Security Best Practices
Change every default password to a unique one, and never set an extension's password to its extension number. Choose complex passwords: where possible, require alphanumeric passwords of the maximum length the system allows.
Institute mechanisms to ensure employees change their passwords and access codes/PINs regularly, and delete former employees' passwords immediately following separation. Usernames and passwords should be erased when phones are repurposed or reassigned.
Consider limiting the maximum number of trunk calls and the maximum number of calls per extension in accordance with your company-specific requirements. When configuring your PBX, adhere to the following:
- Update your server’s operating system and all associated software/firmware to the latest version and ensure all the latest security patches are enabled.
- Configure IVRs to use a timeout-based call-disconnect rule; failing to do so can leave calls connected for long periods.
- Disable remote notification, auto-attendant, call-forwarding and out-paging features if you do not use them.
Dial Plan Restrictions
It is important that you restrict your dial plan. If you do not make international calls, do not allow users to dial 011 as their first three digits. If you do make international calls, consider restricting allowable dial strings to only the country codes where you place calls.
Note: Do not forget to protect your dial plan against Caribbean dialing. Caribbean destinations within the North American Numbering Plan are dialed as 1 plus a three-digit area code, exactly like domestic numbers, so they bypass an 011-only restriction while still being billed at international rates. Consult a current list of country calling codes and NANP area codes when building your restrictions.
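The restriction logic described above, as an added example that is not part of the original page: a dial-string policy check that blocks 011 unless the country code is allowlisted, treats Caribbean area codes separately from domestic ones, and normalises "+" and "011 1" prefixes so they cannot slip past an 011-only rule. The Caribbean area-code set is a constructed, partial list for illustration.

```python
import re

# Constructed, partial set of NANP area codes assigned to Caribbean countries.
# They are dialed like domestic 1+NPA numbers but billed at international
# rates; verify this list against current NANP assignments before relying on it.
CARIBBEAN_NPAS = {
    "242", "246", "264", "268", "284", "345", "441", "473", "649", "664",
    "721", "758", "767", "784", "809", "829", "849", "868", "869", "876",
}


def classify(dialed):
    """Return (kind, detail): internal, domestic, caribbean, international
    or unknown. A leading '+' is treated like 011, since SIP endpoints can
    send E.164 numbers, and '+1'/'011 1' followed by a NANP number is
    folded back into the NANP rules so Caribbean codes are still caught."""
    s = dialed.strip()
    digits = re.sub(r"\D", "", s)
    intl = None
    if s.startswith("+"):
        intl = digits                      # +CC...    -> CC...
    elif digits.startswith("011"):
        intl = digits[3:]                  # 011CC...  -> CC...
    if intl is not None:
        if len(intl) == 11 and intl[0] == "1":
            digits = intl                  # NANP number behind a prefix
        else:
            return "international", intl
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]                # 1NPANXXXXXX -> NPANXXXXXX
    if len(digits) == 10:
        npa = digits[:3]
        return ("caribbean" if npa in CARIBBEAN_NPAS else "domestic"), npa
    if 3 <= len(digits) <= 5:
        return "internal", digits          # an extension on the PBX
    return "unknown", digits


def is_permitted(dialed, allowed_country_codes=(), allow_caribbean=False):
    """Policy from the text: internal and domestic calls pass, Caribbean NPAs
    are blocked unless explicitly allowed, and international calls pass only
    when the dialed country code is on the allowlist (empty = none allowed)."""
    kind, detail = classify(dialed)
    if kind in ("internal", "domestic"):
        return True, kind
    if kind == "caribbean":
        return allow_caribbean, f"caribbean NPA {detail}"
    if kind == "international":
        for cc in sorted(allowed_country_codes, key=len, reverse=True):
            if detail.startswith(cc) and len(detail) > len(cc):
                return True, f"international +{cc}"
        return False, "international destination not on allowlist"
    return False, f"unrecognised dial string {detail!r}"
```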
If your PBX supports access lists for IP authorization, keep them extremely conservative, and limit VoIP registrations to the office network or other trusted networks.
If the PBX is configurable via a web browser GUI, it should not be reachable from a public IP address. If you must change your PBX configuration from outside your network, enable remote access only while you are working on the configuration and remove it immediately when your updates are complete.
Please remember to enable VoIP logging to monitor activity, and check firewall logs regularly to identify potential threats. In addition, assess the security of all PBX peripherals and applications regularly, including the platform, operating system, passwords, and permissions scheme.
VoIP, unfortunately, is a high-value target for hackers. The measures above are a few things you should do to ensure that your PBX installation is secure and well protected against the common attack vectors for this technology.