Instruction manual
Small business communications systems
6-22 Issue 9 May 2003
■ Deny access to pooled facility codes by removing pool dial-out
codes 70, 890 899, or any others on your system.
■ Create a Disallowed List or use the pre-prepared Disallowed List
number 7 to disallow dialing 0, 11, 10, 1700, 1809, 1900, and 976 or
1 (wildcard) 976. Disallowed List number 7 does not include 800,
1800, 411, and 1411, but Avaya recommends that you add them.
Assign all voice mail port extensions to this Disallowed List. Avaya
recommends assigning Disallowed List number 7. This is an added
layer of security, in case outward restriction is inadvertently
removed. (Voice messaging ports are assigned, by default, to
Disallowed List number 7.)
If outcalling is required by voice messaging system extensions:
■ Program an ARS Facility Restriction Level (FRL) of 2 on voice mail
port extensions used for outcalling.
■ If 800 and 411 numbers are used, remove 1800, 800, 411, and 1411
from Disallowed List number 7.
■ If outcalling is allowed to long-distance numbers, build an Allowed
List for the voice mail port extensions used for outcalling. This list
should contain the area code and the first three digits of the local
exchange telephone numbers to be allowed.
Additional general security for voice messaging systems:
■ Use a secure password for the general mailboxes.
■ The default administration mailbox, 9997, must be reassigned to the
system manager’s mailbox/extension number and securely
password protected.
■ All voice messaging system users must use secure passwords
known only to the user.
Security risks associated with the Automated
Attendant feature of voice messaging systems
Two areas of toll fraud risk associated with the Automated Attendant feature of
voice messaging systems are:
■ Pooled facility (line/trunk) access codes are translated to a menu prompt to
allow remote access. If a hacker finds this prompt, the hacker has
immediate access. (Dial access to pools is initially factory-set to restrict all
extensions: to allow pool access, this restriction must be removed by the
system manager.)
■ If the automated attendant prompts callers to use Remote Call Forwarding
(RCF) to reach an outside telephone number, the system may be
susceptible to toll fraud. An example of this application is a menu or
submenu that says, “To reach our answering service, select prompt
number 5,” and transfers a caller to an external telephone number. Remote
call forwarding can be used securely only when the central office provides