S 5.31 Suitable modem configuration

Initiation responsibility: IT Security Management, Administrators

Implementation responsibility: IT users, Administrator

Most modems operate with the Hayes standard (also termed AT standard, as the commands start with "AT"). This is a manufacturer-dependent standard. The basic instruction sets of the various modems largely correspond. Considerable deviations are found in the extended instruction sets. It is important to check the instruction set of the employed modem to determine how the functions described in the following have been realised and whether incorrect configuration could result in security shortcomings.

The selected settings should be stored in the non-volatile memory of the modem (cf. S 1.38 Suitable installation of a modem). Furthermore, they should be printed on paper to allow a comparison with current settings whenever required.

Some security-related configurations are described in the following:

Auto-answer

The S0 register can be used to set the modem to automatically accept an incoming call after a preset number of rings. The setting S0=0 prevents this and requires calls to be accepted manually.

This setting should be selected if connections are to be prevented from being established covertly by an external source. Otherwise a call-back mechanism is to be employed. (cf. S 5.30 Activating an existing call-back option).

Remote configuration of a modem

Some modems can be set to allow their configuration from remote modems. Ensure that this feature is inactive.

Refer to S 5.33 Remote maintenance via modem for problems concerning remote maintenance via modems.

Password-protected storing of (call-back) numbers

Many modems allow the password protection of telephone and call-back numbers stored in the non-volatile memory. If this feature is available, it should be used, and the password should be selected in accordance with S 2.11 Provisions governing the use of passwords. With some modems, the entry of a certain command causes a list of the numbers to be displayed together with the related passwords. Access to such modems must therefore be limited to authorised persons (cf. S 1.38 Suitable installation of a modem).

Additional controls:

• Are the employees responsible for modems familiar with their entire instruction sets?

• Are the modem configurations documented?