote Access feature.
3. If you use Remote Access, but only for internal calls, change announcements or remote service observing:
a. Use a 7-digit barrier code.
b. Assign a unique Class of Restriction (COR) to the 7-digit barrier code. The unique COR must be administered where the FRL is 0, the Calling Party Restriction field is outward, and the Calling Permissions field is n on all unique Trunk Group COR.
c. Assign Security Violation Notification Remote to 10 attempts in 2 minutes.
d. Set the aging cycle to 90 days with 100 call limit per barrier code.
Refer to ‘‘Remote Access’’ on page 857 for more information.
4. If you use Remote Access to process calls off-net or in any way access the public network:
a. Use a 7-digit barrier code.
b. Assign a unique COR to the barrier code.
c. Restrict the COR assigned to each barrier code by FRL level to only the required calling areas to conduct business.
d. Set the aging cycle to 90 days with 100 call limit per barrier code.
e. Suppress dial tone where applicable.
f. Administer Authorization Codes.
g. Use a minimum of 11 digits (combination of barrier codes and authorization codes).
h. Assign Security Violation Notification Remote to 10 attempts in 2 minutes.
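The Security Violation Notification Remote setting in steps 3c and 4h is a sliding-window count of invalid barrier code attempts. The following added example (written for this page, not a DEFINITY feature or Lucent code) applies that 10-in-2-minutes rule to a constructed list of Remote Access attempts and shows that a slow probe, one invalid code every 30 seconds, never trips it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds from checklist steps 3c and 4h: Security Violation Notification
# (Remote) set to 10 attempts in 2 minutes. Example code for this page only.
SVN_REMOTE_ATTEMPTS = 10
SVN_REMOTE_WINDOW = timedelta(minutes=2)


@dataclass(frozen=True)
class BarrierCodeAttempt:
    when: datetime
    trunk_group: int   # Remote Access trunk group the attempt arrived on
    accepted: bool     # True if the barrier code was valid


def find_svn_violations(attempts, limit=SVN_REMOTE_ATTEMPTS, window=SVN_REMOTE_WINDOW):
    """Return (trunk_group, time) for every point at which `limit` invalid
    barrier code attempts have arrived on one trunk group within `window`.
    Sliding window per trunk group; the counter resets once a violation is
    reported, so one burst produces one notification."""
    violations = []
    recent = {}   # trunk_group -> timestamps of invalid attempts still inside the window
    for a in sorted(attempts, key=lambda x: x.when):
        if a.accepted:
            continue                      # valid codes do not count toward the limit
        q = recent.setdefault(a.trunk_group, [])
        cutoff = a.when - window
        q[:] = [t for t in q if t > cutoff]   # drop attempts older than the window
        q.append(a.when)
        if len(q) >= limit:
            violations.append((a.trunk_group, a.when))
            q.clear()
    return violations


def sample_attempts():
    """Constructed data: a fast burst on trunk group 5 (one invalid code every
    10 s), a slow probe on trunk group 6 (one every 30 s) and one valid code."""
    t0 = datetime(2000, 4, 1, 1, 0, 0)
    burst = [BarrierCodeAttempt(t0 + timedelta(seconds=10 * i), 5, False) for i in range(10)]
    slow = [BarrierCodeAttempt(t0 + timedelta(seconds=30 * i), 6, False) for i in range(10)]
    valid = [BarrierCodeAttempt(t0 + timedelta(seconds=45), 5, True)]
    return burst + slow + valid


if __name__ == "__main__":
    for tg, when in find_svn_violations(sample_attempts()):
        print(f"SVN: {SVN_REMOTE_ATTEMPTS} invalid barrier codes on trunk group {tg} by {when:%H:%M:%S}")
```

The slow probe staying below the threshold is why steps 9 and 18 also ask for Call Detail and traffic reports rather than relying on the notification alone.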
5. If you use vectors:
a. Assign all Vector Directory Numbers (VDN) a unique COR. Refer to DEFINITY ECS Guide to ACD Call Centers for more information.
NOTE: The COR associated with the VDN dictates the calling privileges of the VDN/vector. High susceptibility to toll fraud exists on vectors that have “collect digits” steps. When a vector collects digits, it processes those digits back to the switch and if the COR of the VDN allows it to complete the call off-net, it will do so. For example, the announcement “If you know your party’s 4-digit extension number, enter it now” results in 4 digits being collected in step 6. If you input “90##” or “900#”, the 4 digits are analyzed and if “9” points towards ARS and “0” or “00” is assigned in the ARS Analysis Tables and the VDN COR allows it, the call routes out of the switch to an outside local exchange or long distance operator. The operator then connects the call to the requested number.
b. If vectors associated with the VDN do not require routing the call off-net or via AAR, assign a unique COR where the FRL is 0, the Calling Party Restriction field is outward, and the Calling Permissions field is n on all unique Trunk Group COR.
c. If the vector has a “route-to” step that routes the call to a remote switch via AAR, assign a unique COR with a unique ARS/AAR Partition Group, the lowest FRL to complete an AAR call, and n on all unique COR assigned to your public network trunking facilities on the Calling Permissions. Assign the appropriate AAR route patterns on the AAR Partition Group using the change aar analysis partition x 2 command.
Tip: You can use the display aar analysis print command to print a copy of your Automatic Alternate Routing (AAR) setup before making any changes. You can use the printout to correct any mistakes.
d. If the vector has a “route-to” step that routes the call to off-net, assign a unique COR with a unique ARS/AAR Partition Group, the lowest FRL to complete an ARS call, and n on all unique COR assigned to your public network trunking facilities on the Calling Permissions. Assign the appropriate complete dial string in the “route-to” step of the vector to the unique ARS Partition Group using the change ars analysis partition x 2 command.
6. On the Feature Access Code screen, in the Facility Test Calls Access Code, Data Origination Access Code, and Data Privacy Access Code fields, change from the default or remove them.
NOTE: These codes, when dialed, return system dial tone or direct access to outgoing trunking facilities. Transfers to these codes can take place via an unsecured vector with “collect digits” steps or an unsecured voice mail system.
7. Restrict Call Forwarding Off Net on every class of service. Refer to ‘‘Class of Service’’ on page 532 for more information on Class of Service.
NOTE: You cannot administer loop-start trunks if Call Forwarding Off Net is required.
8. If loop start trunks are administered in the switch and cannot be changed by the Local Exchange Company, block all class of service from forwarding calls off-net. In the Class of Service screen, Restriction Call Fwd-Off Net field, set to y for the 16 (0-15) COS numbers. Refer to ‘‘Class of Service’’ on page 532 for more information.
NOTE: If a station is call forwarded off-net and an incoming call to the extension establishes using a loop-start trunk, incorrect disconnect supervision can occur at the Local Exchange Central Office when the call terminates. This gives the caller recall or transfer dial tone to establish a fraudulent call.
9. Administer Call Detail Recording on all trunk groups to record both incoming and outgoing calls. Refer to ‘‘Collecting information about calls’’ on page 439 for more information.
10. On the ‘‘Route Pattern’’ on page 865, be careful assigning route patterns with an FRL of 0; these allow access to outgoing trunking facilities. Lucent recommends assigning routes with an FRL of 1 or higher.
NOTE: An exception might be assigning a route pattern with an FRL of 0 to be used for 911 calls so even restricted users may dial this in emergencies.
Tip: You can use the list route-pattern print command to print a copy of your facility restriction levels (FRL) and check their status.
11. On all trunk group screens, set the Dial Access field to n. If set to y, it allows users to dial Trunk Access Codes, thus bypassing all the ARS call screening functions. Refer to ‘‘Trunk Group’’ on page 967 for more information.
12. On the ‘‘AAR and ARS Digit Analysis Table’’ on page 451, set all dial strings not required to conduct business to den (deny).
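The note under step 5, step 10 (route pattern FRLs) and step 12 (den entries in ARS analysis) describe three places where the same collected digits are either allowed through or stopped. The following added example (written for this page; it is not the switch's call processing, and the COR numbers, route pattern and check order are constructed simplifications) models those checks and runs the note's “90##” and “900#” inputs against a lax VDN COR and one administered as step 5b says. The ARS access code “9” is taken from the note.

```python
from dataclasses import dataclass, field

ARS_FAC = "9"   # ARS feature access code from the note's example (assumed here)


@dataclass
class COR:
    """Class of Restriction fields the checklist tells you to set on a VDN COR."""
    frl: int                        # Facility Restriction Level, 0 (most restricted) to 7
    calling_party_restriction: str  # "outward" blocks calls to the public network
    calling_permissions: dict = field(default_factory=dict)  # trunk group COR -> "y"/"n"


@dataclass
class RoutePattern:
    name: str
    frl: int        # caller's COR FRL must be at least this to use the pattern
    trunk_cor: int  # COR of the trunk group the pattern seizes


def route_collected_digits(vdn_cor, digits, ars_table, route_patterns):
    """Decide whether digits a vector collected and handed back to the switch
    complete off-net. Returns (completes_off_net, reason). Simplified model of
    the checks the checklist describes, not DEFINITY call processing."""
    dialed = digits.rstrip("#")                  # '#' only terminates digit collection
    if not dialed.startswith(ARS_FAC):
        return False, "collected digits do not reach ARS"
    ars_string = dialed[len(ARS_FAC):]
    target = ars_table.get(ars_string, "den")    # model assumption: no entry is treated as den
    if target == "den":
        return False, f"ARS analysis denies '{ars_string}'"
    pattern = route_patterns[target]
    if vdn_cor.calling_party_restriction == "outward":
        return False, "VDN COR Calling Party Restriction is outward"
    if vdn_cor.frl < pattern.frl:
        return False, f"VDN COR FRL {vdn_cor.frl} is below route pattern FRL {pattern.frl}"
    if vdn_cor.calling_permissions.get(pattern.trunk_cor, "n") != "y":
        return False, f"Calling Permissions is n for trunk group COR {pattern.trunk_cor}"
    return True, f"completes off-net via {pattern.name} with dial string '{ars_string}'"


# Constructed sample configuration: route pattern p1 reaches the public network
# trunk group (COR 10) with the FRL 0 that step 10 warns about, and ARS analysis
# still carries the operator strings "0" and "00" from the note.
ROUTE_PATTERNS = {"p1": RoutePattern("p1 (local exchange operator)", frl=0, trunk_cor=10)}
ARS_TABLE_OPEN = {"0": "p1", "00": "p1"}
LAX_VDN_COR = COR(frl=7, calling_party_restriction="none", calling_permissions={10: "y"})
# VDN COR administered as step 5b says: FRL 0, outward, n on all trunk group CORs.
SECURED_VDN_COR = COR(frl=0, calling_party_restriction="outward", calling_permissions={10: "n"})


def audit_vector_digits(vdn_cor, ars_table, probes=("90##", "900#", "1234")):
    """Return the probe inputs from the note that would complete off-net."""
    return [d for d in probes if route_collected_digits(vdn_cor, d, ars_table, ROUTE_PATTERNS)[0]]


if __name__ == "__main__":
    for label, cor in (("lax VDN COR", LAX_VDN_COR), ("secured VDN COR", SECURED_VDN_COR)):
        print(f"{label}: {audit_vector_digits(cor, ARS_TABLE_OPEN)} complete off-net")
```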
13. If you require international calling, on the ‘‘AAR and ARS Digit Conversion Table’’ on page 455, use only the 011+ country codes/city codes or specific dial strings.
14. Assign all trunk groups or same trunk group types a unique Class of Restriction. If the trunk group does not require networking through your switch, administer the Class of Restriction of the trunk group where the FRL is 0, the Calling Party Restriction field is outward, and all unique Class of Restriction assigned to your outgoing trunk groups are n. Refer to ‘‘Class of Restriction’’ on page 520 for more information.
Tip: You can use the list trunk-group print command to have a printout of all your trunk groups. Then, you can use the display trunk-group x command (where x is the trunk group) to check the Class of Restriction (COR) of each trunk group.
15. For your AUDIX, on the System Appearance screen, set:
• the Enhanced Call Transfer field to y.
• the Transfer Type field to enhanced. If set to basic, set the Transfer Restriction field to subscribers. Refer to ‘‘Feature-Related System Parameters’’ on page 632 for more information.
NOTE: The Class of Restriction of the voice mail ports dictates the calling restrictions of the voice mail. If the above settings are not administered correctly, the possibility exists to complete a transfer to trunk access codes or ARS/AAR feature codes for fraudulent purposes. Never assign mailboxes that begin with the digits or trunk access codes of ARS/AAR feature access codes. Require your users to use a mailbox password length greater than the amount of digits in the extension number.
16. Lucent recommends you administer the following on all voice mail ports:
• Assign all voice mail ports a unique Class of Restriction. Refer to ‘‘Class of Restriction’’ on page 520 for more information.
• If you are not using outcalling, fax attendant, or networking, administer the unique Class of Restriction where the FRL is 0, the Calling Party Restriction field is outward, and all unique trunk group Class of Restriction on the Calling Permissions are n. Refer to ‘‘Class of Restriction’’ on page 520 for more information.
NOTE: Lucent recommends you administer as many layers of security as possible. You can implement steps 9 and 16 as a double layer of security. In the event that the voice mail becomes unsecured for any reason, the layer of security on the switch takes over, and vice versa.
17. Administer the analog voice ports of all fax machines, modems, and answering machines as follows:
• Set the Switchhook Flash field to n.
• Set the Distinctive Audible Alert field to n. Refer to ‘‘Station’’ on page 882 for more information.
18. Install a Call Accounting System to maintain call records. In the CDR System Parameters screen, Record Outgoing Calls Only field, set to y. Refer to ‘‘CDR System Parameters’’ on page 508 for more information.
NOTE: Call Accounting Systems produce reports of call records. They detect phones that are being hacked by recording the extension number, date and time of the call, and what digits were dialed.
Adding logins and passwords
This section shows you how to add a user and their password. To add a login, you must be a superuser with authority to administer permissions.
When adding logins, remember the following:
• Type the new login name as part of the add command. The name must be 3–6 alphanumeric characters in length, and can contain the characters 0-9, a-z, A-Z.
• The password must be from 7 to 11 alphanumeric characters in length and contain at least 1 non-alphabetic character.
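The login and password rules above, together with checklist step 1 (remove the factory logins, 90-day aging) and the Disable Following a Security Violation field, can be checked before anything is typed at the SAT. The following added example (written for this page, not a DEFINITY command or Lucent code) encodes those rules and audits a constructed set of login records; the record fields and the treatment of an aging cycle of 0 as “never ages” are assumptions.

```python
import re
from dataclasses import dataclass

# Rules from this page: checklist step 1 and the "Adding logins and passwords"
# requirements. Example code for this page only; not part of DEFINITY.
DEFAULT_FACTORY_LOGINS = {"cust", "rcust", "browse", "nms", "bcms"}
MAX_AGING_DAYS = 90                                   # 90-day password aging
LOGIN_NAME_RE = re.compile(r"^[0-9a-zA-Z]{3,6}$")     # 3-6 chars from 0-9, a-z, A-Z
PASSWORD_RE = re.compile(r"^[0-9a-zA-Z]{7,11}$")      # 7-11 alphanumeric chars


def login_name_problems(name):
    problems = []
    if name in DEFAULT_FACTORY_LOGINS:
        problems.append("default factory login; remove it and assign a unique login")
    if not LOGIN_NAME_RE.match(name):
        problems.append("login name must be 3-6 characters from 0-9, a-z, A-Z")
    return problems


def password_problems(password):
    problems = []
    if not PASSWORD_RE.match(password):
        problems.append("password must be 7-11 alphanumeric characters")
    if not re.search(r"[^a-zA-Z]", password):
        problems.append("password must contain at least 1 non-alphabetic character")
    return problems


@dataclass
class LoginRecord:
    """Login Administration screen fields this check looks at (assumed layout)."""
    name: str
    aging_days: int        # Password Aging Cycle Length (Days); 0 taken to mean no aging
    disable_on_svn: str    # Disable Following a Security Violation? y/n


def audit_logins(records):
    """Return (login, problem) pairs for every record that misses the page's rules."""
    findings = []
    for r in records:
        for p in login_name_problems(r.name):
            findings.append((r.name, p))
        if not 1 <= r.aging_days <= MAX_AGING_DAYS:
            findings.append((r.name, f"password aging must be 1-{MAX_AGING_DAYS} days, not {r.aging_days}"))
        if r.disable_on_svn != "y":
            findings.append((r.name, "Disable Following a Security Violation should be y"))
    return findings


# Constructed sample of what a list logins review might turn up.
SAMPLE_LOGINS = [
    LoginRecord("angi3", 30, "y"),   # the login added in the instructions below
    LoginRecord("cust", 0, "n"),     # factory login that was never replaced
    LoginRecord("ab", 365, "y"),     # name too short, password ages too slowly
]

if __name__ == "__main__":
    for name, problem in audit_logins(SAMPLE_LOGINS):
        print(f"{name}: {problem}")
    print("b3stm0m accepted" if not password_problems("b3stm0m") else "b3stm0m rejected")
```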
Instructions
We will add the login angi3 with the password b3stm0m. We also will require the user to change their password every 30 days.
To add new logins and passwords:
1. Type add login angi3 and press RETURN.
The Login Administration screen appears. The Login’s Name field shows the name you typed in the add command.
2. In the Password of Login Making Change field, type your superuser password.
3. In the Disable Following a Security Violation field, type y to disable this login following a login security violation.
This field appears only if, on the Security-Related System Parameters screen, the SVN Login Violation Notification field is y.
4. In the Login’s Password field, type b3stm0m.
The password does not appear on the screen as you type.
5. In the Reenter Login’s Password field, retype b3stm0m.
6. In the Password Aging Cycle Length (Days) field, type 30.
This requires the user to change the password every 30 days.
7. Press ENTER to save your changes.
Now you need to set the permissions for this new login.
     LOGIN ADMINISTRATION
                   Password of Login Making Change:
               LOGIN BEING ADMINISTERED
                                  Login’s Name: angi3
                                    Login Type:
                                 Service Level:
        Disable Following a Security Violation?
      Access to INADS Port? _
              LOGIN’S PASSWORD INFORMATION
                              Login’s Password:
                      Reenter Login’s Password:
    Password Aging Cycle Length (Days): 30
    LOGOFF NOTIFICATION
    Facility Test Call Notification? y  Acknowledgment Required? y
    Remote Access Notification? y  Acknowledgment Required? y
    ACCESS SECURITY GATEWAY PARAMETERS
    Access Security Gateway? n 
8. Type change permissions angi3 and press RETURN.
The Command Permission Categories screen appears.
9. In the Administer Stations field, type y.
This allows your user to add, change, duplicate, or remove stations, data modules and associated features.
10. In the Additional Restrictions field, type y.
A y in this field brings up the second and third pages of this screen.
11. In the first field, type vdn.
This restricts your user from administering a VDN.
12. Press ENTER to save your changes.
     
                               COMMAND PERMISSION CATEGORIES
                                 Login Name: angi3
       COMMON COMMANDS
                      Display Admin. and Maint. Data? n
                                 System Measurements? n
       ADMINISTRATION COMMANDS
             Administer Stations? y Administer Features? n
               Administer Trunks? n Administer Permissions? n
         Additional Restrictions? y
       MAINTENANCE COMMANDS
               Maintain Stations? n       Maintain Switch Circuit Packs? n
                 Maintain Trunks? n      Maintain Process Circuit Packs? n
                Maintain Systems? n  Maintain Enhanced DS1? n 
     
    COMMAND PERMISSION CATEGORIES
                                  RESTRICTED OBJECT LIST
               vdn  ______________________
               _______________________        ______________________
               _______________________        ______________________
               _______________________        ______________________
               _______________________        ______________________
               _______________________        ______________________
               _______________________        ______________________
               _______________________        ______________________
               _______________________        ______________________
               _______________________        ______________________ 