Best Security Practice

The overall security of the Mitel Communication Service deployment relies on the many installation factors, primarily the security in place on the host operating system and network infrastructure.

The following sections outline recommendations for improving security of Mitel Communication Service installations.

Securing the installation and ensuring only relevant users have access to the system is the responsibility of the installer of the system.

Secure User Access

It is essential to secure access to both the host operating system and the MiVoice Office Application website to ensure that only users that should be accessing the system, can access the system. In addition, any user accounts created on the system should use the 'principle of least privilege', using the Roles & Profiles provided to limit user access to only the features they require.

The system also has a number of 'Built-In' user accounts which provide a pre-determined level of access. These include:

engineer
supervisor

The default passwords of these accounts should be changed after installation to restrict access to the system.

For more information on managing user accounts, please refer to the Users & Business Units section.

HTTPS Website Access

The MiVoice Office Application Suite Website provides users with access to the configuration settings for the system as well as being the front end to the following features:

Call Reporting
Call Recording
Real-Time Wallboard/Dashboard

By default, access to this website is through HTTP on port 80. To improve security for users logging into the system, HTTPS should be enabled on the website and HTTP access should be disabled.

To enable HTTPS, a certificate must be uploaded to server and the IIS server (local web server) configuration must be updated. For information on how to do this, please refer to the Enabling HTTPS section.

If the MiVoice Office Application Suite website is to be made available to users outside the Local Area Network (LAN) through port forwarding, ensure that HTTPS is enabled and restrict access to specific external IP addresses to increase security.

Secure Host Operating System

It is important that the operating system hosting the MiVoice Office Application Suite has security policies in place to minimize the risk of any unauthorized access to data and/or features. The following security steps should be taken on ALL host operating systems as a bare minimum:

Implement an Anti-Virus Solution - Information on anti-virus exceptions can be found in the Anti-Virus Requirements section.
Implement a Firewall - Information on the network ports used by the solution can be found in the Network Requirements section.
Install OS Security Updates - OS security updates should be installed on a regular basis following patch management best practice.
Disable Weak Ciphers & Protocols - Disable older TLS ciphers and other less secure protocols.
Require SMB message signing.

Following the steps above will make the system more secure and will reduce the risk of unauthorized access.

Enabling TLS 1.2 & Disabling Weak Ciphers & Protocols

Access to weaker ciphers/protocols needs to be done in the operating system registry in most instances. Information on how to do this can be found in the following Microsoft articles:

Alternatively, the following free tool can be used - https://www.nartac.com/Products/IISCrypto

Install ISSCrypto Tool
Apply PCI 3.1 template
Remove TLS 1.1 & Triple DES Cipher

Prior to disabling weak protocols/ciphers, ensure that TLS 1.2 is supported on both client and server systems. The following list of pre-requisites need to be checked/implemented:

Ensure SQL Server is running 2014 SP1 CU5 or higher.
Ensure .NET Framework 4.6 is installed on server and client operating systems.
Enable the 'Force TLS 1.2' option within Phone Manager Desktop Client settings (refer to the Phone Manager Technical Manual for more information)

Enabling TLS 1.2 on Phone Manager Desktop

Due to the version of the .NET Framework used by Phone Manager, it will not automatically use TLS 1.2 even if it is available. Once TLS 1.2 is enabled on the server, enable the 'Force TLS 1.2' setting on each Phone Manager Desktop client before disabling earlier versions of 1.2 on the server:

The setting is in %programdata% localsettings.xml - in that .xml file you are looking for the following string: <_securityProtocolType>0</_SECURITYPROTOCOLTYPE>

Add 3072 inside that string as below:

<_securityProtocolType>3072</_SECURITYPROTOCOLTYPE>

This will force TLS 1.2 for that client. Please note the client and server must be running a minimum of .NET Framework 4.6 and the server must have TLS 1.2 support enabled

Require SMB signing

To prevent "man-in-the-middle" attacks that modify SMB packets in transit, the SMB protocol supports digital signing of SMB packets. Refer to the following Microsoft articles for requiring SMB signing on Server and Client OS:

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always

This is not an exhaustive list and should be taken as a bare minimum of security precautions that should be applied to the host operating system.

Email Configuration

If using the email based features of the solution (alerts, alarms, schedules etc) it is advisable to configure the SMTP connection to the server to use both authentication and SSL/TLS.

Audit Personal Data

To comply with local data protection laws (such as GDPR), it is important to understand what personal data is being stored within the solution and what it is being used for. There are several areas where personal data could be stored within the MiVoice Office Application Suite system:

Contact Directory - Custom data fields can be inputted along with telephone numbers and other contact information
Call Recordings - Personal data could be discussed on calls and stored in call recordings. Calls can also be tagged with custom data and notes
Call Reporting - Telephone numbers can contact/speed dial names are stored within the call history system
Phone Manager Outbound - Campaign data can contain personal information if imported in addition to the contact information

In all cases where customer's or employee's personal data is stored in the system, the following guidelines should be followed:

The location and type of data stored should be documented
Permission should be obtained from the person whose data it is
Access to the data should be restricted to users who require it to perform the specific function the data is stored for

For more information on GDPR, where data is stored within MiVoice Office Application Suite, please refer to the GDPR section. For information relating to Mitel Phone Manager Outbound, please refer to the Phone Manager Outbound Technical Manual.

Software Patch Management Policy

It is necessary for the administrator to ensure that the MiVoice Office Application Suite is always updated and equipped with all critical patches to guarantee the highest level of security. Information on the latest releases available can be found here https://edocs.MitelAppSuite.com/appsuitelatest/#ReleaseNotes.html.

Mitel Product Security Policy

As part of Mitel’s ongoing commitment to customers and product excellence, Mitel maintains a dedicated product security incident response program to handle the discovery of potential vulnerabilities and security flaws in products. Mitel’s product security policy is published at www.mitel.com/mitel-product-security-policy.

Mitel Security Advisories

Public notices regarding moderate and high-risk product security vulnerabilities are published at www.mitel.com/security-advisories.