Unity 4.0(5) Audit items

Unanswered Question
Jan 28th, 2010

We have a customer that has been audited and the following items were found on the Unity Server:

Affected Hosts:
Unity Server IP
Explanation: These hosts are running a MSSQL database server which is accessible from the network.
Depending on the sensitivity of data in the database, it is generally best practice to block traffic to database ports that does not come from required hosts.
Risk Consequence: Not Best Practice
Recommendation: If possible, only allow required hosts to connect to sensitive databases. This includes not allowing machines to connect from the network at all if the database is only used locally.


Vulnerability: LDAP NULL BASE/NULL BIND
Affected Hosts:
Unity Server IP
Explanation: These hosts are running an LDAP server which allows queries with the BASE directory set to NULL. Additionally, anonymous queries are allowed using a NULL BIND. These settings could allow anyone to connect to the LDAP server and easily extract diretory information without any prior knowledge.
Risk Consequence: Information Leakage
Recommendation: Unless they are required, NULL BASE queries and NULL BIND should be disabled on these servers.

The Unity Server is the Domain Controller and it is the only server in the domain.  Is it possible from the server to correct these findings?

Thanks,

Joe

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Ginger Dillon Wed, 02/03/2010 - 12:21

Hi -

Here is a link to the Unity security guide for your review - http://www.cisco.com/en/US/docs/voice_ip_comm/unity/42/security/guide/ex/usgex4x.pdf

Also, this specific link refers to the TCP/UDP ports required by Unity to function - http://www.cisco.com/en/US/docs/voice_ip_comm/unity/42/security/guide/ex/usg001.html#wp1080978

As you are running a voicemail only configuration, you may not have much user access to the server except for administration, unless you have the Unity Inbox enabled for your users to check voice messages from the web in addition to their phones.  As the guide mentions, if you are running antivirus software and a compatible version of the headless intrusion detection client CSA, you should be OK.  Please review any caveat mentioned in the guide, as blocking ports or altering access to Unity can affect your voicemail operation.

Regards, Ginger

Actions

This Discussion