From Voice Video Endpoint Security Requirements Guide
Part of SRG-NET-000512-VVEP-00052
Associated with: CCI-000366
Hardware Voice Video Endpoints sometimes contain a web server for the implementation of various functions and features. In many cases these are used to configure the network settings or user preferences on the device. In some Voice Video Endpoints, a user can access a missed call list, call history, or other information. If access to such a web server is not restricted to authorized entities, the device supporting it is subject to unauthorized access and compromise.
If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable. If the hardware Voice Video Endpoint does not contain a web server, this check procedure is Not Applicable. Verify the hardware Voice Video Endpoint disables or restricts built-in web servers. Web servers embedded in hardware Voice Video Endpoints must be restricted to authorized entities’ devices through an authentication mechanism or, minimally, through IP address filtering, or be otherwise disabled. Additionally, the connection must be for direct user or administrative functions. If the hardware Voice Video Endpoint does not disable or restrict built-in web servers, this is a finding.
Configure the hardware Voice Video Endpoint to disable or restrict built-in web servers.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer