# Extension Security Overview

Extensions are a common target for toll fraud and unauthorized SIP registration. SIP (Session Initiation Protocol) is the signaling standard that phones use to register with the PBX and set up calls, so a stolen or weakly protected extension can be used to place expensive calls at your expense. Cloud Voice groups its protections into four areas: how devices are allowed to register, what outbound calls an extension can place, which outbound routes it can reach, and how user accounts sign in. Use this page as a map to the individual settings, then follow the linked topics to configure each one.

## Registration safeguards

Out of the box, any device with valid credentials can register an extension. The following options let you narrow that down so only trusted endpoints connect.

**User agent matching**

Every registering phone includes a user agent string in its SIP packets. You can require that string to begin with a value you specify; registrations whose user agent prefix doesn't match are rejected. See [Restrict Extension Registration Based on User Agent](/pbx/administrator-guide/restrict-extension-registration-based-on-user-agent/).

**IP address restriction**

By default there is no limit on where registrations may originate. You can instead permit only a single IP address or an IP range to register a given extension. See [Restrict Extension Registration Based on IP Address](/pbx/administrator-guide/restrict-extension-registration-based-on-ip-address/).

## Outbound call limits

These controls reduce the damage a compromised or misused extension can do by curbing the calls it is allowed to place.

:::note
None of these limits apply to emergency calls. To configure emergency dialing, see [Emergency Calling Overview](/pbx/administrator-guide/emergency-calling-overview/).
:::

**Disable outbound calls**

Blocks the extension from placing outbound calls entirely. See [Restrict Outbound Calls for an Extension](/pbx/administrator-guide/restrict-outbound-calls-for-an-extension/).

**Disable outbound calls outside business hours**

Prevents outbound calls during off-hours and holidays, so an extension can only dial out during your defined working times. See [Block Outbound Calls Outside Business Hours](/pbx/administrator-guide/block-outbound-calls-outside-business-hours/).

**Disallow international calls**

Stops the extension from dialing international destinations.

:::caution
This setting takes effect only when **Enable Allowed Country/Region Code Dialing Protection** is turned on. If that protection is off, blocking international calls here has no effect and those calls still go through. See [Block Outbound International Calls](/pbx/administrator-guide/block-outbound-international-calls/).
:::

**Outbound call frequency restriction**

Caps how many outbound calls an extension may place within a defined window. Once the count is exceeded, the system blocks further outbound calls from that extension. See [Limit Outbound Call Frequency of an Extension](/pbx/administrator-guide/limit-outbound-call-frequency-of-an-extension/).

**Maximum outbound call duration**

Sets a ceiling, in seconds, on how long an outbound call can run. When a call reaches the limit, the system disconnects it. See [Limit Call Duration of an Outbound Call](/pbx/administrator-guide/limit-call-duration-of-an-outbound-call/).

:::caution
This limit disconnects an active call the moment it reaches the ceiling, with no warning to the caller. Set it high enough that normal business calls are not cut off.
:::

## Outbound route permission

You can also choose exactly which outbound routes an extension is permitted to use.

:::note
If the extension already inherits permission to a route through its organization or extension group, you cannot override that route's permission at the extension level.
:::

## Login security

The following options protect the credentials extension users sign in with.

**Two-factor authentication (2FA)**

Cloud Voice supports 2FA, which asks users for an additional verification code at login on top of their password.

- To require 2FA across every extension, see [Enforce Two-factor Authentication for All Extension Users](/pbx/administrator-guide/enforce-two-factor-authentication-for-all-extension-users/).
- Users enable and manage 2FA for their own accounts from the Cloud Voice App.

:::note
2FA cannot be enabled for a single extension on its own. However, if a user has 2FA set up but can no longer complete it (for example, they stop receiving the code by email), you can disable it for just that extension so they can sign in with their username and password again. Go to **Extension and Trunk > Extension > Security > Login Security > Two-Factor Authentication**.
:::

**Periodic password changes**

As an administrator, you can require extension users to reset their passwords on a recurring schedule, which prevents long-lived credentials from becoming a liability. See [Set up Periodic Password Changes for an Extension](/pbx/administrator-guide/set-up-periodic-password-changes-for-an-extension/).
