Important Security settings when using Class of Service (CoS)


Class of Service (CoS) is where you configure permissions for extensions, incoming lines, applications, feature codes, outgoing lines, etc. It is very important to configure each Class of Service properly, because this is where all validation for routing is done (examples: whether an incoming line, an extension, or an outgoing line route exists).

To add, modify or delete a Class of Service, log in to the ScopServ GUI and click on Telephony -> Manager -> Class of Services

In each Class of Service, you have different sections where you can set different permissions.

On the Services tab, you can specify which feature code(s) (Voicemail, Agent Login, Call Forward, DND, etc.) are available. It is not recommended to use the ‘All Features’ option when the Class of Service is used by an “untrusted” source. If the users of this Class of Service do not need full access, do not check the ‘All Features’ option; instead, select the individual feature codes that will be available.

On the Applications tab, you can specify which applications (created on Applications -> Application) are available. It is not recommended to use the ‘All Applications’ option when the Class of Service is used by an “untrusted” source. If you check ‘All Applications’ and have a custom application that executes a “sensitive” task (example: turn off the alarm system), then this is a major security risk. This is why you must select individual permissions.

On the Local Extensions tab, you can specify which extensions are reachable. If you want all extensions to be available to users of this Class of Service, simply check the ‘All Extension’ option. If you want to restrict the ability to reach some local extensions, select a list of allowed local extensions instead.

On the Outgoing Lines tab, you specify which outgoing lines you want to be reachable. You can set the line priority (example: 011X must be defined before X., otherwise 011X will never be reachable). If some users need access only to local/national calls and must not be able to make international calls, or must be restricted to specific trunks, use the Outgoing Lines tab to select individual outgoing lines.
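The priority rule above can be checked with a small first-match model. This is an added example, not ScopServ code: the pattern syntax (X = one digit, trailing "." = one or more further digits, so the international pattern is written 011X. here), the line names and the sample numbers are all assumptions made for illustration.

```python
import re

# Assumed, simplified pattern syntax: X = one digit, "." = one or more
# further digits, anything else is a literal character.
def to_regex(pattern):
    parts = []
    for ch in pattern:
        if ch == "X":
            parts.append(r"\d")
        elif ch == ".":
            parts.append(r"\d+")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z")

def route(ordered_lines, dialed):
    """Return the name of the first outgoing line whose pattern matches."""
    for name, pattern in ordered_lines:
        if to_regex(pattern).match(dialed):
            return name
    return None  # no outgoing line in this CoS accepts the number

def unreachable_lines(ordered_lines, samples):
    """Lines that match some sample numbers but never win any of them."""
    dead = []
    for name, pattern in ordered_lines:
        matching = [n for n in samples if to_regex(pattern).match(n)]
        if matching and all(route(ordered_lines, n) != name for n in matching):
            dead.append(name)
    return dead

# Constructed sample data (hypothetical line names and test numbers).
WRONG_ORDER = [("national", "X."), ("international", "011X.")]
RIGHT_ORDER = [("international", "011X."), ("national", "X.")]
SAMPLES = ["5145550100", "011442079460000"]

if __name__ == "__main__":
    for label, lines in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(label, "order, shadowed lines:", unreachable_lines(lines, SAMPLES))
        for number in SAMPLES:
            print("  ", number, "->", route(lines, number))
```

In the wrong order the catch-all line also carries the 011 number, so a Class of Service meant to block international calls needs a national pattern narrower than a catch-all, not just the absence of the international line.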

On the Miscellaneous tab, you can set miscellaneous options like Agent or Hotdesk restrictions. It is also possible to include other permissions (Class of Services) by selecting one or more contexts. The ‘Include other permissions’ option lets you include other permissions in order to create group-like Class of Service objects. This is useful for creating a Class of Service that includes a hierarchy of other Class of Service objects.

Class of Services can be used in different places, such as Interfaces (VoIP Account, Digital, Analog), to look up destinations. They can also be used on Extensions to specify which permissions the extension will have (examples: whether the extension can reach Voicemail or disable DND). They can also be used on an Auto Attendant (IVR) menu to look up a key pressed by a user, so it is very important to ensure that everything is properly configured.

For example: if you configure an Auto Attendant (IVR) to use a Class of Service that has access to all services, then any person who reaches the IVR will be able to execute any inherited service, such as dialing *888 to spy on extensions, dialing *78 to set a Call Forward, reaching DISA, or dialing any other included feature. So ensure that an IVR does not have access to Class of Services with excessive permissions, otherwise major security holes can exist in the configuration.
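The following added example (not ScopServ code) shows how such an exposure can be audited: it resolves the effective feature set of each IVR's Class of Service through its ‘Include other permissions’ chain and reports the sensitive features named above. The dictionary layout, the CoS and menu names, and the sample configuration are assumptions constructed for illustration.

```python
# Constructed sample configuration; this layout is an assumption made for
# the example and is not ScopServ's storage or export format.
COS = {
    "internal-full":  {"all_features": True,  "features": set(), "includes": []},
    "voicemail-only": {"all_features": False, "features": {"Voicemail"}, "includes": []},
    "agents":         {"all_features": False, "features": {"Agent Login", "*78"}, "includes": []},
    "ivr-main":       {"all_features": False, "features": set(), "includes": ["internal-full"]},
    "ivr-sales":      {"all_features": False, "features": set(), "includes": ["voicemail-only", "agents"]},
    "ivr-after-hours": {"all_features": False, "features": set(), "includes": ["voicemail-only"]},
}
IVR_ASSIGNMENTS = {"Main Menu": "ivr-main", "Sales Menu": "ivr-sales",
                   "After Hours": "ivr-after-hours"}
SENSITIVE = {"*888", "*78", "DISA"}  # the features the article calls out

def effective(cos_name, cos=COS, seen=None):
    """Return (all_features, feature_set) after following every include."""
    seen = set() if seen is None else seen
    if cos_name in seen:  # already visited: stops include loops
        return False, set()
    seen.add(cos_name)
    entry = cos[cos_name]
    all_features, features = entry["all_features"], set(entry["features"])
    for child in entry["includes"]:
        child_all, child_features = effective(child, cos, seen)
        all_features = all_features or child_all
        features |= child_features
    return all_features, features

def audit_ivrs(assignments=IVR_ASSIGNMENTS, cos=COS):
    """List IVR menus whose effective CoS exposes sensitive features."""
    findings = []
    for menu, cos_name in sorted(assignments.items()):
        all_features, features = effective(cos_name, cos)
        exposed = SENSITIVE if all_features else features & SENSITIVE
        if exposed:
            findings.append((menu, cos_name, sorted(exposed)))
    return findings

if __name__ == "__main__":
    for menu, cos_name, exposed in audit_ivrs():
        print(f"{menu}: CoS '{cos_name}' exposes {', '.join(exposed)}")
```

Neither flagged IVR lists a sensitive feature directly; both inherit it from an included Class of Service, which is why the check has to walk the whole include hierarchy.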

In summary, it is very important to configure Class of Services properly in order to restrict a user's access permissions.
