STIGQter: STIG Summary: Voice/Video over Internet Protocol (VVoIP) STIG Version: 3 Release: 14 Benchmark Date: 26 Apr 2019:

The extension mobility feature must only be enabled per user when specific security features are configured.

DISA Rule

SV-23732r3_rule

Vulnerability Number

V-21520

Group Title

VVoIP 1670

Rule Version

VVoIP 1670

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Configure the extension mobility feature only when enabled per user. Confirm the following specific security features are configured:
- The feature is enabled/disabled on a per user basis.
- Feature activation requires user authentication minimally using a user unique PIN (preferably including a unique user ID)
- Feature is not activated using a common activation code, or feature button on the phone.
- The user (or system administrator) can manually disable the feature at their discretion.
- The user may have the capability to set duration when activating the feature. (Optional)
- The feature automatically deactivates based on a period of inactivity or the time of day.

Check Contents

If the extension mobility feature of the VVoIP system cannot be configured per user or is globally disabled, this is not applicable.

Interview the ISSO to validate compliance with the following requirement:

Verify the configuration for the extension mobility feature is only available when enabled per user. Confirm the following specific security features are configured:
- The feature is enabled/disabled on a per user basis.
- Feature activation requires user authentication minimally using a user unique PIN (preferably including a unique user ID)
- Feature is not activated using a common activation code, or feature button on the phone.
- The user (or system administrator) can manually disable the feature at their discretion.
- The user may have the capability to set duration when activating the feature. (Optional)
- The feature automatically deactivates based on a period of inactivity or the time of day.

If the extension mobility feature is enabled and does not meet the above specific security features, this is a finding.

Vulnerability Number

V-21520

Documentable

False

Rule Version

VVoIP 1670

Severity Override Guidance

If the extension mobility feature of the VVoIP system cannot be configured per user or is globally disabled, this is not applicable.

Interview the ISSO to validate compliance with the following requirement:

Verify the configuration for the extension mobility feature is only available when enabled per user. Confirm the following specific security features are configured:
- The feature is enabled/disabled on a per user basis.
- Feature activation requires user authentication minimally using a user unique PIN (preferably including a unique user ID)
- Feature is not activated using a common activation code, or feature button on the phone.
- The user (or system administrator) can manually disable the feature at their discretion.
- The user may have the capability to set duration when activating the feature. (Optional)
- The feature automatically deactivates based on a period of inactivity or the time of day.

If the extension mobility feature is enabled and does not meet the above specific security features, this is a finding.

Check Content Reference

M

Target Key

3407

Comments