Configuration Guide for Cisco Unified MeetingPlace Release 8.6
Securing the System
Downloads: This chapterpdf (PDF - 165.0KB) The complete bookPDF (PDF - 7.28MB) | Feedback

Securing the System

Table Of Contents

Securing the System

Overview of Security Tasks

About Cisco WebEx and Cisco Unified MeetingPlace Password and PIN Security

Using Cisco Security Agent (CSA) on the Application Server

Limiting the Number of Failed User Sign-in Attempts

Configuring Requirements for User Passwords and PINs

Configuring Requirements for Meeting Passwords

Configuring Security Features on MeetingPlace-Scheduled and Audio-Only Deployments

Restricting Access to Scheduled Meetings

Restricting Access to Recordings

Restricting the Use of Vanity Meeting IDs

Restricting Dial-Out Privileges for Guest Users

Restricting Dial-Out Privileges for Profiled Users

Limiting the Number of Attempted Dial-Out Calls From Voice Meetings

Configuring Guest User Permissions

Setting Group User Access to the Meeting Page

Setting Group User Access Meeting Privileges


Securing the System


Overview of Security Tasks

About Cisco WebEx and Cisco Unified MeetingPlace Password and PIN Security

Using Cisco Security Agent (CSA) on the Application Server

Limiting the Number of Failed User Sign-in Attempts

Configuring Requirements for User Passwords and PINs

Configuring Requirements for Meeting Passwords

Configuring Security Features on MeetingPlace-Scheduled and Audio-Only Deployments

Configuring Guest User Permissions

Overview of Security Tasks

While your company might already have guidelines for securing its computer systems and preventing toll fraud, we also recommend that you perform the tasks listed in Table 1.

Table 1 Security Recommendations for Cisco Unified MeetingPlace 

Recommendation
Where to Find Information
Toll Fraud Prevention

Restrict dial-out privileges to specific users.

Note (Cisco WebEx integration only) Dial-out privileges from the Cisco WebEx site are determined by the guest profile, not by individual user profiles.

Restricting Dial-Out Privileges for Guest Users

Restricting Dial-Out Privileges for Profiled Users

Monitor dial-out usage.

Running Capacity Management Reports

Exporting Information about Outgoing Calls

Exporting Meetings

We recommend that you configure Cisco Unified Communications Manager with a Calling Search Space that does the following:

Allows dial-out calls to meeting participants and the help desk Attendant.

Prevents toll fraud by blocking unwanted dial-out calls, for example, to international or premium-rate phone numbers.

Administration Guide for your release of Cisco Unified Communications Manager at http://www.cisco.com/en/US/products/sw/voicesw/ps556/prod_maintenance_guides_list.html

System Security

Secure the physical location of the servers. Keep the servers in areas protected by lock or card-key systems to prevent unauthorized access to the systems.

Use the Cisco Security Agent on the Application Server.

Using Cisco Security Agent (CSA) on the Application Server

Use the Secure Socket Layer (SSL) on the Application Server.

Configuring SSL for the Application Server

Use Secure Conferencing on the Application Server.

How to Configure Secure Conferencing Mode in the Configuring Call Control module

Generate self-signed certificates for secure conferencing.

Configuring Certificates on a Cisco Unified MeetingPlace System in the Configuring Call Control module

Keep the database current. Disable or delete the user profiles of employees who leave the company.

Locking or Deactivating a User Profile

Deleting a User Profile

Change the default passwords for the admin profile.

Changing the Passwords for the Admin Profile

On the router that connects Cisco Unified MeetingPlace to the external network, limit external SSH access to Cisco Unified MeetingPlace to the following:

Safe IP address in your company or organization

Third-party support personnel

Cisco IP addresses:

128.107.0.0/16

198.133.219.0/24

Even if you believe that the SSH sign-in credentials are safe, denial of service attacks can still be launched against your system.

Documentation for your specific router and software release

Complete as many of these tasks as are appropriate for your user base.

Configuring Requirements for User Passwords and PINs

Limiting the Number of Failed User Sign-in Attempts

Configuring Requirements for Meeting Passwords

Restricting Access to Scheduled Meetings

Restricting Access to Recordings

Restricting the Use of Vanity Meeting IDs

Web Server Security

Use the Cisco Security Agent on the Web Servers, especially those in the DMZ.

Working with the Cisco Security Agent (CSA) in the Upgrading to Cisco Unified MeetingPlace Release 8.0 from Cisco Unified MeetingPlace Release 7.0 module

Cisco Security Agent (CSA) in the "Migrating from Cisco Unified MeetingPlace Release 7.x or 8.0" section in the Installation, Upgrade, and Migration Guide for Cisco Unified MeetingPlace

Use McAfee VirusScan Enterprise on the Web Servers, especially those in the DMZ.

System Requirements for Cisco Unified MeetingPlace

Documentation provided by McAfee

Enable SSL on the Web Servers.

How to Configure Secure Sockets Layer for the Web Server


About Cisco WebEx and Cisco Unified MeetingPlace Password and PIN Security

Cisco WebEx and Cisco Unified MeetingPlace have different password and PIN security requirements. The way you configure your system's security settings depends on how you have configured your system's user profiles and groups. If your user profiles and groups are owned by Cisco WebEx then you configure your security settings with Cisco WebEx. If your user profiles and groups are owned by Cisco Unified MeetingPlace then you configure your security settings with Cisco Unified MeetingPlace.

Cisco WebEx provides password security with restrictions that are described in the Cisco WebEx documentation. Cisco Unified MeetingPlace provides password and PIN security that you configure with the Cisco Unified MeetingPlace administration tools.

If your user profiles and groups are managed by Cisco WebEx and you use the Cisco WebEx interface to configure your security settings, you are not required to configure a Cisco Unified MeetingPlace PIN. Make sure to configure your user profiles to Force PIN change at next sign-in so that users are required to enter a PIN when they attempt to log into a conference.

Related Topics

Configuring Requirements for User Passwords and PINs

Configuring User Profiles and User Groups for Cisco Unified MeetingPlace

About Integrating with Cisco WebEx

Field Reference: Usage Configuration Page

Using Cisco Security Agent (CSA) on the Application Server

The Cisco Security Agent (CSA) is an application that provides system and data security and allows you to monitor the activities on your system. The CSA is automatically installed on the Application Server with Cisco Unified MeetingPlace and requires no configuration. The red flag at the bottom-right corner of the screen indicates that CSA is running and active on your system.

The CSA consists of a set of rules that govern which users and applications can alter or query critical file systems. It also provides security on ports to minimize unauthorized system sign-ins for malicious purposes. The CSA logs violations of any of the security rules. You can peruse the log periodically to determine what attempted activities were blocked.

Restrictions

Because the CSA application that is included with Cisco Unified MeetingPlace is a standalone version:

You cannot use the CSA Management Console.

You cannot manually update the CSA independent of the Application Server. The Application Server software also installs the CSA.

Procedure


Step 1 Sign in to the console.

Step 2 Right-click the red CSA flag in the bottom right.

Step 3 Select Open Agent Panel.

Step 4 To change the level of security for your system:

a. Select System Security.

b. Move the security level slide bar to the new security level.


Note We recommend that you keep the security level at medium or high.


Step 5 Select Status > Messages > View log to display the logged security events.

Step 6 (Optional) Select Purge log to remove the entries that appear on the Status > Messages window.

Doing this regularly can help you track new events.


Note Selecting Purge log does not affect the logs under /var/log/csalog.



Limiting the Number of Failed User Sign-in Attempts

You can configure the number of times in a session that an user can fail to sign in to Cisco Unified MeetingPlace before the user profile becomes "locked." Users with locked user profiles cannot sign in.

Restrictions

The preconfigured system administrator profile cannot be locked.

Before reaching the maximum number of sign-in attempts, the user can restart the counter for failed sign-in attempts by:

Closing the browser and opening a new one to continue the sign-in attempts.

Ending the call to Cisco Unified MeetingPlace and making a new call to continue the sign-in attempts.

Procedure


Step 1 Sign in to the Administration Center.

Step 2 Select System Configuration > Usage Configuration.

Step 3 Configure the Maximum profile sign-in attempts field. A lower value is more secure than a higher value.

Step 4 Select Save.


Related Topics

Changing the User Status in Cisco Unified MeetingPlace User Profiles

Field Reference: Usage Configuration Page

Configuring Requirements for User Passwords and PINs

You can increase the security of your system by:

Requiring long user passwords

Requiring users to change their user passwords upon first sign-in

Requiring users to change their user passwords frequently

Requiring complex user passwords

Restrictions

This task does not affect Directory Service users, who are authenticated externally through AXL authentication.

Long or complex passwords and frequent password changes can frustrate your users. Make sure you align your password requirements with those already in use at your company.

Procedure


Step 1 Sign in to the Administration Center.

Step 2 Select System Configuration > Usage Configuration.

Step 3 Configure the following fields, which determine how long passwords must be:

Minimum profile PIN length

Minimum user password length

Step 4 Configure the following fields, which affect when users are required to change their passwords:

Change profile PIN (days)

Change user password (days)

Step 5 Configure the following fields, which determine how complex the user PIN and passwords must be:

Password contains characters from at least three classes

PIN does not consist entirely of sequential digits

Password/PIN does not repeat a character more than three consecutive times

Password/PIN does not repeat or reverse the username

Password/PIN is not "cisco", "ocsic" or variation of these

Step 6 (Optional) Select System Configuration > User Profiles.

a. Select Edit to edit an existing user profile.

b. Configure these fields to force user password or PIN changes:

Force user password change at next sign-in

Force PIN change at next sign-in

Step 7 Select Save.


Related Topics

Field Reference: Usage Configuration Page

Field Reference: Add User Profile Page and Edit User Profile Page

Configuring Directory Service on MeetingPlace-Scheduled and Audio-Only Deployments

Configuring Requirements for Meeting Passwords


Note You cannot password protect audio-only meetings that are scheduled from Cisco WebEx with user profiles that are managed by Cisco WebEx.


Meeting passwords prevent uninvited people from attending meetings. You can increase the security of your system by:

Requiring passwords for meetings scheduled by some or all users

Requiring long meeting passwords

Before You Begin

Meeting password must be communicated to the meeting invitees in order for them to join the meeting:

Configure user groups and user profiles to include meeting passwords in email notifications. See the "Configuring User Preferences for Email Notifications" section.

If not all meeting invitees will receive email notifications, the meeting scheduler or another organizer must manually communicate the meeting password.

Procedure


Step 1 Sign in to the Administration Center.

Step 2 Select System Configuration > Meeting Configuration.

Step 3 Configure the Minimum meeting password length field. A higher value is more secure than a lower value.

Step 4 Select Save.


Perform the following additional steps on MeetingPlace-scheduled and audio-only systems only:

Procedure


Step 1 Sign in to the Administration Center.

Step 2 Select User Configuration.

Step 3 Select User Groups or User Profiles, depending on whether you want to configure a user group or an individual user profile.

Step 4 Select Edit or Add New, depending on whether you want to configure an existing or a new user group or user profile.

Step 5 Set the Meeting password required to Yes.

Step 6 Select Save.

Step 7 Repeat Step 2 through Step 6 for all user groups and user profiles for which you want to require meeting passwords.


Related Topics

Field Reference: Meeting Configuration Page

Field Reference: Add User Profile Page and Edit User Profile Page

Configuring Security Features on MeetingPlace-Scheduled and Audio-Only Deployments

The following sections describe security features available only on MeetingPlace-scheduled and audio-only deployments:

Restricting Access to Scheduled Meetings

Restricting Access to Recordings

Restricting the Use of Vanity Meeting IDs

Restricting Dial-Out Privileges for Guest Users

Restricting Dial-Out Privileges for Profiled Users

Limiting the Number of Attempted Dial-Out Calls From Voice Meetings

Restricting Access to Scheduled Meetings

You can restrict uninvited and unprofiled users from attending meetings that are scheduled by some or all users.

Remember, however, that if meeting attendance is restricted to profiled users, unprofiled external users (such as your customers or business partners) and users with locked profiles cannot attend meetings, even if they are invited.

Procedure


Step 1 Sign in to the Administration Center.

Step 2 Select User Configuration.

Step 3 Select User Groups or User Profiles, depending on whether you want to configure a user group or an individual user profile.

Step 4 Select Edit or Add New, depending on whether you want to configure an existing or a new user group or user profile.

Step 5 Configure the Who can attend field.

Step 6 Select Save.


Related Topics

Field Reference: Add User Profile Page and Edit User Profile Page

Restricting Access to Recordings

You can restrict unprofiled users from accessing recordings for meetings that are scheduled by some or all users. Remember, however, that if access to recordings is restricted to profiled users, unprofiled external users (such as your customers or business partners) and users with locked profiles cannot access the recordings, even if they were invited to and attended the meetings.

Procedure


Step 1 Sign in to the Administration Center.

Step 2 Select User Configuration.

Step 3 Select User Groups or User Profiles, depending on whether you want to configure a user group or an individual user profile.

Step 4 Select Edit or Add New, depending on whether you want to configure an existing or a new user group or user profile.

Step 5 Configure the Who can access field.

Step 6 Select Save.


Related Topics

Field Reference: Add User Profile Page and Edit User Profile Page

Restricting the Use of Vanity Meeting IDs

By default, Cisco Unified MeetingPlace allows the meeting scheduler to request a specific meeting ID, such as one that is easy to remember (12345) or one that spells a word (24726 or CISCO). If, however, an uninvited person knows one of the phone numbers for your Cisco Unified MeetingPlace system, that person can easily guess a popular meeting ID and join a meeting that he is not authorized to attend.

You can prevent unauthorized meeting attendance by disabling the ability to request a vanity meeting ID when scheduling a meeting. Instead, a unique, randomly generated ID is assigned to every scheduled meeting. Users cannot change the assigned meeting IDs.

Procedure


Step 1 Sign in to the Administration Center.

Step 2 Select System Configuration > Meeting Configuration.

Step 3 Set the Allow vanity meeting IDs field to No.

Step 4 Select Save.


Related Topics

Field Reference: Meeting Configuration Page

How to Configure Restricted Meeting ID Patterns

What To Do Next

You can further prevent unauthorized meeting attendance by:

Requiring meeting passwords—See the "Configuring Requirements for Meeting Passwords" section.

Restricting scheduled meeting attendance to profiled users—See the "Restricting Access to Scheduled Meetings" section.

Restricting Dial-Out Privileges for Guest Users

To prevent toll fraud, you can specify that only profiled users who successfully sign in to Cisco Unified MeetingPlace can dial out.


Note (Cisco WebEx integration only) Completing this task restricts all users from dialing out from Cisco WebEx web meetings. Dial-out privileges from Cisco WebEx meetings are determined by the guest profile, not by individual user profiles.

If you disable dial-out privileges in the guest profile, then make sure that you complete the Disabling Dial-Out Calls from the Cisco WebEx Site for MeetingPlace-Scheduling Deployments task.


Procedure


Step 1 Sign in to the Administration Center.

Step 2 Select User Configuration > User Profiles.

Step 3 Find the guest profile.

Step 4 Select Edit.

Step 5 Set the Can dial out (does not apply to Cisco WebEx meetings) field to No.

Step 6 Select Save.


Related Topics

Guest Profile

Field Reference: Add User Profile Page and Edit User Profile Page

Restricting Dial-Out Privileges for Profiled Users

Limiting the Number of Attempted Dial-Out Calls From Voice Meetings

Enabling or Disabling Dial-Out Calls for WebEx-Scheduling Deployments

Restricting Dial-Out Privileges for Profiled Users

To prevent toll fraud, you can restrict dial-out privileges to specific user groups and user profiles.

Procedure


Step 1 Sign in to the Administration Center.

Step 2 Select User Configuration.

Step 3 To restrict dial-out privileges for specific user groups, select User Groups. To restrict dial-out privileges for specific user profiles, select User Profiles.

Step 4 Select a user group or user profile and select Edit in the same row.

Step 5 Set Can dial out (does not apply to Cisco WebEx meetings) to No.

Step 6 Select Save.


Related Topics

Navigation Reference: User Groups Page

Navigation Reference: User Profiles Page

Restricting Dial-Out Privileges for Guest Users

Limiting the Number of Attempted Dial-Out Calls From Voice Meetings

Limiting the Number of Attempted Dial-Out Calls From Voice Meetings

To prevent toll fraud, you can specify the maximum number of dial-out calls that each user can try to make from within a meeting.

Restriction

This procedure affects only the dial-out calls that the user attempts by pressing #31 from the telephone user interface (TUI). You cannot limit the number of dial-out calls that are attempted from the web meeting room.

Procedure


Step 1 Sign in to the Administration Center.

Step 2 Select User Configuration.

Step 3 To restrict dial-out privileges for specific user groups, select User Groups. To restrict dial-out privileges for specific user profiles, select User Profiles.

Step 4 Select a user group or user profile and select Edit in the same row.

Step 5 Configure the Maximum phone dial-out attempts per meeting field.

We recommend restricting the dial-out attempts to as low a number as possible while accommodating the dial-out needs of your users.

Step 6 Select Save.


Related Topics

Navigation Reference: User Groups Page

Navigation Reference: User Profiles Page

Restricting Dial-Out Privileges for Guest Users

Restricting Dial-Out Privileges for Profiled Users

Configuring Guest User Permissions

By default, Cisco Unified MeetingPlace has non-restrictive privileges for guest user accounts. A guest user can view meeting information but cannot modify any system settings. When configuring a guest user account, depending on the how the guest user account will be used and the requested level of security, you can decide to configure less restrictive permissions or set the permissions to be as restrictive as possible.

Setting Group User Access to the Meeting Page

You can restrict guest users from accessing the Meetings page.

Procedure


Step 1 Sign in to the Cisco Unified MeetingPlace site using the administrative account credentials.

Step 2 Select Admin.

Step 3 Select Web Server.

Step 4 Select the appropriate Web Server Name.

Step 5 Set the value of Allow Public Meetings in Find Meeting List to No.

Step 6 Set the value of Allow Guest Access to Find Meeting Page to No.

Step 7 Select Submit.

Setting Group User Access Meeting Privileges

Procedure


Step 1 Sign in to the Administration Center.

Step 2 Select User Configuration > User Profiles.

Step 3 Choose to search by username.

Step 4 In the Begins with field enter guest.

Step 5 Select Search.

Step 6 Select Edit in the row that displays the guest user profile.

Step 7 In the Permissions section, set Can dial out to No.

Step 8 In the Recordings section, set Who can access to User with Cisco Unified MeetingPlace profiles only.

Step 9 In the Meeting Preferences section, set Who can attend to User with Cisco Unified MeetingPlace profiles only.

Step 10 In the Meeting Preference section, set Show reservationless meetings in public listing to No.