Disable External System Access

mackaltman

IS-IT--Management
Oct 30, 2014
42
US
With all the talk of voice mail systems being compromised, I was wondering if it were possible to disable external access to the system, voicemail or otherwise. While I understand the general rule of thumb is to modify the admin's password, voice mail boxes generally have only a few numbers to "crack" before they are accessed. Additionally, I am sure many experience the end-user using a password like "1234" or "1111" so they don't forget. Our system does require a 6-digit combination, but that's only a million different possible combinations. To be safe, I would like to disable access from an external user altogether.

Mitel 3300, MCD Release 6.0 SP2
 
Simply restrict the VM ports from outdialing using COR

Hackers can get in but not out.

**********************************************
What's most important is that you realise ... There is no spoon.
 
The problem is they can get to the voice mail box, which is a problem. If I am understanding your response correctly, you are saying restricting the VM ports from outdialing will only not allow them to dial out from a voice mail box; however, they will still be able to check the messages? Why is there not a way to disable someone from accessing voice mails when they are not on the network? There are some voice mail boxes which contain confidential information.
 
Users are able to set passcodes up to 6 digits (if configured to 6 digits)

If a user does not want to properly secure their mailbox then nothing you or I can do will prevent unauthorised access.

Nobody is going to try and crack a mailbox to listen to messages. Even allowing for the possibility that this were true then I would make sure there were no messages there to listen to by automatically emailing message and deleting it.

It sounds to me like you are over thinking the issue.

**********************************************
What's most important is that you realise ... There is no spoon.
 
Definitely no expert on the Mitel 3300, but can you:

Put the vmail system behind the firewall (network protection only)

And through the Auto Attendant(s) restrict them from getting access to dialing the AA VM features? Taking out the option for checking voicemail via the AA / Call Flow?

This way they cannot dial into the AA and check anything on the voicemail system at all.

Is this possible ?



 
Do you require:

Dial by Extension? Y/N
Dial By Name Y/N

If you answer yes to Either of those then the options are severely limited.

**********************************************
What's most important is that you realise ... There is no spoon.
 
kwbMitel said:
If a user does not want to properly secure their mailbox then nothing you or I can do will prevent unauthorised access.
To stand by idly with the notion that [0-9]{6} is secure, would be irresponsible of anyone. In regards to the user, this is why IT exists, and why IT Security professionals are high in demand. Unfortunately, we have to think for the user (even the "brightest" of them).

For example, let's say a VM is set up with a default password. They change it and forget it. They ask IT, who resets it. Rinse and repeat a few times. The user is going to naturally think IT is thinking they are the most forgetful person ever. To prevent them from having to ask IT again, they make their password simple (123456). They've solved their problem, and created another one, which they aren't aware of. Additionally, a large staff can easily inundate IT personnel with these simple requests.

kwbMitel said:
Nobody is going to try and crack a mailbox to listen to messages.
The very reason I posed my question was because this is not true. As you know through helping me on another thread, we have DIDs. Those DIDs have related VM boxes. If you were to change my VM box, every customer that reaches voice mail will hear what you've recorded. I doubt it's necessary to explain why this is a problem.

kwbMitel said:
It sounds to me like you are over thinking the issue.
I wouldn't say I am. I may be over thinking this response, but by providing a short message it didn't seem to illustrate the importance of resolving this issue. From an ISS standpoint, we should only grant access or privileges to those privy to the information. Additionally, we should minimize risks where possible. So, are you saying there is absolutely no way to prevent someone from accessing menu options when they reach a voice mail box? The system has to know whether or not a call came into a switch or was generated internally.
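The weak-passcode concern raised above ("1234", "1111", "123456" inside a [0-9]{6} keyspace) can be checked mechanically. This is an added example, not part of the original thread and not a Mitel feature: the function names, the rule set and the sample mailboxes are assumptions, and it presumes candidate passcodes can be checked when they are set.

```python
import re

PIN_RE = re.compile(r"[0-9]{6}")  # the 6-digit passcode format from the thread


def weak_reasons(pin, extension=None):
    """Return the reasons a passcode is weak; an empty list means acceptable."""
    if not PIN_RE.fullmatch(pin):
        return ["not exactly 6 digits"]
    reasons = []
    # One digit or a short block repeated: 111111, 121212, 123123
    if any(pin == pin[:k] * (6 // k) for k in (1, 2, 3)):
        reasons.append("repeated digit or block")
    # Straight run up or down, wrapping past 9/0: 123456, 654321, 890123
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        reasons.append("sequential digits")
    # Passcode built from the mailbox's own extension number
    if extension and extension in pin:
        reasons.append("contains the mailbox extension")
    return reasons


def audit(mailboxes):
    """Map extension -> reasons for every mailbox whose passcode is weak."""
    found = {}
    for ext, pin in mailboxes.items():
        reasons = weak_reasons(pin, ext)
        if reasons:
            found[ext] = reasons
    return found


def rejected_count():
    """How many of the one million 6-digit codes the pattern rules reject."""
    return sum(1 for n in range(10**6) if weak_reasons(f"{n:06d}"))


# Constructed sample data: extension -> proposed passcode
SAMPLE = {"4021": "123456", "4022": "402200", "4023": "718293", "4024": "1111"}

if __name__ == "__main__":
    for ext, reasons in audit(SAMPLE).items():
        print(ext, "->", ", ".join(reasons))
    print("codes rejected by pattern rules:", rejected_count())
```

The pattern rules remove only a small slice of the million possible codes, so a policy like this targets predictable choices rather than shrinking the keyspace in any meaningful way.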
 
There are ways to prevent access but to do so will reduce the functionality of the system below acceptable standards.

The entire purpose of a voicemail is to provide access for callers to leave messages and users to retrieve them. Anything that would prevent that is pointless IMHO.

There are more intelligent voicemails out there that allow greater security levels but you have gone with the less expensive option.

I believe rel 6 had the option to lock out mailboxes on successive bad passcodes. You could try that maybe.





**********************************************
What's most important is that you realise ... There is no spoon.
 
"Acceptable" is a matter of opinion. Ultimately, the question still stands, "Does Mitel allow the capability of disabling an external caller from accessing the voice mail system?" If it doesn't, I'm okay with that. I can legitimately advise we need to switch to a different system; however, I want to ensure I've exhausted all efforts to ensure that it does not offer this capability.
 
On Mitel's embedded voice mail you won't be able to prevent remote access to a personal mailbox.
On Mitel's Nupoint voice mail you can prevent it by using call director on each mailbox, or if you have the Extended Absence Greeting enabled in each mailbox, that will prevent users from pressing * to retrieve messages remotely.
 
There are ways to provide auto attendant that does not allow access

Those methods do not allow Dial by name or Dial by Extension

Is losing those functions acceptable?

**********************************************
What's most important is that you realise ... There is no spoon.
 
Nevermind - Dialing a user's DID will take you to a mailbox from which you can access the system.

I asked earlier if setting a lockout limit would serve your purpose. Are you saying it will not?

If so, I think I've exhausted all my ideas on the subject.

**********************************************
What's most important is that you realise ... There is no spoon.
 
@kwbMitel a lockout does not restrict external access so I did not consider it as a solution.

@lowradiation Thanks! I will look into us getting Nupoint. While all Mitel products are pricey, I'm sure getting that would be minimal compared to a different system altogether.
 
>>>lockout does not restrict external access

What are you assuming here? That the external caller can guess a passcode in one of the first 3 tries?

May I ask at this point what you mean by access?

**********************************************
What's most important is that you realise ... There is no spoon.
 