The overall security of the Xarios Call Recorder deployment relies on the many installation factors, primarily the security in place on the host operating system and network infrastructure.

The following sections outline recommendations for improving security of Xarios Call Recorder installations.

Secure User Access

It is essential to secure access to both the host operating system and the Xarios Call Recorder website to ensure that only users that should be accessing the system, can access the system. In addition, any user accounts created on the system should use the 'principle of least privilege', using the Roles & Profiles provided to limit user access to only the features they require. 

The system also has a number of 'Built-In' user accounts which provide a pre-determined level of access. These include:

• engineer
• supervisor

The default passwords of these accounts should be changed after installation to restrict access to the system.

For more information on managing user accounts, please refer to the Users & Business Units section.

 

HTTPS Website Access

The Xarios Call Recorder Website provides users with access to the configuration settings for the system as well as being the front end for the call recording playback and reporting interface.

By default, access to this website is through HTTP on port 80. To improve security for users logging into the system, HTTPS should be enabled on the website and HTTP access should be disabled.

To enable HTTPS, a certificate must be uploaded to server and the IIS server (local web server) configuration must be updated. For information on how to do this, please refer to the Enabling HTTPS section.

 

Secure Host Operating System

It is important that the operating system hosting the Xarios Call Recorder has security policies in place to minimize the risk of any unauthorized access to data and/or features. The following security steps should be taken on ALL host operating systems as a bare minimum:

• Implement an Anti-Virus Solution - Information on anti-virus exceptions can be found in the Anti-Virus Requirements section.
• Implement a Firewall - Information on the network ports used by the solution can be found in the Network Requirements section.
• Install OS Security Updates - Either automatically or manually, all OS security updates should be installed on a regular basis.
• Disable Weak Ciphers & Protocols - Disable older TLS ciphers and other less secure protocols.

Following the steps above will make the system more secure and will reduce the risk of unauthorized access.

Disabling Weak Ciphers & Protocols

Access to weaker ciphers/protocols needs to be done in the operating system registry in most instances. Information on how to do this can be found in the following Microsoft articles:

• https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc
• https://support.microsoft.com/en-gb/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

Alternatively, the following free tool can be used - https://www.nartac.com/Products/IISCrypto

• Install ISSCrypto Tool
• Apply PCI 3.1 template
• Remove TLS 1.1 & Triple DES Cipher

 

Audit Personal Data

To comply with local data protection laws (such as GDPR), it is important to understand what personal data is being stored within the solution and what it is being used for. There are several areas where personal data could be stored within the Xarios Call Recorder system:

• Contact Directory - Custom data fields can be inputted along with telephone numbers and other contact information
• Call Recordings - Personal data could be discussed on calls and stored in call recordings. Calls can also be tagged with custom data and notes   

In all cases where customer's or employee's personal data is stored in the system, the following guidelines should be followed:

• The location and type of data stored should be documented
• Permission should be obtained from the person whose data it is
• Access to the data should be restricted to users who require it to perform the specific function the data is stored for

For more information on GDPR, where data is stored within Xarios Call Recorder, please refer to the GDPR section.