3CX Security - Reset Credentials/Passwords

Actions to take to increase the security of your PBX

Introduction

This article takes you through some recommended actions which will increase the security of your PBX to avoid attacks and potential data breaches.

Action 1: Change the Root/Admin Account Credentials

3CX installations have normal “users” with extensions, plus a root account used to administer the PBX. The root account is often used by resellers to set up and manage the system. If you have changed partners or are unsure of when the password was last changed, we recommend you change it.

Root credentials - Changing the password

 

To change the root password:

  1. Log in to your Admin Console as admin/root.
  2. Navigate to “Users” and select the System Owner user.
  3. Click on the Reset Password option below the user profile image (shown above).
  4. An email will be sent to the email address specified in the user configuration. Click on Set your password.
  5. Type your new Root Password in both the New Password and Confirm Password fields and click OK. Passwords should be at least 10 characters long with no spaces, and must contain at least 1 lowercase and 1 uppercase letter, a digit and a special character. Supported special characters are: !#$%&()*+,-./:;<=>?@{}
  6. This will log you out of the 3CX Admin Console. Log in again with your new credentials.

Forgot your root credentials?

If you forgot your root credentials, you can have them sent to the PBX admin email:

  1. Navigate to the login screen of your 3CX.
  2. Click on “Forgot password?”.
  3. Enter your email address.
  4. Your current credentials will be sent to the configured email address, provided that the email exists.

Action 2: Set up a System Owner

The System Owner role can be assigned to any user/extension. New installations already configure the first ever user of the system as a System Owner. If you are an existing user and you have upgraded, you will receive a warning in the Admin Console to assign an extension/user as a System Owner.

  1. To assign the ‘System Owner’ role, log in to the 3CX Admin Console and navigate to Users.
  2. Edit the user you want to elevate to a System Owner, click on the General tab.
  3. Select the System Owner role in the Role dropdown.
  4. Once a user is assigned the “System Owner” role, the user can log in to both the Web Client and the Admin Console using their existing credentials. If the user does not have their credentials, press the “Reset password” button in Users > General.

Action 3: Limit Access to the 3CX Admin Console and Web Client by IP

A really good way to secure your PBX is to lock down its administration to a specific list of IPs, for example, the IP of your office and maybe the IP of the network administrator's home. To do this:

  1. Log into the 3CX Admin Console.
  2. From the left panel, navigate to Advanced > Console Restrictions
  3. Select the option to Allow Access from specific IP Addresses only.
  4. Click the +Add button to add an IP.
  5. Important: Before you click OK, make sure that you see the blue info message (left) indicating that your current IP is allowed.
  6. If you see this red warning (right), it means you haven’t added your current remote office IP Address in the allow list. Clicking OK while seeing this message will lock you out of the Admin Console / Web Client.
  7. Make sure you have a static IP! If you have a dynamic IP and it changes you will be locked out of your Admin Console / Web Client.

Action 4: Reset User Credentials via Web Client

Reset Credentials for all Users

You can mass reset the credentials of any / all users of your PBX using the following steps:

  1. Log in to the 3CX Admin Console using Root or System Owner Credentials and navigate to ‘Users’.
  2. Select all the users whose credentials you wish to reset and click on “Reset”.
  3. The reset procedure will start for the selected users.

Keep in mind

Note that if you select to reset the following options you will need to reprovision any IP phones or apps registered on those extensions.

  • SIP ID and Authentication Passwords
  • Voicemail PIN
  • IP Phone Web Password
  • Regenerate provisioning file & QR Code for 3CX Apps

Allow Users to Change their own Credentials

There is also the option of allowing users to reset their own credentials from their Web Clients. To do so:

  1. Log in to the Admin Console using Root Credentials or as a System Owner.
  2. Navigate to Settings > Options and make sure to enable the option Allow change password for 3CX Apps.
  3. By enabling this, you expose the option in the Web Client for each user to reset their own credentials.
  4. Now inform your users to log into their Web Client and navigate to Settings > General and click on Change Password.
  5. Type your current password in the Old Password field and type your new password in both the New Password and Confirm New Password fields. Click on Save. Passwords should be at least 10 characters long with no spaces, and must contain at least 1 lowercase and 1 uppercase letter, a digit and a special character. Supported special characters are: !#$%&()*+,-./:;<=>?@{}
  6. The password is updated and users will need to log in to their Web Client using their new password.
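The password rules stated in Action 1 and repeated in the steps above can be checked, and compliant passwords generated, before a reset. The following Python sketch is an added example, not 3CX code; the function names are hypothetical, and it assumes that any symbol outside the listed special characters is unsupported.

```python
import secrets
import string

# Policy as stated on this page: at least 10 characters, no spaces, and at
# least one lowercase letter, uppercase letter, digit and special character.
SPECIALS = "!#$%&()*+,-./:;<=>?@{}"
MIN_LENGTH = 10
CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "digit": string.digits,
    "special character": SPECIALS,
}
ALLOWED = "".join(CLASSES.values())


def policy_violations(password):
    """Return a list of policy violations (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(ch.isspace() for ch in password):
        problems.append("contains a space")
    for name, pool in CLASSES.items():
        if not any(ch in pool for ch in password):
            problems.append(f"no {name}")
    # Assumption: anything outside ASCII letters, digits and the listed
    # specials is unsupported (the page lists only the supported ones).
    bad = sorted({c for c in password if c not in ALLOWED and not c.isspace()})
    if bad:
        problems.append("unsupported characters: " + "".join(bad))
    return problems


def generate_password(length=16):
    """Generate a random compliant password from the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    # One character from each required class, the rest from the full set.
    picked = [secrets.choice(pool) for pool in CLASSES.values()]
    picked += [secrets.choice(ALLOWED) for _ in range(length - len(picked))]
    secrets.SystemRandom().shuffle(picked)
    return "".join(picked)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["Summer2024", "correct horse battery", generate_password()]:
        print(repr(candidate), policy_violations(candidate) or "OK")
```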

Action 5: Use SSO - Google or Microsoft 365

A great way to secure your PBX is to enable SSO so that users can use their Google or Microsoft 365 account to authenticate with the PBX. This not only allows users to re-use the same password, it also means you can switch on 2-factor authentication if you have it configured.

Please follow these guides to read more on how to set up SSO with 3CX.

Last Updated

This document was last updated on 12 September 2024

https://www.3cx.com/docs/pbx-security-credentials/