Understanding security warnings
The page displays a list of active security warnings for the MCU. To access this information, go to . Security warnings identify potential weaknesses in the security of the MCU's configuration. For more information on configuring security settings, refer to Configuring security settings. For more detailed information on the security status, refer to Displaying security status.

The table below details the warnings that appear, and the relevant actions needed to rectify them.

Warning | Action | Explanation |
---|---|---|
Advanced password security is disabled | Enable advanced account security mode in security settings | If advanced account security mode is not enabled, passwords are stored in plain text in the configuration file and are therefore insecure. To enable advanced account security mode, go to and enable Advanced account security mode. |
Hide log messages on console is disabled | Enable hide log messages on console in serial console settings | To hide log messages on the console, go to and select Hide log messages on console. This will stop event messages appearing on the console. |
Require administrator login to console is disabled | Enable require administrator login in serial console settings | With this setting enabled, you must log in using an admin account to access serial console commands; in this way the serial console will be more secure. To do this, go to and select Require administrator login. |
Guest account is enabled | Disable the guest account. | By default the guest user account is assigned the privilege of 'conference list only', meaning that users who log in as guest can view the list of active conferences and change their own profile. Disabling the guest account makes the MCU more secure. To disable the guest account, go to and select Guest. Select Disable user account. |
Admin account has default username | Change the admin account username | The MCU must have at least one configured user with administrator privileges. By default, the User ID is "admin" and no password is required. To change the admin account username, go to and select admin. Enter a new username in the User ID field and click . |
Unsecured FTP service is enabled | Disable FTP in network TCP services | Information sent using FTP is unencrypted and sent in plain text; therefore, it is possible for people to discover usernames and passwords easily. To disable FTP, go to and deselect the FTP check box. |
Unsecured HTTP service is enabled | Disable HTTP in network TCP services | Information sent using HTTP (Web) is unsecured and not encrypted. To disable HTTP, go to and deselect Web. We recommend that you enable Secure web. |
Unsecured SNMP service is enabled | Disable SNMP in network UDP services | Information sent using SNMP is unencrypted and sent in plain text; therefore, it is possible for people to discover usernames and passwords easily. To disable SNMP, go to and deselect SNMP. |
Auto-refresh of web pages is enabled | Change auto-refresh interval to "No auto-refresh" | If your MCU is set to auto-refresh, it could mean that on an idle MCU a session will never time out. To turn off auto-refresh, go to and change Status page auto-refresh interval to No auto-refresh. |
Audit logging of configuration changes is disabled | Enable the audit log | If the audit log is disabled, the MCU will not create an audit log. To enable audit logs, go to and select . For more information on the audit log, refer to Configuring security settings. |
Audit logs dropped due to lack of compact flash, audit system integrity compromised | Check system configuration for possible security changes | If no compact flash card is installed in the MCU, logs are only stored up to a maximum of 200 events. The 200 events do not 'wrap', and therefore when the maximum is reached the log is deleted and started over again. To rectify this problem, insert a compact flash card. For more information on the audit log, refer to Configuring security settings. |
Audit logs hash check failed, audit system integrity compromised | Check system configuration for possible security changes | If audit log checks fail, it is possible that your MCU has been compromised. For example, someone may have taken the compact flash card out and deleted some audit logs. For more information on the audit log, refer to Configuring security settings. |
Compact flash card not present, audit and CDR logs will not be saved | Insert a compact flash card or check whether the existing compact flash card is functional | If no compact flash card is installed in the MCU, logs are only stored up to a maximum of 200 events. The 200 events do not 'wrap', and therefore when the maximum is reached the log is deleted and started over again. The MCU will give you this warning when you are nearing the 200 maximum. To rectify this problem, insert a compact flash card. |
Call encryption is disabled | Enable call encryption | When encryption status is Disabled, no calls on the MCU will be able to use encryption. To enable encryption, go to . For Encryption status, select Enabled. |
Audit log above 75% capacity | Download and delete audit logs | The audit log has a maximum capacity of 100,000 audit events, or the size limit of the compact flash card. When you are nearing either of these limits, the MCU will give you this warning. If you reach full capacity of the compact flash card, the MCU will 'wrap', meaning that older logs will be deleted. To rectify this problem, download and clear the audit log. To do this, go to and select . Once this has completed, click . |
Audit log above 90% capacity | Download and delete audit logs. | The audit log has a maximum capacity of 100,000 audit events, or the size limit of the compact flash card. When you are nearing either of these limits, the MCU will give you this warning. If you reach full capacity of the compact flash card, the MCU will 'wrap', meaning that older logs will be deleted. To rectify this problem, download and clear the audit log. To do this, go to and select . Once this has completed, click . |
Streaming enabled | Disable streaming. | Streaming connections are not connected using HTTPS and are therefore less secure. To disable streaming, go to . Under , for Enable select None. |
ConferenceMe enabled | Disable ConferenceMe. | To disable ConferenceMe, go to . In the section, for Enable select None. |
Streaming enabled but streaming participants overlaid icon disabled | Enable streaming participants overlaid icon. | The MCU provides icons in the corner of the video screen to give participants information about the conference. See Using in-conference features with video endpoints to see all in-conference icons and their descriptions. To enable the icons, go to . For Overlaid icons, select the icons you would like to be visible to participants. |
Audio participants overlaid icon disabled | Enable audio participants overlaid icon. | |
Unsecured conferences overlaid icon disabled | Enable unsecured conferences overlaid icon. | |
Recording indicator overlaid icon disabled | Enable recording indicator overlaid icon. | |
Encryption not available on this device | Add feature key for encryption. | To use encryption on your MCU you must have the Encryption feature key installed. To purchase this feature key, contact your reseller. |
Default encryption setting for new ad hoc conferences set to optional | Set encryption to required in the template for new ad hoc conferences. | When encryption status is Enabled, the MCU advertises itself as being able to use encryption and will use encryption if required to do so by an endpoint. To rectify this problem, go to . Set Encryption to Required. To use encryption on your MCU you must have the Encryption feature key installed. To purchase this feature key, contact your reseller. |
SRTP encryption disabled | Enable SRTP encryption. | When SRTP is disabled, the MCU will not advertise that it is able to encrypt using SRTP. To rectify this problem, go to . For SRTP encryption, select Secure transports (TLS) only. This means that if encryption is used for a call, the media will only be encrypted in calls that are set up using TLS. |
SRTP encryption enabled for all transports, including insecure transports (UDP and TCP) | Enable SRTP encryption for secure transports (TLS) only. | To rectify this problem, go to . For SRTP encryption, select Secure transports (TLS) only. This means that if encryption is used for a call, the media will only be encrypted in calls that are set up using TLS. |
Default encryption setting for new scheduled conferences set to optional | Set encryption to required in the top level conference template. | When you (or another user) create a new conference (by choosing and clicking ), you can set the encryption setting for the conference to be either Optional or Required. To ensure that all new scheduled conferences use encryption, go to and for Encryption, select Required. |
Streaming page is public | Disable public streaming page. | You can allow users access to the streaming list pages without having to authenticate with the MCU. By default, these pages are accessible to users who have not logged in. To force users to authenticate before they can access the streaming page, go to , and in the section, deselect Streaming. |
Conference list page is public | Disable public conference list page. | You can allow users access to the conference list pages without having to authenticate with the MCU. By default, these pages are accessible to users who have not logged in. To force users to authenticate before they can access the conference list page, go to , and in the section, deselect Conference list. |
Shell not secured for startup | Disable the serial input during startup. | If Disable serial input during startup isn't selected, the serial console is not protected during application startup. This means users will have access to debug services in the operating system. To disable this, go to , and select Disable serial input during startup. |
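
Why deleting records from a removed card can surface as "Audit logs hash check failed", shown as an added illustration that is not TANDBERG's code. This page does not document the MCU's hashing scheme, so the sketch assumes a keyed hash chain (HMAC-SHA-256); the key, record format, sample events and function names are all hypothetical.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # fixed start value for the chain (assumption)

def seal(events, key):
    """Return [(event, tag)]; each tag covers the event and the previous tag."""
    sealed, prev = [], GENESIS
    for event in events:
        tag = hmac.new(key, prev + event.encode(), hashlib.sha256).digest()
        sealed.append((event, tag))
        prev = tag
    return sealed

def verify(sealed, key, expected_count=None):
    """Return the index of the first record that fails, or None if intact.

    expected_count is a record counter kept off the card; without it,
    removal of the newest records leaves a shorter but valid chain.
    """
    prev = GENESIS
    for i, (event, tag) in enumerate(sealed):
        good = hmac.new(key, prev + event.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, tag):
            return i
        prev = tag
    if expected_count is not None and len(sealed) != expected_count:
        return len(sealed)
    return None

# Constructed sample data, not real MCU audit events.
KEY = b"constructed-demo-key"  # would be held on the device, not on the card
EVENTS = [
    "admin logged in",
    "FTP service enabled",
    "guest account enabled",
    "admin logged out",
]

if __name__ == "__main__":
    log = seal(EVENTS, KEY)
    print("intact:", verify(log, KEY, len(EVENTS)))
    print("record 1 deleted:", verify(log[:1] + log[2:], KEY, len(EVENTS)))
    print("tail removed:", verify(log[:-1], KEY, len(EVENTS)))
```

A deletion in the middle breaks the chain at the first record after the gap, while removal of the newest records is only caught by the separately stored count.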
(c) Copyright TANDBERG 2003-2010, License information |