01-28-2010 07:01 AM - edited 03-19-2019 12:22 AM
We have a customer that has been audited and the following items were found on the Unity Server:
Affected Hosts:
Unity Server IP
Explanation: These hosts are running a MSSQL database server which is accessible from the network.
Depending on the sensitivity of data in the database, it is generally best practice to block traffic to database ports that does not come from required hosts.
Risk Consequence: Not Best Practice
Recommendation: If possible, only allow required hosts to connect to sensitive databases. This includes not allowing machines to connect from the network at all if the database is only used locally.
Vulnerability: LDAP NULL BASE/NULL BIND
Affected Hosts:
Unity Server IP
Explanation: These hosts are running an LDAP server which allows queries with the BASE directory set to NULL. Additionally, anonymous queries are allowed using a NULL BIND. These settings could allow anyone to connect to the LDAP server and easily extract directory information without any prior knowledge.
Risk Consequence: Information Leakage
Recommendation: Unless they are required, NULL BASE queries and NULL BIND should be disabled on these servers.
The Unity Server is the Domain Controller and it is the only server in the domain. Is it possible from the server to correct these findings?
Thanks,
Joe
02-03-2010 12:21 PM
Hi -
Here is a link to the Unity security guide for your review - http://www.cisco.com/en/US/docs/voice_ip_comm/unity/42/security/guide/ex/usgex4x.pdf
Also, this specific link refers to the TCP/UDP ports required by Unity to function - http://www.cisco.com/en/US/docs/voice_ip_comm/unity/42/security/guide/ex/usg001.html#wp1080978
As you are running a voicemail only configuration, you may not have much user access to the server except for administration, unless you have the Unity Inbox enabled for your users to check voice messages from the web in addition to their phones. As the guide mentions, if you are running antivirus software and a compatible version of the headless intrusion detection client CSA, you should be OK. Please review any caveat mentioned in the guide, as blocking ports or altering access to Unity can affect your voicemail operation.
Regards, Ginger
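An added example, not part of either post above and not Cisco or auditor code: a re-test for the NULL BIND half of the LDAP finding, to run against a server you administer after changing its settings. It builds the LDAPv3 anonymous bind message and decodes the server's BindResponse; the function names and the sample responses are constructed for illustration, and the NULL BASE query is not covered.

```python
import socket

def tlv(buf, pos=0):
    """Read one BER element; return (tag, value, offset of the next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def anonymous_bind_request(msg_id=1):
    """LDAPv3 BindRequest with empty name and empty simple password (NULL BIND)."""
    # version=3, name="", simple authentication="" ; msg_id must be below 128
    op = bytes([0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00])
    body = bytes([0x02, 0x01, msg_id, 0x60, len(op)]) + op
    return bytes([0x30, len(body)]) + body

def bind_result_code(response):
    """Return resultCode from an LDAP BindResponse (0 means the bind was accepted)."""
    tag, message, _ = tlv(response)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = tlv(message)               # skip messageID
    tag, op, _ = tlv(message, pos)
    if tag != 0x61:                        # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    tag, code, _ = tlv(op)
    if tag != 0x0A:                        # ENUMERATED resultCode
        raise ValueError("resultCode missing")
    return int.from_bytes(code, "big")

def null_bind_accepted(host, port=389, timeout=5):
    """Send one anonymous bind to the given server and report whether it succeeded."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(anonymous_bind_request())
        return bind_result_code(s.recv(4096)) == 0

# Constructed sample responses (not captured from any real server).
SAMPLE_SUCCESS = bytes.fromhex("300c02010161070a010004000400")  # resultCode 0
SAMPLE_REFUSED = bytes.fromhex("300c02010161070a013004000400")  # resultCode 48

if __name__ == "__main__":
    print(bind_result_code(SAMPLE_SUCCESS), bind_result_code(SAMPLE_REFUSED))
```

Result code 48 is `inappropriateAuthentication` in RFC 4511; any non-zero code from `bind_result_code` means the server refused the anonymous bind.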