Our QSA flagged us for a self-signed cert associated with port 8952 and it is not TLS compliant. I checked the PortMap PDF and I do not believe I have either of these components in my infrastructure and am betting this is something just exposed by default 'to make things easier' (no judgement). I only have a CIC/Media server switchover pair, and we use Interactive Attendant to process calls (60+ custom handlers). I also have no web servers or other components on these servers so the 'address this in your web config' does not apply. I have learned over the years that the CIC and components have a proprietary web server that is built in and cannot be locked down any further (according to Genesys support). I use TLS with certs to lock down what I can (SIP trunks and DB).
Any insight or information is greatly appreciated.
#ArchitectureandDesign #AskMeAnything(AMA) #Implementation #Security #Unsure/Other
------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC
------------------------------