Understanding security warnings

Enable advanced account security mode in security settings

If advanced account security mode is not enabled, passwords will be stored in plain text in the configuration file, and therefore be unsecure.

To enable advanced account security mode, go to Settings > Security and enable Advanced account security mode.

Enable hide log messages on console in serial console settings

To hide log messages on the console, go to Settings > Security and select Hide log messages on console. This will stop event messages appearing on the console.

Enable require administrator login in serial console settings

You must log in using an admin account to access serial console commands, in this way the serial console will be more secure.

To do this, go to Settings > Security and select Require administrator login.

Disable the guest account.

By default the guest user account is assigned the privilege of 'conference list only', meaning that users who log in as guest can view the list of active conferences and change their own profile. Disabling the guest account makes the MCU more secure.

To disable the guest account, go to Users > User list and select Guest. Select Disable user account.

Change the admin account username

The MCU must have at least one configured user with administrator privileges. By default, the User ID is "admin" and no password is required.

To change the admin account username, go to Users > User list and select admin. Enter a new username in the User ID field and click Update user settings.

Disable FTP in network TCP services

Information sent using FTP is unencrypted and sent in plain text; therefore, it is possible for people to discover usernames and passwords easily.

To disable FTP, go to Network > Services and deselect the FTP check box.

Disable HTTP in network TCP services

Information sent using HTTP (Web) is unsecured and not encrypted.

To disable HTTP, go to Network > Services and deselect Web. We recommend that you enable Secure web.

Disable SNMP in network UDP services

Information sent using SNMP is unencrypted and sent in plain text; therefore, it is possible for people to discover usernames and passwords easily.

To disable SNMP, go to Network > Services and deselect SNMP.

Change auto-refresh interval to "No auto-refresh"

If your MCU is set to auto-refresh it could mean that on an idle MCU a session will never time out.

To turn off auto-refresh, go to Settings > User interface and change Status page auto-refresh interval to No auto-refresh.

Enable the audit log

If the audit log is disabled, the MCU will not create an audit log. To enable audit logs, go to Logs > Audit log and select Enable auditing.

For more information on the audit log, refer to Configuring security settings.

MCU 4200 Series, MCU 4500 Series and MSE Media blade only: Check system configuration for possible security changes

If no compact flash card is installed in the MCU, logs are only stored up to a maximum of 200 events. The 200 events do not 'wrap', and therefore when the maximum is reached the log is deleted and started over again. To rectify this problem, insert a compact flash card.

For more information on the audit log, refer to Configuring security settings.

Check system configuration for possible security changes

If audit logs checks fail, it is possible that your MCU has been compromised. For example, someone may have taken the compact flash card out and deleted some audit logs.

For more information on the audit log, refer to Configuring security settings

MCU 4200 Series, MCU 4500 Series and MSE Media blade only: Insert a compact flash card or check whether the existing compact flash card is functional

If no compact flash card is installed in the MCU, logs are only stored up to a maximum of 200 events. The 200 events do not 'wrap', and therefore when the maximum is reached the log is deleted and started over again.

The MCU will give you this warning when you are nearing the 200 maximum. To rectify this problem, insert a compact flash card.

Enable call encryption

When encryption status is Disabled, no calls on the MCU will be able to use encryption.

To enable encryption, go to Settings > Encryption. For Encryption status, select Enabled.

Download and delete audit logs

The audit log has a maximum capacity of 100,000 audit events, or the size limit of the compact flash card. When you are nearing either of these limits, the MCU will give you this warning. If you reach full capacity of the compact flash card, the MCU will 'wrap' meaning that older logs will be deleted. To rectify this problem download and clear the audit log.

To do this, go to Logs > Audit log and select Download as XML. Once this has completed, click Delete all records.

Download and delete audit logs.

The audit log has a maximum capacity of 100,000 audit events, or the size limit of the compact flash card. When you are nearing either of these limits, the MCU will give you this warning. If you reach full capacity of the compact flash card, the MCU will 'wrap' meaning that older logs will be deleted. To rectify this problem download and clear the audit log.

To do this, go to Logs > Audit log and select Download as XML. Once this has completed, click Delete all records.

Disable streaming.

Streaming connections are not connected using HTTPS and are therefore less secure.

To disable streaming, go to Settings > Streaming. Under Streaming & ConferenceMe settings, for Enable select None.

Disable ConferenceMe.

To disable ConferenceMe, go to Settings > Streaming. In the Streaming & ConferenceMe settings section, for Enable select None.

Enable streaming participants overlaid icon.

The MCU provides icons in the corner of the video screen to give participants information about the conference.

See Using in-conference features with video endpoints to see all in-conference icons and their descriptions.

To enable the icons, go to Settings > Conferences. For Overlaid icons, select the icons you would like to be visible to participants.

Enable audio participants overlaid icon.

Enable unsecured conferences overlaid icon.

Enable recording indicator overlaid icon.

Add feature key for encryption.

To use encryption on your MCU you must have the Encryption feature key installed. To purchase this feature key, contact your reseller.

Set encryption to required in the template for new ad hoc conferences.

When encryption status is Enabled, the MCU advertises itself as being able to use encryption and will use encryption if required to do so by an endpoint.

To rectify this problem, go to Conferences > Templates > Ad hoc conferences. Set Encryption, to Required.

To use encryption on your MCU you must have the Encryption feature key installed. To purchase this feature key, contact your reseller.

Enable SRTP encryption.

When SRTP is disabled, the MCU will not advertise that it is able to encrypt using SRTP.

To rectify this problem, go to Settings > Encryption. For SRTP encryption, select Secure transports (TLS) only. This means that if encryption is used for a call, the media will only be encrypted in calls that are set up using TLS.

Enable SRTP encryption for secure transports (TLS) only.

To rectify this problem, go to Settings > Encryption. For SRTP encryption, select Secure transports (TLS) only. This means that if encryption is used for a call, the media will only be encrypted in calls that are set up using TLS.

Set encryption to required in the top level conference template.

When you (or another user) create a new conference (by choosing Conferences and clicking Add new conference), you can set the encryption setting for the conference to be either Optional or Required.

To ensure that all new scheduled conferences use encryption, go to Conferences > Templates and for Encryption, select Required.

Disable public streaming page.

You can allow users access to the streaming list pages without having to authenticate with the MCU. By default, these pages are accessible to users who have not logged in.

To force users to authenticate before they can access the streaming page, go to Settings > User interface, and in the Public pages section, deselect Streaming.

Disable public conference list page.

You can allow users access to the conference list pages without having to authenticate with the MCU. By default, these pages are accessible to users who have not logged in.

To force users to authenticate before they can access the conference list page, go to Settings > User interface, and in the Public pages section, deselect Conference list.

Disable the serial input during startup.

If Disable serial input during startup isn't selected, the serial console is not protected during application startup. This means users will have access to debug services in the operating system.

To disable this, go to Settings > Security, and select Disable serial input during startup.