S 4.7 Change of preset passwords

Initiation responsibility: PBX officer; IT Security Management; Head of IT Section

Implementation responsibility: Administrators

Many IT systems, PBXs and gateway components (e.g. ISDN routers, speech-data multiplexers etc.) are delivered with default passwords configured by the manufacturer. These should, as a first step, be replaced by individual passwords. In this respect, the pertinent provisions on passwords must be observed (cf. S 2.11 Provisions governing the use of passwords).

Caution: In some PBXs, changes made to the configuration are only filed in RAM. The same applies to password changes. Therefore, data must always be saved and a new backup copy made after such an operation. If this is not done, the default password will again be enforced after any "restart" of the facility. In addition, a check is required as to whether the default password has actually become invalid after the specification of a new password, and can thus no longer be used to access the system.

Additional controls:

• Does the facility still use a default password?
• Have backup copies been made after the allocation and saving of the individual password?
• Is access to the system still possible with the default password following the specification of a new password?
• Are the relevant regulations on "password handling" being observed?