Source: cucm/v15/preferred-architecture/preferred-architecture.md (chunk cucm::v15::preferred-architecture::preferred-architecture::49, page 43)

Preferred Architecture for Cisco Collaboration Release 15 On-Premises Deployments PAGE 43
Security

• Use secure password policies and do not rely on default passwords.
• Restrict physical and network access to devices.

Toll Fraud Recommendations

On Cisco Unified CM, several mechanisms can be used to prevent toll fraud. Partitions and calling search spaces (CSS) provide segmentation and access control over the directory numbers that can be called and over the device or line that is placing the call. As a best practice, apply the most restrictive class of service possible based on partitions and calling search spaces (for example, no access to PSTN routes for calls coming in from the PSTN). Other mechanisms can also be used, such as time-of-day routing, enabling the Block OffNet to OffNet Transfer service parameter, forced authentication codes (FAC), and route filters.

On Cisco Expressway-E, use Call Processing Language (CPL) rules to block fraudulent attempts. On Cisco Unified Border Element, configure protection mechanisms against toll fraud; for example, configure an IP trust list and explicit incoming and outgoing dial peers.

Certificate Recommendations

Simplify certificate management by using CA-signed certificates. By default, server certificates are self-signed. For a client to establish trust with a device presenting a self-signed certificate, the self-signed certificate must be imported into the trust store of the client. If the certificate is not imported, the client may terminate the connection or present warning message(s) about the certificate to the user. Importing certificates is feasible if the number of clients is low, but this approach does not scale for larger organizations. For this reason, we recommend that you use certificates signed by a trusted CA and configure clients to trust the CA. This is especially important for certificates such as the Tomcat certificates for Cisco Unified CM, Unified CM IM and Presence, and Cisco Unity Connection, as well as the XMPP certificate for IM and Presence.

For Cisco Expressway-E servers, use certificates that are signed by a public CA. Use multi-server certificates wherever possible, especially for the Cisco Unified CM and Unified CM IM and Presence Tomcat certificates. Multi-server certificates allow the administrator to assign a single certificate for a given service across multiple servers in a cluster, which further simplifies certificate management.

Regarding endpoints, two types of certificates are available: the Manufacturer Installed Certificate (MIC) and the Locally Significant Certificate (LSC). Endpoint certificates are used for encryption of call signaling and media, encryption of the phone web page, and for the optional encryption of TFTP phone configuration files. Use an LSC instead of a MIC whenever possible.

Encryption Recommendations

Provide encryption for the following:
• SIP trunks. SIP trunks connect Cisco Unified CM with other servers such as Cisco Unity Connection, IM and Presence, Cisco Meeting Server, Cisco Unified Border Element, business-to-business Collaboration Edge, and voice gateways.
• HTTP connections. Use HTTPS instead of HTTP for all application connections such as Extension Mobility and corporate directory.
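The following Python model is an added worked example for the toll fraud recommendations above; it is not code from the Cisco document or from Cisco. It shows how partitions and calling search spaces bound what a caller can reach, picks the route pattern for a dialed string, and audits the CSS assigned to a PSTN-facing trunk for offnet patterns reachable without a FAC. Every partition, CSS and route pattern name is constructed for the example, and the closest-match scoring is a simplification of the Unified CM algorithm.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed model of Unified CM partitions, calling search spaces (CSS) and
# route patterns, written for this page; it is not Cisco code. All names below
# (Employee-CSS, LocalPSTN-PT, ...) are assumptions for the example.


@dataclass(frozen=True)
class RoutePattern:
    pattern: str               # Unified CM syntax: X = one digit, [2-9] = range, ! = one or more digits
    partition: str
    offnet: bool               # True when the pattern hands the call to a PSTN route
    require_fac: bool = False  # a FAC must be entered before the call completes


PATTERNS = [
    RoutePattern("1XXX", "Internal-PT", offnet=False),
    RoutePattern("911", "Emergency-PT", offnet=True),
    RoutePattern("9.[2-9]XXXXXX", "LocalPSTN-PT", offnet=True),
    RoutePattern("9.1[2-9]XX[2-9]XXXXXX", "LD-PT", offnet=True, require_fac=True),
    RoutePattern("9.011!", "International-PT", offnet=True, require_fac=True),
]

# A CSS is an ordered list of partitions; a call can only reach patterns in those partitions.
CSS = {
    "Employee-CSS": ["Internal-PT", "Emergency-PT", "LocalPSTN-PT", "LD-PT", "International-PT"],
    "Lobby-CSS": ["Internal-PT", "Emergency-PT"],
    # Restrictive CSS for calls arriving from the PSTN: internal DNs and emergency only.
    "InboundPSTN-CSS": ["Internal-PT", "Emergency-PT"],
    # Weaker inbound CSS: a call from the PSTN could be forwarded or transferred back out.
    "InboundPSTN-Weak-CSS": ["Internal-PT", "Emergency-PT", "LocalPSTN-PT"],
}

EMERGENCY_PARTITIONS = {"Emergency-PT"}  # offnet by design and never to be blocked


def pattern_to_regex(pattern: str) -> re.Pattern[str]:
    """Translate a subset of Unified CM pattern syntax into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "X":
            parts.append("[0-9]")
        elif ch == "!":
            parts.append("[0-9]+")
        elif ch == ".":
            continue              # discard-digits delimiter; it does not affect matching
        elif ch in "[]-":
            parts.append(ch)      # keep digit ranges such as [2-9] intact
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def specificity(pattern: str) -> int:
    """Lower is more specific; approximates closest-match (fewest potential matches)."""
    return sum(1 for ch in pattern if ch == "X") + pattern.count("[") + 100 * pattern.count("!")


def reachable(css_name: str) -> list[RoutePattern]:
    """Patterns a caller using css_name can reach at all."""
    return [p for p in PATTERNS if p.partition in CSS[css_name]]


def route(css_name: str, dialed: str) -> RoutePattern | None:
    """The pattern selected for the dialed digits under the given CSS, or None."""
    matches = [p for p in reachable(css_name) if pattern_to_regex(p.pattern).match(dialed)]
    return min(matches, key=lambda p: specificity(p.pattern)) if matches else None


def inbound_exposure(css_name: str) -> list[str]:
    """Offnet patterns reachable from css_name without a FAC, excluding emergency routes.

    A non-empty result for the CSS assigned to a PSTN-facing trunk or gateway means
    a call arriving from the PSTN could be forwarded or transferred back to the PSTN.
    """
    return sorted(
        p.pattern
        for p in reachable(css_name)
        if p.offnet and not p.require_fac and p.partition not in EMERGENCY_PARTITIONS
    )


if __name__ == "__main__":
    for name in CSS:
        print(f"{name}: exposure = {inbound_exposure(name) or 'none'}")
```

Running the module prints the exposure for each CSS; the two inbound CSSs show the difference between the recommended restrictive class of service and one that leaks a local PSTN route. The same audit can be pointed at the CSS of any device or line where the Block OffNet to OffNet Transfer parameter is the only other safeguard.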