Disable Cisco VoIP phone web interface

[MichealC4]

Per the subject, how do I disable the VoIP phone web interface for each phone? We've got various idiots that keep trying to run root.exe and cmd.exe on them, and they also give out too much information, so there really is no need to have the web server enabled on them that I can see. Unless you guys know of something I don't. If it is something I can set in CM, that'd be great, but if not, ah well, I'll do it per phone. Some of our phones look like changes can be made to the phone as they provide form fields with the information, such as ring settings. There is no submit button, but why would they give the information in a form field? At any rate, I've searched cisco.com and all over google, and haven't found anything of use.

----------------------------
"Security is like an onion" - Unknown

 

[BuckWeet]

Do you mean the web server on the callmanager?

Do you have your CCM server behind a layer 3 device, segmented from the data subnets?

If so, put an access-list on it, that'll stop it right there..


BuckWeet

 

[MichealC4]

I'm talking about each phone. We use the web interface on CCM quite a bit, though I do have some questions about CCM that I'll start a new topic about.

----------------------------
"Security is like an onion" - Unknown

 

[BuckWeet]

I think you want to edit the enterprise parameters webpage..


BuckWeet

 

[MichealC4]

Thanks. I was hoping it would be a CCM change and not a per phone change.

----------------------------
"Security is like an onion" - Unknown

 

[BuckWeet]

is it a CCM change

the enterprise parameters is in your ccmadmin

 

[MichealC4]

Sorry, I handle the security stuff, my boss and a coworker handle all of the phone stuff, so I am not familar with everything just yet. I'll give it a go tomorrow and let you know. Thanks.

----------------------------
"Security is like an onion" - Unknown

 

[ccmuser]

There is really not much on the web phone page? It is actually quite nice to have up and running for troubleshooting. All information on the phone webpage can be obtained directly off the phone. Assuming that your network is somewhat secure and outside computer do not have access to your internal network. What added security benefit does disabling the web stats give you? The "hacker" Must already be in your building and can just walk to a phone and press the "setting button

 

[MichealC4]

I actually walked in almost a year ago, so I'm still trying to learn the ins and outs of our environment. However, the phones have a public IP address that is reachable from the outside. I'm willing to explore alternatives such as ACL's on the router, but I figured I might as well go to the source. Our phones give you numbers, ring settings, and sometimes names. The names and numbers could then be used in a social engineering attempt. You laugh, but we've had social engineering attempts in the past. Besides, the less there is for an attacker to scan, the less bandwidth they eat up, and the less they have open to try to attack.

----------------------------
"Security is like an onion" - Unknown

 

[ccmuser]

Oh... I totally agree that you do not want this INFO public. I just assumed that your Voice network is behind a FW and as isolated from outside networks as possible.. If it is not that is something you should be moving towards.

 

[MichealC4]

ccmuser: That's not my department per se, but if memory serves me correctly, that was tried before, and for whatever reason, it didn't work. Originally, (long before I got there), we had a third-party company set things up. Needless to say, they made a mess of things, we are still trying to clean up some other things. My boss and coworker, as I understand it, tried putting some phones behind the firewall at a remote campus, for couldn't get it to work. Yes, I'd like to see the phones behind the firewall as well. Our voice network is on a totally seperate subnet from the rest of our stuff, so that helps some there at least.

----------------------------
"Security is like an onion" - Unknown