The organization must document procedures of the Voice Video access control policy for the configuration and display of endpoint password/PIN.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300042

Associated with: CCI-002163

VVSP-01-000007_rule The organization must document procedures of the Voice Video access control policy for the configuration and display of endpoint password/PIN.

Vulnerability discussion

During Voice Video endpoint registration with the session controller, a file containing specific configuration settings is downloaded by the endpoint from the session manager. This file contains the phone number assigned to the endpoint, the IP addresses for session management, the software menus specific to the system, the endpoint configuration password, the stored personal preferences and speed dial numbers, and other system operational information. These configuration settings can be updated by resetting and re-registering the endpoint, which causes an updated configuration file to be downloaded.

The network configuration information and settings on a Voice Video hardware endpoint must be protected by a password or PIN. Voice Video endpoints do not typically provide automated PIN/password management. PINs that are not managed or required to be changed are most likely never changed; therefore, they are easily compromised or guessed. Additionally, as SA personnel change, the group passwords and PINs they know and use must be changed. Therefore, the organization must have and follow a policy and procedure for managing the passwords or PINs used to access the local VoIP phone network configurations. Such a standard operating procedure should address password/PIN complexity (length and character mix), expiration, change intervals, other conditions requiring a change, reuse, protection, and storage.

NOTE: Most instruments will only accept numerical input; therefore, a PIN is used. Some instruments may accept alpha characters for passwords. These factors help determine the password/PIN complexity that is achievable.

Check content

Review the procedures to facilitate organization-specific Voice Video access control policy and associated access controls. Verify the procedures of the Voice Video access control policy for the configuration and display of endpoint password/PIN are documented and enforced. Confirm that Voice Video endpoint password/PIN settings meet DoD password policies for length, complexity, expiration, change intervals, and other conditions to change configuration of the endpoint. If the organization does not document and enforce procedures of the Voice Video access control policy for the configuration and display of endpoint password/PIN, this is a finding.

Fix text

Develop and document procedures implementing the Voice Video access control policy for the configuration and display of endpoint password/PIN. The procedures must meet DoD password policies for length, complexity, expiration, change intervals, and other conditions as determined by local authority. NOTE: Most instruments will only accept numerical input; therefore, a PIN is used. Some instruments may accept alpha characters for passwords. These factors help determine the password/PIN complexity that is achievable.
