Best Practices for Accounts That Are Used to Access Cisco Unity Connection Administration in Connection 8.x
Cisco Unity Connection Administration is a web application that you use to do most administrative tasks. An administrative account can be used to access Connection Administration to define how Cisco Unity Connection works for individual users (or for a group of users), to set system schedules, to set call management options, and to make changes to other important data, all depending on the roles to which the administrative account is assigned. If your site comprises multiple Connection servers, an account that is used to access Connection Administration on one server may be able to authenticate and gain access to Connection Administration on the other networked servers as well. To secure access to Connection Administration, consider the following best practices.
Best Practice: Limit the Use of the Application Administration Account
Until you create a Cisco Unity Connection user account specifically for the purpose of administering Connection, you sign in to Cisco Unity Connection Administration by using the credentials that are associated with the default administrator account. The default administrator account is created during the installation of Connection with the application user username and password you specify during installation. The default administrator account is automatically assigned to the system administrator role, which offers full system access rights to Connection Administration. This means that not only can the administration account access all pages in Connection Administration, but it also has read, edit, create, delete and execute privileges for all Connection Administration pages. For this reason, you should limit the use of this highly privileged account to only one or to very few individuals.
As an alternative to the default administrator account, you can create additional administrative accounts that are assigned to roles that have fewer privileges based on what is appropriate to the administrative tasks that each person performs.
Note: Make sure you do not use the following application usernames, as this will generate an error:
To learn more about creating administrative accounts, see the “Adding an Administrator Account (User Without a Voice Mailbox)” section in the “Adding Cisco Unity Connection 8.x Accounts Individually” chapter of the User Moves, Adds, and Changes Guide for Cisco Unity Connection Release 8.x. The guide is available at http://www.cisco.com/en/US/docs/voice_ip_comm/connection/8x/user_mac/guide/8xcucmacx.html.
Best Practice: Use Roles to Provide Different Levels of Access to Cisco Unity Connection Administration
When modifying role assignments to secure access to Cisco Unity Connection Administration, consider the following best practices:
- Do not modify the role assignment of the default administrator account. Instead, create additional administrative user accounts that offer the appropriate levels of access to Connection Administration. For example, you may want to assign an administrative user account to the User Administrator role, which allows the administrator to manage user account settings and access all user administration functions. Or you may want to assign an administrative user account to the Help Desk Administrator role, which allows the administrator to reset user passwords and PINs, unlock user accounts, and view user setting pages.
- Create additional administrative user templates that are assigned to roles that provide varying levels of access. By default, the Administrator user template is assigned to the System Administrator role. Any administrative user accounts that are created from the Administrator user template will be assigned to the System Administrator role, which gives administrators full access to all Connection administrative functions. Use this Administrator template sparingly to create accounts for administrative users.
- By default, the Voicemail User Template is not assigned to any roles, and should not be assigned to any administrative roles. Instead, use this template to create accounts for end users with mailboxes. (The only role that should be assigned to an end user with a mailbox is the Greeting Administrator role; with this role, the only “administrative” function is to have access to the Cisco Unity Greetings Administrator, which allows users to manage the recorded greetings for call handlers by phone.)
To learn more about the predefined roles Cisco Unity Connection offers and the level of privileges included with each role, see the “Roles in Cisco Unity Connection 8.x” section in the “Preparing to Add User Accounts in Cisco Unity Connection 8.x” chapter of the User Moves, Adds, and Changes Guide for Cisco Unity Connection Release 8.x, available at http://www.cisco.com/en/US/docs/voice_ip_comm/connection/8x/user_mac/guide/8xcucmacx.html.
Best Practice: Use Different Accounts to Access a Voice Mailbox and Cisco Unity Connection Administration
We recommend that Cisco Unity Connection administrators do not use the same account to access Cisco Unity Connection Administration that they use to sign in to the Cisco Personal Communications Assistant (PCA) or the phone interface.
Securing Unified Messaging Services Accounts (Cisco Unity Connection 8.5 and Later Only)
Added November 16, 2010
When you configure unified messaging for Cisco Unity Connection 8.5 and later, you create one or more Active Directory accounts that Connection uses to communicate with Exchange. Like any Active Directory account that has the right to access Exchange mailboxes, this account allows anyone who knows the account name and password to read mail and listen to voice messages, and to send and delete messages. The account does not have broad rights in Exchange, so you could not use it to restart an Exchange server, for example.
To secure the account, we recommend that you give the account a long password (20 or more characters) that includes upper- and lower-case characters, numbers, and special characters. The password is encrypted with AES 128-bit encryption and stored in the Connection database. The database is accessible only with root access, and root access is available only with assistance from Cisco TAC.
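As an added example that is not part of Cisco's documentation or product, the following Python checks a candidate password for the unified messaging services account against the policy stated above (20 or more characters, with upper- and lower-case letters, digits and special characters) and generates one that satisfies it from the operating system's CSPRNG. The set of special characters is an assumption; match it to what your Active Directory password policy accepts.

```python
import secrets
import string
from typing import List

# Policy from the page: 20 or more characters drawn from upper-case letters,
# lower-case letters, digits and special characters.
MIN_LENGTH = 20
# Assumed set of specials (constructed); align it with the domain password policy.
SPECIALS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def password_policy_violations(password: str) -> List[str]:
    """Return the rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def generate_password(length: int = 24) -> str:
    """Generate a password that satisfies the policy using the OS CSPRNG (secrets)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS]
    # One character from each class guarantees every class is present;
    # the remaining positions are filled from the union of all classes.
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle so the guaranteed characters do not sit at predictable positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    candidate = generate_password()
    print(candidate, password_policy_violations(candidate) or "meets policy")
```

Run the check before setting the password on the Active Directory account; anything it reports should be fixed before the account is put into service.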
Do not disable the account, or Connection cannot use it to access Exchange mailboxes.