S 4.7 Change of preset passwords
Initiation responsibility: PBX System Manager, IT Security Officer, Head of IT
Implementation responsibility: User, Administrator
Many IT systems, PBX systems and network switching elements (for example ISDN routers, voice data multiplexers, etc.) are delivered with passwords still set to the standard presets specified by the manufacturer. The default password settings specified by the manufacturer or administrator should be changed immediately after installation, and if not at that time, then before the hardware or software is put into operation for the first time. The relevant rules for passwords are to be followed when changing the passwords (see S 2.11 Provisions governing the use of passwords).
Warning: On some PBX systems, changes made to the configuration are only saved to RAM. The same applies to password changes. For this reason, the data should always be saved and a new backup copy made after such changes. If the data is not saved, the standard default password will be valid again after the system is restarted. Furthermore, once a new password has been set, it should be verified that the standard password is actually invalid and can no longer be used to access the system.
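The check described in the warning, as an added example that is not part of the original safeguard text: it audits an exported device inventory for credentials that still match a default and for password changes that exist only in RAM. The record layout (running and startup credential stored as a salted PBKDF2 hash), the model names and the default list are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed default list for this example; not taken from any real product.
VENDOR_DEFAULTS = {"example-pbx": ["0000", "admin"], "example-router": ["password"]}

def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted hash as a hypothetical device might store it in its configuration."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def cred(password: str, salt: bytes) -> dict:
    """Build a stored-credential record (assumed format)."""
    return {"salt": salt, "hash": pw_hash(password, salt)}

def is_default(model: str, stored: dict) -> bool:
    """True if the stored credential matches any known default for the model."""
    return any(
        hmac.compare_digest(pw_hash(p, stored["salt"]), stored["hash"])
        for p in VENDOR_DEFAULTS.get(model, [])
    )

def audit(device: dict) -> list:
    """Return findings for one device; running = RAM copy, startup = saved copy."""
    findings = []
    running, startup = device["running"], device["startup"]
    if is_default(device["model"], running):
        findings.append("default password still active")
    if is_default(device["model"], startup):
        findings.append("default password returns after restart")
    if running != startup:
        findings.append("password change not saved; save and make a new backup")
    return findings

# Constructed inventory: unchanged device, changed-but-unsaved device, compliant device.
INVENTORY = [
    {"name": "pbx-1", "model": "example-pbx",
     "running": cred("0000", b"s1"), "startup": cred("0000", b"s1")},
    {"name": "pbx-2", "model": "example-pbx",
     "running": cred("Vk7#orchard-lamp", b"s2"), "startup": cred("0000", b"s2")},
    {"name": "rtr-1", "model": "example-router",
     "running": cred("q9!harbour-stone", b"s3"), "startup": cred("q9!harbour-stone", b"s3")},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["name"], audit(dev) or "ok")
```

The second record is the case the warning describes: the new password is in effect now, but the saved configuration still holds the default, so a restart would reinstate it.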
Review questions:
- Are standard passwords replaced by sufficiently strong passwords and default logins changed before the IT systems are put into operation?
- Is it verified that the system can actually no longer be accessed using standard passwords or weak passwords?