Tuesday, December 11, 2007

Password policies for PBX servers

Password policies form an important part of computer security. Unfortunately, a large number of VoIP PBX servers do not apply any policies when it comes to authentication. Because such security mechanisms are missing, brute-force attacks are a viable way to attack PBX servers. Svcrack, which is part of the SIPVicious tool suite, demonstrates this.

Of course, vendors and developers should be cautious when implementing features that can cause a denial of service. For example, the Account Lockout policy (available in Microsoft's AD and other systems) allows anyone to deny service to another user. This is not such a good idea, especially in the case of something as "real time" as the phone service.

On the other hand, throttling or slowing down authentication might be a solution to limit the chance of attackers guessing the password in a reasonable time. Password complexity should also be enforced to hinder brute-force and dictionary attacks.
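
One way to throttle without locking anyone out, as an added sketch that is not code from SIPVicious or any PBX: failures are counted per (account, source IP) and answered with a growing delay, so a guessing source slows only itself. The class name, parameters, extension number and documentation-range IP addresses are all assumptions made for illustration.

```python
import time


class AuthThrottle:
    """Delay (never lock) repeated failures, tracked per (account, source IP)."""

    def __init__(self, base=1.0, cap=300.0, free_attempts=3, clock=time.monotonic):
        self.base, self.cap, self.free = base, cap, free_attempts
        self.clock = clock
        self.state = {}  # (user, src_ip) -> (consecutive failures, not_before)

    def delay_for(self, failures):
        """Seconds a source must wait after this many consecutive failures."""
        if failures < self.free:
            return 0.0
        exponent = min(failures - self.free, 30)  # bound the power of two
        return min(self.cap, self.base * 2 ** exponent)

    def allowed(self, user, src_ip):
        """True if this source may try to authenticate as this account now."""
        _, not_before = self.state.get((user, src_ip), (0, 0.0))
        return self.clock() >= not_before

    def record(self, user, src_ip, success):
        """Update the counters after an attempt that was let through."""
        key = (user, src_ip)
        if success:
            self.state.pop(key, None)  # a good login clears the penalty
            return
        failures = self.state.get(key, (0, 0.0))[0] + 1
        self.state[key] = (failures, self.clock() + self.delay_for(failures))

    def seconds_to_exhaust(self, keyspace):
        """Minimum time one source needs to try every candidate password."""
        return sum(self.delay_for(n) for n in range(1, keyspace))


if __name__ == "__main__":
    throttle = AuthThrottle()
    for _ in range(5):  # constructed: five bad guesses from one source
        throttle.record("1001", "203.0.113.9", success=False)
    print("guessing source allowed:", throttle.allowed("1001", "203.0.113.9"))
    print("desk phone allowed:", throttle.allowed("1001", "192.0.2.10"))
    days = throttle.seconds_to_exhaust(10_000) / 86_400
    print(f"4-digit numeric password, one source: {days:.1f} days")
```

Keying on the source address does nothing against guesses spread over many addresses, which is why the delay has to be paired with the password complexity requirement.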


CG said...

In your experience with PBXs and AD environments, are those numbers attached to user accounts or just phones? So would I potentially lock out a user or just their phone on their desk?

sandro said...

Hi Chris... from what I see, it highly depends on the PBX system being used.

Most of the time, they're separate systems. The AD accounts are separate from the PBX accounts. So typically, you would lock their phone on the desk if you had a lockout policy on the PBX. However, with Microsoft's Unified Communications / LCS, things will change.