MCU 4215
host: mcu-reuna.reuna.cl

Understanding security warnings

The Security status page displays a list of active security warnings for the MCU. To access this information, go to Status > Security. Security warnings identify potential weaknesses in the security of the MCU's configuration. For more information on configuring security settings, refer to Configuring security settings. For more detailed information on the security status, refer to Displaying security status.

The table below details the warnings that appear, and the relevant actions needed to rectify them.

Warning Action Explanation
Advanced password security is disabled

Enable advanced account security mode in security settings

If advanced account security mode is not enabled, passwords are stored in plain text in the configuration file and are therefore insecure.

To enable advanced account security mode, go to Settings > Security and enable Advanced account security mode.

Hide log messages on console is disabled

Enable hide log messages on console in serial console settings

To hide log messages on the console, go to Settings > Security and select Hide log messages on console. This will stop event messages appearing on the console.

Require administrator login to console is disabled

Enable require administrator login in serial console settings

When this setting is enabled, you must log in using an admin account to access serial console commands, which makes the serial console more secure.

To do this, go to Settings > Security and select Require administrator login.

Guest account is enabled

Disable the guest account.

By default the guest user account is assigned the privilege of 'conference list only', meaning that users who log in as guest can view the list of active conferences and change their own profile. Disabling the guest account makes the MCU more secure.

To disable the guest account, go to Users > User list and select Guest. Select Disable user account.

Admin account has default username

Change the admin account username

The MCU must have at least one configured user with administrator privileges. By default, the User ID is "admin" and no password is required.

To change the admin account username, go to Users > User list and select admin. Enter a new username in the User ID field and click Update user settings.

Unsecured FTP service is enabled

Disable FTP in network TCP services

Information sent using FTP is unencrypted and sent in plain text; therefore, it is possible for people to discover usernames and passwords easily.

To disable FTP, go to Network > Services and deselect the FTP check box.

Unsecured HTTP service is enabled

Disable HTTP in network TCP services

Information sent using HTTP (Web) is unsecured and not encrypted.

To disable HTTP, go to Network > Services and deselect Web. We recommend that you enable Secure web.

Unsecured SNMP service is enabled

Disable SNMP in network UDP services

Information sent using SNMP is unencrypted and sent in plain text; therefore, it is possible for people to discover usernames and passwords easily.

To disable SNMP, go to Network > Services and deselect SNMP.

Auto-refresh of web pages is enabled

Change auto-refresh interval to "No auto-refresh"

If your MCU is set to auto-refresh, a session on an idle MCU may never time out.

To turn off auto-refresh, go to Settings > User interface and change Status page auto-refresh interval to No auto-refresh.

Audit logging of configuration changes is disabled

Enable the audit log

If the audit log is disabled, the MCU will not create an audit log. To enable audit logs, go to Logs > Audit log and select Enable auditing.

For more information on the audit log, refer to Configuring security settings.

Audit logs dropped due to lack of compact flash, audit system integrity compromised

MCU 4200 Series, MCU 4500 Series and MSE Media blade only: Check system configuration for possible security changes

If no compact flash card is installed in the MCU, logs are only stored up to a maximum of 200 events. The 200 events do not 'wrap', and therefore when the maximum is reached the log is deleted and started over again. To rectify this problem, insert a compact flash card.

For more information on the audit log, refer to Configuring security settings.

Audit logs hash check failed, audit system integrity compromised

Check system configuration for possible security changes

If the audit log hash check fails, it is possible that your MCU has been compromised. For example, someone may have taken the compact flash card out and deleted some audit logs.

For more information on the audit log, refer to Configuring security settings.

Compact flash card not present, audit and CDR logs will not be saved

MCU 4200 Series, MCU 4500 Series and MSE Media blade only: Insert a compact flash card or check whether the existing compact flash card is functional

If no compact flash card is installed in the MCU, logs are only stored up to a maximum of 200 events. The 200 events do not 'wrap', and therefore when the maximum is reached the log is deleted and started over again.

The MCU will give you this warning when you are nearing the 200 maximum. To rectify this problem, insert a compact flash card.

Call encryption is disabled

Enable call encryption

When encryption status is Disabled, no calls on the MCU will be able to use encryption.

To enable encryption, go to Settings > Encryption. For Encryption status, select Enabled.

Audit log above 75% capacity

Download and delete audit logs

The audit log has a maximum capacity of 100,000 audit events, or the size limit of the compact flash card. When you are nearing either of these limits, the MCU will give you this warning. If you reach full capacity of the compact flash card, the MCU will 'wrap', meaning that older logs will be deleted. To rectify this problem, download and clear the audit log.

To do this, go to Logs > Audit log and select Download as XML. Once this has completed, click Delete all records.

Audit log above 90% capacity

Download and delete audit logs.

The audit log has a maximum capacity of 100,000 audit events, or the size limit of the compact flash card. When you are nearing either of these limits, the MCU will give you this warning. If you reach full capacity of the compact flash card, the MCU will 'wrap', meaning that older logs will be deleted. To rectify this problem, download and clear the audit log.

To do this, go to Logs > Audit log and select Download as XML. Once this has completed, click Delete all records.

Streaming enabled

Disable streaming.

Streaming connections are not connected using HTTPS and are therefore less secure.

To disable streaming, go to Settings > Streaming. Under Streaming & ConferenceMe settings, for Enable select None.

ConferenceMe enabled

Disable ConferenceMe.

To disable ConferenceMe, go to Settings > Streaming. In the Streaming & ConferenceMe settings section, for Enable select None.

Streaming enabled but streaming participants overlaid icon disabled

Enable streaming participants overlaid icon.

The MCU provides icons in the corner of the video screen to give participants information about the conference.

See Using in-conference features with video endpoints to see all in-conference icons and their descriptions.

To enable the icons, go to Settings > Conferences. For Overlaid icons, select the icons you would like to be visible to participants.

Audio participants overlaid icon disabled

Enable audio participants overlaid icon.

Unsecured conferences overlaid icon disabled

Enable unsecured conferences overlaid icon.

Recording indicator overlaid icon disabled

Enable recording indicator overlaid icon.

Encryption not available on this device

Add feature key for encryption.

To use encryption on your MCU you must have the Encryption feature key installed. To purchase this feature key, contact your reseller.

Default encryption setting for new ad hoc conferences set to optional

Set encryption to required in the template for new ad hoc conferences.

When encryption status is Enabled, the MCU advertises itself as being able to use encryption and will use encryption if required to do so by an endpoint.

To rectify this problem, go to Conferences > Templates > Ad hoc conferences. Set Encryption to Required.

To use encryption on your MCU you must have the Encryption feature key installed. To purchase this feature key, contact your reseller.

SRTP encryption disabled

Enable SRTP encryption.

When SRTP is disabled, the MCU will not advertise that it is able to encrypt using SRTP.

To rectify this problem, go to Settings > Encryption. For SRTP encryption, select Secure transports (TLS) only. This means that if encryption is used for a call, the media will only be encrypted in calls that are set up using TLS.

SRTP encryption enabled for all transports, including insecure transports (UDP and TCP)

Enable SRTP encryption for secure transports (TLS) only.

To rectify this problem, go to Settings > Encryption. For SRTP encryption, select Secure transports (TLS) only. This means that if encryption is used for a call, the media will only be encrypted in calls that are set up using TLS.

Default encryption setting for new scheduled conferences set to optional

Set encryption to required in the top level conference template.

When you (or another user) create a new conference (by choosing Conferences and clicking Add new conference), you can set the encryption setting for the conference to be either Optional or Required.

To ensure that all new scheduled conferences use encryption, go to Conferences > Templates and for Encryption, select Required.

Streaming page is public

Disable public streaming page.

You can allow users access to the streaming list pages without having to authenticate with the MCU. By default, these pages are accessible to users who have not logged in.

To force users to authenticate before they can access the streaming page, go to Settings > User interface, and in the Public pages section, deselect Streaming.

Conference list page is public

Disable public conference list page.

You can allow users access to the conference list pages without having to authenticate with the MCU. By default, these pages are accessible to users who have not logged in.

To force users to authenticate before they can access the conference list page, go to Settings > User interface, and in the Public pages section, deselect Conference list.

Shell not secured for startup

Disable the serial input during startup.

If Disable serial input during startup isn't selected, the serial console is not protected during application startup. This means users will have access to debug services in the operating system.

To disable this, go to Settings > Security, and select Disable serial input during startup.
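To confirm from the network that the "Unsecured FTP service is enabled" and "Unsecured HTTP service is enabled" warnings have really been cleared, the following added example (not part of the original MCU documentation) attempts TCP connections to the device and reports any service that is still in the wrong state. The port numbers are the protocols' standard defaults and are an assumption, as is the placeholder address; the "Secure web" finding text is constructed and is not an MCU warning.

```python
import socket
import sys

# name: (tcp port, should it be reachable?, finding text)
# Ports are assumed standard defaults; adjust them to match Network > Services.
EXPECTED = {
    "FTP": (21, False, "Unsecured FTP service is enabled"),
    "Web (HTTP)": (80, False, "Unsecured HTTP service is enabled"),
    # Constructed finding text: the page recommends enabling Secure web.
    "Secure web (HTTPS)": (443, True, "Secure web is not reachable"),
}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, unreachable or timed out: treat as not reachable.
        return False


def audit_services(host, expected=EXPECTED, timeout=2.0):
    """Compare reachable TCP services with the hardened state.

    Returns a list of findings; an empty list means every service
    is in the expected state.
    """
    findings = []
    for name, (port, should_be_open, message) in expected.items():
        if tcp_open(host, port, timeout) != should_be_open:
            findings.append(f"{message} ({name}, tcp/{port})")
    return findings


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder, not a real MCU address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    problems = audit_services(target)
    for line in problems:
        print("WARNING:", line)
    sys.exit(1 if problems else 0)
```

SNMP runs over UDP, so this TCP check does not cover it. A port that a firewall silently drops is reported as closed.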
